Making wallets more safe

[size=14pt]Hi there![/size]
I’m here to share some thoughts and ideas. Maybe they are stupid, but maybe they will help to develop some good things. You decide.

[size=14pt]Short intro[/size]
First of all, a few words of introduction, so that you know how much to rely on my “general computer experience”. I know some basics in programming (C, C++, Java, SQL, Matlab, HTML, PHP). Mostly for fun during studies. I’m not a professional programmer. My daily activities are internet reading and using the computer like general people do for fun, music, entertainment, movies, shopping.
My crypto experience
I do some trades on exchanges. Lost a few BTC on GOX. Got PPC and LTC wallets. I would call myself a newbie. No experience in cryptography.

[size=14pt]Cryptocurrency user experience, observations and conclusions:[/size]

  1. Using cryptos is less safe than fiat currency, because to rob my online bank account you need not only my pass but also a token (which I get on my cellphone, or I have a separate device). And wires are reversible and trackable. Cryptos are fast, irreversible, and you can lose track easily.
    So for example if I have money in my wallet and get a keylogger virus, someone may steal my PPC forever. Like my all-time savings! Because the keylogger will intercept my password for the encrypted wallet. Please note that stealing money from one's wallet can be done from the other side of the world. Stealing currency via money transfer is rather not possible this way (long-time trackable wire transfer).
    CONCLUSION: we need some more safety. Bank payment methods seem more secure here.

  2. Remembering a long password is problematic. If I lose it, I lose money. So many people will keep it on their devices, which is not safe again. And even a long password does not give me 100% protection (a keylogger virus can still get my password). So it’s neither convenient nor really safe. Comparing to a bank account: if I lose my password I go to the bank, show my ID and get a new one :slight_smile:
    CONCLUSION: we need an easier way of protection than long passwords. Some protection against key readers maybe.

  3. If my computer breaks, or my cellphone is lost/stolen or so, I lose my wallet. It is similar to losing cash, but not like losing a credit card. I can go to a bank and block the lost credit card number, and get a new one.
    CONCLUSION: again it’s not obviously a safer way of keeping value in crypto.

[size=14pt]Conclusions summary[/size]

Ok then. Is it clear now that for regular people, who are not hackers, using cryptos does not give a straight message that it’s better than just an online bank account, VISA card and so on? It’s actually harder in usage, less safe, and if you break something, lose a key or get robbed, no one will help you.

There is much work to do to solve these problems and invite more regular people to use cryptos like PPC. Otherwise PPC will just become a part of the money transferring system (like electric currents are in an internet wire hidden somewhere in the deep), but not an entity that will be commonly used like Dollars $.

[size=14pt]Now the ideas part[/size]

  1. To have good protection with an easier pass I suggest implementing a CAPTCHA in each wallet permanently. That way automatic money spending by using the wallet will be at least protected by a captcha image. I would prefer a single pass phrase + captcha protecting my wallet than the 8-word-long one.
    [bad/stupid/not possible?]

  2. Protection against losing a cellphone/any device with a wallet. Maybe there are some possibilities that the whole network keeps info about each address content/amounts. This way losing my device could result in the following steps to get the wallet back:
    a) get a new device
    b) install a PPC wallet
    c) press recover, enter your OLD address, enter password.
    [bad/stupid/not possible?]

  3. Maybe some token application is possible within the PPC network? Like some mobile app synchronised with my wallet. The mobile app would display an additional token on my special cellphone screen when I want to do a transfer? Maybe a passphrase won’t be needed, only a token, this way?
    [bad/stupid/not possible?]

  4. Can we protect pass phrase typing (from a keylogger virus reading it) with an additional thing - typing at least part of the phrase with a special random keyboard within the wallet app? So that a user would type it by hitting mouse/touchpad/cellphone glass with randomly displayed keys, not the regular/physical keyboard.
    [bad/stupid/not possible?]

  5. Protecting a wallet/address from trying many transactions with a wrong passphrase (protection against dictionary attack by time delays, increasing the time delay for the wallet each time the passphrase is wrong). This might require the network to detect that a wallet is being tried several times, and maybe requires splitting spending PPC into 2 phases. ONE - preparing to spend, before the pass is entered, TWO - after the password is entered.
    [bad/stupid/not possible?]

  6. Maybe wallet.dat itself should become a computer program, not a static file, but something in between. This way it could have a state (maybe a token hidden inside that changes every few seconds) and some processing in it to be safer?
    [bad/stupid/not possible?]

Thanks for reading. I hope not everything I’ve written is stupid :slight_smile: and maybe I will learn more about PPC

Regards
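
Ideas 3 and 5 in the post above (a token that changes over time, and a delay that grows after each wrong attempt) can be sketched together; this is an added example, not part of the original post and not Peercoin code. It uses standard RFC 6238 TOTP for the token, while `TransferGate`, its 2-second base delay and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each token stays valid (the RFC 6238 default)


def totp(secret, now, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code changes every STEP seconds."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TransferGate:
    """Hypothetical wallet-side check run before a transfer is signed."""

    def __init__(self, secret, base_delay=2.0):
        self.secret = secret
        self.base_delay = base_delay
        self.failures = 0
        self.locked_until = 0.0
        self.last_step = -1  # last accepted time step; blocks replayed codes

    def authorize(self, code, now):
        if now < self.locked_until:
            return "locked"
        step = int(now) // STEP
        # Accept the current and the previous step to tolerate clock drift.
        for s in (step, step - 1):
            if s <= self.last_step:
                continue  # step already used, or before time zero
            expected = totp(self.secret, s * STEP)
            if hmac.compare_digest(code.encode(), expected.encode()):
                self.failures, self.last_step = 0, s
                return "ok"
        # Wrong or replayed code: the wait doubles with every failure.
        self.failures += 1
        self.locked_until = now + self.base_delay * 2 ** (self.failures - 1)
        return "denied"


def demo():
    """Constructed run: the secret and timestamps are sample values."""
    gate = TransferGate(b"12345678901234567890")
    good = totp(gate.secret, 59)
    return [gate.authorize("000000", 59), gate.authorize(good, 60),
            gate.authorize(good, 61.5), gate.authorize(good, 62)]
```

The growing delay only protects when the check runs somewhere the person guessing cannot bypass, such as a second device or a service; it does nothing against offline guessing on a copied wallet.dat, where a slow key-derivation function is the relevant defence.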

Thank you for sharing your ideas. The problem you target is also my biggest concern. I imagine my mother dealing with Bitcoin on her Windows laptop. This will be far too dangerous. You could only have a small wallet then or use an online wallet. But the third party involved has to be trusted and, as we learned from the mtgox disaster, keeping your bitcoins with some company will also lead to losing all your funds.

What’s probably the only solution right now is to make it trivial to generate paper wallets by integrating this functionality into the peercoin client. You can also use small paper wallets as cash while there are no real mobile wallets available. At least for iOS there are basically only websites available for the foreseeable future.

Hi czarly, thanks for supporting this topic.

I did a similar post on the NXT coin forum. It appears they are closer to such a system which allows additional security, as there is no wallet file :slight_smile:

Check this out: https://nextcoin.org/index.php/topic,4394.0.html

Hi again.

I think I came to this final idea which makes installing more complicated but usage more simple. I’ve shared most ideas on the NXT forum, but here is the essence and summary of my freaky ideas :o

Read all 4 steps to get the whole idea :slight_smile:

1. A brain wallet like NXT has is needed (no wallet.dat file that can be stolen).
The network controls and stores all the information.

2. Synchronised client tied to 2 synchronized devices.
Having a brainwallet and installing the client requires 2 devices, which will have a shared wallet, and the clients will be synchronised. Moreover the clients will have the passphrase encrypted during installation. Only* the two devices will be able to log in - automatically. No need to remember a password :smiley:. Moreover - the other device will always play the role of a token while doing a transfer.

    • only if the other device is destroyed should “transferring client” be possible.

3. Grant security to a friend (friend shared security).
Installing the client requires a real-life friend's wallet address to approve security changes. When one of my devices gets lost or destroyed and I try to transfer my client from my other device to a new device, my friend gets a message “approve user XY client transfer”. As he’s my friend I would call him and ask for approving :slight_smile:

4. Having brain wallet (like NXT inside network) should allow scheduled automatic transfer.
In case I lose connection I should be allowed to set “after X months without connecting to this address please send all my funds split equally to the following addresses:”.
This way, on losing all your devices your friend could get your funds, and you are saved :slight_smile:


If you like the idea I’ve shared, you may share some PPC tip :slight_smile:
PD6hbjVeE7gDJokA6SdWmWtS4H3PBC8tj1

Hi, I agree with you end user security is top priority.

Fortunately Bitcoin has been taking the brunt of the damage from malware. While we get to watch, learn, plan and prepare.

I hate Captchas!

Here linked below is an article written by Vitalik Buterin and published only a few days ago by Bitcoinmagazine.com. The article is on Multi-Sig security improvements. I find some of it to be advanced and likely to create giant security improvements for end users. It is a good read:
http://bitcoinmagazine.com/11108/multisig-future-bitcoin/