A Basic Crypto Security Guide

Archon
Qi Capital
9 min read, May 5, 2021


This article is one of the first ones published under the Qi Capital brand, and although you probably expected some alpha from us, we want to talk with you about security first. Why? Because it is the foundation of any new or existing crypto wealth, and you should care about it no matter if you are new to the space or a veteran who hasn’t thought much about it yet.

Therefore, we want to provide you with a guide containing the essential measures you should take to mitigate risk. We don’t even try to say “eliminate risk” because there is no 100% security, especially not in the crypto space. Cases like the 2020 hack of the MetaMask wallet of Hugh Karp (the founder of Nexus Mutual) should tell us that (you can read more about it here).

Security vs. Privacy

Before we dive into individual security measures, let us quickly distinguish the two topics, security and privacy, as they often get mixed up. We define privacy as the ability to be free from undesired observation (you “hide your action” from the outside world). In contrast, security is all about the ability to negate unauthorized actions (you “keep your funds safe” from the outside world). Both concepts are interlinked, and privacy can help you gain better security, but our general focus is keeping your funds safe(r).


A myriad of risks

There are countless risk factors when dealing with cryptocurrencies, and the measures we propose often help you fend off many of these simultaneously. Let us mention just a few of those:

  • Malicious actors contacting you — often disguised as a trusted person — to steal your funds (e.g., asking for your seed phrase)
  • Scams: there is a never-ending stream of scams in various forms across all possible channels (websites, emails, Telegram channels, Twitter posts, etc.) that all try to lure you into depositing funds
  • Smart Contract bugs/exploits: Bugs or errors in smart contracts might lead to lost money either by the error itself (unable to retrieve locked funds) or by people exploiting these bugs to enrich themselves
  • Carelessness: just mixing up one letter in a wallet address might cost you a fortune. The blockchain is unforgiving, and a mistake can’t be undone in most cases (e.g., sending a transaction to a wrong address).
  • “$5 wrench attack”: Someone who knows that you have a lot of money in crypto and also knows your identity can threaten you into handing over your funds.

Centralized vs. Decentralized

When you are actively buying, trading, investing, or staking in the cryptocurrency sphere, you are confronted with different centralized, custodial services and — especially since the rise of Decentralized Finance (DeFi) — many decentralized, non-custodial ones. Both expose you to various risks.


Centralized, custodial services

Centralized, custodial services like exchanges (e.g., Coinbase, Binance, BlockFi) typically ask for KYC data (“Know Your Customer”) beyond a certain amount of funds, linking your funds to your identity. As centralized entities with a high value under management, they are a big target for hackers or even inside jobs; there has not been a single year without dozens of such hacks. If a centralized exchange shuts down for solvency reasons, your funds might be at risk too. And since you provide your data to the other party, that data might be leaked and exposed (this, for example, happened to customers of Ledger in 2020, as you can read here).

On the other hand, larger entities in particular invest a lot of money into top-notch security and insurance funds (compare securing your own server versus trusting a cloud provider like AWS).

When deciding which service you want to use to invest, trade or stake, the following criteria will help you to make an educated decision:

  • Track record: How long has this service existed, how much in funds do they have under management, and have there been any data breaches in the past?
  • Security options: How many and what kind of security options does the service offer (e.g., 2FA, password recovery, etc.)?
  • Personal data: What data do you need to provide to use the service?
  • Regulation: Where and how is the service regulated?
  • Insurance: Does the service offer insurance or a safety fund?
  • Custody: Does the service allow you to manage your funds in your personal wallet where you alone own the keys?

Decentralized, non-custodial services

When using decentralized, non-custodial services like wallets (e.g., MetaMask, Trust Wallet) or smart contracts in the DeFi sector (e.g., Aave, Uniswap), you manage your funds and keys yourself and are responsible for keeping them safe. If you make a mistake when interacting with these services, there is no one you can ask for a refund.

In order to decide which service you want to use, many of the above-stated criteria apply, but with a different spin. If we focus on decentralized apps in DeFi, it would be as follows:

  • Track record: How long has the service existed, and for how long have the smart contracts used been exposed to the outside world? How much value is already “secured” by the service?
  • Smart contracts: Have the smart contracts used been copied/forked from another project, or are they genuine? (Both have advantages and disadvantages.)
  • Audits: Have the smart contracts used been audited by multiple trusted entities? If you have the knowledge or know someone with the respective skills, review the contracts yourself.
  • Team: Is the team known, and are they at least putting their credibility at risk with their project?
  • Insurance: Is a safety fund part of the project? Can you insure against smart contract risk with a service like Nexus Mutual or similar?
  • Contract & key management: Who has access to the admin keys? Is the project decentralized?
  • Community review: How is the project received within the community you trust?

In addition, many of the measures described below around address and key management are of utmost importance here.

Your personal data

As mentioned above, keeping your data private also increases your security. So generally, try to keep your personal information (name, address, email address, phone number, passwords) secret, thereby protecting your identity.

Keep your personal data secured. Image source: Unsplash.com

When you use centralized services, you often need to provide this data, but you can at least improve your security by following three basic rules.

  • Use unique and secure passwords (or, better, passphrases) for each service and use a password manager to manage them.
  • Use multiple email addresses for your different accounts to prevent a hacker from gaining access to lots of accounts if one email address gets compromised.
  • Always use Two-Factor Authentication (details below).

Two-Factor Authentication (2FA)

Whenever you are using a service with a login, enable two-factor authentication (2FA), since relying on a single login mechanism like email + password is extremely risky. With 2FA, you gain additional security because an attacker also needs a randomly generated code from a second device. If such an option does not exist, question the whole offering’s security and better stay away.

As the second authentication factor, use an app like Google Authenticator or Authy, and ideally use a second (offline!) phone. Never ever use SMS as the second factor, as this opens up new attack vectors such as incompetent support personnel at telco companies, SIM hijacking, etc.

Address and key management

When you manage your own address and keys (which is always recommended!), the best way is to rely on cold storage/cold wallets. This means that you store your private keys in an offline environment, away from the internet. This can be achieved via paper wallets (writing down your private key on a piece of paper and storing it safely) or hardware wallets like Ledger or Trezor.

An alternative to paper wallets, which can easily be lost or destroyed, are more durable solutions like Cryptosteel, where your private keys are stamped into steel that can withstand fire, shock, or other dangers.

Always lock sensitive information away. Image source: Pexels.com

In any case, it is paramount that you keep your private keys separated from your public keys (e.g., never store your Ledger recovery phrase next to your Ledger hardware wallet) and absolutely safe, but also make sure that you can retrieve them (nothing is worse than being locked out of your wallet). One option is to store your private keys in a safe deposit box at your trusted bank.

Never ever write your private keys down on your computer or smartphone or print them. Never make a screenshot of them.

Also, never post your wallet address (public key) online. A reader cannot directly access your funds with it, but it can make you a target because anyone can see the amount of funds you hold and your transaction history.

When making transactions, always double-check to which address or contract you send your funds and complete a test transaction first.

Multi-sig

Multi-sig stands for multi-signature and means that more than one address and/or user needs to confirm a transaction via a signature in order for the funds to be accessed or transferred. This allows (1) individuals to achieve additional security by having multiple wallets confirm a transaction and (2) groups of people to pool their funds within one address and manage ownership through multiple signers.

Image source: Doreen Wang/Coindesk

Bitcoin, Ethereum, and most other cryptocurrencies support this, and various multi-sig wallet solutions exist. The most prominent ones are:

Bitcoin: Electrum, Armory, Copay
Ethereum: Gnosis, Consensus, BitGo

General tips

Last but not least, there are many safety measures that are not directly related to the blockchain or cryptocurrencies but to your computer and network. They are still essential for the safety of your funds and are often overlooked.

Put enough time into improving security to avoid this. Image source: Pexels.com

Only use your own device and network

If you use someone else’s computer, a public network, or someone else’s network, you have no way of knowing whether it is secure. Don’t expose any account data on such devices or networks.

Keeping your device and software up to date

Always keep the operating system of your computer and smartphone as well as software you use for handling cryptocurrencies (hardware wallet firmware, desktop & mobile wallets, etc.) up to date.

VPN

You should always use a VPN. This might be a revelation for some, but it is true. A Virtual Private Network conceals your activity and your originating IP address from the network you are on and the sites you visit, and encrypts all the data you transfer between your device and the VPN server. A lot of value for a few bucks per month.

Learn more here: [6 Major Benefits of VPN — Why You Should Be Using a VPN](https://www.top50vpn.com/vpn-guides/benefits-of-vpn)

Use the right web browser

Both Firefox and Chrome are excellent choices as your trusted web browser.

Adblocker

Use an ad blocker in your browser: it not only stops ads but also blocks malware delivered through malicious ads.

Check website certificates

Always check the HTTPS certificate of the websites you use. It should be valid for the exact domain you intended to visit, and the browser should not display a certificate warning.

Encrypt and backup

Encrypt and back up essential files on your computer and ideally store them in multiple secure locations.

About Qi Capital

Qi Capital is a group of like-minded and experienced individuals from around the globe, sharing two common objectives: providing insights about crypto and DeFi, and proactively working with ambitious teams on the future of decentralized finance. Our core principle is to promote and foster individual creativity, growing not only as a group but also as creative thinkers and builders. To learn more about us, check out our website www.qicapital.org and our “Qi Podcast” via www.buzzsprout.com/1729379/ or engage with us on Twitter: @QiCapital.


Crypto, DeFi & GameFi enthusiast. Qi_Capital Council and @0x_Ventures Member. Product/BizDev/Writing. Running the “Qi Podcast”: https://buzzsprout.com/1729379