imToken on Security: Beginner guide to security in crypto
Today we give you a few simple steps to reduce most of the security risks of being in crypto.
Now let’s see how to stay secure.
One-time setup to start staying more secure
Look yourself up on haveibeenpwned.com
Websites get hacked all the time. When that happens, your email and password land on the web, for people to buy or sometimes completely free.
Have I Been Pwned is a website run by a friendly Microsoft employee who gathers all the password data breaches he can, and lets you search your email address (and phone number).
If the website shows that your email has been hacked on some other site, it is likely that hackers will try to use the password to that account on all your other accounts.
Look up your email address and phone number on this site. If your data has been breached, never ever use the same password on another account again. In fact, it is better to always use automatically generated passwords from a password manager. More on that later.
Install an adblocker
Ads make your internet browsing slow and annoying. But even big websites don’t directly manage the ads on their own website. And this is why some advertisements are actually malicious. In fact, the New York Times website, one of the most visited sites, did serve malicious ads for 4 days in 2009.
There is no reason to have to watch ads. Simply install an adblocker (like the open source tool uBlock Origin) or use an ad-blocking browser (like Brave) and you are good to go. Just make sure that you download the correct one.
Install a password manager
A password manager does not save passwords in your browser; it saves them in a separate app. The benefit of storing your passwords there is that you no longer use the same password for different accounts. Instead, the password manager automatically generates passwords that look like this: a8#!2D@#*H( and are literally impossible to guess.
This way you solve the two biggest reasons for hacks: First, you can stop using standard passwords like 123456 and picture1. And second, you can stop using a similar password for all your accounts.
Buy a hardware wallet if a big part of your money is in crypto
Do you own more crypto than you want to lose? If yes, then better get a hardware wallet.
Hardware wallets used to be kind of annoying, but nowadays they come in all kinds of forms and for all kinds of use cases. Ledger is just one of them. Check out which are on the market and make sure to buy from an official source.
Hardware wallets are devices that keep your crypto separate from any device connected to the internet, keeping your crypto safe, because a computer might not be the best place to store your valuable tokens. Our own is called imKey.im.
Learn the right mindset to stay secure
Do not leave your laptop, keys, USBs, phones unattended, even for a moment
If you leave your computer unattended and unlocked for just a few seconds, people can plug in a malicious USB stick. Without doing more than that, your computer would already be infected with a virus that reads all the text you type in, including passwords, and sends it to the attacker. Similarly, the software would steal your MetaMask keystore in a matter of seconds. This is likely how this NFT fan got hacked, a story worth reading:
Never plug any devices or cables into your computer
Simple USB sticks can be equipped with harmful software. We know that some scammers use USB sticks with software that steals your MetaMask keystore and installs a keylogger virus on your computer.
But even charging cables can have chips hidden inside that perform exactly the same function. And charging your phone on public USB hubs, such as in an airport, can download a virus to your device too. Read how an iPhone charging cable might get you hacked:
This hacker's iPhone charging cable can hijack your computer
Most people don't think twice about picking up a phone charging cable and plugging it in. But one hacker's project…
Never Use Public Wi-Fi
Open Wi-Fi networks, such as those in hotels, restaurants or airports, allow everyone on the same Wi-Fi to read everything you do on the internet, show you fake websites or even directly send you viruses.
A scammer could, for example, read all internet traffic going through the Wi-Fi network and filter out any information that looks like a bank account password, a private key and so on. Ironically, some would even mine crypto on your computer:
Note: Even password-protected Wi-Fi networks are dangerous.
Never trust people that ask for your secret phrase or even personal information
Never ever give away your private key (or keystore, wallet QR codes, mnemonics, etc.), because knowing it means owning all the assets in your wallet.
Often scammers pose as fake customer support, talk to you for a long time, gain your trust and then ask you to share your screen or enter your private key into a Google form.
Check out the two similar cases below:
Never reuse passwords, use your password manager
As said above, installing a password manager is probably the single most important step you can take to get more secure.
Once you have a password manager, use it. And use its ability to generate passwords. This makes it very easy for you to not use myname12 or girlfriend123 as passwords anymore. Instead you’ll have a different password for every bank, exchange, social media etc.
Never click on random files from strangers or from what seem to be friends
There has been a wave of NFT artists and collectors receiving suspicious emails that look as if they were sent by friends or acquaintances. Attached to the email would be a file.
Just clicking on the file will start a program that will scan your computer for crypto keys and steal anything possible. It most likely will also install software that reads your passwords as you type them on your keyboard and sends those to the hacker too.
See one such example below:
Keep following basic security steps
Now comes the harder part. There are a few steps you should follow each time you set up a new account or buy a new computer:
First, remember to always use two-factor authentication (2FA). This adds a little bit of work but makes it very hard for hackers to enter your bank, exchange and social media accounts even if they know your password, because the second factor is a security code that's generated periodically on your phone, so that only you can see it.
Do make sure to always use app-based 2FA, because text message-based 2FA can be hacked.
Then, learn how to secure your computers and software, because using a computer for your crypto makes it an easier target for attackers. (Blog post incoming)
Encrypt your computer and all drives, because encryption secures your data even when stolen. (Blog post incoming)
Secure all your accounts, because every account might give an attacker access to another account with your crypto. (Blog post incoming)