The Basics of Crypto Security

One of the most daunting aspects of being a crypto investor is worrying about the possibility of your assets being stolen in a hack or scam. The almost daily news of crypto theft can dissuade any investor, particularly those uncomfortable or unfamiliar with the technical aspects, from being involved in the space. Some don’t even realize there is a security aspect to protecting assets and learn the lesson the hard way.

Fortunately, it doesn’t have to be the hard way. When it comes to maximizing your crypto security, the key element to remember is that it’s not only about having the right, but also about following best practices. The following is a list of basic best practices, grouped into 9 general rules, to help you keep your crypto assets secure.

Rule #1: Self Custody

Always store your crypto on a self-custody device. Leaving significant amounts of crypto assets on exchanges has repeatedly proven to be a recipe for disaster. The famous phrase “not your keys, not your crypto” could not be truer. Exchanges have shown in many ways how they can lock you out of your funds, fail to stop hackers from stealing your assets, or outright steal your assets themselves.

The general method to self-custody your crypto is either to use a popular crypto hardware wallet (ie Ledger, D’Cent, Trezor, etc.) or a crypto wallet app installed on a dedicated mobile device equipped with a Security Processor. I’ll provide more details and rules specific to each of these types of wallets later in this post. However, in both cases, these wallets are initialized and created with a 12- or 24-word seed phrase (or large numbers). It is absolutely imperative that you NEVER, EVER, UNDER ANY CIRCUMSTANCE DISCLOSE ANY OF YOUR SEED PHRASES. If anyone ever asks for them, for whatever reason, it is guaranteed to be a fraud trying to steal your crypto. The reason is that giving away your seed phrase allows another party full access to your crypto holdings on the blockchain or DLT. You can consider them as good as gone at that point.

Rule #2: Never share your Seed Phrases

NEVER, EVER, UNDER ANY CIRCUMSTANCE DISCLOSE YOUR SEED PHRASES … ok, now that I’ve driven that home, we can move on to the other rules …

Rule #3: Backing up your Seed Phrases

When creating or initializing a crypto wallet, you will be given a seed phrase to record (or, in cases like the Xumm wallet, a combination of multi-digit numbers). As mentioned before, these seed phrases (or numbers) allow you to recover access to your crypto stored on the blockchain/DLT in case something happens to the hardware device or crypto wallet (device theft, damage in a fire or flood, internal electronic circuitry dying or corroding, etc.). Therefore, it’s important to write these seed phrases/numbers down on paper only, and store them in a secure, trusted location like a safe or a well hidden, inconspicuous area of your home. They should not be stored digitally, and certainly not on any cloud or public storage platform, due to the risk of a hacker attacking that third-party platform and stealing this critical information.

It is strongly recommended that a second paper-only copy be made and stored in another secure, trusted location different from the first. If something adverse happens in one location (ie fire), the critical information is still available in the other.

Rule #4: Passwords on Centralized Exchanges

A general rule you’ve likely heard before is not to use the same password for multiple sites. It applies not only to centralized exchanges, but in general to all websites requiring a password. The biggest risk, especially with lesser known websites that likely have more lax security practices, is a breach in which the site’s users’ passwords and email addresses are compromised and then used to log into other sites where the same (or linked) email and password combination is in use. Since the hacker logs into those other sites with valid credentials, their activity carries on undetected. Consider using password managers like 1Password, NordPass, Keeper or other reputable managers for handling multiple passwords.

Rule #5: Use 2FA, not SMS

Exchanges have considerably improved their security practices, and they often use a secondary login or action-confirmation mechanism to further protect their customers’ accounts from hacking. This secondary confirmation is carried out either by two-factor authentication (ie 2FA) or in another manner, like SMS text messages.

SIM card cloning or copying is one of the most dangerous threats hackers can use to take over not only your mobile phone number, but also any critical information linked to it. Worse yet, they may never need to physically steal anything from you to do so; it can all be done remotely without your knowledge or any warning sign. It’s for this reason that 2FA should always be used instead of SMS messaging for any security settings on centralized exchanges or wallet platforms. 2FA is typically done via user-friendly third-party mobile apps like Google Authenticator, Authy or Okta.

It’s important that these 2FA apps are installed on a device different from the one you use for purchasing or storing crypto. For example, if you typically purchase crypto on a laptop, install the 2FA app on a mobile device. Or, if you purchase on a mobile device, install the 2FA app on a different mobile device.

Rule #6: Backing up your 2FA

Similar to Rule #3, back up your 2FA via the procedure provided by the mobile app. Each one employs a different method, so don’t hesitate to look up instructions online. Make sure backups are up to date whenever a crypto platform is added to or dropped from your 2FA list.

Rule #7: Hardware Crypto Wallets Good Practices

This is more a set of rules, all related to hardware crypto wallets, than a single hard and fast rule, but I promise to keep it neat and tidy:

(7a) Always buy directly from manufacturer

Never purchase from a secondary reseller like Amazon or eBay. Hardware wallets can be tampered with and resold to unsuspecting buyers. This is sadly not theory but fact, as incidents have occurred where hardware wallet holders suddenly found their assets drained, later realizing the wallets had been purchased either second hand or from a third-party distributor.

(7b) Download updates only from official websites

Never download from supposed links on non-official sites like Discord or 4chan; download only from the official page of the wallet provider. It would be a good idea to follow the official Twitter page as well for any critical news or information releases.

(7c) Enable any biometric, 2FA or MPC

If your hardware wallet comes with additional features such as biometric authentication, 2FA or multi-party computation (MPC), they may be disabled by default. Take the time required to learn how to enable and use them, strengthening the security of your hardware wallet.

(7d) Dedicated laptop/desktop for MetaMask

It is highly likely that your hardware wallet alone will not let you participate in and engage with DeFi dapps. You will likely have to pair it with or interact through a web3 browser and/or wallet (ie Brave or MetaMask). Therefore keeping the laptop/desktop secure is just as vital as securing the wallet. In short, the laptop/desktop should be dedicated strictly to crypto-related operations only (ie no social media, email, non-crypto browsing, messaging, etc.). It doesn’t have to be a top-of-the-line model, but good anti-malware/antivirus software should be installed, with the OS and all related programs updated regularly.

Rule #8: Dedicated Mobile Wallets Good Practices

Crypto wallet apps on mobile devices have long been shunned as unsafe and ineffective, simply because they are perceived as “software wallets”. However, the latest mobile devices are equipped with Security Processors, specifically designed to prevent malicious software from accessing private information. They offer just as much security for your crypto as a hardware wallet. Look out for a future blog post where I provide more details backing this statement. Nonetheless, a set of good-practice rules should be followed.

(8a) Purchase new devices only

Similar to hardware wallets, the mobile device you decide to use should be purchased new, not pre-owned or refurbished. This eliminates any chance that the one you use has been tampered with.

(8b) Vet out the crypto app before usage

Before downloading and using a crypto app on your mobile device, apply some due diligence. Is it from a legitimate developer? Has it been security audited? Is the app you are downloading the correct one?

(8c) Enable any biometric security feature

When initially configuring and using the crypto app, be sure to activate any biometric protection feature of the app. This causes the app to use the Security Processor to store the private keys, making it virtually impossible for malware, or even physical tampering, to steal them.

(8d) Dedicate device to crypto only

Likely the most important recommendation, as this measure cuts out nearly all possible remote attack vectors, such as malware infiltrating your device. You should only install and use crypto-related apps. Nothing else should be installed or used; in other words: no browsing, social media, email, messaging, photo sharing, etc. This may mean that a fresh provider account (ie an Apple ID) independent of your personal accounts has to be created, to avoid unwanted applications and data being automatically installed on this dedicated device.

(8e) Latest and greatest software

Be sure to regularly update the crypto apps and mobile OS to the latest versions. Follow the Twitter accounts of the apps you have installed in case of any critical updates or news.

(8f) Offline (airplane) mode

When not in use, the dedicated device should be put in airplane mode, which turns off all WiFi communication to it, with the added benefit of extending battery life.

Rule #9: Do not respond to solicitation

If you ever receive any solicitation for information related to your crypto or digital assets, never engage with it or respond to it directly. An example would be a text or email from what appears to be a crypto exchange platform you use, stating that you need to provide information ASAP or something terrible will happen to your account or crypto. Unsolicited messages like these are almost guaranteed to be a scam, particularly if they present some sort of urgent situation. They attempt to social engineer (ie manipulate) you into giving up information that may end up compromising your funds or crypto.

The approach to situations like this is to assume it is a scam and to take other, independent actions to check its validity. This is why it is imperative never to respond directly, and certainly not to click on any links or call any phone numbers provided in those messages. Instead, independently log in to the platform the message appears to come from and follow up there. You can also contact customer service (look the contact details up independently; do not click or refer to anything from the unsolicited message) to check the validity of the message.
