Zengo & Coinmama’s Integration: Securing the Weakest Link in Crypto Purchases

If someone wants to buy crypto on a broker’s website and store it on their mobile wallet, their wallet address must reach the server of the broker’s website so the crypto purchase will end up in the right wallet. This manual process of transferring the address is the weakest link in the crypto purchasing process. It’s not only confusing to the user but also dangerous from a security perspective.

A Bitcoin address

A few weeks ago, we launched a world-first integration of our Zengo wallet with Coinmama’s crypto brokerage services. We did this to automate the address transfer process and bring simplicity and security to the crypto purchasing experience. In this article, we’ll take a more in-depth look at our solution’s security.

The Dark Ages: Pre Zengo Integration

Purchasing crypto on a broker’s website has traditionally required desktop users to go to their mobile wallet, copy the address, somehow send it to their desktop (e.g., by email to oneself) and then paste it on the website of the broker.

Typical address flow (pre Zengo integration) 

This is a manual process with multiple security problems.

The human factor

Let’s admit it. Humans are not very good at copying long, meaningless strings of characters, and crypto is unforgiving. In Ethereum, for example, every address is considered valid, so a one-character typo means the newly purchased crypto is lost forever, because it is sent to an address that has probably not been claimed yet.

Over 12,000 Ether Are Lost Forever Due to Typos (Source: ConsenSys)

Insecure transmission medium

Once the mobile wallet’s address is copied, users need to send it from their mobile device to their desktop. The communication channel (e.g., an email or instant message to oneself, or one of the many sync apps) is not always secure and adequately encrypted. There are many reported cases of crypto hacks due to connections to unsecured public Wi-Fi.

Source: CBS

Insecure user devices

Devices (desktop and mobile) are often the weakest security link: they are used for many purposes and are therefore an easy target for all kinds of malware, rogue browser add-ons, phishing sites, etc. Perhaps most notable are malware attacks on mobile and desktop devices that replace the victim’s copied address with an attacker’s address when it is pasted, thus stealing the victim’s purchased funds.

The Age of Enlightenment: Zengo Integration 

Zengo integration solves all of the problems mentioned above. With Zengo’s integration, the broker server talks to the wallet server, and both servers are maintained and monitored by dedicated security teams. The channel between the servers is also authenticated and encrypted, and the content integrity is checked.

The address flow with Zengo integration

By sending addresses directly from Zengo’s server to Coinmama’s server, instead of having them sent via the user interfaces and copy-pasting, we significantly improve the security of address handling (and the user experience).

  • We remove the insecure human factor: no more error-prone humans in the loop. With our integration, we replace humans with computers that don’t have these problems.
  • We remove the insecure transmission medium: no more ad-hoc channels over an insecure transmission medium. Instead, we now have secured channels over the Internet which use standards-compliant authentication, encryption, and integrity checks.
  • We remove insecure user devices: no more insecure devices. Instead, we use dedicated servers that are monitored and maintained by professional security teams to significantly reduce the dangers of malware.
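The following sketch is an added example, not Zengo’s or Coinmama’s actual code or protocol. It shows how a receiving server can authenticate a wallet address and check its integrity, so that a substituted address is rejected instead of being used. The pre-shared key, field names, freshness window and sample addresses are assumptions, and encryption is assumed to come from the transport (e.g., TLS).

```python
import hashlib
import hmac
import json

# Assumptions for this sketch: a pre-shared key between the two servers and a
# five-minute freshness window. Neither value comes from the article.
SHARED_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 300


def sign_address(user_id, address, issued_at, key=SHARED_KEY):
    """Wallet-server side: serialize the payload and attach an HMAC-SHA256 tag."""
    payload = {"user_id": user_id, "address": address, "issued_at": issued_at}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_address(message, expected_user_id, now, key=SHARED_KEY):
    """Broker-server side: return the address only if every check passes."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag characters matched.
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("integrity check failed")
    payload = json.loads(message["body"])
    if payload["user_id"] != expected_user_id:
        raise ValueError("address bound to a different user")
    if not 0 <= now - payload["issued_at"] <= MAX_AGE_SECONDS:
        raise ValueError("message expired")
    return payload["address"]


def outcome(message, expected_user_id, now):
    """Helper for the demo: report the address or the rejection reason."""
    try:
        return verify_address(message, expected_user_id, now)
    except ValueError as err:
        return f"rejected: {err}"


# Constructed sample values, not real wallet addresses.
GOOD_ADDRESS = "0x" + "ab" * 20
SWAPPED_ADDRESS = "0x" + "cd" * 20

if __name__ == "__main__":
    msg = sign_address("user-42", GOOD_ADDRESS, issued_at=1_000)
    print(outcome(msg, "user-42", now=1_060))
    tampered = dict(msg, body=msg["body"].replace(GOOD_ADDRESS, SWAPPED_ADDRESS))
    print(outcome(tampered, "user-42", now=1_060))
```

Binding the address to the user ID and a timestamp means a valid message for one purchase cannot be replayed later or attached to another user’s order.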

Parting Notes

Life is a series of trade-offs. In most cases, you have to choose between imperfect options. However, every now and then, you get a no-brainer, and Zengo’s integration with brokers to eliminate outdated address handling methods for greater simplicity and security is precisely that.