Crypto Security Primer
Many cryptocurrency investors have fallen prey to scams, hacks, and phishing schemes. If you plan to HODL your own crypto, there are some basic things you can do to reduce the number of attack vectors that you are exposed to. Bear in mind that security is a moving target, much like the endless battle between our immune systems and the many pathogens that besiege each of us on a daily basis. You can never “win” outright, but just like with our immune systems, there are a number of steps we can take to swing the odds in our favor.
First of all, the best defense is to simply not get targeted. To improve your chances of this, be careful not to paint a target on your back. If you have a presence on social media, limit what you disclose about the size of your holdings, where you buy, and the specific steps you take for security. A hacker will look for people who post screenshots showing, for example, that they purchased a large amount of crypto from a specific exchange, and then craft emails to them that mention the details that were shared. For example, if you say on social media that you just bought 100 Bitcoin on Kraken, you have given away several pieces of information that make you a target:
A hacker now knows which exchange you use.
The hacker now knows a minimum amount they can gain if they compromise you.
Assumptions can be made about the time of purchase.
So now you might get an email from a spoofed domain saying something like “Important information about your purchase of 100 BTC on May 2nd, please click here to verify your transaction” or some such. When you click that link, you are taken to a mirror site that simply steals your login credentials. Tricky, tricky.
Another step you can take is to be sure not to disclose too much information in text messages about what you hold and where. There are two big reasons for this: first, text messages are not secure, and you should consider anything you text to be in the public domain forever; second, the more people who know what you are doing, the worse your security becomes.
If you do share information that you want to stay private with someone you trust, consider at least using an encrypted messaging application like Signal. Ask your trusted party to install the same app, which uses end-to-end encryption. Set your messages to be destroyed after a period of time (often called auto-shredding), so they cannot be searched later on if there is some kind of breach.
Now, anywhere that you sign in should be considered a point of vulnerability. Especially important are your email account and any exchanges you use. If someone gains access to your email, they can use it to reset your exchange password, so consider securing your email a very high priority. A story was circulating on Twitter recently where a hacker got into someone’s email account and put a filter on their inbox so that emails from their exchange were automatically filtered away. The hacker simply read those emails from the trash, and the actual owner never even saw them.
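The inbox-filter trick above is cheap to check for, and the check is worth repeating after any suspected compromise. The script below is an added example, not something from the original post: it audits a Gmail filter export (which, as I understand the format, is an Atom feed whose entries carry `apps:property` name/value pairs for criteria and actions) and flags any rule that trashes, archives, marks as read, or forwards mail, raising the severity when the rule matches a term you care about such as your exchange's domain. The sample export and every address in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Gmail's filter export is an Atom feed; each <entry> carries <apps:property> children
# whose name/value pairs hold the match criteria and the actions (assumed format).
ATOM_NS = "{http://www.w3.org/2005/Atom}"
APPS_NS = "{http://schemas.google.com/apps/2006}"

# Actions that make matching mail vanish from the inbox or leave the account entirely.
HIDING_ACTIONS = {
    "shouldTrash": "deletes matching mail",
    "shouldArchive": "skips the inbox",
    "shouldMarkAsRead": "removes the unread marker",
    "forwardTo": "forwards matching mail to another address",
}
MATCH_FIELDS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")

# Constructed sample export: one harmless newsletter rule and two rules of the kind the
# story above describes (hypothetical addresses, not real services).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='news@newsletter.example'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='no-reply@exchange.example'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='withdrawal OR verification code'/>
    <apps:property name='forwardTo' value='unknown-mailbox@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    # The export is a file you downloaded yourself; for untrusted XML prefer defusedxml.
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM_NS + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS_NS + "property")}
        filters.append(props)
    return filters


def audit_filters(xml_text, watch_terms=()):
    """Flag filters that hide or forward mail. watch_terms are strings (for example your
    exchange's domain) whose presence in the match criteria raises severity to 'high'."""
    findings = []
    for props in parse_filters(xml_text):
        actions = []
        for name, meaning in HIDING_ACTIONS.items():
            value = props.get(name)
            # Boolean actions are exported as the string 'true'; forwardTo carries an address.
            if value and (name == "forwardTo" or value.lower() == "true"):
                actions.append(f"{meaning}: {value}" if name == "forwardTo" else meaning)
        if not actions:
            continue  # labelling or starring alone does not hide anything
        criteria = {k: props[k] for k in MATCH_FIELDS if k in props}
        haystack = " ".join(criteria.values()).lower()
        watched = any(term.lower() in haystack for term in watch_terms)
        forwards = any(a.startswith("forwards") for a in actions)
        findings.append({
            "criteria": criteria,
            "actions": actions,
            "severity": "high" if (watched or forwards) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_filters(SAMPLE_EXPORT, watch_terms=("exchange.example",)):
        print(f["severity"].upper(), f["criteria"], "->", "; ".join(f["actions"]))
```

Run it against your own export with your exchange's sending domain in `watch_terms`; any finding you did not create yourself is a reason to assume the account was accessed and to rotate the password and 2FA, not just delete the rule.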
To secure your email, first make sure to use a modern client (some older email providers are still not using proper encryption). Second, use a strong and unique password, and set up some kind of two-factor authentication. SMS messages are the worst form of 2FA, so avoid them (text messages are too easy to spoof and scrape). A better option is a time-based code from an app like Google Authenticator, and better still is a hardware key, such as a YubiKey. A hardware key prevents anyone from signing in as you unless they have the physical device, which you can keep with you. This makes compromising your email a task that cannot be accomplished from a remote location.
Make sure to back up your 2FA codes if you are using an app like Google Authenticator. If you drop your phone in a lake, you will be unable to sign in to any service that requires a 2FA code until your 2FA is reset.
Additionally, I recommend never turning in your old phone when it’s time for an upgrade. This may seem a bit over the top, but I just don’t trust that “wiped” devices are ever truly wiped clean. If you hold a significant amount of crypto, consider this a necessary step.
Lastly, please consider HODLing your crypto long-term in cold storage. Never buy a cold storage device (also known as a hardware wallet) used, or from a site like Craigslist. These devices could have been tampered with, or the private keys could already be known to someone. Only purchase from a reputable company, directly from its own site. For example, with Trezor, go to Trezor.io rather than simply Googling “Trezor for sale.” Once you get your cold storage device, follow the instructions carefully and make sure to have a recovery plan in place. This means keeping your 24-word backup phrase someplace safe and typically NOT in the same location as your hardware wallet: if there were a fire or a flood, you could lose your hardware wallet and your backup phrase at the same time. Geographical separation removes this possibility.
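It helps to know what the 24 words actually are, because that explains why a written backup can be checked for transcription errors before you ever need it. The following is an added example, not code from the original post or from any wallet vendor: it follows the BIP39 scheme that Trezor and most hardware wallets use, in which 256 bits of entropy get an 8-bit SHA-256 checksum appended and the 264 bits are cut into 24 indices into a 2048-word list. The word list itself is not embedded here, so the functions work on word indices; the all-zero entropy used in the demo is the published BIP39 test vector, which reads "abandon" 23 times followed by "art".

```python
import hashlib

VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def word_indices_from_entropy(entropy: bytes) -> list:
    """BIP39 encoding: append the first ENT/32 bits of SHA-256(entropy) as a checksum,
    then cut entropy||checksum into 11-bit word-list indices (0..2047)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total_bits = ent_bits + cs_bits
    n_words = total_bits // 11
    return [(combined >> (total_bits - 11 * (i + 1))) & 0x7FF for i in range(n_words)]


def checksum_is_valid(indices: list) -> bool:
    """Reverse the encoding: split off the checksum bits, rehash the entropy, compare."""
    n_words = len(indices)
    if n_words not in VALID_WORD_COUNTS or not all(0 <= i < 2048 for i in indices):
        return False
    total_bits = n_words * 11
    cs_bits = total_bits // 33        # 24 words -> 8 bits, 12 words -> 4 bits
    ent_bits = total_bits - cs_bits
    combined = 0
    for idx in indices:
        combined = (combined << 11) | idx
    checksum = combined & ((1 << cs_bits) - 1)
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return checksum == expected


if __name__ == "__main__":
    # All-zero entropy is the published BIP39 test vector: 23 x "abandon" (index 0) + "art" (index 102).
    indices = word_indices_from_entropy(bytes(32))
    print(indices, checksum_is_valid(indices))
    # Mistype the last word (index 101 is "arrow") and the checksum no longer matches.
    print(checksum_is_valid(indices[:-1] + [101]))
```

Two practical consequences: a backup with a wrong or swapped word will usually fail this check (the 8-bit checksum misses about one error in 256), so verify the written phrase on the device before moving funds; and because the words are just entropy in disguise, anyone who reads them holds the keys, which is why the phrase needs the same care as the device and should never be typed into a website or phone app.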
Using cold storage can have a steep learning curve. But once you get used to the peace of mind that comes with using it and knowing that your private keys are stored in such a way that hackers cannot reach them, you will sleep much better at night. By the way, the reason hackers cannot reach your cold storage device is because these devices are simply not connected to the internet unless you are using the device to broadcast a transaction. There are even some devices (like Coldcard) that never need to be connected to the internet because the signed transaction is transferred via a memory card from cold storage to your wallet on your computer or phone.
As I mentioned before, security is a moving target. If you’ve already taken the steps that I mentioned above then you’re probably ahead of the curve. But there’s always more you can do. In general, it’s a good idea to put measures in place that are one step beyond what you think you’ll actually need.
Thank you,