We see hacks at the exchange, startup, and individual level almost every day now; everyone is at risk of digital theft. Unlike traditional financial systems, participation in crypto demands radical self-reliance, so we've created a basic list of ways to protect yourself in the wild west of digital assets.
1) Protect your private keys
If someone steals your online banking password, debit card number, even credit cards, there's generally a pretty clear way to dispute, reverse transactions, order new cards, and potentially retrieve your lost funds. In crypto, it's simpler: you need to keep your private keys private. There is no insurance; there is no way to reverse transactions; there are no second chances.
We recommend a hardware wallet like Ledger to keep your crypto offline. Back up your private keys/seed/mnemonics in separate, secure, offline locations. For this purpose, consider a Cryptosteel wallet.
- Do NOT save your private key/seed/mnemonic on a cloud provider like Google Drive, Dropbox, etc.
- Do NOT give it away, leak it, share it. Ever.
- Do NOT type your private key/seed/mnemonic on your computer or smartphone as there may be a keylogger or malware tracking the entry.
2) Protect your passwords
Regarding all your other passwords, we urge you to create long, unique passwords for each login. Duplicate passwords create massive risk because once one institution you've logged into is hacked (Equifax, Yahoo, Facebook) so is any other account you've used those credentials for. For example, a study by Google in 2017 estimated that 10 - 25% of the 1.9 Billion passwords available for sale on digital black markets could still access Google accounts.
We recommend 1Password to store and retrieve your unique passwords.
3) Use 2FA
Two-factor authentication is essential for digital security, let alone crypto security. It is important to differentiate two-factor authentication from two-step verification; the latter is vulnerable because it involves sending a one time passcode to your phone number, generally through SMS. If someone has ported your phone number they can intercept your messages and two-step codes, whereas bypassing two-factor authentication requires physically having the unlocked phone with the 2FA app in hand. Organizations like Apple and Coinbase have automatically upgraded their customers from two-step verification to two-factor authentication, and you should take the same precaution for all major services.
Note: Be sure to store your 2FA seed keys offline and somewhere safe, as if you lose your phone (and access to Google Auth) without the 2FA backups, you're in trouble.
4) Use a VPN
Rather than connecting directly to your ISP, a Virtual Private Network allows you to first establish an encrypted, private connection with the VPN server. All your ISP can see is that you’re connected to a VPN. If that VPN is located in a different country, it will seem as if you were located in that country, which can be beneficial for privacy and accessing blocked sites. Use a good VPN service, especially when you’re using public WiFi.
5) Email securely
Your email can be used to access many accounts as it is often the fallback for password recovery. It is essential to use a unique password and 2FA on your email account. Don't use your primary email credentials for trivial or weird stuff; you may even want to create a separate email account for logins and interactions you'd like to keep especially secure.
We recommend Protonmail for email.
6) Browse securely
Perform an audit of what plugins you have connected to your browser; you should only use plugins that are essential to your online experience. Consider switching from legacy browsers and search engines to proven services that put user privacy first.
7) Don't get phished
If the head of the CIA can get phished by a teen, so can you. Sometimes, even with an https connection and what looks to be the correct url, it's possible to fall victim to unicode or homograph attacks, many of which can be impossible to spot with the naked eye.
Many crypto phishing attacks come through DMs, whether on Slack, Discord, or Twitter. If someone sends you a link you feel like you need to see, navigate to the website yourself through a search engine. Bookmark exchanges, MyEtherWallet, and all other websites that could be a target for phishing.
8) Protect your phone
Last but not least, your phone carrier can be a weak point. Port forwarding, or 'SIM swapping', is a trick whereby a thief can use public personal information to steal someone's phone number, forwarding everything (emails, texts, etc.) to a phone in their possession instead. You can prevent this by calling your cell phone carrier and requesting a port validation password. This security pin will prevent anyone from calling your provider, pretending to be you, and porting your phone number to a new account.
As crypto continues to evolve, self-securing digital assets will become easier. In the meantime, don't fall prey to lackadaisical security practices. While centralized crypto exchanges like Coinbase and Binance provide great services, they also have your private keys and are just as vulnerable. Use them to trade, not to hold.
If you have any questions or if you feel we missed something, please do not hesitate to let us know! You can find us in the Cryptotips community discord: https://discord.gg/SSJrEnX