Staying up to date with security best practices is vital as a cryptocurrency investor, trader or user. This guide will help you learn how to minimize the risk associated with using cryptocurrency websites, exchanges, and services.
If you are a public figure involved in cryptocurrency, the importance of following proper security practices is even more critical. You should consider yourself an active target for hackers. Many vloggers, bloggers, hedge fund managers and other individuals who have spoken or written publicly about cryptocurrency have had funds stolen, or at the very least, thefts have been attempted. This, however, is not a reason to slack if you’re not a public figure: there are numerous ways bad actors can find crypto holders and choose a mark, and it’s not exclusive to those in the spotlight.
The accounts you set up and use for cryptocurrency related matters are a potential security concern. Bad actors can use information found via these accounts to home in on the identity of the person behind them.
For example, let’s imagine you always use the username “crazy_crypto_fiend.” Even if your e-mail address is not visible on a target website, an attacker can search for your username on other sites, which might publicly display their users’ e-mail addresses, and locate yours. Once they have your e-mail from this third-party website (perhaps one with lower security standards), they can use it as a starting point to get into your accounts on crypto exchanges.
Let’s look at the options for remaining as anonymous as possible when creating accounts on any website or platform:
No one cares how much you love it; drop it. Start using random usernames for accounts on websites, social media and, in particular, crypto-related sites. As mentioned above, your username can be used as an attack vector if it’s plastered all over the internet, so make sure you are using unique usernames for every website or service.
This should go without saying. Do not re-use passwords across multiple websites. There are regular database dumps of usernames, e-mails, passwords and personal data made available to hackers, sometimes from prominent sites such as Yahoo. Use a long password which contains numbers, uppercase letters, lowercase letters, and punctuation. The length is extremely important, so use passwords that are as long as possible. It would take considerably longer for a hacker to brute-force a thirty-letter password than a five-letter password. Your password manager should have an option to generate and store these passwords for you; more on password managers further down.
Crypto-Specific E-Mail Address
Use an e-mail address specific to your crypto dealings. This way, it is harder for attackers to locate your e-mail address from social accounts, database dumps and through other means. Don’t include your name in your crypto e-mail address, something generic would be much more secure.
Stay Informed of Hacks & Dumps
Knowing when your e-mail, username, password, or personal data has been compromised is useful when trying to keep your online identity secure. Sign up with Have I Been Pwned to receive notifications when your information is contained within a dump. It’s advisable to sign up with both your personal e-mail and your crypto-specific e-mail.
2 Password Managers
Wondering how on earth you are going to remember multiple random, long, and unique passwords? Have no fear; password managers are here. A password manager allows you to sign in with a single password and then automatically fill passwords on other sites from an encrypted database. You can view some of the available password managers here. The issue here is that you have a single password as a point of failure. If your password manager’s password is compromised, everything is compromised. To further secure your password manager you must set up 2-factor authentication on it.
3 Two-Factor Authentication
The 2FA software runs on a mobile device and can be downloaded from the Google Play Store or the Apple App Store, depending on your handset. Never download apps from a third-party website. Avoid using SMS as 2FA at all costs. Your telco could unknowingly port your phone number to a hacker’s SIM, which would allow them to take over your accounts. More on this later.
There are pros and cons for each of these 2FA options. Google Authenticator is more secure out of the box, but Authy can be backed up to multiple devices, which means you are not locked out of accounts should you lose your primary handset. I’ll explain how to secure Authy so that you have the benefit of multi-device backup without the security flaws that can be present in some configurations. You will need a backup device to install Authy on, too.
- Install the Authy app on your main handset
- Add 2FA to your chosen websites using the Authy app
- In the settings on your main handset, allow multi-device
- Install the Authy app on your backup device
- Check that your accounts have synced across both devices
- In the settings on your main handset, turn off multi-device
- Set up a PIN for the Authy app on both devices
Now both devices will sync, but further devices cannot be added to sync. This means that if an attacker were to compromise your mobile number (it happens much more than you might think), they will not be able to add Authy to their device and sync your accounts.
If you choose to use Google Authenticator, you will be required to print and store backup codes for each website you decide to add.
Secure Your Accounts
Now that you have 2FA set up, you need to secure your accounts. It’s best practice to secure everything that allows it. Most decent websites support 2FA these days, so get it enabled. Here’s a list to get you started; securing all of the below is extremely IMPORTANT:
- Add 2FA to your password manager
- Add 2FA to your Google account(s)
- Add 2FA to your e-mail accounts
- Add 2FA to your crypto exchange accounts
- Add 2FA everywhere else you can
4 Mobile Phones
Your mobile phone is a weakness in your security armor. Hackers regularly trick telcos into porting their victims’ numbers to their own SIM cards by simply calling up and playing dumb. They may also have obtained personal details about you from a dump, hack, social network or some other means, which gives them extra sway with your telco when they’re trying to pass themselves off as you. This is the main reason it is a bad idea to use SMS as a 2FA option.
There are some steps you can take to secure your mobile account, but sometimes these options may not be available; it depends on your telco. It’s advisable to do as many of the below as possible to secure your account:
- Set up an account PIN
- Ensure this PIN must be used to talk to a representative or make any changes at all on your account
- Memorize your PIN
- Ask your telco what would happen if you forget your PIN and ensure it is secure
- Use a telco specific e-mail address for your account (similar method as using a crypto-specific e-mail)
5 Think Like a Nasty Hacker
If you were a career hacker, whose income revolved around finding and exploiting information relating to a person, e-mail account, or phone number, what lengths would you go to? The answer is probably “any,” and this is why you need to put yourself in a hacker’s shoes to make sure you are secure.
Being security aware is more of a mindset than a method, but the following steps should get you started thinking like a hacker:
- Dox yourself – use Google, social media and other resources to try to find your personal information online.
- Do the above for names, addresses, e-mails, phone numbers and any other personal information you can think of.
There are many ways a hacker can infiltrate your online identity, and it’s important to stay in the mindset that it could, and might, happen to you.
I’ll leave you with the eeriest example:
The photos on your mobile phone may contain EXIF data. This data includes the make and model of your phone, the software version (hacker jackpot), the date and time you took the photo and the GPS coordinates of where you took the photo (amongst other things). Yes, you heard me right: your uploaded photos could give a hacker or thief pinpoint directions to your house, bedroom or office. Scary, right?
Luckily, most major social networks strip this data away from uploaded images, but there are plenty of smaller sites, blogs, and services that don’t. Something as simple as uploading a photo could lead a hacker to your address. If this doesn’t drive the importance of OPSEC and good security practices home, then I don’t know what will.
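As an added example (not code from the original article), here is a small Python checker you can run over a photo before uploading it: it walks the JPEG marker segments, reports whether the Exif block carries a GPS sub-IFD pointer or a software/firmware version tag, and returns a copy with the Exif segment removed. The sample image is constructed inline; real photos may also carry XMP or IPTC metadata in other segments, which this check does not inspect.

```python
import struct

GPS_IFD_TAG = 0x8825   # IFD0 pointer to the GPS sub-IFD (coordinates live there)
SOFTWARE_TAG = 0x0131  # firmware / software version string
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))  # markers with no length field


def jpeg_segments(data):
    """Yield (marker, start, end) for each marker segment up to the start of scan."""
    pos = 0
    while pos + 1 < len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = 0 if marker in STANDALONE else struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded data follows, stop walking
            return


def exif_tags(payload):
    """Return the set of tag ids in IFD0 of an Exif APP1 payload (II or MM byte order)."""
    tiff = payload[6:]  # skip the "Exif\0\0" identifier
    e = "<" if tiff[:2] == b"II" else ">"
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
    return {struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            for i in range(count)}


def audit_and_strip(data):
    """Report whether the JPEG carries GPS/software metadata; return a copy without Exif."""
    tags, keep, last_end = set(), bytearray(), 0
    for marker, start, end in jpeg_segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == b"Exif\x00\x00":
            tags |= exif_tags(data[start + 4:end])
            keep += data[last_end:start]  # copy everything before the Exif segment, then skip it
            last_end = end
    keep += data[last_end:]
    return {"gps": GPS_IFD_TAG in tags, "software": SOFTWARE_TAG in tags}, bytes(keep)


def build_sample_jpeg():
    """Constructed minimal JPEG: SOI, Exif APP1 whose IFD0 has Software + GPSInfo, SOS, EOI."""
    entries = [struct.pack("<HHII", SOFTWARE_TAG, 2, 4, 38),  # ASCII "1.0\0" stored at offset 38
               struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 42)]   # LONG pointer to GPS IFD at 42
    ifd0 = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + b"1.0\x00" + struct.pack("<H", 0)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    scan = b"\xff\xda" + struct.pack(">H", 2) + b"\x00\x01\x02"  # stand-in for entropy-coded data
    return b"\xff\xd8" + app1 + scan + b"\xff\xd9"
```

Running `audit_and_strip(open("photo.jpg", "rb").read())` on a real file tells you whether a GPS block is present and gives you bytes safe to write out as a stripped copy.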
Feel free to debate the methods discussed in this article below. If I’ve missed anything, please let me know.