Security — Take This Seriously

I cannot stress this enough. Take. This. Seriously. One of the key features of a permissionless blockchain is that it is immutable, meaning it cannot be changed. The physical world and our legacy systems have taught us that we can call customer support, dispute a charge, or get a refund. If someone gains access to your private key, assume everything is gone. Permanently. As time goes on, I believe two things will happen:

1. Better custody solutions will emerge that look like today’s systems.
2. Much of the legacy world will become tokenized.

Which means that if you lose your private key, imagine losing your checking, savings, 401k, pink slip to your car, and deed to your house with no recourse for getting any of it back. Ideally, new custody solutions will emerge and be adopted faster than the legacy system becomes tokenized, but since I cannot guarantee that, please take your personal security seriously.

Not your keys, not your cryptocurrency.

Exchanges provide valuable services, from acting as an on-ramp that converts your fiat currency into cryptocurrency to offering sophisticated trading tools. Unfortunately, almost every single hack ever has been at an exchange. Some exchanges have issued some kind of compensation for the losses while others have been forced to declare bankruptcy. Taking custody of your own keys puts the responsibility solely on you, but most of us are not sitting on multibillion-dollar honeypots that attract attackers. Moreover, we generally don’t have internal bad actors to worry about, especially if you take these tips seriously. So choose a wallet, secure it, and only leave an amount of cryptocurrency at an exchange that you are willing to lose or need immediate access to.

Buy a hardware wallet.

It is hard to have your private key lost or stolen if it never leaves the device or touches the internet. That being said, there are plenty of hardware wallet scams out there. Buy the hardware wallet from the provider directly or through one of its trusted affiliates.

If you buy it on Amazon or eBay, ensure that the box hasn’t been tampered with, ensure the firmware is legitimate and updated, and always generate a new seed phrase rather than using one that came with the device. There have been attacks through all of these vectors and each company has tried to stay ahead of them.

Store your seed in a secure location.

Again, if someone has access to this, that person has access to everything. Lock it in a safe, tape it under your desk, I don’t care what you do with it but definitely do something with it where no one will find it.

If I have made you paranoid to the point where you don’t want to store your seed in a nightstand, home safe, etc. because someone in your home can access it, I am sorry and you’re welcome. However, if you are going to put it somewhere such as a safety deposit box, know that it is still susceptible to floods, fires, and other natural disasters.

This is where a debate comes in over best practices. Writing the seed down in a Word document offline and storing it on a USB drive works, but hard drives fail and standards change. Imagine passwords saved to a floppy disk today. A piece of paper is susceptible to both fire and flood, but paper has survived thousands of years in the elements and is still being discovered in tombs. You could laminate that paper to prevent water damage, but it still doesn’t protect against fire. Additionally, the plastic from the lamination can eat away at the paper over time. My personal favorite solution is to buy a metal casing to store your seed that won’t be destroyed by a natural disaster, but again I am not trying to force you to spend money.

Get paranoid about that location.

One of my favorite solutions for storing your seed at home or offsite is a bit funny, but it came from a story Ari Paul told about consulting with an NSA specialist. He recommended wrapping the seed, hardware wallet, USB drive, etc. in tamper-seal bags, taping it up with tamper-seal tape, and then splattering nail polish on the outside. You can buy tamper-seal bags and tape online; if the bag is opened, it is destroyed in the process. However, if the attacker for some reason knew which brand of bags and tape you use, you still have the paint. The thought process is that paint splatter is too random to recreate, so if someone has seen your seed or tampered with your device, you can tell because the pattern will not be the same. You can take a picture of the markings and keep it on your phone, or print the photo and leave it with the items. I would actually recommend going one step further: put your item in an envelope, seal it, and sign the back of the envelope along the fold. That way the attacker would have to not only recreate the splatter marks but also forge your signature on the same branded envelope.

Do not get fancy.

Do not rewrite your mnemonic seed backwards. Do not split your seed across multiple locations. Do not triple encrypt your seed. Do not do anything you won’t be able to remember or recover. If you control your own private keys, you are responsible for your own security, but that doesn’t mean you should be your own worst enemy.

Online security

Secure your Google account.

Remove your recovery phone number and email and then try hacking yourself. Log out, click “Forgot password,” and keep hitting “Try another way.” If your Google account gets compromised, the attacker gets access to your saved passwords, your payment information, etc. Don’t believe me? Log in and go to www.passwords.google.com. Secure it. Secure it. Secure it.

Use a Chromebook.

Chrome OS has something called verified boot. It means that every time you turn on the device, it checks the version of Chrome OS against the one published on Google’s servers to ensure that it hasn’t been altered in any way. Additionally, each tab and application runs in a secure sandbox that prevents it from affecting other parts of the computer. Let’s assume the worst-case scenario. If there were malware on the device looking for your private keys to send to an attacker, or a keylogger installed to capture your passwords, it would be identified and removed once the device was restarted.

Bookmark your favorite sites.

In a world of autocorrect and Google, we have become accustomed to typing the wrong website and landing on the correct one anyway. However, in a world of immutability, would you want to bet the value of your wallet on it? There have been numerous phishing sites that look like the site you are trying to reach but are fake. How do you know you are about to bookmark the correct site? Cross-reference the URL from multiple verified sources. Google it, then check Twitter, then look for the founder or another employee linking to the site. If you think this can’t happen to you, try this phishing quiz made by Google’s Jigsaw.

Don’t click on links.

With a lot of links being shortened by bit.ly and other services, you no longer know where a link is taking you. My recommendation, if you aren’t going to bookmark your favorite sites, is to hover over any link so you can see where it is going to take you. Ensure that it is the correct URL, and never click on links that were sent to you on Twitter, Slack, etc., as most projects will never DM you.

Don’t click on ads.

There are plenty of phishing websites that are ad-based. If you see an ad for an exchange or service you are familiar with please click on the organic link below the ad. Take this link for example, www.coίnbase.com. If you didn’t pause, you failed. I am not sure if you can tell the difference between Coίnbase vs Coinbase but one is a fake site. If you can’t tell the difference, it is the ί vs the i. Don’t worry, that fake link takes you to the Rick Astley page.

Small tip: if you hover over the ad you will see the address in the corner.
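The hover check and the bookmarking advice above come down to one question: does the hostname you are about to visit, in the form the browser actually resolves, match one you already verified? This is an added example (not code from the original post) that normalizes a URL’s hostname, converts it to its punycode (IDNA) form, lists any non-ASCII lookalike characters with their Unicode names, and compares the result against a constructed bookmark list; BOOKMARKS is a placeholder to fill with the hostnames you verified yourself.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist standing in for your verified bookmarks. Matching is done on
# the punycode form, so a lookalike domain can never equal an ASCII entry here.
BOOKMARKS = {"www.coinbase.com", "www.myetherwallet.com", "mycrypto.com"}


def hostname_of(url):
    """Return the lowercase hostname; bare hostnames are accepted as well as full URLs."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def describe_char(ch):
    """Human-readable form such as 'ί U+03AF GREEK SMALL LETTER IOTA WITH TONOS'."""
    return f"{ch} U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"


def inspect_hostname(url):
    """Report the resolved (punycode) hostname, any non-ASCII characters, and whether
    it matches a bookmark. NFKC normalization collapses alternate encodings first."""
    host = unicodedata.normalize("NFKC", hostname_of(url))
    punycode = host.encode("idna").decode("ascii")  # what DNS and the browser really see
    non_ascii = [describe_char(c) for c in host if ord(c) > 0x7F]
    return {
        "host": host,
        "punycode": punycode,
        "non_ascii": non_ascii,
        "bookmarked": punycode in BOOKMARKS,
    }


def is_safe_to_visit(url):
    """True only for a pure-ASCII hostname that is on the bookmark list."""
    info = inspect_hostname(url)
    return info["bookmarked"] and not info["non_ascii"]


if __name__ == "__main__":
    for candidate in ("https://www.coinbase.com/", "https://www.coίnbase.com/login"):
        report = inspect_hostname(candidate)
        print(f"{report['host']} -> {report['punycode']}")
        for item in report["non_ascii"]:
            print("  lookalike character:", item)
        print("  safe to visit:", is_safe_to_visit(candidate))
```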

Check the security certificate.

The security certificate is the green name or lock in the URL bar when the website is secure. Each certificate is issued to a specific company, which cannot be faked. “MyEtherWallet Inc [US]” is what you would see for the MyEtherWallet page. So while phishing sites can mimic the layout of the site, the security certificate is harder to falsify. I don’t expect you to memorize every security certificate out there, so please bookmark these sites.

Install Metacert.

For those of you who don’t want to check the security certificate each time, Metacert is another extension that will pop up a green banner at the top of sites if the security certificate is valid. If you find it annoying, you can turn that off and the extension icon will change color instead, but you have to get in the habit of looking at it. As a side note, Metacert is looking to issue its own Ethereum token to provide an incentive for people to flag and review sites to keep everyone safe. *This is security and product, not investment advice*

Check your antivirus software.

If you ever go to a site and notice that the security certificate has gone from the company’s name to a simple green “s” after “http” in your browser, you may not be in danger yet. First, give yourself a pat on the back for paying attention. Second, your antivirus software may be interfering with this, so disable it momentarily and refresh the browser, or proceed in an alternative manner. Additionally, you may be able to specifically disable the SSL scanning or web security portion of your antivirus software. This way you still have protection from most things while being able to confirm that you are on the correct site.

Desktop and offline apps.

MyCrypto recently released desktop apps for macOS, Windows, and Linux, which mitigates all of the attack vectors from fake websites. As an added bonus, Chromebooks will now support running Linux applications, with wider support to be released later this year. Both MyEtherWallet and MyCrypto have offline versions of the website itself if you want to get extra paranoid, but this gets complicated quickly.

Source: MyCrypto desktop page

Put two-factor on everything. There are three pillars of authentication: 1. things we know (passwords), 2. things we have (phones or 2FA keys), and 3. things we are (fingerprints or Face ID). Two-factor authentication, or 2FA, relies on one form of security, often a password, plus a secondary form, which is often a code from something you have. This secondary layer of protection helps slow down attackers, as passwords are often leaked after a hack. Another issue is that the answers to security questions used to reset a password are often publicly available. If I looked over your Facebook page I could probably guess your favorite color or find out your mother’s maiden name. There are multiple forms of two-factor authentication, and some are more secure than others:

Universal Second Factor (U2F): This is the most secure option, as the risks are limited and it is easy to remember a physical device. I’d recommend buying a YubiKey or Google Titan Security Key. If you need to buy a hardware wallet, Trezors can be used as a U2F key, so one device both secures your assets and secures your accounts online. I’d recommend buying more than one in case you lose it. These are so secure that Google gave all 85,000 employees security keys in 2017, its successful phishing attacks fell to 0, and it now mandates that all employees have one.

USB and Bluetooth Titan Security Keys by Google, from Android Police

Time-based One-Time Passwords (TOTP): This is another secure option. It isn’t as user-friendly as a U2F device, but these services are free for anyone on a budget. Downloading an authenticator app such as Google Authenticator or Authy is where you should start. You’ll see a string of letters such as WICEUIDWJFPMWU or a QR code. Enter the string of letters or scan the QR code on all of your devices. This will create a six-digit code that you will have to enter into the website. These are familiar to most people who have ever been texted a code, but these change every 30 to 60 seconds, unlike the codes that get texted to you.
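That string of letters is a shared secret, and both the app and the website derive the same rolling six-digit code from it and the current time. The following is an added example (not code from the post, Google Authenticator or Authy) of the RFC 4226/6238 algorithm they implement, plus the server-side verification step with a small clock-drift window; the secret is constructed from the RFC 6238 test key so the codes can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed shared secret: the RFC 6238 test key "12345678901234567890", base32-encoded
# the way an authenticator app receives it (as text or inside the QR code).
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # base32 needs 8-char groups
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238: the counter is the number of whole `period`-second steps since the epoch.
    Both sides compute this independently, which is why their clocks must agree."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // period, digits)


def verify_totp(secret_b32, submitted, at=None, period=30, window=1, digits=6):
    """Server-side check. Accepts the code for the current step and `window` steps either
    side to absorb clock drift; compare_digest avoids leaking how many digits matched."""
    at = time.time() if at is None else at
    step = int(at) // period
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, step + delta, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    print("secret shown to the user:", EXAMPLE_SECRET_B32)
    print("code right now:", totp(EXAMPLE_SECRET_B32))
    print("RFC 6238 vector (t=59):", totp(EXAMPLE_SECRET_B32, at=59))
```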

SMS-based two-factor: This is better than nothing, but there are some major risks associated with it because of SIM porting. SIM porting is an attack where someone calls your phone provider pretending to be you and convinces them to activate their phone with your phone number. They then get your two-factor codes, since the codes are sent to their phone, and your assets are gone in minutes. I would recommend reading this AMAZING guide on how to prevent it.

Here is a list of services that provide two factor authentication. Turn it on for every site that you can possibly use it on. If you have the option to use multiple forms of 2FA, use keys, then TOTP, and then SMS.

2FA example by Imperva

Do not have your phone number linked to anything. I know I just said to use 2FA but try to limit the number of ways someone could find out your phone number. If you have to have your phone number linked to a service, please contact your carrier to add a password or other security layer to prevent attackers from being able to transfer your phone number to a new device. As a bonus tip, write “DO NOT PORT MY NUMBER” in the second or third address line in your billing information. If this were to happen and the representative at T-Mobile were to ask the attacker to verify your address, they would see:

John Doe
123 Fake Street
Apt. DO NOT PORT MY PHONE
Amazing, NY 12345

If you do need to leave your phone number attached to something, use a service like Google Voice as you can’t port those numbers.

Switch to Project Fi. Most people don’t know this, but Google actually is a carrier and can provide service to your phone and tablet. A lot of us have grandfathered data plans, myself included, but it is much harder to port your phone number to a new device with this service. For starters, there isn’t a generic phone number to call or a store to visit, as Google relies heavily on your Gmail account. In order to register the device as stolen, you will need to log into your Gmail account and access the support page through the Project Fi website or app. This puts the liability and security back in your control and not in the hands of someone at one of the major phone carriers. That being said, you should create a strong password and turn on 2FA to prevent your Gmail from being hacked. Google also has an Advanced Protection Program which provides additional protections for free but restricts the kinds of things you can do with your account.

Source: Project Fi homepage

Cautions about TOTP codes. While Google Authenticator is a better solution than SMS codes, it isn’t without its concerns. While this is highly technical, the short version is a concern about how the shared secret is stored and secured, given that your device and the server have to stay in sync. If that data can be observed in transit, someone could derive your TOTP code. If you use Google Authenticator, ideally the app should be installed on a secondary device that has never touched the internet and is kept offline. This can be done through a website like APK Mirror and then transferring the app onto a new Android device. You can buy cheap Android devices for less than $50. Conversely, if you are going to use Authy, ensure that you turn the multi-device setting off. It is on by default, unfortunately, and essentially recreates the phone number porting issue, but this time through an app.

Run two browsers with an ad blocker on one. While we all hate ads, pop-ups, etc., they are a necessary inconvenience until a better solution comes along to keep the internet free. That being said, I suggest keeping your favorite browser as is and installing an ad blocker on a secondary one. That secondary browser is where you should do all of your cryptocurrency-related tasks. I recommend uBlock Origin if you are running a traditional browser, as it is open source and doesn’t whitelist ads for a fee like AdBlock Plus. If you really want to support a native cryptocurrency project, you can download Brave. It is a browser built by the co-founder of Mozilla, with an ad blocker and an Ethereum wallet built in.

Password Security

Use a password manager. If you are going to take this next section seriously, you are going to need a password manager. There are plenty of great password managers such as LastPass which is free or 1Password which is $2.99 a month.

Audit your passwords. Force yourself to use unique passwords for each site with this Password Alert. It is an open source Chrome extension built by Google’s Jigsaw that looks at the password you saved to one site and will alert you when you are entering the same password into a different site.

Create complex passwords that are hard to crack. Pwned Passwords is a great resource for this after the Yahoo and Equifax hacks. Enter your password and you can see how long it would take a computer to guess your password (don’t worry, it is safe and the code is open source). Ideally, you want a password with a high level of entropy, which is a fancy word for randomness. P4s$w0rd123 is not a complex password and does not have a high level of entropy. A password manager will generate a unique, complex password for each site for you.
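The reason a breached-password lookup can be “safe” is its k-anonymity design: the client sends only the first five hex characters of the password’s SHA-1 hash, the service answers with every known hash suffix under that prefix together with a breach count, and the match is made locally. The block below is an added example (not code from the post or from the Pwned Passwords project) of that client-side logic, run against a constructed offline stand-in for the service so it needs no network; the counts in it are made up.

```python
import hashlib

PREFIX_LEN = 5  # k-anonymity: only this many hex characters of the hash are ever sent


def hash_password(password):
    """SHA-1 the password and split it into the prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines, the range endpoint's response format, into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """fetch_range(prefix) -> response text. Returns how often the password appeared in
    breaches; the full hash never leaves this function."""
    prefix, suffix = hash_password(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


class FakeRangeServer:
    """Constructed offline stand-in for the service. It stores counts for a few passwords
    and records every request, so we can show the server only ever sees 5 characters."""

    def __init__(self, known):
        self.by_prefix = {}
        for pw, n in known.items():
            prefix, suffix = hash_password(pw)
            self.by_prefix.setdefault(prefix, []).append(f"{suffix}:{n}")
        self.requests = []

    def __call__(self, prefix):
        self.requests.append(prefix)
        # Real responses hold hundreds of suffixes; add one constructed filler so the
        # answer is never a single line that would give the match away on its own.
        lines = self.by_prefix.get(prefix, []) + ["0" * (40 - PREFIX_LEN) + ":7"]
        return "\r\n".join(lines)


if __name__ == "__main__":
    server = FakeRangeServer({"P4s$w0rd123": 1234})  # constructed breach count
    for candidate in ("P4s$w0rd123", "a-long-random-manager-generated-passphrase"):
        print(candidate, "seen in breaches:", breach_count(candidate, server))
    print("prefixes the server saw:", server.requests)
```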

Check to see if your email has already been breached. If you enter your email address on this website by the same creator, you will see whether and where your email address and password have been compromised. You can get notified of any future breaches by clicking the Notify Me tab at the top. This service is built into 1Password already, or you can add it yourself and save the subscription cost by using LastPass.