Keeping your crypto-currencies
How to KEEP your Bitcoin, as opposed to losing it
The last post Where is a Bitcoin? wrapped up with an essential take-away: your private keys ARE your Bitcoin. (Reminder: we’re using Bitcoin as a placeholder for your favorite crypto-currency). This is so important that it bears repeating: securing your Bitcoin = securing your private keys. Someone who knows one of your private keys can easily steal the associated Bitcoin. Permanently lose one of your private keys and you’ve lost the associated Bitcoin.
As you consider this post, keep in mind that there are A LOT of hackers — some of them very smart and very resourceful — trying to steal Bitcoin. They are HIGHLY motivated, because (a) there is a LOT of money in it and (b) successful thefts are rarely caught. Also keep in mind that there is very-little-to-no safety net, unlike your bank account.
Now underway is the long-awaited discussion of the most popular places to keep your crypto-currency:
- Account on an exchange
- Account on an unaffiliated website
- Unaffiliated wallet app running on phone or computer
- Hardware wallet
Account on an exchange
Most people procure most of their Bitcoin from an exchange. A significant percentage of people leave it on the same exchange. This has the advantage of being the easiest of our four storage choices. And “easy” has something going for it from a security standpoint.
We will mix best practices with the associated risks, because if you choose NOT to follow these best practices, we would have to discuss an entirely different class of risks. A few of these will strike you as “duh” and others will strike you as “that’s crazy paranoid.”
Mitigating risks of your exchange account being hacked
Strong account password(s). “Duh!” Many exchanges offer the OPTION of separate passwords for trading or withdrawing funds. Take advantage of that really good idea. Should an attacker steal your login password (via key logger malware), they MIGHT not have your withdrawal password.
Two-factor authentication (2FA). A “duh” for most of you. Many of you are using 2FA in the form of “send me a one-time code via SMS text message.” That method is no longer considered secure. There are MANY documented cases of hackers hijacking your phone number by social engineering your phone company. (“Hi AT&T, I lost my iPhone. I bought a new phone and need to activate it.”) And yes, there are documented cases of hackers doing this specifically to gain access to your crypto-currency account. It is far, FAR safer to use a 2FA authenticator app such as Google Authenticator. That method foils the phone-number hijacking ploy, unless the hacker physically steals your phone.
Multiple 2FA. I mentioned that many exchanges offer the option of separate passwords for trading and withdrawal. Some exchanges offer the OPTION of separate 2FA codes for withdrawal. That is NOT as “crazy paranoid” as it sounds. But there is a subtle catch if you want to make separate 2FA codes effective: the separate 2FA codes need to be generated by an authenticator app on a SEPARATE device. Purchase an unlocked Android phone for $100 (no phone activation required, just Wi-Fi), install Google Authenticator, hide the phone in your house, and ONLY use it to generate the 2FA code for withdrawals. Extra work, yes, and you’ve further reduced the risk of someone making off with your Bitcoin.
Enough account hygiene: taking the above measures reduces the risk of your exchange account being hacked. Yay! We’re not quite done. Many exchanges offer a time-delay mechanism of one form or another: withdrawing funds requires a 24–72 hour waiting period, for example, during which time the exchange sends you emails and text messages saying “Withdrawal in flight.” This gives you a few days to take action … very much UNLIKE learning of a withdrawal after the fact, at which point you’re screwed.
Risks of your exchange being hacked
Unfortunately, all of the measures outlined in the section above mitigate the risks of your exchange ACCOUNT being hacked. There remains the risk of your EXCHANGE being hacked. Unless you are in a position to perform an in-depth security audit of your exchange, there is nothing you can do to mitigate this risk. The most popular exchanges take their security very seriously, but they are up against VERY motivated hackers.
The more popular the exchange, the more crypto-currency that can be stolen, ergo the greater the motivation for hackers. Less popular exchanges might be less attractive targets for hackers, but they very likely are not as well protected as the more popular exchanges. While hackers have never made off with ALL of the private keys held on an exchange, there is little comfort there: (a) they may or may not make off with YOUR private keys, and (b) the exchange operator may opt to spread losses across ALL accounts as a percentage of holdings.
Before moving on to the other three bullet options, there is a concrete measure you can take to mitigate the risk of your exchange being hacked: spread your crypto-currency holdings across multiple exchanges. Rather than keeping 300 BTC on one exchange, keep 100 BTC on each of three exchanges. No free lunch here: you’ve now got THREE accounts that might be hacked, so you must enable all of the account-protection measures outlined earlier on ALL THREE accounts. With that done, for all practical purposes, only one-third of your holdings are at risk in an exchange hack.