Simple ways to protect your crypto

Learn Crypto May 19 · 4 min read
  • Lessons from the Ledger Hack
  • Have I been pwned?
  • Heavy Metal Approaches To Securing Your Seed

Owning cryptocurrency can be both profitable and empowering, but with great power comes great responsibility. And when it comes to taking care of security, there are very simple ideas that you may not have considered and some you definitely should have.

Lessons from the Ledger Hack

Using a hard wallet is a great way to keep your crypto offline and secure. We explained all about wallet functions in our knowledge base, so what we’re going to talk about here are some interesting security tricks you may not have considered, inspired by a recent, high-profile data hack.

The hard wallet market is dominated by two providers - Trezor and Ledger. Both produce solid and secure products which have sold several hundred thousand units. Unfortunately, Ledger’s data security didn’t match their product design.

In July 2020 a database of customer information was hacked, which included both email addresses and postal addresses. To make matters worse, Ledger weren’t honest from the outset, which doubled the anger of those customers worried that they now had a target on their back from what are called in-person attacks.

272,000: the number of customer names, mailing addresses and phone numbers leaked in the Ledger hack

Though the risk is minimal - it would be irrational for an attacker to randomly work through a list of addresses in the hope they actually held a meaningful amount of crypto - it’s understandable that customers lost their minds.

Customers buying a Ledger would have rightfully thought they were improving their security, while overlooking the vulnerability they were creating in the process: sharing their home address. The fix for that is simple. If you're going to buy a hard wallet, have it delivered to a delivery box (PO box) address.

Yes, Ledger should never have held their customer data, but to avoid the risk, just don’t use your home address.

haveibeenpwned?

If you’re a Gmail user - which accounts for about 43% of email addresses - you might have noticed a notification.

Google is giving you a heads-up when any of your passwords have been found as part of a recent data breach. This is important because most people re-use passwords, so if you do this buying crypto from an exchange, your account is vulnerable.


There are other services that can tell you if your email address is part of a data dump; the best known is HaveIBeenPwned.

So the pro-tip here is to check email addresses used for important crypto services against known hacks. Better still, 

  • Don’t re-use passwords
  • Use the strong passwords your browser or password manager suggests
  • Use pass-phrases
  • Always use app-based 2FA
  • Create a specific email address just for crypto - ideally Protonmail
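Checking a password against a breach corpus is worth doing before you use it on an exchange, and it can be done without ever sending the password anywhere. The following is an added example written for this post, not code from the original page or from Have I Been Pwned: it implements the k-anonymity scheme of the HIBP Pwned Passwords API (SHA-1 the password, send only the first five hex characters of the hash, match the rest locally against the returned `SUFFIX:COUNT` lines). The sample API response embedded below is constructed for the demonstration (the hash suffixes other than the one for "password" and all the counts are made up), so the check runs offline; the `fetch_range_live` helper is an assumed convenience wrapper around the public endpoint.

```python
"""
Breach check for passwords using the HIBP "Pwned Passwords" k-anonymity
range API. Only a 5-character SHA-1 prefix ever leaves the machine; the
full hash is matched locally against the returned suffix list.
"""
import hashlib
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    sent to the API and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines (CRLF or LF, blank lines ignored)
    into a {suffix: count} mapping."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    fetch_range is injected so the logic can be tested without network access."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Assumed helper: query the real endpoint for one 5-char prefix.
    Only the prefix is transmitted, never the password or its full hash."""
    import urllib.request  # imported here so the offline demo needs no network
    with urllib.request.urlopen(RANGE_URL + prefix) as resp:
        return resp.read().decode("utf-8")


# CONSTRUCTED sample response for prefix 5BAA6 (SHA-1("password") starts
# with 5BAA6). The middle line's suffix is the real remainder of that hash;
# the other suffixes and every count are made up for the demonstration.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range_live that serves the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, offline_fetch)
        verdict = f"seen {n} times in breaches" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Swap `offline_fetch` for `fetch_range_live` to query the real service; either way the password itself never leaves the machine, which is why this kind of check is safe to run on credentials you actually use.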

Heavy Metal Approaches To Securing Your Seed

If you’re reading this you should be aware of the greatest Bitcoin maxim ‘Not your keys, not your coins’. The difficulty with taking responsibility for your keys is that you cannot realistically memorise the 64 characters that are the key to every address you hold.

Luckily modern wallets generate all private keys from one Seed Phrase, but trusting yourself to remember 24 words is also a huge feat unless you are a memory specialist. So somehow/somewhere, you need a copy of your Seed Phrase.

What you are looking for is something that is extremely durable, offline (so it cannot be attacked remotely) and easy to store securely. The solution that hardcore Bitcoiners recommend is in complete contrast to the hi-tech nature of crypto - sheet metal.

Luckily you don’t need to train as a blacksmith to create a solid metal version of your all-important Seed Phrase(s), as easy-to-use kits are available online. Even better, one of Bitcoin’s most respected advocates - Jameson Lopp - has created a guide to the best value options from a surprisingly large list of suppliers out there.

So for less than €40 you can sleep easy knowing your Seed Phrase is safe, carved in solid steel; you just need somewhere safe to put it.

2FA Is Your Friend

If you are getting into crypto then two-factor authentication should be your best friend. Not the SMS variety, but an app like Google Authenticator or Authy. This adds a second layer of protection should your email/password be compromised.

The issue with the SMS approach is that text-message codes are vulnerable to SIM swap attacks. However, 2FA via an app does have its own issues: you must remember to store your back-up codes, otherwise if you lose your phone you are in for some painful exchanges with customer support proving your identity.

Use Unique Email Addresses & Passwords

One of the biggest beginner mistakes in crypto is to re-use email addresses and passwords. This greatly increases the attack surface for your crypto, because some random site you signed up to - for a reason that probably escapes you - can easily get hacked, exposing the credentials for something altogether more important.

For this reason, try using unique email addresses and passwords for each service. It may feel like an inconvenience, but a password manager - such as LastPass or the one built into your Google account - makes it painless and reduces the risk that one compromised site knocks out all your accounts at once.

To learn more about security threats and best practice in crypto head to our knowledge base.