Security best practice
What you'll learn
- You are ultimately responsible for your crypto
- Things to protect against: accidental loss & theft
- Best practice & sleeping soundly at night
If you’ve reached this stage in our series of articles on how to use cryptocurrency, you’ll have invested considerable time and hopefully some of your money; putting into practice what you’ve learned and owning crypto of your own.
All that effort and potential value will be wasted if you don’t know how to protect your cryptocurrency from loss or theft, which is what this article will now explain.
Returning To The Concept of Custody
If you read the first article in this section you’ll be familiar with the concept of custody, which is central to cryptocurrency ownership. Custody refers to how you manage responsibility for the one critical piece of information that enables control of your crypto - a Private Key or Seed.
As cryptocurrency works without a central authority like a bank, possession is ownership, and it simply boils down to one of the most important ideas you can learn: ‘Not your keys, not your coins’.
Custody simply refers to the two options for ultimate responsibility for those keys; you can assume full responsibility yourself, or trust someone else to look after them.
- Look after crypto yourself - non-custodial
- Trust someone else to look after your crypto - Use a custodial service
It is up to you to decide which option is best for you, understanding the threats of loss and theft specific to the two options - Custodial & Non-Custodial.
Your decision will also depend on how much crypto you own, which in turn will relate to the severity of the potential risks to its security.
| Threat | Relevant to Custodial or Non-Custodial |
| --- | --- |
| Loss of data/access details | Both |
| Phishing | Both |
| Brute Force Attack | Custodial |
| SMS Hijacking | Custodial |
| DNS Spoofing | Both |
| In person attack | Non-Custodial |
Loss of data/access details
If you decide to let an exchange or mobile wallet take custody of your crypto, the most obvious point of failure is forgetting the details that enable you to access that service.
In the first instance this means your Username and Password, which you should take appropriate action to make strong and unique and to save securely. If you save those credentials through another service, such as your Google account or LastPass, that in turn becomes a point of weakness.
Further to this, access to your email address is generally required to approve key actions, such as approving withdrawals or setting up other security features, so take care to remember those access details too; they are another crucial layer of access.
If you take the non-custodial option - the DIY approach - the loss of access details will relate directly to your Private Keys or Seed. If you haven’t heard of him already, James Howells provides one of the most extreme examples of this, highlighted in our blog story on lost bitcoin fortunes.
Always back-up your Private Keys or Seed - obviously taking appropriate security measures and storing in a separate location, preferably offline. Don’t use something perishable, like paper, or anything corruptible.
If you use a Hard Wallet (more on wallets in general here) you’ll likely have several layers of security and weakness: credentials for a dashboard service (e.g. Ledger Live), a PIN to access the device, and the Seed. Of those, the Seed is the most crucial: if all else fails, that is what will enable you to recover your coins.
The ultimate solution to protect your seed is to engrave the phrases into metal that is corrosion, heat and pressure resistant. Renowned Bitcoin evangelist, Jameson Lopp, has created an amazing review of the best metal seed storage engraving options.
Of course you then need to store that metal engraving somewhere safe, illustrating that the buck (or Bitcoin) has to stop somewhere.
Phishing
Guarding against phishing should be something that you are already wary of when using any online service. It refers to attempts to trick you into downloading malicious software which can then compromise your computer, or into visiting spoofed sites which will then harvest your details and access your funds/data.
This is particularly relevant for custodial services, for which phishing emails and fake websites are very common, but non-custodial options aren’t immune.
Ledger, the maker of a popular hard wallet, had a database of customer details hacked in July 2020, including email addresses. Those customers then became targets for phishing.
Equally, browser-based services are often targeted with fake websites, which then trick users into downloading malware or harvesting their details.
To guard against email phishing:
- Use an encrypted email service like Protonmail and use it only for important services
- If you're unsure whether an email is authentic, check the actual sending address rather than just the visible sending name; this is usually a giveaway
- Authentic services will often refer to you by name; phishing emails don’t
- The content of Phishing emails is often poorly written or formatted
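The second bullet above is the one check that can be automated: separate the free-text display name from the real sending address and compare the address domain against the domains the service actually uses. This is an added illustration, not code from the original article; `exchange.example` and the sample headers are constructed, and the trusted-domain list is an assumption you would fill in from the service's own help pages.

```python
from email.utils import parseaddr

# Constructed: the domain(s) the service you use genuinely sends from.
TRUSTED_DOMAINS = {"exchange.example"}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_trusted_domain(domain: str, trusted: set) -> bool:
    """True only for a trusted domain or a genuine subdomain of one:
    'mail.exchange.example' passes, 'exchange.example.attacker.test' does not."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def inspect_from_header(from_header: str, trusted: set = TRUSTED_DOMAINS) -> dict:
    """Split a From: header into the visible name and the real address, and flag
    headers whose name borrows a trusted brand that the address does not back up."""
    name, address = parseaddr(from_header)
    domain = sender_domain(address)
    trusted_addr = is_trusted_domain(domain, trusted)
    # The display name is chosen freely by the sender, so a brand name there
    # (crudely: the first label of a trusted domain) proves nothing by itself.
    brand_in_name = any(t.split(".")[0] in name.lower() for t in trusted)
    return {
        "display_name": name,
        "address": address,
        "domain": domain,
        "trusted": trusted_addr,
        "suspicious": brand_in_name and not trusted_addr,
    }


# Constructed sample headers: one genuine, then three common phishing shapes
# (lookalike domain, trusted domain used as a subdomain, brand in the local part).
SAMPLES = [
    "Exchange Support <support@exchange.example>",
    "Exchange Support <support@exchange-example.com>",
    '"support@exchange.example" <noreply@exchange.example.attacker.test>',
    "Exchange <exchange.example@mailer.attacker.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        result = inspect_from_header(header)
        print("SUSPICIOUS" if result["suspicious"] else "ok        ", header)
```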
Brute Force Attack
It's one of the oldest and most obvious techniques for trying to steal someone’s password: running software that churns through password options. This can be used in conjunction with information known about the user from OSINT - Open Source Intelligence.
The best way to mitigate this kind of threat is to use two-factor authentication (2FA), a secondary layer of access detail from a separate source, normally your mobile phone.
Any decent exchange will either enforce or strongly encourage the use of 2FA, but it is important to avoid using text for 2FA, as the next subject explains.
The two most common 2FA providers are Google Authenticator or Authy.
SMS Hijacking
Having just encouraged the use of 2FA as standard for custodial services, we now have to warn that choosing SMS as the 2FA can create a serious vulnerability via SMS hijacking.
If attackers know your mobile number and provider, and have harvested personal information from OSINT, they can impersonate you with your Mobile Service Provider and request a replacement SIM be sent to them.
This gives them access to the 2FA code, which would be used in conjunction with a brute force attack.
The solution is to always use an App based 2FA like Google Authenticator or Authy. The device running the App does then itself become a point of weakness, as anyone who has lost their phone will appreciate.
This can be avoided by storing your 2FA backup codes, provided when you set 2FA up. Without the 2FA backup, getting 2FA reset requires you to go through a laborious process of recording a selfie/video with some ID and a hand-written note.
Google updated Authenticator in May 2020, the first update in three years, making it simple to export/import 2FA codes, which is welcome, but doesn’t help if you lose your phone or it dies.
DNS Spoofing
In November 2020 popular crypto service Celsius was the victim of a DNS attack, which involved an attacker convincing their DNS provider - GoDaddy - to essentially change the site that is served behind their App.
This is difficult to mitigate, other than by being vigilant, or, in the case of Celsius, judging the safety of a service by how seriously they treat their DNS set-up.
In-Person Attack
We’ve left this one to last because it should only be a concern if you have a really significant amount of crypto. There have, on rare occasions, been instances where individuals known to possess large amounts of cryptocurrency have been kidnapped/extorted to give access to their funds.
As the Ledger attack mentioned above leaked the postal addresses of customers, there was a lot of talk on social media about this danger from irate customers. There have, however, been no actual reported instances of in-person attack, as it is much riskier than the online options listed.
Though this risk exists in any circumstance where portable wealth is concerned - expensive watches, jewelry and collectibles - crypto is a specific target because it is hard to insure and can be hard to trace/recover.
If this is something that concerns you, in the first instance don't publicise the fact that you own crypto, which includes anywhere online or with anyone you don't explicitly trust.
You should also think about something called Multi-Signature, which essentially requires more than one person to approve a crypto transaction.
This gives plausible deniability. Check out keys.casa for a cost-effective multi-sig security service.
Learning about, and investing in crypto can be a hugely liberating experience. It is an expression of financial sovereignty, but if you are cutting an authority - like a bank - out of your financial life, you become ultimately responsible, so need to at least be aware of the best practice for keeping your crypto safe and ensuring you sleep easy at night.