PYMNTS Crypto Basics Series: What is a Crypto Wallet?

Bitcoin, blockchain, and cryptocurrency are words most people have at least heard of in 2022, as the industry exploded into public consciousness.

In this series of articles, we’ll dive into the basics of the industry, providing an introduction to cryptography that will give you a solid grounding in the technology and a lexicon for its terminology – cryptographers should never be allowed to name everything the public will possibly need to know – in short, enough to understand what people are talking about and decide if you want to dive in.

What we’re not going to do is talk about regulation, funding, or investing – you’ll find that elsewhere on PYMNTS.com.

See also: PYMNTS Crypto Basics Series: What is a Blockchain and how does it work?

See also: PYMNTS Crypto Basics Series: What is a consensus mechanism and why is it destroying the planet?

There are many stories of bad luck in crypto, but few are as difficult as Stefan Thomas and the $266 million digital wallet he can’t open.

Thomas is a programmer who received 7,002 bitcoins from a customer as a bonus for making an animated video, according to the New York Times, BBC News and around 16.6 million other sources if Google is to be believed. It was back in 2011 when BTC briefly spiked as high as $30 before ending the year at $4.25, up over 1,317%. As of this writing, BTC is around $38,500. Mathematics is no friend of Stefan Thomas.

What happened? The short version is that Thomas stored his 7,002 bitcoins on an encrypted flash drive called Iron Key, which protects your data from thieves by destroying itself after 10 failed password attempts.

Thomas tried eight times at last sight.

This is a feature available on many modern crypto hardware wallets. They also have time-consuming and expensive ways to bypass this security – random 25-word passphrases – if you bother to set it up.

So, a wallet is just a USB stick? No.

Well, not for our purposes. You can store the keycodes that allow you to send and receive cryptocurrency to a text file on a reader, or even by writing them to a “paper wallet” in a drawer.

What is a digital wallet?

The most basic answer is that a digital wallet is an app that stores and protects your cryptocurrency.

There are two main types of digital wallets for cryptocurrency: hardware, or “cold” wallets and software, or “hot” wallets. They both present trade-offs between security and convenience and have their pros and cons.

We’ll get to that in a moment, but first, let’s briefly talk about how cryptocurrency works. A bitcoin, an ether, a dogecoin, or even an NFT uses three codes: an address, a public key and a private key. The address is sort of a cross between a routing number and a bank account number. This is where people send you bitcoins.

Then there are the two key codes, public and private. The public key is visible to everyone and indicates where the bitcoin or other cryptocurrency is. The private key is needed to send that crypto to another address – to spend it. The public code is then linked to a different address, and a different private key is created, rendering your old one useless.

So let’s say you want to buy $100 worth of bitcoin. First, you need to open an account with a cryptocurrency exchange.

This can be quite simple at a top exchange like Coinbase or Kraken. It’s not fast, however. They need to verify your identity for Anti-Money Laundering (AML) compliance, which can take hours. You send money to this account from a bank or debit card.

(There are a variety of more complex ways, including wire transfers, but we don’t go that far.)

More professional, user-focused exchanges can become much more complex. This is especially true for decentralized finance, or DeFi, exchanges – known as DEXs – which have no centralized control and therefore no technical support.

Now you can leave it in the wallet of your exchange account, but it’s not in your wallet, so you have no control over it – the private keys are not in your hands. There is a popular phrase among long-time crypto users: Not your keys, not your crypto.

Crypto held in an exchange account is only as safe as its security, and the crypto is only yours to the extent that the exchange is honest. Now, most vouchers either offer or require two-factor authentication (2FA) — a text message to your phone or an app like Google Authenticator — or biometric authentication, like face recognition on your phone.

Read more: PYMNTS Crypto Crime Series: The Story of QuadrigaCX, Canada’s Longest Crypto-Ponzi Scheme

Software hot wallets

Any crypto wallet is really just an app, usually on a mobile phone, although desktop versions are also available. The basic difference between a hot and cold wallet is whether or not it is connected to the internet. Software wallets all have encryption – usually very strong encryption – but they are still online. This means hackers still have the ability to gain access and transfer your crypto to each other if they have your wallet app password.

Thus, phishing, malware, man-in-the-middle attacks, and various other hacking attacks are possible, as well as looking for old-school exploits for security flaws in the wallet app.

That said, it is much easier to use. Just open the app, log into your exchange account, and you can buy and sell with minimal fuss beyond (if you’re smart) a complex app password – although many default to a simple six-digit passcode – and good 2FA.

One thing they share with hardware wallets is that the recovery “password” tends to be huge – randomly selected 25-word phrases. The intention is to write them down rather than store them on a hackable mobile or desktop.

Some are connected to an exchange – Coinbase Wallet is highly rated and is a separate wallet app from the Coinbase account app. Others are standalone like Exodus, which appears in many “best wallet” lists.

They are also free or inexpensive, unlike hardware wallets which cost between $50 and $200 or more.

Hardware cold wallets

Hardware wallets are, as we said, specialized USB drives with a dedicated app, security software, and sometimes physical security like buttons for a digital code or fingerprint readers.

Hardware wallets are called cold wallets because there is no hot – i.e. live – connection to the internet. They are, in the security industry term, “air gapped”.

Thus, they can only be hacked when online, and are usually designed to be malware proof as there is no way to install other software on the device.

And unlike Stefan Thomas’ Iron Key, they allow private keys to be recovered even from a lost or damaged device using the 25-word recovery key on a newer model. Ledger and Trezor are two of the highest rated perennial brands.

That said, lose the recovery phrase – or have it hacked if you kept it on a computer – and any damage or loss or the device is fatal.

However, they may be suspected of another type of man-in-the-middle attack if you buy one from an unreliable supplier who sends a fake. Buying directly from the manufacturer is therefore a good idea.

Then there’s the “$5 key” attack, which refers to this cartoon XKCD – which predates bitcoin – but is nonetheless unavoidable with crypto.

The punchline: “His laptop is encrypted. Drug him and hit him with this $5 key until he tells us the password.

So, there is one last safety measure: don’t tell people you have a crypto wallet – hot or cold.