Paranoid Guide to Personal Security
You might be wondering, “how much money can I make trading Bitcoin or Ethereum?” — but the first question should really be “how much can I lose?”
I wrote this because I want you to protect yourself online and prosper.
Before you start trading, first you need to understand the risks associated with investing or trading Bitcoin, Ethereum, Litecoin, ICOs, and other cryptocurrencies.
This advice is based on paranoia… and the paranoia is based on experience. I have been working in IT for over 10 years, I have personally administrated many public-facing web, email, phone, and database servers, and I am an active participant at DEFCON (the world’s biggest hacker convention every year) so I have seen a lot of things that normal people have not seen. Check it out almost every IP address in the world is constantly being probed by someone.
How do I prevent myself from getting hacked while trading Bitcoin/cryptocurrency?
First, let’s consider this, you might already be compromised. What? Yeah, your computer or mobile phone could already have malware or malicious software on it as you are reading this.
Targets get hacked way before they ever realize they are being owned until it is too late. Commonly, criminal hackers will already have gained and maintained command and control over a system days, weeks, or months before they act on it.
Some people might think this is going overboard, but once again I ask — what is the cost of losing all of your cryptocurrency?
How do I secure my computer?
There is only one way to know for sure that your computer is totally clean of any malicious software — reinstall your operating system. This is especially true if you have EVER had any viruses, malware, strange pop-ups on your computer. This goes for Windows, Mac, and Linux. No OS is safe — especially if you have been using it for some time or migrating all of your data and programs from one computer to the next.
PC Security Recommendations:
- Get a New Computer or Reinstall Operating System — If you install an operating system yourself, first verify the integrity of your installation media. For instance, you can calculate the MD5 sums of the image you use to install or hire an IT professional to assist you with this.
- Keep Software Updated — Keep your computer software updated regularly and do not use outdated operating systems. Outdated systems are not updated to patch known security holes and vulnerabilities.
- Install Security Software — Schedule routine antivirus scans and/or see an IT professional to have your computer fully inspected for trojans, keyloggers, mischievous applications/browser plugins. (There is a comprehensive guide here on cleaning and protecting your Windows PC.) As of April 2017 — Avast Free has one of the best protection rates of all antivirus programs (Source).
Once you are certain that your computer is totally secure, now let’s discuss passwords.
Use Strong and Unique Passwords.
The guidelines for this are very simple, but keeping track of passwords is complicated without a password manager. I strongly recommend getting one. A password manager is an encrypted database that is protected by a single password. This way, you can have a unique password for everything you do online and only have to remember one password.
What makes a password strong?
- Length — 28+ characters (or whatever maximum length sites allow).
- Variety — mix of numbers, upper and lower-case letters, and symbols.
- Uniqueness — every site and service must have a unique password. Do not reuse passwords.
- Password Managers — Choose and use one. I suggested a few below. You must use a memorable that is 16 characters or more password. This is the only password you have to remember and you use it nowhere else and have never used it anywhere else before. Do not write it down or store it on or near your computer. If you write it down, store it away from your computer and in a place that is private and safe. Be creative, not complicated — one of my friends likes to use lines of poetry for this.
What is the best password manager?
- PROS: Open-source software. You choose location of storage for your password database. You can store your password database on Dropbox or Google Drive (2FA capable) and access it from any device — Windows, OS X, Linux, mobile phones… If the developers are evil, you still control access to your database. There are also lots of plugins and extensions for security (useful for auditing your passwords) and web browser integration so you can have it autofill fields for you.
- CONS: A bit janky.
- PROS: Easy to use. Very slick iOS and OS X app that integrates with browsers and mobile apps, but if the developers are evil or they get hacked, you still control access to your database if you store it on iCloud, Dropbox, or Google Drive (all 2FA capable).
- CONS: Software is not open-source. The apps for Windows and Android, did not work very well when I last checked.
- PROS: Supports 2FA. It’s widely used and it has browser integrations.
- CONS: The password database is stored on their servers. If the developers are evil or they get hacked, you could potentially be at risk.
Use Two-Factor Authentication (2FA) on Everything
What is 2FA?
Two factor authentication is where you need two different methods — usually 2 devices — to login to your accounts. Each web service or software you use might have different levels of 2FA that are offered. Some use text-messaging, but this is weak due to number porting attacks. Most common is One-Time Password (OTP) where a new password is generated every ~30 seconds that you must use in conjunction with your stored password in order to login or access software.
What types of programs or devices are best for 2FA?
- Authy — Authy is an app that stores your seeds for you on their servers. So convenient (and dangerous). One redditor put it simply “storing the secret in the cloud like that is a fairly significant reduction in the security provided by the 2FA” — Reddit /r/netsec post
- Google Authenticator — Simple 2FA app from Google that runs on iOS, Android, and Blackberry. If you lose your phone, the only way to get into your account is by using your seed to setup a new app OR by emailing support for your site and begging them for weeks to let you back in.
- Yubikey 4 — If you prefer to have a completely separate state-of-the-art device, then Yubikey is for you. I have read that Google uses these internally because U2F is much better than 2FA, but not all sites support it yet.
What happens if I lose my phone or device that does 2FA?
When you enable 2FA for any site, it is extremely important that you keep a copy of the seed (secret code) that you use to enable 2FA in a secure place. I wrote something about this a few months ago.
How do I enable 2FA?
There are lots of great sites for instructions on enabling 2FA. After you do it the first time, it will make a lot of sense how to do it again.
- How to enable 2FA on Poloniex — this is very similar for other exchanges.
- How to enable 2FA on Dropbox — very useful if you store any secure notes or password databases.
- Useful list of 2FA tutorials — not all exchanges are listed on here, but you can request additions.
- You can just Google “how to enable 2FA on <insert name of service or site>”
Storing Cryptocurrency Assets
Where is the safest place for me to store my cryptocurrency assets?
Your cryptocurrency assets are all technically stored in the blockchain. However, the keypairs that prove your ownership and to move and transact with must be stored somewhere. Generally, there are two locations: wallets and exchanges.
What is a cryptocurrency wallet?
A cryptocurrency wallet is a secure digital wallet used to store, send, and receive digital currency like Bitcoin. Most coins have an official wallet or a few officially recommended third party wallets. (Source)
Do wallets store my cryptocurrencies?
Wallets do not store your cryptocurrencies. They do store your public and private keys — AKA key pairs. Public keys (AKA addresses) are like a location on the blockchain to track where assets are owned. This is part of how blockchains prevent counterfeiting — there is a record of where each fraction of an asset was created and where it is owned.
What do cryptocurrency wallets store?
Wallets store your addresses and keys. In order to be able to send cryptocurrency you will need an address for the destination and the source. The source address is programatically locked and can only be used with the corresponding private key. If you want to receive cryptocurrency, create an address. Never share your private keys.
What types of cryptocurrency wallets are there?
Full Blockchain Node Wallet is the most beneficial for the network, the most flexible and also the most dangerous way of managing your addresses.
Light wallet — software that allows you to send and receive cryptocurrencies without downloading the entire blockchain.
Paper Wallet — a keypair written on a piece of paper is the closest thing to cash in cryptoworld. It can be used for storage (not recommended) or as a redeemable coupon — which might work for gifts. As soon as it is viewed by anyone else (even by photo) they would be able to sweep the assets into their wallet and this is irreversible.
Hardware wallet arguably the most secure method. I am not aware of anyone who has ever had their hardware wallet hacked.
- Examples: Ledger Nano S, Trezor, KeepKey.
- Storing your hardware wallet seed — split it up behind two 2FA services
Backing Up A Hardware Wallet Key Phrase
- There are many ways to do this and none of them are either completely secure, or simple. My personal approach:
- Divide your 24-word key phrase into 2 parts
- Encrypt both of them with any encryption tool available for you, and store encryption keys in 1Password
- Find 4 storage services which support 2FA: e.g. AWS S3, Google Drive, Dropbox, Github private repo
- Enable 2FA on all of them, store OTP 2FA seeds in Authy
- Put first encrypted part of the key phrase into 2 of the services, and another part into another 2 of them
- With a setup like that your system will have 2 layers of protection: your 1Password master password and your password for accessing Authy. Those will be the only 2 password you’ll need to remember.
- (Source: Medium)
What is a cryptocurrency exchange?
Digital currency exchanges (DCEs) or bitcoin exchanges are businesses that allow customers to trade digital currencies for other assets, such as conventional fiat money, or different digital currencies. They can be market makers that typically take the bid/ask spreads as transaction commissions for their services or simply charge fees as a matching platform. (Source: Wikipedia)
Is it safe to store my cryptocurrency on an exchange?
Exchanges are the least secure place to store your digital assets. There are a lot of shady ones out there and they are often hacked. Also, they have daily transfer limits, for instance if you want to extract money.
How do I protect myself while accessing exchanges and accounts online?
Virtual Private Network (VPN)
I recommend using a VPN to conduct any private transactions online. It’s a great way to protect yourself — especially if you are using WiFi in public places like hotels, conventions, cafes, or co-working spaces. You can use all of these services on your computer and cell phone:
- https://www.ipvanish.com/ — no logs ~$7/month
- https://www.expressvpn.com/what-is-vpn/logless-vpn — no logs — ~$9.99/month
- https://www.privateinternetaccess.com/pages/buy-vpn/ — cheap and reliable ~$3/month
What are some tactics or strategies for mitigating risk while trading cryptocurrency?
- Look at the markets, learn to read charts, read CoinDesk and Twitter, learn strategies such as algorithmic trading.
- Be aware of volume changes in the markets.
- Only trade with 20–30% of your assets once you acquire them, not more.
- Exit strategy — always have a strategy worked out for getting your cryptocurrency back out to fiat currency in case you get stressed out or if you cannot sleep anymore.
- Familiarize yourself with tax compliance.
Protecting yourself online is tricky. There are many, many counterparties profiting off of evil hacking in the world. Additionally, you might mess up and lose important information yourself if you do not know what you are doing.
This guide is pretty comprehensive, but it is only my advice and I am open to feedback about it. There are no guarantees and the choice is and responsibility is ultimately yours. As I always say, “think about what you can lose, not what you can make.”
Below is a little summary of what I wrote above that you can share as a description if you post this to social media or email.
5 Things you can do to protect yourself online while trading cryptocurrency (summary)
- Secure your computer’s operating system. — I recommend reinstalling your OS.
- Integrate a good password manager. — I recommend KeePass.
- Use 2FA. — I recommend Yubikey 4 and Google Authenticator.
- Get an offline hardware wallet. — I recommend Trezor or KeepKey.
- Always use a VPN.