I’m sure you’ve seen people saying “That’s how you get hacked!” or “Do ____ so you won’t get hacked.” The list of ways to get hacked in crypto is endless but there are some not-so-common sense measures to prevent getting hacked in crypto.
Let's (not) Get Hacked:
- Not Turning On Two Factor Authentication (2FA)
- Using SMS based 2FA
- Publicly Disclosing Portfolio Value
- Publicly Disclosing Email
- Using an Email Multiple Places
- Using a Password Multiple Places
- Clicking Links in Your Email
- Clicking Links in Slack
- Clicking Google Ad Links
- Clicking Links in Chat Groups
- Showing Private Keys
- Using a Public Network
- Using a Compromised Network
- Using a Compromised Device
- Using a Web Wallet
- Using a Simple Password
- Not Whitelisting IPs
- Allowing Physical Access to Wallets
- Allowing Physical Access to Devices
- Replying to “Customer Service” Emails
- Keeping Crypto on Exchange
Two-Factor Authentication Explained
Two-Factor Authentication (2FA) confirms you are the user you say you are, twice. The first confirmation is your password. The second is a code delivered somewhere only you should have access to. Variations of 2FA deliver that code through an app, SMS, or your email, and these methods are not created equal. I recommend using Google Authenticator, or next best, Authy for 2FA. SMS is vulnerable because it can be compromised through the various service providers that carry it. If your email address is compromised, then having a confirmation sent there is no security at all. I recommend securing your email with 2FA as well.
Publicly Disclosing… Anything
It’s great to be a vocal cryptocurrency enthusiast. It isn’t great to make yourself a target by disclosing the value of your portfolio. If I were a hacker I’d much rather target someone with a large balance than a few spare satoshis.
Don’t click on anything unless you know specifically what it is for. Don’t disclose an email you use for crypto logins. Don’t use your regular email for crypto logins. Don’t use your exchange emails on ICO lists, forums, or anywhere else. Use a different, complex password for every account. Enable 2FA on anything that offers it.
The best passwords are sentence length with letters, numbers, and special characters. Even better if it looks like a private key because it’s that complex. Don’t use the same password in two or more places. Change passwords regularly and don’t share them with anyone.
Links, Links, and More Links
Don’t click on links that are sent to you. Don’t click on links in Slack, your email, Google Search, or anywhere else. Find the legitimate site, bookmark it, and never leave it to chance again. Don’t click links. Just don’t. MyEtherWallet does not need you to click that link, I promise. Neither does the ICO, the exchange, or any other company.
Playing Loosey Goosey with Private Keys
Accidentally exposing private keys is the easiest way to get hacked. Some have done it on video, others in pictures. If you are doing a how-to or talking about crypto on video, use a dummy account made specifically for that purpose and wallets created for the same purpose. Keep your real info away from anything that can record.
Networks and Devices
If you use a device or network that is public or compromised, then you’re putting your information at risk. Keep your device and any devices on your networks secure, scanned regularly, and free from risky behavior. A good bit of advice I saw in a crypto Facebook group once: “Keep your porn and crypto separate”. There are many ways to accomplish this security: different programs, different strategies, operating systems, devices, and more. That is more than I can cover in this post, so look out for a post from me on device and network security soon. The basics are to keep your device and any devices on your secured network malware/virus free and to keep access to your device and network limited. Many ISPs also offer the ability to set up a separate guest network, so you don’t give out your Wi-Fi password or allow access to your phone, tablet, smart watch, or computer. Every device on your network is an entry point, baby monitors and smart appliances included.
Cold Storage is an offline storage method. There are a few ways to accomplish cold storage. Paper wallets, hardware wallets, a device without internet connection, encrypted flash drives… The two most popular are paper wallets and hardware wallets both of which can be vulnerable if physically accessed. Restrict physical access to anything that can access your wallets, emails, or exchange accounts.
Unsolicited “Customer Service”
Crypto companies have TERRIBLE customer service. They are likely never going to contact you without you harassing them. Don’t reply to unsolicited customer service. “Urgent security issue”? “Password Update required?” Close the email without clicking anything or replying. Go to your bookmarked exchange link and change your email ASAP. Consider moving balances to cold storage while you get new information set up. If really in need of customer service, follow the steps on the website, but expect to harass them with your request number on social media, complete with shaming.
Exchanges in Crypto are a Weak Point
Exchange-level hacks and exchange exit scams are enough of a risk that it is recommended to keep your crypto offline unless you’re actively trading. The best options, in order, are: cold storage, device wallet, web wallet, exchange wallet. In crypto, whoever has the private keys has the crypto. You don’t have the private keys on an exchange, so you don’t really have your crypto.
In crypto, you are your own bank. There are many ways to get hacked in crypto, but it’s fairly straightforward to keep your crypto safe. The basics are covered here, but I will be following up with some more detailed security focused posts in the near future. Keep your keys safe and your crypto in places you control and have secured.