Guide to Safely Sending and Receiving Cryptocurrencies

We would first discuss precautions applicable to both sending and receiving funds. After that, we also provide safety measures specific to each aspect.

Sending and receiving cryptocurrencies

Never type in addresses. Always copy and paste. After pasting the addresses, check that the pasted address matches the intended address. Typing out addresses is prone to error. Not verifying the recipient address leaves you vulnerable to malware like Coinbitclip. When installed on your computer, the malware alters the pasted address. What’s more, the malware pastes addresses that look similar to your intended address. The scammers are able to do this as they possess numerous wallet addresses. The video below demonstrates how this works.

Such malware is not confined to desktops. Recently, similar malware surfaced on Google Play.

“But the address I am sending to is too long to verify?” If you get lazy, perhaps you can verify the first few and last few letters of the recipient address. But bear in mind that each character you don’t review increases the probability of loss. This is because hackers can generate addresses that appear similar to yours. Let us illustrate this with an example.

Suppose your intended recipient address is this:

1xvgsad12312c

If you only verify the first character, all the hacker has to do is to generate an address that starts with 1 to fool you. For example, he may just generate keys to the following address.

1byj1xr5vgq7d

However, if you verify all but the last character, the task of the hacker becomes much more difficult. He/she would now have to generate keys to address like the following in order to fool you.

1xvgsad12312d

This requires much more computational power is thus more costly to an attacker.

Care when using QR codes. QR codes offer a great deal of simplicity to users. Instead of simply copying and pasting addresses, why not just scan a code? However, because they are indistinguishable to the naked eye, scammers have begun preying on them.

There have been malicious sites which help users convert addresses into QR codes. However, these sites encode the scammer’s address instead of the user’s. If you need to generate a QR code, avoid using such sites. Instead, get a reputable wallet with a built-in QR generator.

Or you can use DuckDuckGo to generate your QR code. Simply type “qr” followed by your address to convert it to a QR code.

If you ever use a QR code, be sure to scan the code to obtain the encoded address. Then, verify that this address is indeed what it is supposed to be.

Don’t rush when carrying out transactions. Doing so makes you more prone to errors…

Sending cryptocurrencies

Send small quantities first. For handling transfers of crypto, why not take a tip from the pros.

Consider sending small amounts first. Upon confirmation of receipt, then proceed to send the remainder.

Double check the recipient address with an alternative channel. An example would be when sending crypto to exchanges for trading. You would first obtain the address to deposit your crypto into from the exchange website. If you did this on a PC with Firefox, then reperform this step using a different setup. For example, using your Android phone with Chrome browser. You can even introduce more variation by using different networks (eg. one with WiFi and another with cellular data). If the addresses match then you have a high degree of certainty that it is correct. By verifying using a second channel, you lower the risk of man-in-the-middle attacks. It is certainly possible for a hacker to compromise Firefox on your PC. However, it is less likely that both Firefox on your PC and Chrome on your Android get compromised at the same time.

Other ways to verify addresses include SMS, face-to-face meetings or via phone calls.

Remember to check transaction fees too. You don’t want to be paying excessive amounts to get your transaction confirmed. Neither do you want to pay too low a fee and have to wait days to get your transaction confirmed.

In the above screenshot, a glitch in Ledger Live caused it to add $55 to all transactions. This is a large amount to pay for transferring less than a dollar worth of Bitcoin.

Receiving cryptocurrencies

Consider using human-readable addresses. When providing your address to others, consider using services like ENS. ENS is a service for Ethereum which shortens addresses to human-readable forms. This makes it easy for the sender to verify your address.

Unconfirmed transactions are not secure. Transactions do not start out as irreversible. Instead, they receive a confirmation score indicating how hard it is to reverse them.  If receiving significant funds, wait for sufficient confirmations prior to accepting payments.

For Bitcoin transactions, six confirmations are recommended (see table).

For hardware wallet users

Only trust information on the device, never what’s on your computer screen.

Always assume that the software (eg. Ledger Live or Trezor Bridge) your hardware wallet interacts with is compromised. This is applicable even if you previously verified its authenticity. It is much easier for the software on your computer to be compromised than for your hardware wallet to be. This is because your computer is routinely exposed to potentially risky data from untrusted sources, unlike your hardware device.

Trusting only information on your device mitigates man in the middle attacks. In such attacks, scammers replace receiving addresses shown on the software with their own addresses. But because they can’t alter information on your hardware device, this attack would fail if users rely solely on information on their device.

Some wallets do not require you to verify addresses on your device by default. However, users should find out how to verify addresses on their devices. For example, in older versions of Ledger desktop software, such verification was non-mandatory. But users could select a button on their software that would show the address on the device. Ledger users should note that this step has become mandatory with the upgrade to Ledger Live.

This is especially so if you are transferring large sums of crypto. Avoid relying on lightweight wallets or blockchain explorers such as Blockchain.com. Doing so would mean delegating responsibility for transaction verification to third parties. And you have to make many assumptions:

• That the third party provider is not hacked.
• That their consensus algorithms are free from bugs.
• That they are not deliberately trying to mislead you.
• That there isn’t a man-in-the-middle attack. Or that your computer setup isn’t compromised to display false information.

As should be obvious from the above, this is far from ideal. Running a full node helps eliminates the need for making such assumptions. You do not need to trust anyone to keep the network honest. Instead, you are doing it yourself. By independently validating your transactions you gain transaction certainty. If a transaction breaks consensus rules, your node will reject it. This happens even if everyone else accepts the transaction. For businesses that accept crypto, running full nodes are thus critical.

There is another benefit to running your own full node – more privacy. While absolute privacy is impossible, running a full node broadcasts less identifying information. Connecting to third-party providers to broadcast your transaction exposes you. Providers would be able to log information such as your IP and time of the transaction. Or if you used your email to sign up for your online wallet, your transactions will get associated with it. If such information is linkable to your real-world identity, it opens the door to many side effects. An example would be social engineering to extort funds from you.

Read more about setting up a Bitcoin full node here. If privacy is of concern to you, consider running a full node over Tor. If these instructions feel troublesome, then get a plug-and-play solution. Examples include Casa Node and Samourai Dojo Trusted Node. These help you easily run your own full node.

• Andreas Antonopoulos
• Cryptocurrency Security Standard
• Ledger
• Trezor