Hello Hacker - take my private key!

Hello community!
First of all, I have to say that I’m falling in love with the concept of NEM. You guys seem to have built something here that is truly great.

I have one question regarding the handling of the private key. Please correct me if I’m wrong in any of my assumptions.

Assumption 1:
As with bitcoin, in consequence of the blockchain, transactions on NEM can’t be reset or somehow cancelled once they are approved by the network. Meaning that when my money (or any other asset as XEM) is gone, it’s gone.

Assumption 2:
To make a transaction on NEM, my private key is needed. It signs the transaction and assures that this transaction is from me.

Assumption 3:
Transactions on NEM are triggered through a wallet. This can be Lightwallet on a computer or an app wallet on a mobile device. Each wallet contains the private key.

Assumption 4:
If I want to run my wallet on multiple devices, I have to share the private key between these devices. This happens either through scanning a QR code or copying the private key itself manually or with copy paste.

My question:
Is this sharing of the private key not kind of dangerous for the normal user? If he is doing anything wrong with the private key, the content of his wallet is lost.
If I were a hacker, I’d try to build something that looks like the nem client/lightwallet, and try to snitch private keys with it.
If someone is able to break into my Android phone or my Mac, can he/she just read my private keys out of text files? Are these at least protected with the password I can set in the wallet?

Off Topic:
Obviously this is a cruel question to all cryptocurrencies. How is the normal user who is not used to computers protected? With VISA, MASTERCARD he still has the opportunity that they can restore the transaction, but with crypto this is no longer possible.

Thanks!
mebt

You should never share the private key(s) of your wallet(s) with someone else. As you mentioned correctly, everyone who knows your private key has full control over your assets (XEM or other mosaics) and can transfer them anywhere he wants to.

So yes, if a hacker builds a nem-wallet or something that looks like that in order to snitch the private keys of the users, he could probably be successful (same as the well-known “phishing” through scam-mails …).
For that reason you should only use your wallet / private key within applications you can trust.

Towards your last question:

  1. if you export your wallet with the official client / wallet he shouldn’t be able to read your private key (assuming he doesn’t know your password / passphrase)
  2. if you store your private key unencrypted within a text-file on your device … well … I think you know the answer :wink:

Well, this is all up to every individual if he/she wants to be responsible for himself/herself or not. Sure, there will still be “centralized” providers which can take care of your wallets and private keys. You would then, for example, log in to their page and then execute your transactions on their user interface. But this is exactly the thing that most blockchain enthusiasts want to avoid, because they want to be responsible for themselves and not depend on a centralized provider.
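
The difference between the two cases in the reply above (a passphrase-protected export versus a private key in a plain text file), as an added example that is not part of the original thread and is not the NEM wallet's own export format. It uses Node.js `crypto` with scrypt and AES-256-GCM; the field names, KDF cost values and sample key are assumptions.

```javascript
// Added example. Not the NEM wallet file format: field names, KDF cost
// values and the sample key are assumptions made for illustration.
const nodeCrypto = require("crypto");

// scrypt cost parameters (assumed; about 32 MiB of memory per derivation)
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Constructed 32-byte sample key, not a real account key.
const SAMPLE_KEY_HEX = "0f".repeat(32);

function deriveKey(passphrase, salt) {
  // A slow, salted KDF makes offline guessing of the passphrase expensive.
  return nodeCrypto.scryptSync(passphrase.normalize("NFKC"), salt, 32, KDF);
}

function sealPrivateKey(privateKeyHex, passphrase) {
  const salt = nodeCrypto.randomBytes(16); // fresh per file
  const iv = nodeCrypto.randomBytes(12);   // fresh per encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(Buffer.from(privateKeyHex, "hex")), cipher.final()]);
  return {
    salt: salt.toString("hex"),
    iv: iv.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"),
    ciphertext: ct.toString("hex"),
  };
}

function openPrivateKey(blob, passphrase) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, "hex"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "hex"));
  decipher.setAuthTag(Buffer.from(blob.tag, "hex"));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(blob.ciphertext, "hex")), decipher.final()]);
    return pt.toString("hex");
  } catch {
    return null; // wrong passphrase or modified file: GCM tag check failed
  }
}

// What ends up on disk in each case.
const sealed = sealPrivateKey(SAMPLE_KEY_HEX, "correct horse battery staple");
console.log("plaintext file:", SAMPLE_KEY_HEX);
console.log("sealed file   :", JSON.stringify(sealed));
console.log("right passphrase:", openPrivateKey(sealed, "correct horse battery staple") === SAMPLE_KEY_HEX);
console.log("wrong passphrase:", openPrivateKey(sealed, "guess"));
```

The sealed file is only as strong as the passphrase: someone who copies it can still guess passphrases offline, and the KDF cost only slows each guess.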