More than a year ago Bitwala introduced a new wallet function to their users. As I had used the Bitwala credit card and the service to pay invoices before that point in time, it seems that I signed up for this wallet on day one.

In general I used the service by transferring bitcoins to Bitwala as needed. In other words: every time I had to pay an invoice I transferred the exact amount from my other wallets. Then, sometime in early summer, I decided to transfer money to my wallet — to collect and pay a larger invoice. Transaction completed — bitcoins lost…

What happened?

Once the bitcoins are transferred to their online wallet, they can only be used with a wallet password. This might be communicated somewhere — however, before trying to transfer from the wallet to some other destination you do not get a chance to validate that you have the password (and, if you have it, to check that your password is correct). At this point in time the limbo started… contacting support…

A bit(coin) of technical background

The user holds the key to the money. This is a major change in behavior and workflow compared to typical financial transactions. When a wallet is created, several crypto keys are generated within the user's browser. At Bitwala those keys are shipped to the user in a PDF that you download once — and that is not stored anywhere else. If you lose this PDF your bitcoins are lost.

I am still not sure if I ever received this PDF — but that is not the point…

In plain English, support told me that if I do not know the password for the wallet — or if I do not have the PDF — I should try to brute force it.

As Bitwala is using the standard JavaScript library BitGo to implement its wallet, it is just a question of time to get the password, public and private key. So I decided to give the challenge that support provided me a try…

… a few weeks later, having had several nodes trying to find my keys, I am now sure that I have all the information that should have been stored in the PDF. Bitwala’s support confirmed by mail that the password and crypto keys are correct. But I am still not able to use the wallet, top up my card, or pay some invoices.

Multi-Sig — Best Practice with a “but”

In order to transfer bitcoins from A to B you need to sign a transaction. The signature is created with your private key. If everything is right you can fire this transaction directly to the miners — and your coins will be transferred as a result. This is the main reason why some people always claim that blockchain technology is removing the “man-in-the-middle”. As long as you hold the key — your coins are like cash. You do not have to ask someone to transfer them.

However, coin owners are humans. They lose their keys, get hacked, and so on… they need to be protected from being an autonomously acting species.

Most online wallets provide this “service” by introducing a multi-signature feature. In other words, each transaction needs to be signed not just by the user — in addition it needs to be countersigned by the online wallet provider.

But what if the wallet provider loses their key to sign? Let’s have a look at how Bitwala reacts or tries to defuse:

You would then be the 4th (and hopefully last) person to have received a “corrupt” PDF. But we have a solution up our sleeve for that as well, so don’t worry.

A corrupt PDF — or, in other words, useless key information. That is exactly what I ended up with. Bitwala stopped communication and I still see the bitcoins as lost in limbo.

Blockchain experience

The technology behind blockchains, crypto keys and every use case based on them is complex. And — it is completely different from “common knowledge” — which is based on traditional banking systems.

In traditional financial systems there are humans acting. They trust each other and are able to judge and make exceptions. Exceptions to the consensus.

Technology is brutal in itself. If something goes wrong by design it will go wrong as long as there is no built-in way for human “correction”.

Bitwala did everything right from an engineering point of view. But from my perspective they failed in implementing humans into their system.

At the end of the day there will be humans deciding if they trust technology or other humans. Blockchain technology will not find a way into the mainstream if startups ignore this fact. There will be a lot of money lost in the system until we find a real best practice.

Conclusion

Around 2.000€ for coaching in user experience is not too much. Today I thank Bitwala for the chance to lose money, as this gave me personally the knowledge of how complexity, change management and human interaction could be managed in the domain of blockchains.

UPDATE 31.08.2017 from Bitwala

Hey Thorsten,

You provided the client secret, XGw58NzSbDFXS8oh7.

This is data added to strengthen your password rather than the password itself.

To recover bitcoins, you need access to 2 of three unencrypted private keys, or 2 encrypted private keys with a password to decrypt them.

Unfortunately, if you don’t have your password, you cannot decrypt your private keys.

Best regards,

Tech Team
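
The two things a wallet could verify for the user before any coins are deposited, as an added example (not code from the original post, from Bitwala or from BitGo): that the typed password really decrypts the key backup, and that the backup satisfies the 2-of-3 rule from the support reply. The keycard layout (`userKey`, `backupKey`), the function names and the scrypt/AES-256-GCM encryption are assumptions made for this sketch, and the sample keys are constructed.

```javascript
// Added example: keycard self-check to run before a wallet is funded.
// Assumption: scrypt + AES-256-GCM stand in for the wallet's real key encryption.
const crypto = require('crypto');

// Encrypt one private key under the wallet password.
function encryptKey(privateKey, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(password, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(privateKey, 'utf8'), cipher.final()]);
  return { salt: salt.toString('hex'), iv: iv.toString('hex'),
           tag: cipher.getAuthTag().toString('hex'), ct: ct.toString('hex') };
}

// Returns the plaintext key, or null when the password is wrong or the entry is damaged.
function tryDecrypt(entry, password) {
  try {
    const key = crypto.scryptSync(password, Buffer.from(entry.salt, 'hex'), 32);
    const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(entry.iv, 'hex'));
    d.setAuthTag(Buffer.from(entry.tag, 'hex'));
    return Buffer.concat([d.update(Buffer.from(entry.ct, 'hex')), d.final()]).toString('utf8');
  } catch (e) {
    return null; // GCM tag mismatch or malformed field
  }
}

// 2-of-3 policy: the user can move funds without the provider only if the
// keycard yields at least two private keys with the password they typed.
function checkKeycard(keycard, password) {
  const usable = Object.keys(keycard).filter((name) => tryDecrypt(keycard[name], password) !== null);
  return { usable, selfRecoverable: usable.length >= 2 };
}

// Constructed sample data, not real keys.
const PASSWORD = 'correct horse battery staple';
const goodCard = {
  userKey: encryptKey('constructed-user-private-key', PASSWORD),
  backupKey: encryptKey('constructed-backup-private-key', PASSWORD),
};
// A "corrupt" keycard: one ciphertext nibble changed in the backup key entry.
const corruptCard = JSON.parse(JSON.stringify(goodCard));
const first = corruptCard.backupKey.ct[0] === '0' ? '1' : '0';
corruptCard.backupKey.ct = first + corruptCard.backupKey.ct.slice(1);
console.log(checkKeycard(goodCard, PASSWORD), checkKeycard(corruptCard, PASSWORD));
```

A wallet that ran `checkKeycard` on the downloaded backup and the re-typed password at creation time would surface a missing password or a corrupt PDF while the balance is still zero.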