Crypto Security: Your Guide for 2019
One of the draws of cryptocurrencies is that they allow users to be their own banks. While users have more freedom in managing their funds, this comes with responsibility. As users travel across this brave new world, one aspect would follow them everywhere in their journey. Crypto security.
Protecting your cryptocurrencies is critical. Hackers and scammers have already stolen billions in crypto. The anonymity provided by cryptocurrencies makes them a favorite target by cybercriminals.
Are yours next?
In this series, we cover the various areas users interact with in the crypto world. In each area, we highlight ways to help you guard against theft, fraud, errors and even yourself.
Today, we would discuss General Security Principles. As security and privacy are intertwined, we also discuss how to improve privacy.
Some of the recommendations may seem excessive while others may appear blindingly obvious. However, we think there is no such thing as “too secure” in the realm of crypto security. Over the next decade, it wouldn’t be surprising to see lives destroyed due to hacks and scams in the crypto world. Before we begin, we would first like to highlight two important points:
- Anyone can do this. You do not have to be a tech guru or a 1337 hacker to protect your cryptocurrencies.
- In the security realm, there are no guarantees. But the more security awareness you have, the lower your risks are from things going wrong.
1. Crypto security is your responsibility
In traditional banking systems, banks act as intermediaries to process your transactions. In the crypto world, these intermediaries do not exist. You simply send crypto to the intended recipient and pay a mining fee to process the transaction.
Figure: Traditional banking system. You → Bank A → Bank B → Recipient.
The removal of the banks or intermediaries has brought with it several implications.
- You have become your own bank. Should you lose your credit card, you could always call the helpdesk to cancel it for you (dependence). But, if you lose the keys to your crypto wallet, there isn’t a 24/7 hotline waiting to assist you (independence). The funds are gone. Likewise, if you send crypto to the wrong address, don’t expect to receive them back.
- You are personally responsible for protecting your cryptocurrencies. The task of managing risks thus falls on your shoulders. In traditional banking systems, banks would force safety procedures upon you (passive). Now, decisions for protecting your cryptocurrencies are entirely up to you (active).
Thus, while you get greater control of your assets, this comes with a great deal of responsibility.
2. Keep abreast with the latest developments and scams
Crypto is a rapidly evolving space with new developments each day. Tracking everything requires hours of work each week. While you don’t need to follow all developments, it is advisable to track those that could affect you. For example, have wallets or exchanges you use been hacked?
A perfect example of this would be the attack carried out on the Electrum wallet in December 2018. In brief, a Sybil attack was undertaken in which the attackers created legitimate-looking nodes controlled by them. The attackers then broadcast a message directing users to download a fake wallet. When users transacted with this wallet, it would send funds back to the attacker.
About 250 BTC were stolen as part of this attack. What’s more alarming is that even after Electrum detected and broadcast that an attack was underway, users continued downloading the fake wallets. Had the victims kept abreast of developments, these losses could have been minimized.
What we use to keep track
- Follow relevant Twitter accounts.
- Set up Google Alerts to email you articles that match keywords you define. Examples include wallets you use, crypto you invest in or crypto exchanges you trade with. Attacks in any of these areas can appear out of the blue. Being able to get hold of such information swiftly can mean the difference between retaining or losing your funds.
- Track active cryptocurrency communities eg. Bitcointalk, Reddit
- Subscribe to newsletters eg. Trezor.
3. Never reveal that you own cryptocurrencies
Or if you are unfortunate enough to be in a position where people already know you own cryptocurrencies, then never reveal your holdings.
Doing so opens you up to more risk than necessary. Revealing your holdings makes it possible for people to figure out which wallet belongs to you. In fact, the best response to how much crypto you own should be “what is a Bitcoin?!”
A real-life example of what can happen if you do decide to reveal your crypto holdings.
4. Do not share your private keys or seeds!
This may be common sense to many but is certainly worth repeating. Doing so would be the banking-equivalent of revealing your credit card details, including the CVV.
5. Search for reviews online prior to signing up for a service or exchange
Google the exchange or service name + “scam” or “reviews”.
Scam sites rarely last long before getting reported and shut down. When searching for reviews, be wary of extremes: sites with nothing but perfect reviews, or sites where everyone is complaining about getting scammed. Both are instant red flags.
Legitimate businesses that have been around for a while will always have a mixture of positive and negative reviews.
6. Use common sense
Has a random stranger on Telegram asked you to transfer him some crypto to claim your reward? Or is Elon Musk giving away crypto on Twitter? If it sounds too good to be true, it
7. Don’t trust, verify
When provided with information, always consider the possibility that it could be fake, just as you would with news. Never trust messages, URLs or addresses you receive. Always verify them with a secondary source.
In other parts of this series, we would show specific areas where fake information can also arise. But for now, we leave you with a very common example – emails. Below is an example of a phishing email sent by a scammer.
In the above email, notice how even though Binance appears to be the sender, the domain name didn’t belong to them. When uncertain of the authenticity of an email, never click links in them.
How would you perform verification?
In this instance, Binance users can seek help on websites where their support teams lurk. For example, users can always ask on reddit.com/r/binance/ whether links or emails received were fake.
8. Secure your computer and devices
This is a very broad topic that should be an entire post on its own. Thus, we don’t aim to cover them in-depth here but instead, wish to hit on the key points.
- Mobile phones
- Web browsers
- Emails and messaging
Before we begin, we would like to highlight that prevention is always better than cure. What do we mean?
Employing safe surfing habits and sensible computer usage always beats relying on antivirus software to get rid of nasties. Why? New strains of malware are released by hackers every 4 seconds. By the time your antivirus updates with a cure, another piece of malware will have surfaced to bypass it.
Likewise, having strong passwords to prevent unauthorized access beats relying on insurance to cover losses.
Reinstalling your operating system. If you suspect your computer is infected, then reinstall your operating system first. This may not remove all malware as some may still be deeply embedded within parts of your system. When in doubt, consult a professional.
Keep software updated so that it does not have any unpatched security vulnerabilities. Even better, activate automatic updates if possible.
Get paid security software. The three main components of your security setup are:
- Anti-virus: We use Norton Antivirus for this.
- Anti-malware: We use the premium version of Malwarebytes.
- Firewall: We use the firewall available on our Windows computer.
Why paid? Free security software usually provides bare-bones protection. As an example, the free version of Malwarebytes does not offer real-time protection. Only when you perform a scan does it check your system for malware.
If you want to stick with free software, we recommend the following:
- Anti-virus: Avast Antivirus.
- Anti-malware: Malwarebytes.
- Firewall: Use the firewall on your Windows or Mac OS.
Routinely scan your system for viruses and malware. This applies even if you have real-time protection as it may miss dormant viruses on your computer.
Perform regular backups of your computer. When it comes to losing your data, the question is not if, but when. There are many ways of losing your data: your hard disk may fail, you may be hit by a ransomware attack, or Windows may even decide to delete your files after an update.
Thus, always have a backup. Store your backups in multiple locations eg. on an external hard disk and to the cloud.
Store your data encrypted. Encryption helps protect your data in the event of theft of your laptops, devices or USB hard disk. Basically, encryption scrambles your data rendering it unreadable to unauthorized users. Find out how to do this on various devices here.
Get a good password manager. Today we have more logins and passwords than we can remember. As a result, people end up choosing easy passwords or reuse login credentials. Never do this.
Instead, get a password manager such as Keepass to help you out. It helps you generate strong passwords and stores them in an encrypted form for you. Whichever password manager you use, always remember to make backups of the database.
Connect using LAN whenever possible. If not, make sure to secure your WiFi. WiFi has always been a security weak point. This is because there are many areas that can go wrong such as:
- Users not changing the default router admin passwords.
- Older routers which no longer receive security updates from manufacturers (planned obsolescence).
- Flaws in their wireless security protocol
As such, always use wired connections where possible.
Avoid using WiFi at public places. If you have to do so, make sure to route all traffic through a paid VPN service such as Private Internet Access. Do not use free VPN as it may not be as secure as a paid one. Free VPN providers are businesses. How do they pay their bills? They sell your data.
Never run remote-access software. Programs such as Zoom, TeamViewer or Ammyy Admin have numerous security holes. See here for some examples. Thus, never install such software on your computer. Especially not on one containing your private keys.
Doing this would override all the other safety precautions you have taken, such as 2FA, since it gives attackers access to your entire computer with just a string of characters.
Dedicate a computer for managing crypto. This computer should not be used for browsing the internet, playing games or downloading unnecessary executable files.
Imagine what would happen if a thief got access to your phone which held all the keys to your crypto assets? You can say goodbye to any moon payment. If stolen, your phone can provide anyone with full access to your email, crypto exchange apps and 2FA apps. Securing your mobile phone is thus crucial.
Anti-virus and anti-malware? It is debatable whether mobile phones are more secure than computers. We believe mobile phones are safer. This is because they have a smaller attack surface and offer pre-screened apps in official stores. Also, unlike programs on a computer, mobile phone apps run in a sandbox environment. In other words, an app cannot access information unless you grant it permission. For example, apps can access your location, but only if you grant them access.
Thus, we do not install anti-virus and anti-malware software on our mobile phones.
Set up a password lock and use a strong PIN. We personally would turn off facial recognition, because 3D-printed heads have been able to unlock phones with relative ease.
Encrypt the phone. Most modern devices have the ability to encrypt phone storage. Find out how to do this on your devices here.
Set up remote wipe. By activating this software kill switch, you can wipe all data on your device with a few clicks. This is extremely handy if your phone falls into the wrong hands. The wipe occurs when the device next connects to the internet. If you activate this feature, do make regular backups of your phone so that you can fall back on them in the event of a wipe. Most devices also come with features that let you locate a misplaced phone.
Turn off WiFi and Bluetooth when not in use. These are digital entrances into your device. Leaving them on would leave you susceptible to hacking.
Perform regular backups of your phone. iPhone and Android phones now even offer automatic backups of your phone to the cloud. So backing up is as simple as turning on this feature.
Set up a complete phone wipe after multiple failed attempts. Why make it easy for hackers who are going to brute-force your password? This feature erases your data after a set number of failed password attempts.
Update regularly. Keep your apps and operating systems updated. This helps to patch any security vulnerabilities.
Jailbreaking. Never jailbreak your phone. This would break the sandboxing measures built into your phone.
Do not use public USB charging stations. Hackers can exploit these, as they provide unrestricted and direct access to the devices being charged.
Adopt safe surfing habits. As discussed in the introduction, prevention is better than cure. Thus, adopting safe surfing habits is better than simply relying on software for protection. Some examples of safe surfing habits include:
- Not visiting websites with undesirable content such as pirated software.
- Avoid clicking on links which are of questionable nature. If you really need to access a questionable link, do scan it first. You can do this at VirusTotal.
- Clearing your recent history and autocomplete if you accidentally entered a scam site. This prevents the scam website from reappearing as you perform other searches.
- Bookmarking important links. For example, bookmark cryptocurrency exchanges you access and enter them from your bookmarks. Do not use google to search for sites and access them. By doing this, you may end up on scam websites such as the below.
- Do not type website addresses directly into your browser to access them. You may mistype and end up on a malicious site, eg. Netflix.om instead of Netflix.com. This is known as a typosquatting scam.
- Realize that the appearance of a “Secure” HTTPS padlock does not guarantee authenticity. Any site can obtain a certificate for free. However, the absence of one should raise alarm bells.
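The sender-domain check from section 7 and the typosquatting check above can be automated against your own bookmark list. The following is an added example (not code from the original post); the allowlist, the sample From: header and the edit-distance threshold are assumptions, and the lookalike heuristics are deliberately simple.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: the domains of services you have bookmarked
# (assumption; in practice this is your own bookmark list).
TRUSTED_DOMAINS = frozenset({"binance.com", "netflix.com", "reddit.com"})


def sender_domain(from_header: str) -> str:
    """Extract the domain of the real sender address from a From: header.

    The display name is ignored on purpose: it is attacker-controlled and is
    exactly what the phishing mail in section 7 used to impersonate Binance.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def url_host(url: str) -> str:
    """Return the lowercased hostname of a URL (a scheme is added if missing)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos like .om/.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a host as 'trusted', 'lookalike' or 'unknown'.

    trusted   : the domain itself or a subdomain of it (mail.binance.com)
    lookalike : an internationalised (xn--) label, a host within two edits of a
                trusted domain, or a trusted brand name embedded in an
                untrusted host (binance-verify.com, binance.com.example.net)
    unknown   : anything else; treat it with the same suspicion as a lookalike
    """
    if not host:
        return "unknown"
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
    # Punycode labels can hide homoglyphs; flag them for manual review.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    for t in trusted:
        brand = t.split(".")[0]
        if edit_distance(host, t) <= 2 or re.search(r"\b%s\b" % re.escape(brand), host):
            return "lookalike"
    return "unknown"


# Constructed phishing-style header: the display name says Binance, the
# actual address does not.
SAMPLE_FROM = '"Binance Support" <no-reply@binance-account-verify.com>'

if __name__ == "__main__":
    print(classify(sender_domain(SAMPLE_FROM)))              # lookalike
    print(classify(url_host("https://netflix.om/login")))    # lookalike
    print(classify(url_host("https://www.reddit.com/r/binance/")))  # trusted
```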
Installing relevant browser extensions. Download relevant browser extensions to protect yourself as you surf the web.
- Adblocker such as uBlock Origin (Chrome / Firefox)
We personally use uBlock Origin. This helps turn off ads, which may contain malware or phishing attempts. But as a general rule, with or without an adblocker, it is advisable not to click on any advertisement. Ever.
- HTTPS Everywhere (Chrome / Firefox / Opera)
This helps encrypt communications with many major websites, making your browsing more secure.
- Netcraft Extension (Chrome / Firefox / Opera)
Helps protect against phishing attacks as it allows you to see the risk rating of every site you visit. Site ratings are crowd-sourced. When members report a suspicious link, the extension prevents users from accessing the site.
Automatically deletes cookies not used when you leave a site.
- Privacy Badger (Firefox / Opera)
Blocks spying ads and invisible trackers.
Emails and messaging
Use ProtonMail for emails. It is infinitely better than the advertiser-centered models of Google or Yahoo!
| | Gmail (Google) | ProtonMail |
|---|---|---|
| Screens your emails? | Reads your mails | Does not read your mails |
| Server location? | Present in US and EU jurisdictions | Switzerland (beyond the reach of US and EU jurisdictions) |
| Partnerships? | Partners with the NSA | No partnerships with NSA |
| Tracking? | Continues to track your activity beyond Gmail | Does not track your activity at all |
In short, using ProtonMail is like sending a sealed envelope to someone. Using Google is akin to sending a postcard.
There may have been debates over ProtonMail’s security. However, unless you are the next Edward Snowden, ProtonMail works just fine in guarding against mass surveillance.
Check if your email has been compromised. You may do so here.
Use Signal for texting and calling. To communicate sensitive matters, go for a higher level of security and use Signal. This is not an email provider. It is an app that allows you to chat/text others and provides end-to-end encryption of your messages. Signal is free, open source and available on iOS and Android.
Be aware of phishing emails. We previously showed an example of a phishing email. Always take note of who the sender is. Also, such emails normally contain attachments and request personal information.
Why privacy matters
Google and Facebook are actively tracking your activity across the web. For example, Google trackers have been found on 75% of the most popular sites on the web. Also, studies have found that Facebook tracks users on over 8 million websites.
Not only are they tracking your search activity, they are also using your data for ads that follow you around the web. What’s worse, in civil cases like divorces, lawyers can subpoena such information. In 2016 alone, Google answered over 100,000 such data requests.
In the previous pointers above, we have covered some ways to secure your privacy. Here we discuss other ways to shield your activity from the prying eyes of Google or Facebook.
Set up privacy protection for your devices. DuckDuckGo has a brilliant post on this for iOS, Android, Mac, Windows, and Linux.
Get Google out of your life. Once again, Dax the duck has a great list of recommendations for getting Google out of your life. Given how integrated Google has become in our lives, this certainly wouldn’t be easy. But when has anything good ever come easy?
Use a VPN. For anonymity, get a good VPN like Private Internet Access. But, using a VPN requires you to trust the VPN provider isn’t monitoring or logging your traffic. Even VPNs that claim to maintain no logs can leave a trail back to you.
To protect yourself even better, consider using the Tor Browser. The tradeoff from using the Tor Browser is that it makes surfing the internet slower.
Given its importance and prevalence, cryptojacking deserves a separate section to itself. In 2018, instances of cryptojacking malware increased more than fourfold.
What is Cryptojacking?
Cryptojacking is the process by which an attacker uses the processing power of someone else’s computer to mine cryptocurrencies without their consent. In doing so they get mining rewards for themselves in the form of cryptocurrencies.
Why is it harmful?
Mining requires huge amounts of computer processing power and thus electricity. This results in victims of hijacked devices racking up huge electricity bills.
The mining process also generates a lot of heat. This can cause hijacked devices to overheat and be permanently damaged.
What’s more, cryptojacking malware can act like a trojan horse. It gives attackers a foothold on your devices, which allows more damaging payloads to be delivered in the future.
How to protect against cryptojacking?
The measures we discussed previously are applicable eg. installing antivirus. However, there are some specifics to cryptojacking which we would delve into.
Monitor your device behavior. Installing antivirus and antimalware is important. But what’s equally important is monitoring your device behavior. The reason for this is that cryptojacking malware like DarkGate is specifically designed to avoid detection by common antivirus software like Trend Micro and Avast. But what such malware can’t conceal is the vast processing power it consumes on your devices.
If your computer is running slowly, check the CPU usage. Windows users can access the Task Manager while Mac users can see their Activity Monitor. If suspicious processes are running that consume substantial processing power, look them up online. If you find them to be suspicious, terminate them.
Also, check to see if your device is overheating. Cryptojacking uses a lot of processing power and generates plenty of heat. A program like Core Temp can help perform such a check.
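The Task Manager check described above can be scripted: take a few process snapshots some seconds apart and report only processes that stay near full CPU in every one, which separates a miner from a one-off spike such as a video encode. This is an added example, not code from the original post; the snapshots are constructed `ps -eo pid,pcpu,comm`-style output and the process names, threshold and interval are assumptions.

```python
import re

# Constructed snapshots taken 10 s apart (assumption: sample data, not real
# output from any machine). "svc-helper" is a made-up, innocuous-looking name.
SNAPSHOTS = [
    """  PID %CPU COMMAND
  412  2.1 systemd
 1983 96.5 svc-helper
 2210 12.0 firefox
 2301 88.0 ffmpeg
""",
    """  PID %CPU COMMAND
  412  1.8 systemd
 1983 97.2 svc-helper
 2210 40.5 firefox
 2301  3.0 ffmpeg
""",
    """  PID %CPU COMMAND
  412  2.0 systemd
 1983 95.9 svc-helper
 2210  9.7 firefox
 2301  0.0 ffmpeg
""",
]

LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)")


def parse_snapshot(text: str):
    """Yield (pid, cpu_percent, command) from one ps-style snapshot."""
    for line in text.splitlines()[1:]:          # skip the header row
        m = LINE.match(line)
        if m:
            yield int(m.group(1)), float(m.group(2)), m.group(3)


def sustained_hogs(snapshots, threshold=70.0, min_hits=None):
    """Return (pid, command) for processes at or above `threshold` %CPU in at
    least `min_hits` snapshots (default: every snapshot).

    A miner sits at high CPU continuously; an encode or a page load spikes and
    then drops, so a single snapshot is not enough evidence on its own.
    """
    if min_hits is None:
        min_hits = len(snapshots)
    hits, names = {}, {}
    for snap in snapshots:
        for pid, cpu, cmd in parse_snapshot(snap):
            names[pid] = cmd
            if cpu >= threshold:
                hits[pid] = hits.get(pid, 0) + 1
    return sorted((pid, names[pid]) for pid, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    # Only svc-helper is high in all three snapshots; ffmpeg spiked once.
    for pid, cmd in sustained_hogs(SNAPSHOTS):
        print(f"sustained high CPU: pid {pid} ({cmd}), look this name up")
```

As the text says, the next step is to look the reported name up online before terminating it; a bland name like the constructed one here is no evidence of innocence.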
ii. Web browsing
Check your web browser. You can check if your browser has been compromised here.
Protect yourself while surfing. Download the Opera browser. It has an in-built ad blocker to protect against cryptojacking.
If you do not want to use Opera, you can download miner-blocking extensions such as:
iii. Mobile phones
Monitor your device behavior. You can check whether there are any apps consuming excess battery life. Investigate them and terminate if necessary. If your phone constantly overheats, this may also be another sign that cryptojacking malware is present.
9. Be aware of surveillance
Instead of targeting the devices you work on, attackers may decide to target you instead. An attacker can obtain information such as passwords from users by observing them. This is known as shoulder surfing.
Image: Edward Snowden covers himself with a blanket while entering login credentials.
In the documentary Citizenfour, Edward Snowden pulled a blanket over himself while typing in passwords. While the government may not be after you, you should be aware of such threats and act accordingly.
10. 2FA up your life
Two-factor authentication means confirming a user’s identity with two different factors. For example, if you were to log into email, not only would you have to key in your password (first factor), you would also have to key in a one-time password sent to your mobile (second factor).
You should use 2FA wherever possible for logins, be it to your emails, exchanges or wallets. Using 2FA gives you extra security since even if one factor gets compromised, your account is still secured.
Never set up 2FA with SMS. Some services allow users to reset their passwords using verification PINs sent to their phone numbers. Because of flaws in cell phone networks, scammers are able to intercept such text messages. They can then reset the password to your email account and gain control over it. From there they can work their way into your crypto exchange accounts. See the video below for how this works.
This also means you should remove your phone number from your email accounts and disable account recovery via phone numbers.
Use Google Authenticator or Authy instead. They interact directly with your physical device rather than your phone number. Also, they generate a new one-time code every 30 seconds.
Using these also helps avoid SIM swapping scams. In such scams, the attacker hijacks your SIM card to gain access to your mobile phone number. Criminals can execute this by calling up your cell phone provider pretending to be you. They then trick your provider into issuing a new SIM card to them. Read more about how these scams happen (here).
Even better, use a hardware 2FA. Hardware 2FAs are even more secure than app-based 2FA like Authy as shared secrets (private key) are not stored or hosted by any vendor. Furthermore, they store their signing keys on the hardware device itself.
Examples of hardware 2FA include Yubikey. If you have a Trezor or Ledger device, they can also act as a hardware 2FA. See instructions on how to do this for Trezor (here) and Ledger (here). Here is a list of services that would be compatible with your hardware wallet 2FA.
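The 30-second codes that Google Authenticator and Authy generate are time-based one-time passwords (TOTP, RFC 6238): both sides hold a shared secret and derive the code from the current 30-second slot, so nothing travels over the phone network. This is an added illustration, not code from the original post or from any authenticator app; the demo secret is the published RFC test key, and the drift window in `verify` is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app reads from the setup QR code.

    This is the 'shared secret' the text mentions: the service and your device
    both hold it, and it is never sent by SMS.
    """
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore base32 padding
    return base64.b32decode(cleaned)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme behind the 30-second codes."""
    counter = at_time // step                      # which 30-second slot we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def seconds_remaining(at_time: int, step: int = 30) -> int:
    """How long the code for the current slot stays valid."""
    return step - at_time % step


def verify(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current slot plus `window` slots on either
    side to absorb clock drift (assumed policy), using constant-time compares."""
    base = at_time // 30
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(totp(secret, counter * 30), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    print(totp(demo_secret, now), "valid for another", seconds_remaining(now), "s")
```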
11. Your keys, your Bitcoin. Not your keys, not your Bitcoin
In crypto, private keys give you control over your funds. They allow access to funds stored on the blockchain. These private keys are like your house keys. Would you give your house keys to someone to manage? If not, then why would you do so in the realm of crypto? Thus, never store crypto in custodial wallets or on exchanges. We would dive into more detail on these when we discuss them in subsequent sections.
12. Don’t roll your own crypto
As the word cryptocurrency implies, it utilizes cryptography for security. And a golden rule in cryptography is to never roll your own crypto.
What does this mean?
Crypto users should not try to invent seemingly smart schemes to protect themselves. While this gives them the feeling of being more secure, it is an illusion. And it will backfire, as they do not understand the complexity of the problem they are solving. In short, the Dunning-Kruger effect at work.
Very common examples that we see online:
- Devising their own unique methods for storing their seed eg. seed splitting
- Trying to implement a safe way to generate the seeds for their paper wallets
We would discuss these in detail in the Wallet section.
13. Do not submit personal details unnecessarily
Despite the crypto bear market, we continue to witness ICOs popping up everywhere. What’s worrying is those that request verification documents from users to participate in token airdrops or bounty programs. Documents requested include scanned copies of your passport and/or a selfie.
While there are legitimate projects out there, understand that there may be sinister motives behind such KYC requests. On the dark web, the average price of a digital passport scan is $14.71. If proof of address or identification is also available, the average price rockets to $61.27.
Selling your information is just one way scammers can make money using your information. Even worse, they could use this information to steal funds you store on cryptocurrency exchanges.
Reddit user Gamm86 provided an overview of how this can happen.
- As part of KYC during registration, exchanges require registrants to take a selfie of themselves while holding their ID.
- Upon approval, a user gets access to their account. If a user sets two-factor authentication, scammers can’t access his account even if they have only obtained the user’s password. The user’s login credentials may have been obtained from other sources eg. keylogging.
- However, with the right set of identification documents, scammers can find their way around this. They can approach the cryptocurrency exchange claiming they’ve lost access to their mobile phone.
- Exchanges would request proof of identity. The scammer then modifies the scans purchased from the darknet as necessary to meet the requirements of the exchange and submits it.
- Upon receiving the proof of identity, the exchange removes or resets the 2FA on the account. This grants the scammer access to the user’s funds, which would then be drained.
This is not just a theoretical scenario. We have researched several exchanges and found that their 2FA reset procedures are gameable. Below is one such example.
Needless to say, be very careful about submitting verification documents. Never submit them to disreputable or questionable sources. And if you must do so, always watermark them with the date, the requestor and the purpose of the scan. But of course, do not obscure identifying information. You can use Microsoft Paint or IrfanView (free) for creating watermarks.
14. Do not put cryptocurrencies on your laptops or computers
Do not put bitcoin on those devices; that’s like making a donation to hackers. They have software actively looking for Bitcoin software; when they find it, they take it. Or they put a keylogger on your machine, wait for you to do a transaction and enter your password, and then they take it.
What should you then do? Operating systems on smartphones are far more secure than your laptops and desktops.
Mobile phones have smaller operating systems, reducing their attack surface to hackers. What’s more, apps have to undergo reviews prior to listing on Google Play or Apple’s App Store. This reduces the risk of downloading malicious apps.
15. Diversify, diversify, diversify
Do banks place all their eggs in one basket? No, they don’t, they seek diversity so that they don’t just have one point of failure. You should do the same. These are some areas for consideration:
Account logins: For each service you sign up for, eg. exchanges, use a unique username, password and email. The reason for this is simple. If one of your email accounts gets compromised, you can at least limit the damage.
Wallets: Don’t just use one. For example, if you manage Bitcoins using a Trezor, also restore your seed on a Ledger. That way, if Trezor botches an update, you would still have access to your funds via the Ledger.
Exchanges: Open accounts on multiple exchanges. If one gets hacked or is slow because of high traffic then you can always trade on another.
16. Invest with caution
While we aren’t qualified to tell you what to invest in, we can provide some pointers on how to avoid a catastrophe.
DYOR. Which stands for do your own research. Due to the speed and ease at which misinformation spreads, always research your potential investments. Don’t just rely on someone on social media shilling a coin or a news outlet. Fake news is rampant on such mediums so always take them with a pinch of salt.
If it sounds too good to be true, it probably is. This point should be self-explanatory. If some coin provides up to 40% interest per month, would you invest? If so, you are staring directly at a Bitconnect clone.
A quick and easy way to spot scams. We have found this to be an easy way of spotting scams, so we would share it. It doesn’t always work. Go to the coin’s website. If they have none, huge red flag. On their site, visit the bios of the team. Take the photos of the team and run them through a reverse image search engine like TinEye. If the same photo is also used by someone with a different identity, this is a major red flag. Some scammers go to greater lengths to hide their identity. But this technique provides a quick way of rooting out low-effort scams.
A good example would be the ICO for Miroskii. Here is a picture of their team.
Yes, that’s right. We see a Kevin Belanger, in the bottom left hand corner.
Just to confirm he is who he claims to be, we put his image through TinEye. And the results are….
Looks like it was Ryan Gosling all along. That’s so strange of you Ryan! Why would you ever change your identity when endorsing something?
Only invest what you can afford to lose. Cryptocurrencies are a very difficult discipline to invest in. The skills required are incredibly technical. Reading the whitepaper alone isn’t sufficient. You need to be able to read the code to assess whether it is correctly implemented. And whether there are any backdoors within. It isn’t a field you can simply jump into. This is highly experimental technology which could fail. We would end this section with a quote from angel investor Naval Ravikant:
I think the deeper you get into this [cryptocurrency] the more you realize how fundamentally ignorant most of us are. The set of people qualified to invest in this space is probably like less than 1% of the size of all the venture capitalists out there today. It’s a deeply deeply technical space.
You just learned a ton about crypto security, from protecting your devices to avoiding scams.
Now it’s your turn: leave a comment below and let me know what you’re going to implement first.
Or if you have other suggestions, we would love to hear it.
Let us know with a quick comment below!