Staying up to date with security best practices is vital as a cryptocurrency investor, trader or user. This guide will help you learn how to minimize the risk associated with using cryptocurrency websites, exchanges, and services.
If you are a public figure involved in cryptocurrency, following proper security practices is even more critical: you should consider yourself an active target for hackers. Many vloggers, bloggers, hedge fund managers and other individuals who have spoken or written publicly about cryptocurrency have had funds stolen, or at the very least have had thefts attempted. This is not a reason to slack off if you’re not a public figure, however. There are numerous ways bad actors can find crypto holders and choose a mark; it’s not exclusive to those in the spotlight.
1 Accounts
Let’s imagine, for example, that you always use the username “crazy_crypto_fiend.” Even if your e-mail address is not visible on the website an attacker is targeting, they can search for your username on other sites, some of which publicly display their users’ e-mail addresses, and locate yours. Once they have your e-mail from that third-party website (perhaps one with lower security standards), they can use it as a starting point to get into your accounts on crypto exchanges.
Let’s look at the options for remaining as anonymous as possible when creating accounts on any website or platform:
Unique Usernames
No one cares how much you love it; drop it. Start using random usernames for accounts on websites, social media and, in particular, crypto-related sites. As mentioned above, a username that is plastered all over the internet becomes an attack vector, so make sure you use a unique username for every website or service.
Random Passwords
This should go without saying: do not re-use passwords across multiple websites. Database dumps of usernames, e-mails, passwords and personal data are regularly made available to hackers, sometimes from prominent sites such as Yahoo. Use a long password that contains numbers, uppercase letters, lowercase letters and punctuation. Length is extremely important, so use passwords that are as long as possible; it would take considerably longer for a hacker to brute-force a thirty-character password than a five-character one. Your password manager should have an option to generate and store these passwords for you (more on password managers further down).
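To put numbers on the length argument, here is an added example (not code from the original article) that generates a password the way a password manager does, from the operating system’s cryptographic random source, and estimates how entropy and brute-force time scale with length. The guess rate of 10^12 per second is an assumed figure for an offline attack against a leaked hash, not a measurement.

```python
import math
import secrets
import string

# Character classes the guide recommends mixing; the pool size sets the entropy per character.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
POOL = "".join(CLASSES)


def generate_password(length=30):
    """Generate a password from the OS CSPRNG via `secrets` (never the `random` module),
    guaranteeing at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    chars = [secrets.choice(cls) for cls in CLASSES]               # one of each class
    chars += [secrets.choice(POOL) for _ in range(length - len(chars))]
    # Shuffle with a CSPRNG-backed generator so the guaranteed characters do not
    # always occupy the first positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def has_all_classes(password):
    """True when the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def entropy_bits(length, pool_size=len(POOL)):
    """Entropy of a uniformly random password: length * log2(pool_size).
    It grows linearly with length, which is why length beats clever substitutions."""
    return length * math.log2(pool_size)


def brute_force_years(bits, guesses_per_second=1e12):
    """Expected years to search half the keyspace at the given guess rate
    (1e12 guesses/s is an assumed, generous offline cracking rate)."""
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)
```

With the 94-character pool, five characters give roughly 33 bits (cracked in milliseconds at the assumed rate) while thirty characters give roughly 197 bits, far beyond any feasible search; the composition rules add little compared with the extra length.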
Crypto-Specific E-Mail Address
Use an e-mail address specific to your crypto dealings. This way, it is harder for attackers to locate your e-mail address through social accounts, database dumps and other means. Don’t include your name in your crypto e-mail address; a generic address is much harder to link back to you.
Stay Informed About Hacks & Dumps
Knowing when your e-mail, username, password or personal data has been compromised is essential to keeping your online identity secure. Sign up with Have I Been Pwned to receive a notification whenever your information appears in a dump. It’s advisable to sign up with both your personal e-mail and your crypto-specific e-mail.
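Besides e-mail notifications, Have I Been Pwned also publishes the passwords found in dumps through its Pwned Passwords range API, which is queried by a hash prefix so the password itself never leaves your machine. The following is an added example (not code from the article or from the service) showing how that k-anonymity check works; the sample response body is constructed for this example, and its counts are made up, so the network call is only used when you pass no `fetch` override.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{}"


def hash_prefix_suffix(password):
    """SHA-1 the password; only the first 5 hex characters are ever sent to the service,
    the remaining 35 stay local (this is the k-anonymity part of the scheme)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, timeout=10):
    """Download every known suffix for a 5-character prefix, one `SUFFIX:COUNT` per line.
    Add-Padding asks the service to pad the response so its size does not hint at the prefix."""
    req = urllib.request.Request(
        PWNED_RANGE_URL.format(prefix),
        headers={"User-Agent": "pwned-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def count_in_range(body, suffix):
    """Look our suffix up in the downloaded range; return its breach count, or 0 if absent.
    Padding entries carry a count of 0 and never match a real suffix."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        listed, count = line.split(":", 1)
        if listed.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password, fetch=fetch_range):
    """Number of times the password appears in known dumps. `fetch` is injectable so the
    check can run against a saved or constructed response without network access."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(fetch(prefix), suffix)


# Constructed response for prefix 5BAA6, the prefix of SHA-1("password"). The other
# suffixes and every count below are invented for this example, not real service output.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "00000000000000000000000000000000001:0",      # padding-style entry
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # suffix of "password", constructed count
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2",
])


def offline_demo():
    """Run the check for "password" against the constructed response; returns (prefix, count)."""
    prefix, _ = hash_prefix_suffix("password")
    return prefix, pwned_count("password", fetch=lambda p: SAMPLE_RANGE_5BAA6)
```

A non-zero count means the password is already in attackers’ wordlists and should be replaced, regardless of how long or complex it looks.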
2 Password Managers
3 Two-Factor Authentication
The Options
2FA apps run on a mobile device and can be downloaded from the Google Play Store or the Apple App Store, depending on your handset. Never download apps from a third-party website. Avoid using SMS as 2FA at all costs: your telco could unknowingly port your phone number to a hacker’s SIM, which would allow them to take over your accounts. More on this later.
There are pros and cons to each of these 2FA options. Google Authenticator is more secure out of the box, but Authy can be backed up to multiple devices, which means you are not locked out of your accounts should you lose your primary handset. I’ll explain how to secure Authy so that you get the benefit of multi-device backup without the security flaws that can be present in some configurations. You will need a backup device to install Authy on, too.
- Install the Authy app on your main handset
- Add 2FA to your chosen websites using the Authy app
- In the settings on your main handset, allow multi-device
- Install the Authy app on your backup device
- Check that your accounts have synced across both devices
- In the settings on your main handset, turn off multi-device
- Set up a PIN for the Authy app on both devices
Now both devices will sync, but further devices cannot be added. This means that if an attacker were to compromise your mobile number (it happens much more often than you might think), they would not be able to add Authy to their own device and sync your accounts.
If you choose to use Google Authenticator, you will be required to print and store backup codes for each website you decide to add.
Secure Your Accounts
Now that you have 2FA set up, you need to secure your accounts. It’s best practice to secure everything that allows it. Most decent websites support 2FA these days, so get it enabled. Here’s a list to get you started; securing all of the below is extremely IMPORTANT:
- Add 2FA to your password manager
- Add 2FA to your Google account(s)
- Add 2FA to your e-mail accounts
- Add 2FA to your crypto exchange accounts
- Add 2FA everywhere else you can
4 Mobile Phones
There are some steps you can take to secure your mobile account, but which options are available depends on your telco. It’s advisable to do as many of the below as possible:
- Set up an account PIN
- Ensure this PIN must be provided to talk to a representative or make any change at all to your account
- Memorize your PIN
- Ask your telco what would happen if you forgot your PIN, and make sure the recovery process is secure
- Use a telco specific e-mail address for your account (similar method as using a crypto-specific e-mail)
5 Think Like a Nasty Hacker
Being security aware is more of a mindset than a method, but the following steps should get you started thinking like a hacker:
- Dox yourself – use Google, social media and other resources to try to find your personal information online.
- Do the above for names, addresses, e-mails, phone numbers and any other personal information you can think of.
There are many ways a hacker can infiltrate your online identity, and it’s important to stay in the mindset that it could, and might, happen to you.
I’ll leave you with the eeriest example:
The photos on your mobile phone may contain EXIF data. This data includes the make and model of your phone, the software version (hacker jackpot), the date and time you took the photo and the GPS coordinates of where you took it (amongst other things). Yes, you heard me right: your uploaded photos could give a hacker or thief pinpoint directions to your house, bedroom or office. Scary, right?
Luckily, most major social networks strip this data from uploaded images, but there are plenty of smaller sites, blogs and services that don’t. Something as simple as uploading a photo could lead a hacker to your address. If this doesn’t drive home the importance of OPSEC and good security practices, then I don’t know what will.
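EXIF travels inside the JPEG file as an APP1 segment holding a small TIFF structure, so both checking a photo before upload and removing the data can be done without touching the image itself. The following is an added example (not code from the article) with a minimal parser for that structure and a stripper that drops the segment; the sample JPEG is constructed inline for the demonstration and is not a real photo. The parser only reads IFD0, which is where the make, model, software and the pointers to the GPS and camera-settings sub-IFDs live.

```python
import struct

# IFD0 tags relevant to the leak described above (TIFF/Exif tag numbers).
EXIF_TAGS = {
    0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
    0x8769: "ExifIFD",      # pointer to the Exif sub-IFD (camera settings)
    0x8825: "GPSInfoIFD",   # pointer to the GPS sub-IFD (coordinates)
}


def split_segments(jpeg):
    """Split a JPEG into (marker, raw_bytes) segments, raw_bytes including the 0xFF marker.
    Everything from SOS (scan data) or EOI onward is kept as one trailing chunk."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = [(0xD8, jpeg[:2])]
    pos = 2
    while pos < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):
            segments.append((marker, jpeg[pos:]))
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        segments.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segments


def is_exif_app1(marker, raw):
    """APP1 (0xFFE1) segments whose payload starts with the Exif identifier."""
    return marker == 0xE1 and raw[4:10] == b"Exif\x00\x00"


def parse_ifd0(app1_payload):
    """Decode IFD0 of an Exif payload into {tag_name: value}. ASCII tags become strings;
    sub-IFD pointer tags are reported as their offset (their presence is what matters)."""
    tiff = app1_payload[6:]                     # skip "Exif\0\0"; all offsets are TIFF-relative
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
        tag, typ, n, value = struct.unpack(endian + "HHI4s", entry)
        name = EXIF_TAGS.get(tag, "0x%04X" % tag)
        if typ == 2:                            # ASCII: inline if it fits in 4 bytes, else at offset
            if n <= 4:
                raw = value[:n]
            else:
                off = struct.unpack(endian + "I", value)[0]
                raw = tiff[off:off + n]
            found[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 4:                          # LONG: the type used by the sub-IFD pointers
            found[name] = struct.unpack(endian + "I", value)[0]
        else:
            found[name] = None
    return found


def exif_report(jpeg):
    """What an upload would leak: IFD0 tags of the first Exif segment, or {} if there is none."""
    for marker, raw in split_segments(jpeg):
        if is_exif_app1(marker, raw):
            return parse_ifd0(raw[4:])
    return {}


def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed; all other segments (tables,
    scan data) are copied byte for byte, so the picture itself is unchanged."""
    return b"".join(raw for marker, raw in split_segments(jpeg) if not is_exif_app1(marker, raw))


def build_sample_jpeg():
    """Constructed sample, not a real photo: a minimal JPEG whose Exif block carries Make,
    Model, Software and a GPS sub-IFD pointer (little-endian TIFF, IFD0 at offset 8)."""
    strings = [(0x010F, b"ExampleMake\x00"), (0x0110, b"ExampleModel\x00"), (0x0131, b"1.2.3\x00")]
    n_entries = len(strings) + 1
    data_start = 8 + 2 + 12 * n_entries + 4    # out-of-line values follow the IFD0 table
    ifd, blob = struct.pack("<H", n_entries), b""
    for tag, raw in strings:
        ifd += struct.pack("<HHII", tag, 2, len(raw), data_start + len(blob))
        blob += raw
    gps_offset = data_start + len(blob)
    ifd += struct.pack("<HHII", 0x8825, 4, 1, gps_offset) + struct.pack("<I", 0)
    # GPS sub-IFD with a single GPSVersionID entry (tag 0, four BYTEs stored inline).
    gps_ifd = struct.pack("<HHHI", 1, 0x0000, 1, 4) + b"\x02\x02\x00\x00" + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + blob + gps_ifd
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 2) + b"\x00\x00" + b"\xff\xd9")
```

Run `exif_report` on a photo before posting it anywhere you do not trust to strip metadata, and pass anything that shows a `GPSInfoIFD` entry through `strip_exif` (or a dedicated tool) first. This teaching parser ignores the IFD1 thumbnail and XMP/IPTC blocks, which can also carry location and device details.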
If you want to learn more about how to secure your crypto holdings, then grab yourself a hardware wallet and read our in-depth guide.
Feel free to debate the methods discussed in this article below. If I’ve missed anything, please let me know.