Why should you stop using mobile wallets?

How can an online wallet be safer than paper wallets or cold storage?

I tested it by creating a secure wallet on BitGo.

They provided a multisig address for deposits; 2 of the 3 keys are required to withdraw bitcoins. BitGo holds one key, you get a private key and a backup key. You don't need to print the private key to withdraw bitcoins; the passphrase is sufficient (it appears that the key is derived from the passphrase).

BitGo cannot make Bitcoin transactions without the user's consent because they lack the other keys. This protects against some attacks: for example, the site has no hot wallet that could be drained in a server breach. BitGo enforces SMS two-factor authentication at login, which also helps protect against loss of credentials through theft or phishing.

If BitGo's infrastructure is compromised, any wallet created after the compromise is compromised too, because the attacker can capture the keys as they are created. So ultimately you trust BitGo. They could also openly lie to you and keep copies of all the keys, since they, not you, are generating them. Even if key generation happens in the web browser in JavaScript, you have to trust the code they serve you to run.

BitGo is still an online site. If you save your passphrase in a password manager or web browser and your computer gets infected, you could lose your bitcoins without any interaction on your part. BitGo is also exposed to malware that alters withdrawal requests on the fly. The "Byzantine Generals" problem, however, cannot be solved unless you do verification outside the online world, e.g. manual phone calls and voice confirmation. You always need to trust the device you use to make withdrawals.

BitGo has a nice process and good instructions for creating a multisig wallet, and they hold a third key of their own that you unlock through password and SMS verification. You could build a similar setup yourself, even more securely, but BitGo may save you the hassle. BitGo is also more secure than any Bitcoin wallet service where you hold no private keys at all.

The bottom line: lots of marketing promises, ultimately an online site, but possibly more secure than the average Bitcoin wallet service. You have to trust BitGo. No more secure than your own cold wallet or multisig solution, if you know what you are doing.

arik

Hi, I am a software developer at BitGo and I would like to point out that we are actually not creating the keys. The user and backup key are both generated on the client side, and only the public keys are sent to our server. The user's private key is encrypted with a symmetric key derived from the wallet password, and this encrypted blob is also sent to us. This is also openly verifiable as our SDK that generates the keys is open source and available on Github: github.com/BitGo/BitGoJS