As the popularity of cryptocurrencies grows, so does the level of activity of cybercriminals who seek to steal crypto in any way possible, by launching phishing attacks, finding vulnerabilities in the source code, or impersonating people who work for companies to obtain confidential user information such as private keys, passwords, seed phrases, and more.
The biggest challenge in securing your crypto is considering the variety of attack vectors and layers of protection that are necessary to truly ensure your funds are safe. There are three primary layers of security to consider when protecting cryptocurrency funds:
- Network : Are your private keys cryptographically secure? Is the blockchain secure from a network attack (like a 51% attack)?
- Application : Does a third party (exchange or app) control your crypto? How do they store their funds? How is your account login secured?
- Real World : Are you vulnerable to offline attacks? Is your computer/device secure and encrypted? Is your phone/2FA account safe from attacks? Have you provided recovery instructions to your beneficiaries in the event you die?
Navigating all of these issues can be very challenging, but the good news is there are a growing number of practices and tools designed to help users secure their coins. There are two crucial practices in particular every user should familiarize themselves with: self-custody and cold storage.
As a crypto holder and investor, keeping your crypto safe is all what you should care about and what your primary job should be. If you understand the risks and learn how to control them, you are set to succeed. Securing your crypto is not complicated but requires a bit of knowledge about how crypto wallets work and how they are used to store your assets. In simple words, when you own crypto, what you really own is a private key that is connected to your crypto on blockchain.
Being sloppy with passwords or sensitive information could get you hacked or become another casualty of phishing. Most people who lost their crypto shared/exposed their private key (something that should never be done) or if they kept their crypto on exchanges, they used the same passwords too long on too many accounts and maybe they didn't have 2FA enabled as well.
So what should you do? Let's take it step by step:
- Email Providers: Use any reputable email provider with 2FA available (e.g. gmail, outlook, protonmail)
- Two-factor authentication (2FA): This is probably the most important thing. Activating 2FA on your email accounts is crucial so nobody can access it even if they got your password.
- The ideal would be to create an email specifically for crypto, and not use the regular email you are using for everything else and you are signing up in websites that can leak your data.
- Look out for Phishing emails. Attackers pray on your emotions, you see this email and start to freak out and click the link without even thinking.
Step 1) Remain calm, before you do anything analyze the email. NEVER click on any links that the email has. Always go to your browser and type the official website by yourself.
Step 2) Check the sender and the email. Attackers will also try to mimic emails similar to the legitimate one.
Step 3) Check the language. Most of the times phishing emails are rushed and loaded with spelling errors.
Quick tips for emails:
Don't trust email links.
Double check the address bar of login pages.
Many crypto exchanges allow an anti-phish banner that displays a code with their emails that you set
You can check haveibeenpwned.com to see what data breaches your email has been a part of. If your email shows up and passwords are listed on the data that was compromised, assume the worse and change the password and never use it again, along with any other accounts that use that password.
Passwords / PINs:
- Do not use the same password everywhere.
- Use strong secure passwords. Passwords managers make these easy to manage and generate passwords. This includes your phone and 2FA app, if you have a weak pin for your phone and someone takes it, remember your 2FA app is then available (if same pin, or no pin/pass set), your email is automatically signed in (same for other accounts auto signed-in), and they can access everything.
- Password Managers: These work wonders when managing passwords securely. They generate random strong passwords which can be adjusted, and its all kept in an encrypted database file, so even if a attacker gets access to it, they won't be able to access it without the password.
- Don't save passwords in your browser. There have been several leaks, bugs and issues on browsers.
Reputable Password Managers:
Two-Factor Authentication (2FA):
- Enable 2FA on everything possible (Email, Exchanges, social media and every account or app that has any sensitive information).
- NEVER use SMS authentication. Always use 2FA Apps like Google Auth ( with SMS disabled). SIM swap attacks are very common and this method is vulnerable.
- Backup codes: When you activate 2FA on any account you should have the ability to generate backup codes, these are used incase you lose access to your phone or authenticator app (accidentally delete it or anything), you should treat these like your crypto private key / recovery phrases. It's the only way to recover them.
- DO NOT take pictures of your QR codes, if you screenshot it, might end up syncing somewhere you don't want it to and if it ever gets compromised they have the ability to continually receive your 2FA code.
- DO NOT sign up for your 2FA app or any crypto service for that matter using your work or school email address. You lose access to that email, then consider all accounts gone as you won't be able to access the codes if you switch devices.
- Do not store your crypto on exchanges, especially significant amounts. Always own your keys and be your own bank. Hardware wallets are the most secure wallets.
- Cold wallets (hardware wallets) will always be more secure than any hot wallets as they aren't connected to the internet.
- Verify the details you are confirming on your hardware wallet device. the wallet app interacting with your cold wallet device could be compromised (especially if you haven't updated the firmware to the latest version), but you would still be safe using it, as long as you verify each action on the cold wallet device, and reject the transaction if anything seems off. There is known malware which replaces crypto addresses with an address owned by someone else. Before sending a transaction always check if the receiving address is correct.
Private keys - The most important thing
- Always write down your private keys on paper or/and physical things, have many copies and have them in separate secure locations. There are also fireproof and waterproof devices, capsules, safes that can protect your private keys. Another great solution would be Safe Haven's Inheriti.com, the first and only decentralized inheritance and backup platform.
- NEVER write/save them online or on devices like phone or PC or on cloud.
- Private keys should always remain private and known only by you. NEVER share them with anyone or type them on any website that promises you giveaways etc.
- The top 3 Browsers built for privacy are Firefox, Epic and Brave.
- The best Search Engine for privacy is DuckDuckGo.
- Extensions: One of the most dangerous threats that aren't taken seriously are extensions. These can start out legitimate, then through an update turn malicious. Especially if you are using online/browser wallets like metamask and you copy-paste your words or anything similar, the extension can steal your copied data. After an exentsion turn malicious might be removed from the webstore, but not your browser. Some will be removed the store due to not being supported anymore which means no more updates, and no more updates means vulnerabilities that won't be fixed If you have Google Sync activated, these extensions will also sync to all those devices. Remove any extensions you don't need, check to see if they are still available on the store, and even search them to see if some security articles top up about it. Check the privacy practice tab of the extension to see what data it collects.
- Always update your phone everytime there is an available update.
- Never store critical and sensitive data on your phone.
- Unique pin / password for the phone.
- Be careful on what you click and download.
- Avoid apps you don't need or that may be dangerous.
- Download VPN / be aware of the wifi you are connecting to.
- Be aware of phishing.
- Call your service provider and see if they can lock your SIM card and prevent SIM swapping.
Other General Safety Tips:
- Harden your PC (This guide is for Windows 10, but can translate to other OS) Update OS and any software whenever there is an available update. Everything you download is an attack vector.
- Whitelist addresses on exchanges (Some exchanges allow you to designate a address as 'safe' any other transactions besides those won't go through).
- Don't disclose your crypto holdings and earnings publicly - online.
- Don't access your crypto (exchanges or online wallets) on computers that do not belong to you and might not be trusted.
- Don't answer PMs from people that ask you about crypto or they pretend to be investors or advisors that can help you earn money.
Actual hacks in the crypto world are rare, and the most common ways to steal cryptocurrencies are phishing and fraud. Often, users themselves provide private information, not suspecting that there is an intruder in front of them. For example, you can't “hack” cold wallets, only if you give out your private keys and fall a vicim of a phishing scam or you have saved your private keys online and hackers steal your information.
Security isn't a chore, it's an opportunity. We often find good security measures to be a burden, but the better mindset to have is one where you view security as an opportunity to bring yourself peace of mind in an uncertain and turbulent world. Whatever you chose, think critically about your threats and ensure that you aren’t the reason that your cryptocurrencies suddenly vanish. Stay safe.