A Safer MyCrypto
Why MyCrypto is deprecating support for private keys on the web, and what you should do to prepare.
TL;DR: We’re removing support for private keys on the web version of MyCrypto because it’s not safe — and we encourage others to follow suit.
If you want to use your private key still (or want to be safer in general), use the upcoming stable MyCrypto Desktop app. The Alpha version is available now, but the stable version will be released the next few weeks. At that point, private key based wallet access will no longer be supported on MyCrypto.com.
Phishing is out of control
A recent analysis of EtherscamDB’s scam database shows a total of $23 Million dollars in stolen user funds, with potentially millions more unrecorded. As pointed out in the phishing analysis, fake MyCrypto/MyEtherWallet sites are the cause of nearly a third of the losses, totaling at least $8 Million dollars.
The web is a minefield, and traps can be set on any email you receive or site you visit. Phishing attacks are purported through a variety of channels, and hackers are only getting more sophisticated.
MetaMask recently warned of a novel attack where sites would impersonate an active MetaMask session and prompt users to enter their secret mnemonic phrase.
New users are especially vulnerable, as they may be phished on their very first search for a wallet.
When we first started building our product, a browser-based solution had two key benefits: the low overhead of building and maintaining and the ease of use for users. We went to great lengths to monitor and secure our infrastructure and we made the decision up-front to never store any personal data (like your keys, passwords, login details, etc.) on our servers.
Reducing the risk and attack surface was a good choice, but not a foolproof one. The past years have shown that ease-of-access has risks — even (and maybe especially) when the user is in full control of their funds and personal information.
Steps we’ve taken so far
Over the past few months, messaging on MyCrypto.com has become increasingly persistent in recommending users to switch away from unsafe wallet formats. We have pestered users to run locally and offline, utilize hardware wallets, and consider key managers like MetaMask and Parity Signer.
On April 24th, MyEtherWallet became victim to a hijack of Amazon DNS servers. The attack against MEW targeted the infrastructure of the internet and proves the lengths malicious actors will go to in order to nab your private keys.
After this attack, it became clear that we needed to do more to prevent users from losing funds. When users first visit MyCrypto.com, they are greeted with an on-boarding flow that provides a guide on best practices to prevent phishing. This guide advocates for best practices like verifying the URL and Certificate, and bookmarking the site. For most use-cases, this level of paranoia is more than enough, and frankly more than we can really expect. Mass adoption of cryptocurrencies is unlikely in a world where a mis-click can cost you your life savings. Tragically, even when a user takes painstaking precautions in verifying that they are on the correct site before entering their private key, a compromise of the site itself can still result in a total loss of user funds.
How do we solve this?
Soon, when you visit MyCrypto.com and attempt a login with a private key, keystore file, or mnemonic phrase, you’ll see a notice to download our audited and stable Desktop applications (currently in Alpha, but will be released in the next few weeks). These applications offer the full MyCrypto interface with our entire suite of supported wallet formats.
MyCrypto Desktop will replace private key, keystore file, and mnemonic phrasebased access on MyCrypto.com.
For users already using MetaMask, Ledger, Trezor, or Parity Signer, great job! MyCrypto.com will continue to be the fully-fledged wallet interface you know and love today, and you won’t need to change your workflow (although we do think our Desktop applications are pretty swanky)!
To prepare yourself for this change, you should download the MyCrypto Desktop Alpha.
While the MyCrypto Desktop is still in Alpha, we’ll be pushing out a release in the near future that will bring it to a full stable launch in the next few weeks!
We’re incredibly grateful to the Alpha testers of the new MyCrypto Desktop applications. Their feedback and validation of our foray into a new platform has given us the confidence to make a full, stable launch of our new desktop applications.
Ensuring MyCrypto Desktop is secure
In addition to the community feedback we’ve solicited during our Alpha testing period, we’ve partnered with Cure53 to perform a second round of audits on MyCrypto, with a special focus on our Electron-based Desktop wallets. We’re grateful to Cure53 for their help in hardening MyCrypto Desktop, and are excited to be cleared for launch! You can see the entirety of both our 1st and 2nd audits here.
In spite of substantial efforts, numerous approaches, thorough testing and the code review completed by several Cure53 testers, the MyCrypto project stood strong. It meets- and oftentimes exceeds — key security standards and should be seen as recommendable solution from a security standpoint going forward.
Even though Electron applications tend to be prone to “Critical”-level pitfalls, the MyCrypto app managed to avoid these and remains secure.
— Cure53
Note: We’ve heard reports of phishers impersonating MyCrypto staff offering to remote-in to your Desktop to help fix and debug issues. MyCrypto Staff will never ask you to install applications like teamviewer or logmein to help resolve your support questions.
We’re asking the industry to follow us in deprecating support for direct private key access in the browser
At the Wallet UX “Unconf” following Edcon in Toronto, I gave a talk on some of the security and usability improvements in the new MyCrypto. As part of my talk, I advocated for an industry wide standardization of removing private key based wallet access in browsers. A room full of major wallet providers gave a unique opportunity to gather consensus on such a controversial change. I want to make a special shoutout to Derek Chiang for taking the time to make the “Unconf” happen.
For new and existing dapps, we strongly discourage offering private key / mnemonic / keystore-based access.
As we have regretfully learned, this functionality, while great for low-friction usability, is a long-term security nightmare. To set up the ecosystem for a more secure future, we need to protect our users and add some friction to our workflows today.
Luckily, there has been a flurry of development to provide both usable and secure alternatives to private key, keystore file, or mnemonic phrase formats. The Parity team has done an excellent job of bringing the Parity Signer to production. MetaMask has maintained an extremely usable and low-friction service via their Web3-enabling chrome extension. Hardware wallets have continued to be the most secure option for the majority of users to hold their cryptocurrencies. These tools, in addition to the new MyCrypto Desktop application, show a mature ecosystem that is absolutely ready to replace direct private key access in the browser.
Questions?
We are doing our utmost to make this transition as quick and painless as possible. Should you have any questions or concerns about accessing the MyCrypto interface with your private key, keystore file, or mnemonic phrase, please don’t hesitate to reach out to us at support@mycrypto.com.
Report Issues / Bugs / Unintuitive Things
- HackerOne (for critical vulnerabilities)
- bugs@mycrypto.com
- GitHub Issues
Get Help & Give Us Feedback
Get Involved
- Gitcoin
- GitHub
- Translations! If you speak another language, we could use your help translating the UI so we can once again be truly global.
