You can never be too paranoid in Cryptosphere. This might seem like a hyperbole but ask anybody who has lost their crypto-stash and I am sure they would agree with me. I have lost my hard earned money because I was careless. I have spent time after that in understanding things and am posting my learnings in this post. I am by no means a security expert or a cryptocurrency expert. If there are any flaws in this post or suggestions leave them in comments so that I can update the post accordingly.
Cryptocurrency is a still a nascent field. Though there has been references to peer to peer electronic cash for long, 3rd January 2009 (when Bitcoin was introduced and the Genesis block was mined) can be considered as the official start of cryptocurrencies. For a technology that is barely 10 years old it has made many heads turn and has given sleepless nights to many governments across the world.
Since cryptocurrencies are highly unregulated markets you won’t have any consumer courts or governments coming to your support if you loose money because of your own mistakes or if you are conned out of your money. So it is very important that you know all the risks before you invest your hard earned money in cryptocurrencies.
Cryptosphere is full of incidences where people have lost their money. I will not be covering all the hacks in this article. I will just cover one international exchange hack, one exchange hack from close home in India and one Wallet related hack. If you want to know about other hacks you can read https://coinsutra.com/biggest-bitcoin-hacks/
The biggest and the most notorious hacks till date is Mt. Gox (Magic The Gathering Online Exchange) hack that occurred in 2014. At the time of the hack Mt. Gox was handling close to 70% of the worlds Bitcoin exchanges. The repercussions of this hack are being felt even today.
While many people are aware of this hack in 2014, not many are aware of the attack on On June 19, 2011 when the value of bitcoin in Mt. Gox fell all the way down to one cent! Imagine buying Bitcoin for 1 cent in June 2019, that would have been a killer offer. https://blockgeeks.com/guides/cryptocurrency-hacks/
On 13th April it was reported that Bitcoins worth 20 crores(Nearly 438 Bitcoins) were stolen from CoinSecure by its CSO Amit Saxena. This was the first high profile exchange hack from India. The way these coins were stolen by its own CSO clearly shows lack of maturity and gaps in the safety measures. Though Coinsecure started the process of returning the funds of the users it proves that storing your funds in exchanges is not safe.
Bitcoins worth Rs 20 crore stolen from exchange in India's biggest crypto theft_Nearly 438 bitcoins worth over Rs 20 crore were stolen from a top exchange firm in India in what is being billed as the…_economictimes.indiatimes.com
Though https://www.myetherwallet.com/ was not hacked in this case I chose to call this Myetherwallet.com hack because most of the people who have done a ethereum transaction would have used https://www.myetherwallet.com/ and would have assumed it to be foolproof. While MEW was not hacked in this case it was a DNS attack where the users were redirected to a Russian server which stole the funds. This was a limited attack as users were given a warning about the wrong certificate and only those who ignored this warning were subjected to the attack.
Hackers emptied Ethereum wallets by breaking the basic infrastructure of the internet_At midnight ET last night, MyEtherWallet users started noticing something odd. Connecting to the service, users were…_www.theverge.com
This is one more reasons why you should always give attention to the warnings. Especially in cryptosphere you must follow this thumb rule
When in doubt, don’t do it. Google first and then read about it in the sources your trust.
There are two ways of storing your crypto funds. You can save your coins in your Wallets or you can save your coins on Exchanges.
The bad news is that there are risks associated with both.
Security is only an illusion :P
Before listing down the things that you can do safeguard your cryptocurrency funds I would like you to focus on one thing in particular.
Convenience is the enemy of Security. Humans are the weakest link in the security of any system.
Once you understand these two things it becomes easier for you get your lazy ass up and take all the necessary precautions. One thing that I have observed is that people are wary of all these challenges and hence postpone entering into cryptocurrencies. But once they enter and start investing they ignore the safety precautions.
Understanding how cryptocurrencies work is very important so that you are well informed and you can decide what safety measures needs to be taken. These safety measures will vary from one cryptocurrency to other and from one exchange to other. Being up to date is important so that you are aware of any hacks immediately and can take necessary steps. I was planning to participate in an ICO recently and was about to open MEW but I saw in twitter my feed about the MEW related DNS hack and it kind of saved the day for me. So it pays to be updated.
Whether it is for trading on an exchange or whether it is for transferring your funds from one wallet to exchange or exchange to wallet or wallet to wallet always make sure that you do the transactions on a safe computer. Avoid doing your crypto transactions on shared machines or work machines. If you can afford it is better to have a separate computer for crypto transactions.
From a couple of discussions I see that people prefer MAC laptops. I am assuming that a Linux OS is equally secure and these two are preferred to Windows OS.
Do not use public or unverified WIFIs. WIFIs are generally less secure compared to ethernets. So whenever possible use ethernet. If you don’t have then use your personal WIFI. Never use a public WIFI or a WIFI whose router you can’t control.
On the computer you use for cryptocurrency transactions, make sure that the browsers doesn’t have untrusted plugins/extensions. I generally use chrome browser and make sure that I install only required chrome extensions. Browser extensions and plugins generally have access to lot more data than you can imagine. Better to stick to only crypto related plugins like Metamask and
Bookmark all the websites that you use. Whether it is an exchange, wallet or MyEtherWallet.com website. Never search a website in google and then visit it from there. There are many impostor websites which have their domains very similar to the original websites. There are some fraudsters who even bid in Google ads so that they can take you to their websites which are similar to popular websites and steal your data and hence your money. Be aware of these phishing attempts.
Google chrome also highlights your matching bookmarks which I feel is very handy. As you can see in the image I bookmark couple of frequently used urls from the exchanges I use.
For example I generally open the Send Transaction page of MEW. So I bookmark that page in addition to the home page.
Some people prefer using a plugin like Cryptonite (https://chrome.google.com/webstore/detail/cryptonite-by-metacert/keghdcpemohlojlglbiegihkljkgnige?hl=en) but I am wary of any crypto related extensions other than Metamask.
If you prefer using this extension instead of Bookmarking every crytpo site out there you can go ahead and install it.
There is a lot of discussion about how to generate strong passwords that we can remember easily. The problem with us is that we try to create passwords that we can remember easily and in the process sacrifice the security. Ideally we should generate passwords that are easier for us to remember but difficult for computers to guess (using weak password guessing and bruteforce). The following xkcd image captures the concept very well.
You can read more about alternate strategies on https://lifehacker.com/four-methods-to-create-a-secure-password-youll-actually-1601854240
I have been reading up on random generated passwords. Some people strongly recommend random generated passwords and go to the extent of saying that if you can remember your password it is not secure. I first came across this in Steemit. I would like some review on this from anybody working security domain.
And coming to Steemit’s rules about passwords Rule No 1,2 and 3 are universal to all blockchains. I am looking for some confirmation on Rule No 4 and 5. Regarding 5 I am still researching what is the best way to backup. I am of opinion that anything that is stored in software can be lost. So for a master password I would prefer to put it on a physical structure. Metal engraving probably??
There is difference of opinion on this topic again. https://www.hacker9.com/why-you-should-never-copy-paste-your-passwords.html makes a case for why copy pasting is bad and there are many who advise against typing passwords because it is easy to install key-logger software on machines. For now since I am using random generated passwords I am sticking to copy pasting, as I can’t type in those passwords.
Using a same password across different websites is a very bad idea. If one website is compromised your hacker can access all the websites where you have used the same password. This is one trap which most people fall into because everybody knows that it a pain to remember many passwords. I generally keep couple of versions of passwords and use them accordingly based on whether the website I am using is for general purpose, storing personal data or storing funds. But after doing enough reading I feel that it is better to have unique passwords for each website, at-least when dealing with Cryptocurrency Websites. I know this will be a pain and hence the next tip.
Password managers fixes one main issue and that is of password reuse. It is a kind of broadly accepted that Password Managers improve the security. You can read more on https://www.wired.com/story/password-manager-autofill-ad-tech-privacy/
I am currently using Google Smart Lock but am planning to shift to LastPass shortly. LastPass also has an option creating a random generated password that can be used for a each new website/exchange.
Don’t trade on exchanges that doesn’t provide you 2FA. There are way too many exchanges these days. Especially if you want to buy a token that is fresh out of ICO you would end up creating accounts on multiple exchanges. Many of the new exchanges look shady sometimes and there is no way for you to know how secure they are. One parameter that I use is I only trade on centralised exchanges that provide 2FA. I am currently using Google Authenticator but will be moving to Authy shortly.
When you leave your money on exchanges there are lot of things that can go wrong. Governments might freeze the funds in the exchange. Your account might get hacked. Your exchange might get hacked and so on. Most of these exchanges not having proper customer support only adds to the problem. And hence it is suggested to move your funds which you don’t use for trading to an offline wallet.
The whole premise of cryptocurrencies is that you own your money and you are not dependent on some trusted third party. So moving your coins to an offline wallet is a good idea. When you use an offline wallet have your private keys and hence you own your money. If you loose your private key you loose your money. There is just no way. Its gone. There is no reset password. There is no central organisation to whom you can raise a request and they will send back your password. So if you are creating an offline wallet, you better be aware of what you are getting into and what it entails.
It was a scary thing for me and it still is. There are numerous instances of people loosing their money(or should I say crypto fortune) because they lost their private key.
A research from https://www.chainalysis.com/ states that out of 17 million bitcoins in circulation as of November 2017, nearly 4 million bitcoins might be lost forever because their owners lost their private key.
Image Source : Forturne Magazine
If you have a considerable amount of stash or if you are a HODLer this is a good option. There are two downsides to this, one if you loose your private key you loose your money. Two if you want to trade any of these coins you will first have to transfer them to an exchange and then sell them. The second point might be addressed as there are many distributed exchanges coming up. Once Distributed exchanges have enough volumes they you can trade using an extension like Metamask without ever transferring your funds to a centralised exchange.
If you have large funds I think it is better to use a cold wallet. A cold wallet means that your private keys will never be a system that is connected to internet. For this you will need two different computers one that is connected to internet and one that is not connected to internet. Your offline computer will be used to sign the transaction and your online computer will be used to broadcast transaction.
If you want to know the details of how this can be done for ether using MyEtherWallet checkout https://kb.myetherwallet.com/offline/making-offline-transaction-on-myetherwallet.html
Inspite of all the safety precautions you take you can never be sure of safeguarding your assets. So in addition to following these safety precautions it is better to think of strategies where you can limit your losses in case of some catastrophes.
Shortlist and use a portfolio tracker that helps you keep track of the funds. In my case I first came to know of the hack after checking my balance on my portfolio tracker. Though I had lost my funds I was able to spot it quickly. If not for my portfolio tracker I might not have realised the hack for another one week at-least. I was using Cointracking.info as my portfolio tracker. You can read the detailed manual of how to set up and use Cointracker.
Considering that I am generally bad at remembering things and I keep loosing my passwords it is a risk to safeguard my private key. So to reduce the risks I distribute my funds between my offline wallet and multiple exchanges. Amongst the exchanges I keep more funds in the exchanges I trust. So I have more funds in Binance and Kucoin than any other exchange. I also have a fair share of my funds in Steem https://steemit.com/@gokulnk/transfers because it has a mechanism for account recovery in case of a hack.
I hope this will help you keep your funds safe. If you are following any other safety measure do let me know in comments.
Disclaimer : This is not financial advice and you are request to Do your own research(DYOR). The article contains referral links.
The maximum you can clap is 50 times. Click and hold to clap multiple times.
If you found this article helpful do share your feedback in comments and don’t forget to clap.