In our hyper-connected cyber world, how does one keep safe online, especially when it comes to crypto security?
Threats to crypto security fall broadly into two categories: internal and external. Internal threats are the ways a holder can lose their crypto through their own mistakes. External threats come from malicious third-party actors.
Crypto holders need to practice extra caution to protect their private key from both internal and external threats.
We have all heard countless stories about early crypto adopters who would hold massive fortunes had they not fallen victim to a security breach, whether through their own doing, such as losing access to a hard drive, or through some sort of external security breach. With the increasing popularity and adoption of crypto, the need to digitally safeguard wealth and personal information has never been higher.
Before delving into security measures specific to crypto, it is important to note general cybersecurity best practices.
In particular, things that one can do to improve security include:
Using a dedicated email address for logins improves privacy and security on the internet. Websites usually ask for an email as the “username” for authentication purposes – you can set up a special email specifically for websites that deal with financial-related activities. This way, you can keep that email address private and hide your username from the public. Most people use their public-facing email address as their username for most websites, which can give a potential attacker a starting point to try to compromise your account.
Setting up multiple email addresses may seem inconvenient, but most email services allow you to forward emails received to a separate email address. This way, you can have emails from your special dedicated email address be forwarded to your regular public-facing email, avoiding the need to manage each email address individually. This type of “layering” provides extra privacy and security on the internet.
Using a unique password on every account is crucial: if a website gets hacked and your password is stolen, the attacker will often try the same login combination on other websites. Password managers act as a vault where your passwords are stored and encrypted, making it easier to manage unique passwords. Lastly, enabling multi-factor authentication whenever possible provides an extra layer of security for your accounts.
As centuries of philosophers and a myriad of motivational YouTube videos have described, “to overcome adversity is to overcome oneself”. There is no other place where that quote is as true as it is in the crypto world. Beginners in crypto often put an emphasis on defending against external threats but fail to take adequate measures to guard their crypto assets against their greatest threat ... themselves.
A crypto holder is much more likely to lose their crypto as a result of their own mistake with crypto storage than to have someone steal it from them. Examples include not properly storing seed phrases, or throwing out a hard drive where the private keys are stored.
With today’s crypto storage technology, most wallets (whether hardware or software) allow the user to control their private keys (also called “non-custodial” wallets) and use a “seed phrase” to secure the wallet.
This seed phrase is a list of 12 or 24 English words in a specific order and can be used to regain access to a wallet if the wallet device or app gets corrupted or destroyed. For the seed phrase, users must ensure they follow the instructions and not try to invent their own scheme to secure the seed phrase.
Breaking up a seed phrase into three segments, where each segment contains two-thirds of the seed phrase, may seem like a good idea, but it's not. This means that for a 24-word seed phrase, even one segment would contain 16 words, leaving only 8 unknown.
A minimum of 12 words is required to prevent a brute-force attack. Therefore, a skilled attacker could eventually recover the remaining 8 words by guessing at random. If this is done with a 12-word seed phrase, any one segment would only be missing 4 words, which would be very easy to brute force.
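The arithmetic behind the two-thirds split described above, as an added example that is not part of the original article. It assumes the standard BIP-39 encoding (a 2048-word list, so 11 bits per word, plus a short checksum); the function names are illustrative.

```python
# Added example (not from the article). Assumes BIP-39: 2048-word list,
# 11 bits per word, checksum of words/3 bits folded into the phrase.
BITS_PER_WORD = 11   # log2(2048)
FLOOR_BITS = 128     # entropy of an intact 12-word phrase


def entropy_bits(words: int) -> int:
    """Entropy of a full phrase: total encoded bits minus checksum bits."""
    return words * BITS_PER_WORD - words // 3


def split_exposure(words: int, segments: int = 3) -> dict:
    """Exposure when ONE segment leaks, for the scheme in the text:
    each segment omits a different 1/segments of the words."""
    if words not in (12, 15, 18, 21, 24):
        raise ValueError("BIP-39 phrases have 12, 15, 18, 21 or 24 words")
    if segments < 2 or words % segments:
        raise ValueError("words must divide evenly into 2+ segments")
    unknown = words // segments
    raw_bits = unknown * BITS_PER_WORD
    # The checksum lets a finder reject most wrong guesses offline,
    # so only about 2**(raw_bits - checksum) candidates remain.
    valid_bits = raw_bits - words // 3
    return {
        "known_words": words - unknown,
        "unknown_words": unknown,
        "raw_bits": raw_bits,
        "valid_bits": valid_bits,
        "bits_lost": entropy_bits(words) - valid_bits,
        "below_floor": valid_bits < FLOOR_BITS,
    }


if __name__ == "__main__":
    for n in (24, 12):
        r = split_exposure(n)
        print(f"{n}-word phrase, one of 3 segments found: "
              f"{r['known_words']} known, {r['unknown_words']} unknown, "
              f"~2^{r['valid_bits']} candidates left "
              f"(intact phrase: 2^{entropy_bits(n)})")
```

A single leaked segment of a 24-word phrase leaves about 2^80 candidates, already below the 2^128 of an intact 12-word phrase; for a 12-word phrase it leaves about 2^40.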
Schemes of seed phrase splitting are not recommended. Some users may try to fool would-be house robbers by separating their seed phrase on different pieces of paper and placing them in different locations in one’s house.
Devising a convoluted scheme like this is not recommended as the user would put themselves at risk of forgetting the scheme, leading to the loss of the seed phrase. Recall that a seed phrase must also be in a specific order, so even if all the words are there, it is useless without being in order. Therefore, this is an example of a threat to one’s crypto that is the result of one’s own actions, and so it is classified under the category of “internal threats”.
The reality that users of a crypto wallet must understand is that crypto storage solutions have been debated and developed for years by experts in the cybersecurity field to balance security with ease of use. One should not deviate from recommendations on how to store crypto securely.
The recommended way of storing seed phrases is to write the words down in full and in order on a piece of paper and, preferably, laminate the paper to protect it from water damage. For those willing to spend more money, some products will allow users to etch their seed phrase into metal, which has the added benefit of protection against fire damage.
It is recommended to have at least two copies of the seed phrase stored in different geographical locations. This would help prevent the loss of the seed phrase due to natural disasters like floods or hurricanes. One should avoid having any digital copy of the seed phrase, specifically digital copies stored in cloud storage accounts, to prevent the seed phrase from being compromised in a cyberattack.
As Benjamin Franklin once said, “nothing is certain except death and taxes”. As much as we don’t like to think about it, there will be a day when we inevitably kick the bucket. There have been instances where an individual with a massive fortune in crypto died unexpectedly, and the remaining family members could not locate the deceased party's seed phrase. If the remaining family members of the deceased crypto holder are not tech-savvy enough, this may leave them susceptible to scams and other scenarios where the crypto can be lost.
When it comes to crypto stored self-sovereignly, it is best to leave instructions for loved ones to gain access to one’s crypto if a tragic unexpected event should occur.
External threats describe ways other agents try to steal crypto through a deliberate attack. External threats exist on a spectrum, from explicit attacks, where the attack is very aggressive and obvious, to implicit attacks, where methods like trickery are used and which often require a small amount of participation from the victim. We will describe such attack vectors in detail.
Phishing is when someone tries to trick you into giving up your money or personal information by pretending to be a trustworthy company or person. They often do this through email, and the email may look real but actually has a link to a fake website set up by the attacker. Once you click on the link, you may be asked to enter your password or secret phrase, which the attacker can then steal.
Another scam is the "send crypto, receive crypto" scam. The attacker sets up a livestream of an interview or press conference with someone or a company that is well-known in the crypto community. However, the interview was actually done in the past and has nothing to do with the YouTube channel hosting the livestream. The stream claims to offer a crypto giveaway where the crypto will be doubled and sent back if you send crypto to a certain address. But there are no good deals like this.
In reality, the address you're directed to is controlled by the scammer, and the livestream is just a pre-recorded interview from another event. The scammer is taking advantage of the fact that crypto transactions can't be undone. Any crypto sent to the scammer's address is lost forever.
Further, there exists a special class of attack called a "man-in-the-middle" attack, which can be paired with a phishing attack. A “man-in-the-middle” attack is when a bad actor, i.e. a hacker/scammer, gets in between two people who are trying to communicate securely. The bad actor intercepts the messages and can steal important information, change the messages, or send their own messages to trick the two parties.
For example, imagine you're trying to log in to your bank account online, but a bad actor is secretly listening in on your communication with the bank's website. They can see your login credentials and use them to steal your money or identity.
To protect yourself against such attacks, always use secure websites with the “HTTPS” protocol (indicated on your browser by the 🔒 icon in the URL bar), keep your software and devices updated, and avoid using public Wi-Fi networks without a VPN.
Ransomware is a type of malware that encrypts a device and demands payment in exchange for decryption. It can be difficult to remove once it has infected a device. To prevent ransomware, use antivirus software and don't download or run programs from unknown sources.
Another type of malware, called "clipboard-jackers", targets crypto users. These viruses replace copied crypto addresses with addresses controlled by attackers. Always double-check crypto addresses before sending transactions, even if you copy and paste them.
The most explicit and obvious threats to a crypto holder include physical harm, or threats of physical harm, to a crypto holder unless they agree to give up their keys to an attacker. It is dubbed the “$5 Wrench Attack” because it’s an attack that can be performed with minimal cost and expertise, i.e. using a wrench that costs $5.
Crypto holders should recognize that crypto that is self-custodied is inherently different from money sitting in a bank account. With self-custodied crypto, there are no third parties that can secure your wealth on your behalf, and whoever holds the private keys of the crypto is the true owner. To avoid becoming a target of a $5 Wrench Attack, crypto holders should avoid publicizing exactly how much crypto they hold. Further, crypto holders should exercise extra caution when travelling with their crypto wallet or seed phrase, or doing transactions that involve physically going to a location to meet a buyer/seller that they’ve never met.
Closing: By practicing good cybersecurity habits, such as using strong and unique passwords, enabling two-factor authentication, and being cautious of phishing scams, a person can protect their crypto assets from being stolen or compromised. Good cybersecurity habits are especially important in the world of crypto because transactions are irreversible, meaning that if a person's crypto is stolen, it may be difficult or impossible to recover. By being proactive about their cybersecurity, a person can ensure the safety and security of their crypto assets.