Why Should I Care About My Physical Security

Airfoil
Oct 25, 2018


Your identity. This encompasses your physical life as well as your digital life. When dealing with cryptocurrencies, both of these worlds intersect. The importance of protecting your digital assets lies in the nature of what cryptocurrencies offer. The ability to send digital assets to virtually anywhere in the world in a decentralized manner can also entice the wrong type of people.

When it comes to maintaining control of your digital assets, we at Cryo Security have always stressed the importance of controlling your private keys. This has been the modus operandi since the beginning of cryptocurrencies (the 10 year anniversary is right around the corner) and has been in the eye of computer science activists for much longer than that. While maintaining control of the private keys for your digital assets, you are able to do many things that normal fiat currencies have a tough time accomplishing.

SatoshiLabs just recently published an article on the very idea of physical threats. I thought this would be a perfect time to elaborate on the importance of physical security.

What is Physical Security?

Before we go about building a security profile for ourselves, we must first understand what physical security is and what it means for our cryptocurrency holdings.

Physical security is the set of measures an individual or company takes to control and secure physical access to whatever that individual or company deems important enough to protect. A real-world example: when you are on a crowded subway, you are vigilant about your personal belongings while in such close proximity to other people. This tiny example shows us what physical security is.

The threats people face are individual; no one will have exactly the same threat model. The digital assets may be owned by your firm or they could be your own, but the idea remains the same. Be vigilant throughout your daily life and remain proactive.

The danger of cryptocurrencies is the same component that also makes them so transformative: decentralization. Some cryptocurrencies are more decentralized than others (I could argue some cryptocurrencies aren't decentralized at all), and this is what people using these assets need to truly understand. If you lose the assets for whatever reason, there is no centralized system that you can contact to regain your funds. You can go to the authorities, but if you were attacked by a sophisticated attacker, the odds of this person or group of people being caught are very slim.

Physical security works in concert with digital security. Digital security, when properly executed together with the cryptography that underpins cryptocurrencies, is very secure. This system protects data-at-rest, but to further protect that information, you must consider physical security as the first line of defense from a potential attacker.

Threat Model

  • Understand what your adversary would look like.
  • What tools are available for your adversary to use against you?

Before beginning to build any kind of physical security system, you must first look at these two points. You must figure out who you believe would want to attack you. The second bullet point can help with this: what tools are available to a potential attacker to use against you? This may be publicly available information like physical addresses of businesses or personal residences. The internet makes it much easier for a potential attacker to garner information about a target.

Understanding what your potential adversary's profile might look like is very important if you plan on taking preventative measures. These questions you ask yourself will help you figure out what kind of attacker will try to come after you. Combine these two bullet points with the next question:

  • What would your profile look like from the attacker's perspective?

This information gives you much greater insight into what kind of adversary might come after you. Are you running a large cryptocurrency exchange? Is it publicly known that you hold 1/2 of the private keys? Do you scrub any personally identifiable information on the internet? Do you announce that you are holding a majority of your wealth in crypto? Do you use aliases when in public? You must ask yourself the question: how did the potential attacker become interested in me?

The answers to these questions determine whether you attract a specific set of people with a particular skill set. If the juice is worth the squeeze, there will be attempts. To avoid a scenario like this, you need to threat model. What is your threat, and how can you take preventative steps?


Preventative Measures

In the SatoshiLabs article mentioned above, there are a few basic steps an individual can take.

  • Beware of strangers
  • Use common sense
  • Don’t be an easy target

All three of these are extremely common suggestions and don't really add much safety. A 12 year old could offer you this advice. I want to build on them to offer a real-world solution.

  • Beware of strangers

Trust no one: these are trustless cryptographic systems. Of course you might need to trust people to function in the real world, but trust no one with your private keys or information about your funds. If you have a question on Reddit or a similar online service, use a burner account. Post while using a trustworthy VPN or use Tor to avoid IP tracking. Taking small measures like this protects your digital life, which intersects with your physical life.

  • Use common sense

It would never be prudent to speak about how much of an asset you own, and if you previously did divulge your financial assets to strangers on the street, STOP. Don't do that for crypto. If someone attempts to steal your stock in a certain tech company, the thief can't possibly access it. If you get hit with the wretched $5 wrench attack, your crypto can be sent to any address. Don't give someone the idea that you might be worth the attack. When out in public, you don't need to announce you own any crypto. Unless you are in a situation where a person is awarding crypto to you for previously owning crypto, no one needs to know (we all know how those scams work). Keep a low profile, or better yet a non-existent profile.

I’m not saying to never discuss crypto but what I offer is a solution to a problem that plagues anyone excited about a certain topic. Only you can decide what level of security you believe is acceptable.

  • Don’t be an easy target

This will vary from case to case, but you want to make sure you are not the lowest hanging fruit. You also want to realize that the larger the assets you control that someone knows about, the larger a target you are. An attacker will weigh the cost of going after a target against the potential benefit. The cost can include many different factors, but the whole goal is to never appear on anyone's radar in the first place.


Is that all?

There are varying degrees of measures you can take to further secure your physical life. Your threat model will give you the best insight into what needs to be protected. Do you perform a large portion of your job in an office building? Who has access to that building? How easy is it to gain access to the premises? Think about your personal property. Can people view what your house looks like from a quick browser search? Do you store any important documents in a safe in your home? Is that same safe rated to withstand some kind of attempt at physical extraction? There are many questions that you should ask yourself (this can be applied across your organization as well, with differing levels). Considering the questions that affect you and taking the necessary steps to harden your lifestyle will make you a much more difficult target. Your goal is to not stand out. You do not want to elevate your profile to a potential attacker. Taking these basic steps and asking yourself these questions will help you maintain the low profile desired by anyone walking around with digital money in their “pocket”.

If you have any questions regarding the physical security measures mentioned in this post or anything relating to cryptocurrency security, please feel free to reach out to me at J@cryosecurity.io or visit CryoSecurity.io.


Airfoil

Airfoil focuses on implementing infrastructure based in best security practices for the custody of digital assets.