Crypto security 101
Crypto is the wild wild west. Here's how to protect yourself from bad actors and keep your crypto safe.
This blog post is a not so short explainer highlighting risks when connecting to, using and storing information, details and crypto on the blockchain and the internet.
Blockchain and cryptocurrency networks live online, commonly referred these days as Web3, seen as the foundation for the next frontier of the internet. When we connect to the internet, our connection security may differ depending on the network, type of network and its locations.
There are many types of wireless networks we all connect too. To fully understand the security pros and cons of Wi-Fi networks and the risk they carry we must first outline how they differ.
When using an open Wi-Fi network, devices look for an SSID (Service Set Identifier) or a name to them with no lock next to them. When connected to these networks, it is important to remember they are unsecured and wide open - anyone can connect to them. Someone in a coffee shop next to you or across the street can connect to it.
When that happens, malicious users can:
- Intercept your traffic;
- See what you’re doing;
- Websites you’re visiting.
It’s like you were talking in an open room hoping the person next to you doesn't overhear that conversation.
A more secure type of wireless networks you will interact with is a closed Wi-Fi network. An example is when you go to a coffee shop and see the SSID name or the wireless name, requiring a password.
With a password, the communication between your computer and the Wi-Fi network is encrypted. Someone sitting next to you, wouldn’t be able to understand your “conversation”, in other words, what you are doing on the internet. However, the person running that coffee shop (the administrator) can see where you are going and what you are doing (website history).
What is a VPN?
A virtual private network, or VPN, is an encrypted connection service that masks your IP address and protects your personal data. A VPN hides information about your physical locations and secures your digital data through encryption.
When you connect to a VPN, all of your traffic is funnelled from the network you are in (coffee shop) to somewhere else on the internet, before being routed to the destination website.
There is no guarantee after it leaves that exit point (website) the information is protected and that no one can see your personal traffic, but at least on the entry point, it is hidden.
Keep in mind that the VPN provider can see what you are doing. The benefit of using a VPN is that it gets you out of the potentially hostile local network, to somewhere else potentially less hostile.
A coffee shop owner can see what you are doing if you don’t use a VPN; a VPN provider can see what you are doing if you’re using a VPN, so which of the two is the lesser of the two evils is a decision for you to make.
A method of ensuring online accounts are better protected is to increase the number of security layers which must be successfully passed before entry, validation or allowing changes to be made. It is recommended to learn how to secure your accounts with two-factor authentication (2FA) and why it’s safer to use it on your phone through an application, instead of a phone number.
Traditionally, the usual method of logging into an account is using a username and password. It can be described as a single factor of authentication because it’s the only way you’re using it to access an account online.
Two-factor authentication (2FA)
Two-factor authentication creates an extra layer of security using another method of authentication in addition to your usual method. It’s something you know: like a PIN, secret question or keystroke pattern. It can also be a hardware token or an app on your mobile device to authorise a push notification.
Why is 2FA important?
There is a chance that an attacker could learn you’re using a password and guess it for a particular website. If that happens, the attacker would be prompted with that second factor.
If they try to login as if they were you but are not in possession of the hardware token or your mobile device, they cannot get any further.
Why shouldn’t I use my phone for 2FA?
There is a technique that attackers are using that is called SIM swap (more on that in a later section). This is a method of taking your phone number, which is tied to your mobile device and porting it to the mobile device of the attacker. Any phone calls or SMS messages that were meant for you, go to the attacker’s mobile device instead.
The attacker can now get into various accounts that you have that use SMS authentication or that use SMS as a method of recovering an account. For example, the attacker can gain access to your email account by receiving an SMS with the “I forgot my password” and it will be sent to them as a text message. The attacker follows the instructions and resets the password for that email account. They can rinse and repeat that attack and reset all the passwords tied to that email account and phone number.
Crypto, and your phone
Storing crypto on a mobile device can be considered secure to a certain degree provided the value is relatively low, 2FA is enabled and it is more secure than your other alternatives, however it is not the ideal place to store any meaningful or sensitive information. If you currently do not have a secure place to store your crypto, keeping it in a software wallet (app that allows users to receive, send and store their crypto) on your phone is the safest place to do so, versus keeping it in a paper wallet in your pocket.
Keep in mind that there could be vulnerabilities in the software or there could be vulnerabilities in your phone that could expose the private keys from that wallet.
How do I make my phone secure?
Have a passcode lock on your phone. In most cases, that also in turn encrypts the content of that device, so if you lose your phone and someone else was to pick it up, they won’t be able to just log into that phone and unlock it.
Ensure your mobile device is up to date. Every time a patch comes out for Android or Apple, there are security fixes in those updates. Keeping your phone’s software up to date increases the chance of avoiding malicious attacks.
Could I use an old phone?
You may find that an older phone no longer gets updates. It’s recommended you go out and shop for a brand new phone, or at least one that is still supported by the manufacturer.
When devices no longer get updates, they also no longer get security fixes. They still have vulnerabilities that get discovered, but they just won’t be able to defend against those vulnerabilities by applying a patch.
Should I avoid certain apps?
You want to be aware of the apps you install on your phone. There are thousands of apps available in the iOS App Store and Google Play. You need to know that those apps are not exposing personal information, they’re not leaking information about you. Don’t trust, verify.
Uninstall applications that you’re no longer using. If you like to install lots of games that you later get bored with, it’s a good idea to uninstall them. There have been cases where game updates introduced vulnerabilities, exposing information or opening a vector of attack. Keep the bare minimum apps on your phone, those you use on a daily basis from providers you know and trust.
Your email is your central hub for what you do online, such as creating social media accounts or accessing financial services (exchanges, browser wallets).
Most things you do online require an email address. These services need a way to contact you, newsletters need a way to send you information. If your email account is compromised, the attacker gets access to services you are connected to. Securing your email is one of the most important things you can do.
How can I secure my email account?
Most, if not all email providers allow you to take simple steps to increase your email account security, such as:
- Create a strong password
- Use two-factor authentication
- Recovery email address/phone number
Keep in mind that it’s not recommended you add SMS as neither authentication nor recovery method as explained earlier. Another email account as a recovery method is a better option, but make sure it’s secure as well, otherwise an attacker may get access to your primary email account through the recovery email by resetting the former’s password.
There is a technique called Phishing where an attacker finds your email address, who you are and sends you a targeted email. They may ask you to log in to a site where you have that email address. It could be a social media site or an online banking site.
The email may look legitimate, looking like it comes from that service provider they’re impersonating. The attacker’s goal is to get your login information for those services. The email prompts you to download an attachment with malware, or click a link to visit a fake website (which looks like the site being mimicked) and enter your username and password. By doing so, you gave them your credentials, and they will be able to access your account.
The Nigerian Prince
One of the most famous and successful scams is the ‘Nigerian Prince’ which first started through postal mail but has since been going on for decades on email. Known as the 419 scam, in which the victims receive spam email from a person claiming they are a Nigerian Prince.
The particulars may vary: it can be a member of royalty or a simple person, but the plot is that they are to inherit a large amount of money and need your help to offload those riches. For that, they will need more personal information from you, or they may require you to send money to pay for taxes and customs.
This is fake. There are no Nigerian Princes or royal members offering millions of dollars to random people on the internet.
How can I spot an email scam?
Be aware and vigilant. Practise common sense.
Check who is sending that email (the sender). Is it the right email address? Does it come from the service’s domain, such as your-bank.com and not yourrr-bank.com? Make sure the link you are on is the correct URL address on your browser.
Never click on random links. Always enter the url address into your browser manually.
Check for the language used in the email. Oftentimes these are written by scammers whose English is not their first language. Look out for weird sentences and awkward grammar, such as “kindly”.
Check for the email structure. There can be weird spaces and characters, broken images or other elements that look off in the email.
If you are not sure about whether or not the email you received is legitimate, call your bank or service provider in question. Or open a new browser window, go to that service provider’s official website and contact them. Ask them if they send that specific email and they will be able to tell you about the validity of that information.
The best password is one criminals don’t know.
A good password is one that:
- Is unique. It’s not used for other sites or applications.
- Is long. Six characters isn’t enough. Use a minimum of 25.
- Isn’t obvious. Password isn’t a password.
A long password doesn’t need to be hard. It can be a passphrase, a unique long memorable string of words, such as “having-fun-playing-padel-881-ketchup”. Obviously don’t use this example.
Why can’t I reuse passwords?
When you use passwords for the same sites and applications, you are weakening the security of all the accounts of those providers.
Choose strong passwords that are unique for different services so if one site get hacked no other accounts are vulnerable. If your login information is compromised in one service, expect other services using the same password to be compromised as well.
What’s a password manager?
A password manager is software that usually has a main passphrase that unlocks a password vault. They allow for greater security and ease of management with passwords.
A good password manager not only holds your passwords securely, but it may also generate random, strong passwords and login information for sites, apps and newsletters. Examples are 1Password, Last Pass, Dashlane and others.
What is Two-Factor Authentication?
Two-factor authentication, or 2FA for short, is using another method to login to a service in addition to that service’s usual method.
Instead of logging in with just your username/email and password, you are required to also use one of the following:
- PIN (number of digits)
- Secret question
- Keystroke pattern
- Hardware device (YubiKey)
- One-time authentication code (Authy, Google Authenticator)
What is Google Authenticator?
Google Authenticator is software that generates unique 6 digit codes every minute.
The user enters their username and password, and then needs to enter a unique six-digit code from an authentication app, such as Google Authenticator, Authy, Aegis and other similar apps).
By using an authenticator app, you’re giving an additional layer of security to your accounts. Even if a criminal knows your username and password, they will not be able to login to your account with that six-digit code. They can guess, but that would be like guessing the lottery numbers.
You may have heard or read on the news of criminals using a technique known as SIM swapping.
This is a method of using your phone number that is tied to your mobile phone, and porting it to a phone in possession of the attacker. Now any phone call or text (SMS) messages that were meant for you, are going to their phone instead.
SMS is not a good recovery method
The attacker tricks your provider to switch your phone number to a SIM card they have. They can use this to get into various accounts you have that utilise two-factor authentication or SMS as a method of recovering that account.
The attacker goes to your email account and clicks the “forgot my password” link. The system sends a text message to their phone (not yours), they follow the instructions and reset the password for that email account. They will rinse and repeat the attack, resetting various passwords and gain access to multiple accounts tied to that phone number.
Any device that is online can potentially be hacked.
There are different choices available depending on how you want to store cryptocurrency. You can keep it on your mobile phone or desktop computer. These devices can be hacked and result in a wallets private keys being stolen.
The evolution of security around cryptocurrency resulted in the development of the hardware wallet.
What is a hardware wallet?
A hardware wallet is a physical electronic device designed to protect cryptocurrency funds by securing an individual’s private keys offline, where they are less vulnerable to attacks.
You can disconnect it, keep it offline, store it in a safe or bank vault someplace. Even if your storage device gets hacked or is compromised, there would be no way for a criminal to jump from that piece of technology into a hardware wallet that’s kept offline.
Hardware wallets typically have screens on them and the ability to enter a physical passcode to unlock them before they can be utilised in a piece of technology like your mobile phone, desktop computer or laptop.
What if I lose my hardware wallet?
Hardware wallet manufacturers have a list of key phrases that can be utilised to restore another hardware wallet.
The typical use of a hardware wallet is that when you first initialise it, you will be prompted to create a list of 24 words (amount may vary depending on manufacturer). This list is known as a seed phrase, or recovery phrase. It’s a list of words that are used to restore a lost or broken hardware wallet.
Make sure you keep the list in a safe place, separate from the hardware wallet. In the event that something was to physically happen to the hardware wallet (drop it, lose it), you want to be able to restore that wallet to a new piece of hardware.
If you have a hardware wallet and have no backup, no way to restore it via that list, and you physically lose it, your cryptocurrency is gone forever.
Are hardware wallets secure?
Just like with any piece of technology, hardware wallets are only going to be as secure as the quality of hardware design and software running on them.
Wallet manufacturers release firmware updates to close security vulnerabilities, to prevent wallets from physical attacks to extract the private keys.
As with any other piece of technology that you own and want to keep safe, it’s important that you maintain knowledge of the physical possession of that hardware wallet. Anyone that has physical access to that hardware wallet could potentially extract the contents of that wallet and your private keys.
YubiKey is a two-factor authentication hardware that, when used in conjunction with strong security measures, can enhance safety.
What is a YubiKey?
A YubiKey is a piece of hardware, typically small, that you can plug into the lightning adapter of your phone, into the USB-C or old USB port of your computer.
The YubiKey is used as a second factor of authentication. When you login to a site, type your username and password and plug in your YubiKey as an additional security measure.
Once it’s plugged in to the device, you tap a connector, usually a piece of copper on the side, which prompts YubiKey to generate a one-time password and input that two-factor field on that system.
Most people have a home network. It’s usually a Wi-Fi network, a wired network in their home they use daily for all sorts of things online, like working, social media, etc.
You need to secure that network, and ensure that no one is able to gain access to the network. If they do, they can get access to everything else you’re doing. They can get access to your computer, see the traffic you’re sending across the network, and others.
How can I keep my network secure?
Maintaining and protecting your home network is a security must, since so many other data access points are connected to it.
Make a checklist and go through it when you have to set up a home network. You don’t want it to be an open Wi-Fi network, nor name the SSID as your address or last name. You want to secure that wireless network with WPA2 that the password you’re using to connect all your various devices to that Wi-Fi network is long and complex.
- Password protect your network
- Give the network a unique name
- Secure the network with WP2
What type of devices can I connect?
The network is only going to be as secure as the things you connect too. If you are using a smartphone or computer, you’re probably ok. But you need to be careful with Internet of Things (IOT) devices. These are devices that are connected to the internet and may “talk” to other devices on a network.
You may be compromising the security of your network when plugging IOT devices to your network. These devices can phone back to their cloud services and may have remote control capabilities.
You have therefore extended the security of your home network to all those various providers. If one of those providers is laxed in their security, or worse, is known to spy on their consumers, then you now have exposed your own network and personal life to those services.
When using the internet, browsing on different websites, you’ll often be inundated with ads. You’ll see them along the sides of your browser, above, below and in-between website content.
What do ad blockers protect me from?
Ads on websites are often served by third-parties. The reason you want an ad-blocker is not just because you don’t want to see them, as ads all over the place make for a poor user experience. But also, you want to block ads because even though the website you are on may be reputable, ads from third-parties could be injecting malicious content into your browsing session.
There have been cases where a well-known media company was using third-parties to serve up ads, those third-parties were hacked into, and in turn, were pushing malicious content to users visiting that legitimate media company.
Ad blockers, in short:
- Protect privacy;
- Provide better UX;
- Protect from malvertising;
- Save bandwidth.
Ad blockers limit your exposure
In many cases, ads will also drop cookies in your browser that can be used to track where you browse on the internet. So if you visit site X for 30 minutes, close your tab and go to site Y, the same ad provider is serving up ads. They know that you visited site X and later visited site Y because of those cookies.
Having an ad blocker in your browser is a good personal security measure as it limits your exposure and attack surface when doing your normal day-to-day activities online.
Securing your browser is an essential part of strong crypto security.
The browser is the most used piece of software to access the internet, so criminals focus on browser vulnerabilities that can be exploited.
What is Cyber Hygiene?
Cyber hygiene is the practice and steps that users take to maintain system health and improve their online security.
There are tasks you do on a daily basis: wake up every morning, brush your teeth, make your bed, wash etc. You maintain certain habits to keep your body clean and with good hygiene. By the same token (no pun intended), updating software on your computer, phone, your browser, are the type of cyber hygiene things you do as best practices.
If you neglect these good habits, you are exposing your browser and potentially operating system. Just like when you don’t brush your teeth, don’t get exercise, or practise other healthy habits, not following a good cyber hygiene routine can result in loss of information and money.
Is it safe to use browser extensions?
There are applications that can run in your browser. These are typically called extensions (eg.: Chrome or Edge) or addons (Firefox).
Some extensions exist for security purposes, such as ad blockers and cookie cleaners, others for productivity or visual purposes. And then there are those that exist specifically for cryptocurrency, which are browser wallets like MetaMask or Phantom.
Two things to keep in mind when using extensions:
- Only download reputable extensions from trusted sources
- Keep extensions updated to protect against vulnerabilities
HTTP vs. HTTPS
Hypertext is the content you view in your browser. It’s the method of transferring that content between a server on the internet into your browser.
HTTP by itself sends that communication in the clear, it’s not encrypted between you and the web server.
HTTPS, where the S stands for secure, uses a different protocol. It encrypts the transmission to and from the server.
When sending and receiving important information from a web server, it should be one from an HTTPS address and not an HTTP address. This is something you can spot at the top of your browser. If it shows a (usually green) locker icon, it’s safe. If it shows “not secure”, that information could be intercepted on the internet, on your local network, your ISP or from someone somewhere along the path.
While you may not need to know everything as described in this post, it will help if you are at least acquainted with some of these concepts.
Following this short list of practices will improve your security by 90% better than most people:
- Use unique, different passwords for services you use;
- Incorporate two-factor authentication (2FA) for logins;
- Don’t trust links in emails and messages from strangers;
- Get a hardware wallet (Trezor, Ledger) to store your crypto;
Crypto Security 101 (rabbithole.gg)
How to avoid getting scammed in crypto (basis.markets)