10 minutes and you can protect your Bitcoin and cryptocurrencies better

There have been an absolute spate of account hijackings based on professional hacking groups. These groups target anyone online who is associated with the cryptocurrency industry.

I’m sure you’re reading up to this point with casual interest. I want you to imagine this:

The sinking feeling you will have when your phone goes dead and you get a message from your carrier saying “Your SIM has been successfully updated.” The panicky feeling when you realize that hackers have taken over your email accounts, your social media accounts and possibly even your bank accounts. The disgust and embarrassment you will feel when the hackers have contacted all of your friends and family through your communication and messaging systems. The anger you will feel when you learn that one of your most kind-hearted friends has sent money or cryptocurrencies to the hackers out of concern for you. Not only did one of your kindest friends lose money, but they also heard upsetting lies about you and why you needed the money. The frustration you will feel trying to reestablish control over your electronic accounts, and then your cryptocurrency exchange accounts, which you will be locked out of. You will need to re-establish KYC with all your crypto exchange accounts. The pain of being locked out of your exchange accounts as the market goes up and down while you are unable to trade the assets locked on those exchanges. The loss you’ll feel when your hard-earned money is stolen from you.

I’m only enumerating these feelings because I want you to commit TODAY to two things, to:

1. taking 10 minutes to protect yourself.

2. taking 1 minute to protect your friends by sharing this post with them.

10 minutes to better safety

OK so what are the three most important things you can do?

A quick caveat is that there is no 100% hack proof security. These are just some of the easier things you can do to avoid the bitter pains of being hacked, and hopefully deter hackers or make their jobs harder.

1. Remove Phone Number From Gmail

There are two places where you should remove your phone number from your Gmail account.

One of them is for account recovery. This is the screen below. Make sure that there is NO PHONE NUMBER associated with your account. If there is a phone number there, DELETE IT. That is exactly what the hacker will use to reset your password to one of their choosing.

The second place to remove your number is SMS based 2 Factor Authentication (2FA). Authentication is how a computer system knows you are you. 2 factor means an additional second way the system knows you are you (other than the login ID password pair which is the most common first factor).

The problem with someone porting your phone number is that the attacker now has your phone — so they appear to be you. And if you use SMS as the second factor, they can just use that to reset your password, thus letting themselves in and locking you out at the same time.

Remove all SMS based 2-Factor-Authentication from all accounts, especially email / Gmail.

a. In the case of Gmail first go to your Google Account

b. Then click Sign-in & security

c. Then Signing in to Google

d. Then 2-Step Verification

e. Then delete ANY phone numbers associated with your account. The result should look like the screen below (i.e., no phone number associated with your account at all).

2. Diminish Likelihood of SIM Swap Attacks

This can be done in several ways.

1. Use Google Voice to keep your phone number away from hackers

One approach is to get a phone number that is not associated with the SIM card in your phone. An easy way to do that is to use Google Voice. If you have a Google Voice number you can use that number on your business card and give it out to people, and if they call that number it will redirect to you.

2. Use Google Fi

Some people recommend Google Fi as a secure carrier. I am not sure this is a great answer only because I have not researched it sufficiently. So if you plan for this to be your security measure, I recommend you research it yourself.

3. Buy a “burner phone”

You can buy a special phone that you only use as an authentication device. If you do this, you STILL don’t want to use SMS authentication. If you’re using Google Auth or Authy, please be sure to back up your keys (the printouts with the QR code) in a safe location in case of loss of device.

4. Talk to your carrier

You can set up special account access passwords and additional security measures with your carrier. You must be very explicit with them that you want to prevent anyone from porting your phone number. You should clarify exactly under which circumstances you would allow your number to be ported. Be careful. One friend reported that the carrier was called 30 times in an attempt to fraudulently port his number and the 30th call was the one that went through. The attackers are persistent, professional and willing to fail over and over and over. There are rumors as well that store employees can be bribed to participate. If true, a store employee could claim you are physically present with government ID and then port your number.

5. Use a tablet or a device without a SIM card like an old phone for 2FA.

3. Replace SMS 2-Factor With Better or Best

What’s better than SMS 2 Factor Authentication? Almost anything.

1. Better: Replace SMS with a dedicated Authentication App

You can use Google Authenticator, Authy or Microsoft Authenticator. I haven’t researched which one is the best, so please do your own homework.

When you DO set up app based 2FA, PLEASE do yourself a big favor and print out the authentication keys and store them somewhere SAFE.

Remember that the authentication keys DO allow ANYONE who holds them to regenerate the codes your authentication app produces, so please secure these. The point of backing them up is that if you lose your phone, you can otherwise be locked out of all of your accounts.

2. Best: Replace 2FA with Hardware Key

Right now the dominant player in this space is YubiKey.

There is a cool promotion where you can get 12 months subscription to WIRED magazine for $10 and they will throw in a free Yubikey. Just to be 100% transparent, someone suggested that I get referral links and make money off of people clicking. I make NO money off of anyone doing any of this and there are no referral links in this article. I mention the WIRED promotion because I actually bought my second Yubikey device today through this promotion and I honestly think it’s a good deal.

Would I buy a WIRED subscription for $10? Probably not on my own, but would I buy a YubiKey for $10? Hell yes. And would I mind if WIRED gave me a subscription on top of that? Sure why not?

https://subscribe.wired.com/subscribe/wired/115698

Just for completeness, Google has announced a foray into this space with a product called Titan Security Key. I wasn’t at the time of this writing able to find this product for sale on the Google Store online.

I also got a hot tip from a cryptocurrency cybersecurity expert, Jolly from Crypto Lotus, that he likes OnlyKey better than YubiKey.

His rationale for liking OnlyKey better is that YubiKeys don’t PIN/password protect your U2F token, which is problematic in the case of an attack where you lose your hardware key.

Here is what I recommend with respect to these keys. You can use the hardware key to lock a password manager like LastPass. LastPass actually has the ability to manage multiple YubiKeys. I recommend you buy 2 different YubiKeys and you put both keys into your LastPass account. Store the second YubiKey in a safe and hidden location.

This way, when (and not if) you lose your YubiKey, you can use your backup key to maintain seamless control over your accounts. As soon as you know your key is lost, get into your password manager and revoke access via the old key. For good measure, if you suspect that your password manager was compromised, regenerate all your passwords starting with the most important accounts.

Once you have done this, order a new backup key and when it arrives add it to your account.

Bonus Round: Buy and Use a Hardware Wallet

This one is fairly obvious and there are many web sites dedicated to this topic.

I like both Trezor and Ledger but you can choose whichever one feels good to you.

You may consult with many web sites about this topic, I won’t teach you how to use one of these devices here. I will provide you with one warning though.

I did tell you to “Buy and Use” a hardware wallet. Many people buy a hardware wallet and then leave their cryptocurrencies on an exchange, for a variety of reasons. Laziness may be one of them.

The hardware wallet works because it contains your private key and the key never leaves the wallet. This is awesome because it ensures the key can’t fall into the wrong hands. Obviously your backup key will be your recovery words or some printed-out form of the key. You naturally will need to store those in a safe and hidden place as well. I use the phrase safe and hidden to mean that the location should be not obvious, and by safe I also mean that the location should be free from the elements that can destroy the information. If your private key is hidden in a place where it can suffer water damage or bleaching from the sun or any other factor that can render it unreadable, you have also lost your asset.

But the cardinal rule should be to use the hardware wallet to protect your crypto assets. This means go ahead and use exchanges, but when you’re done, bring the assets back to your own wallet addresses that you control. Leaving assets on exchanges is just providing a soft target for hackers.

If there’s anything wrong about the advice I’ve given, please comment on the article and I can fix it.

Protect your friends

Now that you’ve protected yourself, please protect your friends. Share this article with them on Twitter, Facebook, Linkedin or wherever they hang out.

If you want to protect the industry and people you don’t even know, please give 50 claps to this article so it will be amplified. Deterring hacking helps the cryptocurrency industry achieve legitimacy.

The other imperative is that every successful hack incident just funds more hacking and incentivizes more such behavior. Many of those people are also committing other crimes. Please help spread the word. Thanks.
