
A Beginners Guide to Cryptosecurity

Imagine you lost all your coins. Not a particularly nice thought, right? Staying protected in today’s cyber world is very tricky but also more important than it has ever been, especially if you’re dealing with very sensitive data like private keys for cryptocurrencies.

In this article we’ll give you some tips and tricks, helping you to stay protected and minimise the likelihood of becoming a victim of an attack on your data and/or funds.

Let’s start out with some general security practices you should implement no matter whether or not you hodl crypto.


Online security basics:

Passwords: Use a different password for every website. Use a password manager to store your passwords and only use randomly generated passwords. Most password managers allow you to do that.

Security questions: Don’t answer these truthfully. If you know your mother’s maiden name, it should be trivial for an attacker to find out as well.

VPN: When you use a VPN, your device doesn’t talk to websites directly through your ISP (Internet service provider). It first establishes a private connection (sometimes called a “tunnel”) to the VPN server, which is hopefully encrypted (make sure you’re using a good VPN). All your ISP can see is that you’re connected to a VPN. If that VPN server is located in a different country, it will seem as if you were located in that country. That can be helpful when certain websites are blocked in your country. Use a good VPN service, especially when you’re using public WiFi. We’ve had good experiences with Mullvad, and they let you pay in Bitcoin.

HTTPS: Have you ever noticed that some website addresses begin with “http://” and others with “https://”? That little extra “s” makes all the difference. It means that the traffic between your device and the web server is encrypted. Today, a lot of websites already support https, but some still don’t. If a website supports it, your browser will show you a green padlock in the URL bar. There is a plugin called “HTTPS Everywhere” that enforces the use of https when available by requesting the secure version. You can install it here.

Malware, Keyloggers and Viruses: There is no 100% protection against these, and even though you should rather assume that your device is infiltrated than not, it’s still a good idea to run software like Malwarebytes. Probably the best way to protect yourself is to not click on suspicious links/downloads and generally be conscious about what you’re doing online.

Two-factor authentication: Whenever a web service allows you to enable 2FA, you should definitely use it. The easiest and most common way is Google Authenticator, but always remember to back up the code (the secret) given to you when you set up the 2FA. Please DO NOT use text/SMS as a 2FA. See why. Another great way to make use of 2FA is to get a FIDO U2F device.

Email: Your email account is like the control station for all the other services you’re using online. If someone gets access to your mail account, they’ll also be able to gain access to your other accounts. That’s why you need to make extremely sure that your email account is secure. That means: use a random password, enable 2FA, and don’t use the account for weird stuff. Consider creating an email address specifically for things that need to stay extra secure, like exchanges, bank accounts etc. We can recommend Protonmail for that.

Messaging: I guess you or someone you know has said the following before: “I’ve got nothing to hide, so why bother with all this.” That’s like saying free-speech is unimportant as you’ve got nothing valuable to say. That’s a different discussion though. Just because someone doesn’t value a particular good (privacy, free-speech etc) doesn’t mean it’s not useful in a lot of other cases. So no matter whether you have something to hide or not, your privacy should be protected. Thus, please use a secure messaging app like Signal.

Backups: Ever had your computer/phone stolen, or had it crash, without a backup? Well, just back your stuff up regularly and that won’t happen. As easy as that. Hard drives are so cheap these days that there really is no excuse for not doing it.

Ads: In order to show you ‘relevant’ ads online, Google, Facebook and all the others first need to know what you’re interested in. That means they’re building an interest profile about you. If you don’t like the thought that some corporation is spying on you to find out what you’re interested in, only to convince you to buy another pair of sneakers, run an ad blocker.

Browser: Make sure you only have plugins installed that you actually need. Check what permissions they have. Switch your default search engine to DuckDuckGo and your browser to Brave.

Let’s now consider some additional steps for our dear crypto hodlers. We’ll start with general tips which are agnostic to what kind of storage solution you’re using and then dive into the different layers of wallets and their pros and cons.

General stuff:

“Remember: Gone is gone. There is no-one to call to reverse a transaction. Your private key = your coins. You’re responsible for making sure you’re not getting rekt. That means: Never share your private key. That’s why it’s called a PRIVATE key.”

What is a blockchain: it’s a decentralised database, that keeps track of transactions. Decentralised means that a copy of the data is saved on not one device (like a centralised server) but on many computers, dispersed around the world. These computers are called (full) nodes.

When you own bitcoin (or any other cryptocurrency) and store them in your wallet, then that coin isn’t actually stored in your wallet. Your wallet just stores the private key that gives you access to the coins associated with it. Put another way, your wallet holds the key you need to use your funds. That means all you need to keep secure is your private key.

What is MyEtherWallet (MEW) and MyCrypto (MC):

These two services are web interfaces that allow you to create Ethereum wallets and interact with the Ethereum blockchain. When you create a paper wallet via MEW or MC, it uses your computer’s random number generator to generate a private key. This private key is created on YOUR computer. That means neither MEW nor MC has access to your wallet, and in case you lose access they won’t be able to restore your wallet.

Everyone who claims they can help you restore your MEW or MC wallet (for example via an official looking email) is trying to scam you for your private key (=your funds). Never give your private key to anyone. The MEW or MC team will never ask you for it.

What is Coinbase, Kraken, BitStamp etc.

These exchanges are the main fiat-to-crypto exchanges and are very popular with starters. The difference between such an exchange and your own wallet is that not you but the exchange is holding the private key to your funds.

If they should go bust, get hacked, or an attacker gets into your account, your coins would probably be lost forever.

Once you’re comfortable with crypto you should definitely consider storing most of your funds on an offline hardware-wallet, like the BitBox.

Remember:

  • Never share your private key
  • Always double check the address you’re sending to. Carefully!
  • Even if you checked: Don’t send all at once, send a test with a small fraction.
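Part of “double check the address” can be automated: Bitcoin addresses carry a Base58Check checksum, so a mistyped or corrupted address is rejected before anything is sent. The following is an added example (not code from the article) that decodes a legacy Bitcoin address and verifies its 4-byte double-SHA-256 checksum. The sample address is the well-known genesis block address; the tampered variant is constructed for the demo.

```python
import hashlib

# Added example: Base58Check validation of a legacy (P2PKH/P2SH) Bitcoin address.
# Base58 deliberately omits 0, O, I and l so they cannot be confused when an
# address is read aloud or copied by hand.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(s: str) -> bytes:
    """Decode a Base58 string to bytes; leading '1' characters stand for leading zero bytes."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def validate_address(addr: str):
    """Return (ok, detail). ok is True only if the address decodes to 25 bytes
    whose last 4 bytes equal the first 4 bytes of SHA256(SHA256(payload))."""
    try:
        raw = base58_decode(addr)
    except ValueError as exc:
        return False, str(exc)
    if len(raw) != 25:
        return False, f"decoded length {len(raw)} != 25"
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return False, "checksum mismatch (typo or corrupted address)"
    return True, f"checksum ok, version byte 0x{payload[0]:02x}"


# Constructed demo inputs: the genesis block address and a one-character typo of it.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
TYPO_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"

if __name__ == "__main__":
    for addr in (GENESIS_ADDRESS, TYPO_ADDRESS, "1A1zP1eP5QGefi2DMPTfTL5SLmv70ivfNa"):
        print(addr, "->", validate_address(addr))
```

A checksum only catches transcription errors. Clipboard-hijacking malware replaces the address with a different, perfectly valid one, which is why you still compare the destination shown on the hardware wallet’s own screen with the address the recipient gave you, and why the small test transaction above remains good practice.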

A few words about phishing attempts in crypto:

It happens. Every day. Just google the name of some crypto exchange and look at the Google search ads. It’s likely that some will look like this. Therefore:

  • Double check URLs
  • Bookmark exchanges, MyEtherWallet/MyCrypto and all other websites that could be a target for phishing.
  • Don’t trust links sent to you via Slack, E-mail, Reddit, Twitter etc
  • And never click on Google search ads for exchanges, wallet websites etc.

What to do with your private key/seed/mnemonic and what NOT to do:

Do’s:

  • Use a Hardware-wallet, like BitBox, to store the majority of your funds offline. The extra security is more than worth the cost.
  • Make multiple backups of your private key/seed/mnemonic and store them at different locations.
  • Consider protecting your seed/mnemonic against nature with a STEELWALLET, something similar or make your own :D

Don’ts:

  • Don’t save your private key/seed/mnemonic in cloud storage like Google Drive, Dropbox etc.
  • Don’t ever give it away or leak it. “Whoever owns the private key owns the funds.”
  • Don’t type your private key/seed/mnemonic into your computer or smartphone, as you might have a keylogger or other malware installed. Get a hardware wallet to avoid such risks.

The different layers of crypto storage

Now it’s time to talk about the different ways you can store your crypto in more detail. We’ll start with exchanges as these are probably the first touchpoint for starters. Then we’ll cover software and hardware wallets, paper wallets and finally physical offline backups.

Disclaimer: All of these explanations are heavily simplified.

Exchanges

Nearly everyone who’s in crypto has to interact with an exchange in one way or another. As the exchange is holding the keys to your funds and not you yourself, all an attacker needs are your login credentials. That’s why you should make sure that you’ve implemented the tips from this article. Once someone has access to your account and has withdrawn your funds to their wallet, it’s too late. There’s nothing you or the exchange can do to get it back.

Due to the irreversibility of cryptocurrency transactions and the third-party risk (meaning, the exchange could go bust) you should only keep the minimum amount necessary on site. Only have as much as you really need at a given moment on an exchange.

Software Wallets

A software wallet is a special application (desktop or mobile) that stores your keys. However, as it uses your normal device’s hardware and runs in an insecure environment (your device), there are a few attacks that could leak your keys. Therefore, you should only hold a small amount in a software wallet, like what you need to pay at a cafe ;)

Hardware Wallets

A hardware wallet is a dedicated device whose sole purpose is to make sure that your private key is secure. It achieves that by minimising the attack surface in two ways:

a) Special hardware: Most hardware wallets use special chips to store your private keys that are equipped with anti-tampering mechanisms to prevent your keys from being extracted.

b) Minimal OS: A hardware wallet isn’t a full-fledged computer. It only has what is necessary to fulfil its purpose: storing private keys and signing transactions. That greatly minimises the attack surface as there is less that could go wrong on such a system.

A great open-source Hardware-wallet is the BitBox from the Swiss company Shift Cryptosecurity. Check it out here or if you’re speaking German here.

Paper Wallets: A paper wallet is a piece of paper with your Private key on it. Theoretically, that is a very secure solution to store crypto offline for a long time. However, the problem lies in creating it. In order to do it properly, you’d need an offline computer (has never and will never touch the internet), you’d need to make sure that this computer is using a strong source of randomness and get an offline printer (has never and will never touch the internet). If that sounds like a lot of effort, then you’re right. It is.

Apart from these huge set-up drawbacks, you can only use a paper-wallet to store your crypto long-term. Once you need to transact, you’ll have to enter your private key on a computer and then you should assume that it’s compromised.

Physical Backups

If you already have a Hardware-wallet you’re probably familiar with how the seed (a human-readable version of your private key) is stored. In most cases, the user has to write it down on a piece of paper or it is saved on a Micro-SD card. With this recovery item you can then restore your wallet, should your Hardware-wallet get lost or break.

However, there might be cases in which your Hardware-wallet and your backup are destroyed at the same time, like a house fire, a flood or other natural disasters. If you haven’t got another backup, then there’s no way to restore your wallet.

That’s why you might want to consider backing up your seed in a way that will survive natural disasters. Or you might want to bury it for your descendants. STEELWALLET allows you to do just that.

With the code “medium” you’ll get a 5% discount. Check it out here.

And if you don’t have a hardware wallet yet, check out the BitBox

Thanks for reading our article.

You’re very welcome to share it with your friends ;)