The incredibly popular MyEtherWallet service has announced that it will be launching a new mobile app to increase the security of using its site, which has already been attacked successfully numerous times. The goal of the app (with the unfortunate name of MEW Connect) is to not only protect users from phishing attacks, but also to act as a hardware wallet of sorts. In other words, it will not require users to enter their private key into the site, which is a very risky thing to do in general.
Despite its poor choice of naming (and we think anything crypto related with the word connect in it is probably a bad idea for at least the next decade or so), the idea comes at a critical point in crypto history where we are seeing an increasing number of attacks of various types, particularly attacks aimed at high-profile targets like exchanges and wallet services.
Former BitConnect spokesperson Carlos Matos performing his now-infamous “BitConnect!” shout, and reminding us all why the word “connect” should never be used by a crypto project ever again
MyEtherWallet has been attacked primarily in three different ways.
The first was through phishing sites, where fraudsters would create Google ads or other advertisements for a look-alike page. Crypto newbies, who are most susceptible to this kind of attack, would then access the site and enter their private keys. This, of course, resulted in the total loss of all of their account's contents, such as ether and ERC-20 tokens. In response to this sort of activity, most major web services put a stop to all cryptocurrency-related advertising. However, that trend may be reversing, as Coinbase ads are now appearing on Google, Instagram, and other services.
The next major attack type that MyEtherWallet saw was based on an attack on a DNS service, where users who typed in or otherwise visited the correct URL were fraudulently redirected to a phishing site. The attack only remained active for a few hours, but estimates suggest that the hackers stole a fair amount of money in the attempt.
The last interesting attack vector we are going to mention here is one where users of the Hola VPN service had all requests to visit MyEtherWallet for a five-hour period forwarded to a phishing site. In a sense, this attack had a similar outcome to the DNS hack.
It is in light of these types of attacks that MEW Connect is entering the market.
Launching the Beta
The service has not gone live yet, however, and it will soon be entering a closed beta for a lucky set of people chosen to participate. The beta will be iOS only, but the site says an Android version will be coming soon.
Some of the features available in the service include client-side encryption, transaction verifications, account backups, and of course, protections from hackers and phishing.
According to TechCrunch, the system works in a way familiar to most mobile crypto users: it uses scanned QR codes in place of needing to enter private keys. Presumably, the user will enter their private keys into the mobile app, and from then on would never need to enter private keys into a computer or browser.
The TechCrunch article confirms that MEW Connect will use “Apple’s keychain services to encrypt the app – which it said retains data on-device – and pair it with the web-based peer.”
A Key-Free World
One important step towards general adoption of cryptocurrencies is that interacting with one’s wallet should be easy and foolproof. In other words, wallets should be designed so that it is difficult for someone who is inexperienced to make a serious mistake and lose all their funds as a consequence.
For example, the average user should most likely never need to interact with their private keys. This is because the private key is the most vulnerable point of attack. If a new user is somehow convinced or tricked into giving up their private key without knowing what it is, then these sorts of hacks will continue. This doesn’t mean that a wallet should necessarily restrict a user from getting their private key if they understand what it is or what it’s for, but for most non-technical users, direct access or interaction with a private key should be unnecessary by design.
For instance, a well-designed mobile wallet should generally only deal with a user's public addresses and QR codes for sending and receiving. Services like MyEtherWallet allow for a lot of flexibility in interacting with the Ethereum blockchain. But as we’ve learned the hard way through potentially millions of dollars being lost through hacks of just that one service, the way things are set up now is simply not working for the average and potentially inexperienced user.
The reason why people today use services like credit cards and online banking is because they feel safe doing so. That’s partly because these systems were designed with non-technical users in mind. It’s also partly because if a theft occurs, there is an insured bank that will cover any losses. Crypto doesn’t have insured banks to cover losses, and so in order to convince an average user that cryptocurrency is safe, the software that we use to interact with it needs to be absolutely bulletproof.
Perhaps MEW Connect will be a step towards that lofty but essential goal.