I ran a computer consulting company for a decade. When a prototype ransomware virus ripped through one of our biggest customers, I knew I was finished. Within three months I’d sold the company.
Simple: I knew I couldn’t protect people from themselves anymore.
People are always the weakest link in security.
I remember the exact moment it turned for me. I’d just walked into a frustrated VP’s office. I stared dumbfounded as she closed a window with a skull and crossbones on it. It popped back up a second later, the text lurid red and written in broken English.
“How long is this going to take?” she said. “I’ve got a lot of work to do.”
The message on screen said, “No worry, all file encrypted for protection and safe.”
“I can’t open any documents,” she said. “I really need that Excel file for a meeting. I’m late.”
Every icon on her desktop was broken, replaced by a generic unknown file type icon.
“Um, how long has it been like this?” I asked.
“All morning,” she said.
I pointed to the skull and crossbones. “This pop-up message didn’t have you worried? You didn’t think maybe you should call someone?”
“Oh, I’ve just been closing that all day. That’s OK, right?”
I couldn’t believe it. It took every ounce of self-control not to strangle her.
“What about this makes you think it’s OK?” I said, taking a deep breath. “Is it the broken English? The skull? Does this look normal to you?”
“I dunno. Looks fine to me.”
Right then I knew that was it. I couldn’t account for PEBCAK (Problem Exists Between Chair and Keyboard). In the past, if someone got infected, I could always save them. I could clean the virus or reformat their machine and they’d be off and running.
But this was a brave new world of nastyware. Even if I removed the virus, their data was toast. Without a good backup, there was nothing I could do. Luckily, I had a good backup for that customer, but I knew it was only a matter of time before some enterprising young malware writer attacked people’s backups too.
Computer security is a war. “The jets you’re flying against are faster, more maneuverable, just like the enemy MIGS.” Virus writers today have scrum teams, unit tests and release cycles. It’s no longer some “400 pound hacker” rolling solo to send some email. There’s big money in malware. They’re out for your money and your life.
Which brings us to rule number one:
1) If You Can’t Tell the Difference Between a Drink Tray and Your DVD ROM, You Shouldn’t Own Bitcoins
Look, let’s be honest. Cryptocurrency ain’t user friendly yet.
There’s lots of folks working on making crypto easy enough for grandma to use but those days are still not here yet. It takes skill and personal responsibility to secure your digital money. If you’re not comfortable with that, don’t own cryptocurrency. Period.
You don’t want to wake up one day and find that someone hacked your machine and took off with $10,000 of your hard-earned money.
Cryptocurrencies are decentralized and that’s awesome. There’s no greedy banks, no middle men, no centralized “trusted” entity suddenly turning evil and making everyone’s life a nightmare. But with great power comes great responsibility. There’s nobody to call to get your money back. You can’t dispute the transaction. There’s nobody to reset your password if you forget it.
If you die in the Matrix, you’re dead.
If someone rips off your Bitcoin, they’re gone.
It’s up to you to keep them safe. So be brutally honest with yourself.
Can you handle it?
If not, better to not own them at all.
But even if you’re good, things go wrong. Hard drives fail. USB sticks die. You click the wrong link because you’re tired and weren’t paying close enough attention and now you’ve got a virus.
That brings us to rule two:
2) Always Have a Good Backup
In fact, have two or three or four. Have one offsite and onsite. Have as many as you can.
Take a cue from Mother Nature. Mamma N knows how to scale. Your DNA is replicated to every single cell in your body for good reason. They’re backups. You can lose millions of cells and it’s no problem because there’s always another copy.
Be like Mother Nature.
I’ve survived for so long in the tech world because I’m religious about backups. If a backup goes down I spent all night making sure it comes back online. It’s saved me hundreds of times.
Your computers don’t matter. It’s what you create with them that counts.
Your laptop could burst into flames, but it doesn’t matter if you have a good backup.
Hardware and software are replaceable.
Your data is not.
Once it’s gone, it’s gone.
Get yourself an external hard drive or two, like this 1 TB Western Digital.
And pick up a few USB sticks while you’re at it. Here’s a pack of ten 16 GB ones for under $50 bucks. I like these swivel top ones because you won’t end up losing the stupid cap.
You don’t need a lot of room to store backups of your wallets, so 16 GB is fine. I like to get more than one stick because I expect them to fail — there’s not a lot of margin in the $5 dollar mem-stick biz. Never back up to just one external disk and consider it done.
You can also consider a nice wearable USB drive for travel. Check out these wristband USB drives for example.
But the most critical step is an offsite backup. If your house burns down, having a backup sitting in your sock drawer isn’t much good. I recommend getting a safety deposit box at the bank and throwing a few sticks in there. See, banks are still good for something!
Of course, if you’re carrying one of these little sticks around, they have a habit of going missing. They can slip out of your pocket or get taken by Gremlins.
For that reason, you might want to consider an online backup to the cloud. Backblaze lets you manage your own encryption keys which is essential. Never, ever trust someone else to manage your private keys for any reason. For the same reason, even though Backblaze has their own encryption, I don’t fully trust it and neither should you. Only backup files you’ve already encrypted yourself.
Files you’ve encrypted yourself?
That brings us to rule number three.
3) If the Data Can Slip, You Must Encrypt
If you’re storing sensitive data, you’d better encrypt it.
Meet my good buddy, Veracrypt. It’s the successor to the wildly popular TrueCrypt, a fantastic piece of software built by an anonymous team that decided to call it quits after a decade. Do not continue using TrueCrypt as it’s gone and never coming back.
I recommend making several encrypted file containers for wallet backups and passwords. Just watch the video from the last link to see how. Let’s pretend we call those files crypto-backup and passes.
These files act like small virtual harddrives. Just make them a few GB. I recommend choosing double or triple encryption, like AES/Twofish/Serpent.
Once they’re created, all you do is mount the virtual harddrive with Veracrypt and then you can put whatever you want in them. Each file contains a complete file system. So you might mount the “passes” file and drop a bunch of text files with passwords in there. But really you can store whatever you want in there, like images, videos, and text files.
Even better, the entire file is easy to take with you! So you just pick up the “crypto-backup” file like any other file and copy it to a USB stick.
Core wallets, like Bitcoin Core (see Rule #4), include the ability to back up your wallet, typically to a single file called wallet.dat. It includes your private keys, password, and wallet information. Dump your wallet.dat backup file to your crypto-backup folder.
Do not store your wallets and passes on the same virtual file store, or else an attacker can grab both your password and your wallet! Be sure to use different passwords for both containers.
Mount them only when you need them and unmount them right away. Do not leave them mounted 24x7. Do not mount them at the same time. That’s lazy and dangerous.
You can even make a portable copy of the VeraCrypt program right on your USB stick. Then you don’t even need to install it on another computer. It runs right from the stick! Beautiful.
Now that we have the basics out of the way, let’s pick a wallet.
4) Wallets, Wallets Everywhere
Your first wallet choice should be a core wallet. Every project has them. This is especially important for cold storage. That’s when you store your coins offline for a buy and hold strategy. The reason is simple:
If your coins are offline for a few months or a year, it’s highly likely the file format will remain compatible with the latest version of the core wallet.
Core wallets are no frills and designed to be stable and conservative. That’s a good thing. It doesn’t help if you have a fancy, multicoin wallet and then the company disappears on you and you find it doesn’t run on the latest operating system when you pull your coins out of cold storage a year later.
I’ve made the mistake of trusting a non-core organization. The older version of Multibit I used in 2013 got abandoned for a new-fangled version.
I loaded up the old version on an OS it was never designed or tested on. I just wanted to send my coins to a new core wallet, but to my horror they got stuck in limbo because of a bug in the unmaintained code. It took me a week to fix it. Not fun. There’s nothing scarier than seeing your money evaporate into thin air because of some screw up in the code. So stick to the core for cold storage.
Be sure to set a strong password and encrypt your wallet. The link has a video tutorial. It’s a few years outdated but the process is exactly the same.
However, for day-to-day usage, I find the core wallets slow, clunky and frustrating. It’s incredibly annoying to start them up and have to wait twenty minutes for them to sync, all while you’re desperately trying to send coins to an exchange because prices are dropping like a rock. Not to mention they download the entire blockchain. With just a few alt-coins I’ve managed to eat up 50GB of space with useless data I don’t really need.
So for quick, day-to-day usage, I recommend Exodus for its gorgeous and intuitive interface. It even has the awesome anonymous Shapeshift exchange built right into it, which lets you change from one coin to another without having to sign up for anything.
Jaxx is another great choice. Both are multicoin wallets. Jaxx supports lots of coins and has plans to support dozens more. It also has the added benefit of having a mobile wallet, while Exodus is desktop only at this point. That said, Jaxx is a little uglier and less intuitive to use.
Both are based on the Electrum system of decentralized servers that’s been around since 2011. They’re deterministic wallets, which means they’re generated from a pre-created seed instead of totally random starting point like other wallets. That has advantages and disadvantages.
The big advantage is that you get a twelve-word passphrase that allows you to recreate your wallet anytime, anywhere. You could literally delete the wallet, move somewhere, then download the software, plug in the passphrase and have all your money back. That’s incredible.
Both Exodus and Jaxx allow you to set a pin or a passphrase to send money or start the program. But the huge downside is that your password is not connected to that twelve-word seed passphrase. If someone has your seed phrase, you are screwed. They can recreate your wallet and the password on your desktop is now worthless, because they have all your money.
Exodus also has a security flaw in that it only asks for your password when it starts the program. If you go to send money, it doesn’t prompt you again. That’s very bad. It means if you leave the software running anyone can remote in or waltez up to your unlocked desktop and take your money. Jaxx at least requires you to put in your pin every time.
There are also hardware wallets like the Nano Ledger. They’re a little hard to come by right now, as the rocketing rise of cryptocurrencies has ratcheted up demand. I just got my Nanos in the mail after a month but haven’t had a chance to test them. They sport hardware encryption and an LED screen. At this point I’m not convinced they’re much better than a dedicated USB stick with Veracrypt but I will give them a whirl and see for myself.
There’s also the Trezor wallet, another popular hardware choice. If you’ve had experience with this wallet, feel free to post in the comments section.
[NOTE]: After some great comments by users on hardware wallets and some experimentation on my part with the Nanos, I’m prepping to amend this section, as hardware wallets are proving to be an amazing choice for storing your crypto.
However, under no circumstances should you carry a lot of crypto on a freaking smart phone. Carry only a very, very, very small amount of cash. I’m talking the equivalent of $20 to $100. I repeat, do not use a mobile wallet for primary storage of your fundage. The reason should be obvious.
A friend was given a bunch of crypto on his phone while traveling. It was a nerve wracking experience. He was walking around with the equivalent of $5000 on his phone. It went from being a $100 lump of plastic to being a mini-bank. He spent half the day checking his phone was still with him.
If you lose your phone or your phone is compromised your funds are gone forever. Anyone remember when a bunch of naked pics of celebrities showed up online because of mass hacking of people’s iCloud online backup? Yeah. Don’t make that mistake with your money.
6) An OS is an OS is Not an OS
Andreas Antonopoulos, the famed crypto-entrepreneur and author of the fantastic tour-de-force Mastering Bitcoin (now in its 2nd edition) said “nothing teaches someone about security faster than having their Bitcoin on a Windows machine.”
In other words, as soon as someone hacks your machine and runs off with $10,000 worth of Ethereum, you’re going to get real interested in security. Don’t let it get to that.
There are some small advantages to using Windows, like better looking GUIs and a unified installation procedure, but Windows machines are a seething mess of infections, vulnerabilities and half-assed, retro-fitted security that doesn’t work. Under no circumstances should you consider holding your cryptocurrency on your everyday machine while merrily browsing for porn or the next crappy Flash game to install. That is a recipe for disaster.
Strongly consider using a separate bare metal Linux box or a virtual machine running Linux in VMWare Workstation or Virtual Box. A minimal install of Red Hat Enterprise Linux or CentOS or a security focused-distro is your best bet. Lock that box down and do not run as root.
However, if you’re just going to assume that Linux is superior and call it a day, see rule #1. That’s like walking into Whole Foods thinking that any random box of crap you pick up off the shelf is healthy. Just because it says organic and crafted by unicorns doesn’t make it good for you. Forty milligrams of “natural” sugar is still sugar. Even with Linux you still have work to do.
And if you’re adamant about sticking with Windows, you have a lot more work to do. Run it on a clean install VM, with tightened security. Don’t run as an administrative user. Admin users have way too much power on Windows. Regular users can’t install software. Hell, they can’t even change the time. That means malicious software will have a much harder time planting seeds in your machine. Make yourself an administrator to install all your software and then demote yourself to a regular nobody.
So what security software do you need?
7) Free Anti-Virus is Not Anti-Virus
Sorry, but you don’t get to grab some freeware anti-virus and consider yourself protected. Anti-virus software requires constant updates and a dedicated team of professionals behind it to deliver those updates. Those teams cost money. The bad guys never sleep. You cannot afford to choose free here.
You also can’t afford an anti-virus company that monitors and sells your data as a way to make money, which is how many of the free AVs pay for that expensive team of virus-fighters. Even if their software is good at catching bad stuff, the trade off is Big Brother living in your machine. That’s a no go.
Malware Bytes has a free version but it’s not good enough when it comes to protecting your precious Bitcoin and Ethereum and Dodgecoin. The free version only scans for infections after your machine is already damaged. By then it’s too late.
The premium version includes a real-time blacklist of suspect sites. If you try to browse a blocked site, it will intercept the connection so you can’t open the malicious page. That said, on your crypto VM you absolutely should not be browsing the web. Do that on your every day desktop.
That VM is dedicated to one thing: managing your money. That’s all it should do.
Eset also includes a sandboxed browser for banking that disables all plugins. This is useful for connecting to the exchanges if you want to do some trading.
There are also versions of Eset for Mac and Linux. And yes, both of those systems get viruses and malware too. So get them protected.
Oh and Eset and Malware Bytes make mobile Android versions too. Your license should cover you on both.
One other piece of software to consider: Faronics Deep Freeze. It proxies all writes to the disk and tosses them away after a reboot. That means you can utterly destroy a desktop and then reboot it and it’s as if nothing happened. The computer is right back to normal.
Police departments across the US use it for their cruiser computers. With it, they don’t even need to run anti-virus (but don’t do try that at home). If something goes wrong all they have to do is reboot and everything is golden.
But be very, very careful with this software.
It’s super easy to make a mistake.
If you forget the computer is frozen and write something you want to keep to the disk, it’s gone. Forever. That includes things like your private keys. So if you install a new wallet, download $500 of Bitcoin to it and then reboot, your wallet’s toast as is your $500 bucks.
However, if you flip the computer to unfrozen, install your wallet and encrypt it, you can then reboot to frozen mode and conduct transactions. Your private keys and wallets will not be deleted on reboot (since you wrote to the disk in unfrozen mode). Only blocks will disappear, since they are pulled down after the disk is frozen again. Because your money lives on the blockchain and not your wallet, that means that even if five days of blocks get thrown away by Faronics, your money is safe. You just have to sync again to see it.
The added bonus of this method is that it can prevent against ransomware perfectly. If a new type of ransomware attacks Bitcoin wallets and encrypts them, all you would need to do is reboot and the virus is gone, as well as the locked up version of your wallet. Pretty cool.
Unfortunately, Faronics is only for Windows and Macs. They do have a version for SUSE Linux but who the hell runs SUSE? There was an alternative project called Lethe but it’s dead so we’re out of luck there. If anyone knows any alternatives please post them in the comments.
Lastly, if you’re running Windows, it’s secretly spying on you. It constantly sends telematic data back to your Big Brother Microsoft. That’s why you need Spybot Anti-Beacon, a free software that crushes all the little spy engines woven into your machine.
You can also pull some old school sys-admin tricks to secure a Windows machine. One of my faves is to remove your user permissions from the registry keys that allow programs to start with Windows. These are the magic keys:
That means even if any malware does manage to install itself, it won’t be able to start. And since you’re not running as an administrator it shouldn’t be allowed to install software anyway. You aren’t running as administrator, right?
This trick is a bit of a pain when you need to install legit software, but you can always change the permissions, install your app and set the restrictions back.
Lastly, uninstall notoriously vulnerable software from your machine right now. No web games. No search bars. No stupid browser plugins to “help” you shop.
And no freaking Flash.
Steve Jobs was right. It sucks. Get rid of it.
8) Your Friend, Two-Factor Authentication
Finally, if you’re trading on the exchanges, you absolutely must enable two-factor authentication. Usually that means adding software to your smartphone, like Google Authenticator or Authy. Each site is a little different to set up, but not much. Follow the instructions in the help section of the site.
After you log in to one of the major exchanges like Poloniex or Kraken you’ll be prompted for a code from your authenticator program. The codes change every thirty seconds. The idea is that even if someone manages to capture your password, it won’t work thirty seconds later.
Two-factor also protects your withdrawals. This is critical. When you go to move money from the exchange to your personal wallet, it prompts you for a code again.
Guess what happens if you don’t have two-factor? That’s right: Someone captures your password, pops it in, and waltz away with your money scot-free.
Without two-factor you’re playing with fire. Simple as that. I’ve seen countless examples of people posting on forums that they were hacked. They blame nefarious secret cabals of employees within the exchange or some sophisticated nation-state uber-hacking team.
Sorry, but no.
They got taken by garden variety hackers.
If you don’t have two-factor authentication enabled, you might as well tattoo “steal from me” across your head. All someone needs is your username and password and your funds are their funds now.
Don’t get lazy. Set up two-factor before you put a single red cent into any exchange.
That brings us to biggest question people have about exchanges. How much money should I leave in there?
You’ll find a lot of advice that says you should never leave your coins in the exchange. Honestly, that’s not very realistic.
If you’re planning to buy and hold, it makes sense. No reason to keep them there. Better to control your own private keys.
But at some point, you’re going to want to trade and that means leaving the funds there until your price point is triggered, if it’s triggered at all. You won’t know when that time comes. It could be ten minutes or ten days.
Eventually, you’re going to have to trust the exchange or just choose not to trade. I recommend splitting your funds between multiple exchanges. Get KYCed on five or six of them. Then if one of them gets hit, they don’t take you for everything you’ve got.
Everyone who was around during the Mt. Gox debacle knows the pain of getting hacked and losing your coins. I lost some coins, just like everyone else. It sucked. No doubt about it.
Still, security has gotten much stronger since those days. Every one of the major exchanges, from Poloniex to Bittrex, knows they have no choice but to hire an army of security engineers.
I’m not saying a major exchange won’t get hacked again, but if you want to trade, you’ll just have to accept some risk.
No risk, no reward.
Conclusion: If You Don’t Have the Private Keys to Your Money You Don’t Own Your Money
That’s a lot to take in, but this is no game.
Take your digital money seriously.
It’s incredibly empowering to control your own funds, but it’s also a big responsibility.
Why go through all of this, though? It’s a ton of work. Security is not easy. It’s not for everyone.
The reason is simple:
You may think you own your money, but you don’t.
If it’s in a bank, the bank owns your money.
Anyone who’s lived through a financial crisis learned this lesson the hard way. During the housing crisis I had multiple friends and relatives who couldn’t take their money out of the bank. During the Great Depression, bank runs nearly crippled the economy. Right now, in Venezuela, folks can’t take their own money out of the bank. It doesn’t matter that they’ve worked their whole life to save that money, they get to sit and watch as it craters in value while the banks hold that money hostage.
Here’s why they can’t give everyone their money: The don’t have it.
It’s called fractional reserve lending. You might imagine that banks safely store your money in a vault for safe keeping so it’s there when you need it. The don’t. They lend your money out to other people, make money off the back of that lending, while you get nothing, all for the privilege of “safely” storing it for you.
It works great, right up until everyone wants their money out at the same time.
And the moment someone tells you you can’t have your money, that’s when you’ll know for a fact that if you don’t have the private keys, you don’t own your money.
Former President Obama said, “We can’t have people walking around with Swiss bank accounts in their pockets.”
Actually we can.
That’s exactly what cryptocurrency offers.
You are your own bank. And your money is your money.
But with great power comes great responsibility.
DISCLAIMER: Be a big boy or girl and make your own decisions about where to put your hard earned money. I am not a financial adviser and this is not financial advice and if I really need to tell you this then it’s best to keep your money in your pocket anyway.
If you love my work please do me the honor of visiting my Patreon page because that’s how we change the future together. Help me disconnect from the Matrix and I’ll repay your generosity a hundred fold by focusing all my time and energy on writing, research and delivering amazing content for you and world.
If you love the crypto space as much as I do, come on over and join DecStack, the Virtual Co-Working Spot for CryptoCurrency and Decentralized App Projects, where you can rub elbows with multiple projects. It’s totally free forever. Just come on in and socialize, work together, share code and ideas. Make your ideas better through feedback. Find new friends. Meet your new family.
If you enjoyed this article, I’d love it if you could hit the little heart to recommend it to others. After that please feel free email the article off to a friend! Thanks much.
A bit about me: I’m an author, engineer and serial entrepreneur. During the last two decades, I’ve covered a broad range of tech from Linux to virtualization and containers.
You can check out my latest novel,an epic Chinese sci-fi civil war saga where China throws off the chains of communism and becomes the world’s first direct democracy, running a highly advanced, artificially intelligent decentralized app platform with no leaders.