How to Keep Your Crypto Safe: 8 Security Tips from the Pros
Phishing, hacking, SIM jacking, oh my! Here’s what you need to know to thrive in the era of cryptocurrency
Somewhere in Attinghausen, Switzerland, there’s a “cold room” lined with slabs of steel. It sits 300 meters down inside a granite mountain in an old, repurposed military bunker. Inside is air-gapped hardware holding the private keys of high-value crypto holders who are looking for a little peace of mind. These security measures might sound extreme, but the attack vectors are myriad in the cryptosphere: hacking, phishing, SIM jacking, shams, scams, extortion, friends turning on friends, spoof friends, and good ol’ fashioned human error.
Some examples: fake websites; spoofed calls from impostors posing as trusted institutions; social media, which is a minefield of spam bots and malicious impersonators that users can’t flag fast enough. Fake Vitaliks. Fake Joe Lubins. How hard does anyone really look at social media handles? Someone flying through Twitter is prone to miss the extra “l” in @etlhereumJoseph. Don’t let it be you!
For many users, the bulk of their crypto is still sitting “hot” — in online wallets on centralized exchanges, which have had their share of reckonings over the years: the infamous Mt. Gox hack in 2014, in which hackers made out with approximately 740,000 BTC, and the Bitfinex breach in 2016, which drained almost 120,000 BTC from the exchange. Unfortunately, exchange hacks have become something of a regularity, resulting in a healthy paranoia for traders and HODLers alike. Nowadays, it’s common to read headlines of cryptocurrency exchanges folding after a serious breach, leaving their customers in the lurch with little recourse.
And then of course the age-old threats, fire and forgetfulness (one man accidentally threw out $9 million worth of bitcoin). Attack vectors can be unassuming, furry even. The problem is, misplaced crypto has a way of altogether disappearing — sometimes across jurisdictions and beyond the reach of the law, sometimes into cryptographic black holes (in 2011, 2,609 BTC vanished on Mt. Gox because of a scripting error).
What’s liberating about blockchain is that you can become your own bank. But that can also be a daunting thing for many of us who have grown comfortable letting central institutions manage our lives for us. It’s time we educate ourselves.
A word of caution: compiling these pro tips brings with it the meta-anxiety that any tools or security measures we recommend here will now become the focus of bad actors. So stay sharp. But stay with it. Blockchain isn’t just about surviving. It’s about creating choices for yourself. As Nick Dodson, whose Pro-Tips for Ethereum Wallet Management was an inspiration for this piece, writes: “Be vigilant and you will thrive.”
1. Know the attack vectors.
AKA Know your enemy. You gotta take care of the basics before anything else: don’t have the same password for every account, don’t get phished, don’t answer calls from anyone pretending to be tech support, don’t keep your hardware wallet on your keychain! A general sense of vigilance about crypto security will serve well as the base layer for more advanced security measures.
Much of this comes down to watching out for the proverbial “man in the middle” — someone trying to get in between you and your destination. Phishing emails are ubiquitous and spoof sites can be picture-perfect nowadays. Make sure you double-check URLs. Better yet, bookmark your crypto sites and stick to your bookmarks (MetaMask also blacklists MyEtherWallet clones for you). Verify software downloads against the publisher’s signature or published checksum before you install them. A copy of Tails OS is no good if it’s infested with spyware.
A man-in-the-middle attack can even be literal: one guy lost his life savings to a reseller on eBay who pulled the recovery seed from a hardware wallet and repackaged the wallet. Always buy your hardware wallet directly from the manufacturer, and generate the seed yourself on first use; a seed that arrives already written down is already compromised. Now think two steps ahead. Maybe your URLs look good. But how do you know someone hasn’t hacked your Wi-Fi or snuck onto the same public network, spoofed DNS, and redirected you to a different IP? Safe computing is like chess: always assume your opponent is smarter than you.
2. Generate strong passwords.
You should know the drill by now: no names, birthdays, street addresses, song lyrics, etc. (don’t even get me started on my mom’s passwords). But even if you mash the keys on your keyboard, that’s still unfortunately not random enough; humans are predictable, and password-crackers can rifle through 350 billion guesses per second. Use a random mnemonic generator (a Diceware-style word list plus a true random source) to create a passphrase, or buy a hardware wallet to generate powerful keys and signatures for you. Multiple keys are also better than one: multi-signature wallets, like Gnosis’s, require several keys to validate a transaction, so a single leaked key isn’t enough to move funds.
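To put numbers on that, here is an added example (not from the original piece or from Nick Dodson’s tips) that picks a passphrase with the operating system’s CSPRNG and computes how long the 350-billion-guesses-per-second cracker above would need. The word list is a constructed stub; the entropy functions take the list size as a parameter, so the figures for a real 7776-word Diceware list come out right even though the stub is tiny.

```python
import math
import secrets

# Constructed word list for this demo only. A real Diceware list has 7776
# words; the entropy math below takes the list size as a parameter, so the
# numbers quoted for the real list do not depend on this stub.
DEMO_WORDS = [
    "anchor", "basalt", "cobalt", "dune", "ember", "fjord", "granite", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nebula", "orchid", "pebble",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "willow", "yarrow",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(wordlist, n_words=6, sep="-"):
    """Pick words with the OS CSPRNG (secrets), never random.choice or key-mashing."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list has duplicates; the entropy estimate would be wrong")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words):
    """Each uniformly chosen word adds log2(list_size) bits of entropy."""
    return n_words * math.log2(list_size)


def password_entropy_bits(length, alphabet_size):
    """A uniformly random character password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=350e9):
    """Time to try the whole keyspace at the cracking rate quoted in the text.
    The attacker expects to succeed after about half of this."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("demo passphrase:", generate_passphrase(DEMO_WORDS))
    six_words = passphrase_entropy_bits(7776, 6)          # real Diceware list
    eight_chars = password_entropy_bits(8, 95)            # printable ASCII
    print(f"6 Diceware words: {six_words:.1f} bits, {years_to_exhaust(six_words):,.0f} years")
    print(f"8 random printable chars: {eight_chars:.1f} bits, "
          f"{years_to_exhaust(eight_chars) * 365.25 * 24:.1f} hours")
```

Six words from the real list is about 77.5 bits, which the quoted cracker needs on the order of twenty thousand years to exhaust; eight random printable characters is about 52.6 bits and falls in a few hours. A key-mashed string has far less entropy than its length suggests, because the choice of keys is not uniform.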
Use two-factor authentication for everything: email, exchanges, Steam, etc. Heads up: the countdown on Google Authenticator might be annoying, but app-based two-factor is much more secure than SMS, because a code that arrives by text can be read by anyone who takes over your phone number (see Pro Tip #4). Let this be your warning.
3. Use cold storage.
You don’t have to go 300 meters underground, but you should keep the majority of your crypto “cold,” that is, air-gapped and offline. Only keep an amount in exchanges and online wallets that you are willing to lose. You can either build an air-gapped computer by removing the network card from your PC or laptop (Tails is an operating system that you can run offline), or buy a hardware wallet. When generating the seed phrase, power your hardware wallet from a wall adapter rather than from a computer, to keep it as cold as possible.
4. Don’t get SIM Jacked.
A whole new attack vector to worry about is the trend of SIM jacking, which many in the blockchain ecosystem have already encountered. Increasingly common, SIM jacking (AKA SIM swapping, AKA phone porting) is a very real threat. That’s because it’s not that hard to do. Using information that’s often publicly available, hijackers convince your carrier to migrate your mobile account from your SIM card / phone to a different SIM card / phone that they control.
The jacker then uses your phone number to gain access to your other accounts by going through the account recovery process with your number and information in conjunction with other information or access they have. By the time you figure it out, the damage is often already done.
The ways to prepare yourself for SIM jacking are multifarious and emerging. MyCrypto’s Guide is an in-depth explainer of all the particular attack vectors. Tony Sheng’s personal story should be a warning, and Gitcoin Founder Kevin Owocki offers 10 very salient tips for mitigating risk. This growing problem shows a glaring hole in the security of telecommunication providers and internet companies, and
5. Test everything.
Make small test transactions or practice with tiny amounts of funds on a test network before going the full monty. Never manually type out addresses (over 12,000 ETH have been lost forever due to typos). Copy and paste, then check the pasted address against the source (clipboard-hijacking malware can swap it on the way), use Ethereum Name Service, or scan QR codes.
Make sure your scan app is secure (Pro Tip #1: Know the attack vectors). Double-check the identicon of your target address. Before transferring any crypto onto your hardware wallet, test your seed phrase by wiping the device and restoring from it. If you’re building an air-gapped computer, record a SHA-256 checksum of what you load onto the SD card and re-check it afterwards (MD5 is no longer collision resistant, so don’t rely on it). For the love of Ethereum, test everything, whether it’s simple or incredibly complicated.
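“Verify software downloads” (Pro Tip #1) and the SD-card checksum above come down to the same routine. Here is an added example, not from the original piece, that hashes a file with SHA-256, checks it against a published digest in constant time, and records a manifest of everything on the card so you can see exactly which files changed between loading it and using it. The paths are whatever you point it at; the command-line usage in the main guard is this example’s own.

```python
import hashlib
import hmac
import sys
from pathlib import Path

CHUNK = 1 << 20  # hash a megabyte at a time so large images do not load into RAM


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex: str) -> bool:
    """Compare a downloaded file against the publisher's SHA-256 digest.
    Tolerates the usual copy-paste noise (case, whitespace); compares in
    constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def build_manifest(root) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root.
    Record this right after loading the SD card, and keep it off the card."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash the tree and report what differs from the recorded manifest.
    An empty report on all three lists means the card is as you left it."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


if __name__ == "__main__":
    # Usage: python checksum.py <file> <expected-sha256-hex>
    ok = verify_download(sys.argv[1], sys.argv[2])
    print("OK" if ok else "MISMATCH")
    raise SystemExit(0 if ok else 1)
```

The digest you compare against has to come from somewhere you trust more than the download itself (the project’s signed release notes, a bookmarked HTTPS page), otherwise an attacker who can swap the file can swap the checksum too. Note that “added” files matter as much as modified ones: an air-gapped machine will happily autorun something that was not there when you checked.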
6. Store your seed phrase(s) across different devices and locations.
A standard BIP39 seed phrase is that curious string of 12 to 24 words (hardware wallets commonly use 24) from which your wallet derives its private keys. Manage your seed with utmost care. If you write it down on paper, consider making two copies and storing them in separate locations. SD cards are another storage option, but they rarely last more than five years, and they could be wiped by an electromagnetic pulse. Use both analog and digital just in case (rumors abound of people who hammer their seed phrases into steel). If you want to level up: split the seed across separate, safe locations, preferably with a threshold scheme, so that no single piece reveals anything and losing one location doesn’t lose the seed. And remember: meticulously record your steps, so you (or your heirs) can recreate the seed.
7. Maintain plausible deniability.
Plausible deniability in the crypto-verse means the ability to keep certain data hidden. Minimize your risk exposure by distributing your holdings across multiple wallets. Here’s a helpful rule for what you broadcast: don’t advertise your holdings, and especially don’t tell the world (over social media) which exchanges hold your crypto (again, this guy). All your crypto shouldn’t be hot anyway (remember Pro Tip #3: Use cold storage). If the information isn’t saved in your email, then it isn’t there when someone hacks your email to find it.
8. Level up. Help the ecosystem.
Your security choices affect not only you, but the ecosystem and community that surrounds you. If you don’t use two-factor authentication, and someone seizes your email (that, say, you left open on a library computer), when that bad actor starts phishing your personal network, that’s on you. When your dad gets phished because he didn’t know the basics, that’s on you as well.
So challenge yourself to level up. Experiment with hardware wallets, Tails, and multi-sig. Channel your inner Snowden. Learn by teaching. Tell your friends about cold storage, and your mom about strong passwords. Help the community flag spoof sites and fake accounts. Nick Dodson’s “Pro Tips” are a gift to the ecosystem, and something we can pay forward.
Disclaimer. The views, information, and opinions expressed are solely those of the author above and do not necessarily represent the views of Consensys AG. They are meant for informational purposes only, and are not intended to serve as a recommendation or investment advice to buy or sell any securities, crypto assets, or other financial products.