Cryptocurrency Security is a daunting topic for crypto holders, but it is an important facet of keeping funds safe from the nefarious characters who prowl cryptocurrency communities. This post is a general guide on cryptocurrency safety for both users of custodial exchanges and non-custodial crypto wallets.
General Account Security
Be paranoid, particularly with your primary email account. JamesRuleXRP posted an article from a local publication about hackers emptying $75k out of a User’s Coinbase account using a cellphone number hijacking technique called a sim swap.
In a sim-swap, an attacker convinces a phone company to issue a sim for a number owned by the victim. Any authentication texts sent to that phone number arrive on an attacker’s device instead of the owner’s. Using these authentication texts, the attacker hijacks accounts associated with that number.
An account protected by text message 2fa is one quick sim-swap away from hijack. So, if you have a significant amount of funds stored in a custodial exchange, take additional security measures:
- Use an additional form of 2fa (more on this below).
- Use an email service that doesn’t require you to provide a phone number for recovery (like protonmail).
- If you have a Gmail account, opt for a more secure form of 2fa and sign up for their advanced protection program.
Strong passwords are a cornerstone of account security. But re-used passwords, even if they are strong, are a vulnerability. Password managers are one of the best ways to stay safe online. They allow you to create strong and unique passwords for each website you have an account with. Some password manager recommendations:
- Use the built-in Google Chrome password manager. But make sure you're using the browser's password generator to create strong passwords rather than simply remembering old, insecure ones.
Also known as 2fa, two-factor authentication is a system that requires an additional log-in step to authenticate an account.
Unfortunately, text messages are one of the most frequently used forms of 2fa. Many websites still use this insecure form of two-factor authentication. Fortunately, there are many convenient and secure alternatives. Websites like Coinbase require many additional steps to disable these more secure forms of 2fa on an account.
Two of the most popular 2fa apps are Google Authenticator and Authy. These apps generate an additional string of numbers that websites require during log-in. According to support documentation for Coinbase, Authy is not supported. Generally, Google’s authenticator product is more secure because it cannot be restored from a cloud backup. It will only exist on devices it has been explicitly installed on. That doesn’t mean Authy is unsuitable for less important accounts. Many users keep Google Authenticator for crucial accounts while using Authy for the less important ones.
Cryptocurrency exchanges like Coinbase also allow users to require 2fa authorization to send transactions.
For those who want additional security, a dedicated 2fa key like those from Yubico or Google's Titan security line is highly recommended.
These security keys resemble USB thumb drives and connect to your computer or phone over wireless communication, NFC, or plain old USB. When a user logs into a cryptocurrency exchange like Coinbase, the site will ask them to plug in their key and press a button on the device before allowing them to log in or transact.
Important accounts, like email, crypto exchanges, Twitter, Facebook, etc., should be secured using a strong form of 2fa. Never use text message-based 2fa to protect important accounts.
Had the individual mentioned by JamesRuleXRP used a hardware-based 2fa, the attacker would have had to go through the arduous account recovery process to disassociate that hardware key from their account before stealing the funds. Hardware keys are also protected from device malware as they exist separately from a computer or mobile device.
When using the Google Authenticator, it’s important to remember that the codes will not transfer when you purchase a new phone. There is a built-in mechanism to add the account to a new phone, but it requires you to still have the old one in your possession to do so. Users can add the authenticator account to multiple different devices that they own, but shouldn’t actually save the barcode the app generates on any electronic device. If an attacker manages to grab one of those images, they can then transfer your authenticator accounts to their own device.
Authy has a cloud backup feature and will transfer to a new phone. This cloud-based transfer is a security risk that can be mitigated by enabling the device limitation feature in the Authy settings. This ensures that your Authy account can only exist on one device at a time.
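The point about the authenticator barcode is worth seeing in code. Below is an added example (not from the original post) of a minimal RFC 6238 TOTP generator: the QR code an authenticator app scans is an `otpauth://` URI carrying the whole secret, so any copy of that image produces exactly the codes your phone does. The URI and secret are constructed for illustration.

```python
# Added example: minimal RFC 4226/6238 HOTP/TOTP, to show that the enrolment
# QR code (an otpauth:// URI) is the entire secret an authenticator app holds.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrolment URI; the secret is NOT a real account key.
SAMPLE_URI = ("otpauth://totp/ExampleExchange:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleExchange&digits=6&period=30")


def parse_otpauth(uri):
    """Extract what an authenticator app stores when it scans the QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // period, digits)


def codes_match(uri, at_time):
    """Two devices enrolled from the same QR code compute identical codes."""
    acct = parse_otpauth(uri)
    phone = totp(acct["secret"], at_time, acct["period"], acct["digits"])
    saved_image = totp(acct["secret"], at_time, acct["period"], acct["digits"])
    return phone == saved_image


if __name__ == "__main__":
    acct = parse_otpauth(SAMPLE_URI)
    print(acct["label"], "current code:", totp(acct["secret"]))
```

The `hotp` and `totp` values can be checked against the published RFC test vectors (secret `12345678901234567890`, T=59 gives `287082`), which is the same arithmetic every authenticator app runs.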
Imagine how much more difficult account compromise is when proper two-factor authentication is enabled. An attacker now needs to hijack multiple accounts, each protected by either hardware keys isolated from a host system or 2fa apps that generate one-time codes. To compromise a Coinbase account, an attacker will also need to capture a user's email account and phone number, and present a copy of the victim's photo ID to try and fool Coinbase support into giving them access.
Apple ID Account Protection
Apple has historically been negligent with account security. For a long time, text message-based 2fa was the only way to protect an Apple ID. There’s some logic to this. If users lose access to their Apple ID, they lose everything they’ve backed up in iCloud, on their iPhones, MacBooks, etc. But preventing more technical and high-risk users from protecting their accounts with better 2fa has led to some high profile Apple ID account hijacks.
Fortunately, Apple users now have the option of enabling additional authentication using a recovery key. A recovery key is a random string of characters generated by an Apple device that users will have to input as an additional form of authentication if they lose access to all of their devices. This recovery key should be either printed or written on paper, as if it’s stored anywhere digitally, it’s functionally useless as 2fa.
Instructions on how to turn on the recovery key are found on the Apple Support website.
Keep in mind that if you lose all of your devices and this recovery key simultaneously, there’s no way to get your account back. So, store the key somewhere safe.
This might be a controversial opinion, but a reliable exchange will be just as safe as using a hardware wallet for less technical users.
The most significant risk for novice users is social engineering – by far. And as we’ve seen time and again, novice users with hardware wallets still lose funds to these kinds of attacks.
If the exchange is insured and has a good track record, like Coinbase or Gemini, it will be easier for novice users to keep their funds safe from hackers and user error than with a hardware wallet, especially if the account is protected by an effective form of two-factor authentication.
For more experienced users, hardware wallets can be an excellent tool to keep cryptocurrency safe, but they still come with risks. Funds are irrecoverably lost if the owner passes away or becomes injured in some way that prevents them from remembering their password or where they hid their seed words.
Funds held on a hardware wallet are also not insured, so if an attacker finds a vulnerability in a popular hardware wallet that leads to the loss of funds, a user will most likely never see that money again. With an insured exchange, as long as the loss of funds is not due to user error, the money can be recovered through insurance. With reputable custodial exchanges, account recovery is also an option.
For novice users, hardware wallets are daunting, difficult to set up, and can lead to permanently lost funds if set up improperly.
Whether you use a custodial service like Coinbase or a non-custodial hardware wallet like Ledger or Trezor should depend on your individual risk profile. If you’re likely to be subjected to targeted attacks, a hardware wallet should provide you with an additional layer of security.
If you’re a novice, insured custodial services like Coinbase are going to be easier for you to use safely than a hardware wallet. I wouldn’t use a small local exchange, as they are often less reputable unless some local insurance service guarantees the deposits.
For non-U.S. customers, I'm not sure if the Coinbase insurance applies, as they specifically reference "U.S. customers" in their website documentation. For Canadians, Coinberry advertises up to $200 million in digital asset insurance using the Gemini Trust Company LLC. Do your research on local exchanges, and if you cannot find a reputable one, self-custody using a hardware wallet would be the safest option.
As far as I know, none of these exchanges protect users from theft due to user error. Then again, neither do the Ledger or Trezor hardware wallets. If you get phished, or you share your seed phrase inadvertently with the internet, you are just as screwed using a hardware wallet as an exchange.
Wallet Seed Phrases and Account Recovery Keys
Seed phrases are also sometimes referred to as recovery phrases or recovery seeds. These are typically a string of numbers or words a user needs to record in order to recover a cryptocurrency wallet if the device is lost or damaged, or when the user purchases a new device.
Many users have had funds stolen because they saved these recovery seeds as images or text files in the cloud. Once an attacker compromises a cloud account where a user stores their recovery seed, they can use that phrase to steal all of the cryptocurrency in that wallet. Many cloud services are also not end-to-end encrypted, meaning a rogue employee could also swipe the seed phrase, blame hackers, and steal user funds.
Don’t store your seed phrases in the cloud. Write them down, print them out, and store them in a secure location. Most hardware wallets support additional password authentication for wallet recovery to prevent loss of funds from physical theft of seed words.
The same concept applies to the Account Recovery Keys websites ask you to print out when you enable hardware 2fa. The point of hardware wallets and 2fa keys is that they prevent a remote attacker from easily compromising your accounts. If you store these on your computer or in the cloud as a text or image file, you’re giving an attacker an easy way to hack your account remotely. At that point, you might as well revert to a software wallet and a password to protect your accounts.
Browser, Software, and Operating System Updates
Exploits target flaws in software like web-browsers, operating system software, etc., to try to install malware onto a user’s system or to trick the software into disclosing information it would otherwise not have given an attacker.
The WannaCry ransomware spread using an exploit in Microsoft’s SMB protocol two months after Microsoft had released a security patch fixing the flaw. Had infected users installed their operating system updates, they would have avoided infection.
If you’re only going to do one thing in this guide, do this: keep your software and devices up to date. This includes your router firmware, operating system software, apps, and software installed on your computer. Phone manufacturers have settings that automate this, so there’s no excuse for not taking this basic but essential step.
A general rule of thumb to follow with browser extensions, and software in general, is to uninstall it if you don’t need it. Malicious Browser extensions can steal login data. In the past, hackers have hijacked popular browser extensions and used them to steal cryptocurrency from victims. Keep this in mind if you have lots of extensions installed because each one is a potential risk if the developer loses control of their add-on.
Make sure that your firewall is enabled and configured correctly.
The Windows firewall should be enabled by default. Microsoft's settings menus are somewhat more confusing than Apple's, as there are multiple locations that each control the same thing. If you search for "firewall" in the search bar in the bottom left corner of Windows, there are two different menu locations. One is Firewall and Network Protection in system settings and the other points to the Windows Defender Firewall options in the control panel. Either of these will show whether the firewall is enabled or disabled.
Each time a user connects to a new network, Windows will prompt them to select whether it is a public or private network (home network or public wifi).
On Mac, click the Apple logo in the top left corner > System Preferences > Firewall. It should look like this:
If your system firewall is off, hit the button to turn it on.
Useful Security Tools
- The Malwarebytes extension is an amazing tool for novice users. It blocks advertisements, malware, and phishing links. It does not require any additional software on the operating system or a subscription for use.
- uBlock Origin is an excellent ad blocker for more technical users. It offers customizable blocklist subscriptions for trackers, malware, and advertisements, but in my experience, the malware and phishing protection offered by uBlock is inferior to that of the Malwarebytes extension. However, uBlock does do a better job of blocking ads.
- Hitman Pro is a popular third-party malware scanner that can scan a whole system in seconds without requiring a full installation or a subscription. Malwarebytes is another popular scanner, but it does require installation.
- Chrome has its own built-in malware scanner on Windows devices. To access it, click on the three dots in the top right corner of your browser window, then go to Settings > Advanced > Reset and cleanup > Find harmful software.
- iVerify is an app for iOS that scans for indicators of compromise and advises users on the best practices for maintaining iOS security. It also provides an additional notification for when operating system updates are available.
Additional tools for more technical users
In Process Explorer, the VirusTotal results for every running process are displayed in a column on the right side (turn the check on under Options > VirusTotal.com if the column is empty). Any obvious malware will be easy to spot, as it will have hits from VirusTotal's multi-engine scanner.
Pay extra attention to any weird running processes you might spot in Process Explorer; even if they don't have a malicious rating from VirusTotal, they could still be malware. If you see WScript or PowerShell running on your system, and you don't explicitly know why, have an expert look at your computer, because these are big indicators that the system is infected.
Autoruns displays a variety of relevant system information like autostart entries, installed drivers, scheduled tasks, running services — all of these are areas that malware uses to gain persistence on a system to survive a restart.
Like Process Explorer, Autoruns also has VirusTotal integration, so novice users can glance through the scan results to catch any obvious malware. I don't recommend manually modifying any of these entries unless you know what you're doing, as deleting something important is never a good thing.
GlassWire, TCPView, and Wireshark will give a glimpse into a computer's network activity. They display active connections and traffic to and from your computer. GlassWire is the easiest to parse, as it comes with an informative user interface and integrated VirusTotal scanning for unknown processes.
TCPView and Wireshark are more technical, but they're also free. Of these two, TCPView is the easier one to use.
Generally, malware can't send stolen login info anywhere unless it's connected to the internet, so watching network traffic is a great way to spot malicious activity on a system.
Objective-See Apps for OS X users
OS X has a set of useful security tools made by Objective-See. In some ways, they're even better than the ones from Sysinternals.
KnockKnock scans a system and reveals installed browser extensions, startup items, startup scripts, and kernel extensions. It also features VirusTotal integration for effective malware scanning.
Malicious browser extensions can also hijack login data, so KnockKnock's at-a-glance display of installed extensions across all browsers on a system is useful.
TaskExplorer shows the running processes on a Mac with VirusTotal scan results on the right-hand side.
Netiquette displays connections from third-party apps running on a system. It can also show connections to native Apple apps, but that setting needs to be manually enabled.
The most common crypto scam is the giveaway scam where a scammer will impersonate a public figure and advertise a crypto giveaway for users that send them funds. Never send anyone cryptocurrency with the promise of getting more in return. If you do, you’ll never see that money again.
I’ve seen these scams in paid YouTube ads, Twitter ads — we’ve even had a few from blue checkmarks that were mistakenly verified on Twitter. Every time, users lost funds. No one is going to give you free money.
Phishing and Man-in-the-middle attacks
If you hold cryptocurrency on an exchange, or you want to send crypto to an exchange, you may be vulnerable to Phishing or Man-in-the-Middle attacks.
Phishing is where an attacker, either using an email or a fake website, will try to trick a user into inputting personal information and login details. These phishing websites masquerade as legitimate websites like PayPal, Coinbase, or any other popular financial or cryptocurrency website.
A man-in-the-middle attack is when an attacker inserts themselves between you and your destination website, so that they can relay and alter the traffic passing between you and the site.
How to stay safe:
Banking-related sites, exchanges, and online wallets use encryption to keep you safe. The easiest way to tell if a website is using encryption is to check for the little padlock next to the URL in your browser. A site using valid encryption on Google’s Chrome will look like this:
If you visit Coinbase or any other exchange, and you don’t see an icon that looks like this, leave the website, as it means your traffic is not being encrypted.
Phishing websites can sometimes have valid encryption certificates, so the simple visual indicator above might not protect you. Most of these will have been issued for the wrong name. You can see the name a certificate was issued for by clicking on the padlock next to the URL > Certificate > the Details tab, where you should see this:
If you visit Coinbase, and see a certificate with a URL that isn’t for coinbase.com under “CN =” leave immediately.
You don’t need to be this vigilant with every website you visit. The consequences of someone grabbing your Reddit password won’t be as severe as your Coinbase account. But you should try and familiarize yourself with the way your exchanges look. Pay attention to the certificate issuer if you’re particularly concerned (these change from time to time). Familiarize yourself with the look of the website. Most phishing pages are not direct one-to-one copies. They often look different and have odd grammar and spelling errors.
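The name check behind the padlock can be written down precisely. Below is an added example (not from the original post) that applies a browser's matching rules to a certificate as Python's `ssl` module reports it: the `subjectAltName` DNS entries are what modern browsers compare against the host, and the `CN =` field the post mentions is only consulted as a fallback when no SAN is present. Both certificates and the `example-exchange.com` names are constructed.

```python
# Added example: hostname matching (RFC 6125 rules) over a certificate in the
# dict layout returned by ssl.SSLSocket.getpeercert(). SAN first, CN fallback.
import socket
import ssl


def _name_matches(pattern, host):
    """Match one certificate DNS name against the visited host, wildcards included."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard may only be the whole left-most label, and must leave two fixed labels.
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_issued_for(cert, host):
    """True if the certificate names `host`: SAN DNS entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(_name_matches(s, host) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(c, host) for c in cns)


# Constructed: roughly what a legitimate exchange's certificate looks like.
GOOD_CERT = {
    "subject": ((("commonName", "www.example-exchange.com"),),),
    "subjectAltName": (("DNS", "www.example-exchange.com"),
                       ("DNS", "example-exchange.com")),
    "issuer": ((("organizationName", "Example CA"),),),
}
# Constructed: a look-alike site holding a perfectly valid cert for the wrong name.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "example-exchange.com.login-verify.example"),),),
    "subjectAltName": (("DNS", "example-exchange.com.login-verify.example"),),
    "issuer": ((("organizationName", "Example CA"),),),
}


def fetch_and_check(host, port=443):
    """Live variant: ssl verifies the chain, then the same name check runs on the result."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED; name check done below
    with ctx.wrap_socket(socket.create_connection((host, port)),
                         server_hostname=host) as s:
        return cert_issued_for(s.getpeercert(), host)
```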
Additional ways to protect yourself:
If you’re traveling or on public Wi-Fi, use a trusted VPN.
Keep a bookmark of your cryptocurrency exchange or memorize the URL. Never enter login details from a link you’ve clicked from an email, instant message, or from another website.