Crypto Security: Your Guide for 2019

Crypto is a rapidly evolving space with new developments each day. Tracking everything requires hours of work each week. While you don’t need to follow all developments, it is advisable to track those that could affect you. For example, have wallets or exchanges you use been hacked?

A perfect example of this would be the attack carried out on the Electrum wallet in December 2018. In brief, a Sybil attack was undertaken in which the attackers created legitimate looking nodes controlled by them. The attackers then broadcasted a message directing users to download a fake wallet. When users transacted with this wallet, it would send funds back to the attacker.

About 250 BTC were stolen as part of this attack. What’s more alarming is that even after Electrum detected and broadcasted that an attack was underway, users continued downloading the fake wallets. Had the victims kept abreast of developments, these losses could have been minimized.

What we use to keep track

• Follow relevant Twitter accounts.
• Setup Google Alerts to email relevant articles that meet keywords defined by you. Examples include wallets you use, crypto you invest in or crypto exchanges you trade with. Attacks in any of these areas can appear out of the blue. Being able to get hold of such information swiftly can mean the difference between retaining or losing your funds.
• Track active crytpocurrency communities eg. Bitcointalk, Reddit
• Subscribe to newsletters eg. Trezor.

This may be common sense to many but is certainly worth repeating. Doing so would be the banking-equivalent of revealing your credit card details, including the CVV.

Have a random stranger on Telegram asking you to transfer him some crypto to claim your reward? Or is Elon Musk giving away crypto on Twitter? If it sounds too good to be true, it probably is.

This is a very broad topic that should be an entire post on its own. Thus, we don’t aim to cover them in-depth here but instead, wish to hit on the key points.

• Computers
• Mobile phones
• Web browsers
• Emails and messaging
• Privacy
• Cryptojacking

Before we begin, we would like to highlight that prevention is always better than cure. What do we mean?

Employing safe surfing habits and computer usage always beats relying on antivirus software to get rid of nasties. Why? New strings of malware get released by hackers every 4 seconds. By the time your antivirus updates with a cure, another malware would have surfaced to bypass it.

Likewise, having strong passwords to prevent unauthorized access beats relying on insurance to cover losses.

Computers

Reinstalling your operating system. If you suspect your computer is infected, then reinstall your operating system first. This may not remove all malware as some may still be deeply embedded within parts of your system. When in doubt, consult a professional.

Keep software updated. So that your software does not have any unpatched security vulnerabilities. Even better, activate automatic updates if possible.

Get paid security software. The three main components of your security setup are:

• Anti-virus: We use Norton Antivirus for this.
• Anti-malware: We use the premium version of Malwarebytes.
• Firewall: We use the firewall available on our Windows computer.

Why paid? Free security software usually provides bare-bones protection. As an example, the free version of Malwarebytes does not offer real-time protection. Only when you perform a scan does it check your system for malware.

If you want to stick with free software, we recommend the following:

• Anti-virus: Avast Antivirus.
• Anti-malware: Malwarebytes.
• Firewall: Use the firewall on your Windows or Mac OS.

Routinely scan your system for viruses and malware. This applies even if you have real-time protection as it may miss dormant viruses on your computer.

Perform regular backups of your computer. When it comes to losing your data, the question is not that of if, but when. There are so many ways of losing your data. Your hard disk may fail, you may be subject to a ransomware attack. Or Windows may even decide to delete your files after an update.

Thus, always have a backup. Store your backups in multiple locations eg. on an external hard disk and to the cloud.

Store your data encrypted. Encryption helps protect your data in the event of theft of your laptops, devices or USB hard disk. Basically, encryption scrambles your data rendering it unreadable to unauthorized users. Find out how to do this on various devices here.

Get a good password manager. Today we have more logins and passwords than we can remember. As a result, people end up choosing easy passwords or reuse login credentials. Never do this.

Instead, get a password manager such as Keepass to help you out. It helps you generate strong passwords and stores them in an encrypted form for you. Whichever password manager you use, always remember to make backups of the database.

Ledger and Trezor users can also utilize the password manager apps on their hardware wallets. Instructions for setting these up can be found here for Trezor and here for Ledger.

Connect using LAN whenever possible. If not, make sure to secure your WiFi. WiFi has always been a security weak point. This is because there are many areas that can go wrong such as:

• Users not changing the default router admin passwords.
• Older routers which no longer receive security updates from manufacturers (planned obsolescence).
• Flaws in their wireless security protocol

As such, always use wired connections where possible.

Avoid using WiFi at public places. If you have to do so, make sure to route all traffic through a paid VPN service such as Private Internet Access. Do not use free VPN as it may not be as secure as a paid one. Free VPN providers are businesses. How do they pay their bills? They sell your data.

Never run remote-access software. Programs such as Zoom, TeamViewer or Ammyy Admin have numerous security holes. See here for some examples. Thus, never install such software on your computer. Especially not on one containing your private keys.

Doing this would overwrite all safety precautions taken such as 2FA, since it gives attackers access to your entire computer with just a string of characters.

Dedicate a computer for managing crypto. This computer should not be used for browsing the internet, playing games or downloading unnecessary executable files.

Mobile phones

Imagine what would happen if a thief got access to your phone which held all the keys to your crypto assets? You can say goodbye to any moon payment. If stolen, your phone can provide anyone with full access to your email, crypto exchange apps and 2FA apps. Securing your mobile phone is thus crucial.

Anti-virus and anti-malware? It is debatable whether mobile phones are more secure than computers. For us, we believe mobile phones are safer. This is because they have a smaller attacker surface and offer pre-screened apps in official stores. Also, unlike programs on the computer, mobile phone apps run in a sandbox environment. In other words, an app cannot access information unless you give it the permission. For example, apps can access your location, but only if you grant them the access.

Thus, we do not install anti-virus and anti-malware software on our mobile phones.

Set up password lock. And use a strong pin. We personally would turn off facial recognition. This is because 3D printed heads have been able to unlock phones with relative ease.

Encrypt the phone. Most modern devices have the ability to encrypt phone storage. Find out how to do this on your devices here.

Setup remote wipe. By activating the software kill switch, users have the ability to wipe all data on their device with a few clicks. This is extremely handy if your phone falls into the wrong hands. Such a wipe would occur when the device connects to the internet. If you activate this feature, do make regular backups of your phone so that you can fall back on them in the event of a wipe. Most devices also come with features that allow users to locate their misplaced phones.

Turn off WiFi and Bluetooth when not in use. These are digital entrances into your device. Leaving them on would leave you susceptible to hacking.

Perform regular backups of your phone. iPhone and Android phones now even offer automatic backups of your phone to the cloud. So backing up is as simple as turning on this feature.

Setup complete phone wipe after multiple failed attempts. Why make it easy for hackers who are going to brute force your password? This feature erases your data after a set number of password attempts.

Update regularly. Keep your apps and operating systems updated. This helps to patch any security vulnerabilities.

Jailbreaking. Never jailbreak your phone. This would break the sandboxing measures built into your phone.

Do not use public USB charging stations. Hackers would exploit these as they provide unrestricted and direct access to devices charging.

Web browsers

Adopt safe surfing habits. As discussed in the introduction, prevention is better than cure. Thus, adopting safe surfing habits is better than simply relying on software for protection. Some examples of safe surfing habits include:

• Not visiting websites with undesirable content such as pirated software.
• Avoid clicking on links which are of questionable nature. If you really need to access a questionable link, do scan it first. You can do this at VirusTotal.
• Clearing your recent history and autocomplete if you accidentally entered a scam site. This prevents the scam website from reappearing as you perform other searches.
• Bookmarking important links. For example, bookmark cryptocurrency exchanges you access and enter them from your bookmarks. Do not use google to search for sites and access them. By doing this, you may end up on scam websites such as the below.

• Do not type in websites directly into your browser to access them. You may mistype and end up on a malicious site eg. Netflix.om instead of Netflix.com. This is known as a typosquatting scam.
• Realize that the appearance of a “Secure” HTTP lock does not guarantee authenticity. Any site can obtain them for free. However, the absence of one should raise alarm bells.

Installing relevant browser extensions. Download relevant browser extensions to protect yourself as you surf the web.

• Adblocker such as uBlock Origin (Chrome / Firefox)

We personally use uBlock Origin. This helps turn off ads, which may contain malware or phishing attempts. But as a general rule, with or without an adblocker, it is advisable not to click on any advertisement. Ever.

• HTTPS Everywhere (Chrome / Firefox / Opera)

This helps encrypt communications with many major websites, making your browsing more secure.

• Netcraft Extension (Chrome / Firefox / Opera)

Helps protect against phishing attacks as it allows you to see the risk rating of every site you visit. Site ratings are crowd-sourced. When members report a suspicious link, the extension prevents users from accessing the site.

• Cookie AutoDelete (Chrome / Firefox)

Automatically deletes cookies not used when you leave a site.

• Privacy Badger (Firefox / Opera)

Blocks spying ads and invisible trackers.

Emails and messaging

Use ProtonMail for emails. It is infinitely better than the advertiser-centered models of Google or Yahoo!

Why so?

Source

In short, using ProtonMail is like sending a sealed envelope to someone. Using Google is akin to sending a postcard.

There may have been debates over ProtonMail’s security. However, unless you are the next Edward Snowden, ProtonMail works just fine in guarding against mass surveillance.

Check if your email has been compromised. You may do so here.

Use Signal for texting and calling. To communicate sensitive matters, go for a higher level of security and use Signal. This is not an email provider. It is an app that allows you to chat/text others and provides end-to-end encryption of your messages. Signal is free, open source and available on iOS and Android.

Be aware of phishing emails. We previously showed an example of a phishing email. Always take note of who the sender is. Also, such emails normally contain attachments and request for personal information.

Privacy

Why privacy matters?

Google and Facebook are actively tracking your activity across the web. For example, Google trackers have been found on 75% of the most popular sites on the web. Also, studies have found that Facebook tracks users on over 8 million websites.

Not only are they tracking your search activity. They are also using your data for ads that follow you around the web. What’s worse, in civil cases like divorces, lawyers can subpoena such information. In 2016 alone, Google has answered over 100,000 such data requests.

In the previous pointers above, we have covered some ways to secure your privacy. Here we discuss other ways to shield your activity from the prying eyes of Google or Facebook.

Setup up privacy protection for your devices. DuckDuckGo has a brilliant post on this for iOS, Android, Mac, Windows, and Linux.

Get Google out of your life. Once again, Dax the duck has a great list of recommendations for getting Google out of your life. Given how integrated Google has been in your lives, this certainly wouldn’t be easy. But when has anything good ever came easy?

Use a VPN. For anonymity, get a good VPN like Private Internet Access. But, using a VPN requires you to trust the VPN provider isn’t monitoring or logging your traffic. Even VPNs that claim to maintain no logs can leave a trail back to you.

To protect yourself even better, consider using the Tor Browser. The tradeoff from using the Tor Browser is that it makes surfing the internet slower.

Cryptojacking

Given its importance and prevalence, cryptojacking deserves a separation section to itself. In 2018, instances of cryptojacking malware increased over 4 times.

What is Cryptojacking?

Cryptojacking is the process by which an attacker uses the processing power of someone else’s computer to mine cryptocurrencies without their consent. In doing so they get mining rewards for themselves in the form of cryptocurrencies.

Why is it harmful?

Mining requires huge amounts of computer processing power and thus electricity. This results in victims of hijacked devices racking up huge electricity bills.

The mining process also generates a lot of heat. This can cause hijacked devices to overheat and be permanently damaged.

What’s more cryptojacking malware can act like trojan horses. They give attackers a foothold on your devices. This allows more damaging payloads to be delivered in the future.

How to protect against cryptojacking?

The measures we discussed previously are applicable eg. installing antivirus. However, there are some specifics to cryptojacking which we would delve into.

i. Computers

Monitor your device behavior. Installing antivirus and antimalware is important. But what’s equally important is monitoring your device behavior. The reason for this is that cryptojacking malware like DarkGate are specifically designed to avoid detection from common antivirus software like Trend Micro and Avast. But what such malware can’t conceal is the vast processing power they consume on your devices.

If your computer is running slowly, check the CPU usage. Windows users can access the Task Manager while Mac users can see their Activity Monitor. If suspicious processes are running that consume substantial processing power, look them up online. If you find them to be suspicious, terminate them.

Also, check to see if your device is overheating. Cryptojacking uses alot of processing power and generates plenty of heat. A program like Core Temp can help perform such a check.

ii. Web browsing

Check your web browser. You can check if your browser has been compromised here.

Protect yourself while surfing. Download the Opera browser. It has an in-built ad blocker to protect against cryptojacking.

If you do not want to use Opera, you can download miner-blocking extensions such as:

• No Coin (Chrome, Firefox, Opera)
• minerBlock (Chrome, Firefox, Opera)

Kill Javascript. The above measures are not foolproof ways of getting rid of browser-based mining. If you feel that mining is still happening, you may want to consider turning off Javascript. However, doing this would hurt your surfing experience as many websites use Javascript. A plugin like NoScripts (Firefox) can help you do this.

iii. Mobile phones

Monitor your device behavior. You can check whether there are any apps consuming excess battery life. Investigate them and terminate if necessary. If your phone constantly overheats, this may also be another sign that cryptojacking malware is present.

Two-factor authentication means confirming a user’s identity with two different factors. For example, if you were to log into email, not only would you have to key in your password (first factor). You would also have to key in a one time password sent to your mobile (second factor).

You should use 2FA wherever possible for logins be it to your emails, exchanges and wallets. Using 2FA gives you extra security since even if one factor gets compromised, your account is still secured.

Never setup 2FA with SMS. Some services allow users to reset their passwords using verification pins sent to their phone numbers. Because of flaws in cell phone networks, scammers are able to intercept such text messages. They can then reset the password to your email account and gain control over it. From there they can work their way into your crypto exchange accounts. See the video below for how this works.

This also means you should remove your phone number from your email accounts and disable account recovery via phone numbers.

Use Google Authenticator or Authy instead. They interact directly with your physical device rather than your phone number. Also, they generate new keys every 30 seconds.

Using these also helps avoid SIM swapping scams. In such scams, the attacker hijacks your sim card to gain access to your mobile phone. Criminals can execute this by calling up your cell phone provider pretending to be you. They then trick your provider into issuing a new SIM card to them. Read more about how these scams happen (here).

Even better, use a hardware 2FA. Hardware 2FAs are even more secure than app-based 2FA like Authy as shared secrets (private key) are not stored or hosted by any vendor. Furthermore, they store their signing keys on the hardware device itself.

Examples of hardware 2FA include Yubikey. If you have a Trezor or Ledger device, they can also act as a hardware 2FA. See instructions on how to do this for Trezor (here) and Ledger (here). Here is a list of services that would be compatible with your hardware wallet 2FA.

As the word cryptocurrency implies, it utilizes cryptography for security. And a golden rule in cryptography is to never roll your own crypto.

What does this mean?

Crypto users should not try to invent seemingly smart schemes to protect themselves. While this gives them the feeling of being more secure, it is an illusion. And it will backfire as they do not understand the complexity of the problem they are solving. In short, Dunning-Kruger effect at work.

Very common examples that we see online:

• Devising their own unique methods for storing their seed eg. seed splitting
• Trying to implement a safe way to generate the seeds for their paper wallets

We would discuss these in detail in the Wallet section.

What should you then do? Operating systems on smartphones are far more secure than your laptops and desktops.

Mobile phones have smaller operating systems, reducing their attack surface to hackers. What’s more, apps have to undergo reviews prior to listing on Google Play or Apple’s App Store. This reduces the risk of downloading malicious apps.

While we aren’t qualified to tell you what to invest in, we can provide some pointers on how to avoid a catastrophe.

DYOR. Which stands for do your own research. Due to the speed and ease at which misinformation spreads, always research your potential investments. Don’t just rely on someone on social media shilling a coin or a news outlet. Fake news is rampant on such mediums so always take them with a pinch of salt.

If it sounds too good to be true, it probably is. This point should be self-explanatory. If some coin provides up to 40% interest per month, would you invest? If so, you are staring directly at a Bitconnect clone.

A quick and easy way to spot scams. We have found this to be an easy way of spotting scams easily so we would share it. Doesn’t always work. Go to the coin’s website. If they have none, huge red flag. On their site, visit the bios of the team. Take the photos of the team and run them through a reverse image search engine like TinEye. If the same photo is also used by someone with a different identity, this is a major red flag. Some scammers go to greater lengths to hide their identity. But this technique provides a quick way of rooting out low-effort scams.

A good example would be the ICO for Miroskii. Here is a picture of their team.

Yes, that’s right. We see a Kevin Belanger, in the bottom left hand corner.

Just to confirm he is who he claims to be, we put his image through TinEye. And the results are….

Looks like it was Ryan Gosling all along. That’s so strange of you Ryan! Why would you ever change your identity when endorsing something?

Only invest what you can afford to lose. Cryptocurrencies are a very difficult discipline to invest in. The skills required are incredibly technical. Reading the whitepaper alone isn’t sufficient. You need to be able to read the code to assess whether it is correctly implemented. And whether there are any backdoors within. It isn’t a field you can simply jump into. This is highly experimental technology which could fail. We would end this section with a quote from angel investor Naval Ravikant: