Experts say that a multi-signature scheme is the best protection against malware in an individual’s phone or other device, which could collect vital information, such as their private key to a Bitcoin wallet, without the user's knowledge.
However, figures from P2SH.info - which keeps track of the number of Bitcoins being held in Pay To Script Hash addresses, mostly multi-signature addresses - show that only 11 percent of existing Bitcoins are held in such addresses.
Although Bitcoin wallet experts from Freewallet and Bitmain think that a malware attack could go either way if it breaches a device with a wallet installed and in use, both agree that multisig is still the best way to go.
“When a Bitcoin wallet provides a 2-of-3 multi-signature setup then the user is safe because the device only holds one key. Without the other keys the attacker has no chance of spending the Bitcoin,” says Bitmain’s Alejandro De la Torre, who believes that vital information could definitely be collected from a device without the user’s knowledge.
“Wallet providers must use multi-signature security with a scheme like I mentioned above. Otherwise users are at grave risk.”
No issue for mass market
However, Freewallet’s Alvin Hagg tells Cointelegraph:
“We don’t think this case would lead to the fraud of Bitcoins. The level of Bitcoin adoption is so low in the sense of the mass market. The probability that someone would collect the data of thousands of people and then try to find access to Bitcoin wallets is quite low. However, the security question is a key focus for wallet providers. We always analyze all possible patterns of hacks. As for the case of losing Bitcoins due to data leakage, Freewallet users would not suffer since we don’t store sensitive information on user devices. Most user funds are stored offline in the vault, which has multi-signature protection. However, if you store your private key on a mobile device, for sure you should be prepared for the risk of losing your funds.”
According to P2SH.info, about 1.7 million Bitcoin addresses - 11.15 percent of all existing addresses - use Pay To Script Hash.
A multisig wallet may not be the best choice for every Bitcoin user, but it still guarantees better security where that is the primary concern. It lets two people complete a third-party payment: one person generates a transaction while the second person authorizes the payment. It also allows individual users to implement 2FA, in which one key is kept on the user’s computer and the second on a smartphone. In such a setup, the funds are only spendable with signatures from both devices.
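The 2-of-3 and two-device setups described above can be checked directly against the redeem script that a Pay To Script Hash address commits to. The following is an added example, not code from the article or from any wallet it names; it assumes the standard bare multisig layout (OP_m, public keys, OP_n, OP_CHECKMULTISIG), and the function names and public keys are constructed for illustration.

```python
# Added example: audit an m-of-n multisig redeem script and ask whether the
# keys exposed by one compromised device are enough to meet the threshold.
OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE

def parse_multisig(script: bytes):
    """Return (m, [pubkeys]) for 'OP_m <pk>... OP_n OP_CHECKMULTISIG'."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a multisig redeem script")
    if not (OP_1 <= script[0] <= OP_16 and OP_1 <= script[-2] <= OP_16):
        raise ValueError("bad threshold opcodes")
    m, n = script[0] - 0x50, script[-2] - 0x50
    keys, i, end = [], 1, len(script) - 2
    while i < end:
        size = script[i]  # direct push: one length byte, then the key bytes
        if size not in (33, 65) or i + 1 + size > end:
            raise ValueError("expected a 33- or 65-byte public key push")
        keys.append(script[i + 1:i + 1 + size])
        i += 1 + size
    if len(keys) != n or m > n:
        raise ValueError("key count does not match n, or m > n")
    return m, keys

def can_spend(script: bytes, exposed_pubkeys) -> bool:
    """True if the holder of the private keys for exposed_pubkeys meets m."""
    m, keys = parse_multisig(script)
    exposed = set(exposed_pubkeys)
    # Count key slots, not distinct keys: a key listed twice fills two slots.
    return sum(k in exposed for k in keys) >= m

def build(m: int, keys) -> bytes:
    """Hypothetical helper that assembles the script for the samples below."""
    pushes = b"".join(bytes([len(k)]) + k for k in keys)
    return bytes([0x50 + m]) + pushes + bytes([0x50 + len(keys), OP_CHECKMULTISIG])

# Constructed placeholder public keys (not real curve points), one per holder.
PHONE, LAPTOP, PROVIDER = (bytes([0x02]) + bytes([i]) * 32 for i in (1, 2, 3))
TWO_OF_THREE = build(2, [PHONE, LAPTOP, PROVIDER])
TWO_OF_TWO = build(2, [PHONE, LAPTOP])   # the computer + smartphone 2FA case
ONE_OF_TWO = build(1, [PHONE, LAPTOP])   # multisig in name only

if __name__ == "__main__":
    for name, s in [("2-of-3", TWO_OF_THREE), ("2-of-2", TWO_OF_TWO), ("1-of-2", ONE_OF_TWO)]:
        print(name, "phone key alone can spend:", can_spend(s, [PHONE]))
```

A script that lists the same key twice, or that sets the threshold to 1, still produces a Pay To Script Hash address, so the address type alone does not show that a single compromised device is insufficient.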
Coinbase, GreenAddress (recently bought by Blockstream), Electrum and many more employ multisig capabilities. Others include BitGo, Copay, Armory, Blocktrail, Xapo and Coinkite.