We at Electra care about our community’s safety and welfare with regard to how they conduct themselves on the internet, especially when it comes to their cryptocurrency holdings. In light of a few recent events, we’ve put together a simple guide to staying smarter and safer online!
Always use passwords and multi-factor authentication together
You might have the most complex password in the world for your favorite exchange account, but what good is it if an attacker gets hold of it anyway, whether by breaching the exchange, phishing it out of you, or finding it in a leak from some other site where you reused it? That’s why you should always use multi-factor authentication in combination with your password!
Multi-factor authentication is one or more additional steps after inputting your password that’s required before being able to log into your account.
Typically, this second step is a short, time-limited code (usually six digits) that is generated fresh for each login, either by an app on your phone or sent to you by SMS or email, and typed into the site you’re logging in to.
There are several ways you can set up multi-factor authentication: SMS to your phone number, an authenticator app on your phone, email, etc. For us, we recommend an authenticator app, like Google Authenticator or Authy (a hardware security key is better still, where the exchange supports one).
- Email isn’t recommended, as anyone who has broken into your mailbox can read the code without being anywhere near you (and that same mailbox is usually where your password-reset links land, too).
- SMS codes are also not recommended, as hackers keep finding new ways to take over your phone number, typically by tricking or bribing your carrier into porting your line to a SIM they control (“SIM swapping”) or forwarding your calls. If you insist on using SMS, contact your mobile carrier and ask for a port-out lock or PIN on your account and for call forwarding to be blocked.
Most, if not all, exchanges support multi-factor authentication, like Binance (see Figure 1). Just go to your user settings and look for options such as ‘multi-factor’ or ‘two-factor’ authentication and follow the instructions on how to set it up.
Another pro tip: make use of settings that lock access to your account after repeated failed password or multi-factor attempts. Most exchanges will also email you about these failed attempts; if either option isn’t enabled by default, turn it on, and treat such an email as a sign that someone already has your password, so change it.
Lastly, never use the same password in more than one place. Use a different password for every account (a password manager makes this painless) together with multi-factor authentication, so that a breach at one site doesn’t hand an attacker the keys to all of your accounts and your investments!
Secure your PC, Mac, favorite Linux-distro, and/or mobile device
Always install updates as soon as they are released. Putting them off leaves you exposed to attacks on flaws that are already public. This includes not just your device’s operating system, but also your browser, your wallet software, and your antivirus and firewall (where applicable).
Use strong passwords and/or biometric authentication. We don’t recommend PIN codes unless they’re at least six digits long.
Never use pattern locks under any circumstance (*cough* Android *cough*).
Use a dedicated device for all of your cryptocurrency needs. A machine that is also used for daily web surfing, gaming and work-related activities has far more opportunities to pick up malware than one used only for your wallet, so keeping the two separate limits the chances of being hacked.
NEVER USE PUBLIC WIFI FOR ANYTHING SENSITIVE WITH YOUR DEVICES. This should go without saying. Anyone on the same network can watch and tamper with your traffic: HTTPS protects what you send to a properly configured site, but a hostile network can still steer you to look-alike sites, capture anything that isn’t encrypted, and probe your device directly. Always sit behind an encrypted network you can trust, such as your home network or your own phone’s hotspot.
- Even being at a known location such as Starbucks won’t be enough to protect you; attackers can easily set up their own access point in the same location with the same broadcast name (e.g. “Starbucks Wifi”) to trick unwary people into connecting to it.
Encrypt and back up your data, especially your cryptocurrency wallets. Again, it goes without saying. Use full-disk encryption such as BitLocker (Windows) or FileVault (Mac), or VeraCrypt (Windows, Mac and Linux) for encrypted containers. As for backing up, keep copies of sensitive files (like your wallet.dat file) in multiple secure locations: USB drives, external HDD/SSDs, cloud storage, and more. Encrypt a backup before it leaves your hands (an unencrypted wallet.dat in cloud storage is only as safe as that cloud account), and test that you can actually restore from it before you need to.
Be wary of online scams, such as phishing, spam, and malware
Phishing is an attempt to obtain information about someone, such as personal information or login information, through various means. These include spam emails designed to look legitimate, fake websites made to look like legitimate websites, text/instant messaging, and downloaded software.
- Spear phishing is a type of phishing where the attempt is specially crafted to target just a few specific victims. It usually relies on identifying information already gathered about you, such as which bank or exchange you use or where you work. Often, this sort of information can be easily obtained from your social media accounts.
- Baiting is another method of phishing, where an attacker “baits” a victim into performing an action that gives the attacker access to their information or systems. An example of baiting is deliberately dropping infected USB drives or other storage media in public places such as restrooms, libraries and parking lots. The attacker will most likely use more than one kind of media, to increase the chances that an unwary victim plugs one into their computer or home/corporate network.
- Vishing is similar to typical phishing, only it’s done over the phone. A very common example is a supposed “Microsoft Support” caller telling you that your computer is infected and that they need remote access to fix it.
- It’s incredibly easy to clone a website and have unwary visitors try to log in through it. This is also phishing: each time you input your login information, it is actually sent to the attacker, who then uses it on the real site to log in and take your cryptocurrency.
- If your web browser alerts you that a website may be unsafe or insecure, it probably is! Do look for the little lock icon at the top of your web browser, but understand what it means: your connection to the domain shown in the address bar is encrypted, nothing more. Phishing sites get certificates and lock icons too, so the lock is necessary but not sufficient; the name next to it is what you actually have to check.
- Ensure that the website you’re visiting is the actual website. For example, always make sure that you’re using https://www.binance.com. If the website you’re on has a URL like http://www.binance.cc, http://www.binance-com.org, or similar, close the browser window immediately. Bookmark the real address and use the bookmark, rather than clicking links in emails or messages.
- For example, this happened during the CoinsMarkets fiasco. A malicious actor created two websites, coinsmarkets.net and coinsmarkets.org, that looked exactly like the original. Unsuspecting users who entered their login information had it sent to the attacker and were then redirected to the original website, so nothing looked wrong.
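One way to automate the check in the two points above, as an added example that is not part of the original post: given a link and the domain you expect, flag the common tricks (wrong TLD, hyphenated look-alike, the real domain used as a subdomain or as a `user@` prefix, plain `http`, and non-ASCII or punycode look-alike characters). The sample URLs are the post’s own examples plus a few constructed ones; `registrable_domain` is a simplification that assumes a one-label public suffix such as `.com`.

```python
"""Flag links that do not really point at the exchange you expect.

Added example, not from the original post. `registrable_domain` assumes a
one-label public suffix (.com, .org); it would mis-handle e.g. co.uk.
"""
from typing import List
from urllib.parse import urlsplit

# Constructed from the post's own examples plus a few more look-alike patterns.
SAMPLE_URLS = [
    "https://www.binance.com",                        # the real site
    "http://www.binance.cc",                          # wrong TLD, plain http
    "http://www.binance-com.org",                     # hyphenated look-alike
    "https://www.binance.com.login-verify.example/",  # real name used as a subdomain
    "https://www.binance.com@evil.example/",          # real name used as userinfo
]


def registrable_domain(host: str) -> str:
    """'www.binance.com' -> 'binance.com' (last two labels, lower-cased)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, expected_domain: str) -> List[str]:
    """Return a list of problems; an empty list means the URL looks like the real site."""
    problems = []
    parts = urlsplit(url.strip())

    if parts.scheme != "https":
        problems.append(f"not https (scheme is {parts.scheme or 'missing'})")

    # Everything before an '@' is userinfo; the browser connects to what comes after it.
    if parts.username is not None:
        problems.append(f"'{parts.username}@' prefix; the real host is {parts.hostname}")

    host = parts.hostname or ""
    if not host:
        problems.append("no hostname")
        return problems

    # IDN look-alikes: either raw non-ASCII letters or their punycode (xn--) encoding.
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        problems.append("non-ASCII characters in hostname (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode (xn--) label in hostname; check for look-alike characters")

    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        problems.append(f"domain is {actual}, expected {expected_domain}")
    return problems


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        found = check_url(u, "binance.com")
        print(f"{u}\n    {'OK' if not found else '; '.join(found)}")
```

The `user@` case matters because the address bar on a small phone screen may only show the first part of a long URL; the hostname check deliberately works on what the browser would actually connect to.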
Spam, which is unsolicited advertising messages that are sent en masse, can be used to deliver malicious software to unwary victims.
- Typically, an email with a “too good to be true” offer contains a link, in the hope that the victim clicks on it and lets something malicious take place.
- Most modern email services have excellent spam filters in place, but one or two may get through.
- If you receive an email from an unknown sender that asks you to reply with personal information, click on some link, or similar, DON’T RESPOND OR CLICK ON ANYTHING WITHIN THE EMAIL. Instead, check whether the actual sender address (and, if you can view them, the message headers) is legitimate, use VirusTotal to scan any URL within the email, and in a corporate environment, forward the email to your technical support for review.
- Spam is not just limited to email; it can also come in the form of text messages, instant messages like Facebook Messenger, and more.
- Phishing is very often delivered as spam.
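The sender-address check above can be made more concrete by looking at the message headers (in most webmail clients, “Show original” or “View source”). Below is an added example, not from the original post, that parses a constructed phishing message and a constructed legitimate one and reports the usual warning signs: a bounce address (Return-Path) and a Reply-To that point somewhere other than the From domain, and SPF/DKIM/DMARC results that are not `pass`. The domains other than binance.com are placeholders, and the Authentication-Results header is written by your own mail provider, so this is only meaningful on a message taken directly from your mailbox rather than one forwarded to you.

```python
"""Sanity-check the headers of a suspicious email before trusting it.

Added example, not from the original post. Both messages are constructed
for the demonstration; the non-binance.com domains are placeholders.
"""
import email
import re
from email.utils import parseaddr
from typing import List

# Constructed: display name says Binance, but bounces and replies go elsewhere
# and the receiving server could not authenticate the sender.
SAMPLE_PHISH = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.yourmail.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none
From: "Binance Support" <support@binance.com>
Reply-To: support@binance-com.org
Subject: Urgent: verify your account

Click here to confirm your account within 24 hours.
"""

# Constructed: what a genuine notification's headers would typically look like.
SAMPLE_OK = """\
Return-Path: <noreply@binance.com>
Authentication-Results: mx.yourmail.example; spf=pass smtp.mailfrom=binance.com; dkim=pass header.d=binance.com; dmarc=pass
From: Binance <noreply@binance.com>
Subject: Login notification

A new login to your account was recorded.
"""


def domain_of(header_value: str) -> str:
    """'Name <user@host>' -> 'host' (lower-cased), or '' if there is no address."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def assess_headers(raw: str) -> List[str]:
    """Return human-readable warnings; an empty list means nothing obviously wrong."""
    msg = email.message_from_string(raw)
    warnings = []

    from_dom = domain_of(msg.get("From", ""))
    return_dom = domain_of(msg.get("Return-Path", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))

    # The visible From is trivial to forge; where bounces and replies go is harder to hide.
    if return_dom and return_dom != from_dom:
        warnings.append(f"bounce address is {return_dom}, not {from_dom}")
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to {reply_dom}, not {from_dom}")

    # Authentication-Results may appear once per receiving hop; consider all of them.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "absent"
        if result != "pass":
            warnings.append(f"{mech} result: {result}")
    return warnings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(label, "->", assess_headers(raw) or ["no warnings"])
```

A failing SPF/DKIM/DMARC result is strong evidence of forgery, but a passing one only proves the mail came from the domain in the headers, not that the domain is the one you think it is; the link checks in the previous section still apply.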
Malware is malicious software designed to harm the victim in some way: stealing information, encrypting or deleting data for ransom, or pushing advertising (adware).
- Never download and install anything on your computer or mobile device that doesn’t come from a trusted developer and/or source, and where the developer publishes a checksum or signature for the download, verify it before installing.
- Always use the most up to date antivirus software available, such as, Windows Defender, Avast AV, ESET, and more. Not Norton though…
- Use online services to scan software before you install it! VirusTotal, Hybrid Analysis and Joe Sandbox are just a few of the free online services you can use. Keep in mind that anything you upload is shared with the service (and, on VirusTotal, with its partners), so scan installers, never your wallet files or anything else private.
- If you suspect your computer is infected, the most important thing is to take it offline immediately. Then boot it from rescue media: download a bootable antivirus image to a USB drive, using a different, clean computer and a USB drive that has never been plugged into the infected machine, and let it scan and attempt to clean the system. If a wallet that can spend your coins was on that machine, assume its keys are compromised and move the funds from a clean device.
- If your computer is infected with ransomware (your files are encrypted and you’re told to pay or lose them), NEVER SEND ANYTHING TO THE RANSOMERS. They’ll usually demand cryptocurrency before “unlocking” your computer, and paying neither guarantees you get your files back nor stops them from coming back for more. Don’t cater to them; instead, work out what you’re willing to lose and what you managed to back up elsewhere, check whether a free decryptor exists for that ransomware family (the No More Ransom project collects them), and only then consider a recovery service (whose attempts are seldom successful).
- Also, be aware of cryptocurrency miners, especially web browser miners. These are typically embedded into web pages that use your computer’s resources to mine cryptocurrencies such as Monero.
- If your computer starts behaving strangely right after you visit a web page (open Task Manager in Windows, or Activity Monitor on a Mac, and check whether a browser process is pinning the CPU near 100%), there’s a good chance the page is running mining JavaScript. Closing the tab should bring CPU usage straight back down.
- Remember that these scripts are often not put there by the website’s owners. Rather than running their own site, an attacker will often probe a trusted, well-known site for a vulnerability that lets them inject a script, so that the site’s large number of visitors mine cryptocurrency for the attacker.
Always use core wallets, never exchange wallets! Also, don’t brag about your holdings
When you use a core wallet, you’re in control of your investments, because the private keys sit on a device you physically control. By using an exchange wallet, you’re leaving your cryptocurrency in the exchange’s custody, outside your control and susceptible to either a hack or an exit scam.
- Exit scamming is when a service, such as an exchange, cuts off customers’ access to their assets and keeps the assets for itself. In the case of an exchange, the operators let a certain amount of cryptocurrency accumulate on the exchange, then close off access for the unsuspecting victims. They then move the cryptocurrency to one or more wallets (often split across many) to make recovery of the victims’ funds next to impossible.
Only use exchanges to make trades, and only move onto the exchange the amount you’re about to trade. If an exit scam or hack happens while you’re in the middle of a trade, you’d be better off losing just that small amount instead of all of a specific coin (or coins).
To maximize your investments’ security, use offline hardware wallets like Trezor or Ledger Nano for the cryptocurrencies they support.
Lastly, never disclose (and especially, don’t brag) your holdings to just anyone. Close friends and family should be okay, but you wouldn’t tell any old person on the street you have millions of dollars, right?
With this information, we hope that the community can become a bit more savvy when it comes to their investments and how they interact on the internet.
Stay safe out there!