It’s fairly common to hear about people losing their entire crypto portfolio to a scam or hack or phishing site. Follow any crypto slack group or Facebook group or trawl through reddit.com/r/cryptocurrency and you’ll find a plentiful supply of ‘Someone Emptied Out My Crypto Account!!” stories abound.
Expect the loss of crypto funds through theft/scams to be a common theme over the coming years as more and more ‘new’ money enters the market.
Why is this happening? Because with cryptocurrency YOU are the bank.
BE YOUR OWN BANK
If you can’t secure your crypto holdings on your own, you risk losing them all.
So you need to protect your cryptos like you would your bank account. Because when it comes to your crypto holdings, you are the bank, the bank teller, and the bank security guard.
In this article, I’m going to comprehensively cover how you can protect your crypto assets from scams, hackers, and your own basic stupidity.
Fortunately, there are a few basic and easy things you can do to protect your crypto assets. Everyone who gets into cryptocurrrency should follow these steps.
1. Use a Hardware Wallet
You can pretty much reduce your risk of getting your crypto funds stolen to nearly 0 by using a Hardware wallet.
For the love of god, use one.
The sad thing is that even though protecting crypto assets from irrevocable loss is only $50 Euros and about a week of shipping, many people dumping their savings into crypto don’t have one…or use one.
If you don’t use one, you are shoving your hand into a fire.
It’s only a matter of time before you feel the burn.
What is this wonderful, magical device that every crypto investor should have?
It’s basically a souped-up USB key that securely stores your private cryptocurrency keys.
What is a private key? It’s your access code to your crypto wallet.
And by key I mean a string of random alphanumeric digits that look like a drunk monkey started pounding on your keyboard for five seconds.
Every blockchain and the unique address on it can only be accessed by a cryptographic key — what we call a ‘private key.’
Through the magic of cryptography, every private key is paired to a public address with only YOU having the key that can access the contents of that address.
Technically (depending on the encryption scheme), there may be other ‘key pairs’ that can open your address, but the odds of anyone getting these key pars are so slim the entire universe would burn out before such a key pair would be found via a brute force attack.
So to unlock your wallet, you need that key.
The problem is that many people do NOT securely store their private keys. They toss this them into their email, stash them on some cloud storage service, or store them on their computer.
This leaves you vulnerable to many kinds of attacks, from hackers snooping around on your computer to malware that will search your computer for private keys.
A hardware wallet stores your private key directly and never reveal it to the outside world. To access your hardware wallet, you have to enter a pin code, then you have to ‘sign’ (by typing a physical button on the device to confirm) any transaction done.
This means that no hacker can get your private key. Not unless they physically grab your device, type in the pin code, then manually hit the confirm button for any transfer of cryptocurrency from your wallet. This is impossible for any hacker to do remotely. And unless someone steals your device and knows the pin code, the device itself is secure from even people who can physically get their hands on it.
There are many stories of people losing funds to maleware or phishing sites. Don’t be one of these stories.
Buy a $50 Nano Ledger S and store most of your crypto funds on the device.
2. Two Factor Authentication is Your Best Friend
Don’t know what 2FA is?
Then stay the fuck away from crypto until you do!
Seriously, enabling 2FA on everything that touches your crypto is a must.
- Enable 2FA on every single one of your cryptocurrency exchanges (if you don’t, you’ll get hacked and lose your funds)
- Enable 2FA on your email & social media accounts
When it comes to using a 2FA app, I recommend using AUTHY. It’s much better than Google Authenticator as it requires you to use a pin/password to log into it (Google Authenticator does not) and you can store your 2FA keys on the cloud in case you lose your phone.
3. Keep Most Funds off Centralized Exchanges
Exchanges are not secure. Only leave what you are willing to lose.
Now some hardcore crypto types will rant against the evils of centralization.
But we live in the real world here, not a fantasy land.
As much as I hate it, I know banks are here to stay, the government will tax crypto, Ripple will continue to rise in market cap, and Vitalik will remain alien-thin.
It’s unrealistic NOT to use centralized exchanges. They are risky to use but deal with it.
However, what you can do is mitigate your risks.
Exchanges have been hacked and will be hacked in the future.
If an exchange gets hacked and your funds were stolen, you are trusting that the exchange will cover your losses. It’s entirely possible the exchange declares bankruptcy. There is also the risk the exchange itself goes under due to governmental interference, taking your crypto assets with them.
Here are just a few examples of exchanges that have been hacked or had funds go missing:
Trust me. You don’t want to wake up one day and find the exchange that you kept 100% of your assets making the news due to a massive hack or FBI raid.
Exchanges are a necessary evil. You need them, but you sure as hell don’t want to trust them with everything.
So how to minimize risks when using exchanges?
1. Keep Most Assets on Hardware Wallets
I recommend only keeping a portion of your funds on exchanges. Keep anything you don’t need to actively trade with on a hardware wallet. If the exchange gets hacked and funds stolen — or shutdown by the local government — you still have most of your funds safe outside of that exchange.
2. Scatter The Rest Among Different KYC’ed Exchanges
You ever heard that phrase ‘don’t keep your eggs in one basket?” Well then, don’t keep all your cryptos in one single exchange either.
Scatter your crypto around several reputable exchanges you have KYCed at.
For example, keep 30% of your funds on Binance, 30% in Bittrex, 30% on Kuicoin, etc.
If you are even more paranoid, you will want to make sure those exchanges are all located in different geopolitical borders (USA, Europe, Singapore, etc). It’s likely that some of the US exchanges like Bittrex and Kraken, say, will be getting a visit from the SEC + FBI at some point.
So you don’t want your funds on one of these exchanges when and if that happens.
One interesting solution is to use a DEX (Decentralized Exchange). Going forward, DEX’s will be part of the new crypto ecosystem as they solve the problem with centralized exchanges controlling your funds.
However, as of 2018, DEX’s are a bit too slow and not as easy to use as Centralized exchanges. This is one infrastructure area that will be developing over the next couple years.
4. Turn on the All Extra Security Options Offered By Cryptocurrency Exchanges
Using a centralized exchange?
Then opt for as much security as you can.
Good exchanges usually allow extra security to be enabled. This makes it a bit more inconvenient to do logins and withdrawals, but the extra security is worth the pain.
Some of these features are:
- IP Whitelisting (only IP Addresses you add to a whitelist can withdraw funds from the exchanges0
- Address Whitelisting (only addresses you manually add to a whitelist can have funds sent from the exchange)
- Email Confirmation (you have to click on a link sent to your email to confirm withdrawals)
- SMS Confirmation (phone code sent to your phone)
- Extra Admin Password Required
Most good exchanges will add at least SOME of these features. Some (like Bittrex), offers them all. I personally opt to enable every security feature that’s offered.
You should too if you value your crypto wealth.
5. Be Wary of Phishing Sites
While everyone loves a good hackings story, the truth is that you are far more likely to lose your crypto funds through ‘trickery’ than by having a hacker snoop around on your computer and steal your shit.
The easiest way for bad actors to get your crypto funds is to trick you into giving that information. The easiest way to do this is to get you to give your private wallet keys or exchange login information by trickery.
The popular way is to for scammers to create a fake ‘phishing’ website that looks like the real thing. You click on a link that you think leads you to the real website (say Binance or MyEtherWallet) but end up at a fake site.
Scammers often register domains that look like the real URL but with a misspelling. New investors who don’t double check may be fooled into thinking this fake website is the real thing and enter in their login credentials.
This could include:
Now you may think you are safe by having a 2FA (Two Factor Authentication) enabled with your exchange. Good exchanges will usually ask you to put in the 2FA to log in AND while again when you do a withdrawal.
But scammers have a way around this.
What they do is create a fake login page that asks you to enter your 2FA key. The page gives you a fake loading symbol to stall you for a minute, giving the scammers enough time to log into the real site (which is sent to them right away) using your information and 2FA key.
The login prompt shows again asking you to re-enter the 2FA which gives the scammer the new 2FA key to withdraw your funds.
How to Avoid Phishing Sites?
- Make sure you BOOKMARK the real website and only access that site from your bookmarks. This prevents you from clicking on a fake ad in google search or a fake look-alike domain in google search (i.e. you type ‘Binance’ in google and see a google ad for ‘Binance.co’ which leads to a fake clone site of Binance run by scammers
- Make sure you DO NOT CLICK on any Google Ads. Scammers use these to list fake phishing sites with misspellings of the real domain
- Make sure the exchange / online wallet has HTTPS in the domain. HTTPS is an encrypted protocol (unlike HTTP). Legit businesses and exchanges will only ever run from HTTPS. It’s a red flag if that’s not the case.
- Install the Metamask chrome/firefox plugin. This links up with your ethereum wallet and gives you a big visual notification if you end up on a fake phishing website.
6. Avoid Crypto-ing on Public WiFi
Public WiFi is great for checking your Facebook — but not for cryptocurrency transactions.
Don’t log into your private wallets or exchanges using public wifi.
Public wifi is not secure. It’s possible to have a hacked router or someone who is snooping around on the public wifi. Your private wallet keys can be compromised like this.
I personally know one story of a guy who was using the Public WiFi at a Crypto Conference a few months ago and had $150,000 stolen from his MEW wallet because the WiFi was targetted by hackers.
So if you have to do crypto in a public location, tether your phone connection and use that, not your local Starbucks wifi, which is asking to get all your shit stolen faster than a Donald Trump presidential speech gone bad.
7. Double Check Your Address is Correct After Copying & Pasting It
Be careful when doing a crypto transfer. If you are like 99.9% of the people out there, you will use the COPY and PASTE feature to grab an address to send to or receive too.
The problem is that there’s malware that will modify your COPY / PASTE function and insert a hacker’s own address.
To avoid unknowingly sending your funds to a scammer’s wallet, always double check an address after using the COPY & PASTE. I usually look at the first 4 digits and last 4 digits to make sure the address is the same.
It’s better to be safe than sorry here.
8. Secure Your Private Keys in a (Multiple) Remote Locations
If you store your cryptocurrency in a private wallet or hardware wallet, you need to protect that key by keeping it somewhere NOT in your immediate vicinity.
If you use a Hardware wallet like a Nano Ledger S or Trezor, you’ll have a seed key that you can use to recover your wallet information, should something happen to your device. You don’t have access to your private keys if you use a hardware wallet as those keys are stored on the device itself. But you do have access to the seed key, which is just about the same thing (except that it’s the key to ALL your private keys).
If you lose your private key to a wallet, you are screwed.
If you lose your hardware wallet seed key, you are really fucking screwed.
It’s best to not do either.
You need to make sure
- you always have access to this in the event you lose your hardware wallet
- the seed key is safe from fire, theft, loss
If you lose your seed key or someone else gets it, you’re fucked and your entire crypto stash can (and will) be stolen,
So protect this like it’s your first born child.
You can search around online for some good ideas on how to secure your seed key. I recommend the following:
- Have several Nano Ledgers paired to the same seed key (if you lose one device, you have a backup at hand)
- Get yourself a Crypt Steel to store your seed in such a way it can’t be lost
- Keep Your Seed Key in different locations
For example, you might want to store a nano ledger and/or a seed key in a safety deposit box at a bank in case your house burns down.
Put it this way: have as many backups as you can, stashed everywhere.
9. Don’t Use Phone Wallets to Store (Major) Assets
If you are using a phone wallet to store huge amounts of crypto, there’s a whole lot that can go wrong. Phones are hardly secure.
There’s nothing wrong with keeping some spending money on your phone wallet. But not your life savings.
I know you like to use your phone to do just about everything in your life, but storing your life savings in crypto wealth, protected by a mere 4 digit pin code and your ability to remember where you left your phone during that drunken Saturday night at Chilli’s is many levels of bad.
Use a real private wallet or better a hardware wallet like the Nano Ledger S. Not your phone.
10. Use an Isolated Computer Just for Crypto-ing
For the really paranoid, consider using a completely separate computer to handle crypto transactions.
This means a computer that you don’t install anything else or do anything else but using to access your private wallets/exchanges.
I recommend getting a brand new laptop or desktop computer and dedicating this ONLY for accessing your crypto exchanges or private wallets. Or you can take an old computer and reformat the entire thing and reinstall the operating system.
And by isolated, I mean only install the minimal software needed to JUST do crypto.
And yes, it means don’t watch your filthy midget porn on it either.
No to surfing the web. No to downloading apps. No to Netflix. No to downloading torrents. And no to porn.
This computer should be a safe zone for crypto only.
Using an isolated computer (i.e. used for ONLY crypto) may be a bit paranoid, but it’s one way to ensure you don’t use a compromised computer (no viruses, maleware) when accessing your funds.
Certainly, if you are accessing millions of dollars in crypto access, you want to be extra careful.
Now if you are too cheap/poor to buy and use a separate computer to access your crypto funds with, you can install an Encrypted Virtual Machine in which you only access your crypto funds. This creates a very secure environment that’s completely walled off from your regular operating system on the same computer. It’s not quite as good as a hardware wallet, but it’s certainly better than nothing.
Or you can use a hardware wallet, which is by far the easiest and safest and least technical solution. However, hardware wallets only support a limited number of coins so you can’t use them for EVERY coin you have, likely.
11. Never Click on Random Links on Crypto Specific Channels (Slack, Telegram)
It’s a fact that crypto-friendly social media platforms like Slack and Telegram are hotbeds for scammers.
Never, ever click on strange links that get posted in crypto discussion groups. This includes Reddit, slack, telegram, facebook and the like.
There is a chance you could be clicking to a phishing site (fake site) or end up at a website that installs browser malware which may steal your private wallet keys.
Always be on guard.
Think before you click people.
12. Be Extra, Extra Careful of Scams During an ICO
ICO’s are absolute targets for scammers looking for easy victims. Scammers and hackers know that people are looking to send a lot of money to a specific address. So hackers and scammers will do everything they can to get people to send their ICO funds to the wrong address.
Before you send ANY funds to an ICO address (at time of writing, usually an ethereum address or NEO address since 99.9% of ICO’s are run using the NEO or Ethereum platforms), use multiple sources to verify that address is, in fact, the real contribution address and not a fake one.
This means to verify it via multiple sources:
- The contribution address posted on the website
- The contribution address posted by the official team members on slack and telegram (be careful here, scammers like to pretend to be the team)
- The contribution address posted online via a video stream on YouTube by the team
- The contribution address shared (or the last 4 digits of it) on Twitter
- Look at the http://etherscan.io/address/[INSERT THE ETH ADDRESS HERE] to verify it’s legit
To prep you guys for potential scams, here are 4 common ones I’ve seen used during ICOs:
1. The Fake Contribution Post Scam
This means that scammers love to pretend to be the Admins on SLACK and Telegram and post fake ICO contribution addresses in the channel. People are often fooled into sending money to this fake address, thinking it’s the real thing.
2. The Fake Message from Admin
Another variation of this is to have a fake Admin send a private message to everyone in the channel asking for funds to be sent to a specific (and fake) address.
3. Fake Emails from the ICO Team
Beware of FAKE emails being sent to your inbox. Scammers can and do get/steal email lists for those who have signed up for ICO whitelists. During ICO’s, they love to send out fake emails pretending to be the ICO team with a fake ICO address.
I’ve also seen the actual ICO website get hacked with a fake address posted by the hackers. This happened with Enigma and CoinDash and resulted in millions of dollars in lost/stolen funds.
So if you are participating in an ICO, ALWAYS verify from multiple sources (telegram, website, etc) that the address posted IS the right one. Never assume right away that the first address you read is the right one. For even more security, go to etherscan.io and put in the address to verify it’s a legit address going to the right place.
13. Install Premium Antivirus Programs
Let’s touch again on the theme of securing your computer against malware. I hammer on about your computer being a real liability when it comes to securing your crypto assets because it is.
I recommend you install a premium antivirus and some specialised antimalware software.
Not, the free antivirus is probably not enough.
- Install the Premium version of Malware bytes
- Use multiple antivirus solutions (like Eset Internet Security and Kaspersky).
I’ll leave it up to you to find the best antivirus programs to protect your crypto.
But don’t cheap out and use the free antivirus scanners though. Having multiple layers of security is the best method. I personally use 2 different (compatible antivirus scanners) and a malware scanner.
14. Don’t Publically Advertise Your Crypto Life Unless You Want to Be a Target
As much as I would love driving a lambo with ‘HODL’ or ‘BITCOIN’ or some such stupidity on the license plate, that’s asking to be targeted by people with no-good intentions.
The same goes with wearing crypto shirts, blabbing to everyone you meet on the street that you are a crypto millionaire, or walking around with your Nano Ledger hanging around on your neck.
Don’t live in fear, but don’t be stupid either.
The last thing you want is to get hacked or be this guy or that guy.
You can have the best computer security in the world, use a nano ledger, and stay away from public wifi. But this won’t help you when Yuri kidnaps you on a Bali beach, drags you into a soundproof room then pulls out a pair of pliers.
Advertising your crypto wealth online (and linking it to your real world address / idenity) also makes YOU a target for hacks and scams. It’s best not to make yourself a target.