What amount of money in your savings would you be content with losing? As in, if you permanently lost that money, would you just shrug it off? $10? $100? $1000? $10,000?
What about cryptocurrency? If you're holding some bitcoin on an exchange, and the exchange lost your coins, somehow lost your account, or the coins were stolen, at what amount would you just shrug off those losses?
I don't typically like spreading FUD about cryptocurrency exchanges as FUD is a pretty weak marketing technique usually reserved for security companies presenting at conferences, but in the case of cryptocurrency exchanges there are quite real and present threats to the assets being held within them, and you can spend almost nothing to get to a strong level of control and security, impervious to most attacks (except for maybe getting drugged and hit with a $5 wrench).
Holding Addresses In Your Control
The true value in the cryptography that runs cryptocurrency chains is that you don't need any central authority to issue you cryptocurrency addresses. If you can create cryptographic keys with a computer, you can create as many addresses as you like. So, the first step to gaining control of your coins is to create your own addresses.
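To make this concrete, here is an added example (not from the original article or from any wallet named in it) that creates an Ethereum address entirely on your own machine: a secp256k1 private key, its public key, and the last 20 bytes of the public key's Keccak-256 hash. It assumes Node.js, the `wallet` function name is hypothetical, Keccak-256 is written out by hand only because Node's `crypto` module does not include it, and the address is returned in lowercase without the EIP-55 checksum casing.

```javascript
const { createECDH } = require("node:crypto");

const rol = (v, n) => ((v << n) | (v >> (64n - n))) & 0xffffffffffffffffn;

// Keccak-f[1600] over 25 64-bit lanes; lane (x, y) is stored at index x + 5*y.
function keccakF(s) {
  let r = 1; // LFSR state that generates the round-constant bits
  for (let round = 0; round < 24; round++) {
    const c = [0, 1, 2, 3, 4].map((x) => s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]);
    s = s.map((v, i) => v ^ c[(i + 4) % 5] ^ rol(c[(i + 1) % 5], 1n)); // theta
    let [x, y, cur] = [1, 0, s[1]];
    for (let t = 0; t < 24; t++) { // rho and pi
      [x, y] = [y, (2 * x + 3 * y) % 5];
      [cur, s[x + 5 * y]] = [s[x + 5 * y], rol(cur, BigInt((((t + 1) * (t + 2)) / 2) % 64))];
    }
    s = s.map((v, i) => v ^ (~s[i - (i % 5) + ((i + 1) % 5)] & s[i - (i % 5) + ((i + 2) % 5)])); // chi
    for (let j = 0; j < 7; j++) { // iota
      r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256;
      if (r & 2) s[0] ^= 1n << ((1n << BigInt(j)) - 1n);
    }
  }
  return s;
}

// Keccak-256 with the original 0x01..0x80 padding that Ethereum uses (NIST SHA3-256 pads with 0x06).
function keccak256(data) {
  const padded = Buffer.alloc(Math.ceil((data.length + 1) / 136) * 136); // 136-byte rate
  Buffer.from(data).copy(padded);
  padded[data.length] = 0x01;
  padded[padded.length - 1] |= 0x80;
  let s = new Array(25).fill(0n);
  for (let off = 0; off < padded.length; off += 136) {
    for (let i = 0; i < 17; i++) s[i] ^= padded.readBigUInt64LE(off + 8 * i);
    s = keccakF(s);
  }
  const out = Buffer.alloc(32);
  for (let i = 0; i < 4; i++) out.writeBigUInt64LE(s[i], 8 * i);
  return out;
}

// Derives the address for a given key, or for a freshly generated one when no key is passed.
function wallet(privateKeyHex) {
  const ecdh = createECDH("secp256k1");
  if (privateKeyHex) ecdh.setPrivateKey(Buffer.from(privateKeyHex, "hex"));
  else ecdh.generateKeys(); // new key from the OS CSPRNG, no third party involved
  const digest = keccak256(ecdh.getPublicKey().subarray(1)); // drop the 0x04 prefix
  const privateKey = ecdh.getPrivateKey("hex").padStart(64, "0");
  return { privateKey, address: "0x" + digest.subarray(12).toString("hex") };
}
```

Nothing here touches the network, which is why the private key it returns has to be protected as carefully as the coins it will control.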
There is a catch though - yes you can create as many addresses as you like, but you still need a way to conduct transactions with your self-created addresses. With coins like Bitcoin and Ethereum you need to run a node connected to the network, constantly running software to keep your node up to date and downloading the entire chain to your machine before you can interact with it.
Of all the popular chains, Bitcoin is probably the worst one to self-host a node for, purely because it requires so much data to be downloaded to get going: just over 300GB at the time of this article being written. So, what can be done if you don't want to run your own bitcoin node? Well, there are a few options:
- Use an exchange that lets you import your own keys. I personally haven't yet encountered an exchange that supports this, but I've only looked at Australian exchanges like BTC Markets, CoinSpot, and CoinJar. In theory if there are any out there, then this is an option.
- Use a Blockchain-as-a-Service to interact with a node hosted by someone else. BlockCypher and CryptoAPIs both provide this service, but you're going to need to code up your own integration with their services, as they only provide APIs.
- Use an application that provides the ability to conduct transactions without running a node yourself. Apps like Signata and Exodus offer this kind of service.
Whichever option you choose, you can then use those services to create your own bitcoin wallet and then send and receive bitcoin accordingly.
When it comes to Ethereum, many of the same options that apply to Bitcoin also apply here, but the options for self-managed Ethereum addresses are a little broader than for most other coins. The recent big swell in interest in Decentralized Finance (also known as DeFi) has brought with it a multitude of new applications and services for the Ethereum network and all of the alternative coins like Chainlink and Uniswap that are running on top of it.
If you want a basic self-managed wallet, services like MyEtherWallet, MetaMask, and WalletConnect provide useful and free tools for managing your own Ethereum wallets. Back-end services like Infura provide nodes accessible from the internet (as long as you pay for your usage).
Please note: I don't endorse any individual product here, these are just products and coins that are popular right now. Actually I endorse Signata, but that's because I helped build it 😉
So, you can create yourself an address pretty easily with any of these services, and start sending and receiving currency in and out of exchanges at will.
This article only looks at Ethereum and Bitcoin, but the overall gist of these options still applies to practically every chain out there.
Security of Holding Addresses
Creating addresses yourself with self-managed applications is great, but it does bring in some new risks. You need to ensure that the addresses generated aren't being stored insecurely somewhere. You need to ensure the service you're using is actually reliable and transparent with its security processes.
This is a muddy area to get into - I can't personally vouch for most of the services listed above as I didn't make them, so it's best to dig deep into how the services operate, and especially how they monetise their products. If a service is providing you a free wallet, then you should look carefully at how they actually make their money. Some services take transaction fees if you make trades between currencies, and other services charge a small percentage of any transaction fees you make. If you can't figure out how they make money, then it might be worth looking elsewhere.
From our own perspective with Signata, we make it clear up front that you just have to pay a small fee any time you want to withdraw currency - this fee is effectively covering our expenses with using Infura and BlockCypher in our back-ends for interacting with blockchains.
The other important factor to look at is how your wallet keys are stored. Make sure that the keys themselves stay under your control, and your control only. If a 3rd party is storing them on their servers for you, and they control the keys, then you're no better off than still just storing coins inside exchanges.
Hardware Key Storage
If you want the best assurance of security around how your keys are stored, then the best approach is to bring in hardware key storage. Ledger and Trezor make some dedicated and quite well integrated devices for cryptocurrency key storage, and alternatively Signata lets you use a YubiKey for hardware-based encryption.
One piece of advice I'd give with hardware wallets - make sure you buy them from trusted sources only - the best is directly from the manufacturer. If you're buying from a 3rd party, you need to be certain the supply chain hasn't been compromised.
I've tried Trezor devices before, and I quite like them for their ease of use, but I find them quite expensive considering they serve only one function - especially as you usually need to buy a spare unit or two. I built Signata specifically because I know from integrating cryptographic systems for businesses that the capability to securely encrypt data already exists, and that we could just use that exact same technology with devices as ubiquitous as YubiKeys - which cost a whole lot less and are far more capable than Trezor/Ledger-style hardware wallets.
The other factor we've addressed in Signata is disaster recovery - if you've put all your coins into a Ledger device, and you lose it or it's destroyed somehow, then I hope you remembered to create some backups of your keys as well. With Signata we still hold a copy of your coins in our cloud service, but we just encrypt them so that we (the service provider) can't actually ever see your private keys - you just have to make sure you store your recovery passphrase somewhere safe.
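One way a "the provider stores it but cannot read it" backup can work, as an added example (not from the original article and not Signata's actual scheme): the private key is encrypted on the owner's device under a key derived from the recovery passphrase with scrypt, and only the resulting blob is uploaded. The function names, blob fields, scrypt cost and the `wallet-backup-v1` label are assumptions made for this sketch.

```javascript
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// Assumed scrypt cost for this sketch (about 32 MiB of memory per derivation).
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AAD = Buffer.from("wallet-backup-v1"); // binds the blob to this (hypothetical) format

// Stretch the recovery passphrase into a 256-bit key-encryption key.
function deriveKek(passphrase, salt) {
  return scryptSync(passphrase.normalize("NFKC"), salt, 32, KDF);
}

// Runs on the owner's device; the returned blob is all a storage provider receives.
function sealKey(privateKeyHex, passphrase) {
  if (!/^[0-9a-f]{64}$/i.test(privateKeyHex)) throw new TypeError("expected a 32-byte hex key");
  const salt = randomBytes(16);
  const nonce = randomBytes(12); // fresh per encryption, never reused with the same key
  const cipher = createCipheriv("aes-256-gcm", deriveKek(passphrase, salt), nonce);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(Buffer.from(privateKeyHex, "hex")), cipher.final()]);
  return {
    salt: salt.toString("hex"),
    nonce: nonce.toString("hex"),
    ct: ct.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"),
  };
}

// Runs on the owner's device during recovery. Throws when the passphrase is
// wrong or any field of the blob was modified while in storage.
function openKey(blob, passphrase) {
  const kek = deriveKek(passphrase, Buffer.from(blob.salt, "hex"));
  const decipher = createDecipheriv("aes-256-gcm", kek, Buffer.from(blob.nonce, "hex"));
  decipher.setAAD(AAD);
  decipher.setAuthTag(Buffer.from(blob.tag, "hex"));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, "hex")), decipher.final()]);
  return pt.toString("hex");
}
```

The provider holds only `salt`, `nonce`, `ct` and `tag`, so the strength of the backup rests on the passphrase: a short or reused one can be guessed offline by anyone who obtains the blob.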
Hold cold, trade hot
So if you're looking to actually take control of your crypto assets, have a look into some of the options in this article for moving coins out of exchanges. If you're just sitting there waiting for months or years for a price rise to happen on a coin, and it would be devastating to lose the coins you have, then take that little bit of extra time to move them out to offline storage. Just make sure you don't put all your crypto eggs into one wallet basket - have a disaster recovery plan set up for your offline coins.
When you're ready to sell or swap, just move them into the exchange and start trading again 😎