“How can I keep my Bitcoin safe?”
It’s the most common question we get asked here at Coin Street. Crypto security is a hot topic.
As the price of various cryptocurrencies continues to rise, more and more people are investing in digital assets. And it’s clear from the hundreds of emails we get on this topic that the security of your digital assets is the biggest concern you have.
Here’s the good news. It’s not difficult to dramatically improve your security.
And to give you the peace of mind you deserve, we’ve put together a complete step-by-step guide to keeping your cryptocurrency safe.
Remember, there’s nothing inherently insecure about Bitcoin or cryptocurrency. The security risks are not due to the blockchain technology itself, but rather old-fashioned theft.
As our friends at Chainalysis note, the security risks you face can be grouped into four categories: phishing, exploits, hacks and Ponzi schemes.
(photo credit Chainalysis)
The good news is that if you follow the simple steps in this Guide, you’ll greatly reduce your chances of falling prey to any of these.
One point needs to be made clear.
YOU are responsible for the security of your own digital assets.
Unlike traditional investments like stocks and bonds, there is no regulated and insured institution whose job it is to keep your assets safe.
Unlike tangible assets like gold, digital assets aren’t “stored” anywhere. Cryptocurrencies like Bitcoin exist only as entries on a shared ledger. Coins are received at an address, and they can only be spent by whoever holds the key that controls that address.
Take Bitcoin for example:
Every Bitcoin address is backed by a pair of keys: a “Public Key” and a “Private Key.”
The Public Key is what your Bitcoin address is derived from. It can be shared freely as the place where you want to receive Bitcoin, much like an email address. The main point is that knowing your Public Key (or your address) lets someone send you Bitcoin; it doesn’t let them spend any.
Contrast that with your Private Key. This key is what enables someone to move Bitcoin out of a wallet and send it elsewhere. So whoever has the Private Key has control of the contents of that wallet.
Note, for a more in-depth explanation of Public and Private Keys, check out our Crypto Terms in Plain English post.
So ultimately securing your digital assets all comes down to keeping your Private Key safe.
Before we discuss how to keep your Private Keys safe, you must take some basic security measures.
Honestly, these really aren’t just for cryptocurrency. Anyone with an online presence should implement these.
Before we go any further, you need to make sure your computer itself is secure and free from viruses.
The easiest way to do this is to install Malwarebytes and run a full scan.
Once you’ve done that, you can move on to Step 2.
The next step to take is to ensure that your computer is running all the latest manufacturer software. This means you should download and install all system updates and security patches.
This isn’t difficult to do – simply follow the easy steps in these links:
Now that your computer is up to date and free of any nasty viruses, it’s time to talk passwords.
Hands up if you’ve been using the same password for more than 6 months? A year? Longer?
Ok, how about this one. Do you re-use the same passwords for multiple sites?
Don’t feel bad, you’re in good company as the vast majority of us either use weak passwords or reuse passwords. I know it’s a major hassle to use strong and updated passwords.
And that’s where a password manager comes in.
A password manager will create and store secure, random passwords for all your accounts. Your (now super strong) passwords live in a vault that is encrypted on your own device with a key derived from your master password before it is synced to the provider’s servers, so not even the provider can read it. It’s incredibly convenient. Now you only need to remember the one “master” password that you use to unlock the vault.
It’s pretty simple to set up.
First, you download and install an extension for your browser. Google Chrome is our preferred choice.
To set up your account, you’ll use your email address and you’ll need to come up with a master password.
Now, given how important it is to keep your “vault” safe, you should make this password crazy strong. Make it long rather than clever: a passphrase of several unrelated words is easier to remember and harder to guess than a short word with a couple of numbers and symbols swapped in. And never reuse it anywhere else.
Remember it, but also write it down and keep that copy in a secure physical location.
Next, you tell the password manager about your various accounts. You can import passwords you have stored elsewhere or store the details the next time you log-in to a site. This will create your “vault” of stored passwords.
Now when you need to log in to any of your stored sites, you’ll see the small red square at the top right of your screen. This shows you that LastPass has recognized the site and has your details ready to go.
All you need to do is click on the small grey box in the login field and LastPass will offer to log you in using the stored details. Click the pop-up and LastPass fills in the username and password for you.
Which password manager is best? We recommend LastPass. It’s easy to use, well established, and your vault stays encrypted with your master password.
Even better, LastPass lets you add two-factor authentication to the vault itself (we’ll discuss 2FA next).
Creating ultra-strong passwords (and freshening them up every so often) is a must-do. But even that leaves you open to risk.
The next step is to enable Two-Factor Authentication — or 2FA — on your most valuable online accounts.
Think of 2FA as a second layer of protection over and above your password.
It’s pretty simple. The most common kind of 2FA is a One-Time Password (OTP) generated by an authenticator app. (A hardware security key is stronger still, but app-generated codes are what’s most widely supported.)
This is a short, usually 6-digit, number that you enter after you’ve logged in with your normal username and password.
Here’s the catch.
The OTP changes every 30 seconds (it’s computed from a secret shared with the site plus the current time), and you need the mobile app, such as Google Authenticator, physically with you to get the current code.
Here’s one very important warning. Make sure you disable the option of receiving your 2FA or account-recovery code by SMS text message. We’ll discuss it more later, but for now just understand that it’s easy for hackers to take control of your phone number. That lets them “recover” access to your secured account with nothing more than that number. So avoid SMS for 2FA, especially on anything of value.
So even if someone steals your password, it’s useless unless they also have your phone. One caveat: a phishing page can ask you for the current code and relay it to the real site inside the 30-second window, so 2FA limits the damage from a leaked password but doesn’t replace the phishing precautions further down.
We like the Google Authenticator app. It’s easy to install on both iPhone and Android and works with all major online sites that require that extra level of security (hint – any website you use for cryptocurrencies!).
For a step-by-step guide on how install and use Google Authenticator, you can check out the official Google guide here.
Once you have the Google Authenticator app installed on your phone, it’s time to visit each of your accounts and enable 2FA protection. The process differs on each website, but the option is usually found in the Settings or Security section of “My Account”. Most sites also hand you backup or recovery codes at this point: write them down and store them offline, because if your phone is lost or wiped those codes are your way back in.
The fifth and final “basic” security step you should take is to secure your phone.
First up, make sure you require a password or pin to unlock your phone. That way if it’s ever lost or stolen, there’s a secure wall between a potential hacker and sensitive information.
The final thing to address is kind of shocking. It turns out hackers are contacting cellphone carriers and tricking them into transferring or “porting” your phone number to a new device.
Why would they want to do this?
Think for a minute about the last time you tried resetting your password on a website. It probably sent you a confirmation code to ensure that the password reset was valid, right? And, often, I bet one of the options was to receive that code by SMS or text message.
Now you see the damage a thief could do if they got those codes on their newly-ported cellphone. Instead of yours.
Poor Cody Brown had $8000 of Bitcoin stolen using this method – you can read his story here.
Unfortunately, there’s no perfect way to avoid being the victim of phone porting, since each cell provider has its own procedures and security requirements. Most carriers will, however, let you set a port-out PIN or account passcode that has to be given before your number can be moved; call yours and ask for it.
For a more detailed analysis of preventing phone porting, read Kraken’s excellent blog post.
Now that you’ve finished your basic online security improvements, it’s time to talk crypto safety.
As the value of cryptocurrencies goes up, so does the chance of being a theft target.
One of the most common ways to fall victim to crypto theft is through phishing. “Phishing” (pronounced “fishing”) is where a legitimate-looking website tricks you into giving away your important security information, here most likely your passwords and Private Keys.
The most common examples are where you click on a link in an email, chat message or website. The link takes you to a website that looks authentic but is in fact a clone set up by the thief. Online banking sites used to be the most common target for phishing attempts. But now cryptocurrency wallets are being targeted.
Here’s a recent example for the cryptocurrency Omisego. This link was shared around various social media sites.
As in the Omisego example, you can spot a phishing site by the incorrect website URL (here it was a .com.co domain rather than the real .com). Unfortunately, sometimes these URLs are so close that it’s tough to spot the fakes.
So how do you avoid being a Phishing victim?
There are a few easy steps you can take.
First, avoid clicking on links that you see on websites or in messages. This may sound hard, but you shouldn’t be relying on links like these to take you to your most trusted sites.
This leads us on to the second precaution.
There will be a short list of “core” sites you use most often. Maybe it will be Coinbase (for buying cryptocurrency), Bittrex (for trading) and an online transaction searching site such as Etherscan.
Whatever your list looks like, there’s no reason why you should be clicking on links or using Google to get there. Instead, use bookmarks. The first time you visit the site, double and triple check the URL and then save the URL to your Bookmarks.
Then always, ALWAYS, use the bookmark going forward. No more Google, no more links from Facebook and no more typing the address in by hand: a single typo can land you on a lookalike domain registered for exactly that purpose.
Remember when we said you should be using a password manager like LastPass? As an added bonus, it helps protect you against phishing sites.
When you visit a site that’s stored in your vault, LastPass recognizes it and offers to fill in the login fields.
LastPass isn’t fooled by URLs that merely look ‘similar’: it matches the exact domain saved in your vault and won’t offer autofill on a lookalike. So if you’re on a login page you use every day and the autofill prompt doesn’t appear, stop and check the address bar; that alone is a red flag that you’ve landed on a phishing site.
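The rule the password manager is applying is simply “exact host match, nothing less”. The following added example (not the post’s or LastPass’s code) implements that rule over a constructed bookmark list and labels the common ways a phishing URL imitates a real one, including the .com.co trick above, misspelled brand names, punycode hosts and the user-info trick where the real host hides after an @ sign. The registrable-domain logic is simplified to the last two labels; real code would consult the Public Suffix List.

```python
"""Exact-host checking, the way a password manager decides whether to autofill,
plus labels for common phishing look-alikes.

Added illustration, not the post's or LastPass's code. BOOKMARKS and the sample
URLs are constructed for the example; _registrable() is simplified to the last
two labels (real code would use the Public Suffix List).
"""
from urllib.parse import urlsplit

# The handful of hosts you verified by hand once and then bookmarked.
BOOKMARKS = {"www.coinbase.com", "bittrex.com", "etherscan.io"}


def host_of(url: str) -> str:
    """The host the browser will actually connect to. Anything before an '@'
    is user-info, not the host, which is a trick phishing links exploit."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def _registrable(host: str) -> str:
    return ".".join(host.split(".")[-2:])


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch c0inbase / coinbsae style spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def autofill_allowed(url: str, bookmarks=BOOKMARKS) -> bool:
    """Byte-for-byte host match. 'Looks similar' is never good enough."""
    return host_of(url) in bookmarks


def classify(url: str, bookmarks=BOOKMARKS) -> str:
    """Explain why a URL did or did not pass the exact-host check."""
    host = host_of(url)
    if host in bookmarks:
        return "trusted"
    if any(_registrable(host) == _registrable(b) for b in bookmarks):
        return "same domain as a bookmark, different host"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels) or not host.isascii():
        return "non-ascii or punycode host"
    brands = {_registrable(b).split(".")[0] for b in bookmarks}
    if any(brand in host for brand in brands):
        return "brand name inside another domain"
    sld = labels[-2] if len(labels) >= 2 else host
    if any(_edit_distance(sld, brand) <= 2 for brand in brands):
        return "lookalike spelling"
    return "unknown host"


if __name__ == "__main__":
    for u in ("https://www.coinbase.com/dashboard", "https://www.coinbase.com.co/login",
              "https://c0inbase.com", "https://pro.coinbase.com",
              "https://www.coinbase.com@evil.net/", "https://xn--cinbase-pya.com"):
        print(f"{u:45} autofill={autofill_allowed(u)!s:5} {classify(u)}")
```

Only the first URL gets autofill. Everything else is refused, even `pro.coinbase.com`, which is a legitimate subdomain but not the host you bookmarked: the manager would rather make you look twice than guess on your behalf.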
The final piece of advice is simple. Don’t EVER give out your Private Key online. It’s yours and no other website has any reason to need it. If a site asks you for your Private Key it should set off alarm bells in your head.
Think of it like someone asking for your debit card PIN number, your social security number and your mom’s maiden name all at once.
Just don’t give it out. Seriously.
A web wallet is any service where a third party holds your Private Keys for you. We get it, these are convenient. But your Private Keys are stored online, outside your direct control, so a breach of the provider (or of your account with them) is a breach of your funds.
If it’s absolutely necessary to use a web wallet, do your research first and only choose a service with the very best reputation for security.
Even then, only use web wallets like your checking account. Only keep the smallest amounts that you need in the very near future. Anything above this should be stored in more-secure ways.
Mobile wallets are either web wallets wrapped in a smartphone app, or apps that keep the keys on the phone itself. Either way the keys sit on an internet-connected device that is easy to lose and easy to infect. If your phone is lost or hacked and you haven’t backed up the wallet’s recovery phrase, your funds are gone forever. These may be useful for small amounts of “spending cash” but nothing more.
What applies to Web Wallets applies double to Mobile Wallets.
Online cryptocurrency exchanges are a necessary evil. At some point you’ll want to trade some of your base currencies (Bitcoin or Ethereum) into other assets. And that’s where an exchange comes into play.
It’s unrealistic to think that you’ll never leave currency on these exchanges. How else are you going to be able to take advantage of price dips if you don’t have funds available to invest?
Unfortunately there have been many high-profile thefts from exchanges (see Mt. Gox and BTC-e).
So how do you protect yourself against exchange theft while still being able to trade? The same rule as for web wallets: keep only what you’re actively trading on the exchange, protect that account with a unique password and app-based 2FA, and withdraw the rest to storage you control.
We’ve spent long enough talking about what not to do. Now it’s time to discuss how you should keep your crypto safe online.
Using a desktop wallet is far more secure than web or mobile wallets. Here, you store your Private Keys on your local machine, not online. You still run the risk that your computer gets infected with malware, or that someone hacks in, and your Keys are stolen.
One way to further protect yourself is to encrypt your wallet using a very strong password. It’s best not to trust this password with an online password manager. Instead pick a password that is long but that you’ll remember. Next, write it down somewhere offline. Make multiple copies of the written-down password and store them in separate physical locations.
As we explained above, you’re still vulnerable to attack even when using a Desktop Wallet.
For that reason, it’s better to keep your Private Keys in an offline location. This is what’s known as “Cold Storage”.
For the 99.9% of time that you don’t need access to your Private Keys, they stay away from the internet. It’s only when you need to make a payment or transfer online that you expose the offline location to the internet. Compromising a cold wallet is very difficult without physical access to the device.
The most secure cold storage systems are paper and hardware wallets.
A Paper Wallet is exactly what it sounds like. You store your Private Keys on a physical piece of paper. Creating a completely secure paper wallet does require some technical knowledge. Here is a guide that walks you through the process of creating a secure paper wallet step by step.
The paper wallet process is complex. So we prefer storing Private Keys on a Hardware Wallet.
Hardware wallets have become very popular. And it’s because they provide cold storage without any technical knowledge. Even better, the setup process is very simple to follow.
These are small purpose-built devices, usually plugged in over USB, that run their own dedicated firmware. Their only job is to generate and protect your Private Keys, and the keys never leave the device, even while it’s connected to a computer that is online.
When you want to make a transaction, you attach the hardware wallet to an online machine. The computer hands the unsigned transaction to the device, the device signs it internally with the Private Key, and only the signature comes back. That way, even if the computer is infected with malware, your Private Keys can’t be read from it. What malware can still do is alter the transaction before it reaches the device, which is why you confirm the destination address and amount on the device’s own screen before approving. Even better, no personal information is required to set up a hardware wallet, so there’s no personal identifying data that can be leaked.
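The two ideas this guide rests on, that the Public Key is derived from the Private Key but not the other way round (the Public/Private Key section above) and that a hardware wallet signs inside the device so the computer only ever sees a signature (this section), are easiest to see in working code. The following is an added example for this guide, not code from the post or from any wallet vendor’s firmware: a plain standard-library implementation of Bitcoin’s curve (secp256k1) with key derivation, ECDSA signing and verification, and a `HardwareWallet` class that models the trust boundary. The curve constants are secp256k1’s published parameters, the private key in `demo()` is the well-known Bitcoin-wiki test value, and the “transaction” is a constructed byte string standing in for a real one.

```python
"""secp256k1 key pair, ECDSA signature, and a hardware-wallet trust boundary.

Added illustration, not the post's code nor any wallet's firmware. Curve
constants are secp256k1's published parameters; the private key in demo() is
the Bitcoin-wiki test value (never use a published key); the 'transaction' is a
constructed stand-in.
"""
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Curve point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:                          # p == -q
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def public_key(private_key: int):
    """Public key = private_key * G. Cheap this way round; recovering the private
    key from it is the discrete-log problem, so the public key (and the address
    hashed from it) can be handed out freely."""
    return _mul(private_key, G)


def _z(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key: int, message: bytes):
    """ECDSA (r, s); only the private key can produce this. The nonce is derived
    from key and message, a simplification of RFC 6979 (which real wallets use):
    a repeated or predictable nonce would leak the private key."""
    key_bytes = private_key.to_bytes(32, "big")
    k = int.from_bytes(hmac.new(key_bytes, message, hashlib.sha256).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (_z(message) + r * private_key) % N
    return (r, s)


def verify(pub, message: bytes, signature) -> bool:
    """Anyone holding the public key can check a signature; nobody can forge one."""
    r, s = signature
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = _add(_mul(_z(message) * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


class HardwareWallet:
    """Device side: the secret lives only here. The only things that ever cross
    the cable outward are the public key and signatures."""

    def __init__(self, private_key: int):
        self._secret = private_key

    def public_key(self):
        return public_key(self._secret)

    def sign_transaction(self, unsigned_tx: bytes):
        # Also returns what the device's own screen shows. The user must compare
        # it with what they intended: a compromised host can swap the destination
        # before the transaction reaches the device, and the device can't know.
        return unsigned_tx.decode(), sign(self._secret, unsigned_tx)


def demo():
    """Host side: unsigned transaction in, signature out, never the key."""
    priv = 0x18E14A7B6A307F426A94F8114701E7C8E774E7F9A47E2C2035DB29A206321725
    device = HardwareWallet(priv)
    tx = b"pay 0.1 BTC to 1ExampleDestinationAddress"       # constructed
    tampered = b"pay 0.1 BTC to 1AttackerSwappedAddress"     # constructed
    shown, signature = device.sign_transaction(tx)
    return {"shown": shown,
            "valid": verify(device.public_key(), tx, signature),
            "tampered_rejected": not verify(device.public_key(), tampered, signature)}
```

Two things to take from `demo()`: the host never touches `priv`, it only gets a public key and an `(r, s)` pair, so malware on that host has nothing to steal; and a signature is bound to the exact bytes that were signed, so a transaction altered after signing fails verification. The one gap left is a transaction altered before signing, which is exactly what the on-device screen is there to catch.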
TREZOR: this is like the Nano except that it offers a screen. This means you can confirm transactions on the TREZOR itself, meaning it can still be used even if the computer it’s plugged into is infected. Buy TREZOR on Amazon here.
This has been a long post. But don’t use that as an excuse for not improving your online security right now.
Remember, you don’t have to be perfect.
The goal is simply to make yourself a harder than average target. There will always be theft and people will always fail to take even basic security steps. Just make sure it’s not you.
When you’re being chased by a bear in the woods, you don’t need to be faster than it is. Just faster than the person running next to you!
Seriously, stop what you’re doing right now and protect yourself.
I hope you’ve found this Ultimate Guide helpful (and it saves you from being a victim of theft).