Software wallets defined. Now, it's important to note that "software wallet" is not a term that's used in practice. You say "hardware wallet," but you don't say "software wallet." The only reason we're talking about it here is as the opposite of hardware wallets, and to talk about... If you're going to talk about hardware wallets, you would probably think there would be a software wallet, but in practice that term is not used at all. So we just put that in here to provide some context, and to help with the understanding and learning process. I just want to be very clear that "software wallet" is really not used. People will say "wallet." If you say "wallet," you could be using that generally in conversation, but if you're saying "wallet," it's probably talking about software. If it's something other than that, then you would say "hardware wallet," or "paper wallet," or some other thing. You would define it. But if it's just "wallet," by default it's talking about software. So this is really just a way to define what the other wallets are, just so you can visualize it. Yes.

So a software wallet is used on computers, tablets, smartphones. Like we talked about, for every device, everything that we normally use, there's a wallet for that somewhere. Software can also be used to generate a paper wallet, which we are going to discuss later. So a paper wallet is a form of cold storage, but there is still software that's needed to generate these cold storage wallets. That's why I'm talking about these little nuances that you have to understand.

Web wallets, browser plugins, mobile wallets, desktop wallets: essentially, these are all software that is referred to using the aforementioned terms. Again, another nuance: a hardware wallet may also use a browser plugin as the interface. So a hardware wallet, which we're going to talk about...
It's a little device that will have a screen. Some models may look maybe like a smartphone, but often they're quite small devices, but they would have a screen. There is an interface on the screen, but they also typically have an interface that's on the computer screen. So there would be a plugin. So again, you really call that a hardware wallet, but to use it, there's still this software interface, like a browser plugin. Also, in addition to that, a hardware wallet also typically has firmware, which is not software, not hardware; it's firmware. It's like isolated software that's just for that hardware device. So those are some of the little nuances that are important to understand.

So, hardware wallet definitions and attributes. "Hardware wallet" is a distinct term that's used in practice. A hardware wallet is a physical device, as the term would imply. So hardware wallets can be used with infected computers without really compromising security. That's the really interesting part about it: you can actually take it with you. It might not be something that's done so much in practice, but I mean, it's literally a device you can put in your pocket, and you can take it with you. You could use it on any computer, and that's because of the secure element, which is the key component, the value proposition of a hardware wallet. There are other things that use secure elements. Secure elements are not new to cryptocurrency hardware wallets; secure elements are used in various other devices. What it is, it's like a little microprocessor that keeps things separate and isolated from other software. In other words, malware can't go grab something off a secure element. It's isolated, almost like an island. So that's the proposition for why hardware wallets can be used with an infected computer, because it's one-directional. They can generate the private key and communicate transactions going out, but malware can't affect it.
The secure element is designed to be a tamper-proof chip. That's really what it is. This is just borrowed from secure elements that are already out there in the real world, and in some cases the secure element may be an existing secure element already manufactured somewhere. It's not like a secure element is made new for cryptocurrency wallets. The rest of the device may be, but the secure element many times is actually borrowed from industry. That specific chip is already being produced.

So the mnemonic seed, which we're going to discuss later, is also used to restore a lost hardware wallet. It's simply like a private key. So we're going to talk about mnemonic seed and passphrase and private key. For our use, those terms are interchangeable. What it is, basically, is a string of characters that you have to keep secure, and if you don't, you're going to lose your assets. So when you set up the wallet, there's like a 12- or 24-character mnemonic seed that you create. That's correct. Yes. So that is what's typical with hardware wallets specifically, but it's also used in... it's like an alternative, you could think of it. An alternative to a private key. A private key is just a string of characters, like one word or something. It's just the characters. A seed is literally words. They're like real English words. Like you'd set up a password now. Right. If you wanted to. So there is a bit actually that we're going to talk about, but those words would be generated. It's generated for you. You don't make them up. They're generated on the screen, and you would write it down on a recovery card. So again, you have the hardware physical device. The cold storage is... Back to the Post-it notes. That's right. Exactly, you do. But just don't have it... Don't have it on your computer. Don't have it on your computer. Put it in a safe. Have it in a safe deposit box. But yes, it does come back to that piece of paper. It comes back to the Post-it note.
We'll never get away from what our grandparents did. Yes. So that's what you would do. You'd actually write that down on that Post-it, or actually use the card that's provided, which actually has 1, 2, 3, 4 through 12 or 24 and a line, a card that you would write the words down on.

These are examples of hardware wallets. So if you guys want to see what these actually look like, these are the three main producers, and there are several more now. There are probably another three or four that are out there, but the three manufacturers that have the best reputation, that have been around for a long time, are Trezor, Ledger and KeepKey. KeepKey was actually acquired by ShapeShift, which is an exchange, a non-custodial exchange, but you can go to the websites here and just check them out and see what the differences look like in the models and things like that, and actually get an idea of what they look like. So those are links to go check out what some of the hardware wallets look like. Like I said, there are other ones out there.

I'll talk about managing risks from an accounting perspective, like where else do I see where accountants and auditors should dive a little deeper. Well, again, we talked about reputation with exchanges. Well, these, again, are companies. They make these things. Well, they have their own reputation. So again, these were some of the original ones, but there are new ones that are out now. They've just come out. I just heard about some recently, where I've discovered them from searching, and I'm like, who are these folks? I don't know who they are. How do I know I can really trust this thing that they're making, and so forth? Some of these folks, I've actually met some of the founders at conferences and so forth. So I mean, they're known. They're on podcasts. They have a great reputation. So you have to really know, if there's a company involved. Now, you can have a blockchain where there's no company.
We've talked about that, but whether it's a public blockchain or companies, you have to know what the reputation of it is.

So we talk about paper wallets and backups. We talked about the hardware wallets and that, even though it's a hardware wallet, you're still backing up your seed. You're using cold storage as the backup for it. So you're writing it down on a card, which is simply a piece of paper. But you can also have a paper wallet, which is really referring to cold storage, or simply a piece of paper that will have the public key and the private key on it. You can generate that using software. You can also do that offline in a way, but literally you're generating that on a piece of paper, and then you could send Bitcoin to it and have it be secure. Then essentially you've had something that was generated, it was never generated online, so you've reduced the risk because it wasn't ever exposed in an online fashion. It was created literally offline. Its complete lifecycle is offline. So when you think about a paper wallet, that's silly, like the Post-it note, right? Yeah. But it is used.

Now, then we start to look at wear-off. Is there a risk? Well, you could have degradation. What if you folded it in half, and not that you would... Or put it through the wash. There are stories from the early days about people who had paper wallets. Yeah. They had Bitcoin on it and then they were careless. It literally wasn't... Yeah. Like a Post-it note. It was just in a drawer somewhere. Then all of a sudden a few years pass by, and all of a sudden, news: there's some value, and they go looking for it and they can't find it. Yeah. There are lots of stories like that. Yeah. So let's go on. Yeah. They didn't back it up. So now, if you made two copies of the paper wallet, actually the second copy is like a backup itself, just because you have it in two places. The second version would be the so-called backup, right?
So the key pair, again, that's generated offline and that's stored on paper. That would be something, because it's going to have the private key, typically, and the public address on it, that you would want not to have laying around; you would store that somewhere.

Well, I wanted to ask you a question about one thing you said: putting the private key and public address on the same paper. Would you store that in the same place or separate places? Do you want the public address to be stored with the private key, in case someone could find them together? Well, that's a great question, but typically you could separate it if you wanted to, but I think by default they come together. Because if you separate them, then you've now split it up into parts. Right. Now you've got the risk that you know one is related to the other. But many of these things are designed in such a way that they're made to fold over. So you fold over the private key, and you might even have holographic stickers that you can get and put on there, so you know nobody has tampered with it, that type of thing. Yeah. But it's made so that typically, yeah, the private key is folded over. So for instance, if somebody went into a safe or wherever you had it, if they just pulled it out, they wouldn't see it immediately. Right. At least. Yeah. Yeah. Yeah. All right.

So at least another point on that too is that, when it comes to paper wallets, actually "paper wallet" refers to any medium, meaning in this case it can be wood, stainless steel, or titanium. So it's any medium that's physical in form. It's not digital but physical. So you might say "paper wallet," but you might say it's a wooden paper wallet, or it's a stainless steel paper wallet. You could say it's a stainless steel wallet, but I think because "paper wallet" was a term that was used, or has been in use, for so long, you would still say, hey, it's a stainless steel paper wallet.
So there are actually companies out there that have a niche in making stainless steel paper wallets. There was one that was... they don't exist anymore. I don't know that anybody has a wood one. That'll be more for vanity purposes, because you can make one like that. But, you know, stainless steel and titanium, for example, have melting points of 1200 to 1000 degrees, and plus they don't corrode. So basically you're mitigating fire damage, water damage, and stuff like that. Yeah.

So really, in order to secure what we're talking about here, we need to think about how we protect this information. So think of a hot wallet as an operating bank account, and cold storage as a savings account. One is used for recurring expenditures, and the other is accumulating funds for various purposes, as well as you're seeing all the transaction history and so forth right through your hot wallet. Revenue can go directly into cold storage and then be sent to a hot wallet as necessary. So again, if you want to keep things segregated and then transfer along the way, that is a risk-based approach you can take.

Multi-sig should be used in an enterprise environment. So for example, creating three authorised parties, and any two can send cryptocurrency. So in essence, in our world, this would be like getting a second signature on a check and making sure that you have the right authorized signers for a bank account. So multi-sig can be set up for your operating account, the wallet that you set up for that. There's also a cost-benefit exercise to reducing risk, which is a trade-off between ease of use and security, which is what we deal with today. When you're dealing with clients, this is always a discussion to have. You have to think about how you provide advice, like: this is the most recommended way I would suggest. If they take another route, then they're going to have to be liable for making those decisions, in our businesses and our personal lives.
Yeah, there's the ideal way that, on the surface, you may look at and say, well, that's not really the best risk-based approach, but it's like, well, wait a second, in practice, how are you doing it? Right. Then you say, okay, well, based on that, the cost-benefit says that we know we're going to forgo, or accept, a higher level of risk, because of the way it's practical for us to do this. Whether it's maybe a particular employee or something that you need to have that is not on there, managing refunds or something... Right. ...around there. There's some way that they're touching the cryptocurrency on a regular basis, and so... Yeah. It only makes sense to do it a certain way.

So the relationship of physical and digital security is that maximum cryptocurrency security is achieved offline and in physical form. So that's what we're talking about with the paper wallets and so forth. Physical security offline has existed for thousands of years, which we do today with deciding what goes to a bank account or credit card versus what's cash and cold, or whatever we have that we're trying to protect. Digital security online has existed for several decades, since computers. So it isn't, you know, as tried and true as our offline ways of securing currency. People are much better at physical security than digital security. That's why we have so many controls around physical security, because we know how to catch issues when they occur. A hot wallet is digital security and cold storage is physical security. So it's a repetition of what we've talked about, but it's just to make sure that is secure in your thought process when you're thinking about how to really implement this into your practice. Then, just like before, there is a continuum of what kind of risk someone is willing to endure, and what kind of controls they're willing to spend on, based on whether they want to be in a less secure environment versus more secure, and how they're going to protect themselves.
So that discussion is a really important discussion to be having when you're going through this with your clients, as well as if you decide to do this yourself. That's right. Again, it's just important to point out that physical security, because we talk about it being more secure, does not mean that everything should have physical security. Right. Because it might not be practical to have the resources, the crypto assets, and so forth all in physical security if you need to use them. Again, more like an operating account scenario, then you have to have it in the hot wallet. So it's a combination of factors. There are methods that are more secure than others, but it's how you put everything together and watch your security plan. There's no one perfect security plan, which is also important to point out, for a particular organization or an individual. There's no one perfect way to do it. You're reducing risk as much as possible for the particular circumstances. There might be what might be more of an ideal or perfect plan for you or your organization, but in general there's not a perfect plan per se.

So one of the ways to protect the information is with two-factor authentication, which you might be seeing more and more with software applications that you're using today as well. It's the easiest and cheapest security measure with the highest return. So what happens is, if you haven't used it, it's typically generated by an app that sends a six-digit code that expires in 20 seconds to your mobile device or desktop. The code is needed to access an account after entering username and password, and there are, out there right now, authenticator apps; Google has their own authenticator. You can set this up in a lot of ways, but it helps with people hacking into accounts that exist for you. So if someone has your username and password, the hacker still can't access your account without the two-factor authentication.
So sometimes it can feel pretty annoying when you have to go through the process of doing that two-factor authentication, but the cost-benefit of not doing it is huge, because when someone actually gets access and you haven't protected yourself well enough, then it's just gone. So this is an additional layer of security for logging into websites and sending cryptocurrency transactions. You increase security by combining something you know, a password, with something you have, the two-factor authentication code. Now, I just think it's really important that even if you're not using cryptocurrency today, or anything with a blockchain, you can be using two-factor authentication. You just might be choosing not to. That's correct. So it's good practice to start getting into it if you're not using it, so that you're actually comfortable with this and can actually advise a client on the importance of it as well. So when they're going into these scenarios and access, whether it's their accounting system or any other system that they're using, they've got this set up properly, and you're having the right conversations about it. Yeah.

One of the reasons... you hit on something there that comes to adoption in these areas, because in the short term, you said you're talking about how there's an extra step. Now you've got 2FA, and even password managers, which we're going to talk about, are creating extra steps, because people are just used to logging in, and maybe their e-mail is already populated, so they just type in the same password really quickly, like that. So it's like, that's really fast, and all of a sudden, wait a minute, you're asking me to have a new step. So in the short term, it seems like you're asking them to do extra work. Well, of course it is. That's the reason, again, talking about human behavior, it's very difficult to get people to change. That's just how it is; people resist change. Yeah.
But in the long term, after you develop a habit with it, soon enough that's just what you're used to. Yeah. You know that, okay, the two-factor code comes in. You don't complain or anything, and you actually have more of an appreciation and respect for it. It's more like, "Thank goodness, I'm protected." Exactly. Yeah. So these are some ways you can even be doing it today. I had already brought up the Google Authenticator app; there's also an app called Authy, and other tools as well, with text messages, e-mails, fingerprint readers, hardware tokens. All of these things are important practices to put into your life today. This isn't something that you have to wait for blockchain for.

Just one point. Sure. Something that's really important to highlight is that not all 2FA is the same. Just think about it like two types of 2FA. As far as a code, like a six-digit code, you've got Google Authenticator and Authy, which are just apps. So you download the app, it just produces... the dial goes around, it produces the code. You've got to grab it; if you don't get it in time, you've got to wait till the next code comes up. But 2FA can also take place in the form of a text message. So it comes directly into your phone. That is actually a high-risk 2FA that may actually work in reverse: instead of getting additional security, as you think you are, it could actually be less, in the sense that there's a phenomenon I just learned about fairly recently, which is called SIM card hacking. Interestingly enough, the phone carriers, and we know there's really just a handful of major carriers, do not have really great protocols around protecting consumers from this. So now there are some measures you can take, like you can put a portability hold on it, and there are different things like that, or like a verbal password over the phone.
There are some measures you can take, but still, generally speaking, they don't have really great controls in that area, and actually we need to have some, I think, regulation, or something along those lines, or there needs to be an outcry. There was a recent article, speaking about Fraud Magazine again, where this happened, and it can be done quite successfully, quite easily, with social engineering. Now, it's more like a spear-phishing type of scenario, because you can't get an e-mail list of hundreds of thousands or tens of thousands, or whatever, and just blast out a phishing e-mail. This is more like a targeted attack, but it's worthwhile, because when the targeted attack happens, it's a high-reward scenario. So in some cases, I think there was an article that talked about how the person doing the investigating actually called three of the carriers, and I think several of them didn't respond as to how they handled it. It's almost, oh no, we don't want to go there, we don't comment, because we don't want to expose how we don't have these policies in place and things like that.

But one famous case is, it was one of the founders of Tradehill, which is one of either the first or second cryptocurrency exchanges we're talking about, going back to like 2012, '13, somewhere in there. I believe his name was Jered Kenna. It was actually a famous case; there was an article in Forbes, you can look this up. He had a SIM card hack, and a lot of it had to do with the fact that your phone number is out there, and the e-mail that you use. Typically, this is where people go wrong also with e-mails: they use the same e-mail over and over again. So the same e-mail used for communication you also use for all your account usernames, and we know not every username uses an e-mail, but many do. So once it's out there, it's out there in the cyber sphere; everybody knows what it is.
So you've essentially handed over the key to the top block, so to speak, metaphorically, for what can be attacked. So anyway, the long and short of it is, he had a SIM card attack, and they proceeded to get... Once they got control of that, then they got control of his e-mails, and once they got control of the e-mails, they got control of his entire financial digital landscape, identity, et al., and, from what it sounds like, drained maybe all the bitcoins he had. Now, if you know anybody who had bitcoins going back to 2010, '11, like that, which this person did, and you know somebody that likely still has them, we're talking millions and millions of dollars here. Yeah. We're talking mega wealth. He didn't say what he lost, but I have it that it's like the stuff that will make you sick to your stomach with the hack. [inaudible] Yeah.

So this SIM card hacking is a really serious thing. So if you're going to use 2FA, the point here is don't do it in such a way that the code comes in... Really, if you want to get into best practices, especially if we're talking about on an organizational and enterprise level, you should actually have a second phone. The second phone, depending upon your level of crypto assets... but in my mind, they should actually start off with best practices, which is to have another number where you never communicate with that number whatsoever, like it's off the radar. It's like a secret stealth phone that you then use really mainly for 2FA. Yeah. But e-mail, like I said, the text message got hacked, but the same thing can happen in e-mails. E-mails, like I talked about. Phishing is the number one attack because of the human factor. Social engineering, phishing, and by 95 percent, hacks are done by phishing, whether spear phishing or e-mails, and so on and so forth, because humans are susceptible, and they've even proven that those that are most susceptible to taking the bait are the ones that actually don't learn a lesson.
They're the ones, the second, the third time, who continue to be the ones that take the bait. Right. Like they never learn. Yeah. Well, so, really good points to keep in mind when you're talking about doing best practices as you go forward.

So, these are some password managers to support security and usability. Password managers are web-based tools for storing and encrypting usernames and passwords, credit card information, and other important data. You can access the website in a few clicks and use the password generator feature to create secure passwords, so that you're not using the same password on everything, and you can put in how you want that password to generate, or it will come up with an example for you of a pronounceable password as well. Yeah, that's right. So ideally you would want to make a long password that has all the character types by default, but again, we go back to that whole ease of use and cost-benefit. So sometimes, when you go to, let's say, put your e-mails onto your smartphone, well, you have to type in the password. So if you're going to do that 48-character password, it's actually so cumbersome that it's actually not practical, even though in theory you would only want to do it once. Right. So sometimes you can still get some of the same strength with the password, like with a strong password, by choosing to make it pronounceable. But not necessarily a word. Even not a word. Yeah, it's easy. Your eyes can easily type that in, and so there are different reasons for having pronounceable passwords or long passwords, and like that. Yeah. So password managers support security and usability, and significantly reduce the risk of keylogging and screen capture malware, and brute forcing of passwords, which we've talked about. Typing in a 12-word passphrase or long passwords from cold storage, a piece of paper, is just not practical, which we just discussed.
Cryptocurrency access, ease of use, and speed are balanced with security and achieved by using a password manager. Password managers, like all cryptocurrency security methods, are part of an overall complementary strategy. So like we've talked about before, you need to think through a whole diversified strategy, and also ease of use, because you don't want someone to not do the two-factor authentication, or some of these other things, if you can do it in a way that's going to give them ease of use, or your ease of use. It's better to do some of it than none of it.

So there is software out there called LastPass that will allow you to hold all of your passwords. Yeah, there are many different password managers. This is one of the more widely used ones. Now, we're not necessarily supporting that; it's just one of the good examples that's out there, and one of the reasons is also because it's free. You can get a free account as one user, but it's also an enterprise-level password manager that you can scale from one into the hundreds. And it's interesting that we talk about resistance to change and adoption, because some people are like, "Wait a second. Why would I want to..." They're just nervous about it: "Why would I want to put all my passwords in the same place, and then I only have one password?" That's why they call it LastPass, because it's the last password you'll ever need. Yes. That's a play on words. But you can do two-factor also with LastPass. But then I would say, well, when you go to type in your password every time, if there's a keylogger... Yeah. It's going to get it. And then the user-friendly side. So that's the thing that you do, because it auto-populates. One thing you're eliminating is keylogging malware, because it just populates without you typing anything in. Yeah. Screen capture as well; it's hidden, so I know that password fields are typically obscured, but again, there are several of these malware tools that you can avoid by using it.
Again, brute force: if you look at the science, or what the data says about poor passwords, you still have probably somewhere around a third of all passwords being "123456" or "password"; those two combinations are the top two. Right. You can see how poor those passwords are. If you take the top 10, it probably comprises like 50 percent to two-thirds of all poor passwords. So having a password manager allows you to make this really stealthy password that can't be brute forced. So it's another method. It randomly generates the passwords. Yeah.

So now you are going to get an opportunity to do this and try this exercise on your own, to set up a password manager. All right. So you want to go to lastpass.com and click on "Get the LastPass for free". Again, a single-user account. If you don't have this already, you can try this. If you happen to have LastPass, then you can also just practice adding a site to it that maybe you haven't added yet. So simply follow the instructions to download the browser plugin. You'll create an account, which is the traditional e-mail and password, and then you also will need to download a browser plugin, like for Chrome; if you just type in "Chrome LastPass," it pops right up. It is very easy with the plugins; they install very quickly, in seconds. So you'll click on "Add site" from the browser drop-down menu and add credentials, or you can log into a site, and LastPass will add that site automatically. So what you're going to answer is: did you use a password manager before this exercise, and if not, do you expect to use it going forward, and what kind of benefits do you get out of it? Because password managers reduce the risk but should not be the end-all, especially when using cryptocurrency. So why don't you take a moment and try this for yourself, and then we'll come back together.
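As an added example, separate from the lecture transcript above and not code from the course or its authors, here is how the six-digit authenticator-app code discussed in the two-factor authentication section (the code that "the dial goes around" for in Google Authenticator or Authy) is actually derived. It is a stand-alone Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238) using only the standard library. The shared secret is the published RFC 6238 test secret rather than a real account secret, and the one-step drift window in the server-side check is an assumption chosen for illustration. The concrete point it makes is that the code is computed on the device from a shared secret plus the clock, so nothing travels through the carrier's SMS path; that is why the SIM-swap risk the speakers describe for text-message 2FA does not apply to app-generated codes, and why a code from an earlier 30-second step stops verifying once it falls outside the window.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumption: this is the ASCII test secret from RFC 6238, not a real account
# secret. Authenticator apps receive it base32-encoded inside the otpauth://
# URI that the QR code carries at enrolment.
RFC6238_SECRET = b"12345678901234567890"
RFC6238_SECRET_BASE32 = base64.b32encode(RFC6238_SECRET).decode()

STEP_SECONDS = 30   # lifetime of one code (the "dial going around")
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)        # keep leading zeros


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, at // step, digits)


def decode_base32_secret(encoded: str) -> bytes:
    """Turn the base32 secret from an otpauth:// URI back into raw key bytes."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                      # restore padding
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, at: int,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Server-side check: accept the current step and `window` steps either side.

    The window (assumed here: one step) tolerates clock drift between phone and
    server; anything outside it is an expired or future code and is rejected.
    hmac.compare_digest avoids leaking how many digits matched through timing.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift, digits), submitted)
        for drift in range(-window, window + 1)
    )


def seconds_remaining(at: int, step: int = STEP_SECONDS) -> int:
    """How many seconds the code for time `at` stays on the current step."""
    return step - (at % step)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SECRET, now)
    print(f"code {code} valid for {seconds_remaining(now)}s")
    print("verifies:", verify_totp(RFC6238_SECRET, code, now))
```

Running it prints the current code for the test secret and the seconds left on its step; the RFC 6238 vectors (for example, time 59 with this secret gives "287082") let you confirm the implementation against any authenticator app you enrol with the same base32 secret.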