So you own some cryptocurrency but is it really yours? I wrote this guide to show you how to keep your coins more secure.
Welcome to the world of cryptocurrency! The first thing have to understand and remember at all times is that you are your own bank. You are responsible for the safe keeping, depositing and withdrawal of your money. It's not insured and if you make a mistake, it's gone! There is no recourse, the police can't do anything, the developers can't help you and this includes accidents and malicious actions.
Where your funds are stored.
To store and use cryptocurrency you need a wallet, you might think of this as your crypto account. Your wallet will have a public key, this is your address where you send, receive and store money. With your public key you'll get a private key, this is used to unlock your public key. Your public key is visible to anyone and your private key is something that you never share. Think of your public key as your house and your private key... well your keys to the house.
Additionally your wallet will also generate a seed for you. The seed is a string of up to twenty four random words which is used to back up and restore your wallet should you ever lose or delete the wallet or the device your wallet is stored on (desktop/laptop/phone.) It's important that this seed is never shared and stored securely. Anyone with access to this seed has access to your wallet. If you lose or destroy your wallet, it and it's contents are gone forever without your recovery seed.
Where to get your cryptocurrency.
Cryptocurrency can be bought, traded or earned. The most common point of call for people wanting to start off with cryptocurrency is at an exchange. This is where Fiat (government issued money) and cryptocurrency may be exchanged and traded. Reputable exchanges require identity verification and have multiple layers of login security so it's easy to assume that these exchanges are secure.
You should however always consider that this industry is unregulated. You don't know the developers or the owners of these exchanges and cryptocurrency may not always be the right side of government approval. Exchanges can be forcibly shut down by governments, hacked, hi-jacked, close down taking all of your currency or they might just outright steal your currency.
Exchanges, will never issue you a private key or your seed. Due to this, you must consider that any currency you hold on an exchange as not belonging to you. You only have access to the exchange because they have granted you permission. At any point, permission may be revoked, access denied and you lose everything. You can minimise your exposure to this risk by only keeping money on an exchange if you're trading. As soon as you have finished, move it off. Of course, if you're actively trading you have no choice but to keep your trading assets on an exchange.
In addition to their ambiguous status using an exchange means you are at additional risk to:
1) Phishing Websites. Thieves will frequently run ads for exchanges which leads the user to a fake site. These sites will look exactly the same but with a very slightly different name. These are used to steal your credentials so if you navigate to an exchange by Search Engine, never click on the ads and always check your links!
2) Phishing Emails. These have been around since forever but still trick many people into giving away their log-in details.
Exchanges might offer SMS confirmations, email confirmations and 2-Factor Authentication. Some exchanges even offer a Vault facility. Usually this requires authentication from a secondary email for any transactions and a time delay before funds are moved.
These security measures might protect against unauthorised access and withdrawals, however they offer no protection against an exchange simply deciding that they've had enough and decide to close down taking everything with them.
Exchanges to consider might include:
If you want to move your money off an exchange you need to have a your own wallet. Wallets come in four forms with varying degrees of utility, convenience and security. Which ever wallet you decide to use they will all issue you your public key, your private key and your seed. These are now your responsibility to secure.
1) Desktop and Laptop.
These are the least secure wallets as they are the most vulnerable to viruses and trojans. This is especially true for Windows devices. As the value of cryptocurrency appreciates, scammers are on the look out for easy access wallets on these devices. Not only are these vulnerable to malware, they can be stolen and are subject to hard-drive failure.
Mobile devices are more resistant to malware, however they are not invulnerable. A known method of attack is for scammers to upload fake or misleading wallets which allows them to steal your user name, passwords and funds. They are also frequently lost, stolen and damaged.
Paper wallets are simply your public and private keys printed on a piece of paper. The public address is printed in the form of a QR code so that it can be scanned by devices and funds sent to the address. The advantage of a paper wallet is that your private keys don't exist digitally anywhere so can't be hacked or corrupted. The disadvantage is that paper is fragile and degrades easily.
Warning: The computer and printer used to generate the paper wallet may still contain the keys in the form of temp files or even in the printer's cache/spool. Of course, if you created a paper wallet on a compromised device, it's game over for you from the very start!
You can generate a Paper Wallet at bitaddress.org
When you start to accumulate a significant amount of currency, you really should consider buying a hardware wallet. These are very specialised and secure USB devices which allow you to access your wallet securely, even if your computer or phone is infected with malware.
The Ledger Nano S requires that you physically enter your PIN on the device.
Hardware wallets like the Trezor or Ledger require that they are present and plugged into your device. To access your account or to make any transactions, you must use the hardware wallet to type in your passcode. A malicious agent monitoring your desktop activity or keystrokes might be able to grab the address you're logging into and the amount, but would not be able to take control of the Hardware wallet device and its private keys. The only way anyone can get your funds is to make you very sorry for not handing them over to them.
The placement of the numbers are displayed on the Trezor device and their locations are always randomised.
How can I trust my hardware wallet?
The Trezor uses open source code. This means that their firmware is open and transparent for anyone to inspect. Ledger's firmware is not open source as a NDA prevents them from revealing it, however their wallet is open sourced and can be inspected here.
If you're buying a hardware wallet make sure that you buy it from their official site. There is a risk that buying from a third party means that you receive a compromised device.
Update: January 07th 2018.
Do NOT buy a hardware wallet from 3rd party sellers! A Reddit user named moodyrocket reported on Reddit that they bought a Ledger Nano S from eBay, which unknown to him was compromised. Subsequently he lost £25,000 which he thought was stored safely on his device.
How did this happen? The Ledger Nano S he bought had already been activated. The seller noted down the seed words and mocked up a fake 'Recovery Sheet' with scratch off silver paper.
The seller was then able to scan the wallet to check for any deposits. Once it was confirmed that there was a balance, all they had to do was recover the wallet onto another Ledger using the seed words that they had provided to moodyrocket. From there, all they had to do was send the money to another wallet and which then left a moodyrocket out of £25,000.
An uncompromised device would have generated the seed words and requested that the user write them down the provided blank recovery sheet. Presumably, if you're buying a hardware wallet you have significant amounts to store. Don't risk it all buy trying to save a few pounds on eBay or any other site which isn't the official manufacturer's site.
End of update.
But can't they run off with my money?
No, hardware wallets aren't bank accounts, they don't hold your money. All they do is provide a secure means (web portal and physical device) to access your public address.
What about my Private Keys?
Both the Ledger and the Trezor devices hold your private keys. For security reasons you cannot view them or extract them from the device. They are protected by your PIN.
How to secure your Seed.
There are varying lengths you can go to to secure this. The most common is to write it down on paper and hide them. However paper can get wet, burned and ink can get smudged or fade. You can increase durability by storing your seed as a image or document on an encrypted USB or burn it onto a CD/DVD/Blu-Ray however these also suffer from environmental factors. The most durable form is to etch the words onto a metal plate. It is also known to store seeds in actual bank vaults. Whichever method you choose, it's recommended that you have multiple copies at different locations.
Two factor authentication adds another layer of security to your accounts. When you enable 2FA, you will be required to input another code after you've entered your password. 2FA generates a single use code which is dynamic. This means the code will change constantly and can only be used once. The code is delivered to you via SMS, eMail, phone call or an App. You can click here for a detailed breakdown of 2FA. It's recommended that you choose 2FA via an App like Google Authenticator or Authy as it's well known that phone numbers are easily stolen and SMS can be intercepted. How To Geek have a great article explaining these vulnerabilities.
Never use a pubic wifi to access your accounts as this leaves you vulnerable to wifi eavesdropping and man in the middle attacks. It's relatively easy for bad actors to set up false wifi access points with the sole purpose of stealing usernames and passwords. Rather than an unknown wifi, it's better to tether to a trusted mobile device. If you must use a public wifi, use a reputable VPN service like Private Internet Access. A VPN creates a secure tunnel between yourself and the websites you're interacting with - local networks and internet providers won't be able to monitor your activity.
Practise safe browsing on the device you use to access your money, run regular thorough malware scans to make sure the machine hasn't been compromised.
Also, never buy any wallet from eBay or Craiglist - unless you really don't care about your money!
Don't make it easy for them.
As with everything with utility, there's always a compromise between security and convenience, I hope that this guide demonstrates just how important it is to take your own security seriously. Without any protection or regulation, there are plenty of bad actors waiting to scoop up easy money - make them work for it!
About The Author.
Lester Lee. "I've accidentally held some cryptocurrency since 2014. The only financial advice I can give is 1 Be rich, 2 Don't be poor."
The content of this article does not reflect the official opinion of Fierce Edge.