If you are a digital currency investor and store bitcoins, litecoins or ethereum online on an exchange like Coinbase, Kraken, Poloniex, etc, then you should be taking security seriously. You would only need 15 minutes to go through these steps to gain the peace of mind that your digital currency is secure online from account takeovers.

Note that investing in digital currency is safe, and allows you to participate in and support one of the greatest financial innovations in recent history. Digital currency enables some amazing use cases that were not possible until now e.g. instant and cheap cross-border remittances, smart contracts, merchants offering products with zero chargeback risks, etc. However, the very reasons that make digital currency so attractive to regular users (instant movement of money, irreversible like cash), unfortunately also attract hackers. I’d recently written about how we should not rely on SMS for second-factor authentication and instead use an Authenticator app (Microsoft or Google Authenticator) or Yubikeys where available. In this article, I’ll provide recommendations for some additional steps.

SMS based second factor authentication is the weakest link in online security. Get away from it. Image: © istock.com/FrankPeters

Passwords:

I strongly recommend using a password manager e.g. Lastpass or 1Password to generate a strong, unique password. Use a strong xkcd style password for your master password. Coinbase provides users a view into their password strength based on its entropy.

One additional recommendation I’d like to make is to turn off syncing of passwords across devices in password managers (Chrome, Lastpass, 1Password, etc). Otherwise, once an attacker gains control of say, your Chrome account credentials, they can sync all your passwords to a new device / browser very easily. If you do need to sync passwords to a new device, you can turn multi-device on just when you are about to add the new device.

You should also monitor whether your personal information (card numbers, social security number, passwords) has been breached on AllClearID or haveibeenpwned.com.

Use Authenticator apps for second factor:

For your second factor, switch to using Authenticator apps (Google or Microsoft Authenticator) instead of SMS. I wrote about this on Coinbase blog here. This protects you from SMS based attacks where attacker is able to read your SMS 2FA codes on an online portal (by hacking into your telco account) or by porting your phone number to a device they control. Note that I haven’t heard of SS7 hijacking used in a digital currency heist yet, as the cost for using this method is higher than these far simpler methods (getting telco billing password or socially engineering telcos to port phone numbers).

Make sure you write down the secret key for your Authenticator app and keep it in a safe place, preferably not online. This will allow you to reinstall Authenticator and connect it to the digital exchange, even if your phone is lost or stolen.

Figure: Write down the 16 digit secret code you used to connect your digital currency account on Coinbase with the Authenticator app. If your phone gets lost, stolen or erased, you can use this code to link Coinbase to a new Authenticator app install once again.

Secure your phone like a bank:

If you are an Android user, strongly consider switching to Google Fi which is not susceptible to the social engineering led porting attacks because Google Fi has no call centers. However, you need an extra security measure if you have both Gmail and Google Fi. See section on Google users below.

Call up your telco and put a unique and random PIN to provide access to your account. If you don’t choose a PIN on your own, some telcos default to using either the first or last 4 of your SSN. Due to over-use of SSN and ID theft, you might as well consider your complete SSN as known to attackers and hence create a random PIN. For more details about setting PIN at the major telcos see the following: AT&T, Verizon and Sprint.

Also ask telcos to put a SIM lock on your account. Tell them they should only allow phone porting (moving your phone number to a new device) or phone number porting (moving your phone number to a new carrier) from inside a store, and should ask for an ID before doing so.

Hide your phone number so its not visible publicly on social networks. Don’t add people you don’t know to LinkedIn, Facebook, etc and hide your phone number also from your social network connections. Those who know you, will figure out how to reach you.

A hacker ring is known to gives this tip to its victims after extortion:

“Put a sim lock on your phone. You can also say your account number is compromised and any changes on the account would require a call from a different line on the account for approval.”

Google Fi users must use Authenticator on Google logins:

If you use Google for both email (Gmail) and phone (Google Fi), you now have all your eggs (factors) in one basket. That is an attacker could obtain your Google password, and attempt to port your Google Fi phone number to another carrier. And after that, try to get into your digital currency account. To prevent this, you must:

Use Google Authenticator as primary 2FA on Gmail as well as your digital currency exchange

For extra security, consider Yubikey on Gmail

Figure: Porting of a Google Fi number is fairly straightforward (and frictionless) once an attacker is in your Google account. So the only way to prevent this porting is to use Google Authenticator to protect your Google account login.

Don’t be dissuaded by the effort needed to secure your digital currency account. Bitcoins and other digital currencies are only getting started and the 15 minutes you’ll spend on securing your accounts will serve you well in the long term, if the past 1-year returns on digital currencies were an indicator of things to come.

Figure: Market cap of all digital currencies in last 1 year has gone up by ~7x. Source: www.coinmarketcap.com

PS: Opinions expressed in this article are my own and not the views of my employer.