So you have made it this far. You want to start buying cryptocurrencies, tokens, use dapps, and explore the world of Web3. We all have made it to this point for various reasons with varying levels of conviction. But no matter where you are, we all need to familiarize ourselves with the basics and learn some of the lessons from those that came before us.
I should start this off by saying that you should enter this space at your own pace. This could take you months to only understand 10% of it. That is fine. If you know someone who seems like they understand all of this, they don’t. That is also fine. This is all new and most of the people who are building this will admit that it is moving so fast they aren’t even familiar with everything going on. That being said, let’s get started with the bare minimum and for those of you already in the space looking for a check up, scroll down.
Not all wallets are equal
No matter what you want to do in this space, you are going to need a wallet. There are several kinds of wallets and I’ll try to break down the benefits and differences among all of the options available. Truth be told, you will probably use multiple of these for different use cases.
Set up an account at your exchange so you can get started at Coinbase, Kraken, Gemini, etc. These wallets are the most convenient as you can log in at any time with ease but these come with two concerns. You aren’t in control of your private keys so you don’t actually control your assets and these are more prone to hacking. These are really, really, really, really, prone to hacking. If you buy some assets, move it off of the exchange and onto a hardware wallet immediately. I should also note that many of these companies have very good security practices but I would still encourage all of you to move it off of an exchange. Shapeshift is a great alternative as you can only buy and trade on their platform on a hardware wallet meaning they never take custody of your funds.
Hardware Wallets: These are physical hardware devices that allow you to interact with the Ethereum and other blockchains without your private key ever leaving your devices. I would highly recommend buying one of these eventually. When exactly? If you ever possess an amount of assets where you would have anything more than an, “Eh? Oh well” reaction to it being stolen, lost, or any other scenario where you cannot access it, you should buy one. I would recommend buying a Trezor or a Ledger as it has the best integration with many services. Both are great devices and there are others out there such as Keepkey which has direct integration into the primary service of Shapeshift but not widely integrated into additional services. Thankfully Shapeshift is an all in one platform. There are others that I cannot vouch for such as BitBox or Coldcard as I have never used it.
Unsafe: Do not use unless you have to
- Mnemonic Phrase: This is a list of 12 to 24 words and is one of the most secure ways to create a wallet. This list of words creates a masterseed and if your wallet is HD compatible, you can create an unlimited number of public-private key pairs for an unlimited number of addresses. The odds of these words being guessed are rare but can often be password protected as well. This is a great second choice if you don’t want to buy a hardware wallet. But again, buy a hardware wallet.
- Keystore or Json file: This is a common file type you can use with popular browsers such as Metamask and often offers to password protect the file. These are created one address a time but can be easily, albeit insecurely, transferred from one service to another.
- Private Key: An unencrypted private key isn’t secure and I wouldn’t recommend using it. That being said, a private key is the direct password if you will that is associated with the public key. If you are going to use this, and you shouldn’t, you need to keep it offline.
Security — Take This Seriously
I cannot stress this enough. Take. This Seriously. One of the key features of a permissionless blockchain is that it is immutable meaning it cannot be changed. The physical world and our legacy systems have taught us that we can call customer support, dispute a charge, or get a refund. If someone gains access to your private key, assume everything is gone. Permanently. As time goes on, I believe two things will happen:
- better custody solutions will emerge to look like today’s systems and
- much of the legacy world will become tokenized
Which means that if you lose your private key, imagine losing your checking, savings, 401k, pink slip to your car, and deed to your house with no recourse of getting any of it back. Ideally, new custody solutions will emerge and be adopted faster than the legacy system will become tokenized but since I cannot guarantee that, please take your personal security seriously.
Not your keys, not your cryptocurrency.
Exchanges provide amazing services from acting as an onramp to exchange your fiat currencies into cryptocurrencies. They also provide a platform for sophisticated investment tools to trade on. Unfortunately, every, single, hack, (almost) ever has been at an exchange. Some exchanges have issued some kind of compensation for the losses while others are forced to declare bankruptcy. However, if you took custody of your own keys, it puts the responsibility solely on you but most of us don’t have multibillion-dollar honeypots to target. Moreover, we generally don’t have internal bad actors to worry about especially if you take these tips seriously. So choose a wallet, secure it, and only leave an amount of cryptocurrency at an exchange you are willing to lose or immediately need access to.
Buy a hardware wallet.
It is hard to have your private key lost or stolen if it never leaves the device or touches the internet. That being said, there are plenty of hardware wallet scams out there. Buy the hardware wallet from the provider directly or through one of its trusted affiliates.
If you buy it on Amazon or eBay, ensure that the box hasn’t been tampered with, ensure the firmware is legitimate and updated, and always use a new seed phrase. There have been attacks through all of these vectors and each company has tried to stay ahead of it.
Store your seed in a secure location.
Again, if someone has access to this, that person has access to everything. Lock it in a safe, tape it under your desk, I don’t care what you do with it but definitely do something with it where no one will find it.
If I have made your paranoid to the point where you don’t want to store your seed in a nightstand, home safe, etc. as someone in your home can access it, I am sorry and you’re welcome. However, if you are going to put it somewhere such as a safety deposit box, know that it is still susceptible to floods, fires, and other natural disasters.
This is where a debate comes in over best practices. Writing the seed down in a word document offline and storing it on a USB works but hard drives fail and standards change. Imagine the passwords saved to a floppy disk. A piece of paper is both susceptible to fires and floods but paper has survived thousands of years in the elements and is still being discovered in tombs. You could laminate that paper to prevent water damage but it still doesn’t protect against fires. Additionally, the plastic from the lamination can eat away at the paper over time. My personal favorite solution is to buy a metal casing to store your seed that won’t be destroyed by natural disaster but again I am not trying to force you to spend money.
Get paranoid about that location.
One of my favorite solutions to storing your seed at home or offsite is a bit funny but it came from a story Ari Paul told about consulting with an NSA specialist. He recommended wrapping the seed, hardware wallet, USB, etc in tamper sealed bags, taping it up with tamper sealed tape, and then splattering nail polish on the outside. You can buy tamper seal bags and tape online but if the bag were opened, it would be destroyed in the process. However, if the attacker for some reason knew which brand of bags and tape you use, you still have the paint. The thought process is that paint splatter is too random to recreate so if someone has seen your seed or tamped with your device, you can tell as the pattern will not be the same. You can take a picture of the markings and keep it on your phone or print the photo and leave it with the items. I would actually recommend going one step further by putting your item in an envelope, seal it, and sign the back of the envelope along the fold. That way the attacker would have to not only recreate the splatter marks but also forge your signature on the same branded envelope.
Do not get fancy.
Do not rewrite your mnemonic seed backwards. Do not split your seed in multiple locations. Do not triple encrypt your seed. Do not do anything you won’t be able to remember or recovery. If you control your own private keys, you are responsible for your own security but that doesn’t mean you should be your own worst enemy.
Secure your Google account.
Remove your recovery phone number and email and then try hacking yourself. Log out, click forgot password, and keep hitting try another way. If your google account gets compromised they get access to your passwords, your payment information, etc. Don’t believe me? Log in and go to www.passwords.google.com Secure it. Secure it. Secure it.
Use a Chromebook.
Chrome OS has something called verified boot. It means that every time you turn on the device, it checks the version of Chrome OS against the one published on Google’s servers to ensure that it hasn’t been altered in any way. Additionally, each tab and application runs in a secure sandbox that prevents it from affecting other parts of the computer. Let's assume the worst-case scenario. If there was malware on the device to find your private keys and send it an attacker or a keylogger was installed to track your passwords, it would be identified and removed once the device was restarted.
Bookmark your favorite sites.
In a world of autocorrect and Google, we have been accustomed to typing in the incorrect website and it being the correct one. However, in a world of immutability, would you want to bet the value of your wallet on it? There have been numerous phishing sites that look like the site you are trying to reach but are really fake. How do you know you are about to bookmark the correct site? Cross-reference the URL from multiple verified sources. Google it, then check Twitter, then check for the founder or other employee to link to the site. If you think this can’t happen to you, try this phishing quiz made by Google’s Jigsaw.
Don’t click on links.
With a lot of links being shortened by bit.ly and other services, you no longer know where a link is taking you. My recommendation if you aren’t going to bookmark your favorite sites is to hover over any link so you can see where it is going to take you. Ensure that is the correct URL and never click on links that were sent to you on Twitter, Slack, etc. as most projects will never DM you.
Don’t click on ads.
There are plenty of phishing websites that are ad-based. If you see an ad for an exchange or service you are familiar with please click on the organic link below the ad. Take this link for example, www.coίnbase.com. If you didn’t pause, you failed. I am not sure if you can tell the difference between Coίnbase vs Coinbase but one is a fake site. If you can’t tell the difference, it is the ί vs the i. Don’t worry, that fake link takes you to the Rick Astley page.
Check the security certificate.
The security certificate is the green name or lock in the URL bar when the website is secure. Each certificate is issued to a specific company which cannot be faked. MyEtherWallet Inc [US] is what you would see for the MyEtherWallet page. So while phishing sites can mimic the layout of the site, the security certificate is harder to falsify. I don’t expect you to memorize every security certificate out there so please bookmark these sites.
For those of you who don’t want to check the security certificate each time, Metacert is another extension that will pop up a green banner at the top of sites if the security certificate is valid. If you find it annoying, you can turn that off and the extension will change color but you have to get in the habit of looking at. As a side note, Metacert is looking to issue its own ethereum token to provide an incentive for people to flag and review sites to keep everyone safe. *This is security and product, not investment advice*
Check your antivirus software.
If you ever go to a site and notice that the security certificate has gone from the company’s name to a simple green s after http in your browser, you may not be in danger yet. First, give yourself a pat on the back for paying attention. Second, your antivirus software may be interfering with this so you want to disable it momentarily and refresh the browser or proceed in an alternative manner. Additionally, you may be able to specifically disable the SSL scanning or web security portion of your antivirus software. This way you still have protection from most things while being able to confirm that you are on the correct site.
Desktop and offline apps.
MyCrypto recently released desktop apps for MacOS, Windows, and Linux which mitigates all of the attack vectors from fake websites. As an added bonus, Chromebooks will now support running linux applications but wider support will be released later this year. Both MyEtherWallet and MyCrypto have offline versions of the website itself if you want to get extra paranoid but this gets complicated quickly.
Put Two Factor on everything. There are three pillars of security, 1. things we know (passwords), 2. things we have (phones or 2FA keys), or 3. things that we are (fingerprints or faceID). Two factor authentication or 2FA relies on one form of security, often a password, and a secondary form which is often a code from something you have. This secondary layer of protection helps slow down attackers as passwords are often leaked after a hack. Another issue is that security questions to reset a password are often publicly available. If I looked over your Facebook page I could probably guess your favorite color or find out your maiden name. There are multiple forms of two factor authentication and some are more secure than others:
Universal Second Factor: This is the most secure option as the risks are limited and it is easy to remember a physical device. I’d recommend buying a Yubikey or Google Titan Security Key. If you need to buy a hardware wallet, Trezors can be used as a U2F key so you can secure your assets in a really secure way and secure your accounts online. I’d recommend buying more than one in case you lose it. These are so secure that Google gave all 85,000 employees security keys in 2017 and its phishing attacks fell to 0 and now mandates all employees have one.
Time-based One Time Passwords (TOTP): This is another secure option but it isn’t as user-friendly as a U2F device but these services are free for anyone on a budget. Downloading an authenticator app such as Google Authenticator or Authy is where you should start. You’ll see a string of letters such as WICEUIDWJFPMWU or a QR code. Enter the string of letters or scan the QR code on all of your devices. This will create a six digit that you will have to enter into a website. These are familiar to most people who have ever been text a code but these will change every 30 to 60 seconds, unlike the codes that get texted to you.
SMS based two factor: This is better than nothing but there are some major risks associated with it because of Sim Porting. Sim porting is an attack where someone calls your phone provider pretending to be you and convinces them to activate their phone with your phone number. They then can get access to your two factor codes as it gets sent to their phone and your assets are gone in minutes. I would recommend reading this AMAZING guide on how to prevent it.
Here is a list of services that provide two factor authentication. Turn it on for every site that you can possibly use it on. If you have the option to use multiple forms of 2FA, use keys, then TOTP, and then SMS.
Do not have your phone number linked to anything. I know I just said to use 2FA but try to limit the number of ways someone could find out your phone number. If you have to have your phone number linked to a service, please contact your carrier to add a password or other security layer to prevent attackers from being able to transfer your phone number to a new device. As a bonus tip, write “DO NOT PORT MY NUMBER” in the second or third address line in your billing information. If this were to happen and the representative at T-Mobile were to ask the attacker to verify your address, they would see:
123 Fake Street
Apt. DO NOT PORT MY PHONE
Amazing, NY 12345
If you do need to leave your phone number attached to something, use a service like Google Voice as you can’t port those numbers.
Switch to Project Fi. Most people don’t know this, but Google actually is a carrier and can provide service to your phone and tablet. A Lot of us have grandfathered data plans, myself included, but it is much harder to port your phone number to a new device with this service. For starters, there isn’t a generic phone number to call or a store to visit as Google relies heavily on your Gmail account. In order to register the device as stolen, you will need to log into your Gmail account and access the support page through the Project Fi website or app. This puts the liability and security back in your control and not someone at one of the major phone carriers. That being said, you should create a strong password and turn on 2FA to prevent your Gmail from being hacked. Google also has an Advanced Protection Program which provides additional protections for free but restricts the kinds of things you can do with your account.
Cautions to TOTP codes. While Google Authenticator is a better solution than SMS codes, it isn’t without its concerns. While this is highly technical, the short version is a concern about how the data is stored and secured if your device and the server have to stay in sync. The data can be monitored in transit thus someone being able to access your TOTP code. If you use Google Authenticator, ideally the app should be installed on a secondary device that has never touched the internet and is kept offline. This can be done through a website like APK Mirror and then transferring the app onto a new Android device. You can buy cheap Android devices for less than $50. Conversely, if you are going to use Authy, ensure that you turn the multi-device setting off. It is on by default unfortunately and essentially creates the phone number porting issue but this time through an app.
Run two browsers with an ad blocker on one. While we all hate ads, pop-ups, etc. it is a necessary inconvenience until a better solution comes along to keep the internet free. That being said, I suggest keeping your favorite browser as is and installing an adblocker on a secondary one. That secondary browser is where you should do all of your cryptocurrency related tasks. I recommend uBlock Origin if you are running a traditional browser as it is open source and doesn’t whitelist ads for a fee like AdBlock Plus. If you really want to support a native cryptocurrency project, you can download Brave. It is a browser built by the cofounder of Mozilla except this has ad blockers and an Ethereum wallet built in.
Use a password manager. If you are going to take this next section seriously, you are going to need a password manager. There are plenty of great password managers such as LastPass which is free or 1Password which is $2.99 a month.
Audit your passwords. Force yourself to use unique passwords for each site with this Password Alert. It is an open source Chrome extension built by Google’s Jigsaw that looks at the password you saved to one site and will alert you when you are entering the same password into a different site.
Create complex passwords that are hard to crack. PwndPasswords is a great resource for this after the Yahoo and Equifax hacks. Enter your password and you can see how long it would take a computer to guess your password (don’t worry it is safe and the code is open source). Ideally, you would like a password with a high level of entropy which is a fancy word for randomness. P4s$w0rd123 is not a complex password or a high level of entropy. A password manager will generate a unique, complex password for you for each site.
Check to see if it has already been hacked. If you enter your email address on this website by the same creator, you will see where and if your email address and password have been compromised. You can get notified of any future breaches by clicking the Notify Me tab at the top. This service is built into 1Password already or you can add it yourself and save the subscription cost by using Lastpass.
Audit your permissions. Do you trust the producers of your extensions? Do you trust the websites that you used the Facebook Log in button with? I would recommend reading Nick Szabo’s Trusted Third Parties Are Security Holes as it is one of the best pieces on the subject matter. Most permissions you grant an app have specific use cases but things change and bugs occur. There have been attacks where a developer sells their chrome extension and the new owner adds some malicious code to it. This is usually a virus of some kind but one attacker would copy their Bitcoin address when you logged onto exchanges as they could “Modify data you copy and paste.”
Avoid the $5 Wrench Problem. If your wallet is compromised for whatever reason, the worst thing to have is all of your assets stolen because everything was in one wallet. I would recommend using a Hierarchical Deterministic (HD) Wallet which allows you to generate multiple wallet addresses from a single seed phrase. This allows you to put your assets across multiple addresses so if you are forced to provide the password to one of your wallets, an attacker doesn’t wipe you out.
Check twice, send once. In carpentry, you are told that you should, “measure twice, cut once” as you cannot undo a cut to a piece of wood. The same goes for sending cryptocurrencies and tokens. Always copy and paste it AND double check it. Never type an address as you could make a mistake. Don’t believe me? There are millions of dollars of stuck tokens in a lot of smart contracts as seen below because someone sent it to the incorrect address. There is an EIP for a new token standard called ERC223 which would ideally prevent the accidental transfer of tokens to a smart contract but until then, you should double check.
Install Ether Address Lookup. EAL is a useful Chrome extension created by Harry Denley, a member of the security team at MyCrypto, that highlights and matches Ethereum addresses. This can help prevent some copy and paste errors by giving you visual cues.
Install EtherSecurityLookup. ESL is another useful tool developed by Harry Denley that highlights fake Twitter accounts by finding names that are similar to the verified names. I will note that there are some false positives so take it as a stop sign; Stop, look both ways and then proceed if safe. I should add that both of Harry’s apps are constantly being updated with new features so this advice will age well but these pictures won’t.
No one is giving you free ETH. Airdrops are a powerful tool. It allows companies to jump start a two sided marketplace, allow potential users to use the dapp, and create liquidity by distributing tokens. If you are going to participate in an airdrop, you will never need to send your private key to receive your tokens. Each project does it differently but the tokens will be distributed by balance, recent activity, or by registering to its site. If you need to register for it, only use a public address for a wallet that is in your control. You cannot use an exchange wallet for airdrops so head over to MyCrypto or buy a hardware wallet to get your tokens.
Do not give them free ETH. Sending private keys to receive free tokens isn’t the only scam that popular through social media channels. There are a lot of 10x scams on Twitter. This is a scam where you send an address 0.1 or .3 ETH and someone will send you 10x the amount of ETH back. They won’t send it back. I promise. People fall for these scams because they create user names that look like the celebrity or business but are misspelled.
Nobody understands the cloud. Except for scammers and hackers so do not screenshot your recovery seed and back it up to the cloud. This goes back to securing it in a safe location. Dropbox, Google Drive, iCloud, etc. have never had a widespread hack but user's accounts are hacked all the time. If you are going to save it there, and you shouldn’t, ensure you are following the tips listed above about passwords and 2FA.
Only unlock your wallet to send something. If you want to check your portfolio to Lambo ratio, use a block explorer like Ethplorer or a portfolio manager like Blockfolio. This goes to the phishing attack issue, every time you are visiting a site and unlock your wallet, you are running the risk of some kind of attack. If you aren’t going to send something, don’t needlessly risk the asset to check your balance when you can use a block explorer to see the value of the address.
Only use Metamask as needed. Similar to the unlock issue listed above, there are plenty of ways attackers are targeting Metamask. One larger concern that is developing though, is how web3 browser extensions are injecting a bit of code into the websites you are visiting exposing the address associated with the account. While they are actively fixing this, I wouldn’t be surprised if some savvy advertisers are collecting that data to target which of its users have cryptocurrency. Facebook doesn’t need to know your address or your balances.
If you have any feedback or suggestions on any of this, please let me know. My DMs are open as I am sure this will need to be updated annually.
Please stay safe and remember to always “Stay humble, stack sats.”