MyCrypto’s Security Guide For Dummies And Smart People Too

An in-depth guide on how to be safe in the crypto world and the online world in general.

Taylor Monahan
Jul 15, 2018 · 16 min read

The following is a modified mash-up of some of our internal policies, procedures, action items, and security-related stuff that we thought would be helpful or applicable to the larger community. This is just a sliver of MyCrypto’s security policies and has been modified to not create a security incident in itself. We hope you find it helpful, no matter who you are.


I understand that this is ruthless and terrifying.

  • We must take security seriously.

I will walk through this industry’s graveyard.

  • I am aware that cryptocurrency companies are a global anomaly to the security industry.

I will buy stuff (on the company’s dime!)

Yubikey

USB Drives

No-Wifi Printer (if you don’t have one)

Ledger Nano S or TREZOR (if you don’t have one).

I will panic correctly.

  • I acknowledge that I might someday probably cause a security incident, and that forgiveness is applied towards those that escalate a problem correctly and immediately.

I will post in our internal security channel if…

  • One of my accounts or passwords is compromised.

I will call the security team / management / anyone and everyone if I don’t receive an immediate response in the internal security channel.

  • Any international charges will be paid by the company. Don’t be scared to call.

Audit your processes, software, extensions

If you have a clipboard manager, get rid of it

If you have an auto-upload screenshot app (e.g. Cloud App), get rid of it

  • And never, ever install one again.

If you have a remote viewer (e.g. TeamViewer), get rid of it

  • And never, ever install one again.

Install a password manager (e.g. 1Password, LastPass)

  • Do NOT use your browser’s built-in password manager to manage passwords, credit card details, or other information

Audit your Chrome Extensions

  • Remove extensions you don’t use, don’t need, don’t trust

Audit your Software

  • If you have an old computer that you’ve used for a while, do a brand-new install, or talk to management about getting a new computer

Be especially mindful about installing little “helper” tools, and avoid them like the plague. These include apps like…

  • Clipboard managers.

Do not install software gratuitously.

  • Only install what I need and keep it up to date with patches.

Audit your Cloud Storage Software (Dropbox, iCloud, OneDrive)

What is uploading automatically?

  • Disable features like “auto upload all screenshots”

What is already saved there?

  • Remove anything sensitive. Realize that things that have been uploaded once are there for life, even if you “delete” it.

Make sure it is secure.

  • Change the password now.

Audit your Chrome Settings

Visit chrome://settings/content and ensure the following settings:

  • [x] Unsandboxed plugin access: Ask when a site wants to use a plugin to access your computer.

Encrypt Your Shit

Encrypt your Computer / Laptop

  • Click the Apple menu, System Preferences, then select Security & Privacy.

Encrypt your USB Drives

  • Go to Finder

Change your passwords to new, unique, strong passwords

  • This is what a good password looks like: 3o*awM#A^9x&r61v.

2FA all the things!

If you are using Authy, stop using Authy

If you must use Authy:

  • Make sure “multi-device” is OFF under settings.

Enable 2FA on all the things via Google Authenticator

Remove your phone number and email as a backup option

  • Print backup codes via no-wifi printer or hand-write them.

Update passwords & turn on 2FA for every service. Things like…

  • Amazon (shopping) — Remove old credit cards, addresses, etc. while you are there.

Audit your Google, Github, Facebook, Skype, Twitter

For all of the above, check for authorized apps, logged in devices, and others.

Authorized apps:

  • “Apps” where you use a different service like Google or Twitter to sign into that service, or that are otherwise linked (e.g. the Fantastical calendar app manages your Google Calendar).

Log out of all devices:

  • Yes it’s annoying.

Review forwarding and filters that are pushing data externally.

Remove any “Application Specific Passwords” that will bypass auth.

  • This feature is especially damaging in an account-takeover scenario, because app-specific passwords are rarely, if ever, invalidated by a password reset. If an attacker has created one, it leaves them an easy way back into the account.

Skype / Microsoft: Turn on 2FA

Google: Remove your phone number & email as a backup option

For all your Google Accounts!

  • Go to https://myaccount.google.com/security

Github: Audit your auth’d apps, turn on 2FA

  • https://github.com/settings/applications

Facebook

Some of these are best-practices and related to privacy and not security.

Must Do! https://www.facebook.com/settings?tab=security

  • Turn on “Get alerts about unrecognized logins”

Must Do! https://www.facebook.com/settings?tab=privacy

  • Future posts: Friends

Must Do! https://www.facebook.com/settings?tab=applications

  • Audit list, remove anything out of date or not actively in use.

Must Do! Turn off Profile Picture Login. Holy fucking shit what a security nightmare that “feature” is.

Recommended! Make sure “Trusted Contacts” was set up intentionally

  • This feature allows you to regain access to your account via trusted friends. Make sure you use this feature very wisely.

Recommended! Make sure “Legacy Contact” was set up intentionally.

  • Similarly, you can have an account transition to someone else upon memorialization (if Facebook receives proof that you’ve died). Make sure it is set up carefully.

Recommended! https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

  • Go to “Your Information” w/ green icon. Toggle all switches OFF

Recommended! https://www.facebook.com/settings?tab=timeline

  • Who can post on your timeline? Friends

Dropbox / Cloud Storage

Call your cell-phone provider

  • Inform them that you work in an industry that has had a number of phone number hacks in recent months. You are concerned about their ability to protect you and are thinking about moving to a different carrier due to this risk.

Miscellaneous

Move any funds that have been created with an online computer to cold storage.

  • Use your hardware wallet or air-gapped computer + paper.

Sign up for https://keybase.io/

  • Verify a few profiles. Install the phone app.

Never Use Public Wi-Fi

Google Yourself

  • Remove personal information, old forum links, etc.

Look yourself up on haveibeenpwned.com

  • For anything that has been pwned, ensure that you are not using the same password

If you don’t use Chrome, install and use Chrome from now on.

Bookmark your sites.

  • Only use these bookmarks. Do not click links. Do not trust email. Do not trust links in emails. Do not trust attachments on emails.

If you ever encounter a malicious crypto site that isn’t blocked, report it immediately to https://etherscamdb.info/

Install an adblocker

Encrypt your laptop because it can be lost or stolen.

Do not leave your laptop, keys, USBs, phones unattended, even for a moment.

Do not travel to crypto-conferences with laptops, keys, USBs, phones that have all your secrets on them.

Do not store super-secret things on the laptop.

Always check GitHub commits for secrets before committing.

  • Do not ever place keys, keystore files, ssh keys, secrets, passwords, access codes, auth tokens, or anything in any folder that you will be committing to GitHub. Ever.

Make sure you are part of the internal security channels.

  • If not, ask someone on the team to add you.

My reputation and online identity are powerful

As I engage with the community and others working on projects, my words on social media, via Skype or Slack, or elsewhere carry more meaning. There is a level of trust you may have or build without realizing it.

When I speak, others may take it as I am speaking for the company.

  • An off-handed comment may harm the company.

During a security incident related to our company or another company, I may be part of confidential conversations or learn about confidential items that I am not at liberty to discuss in the short-term, long-term, or both.

  • I will be helpful, calm, and composed in these situations.

My personal accounts may be the target of an attack

  • I see that this space has an unusual mixture of personal identities and professional identities.

Other Resources / Sources

Have something to add? Find a typo?

Leave us a comment or suggestion here: https://docs.google.com/document/d/1bY3axPDgcPiMn5wMVvzUkJuH91s2_SgtNpt5J__88dM/edit?usp=sharing
