Are your crypto assets kept safe?
If you keep your crypto on an exchange, you are not safe.
If you keep it on your own device (PC or phone), you have to make sure that device is safe.
The safest way to store your crypto is using a hardware wallet or a paper wallet.
I’ll try to cover, as thoroughly as I can, what I do to secure my crypto assets.
PART 1. Control your private keys
CONTROL YOUR OWN PRIVATE KEYS!
- Do not share your private keys
- Don’t leave your crypto on an exchange. Exchanges have been hacked before, they are the biggest target for hackers, and it will happen again.
- Have a safe backup of your private keys. Your PC or phone can break or get stolen, so make sure you can get to your private keys without your main device.
- Use a hardware wallet if possible. Hardware wallets don’t support every crypto, but whenever a coin is supported, keep it in the hardware wallet. Software wallets are less safe because the private key is stored on a device that can be hacked; hardware wallets are much harder to attack because the private key never leaves the device. Since you don’t have direct access to your private keys, there are some limitations: for example, when a fork happens you have to wait for the manufacturer to support it. (You can use a BIP39 tool to derive the private keys from the device’s recovery words, but that is extremely dangerous!)
PART 2. Securing access to exchanges
Even though you should keep most of your cryptos in your local wallet, you have to use an exchange to buy or sell. As of now, most exchanges are centralized: they own the private key, and if something goes wrong you could lose your crypto. Exchanges can get hacked, but your account can be hacked too. Here are some tips to make your account safer. Remember that it still isn’t 100% safe.
- Never reuse a password across exchanges and websites. I recommend using a password manager and letting it generate a unique, strong password for each site.
- Enable 2-factor authentication. SMS authentication is not safe. Use Google Authenticator (or a compatible app) if possible.
- Bookmark your exchanges and NEVER use Google search to find them. Scammers place ads for fake exchange sites. Using a password manager also helps here: if you land on a fake site, the password manager will not auto-fill your user ID and password, because the domain doesn’t match the saved entry.
- Withdraw cryptos and fiat from exchanges if you are not actively trading. Store most of your cryptos in your local wallet.
Also back up your authenticator. If you lose your phone or it breaks, you won’t be able to access exchanges easily; it can take weeks, sometimes months, to get an authenticator disabled. Get a backup authenticator device (an iPad or an old phone) and register your authenticator codes on the backup device too. Google Authenticator (at least on iOS) does not restore codes from a backup, so if you are getting a new iPhone, plan ahead. I take a screenshot of every authenticator setup code and store it safely (encrypted), just in case. Make sure only you can access it!
Here’s a post about Google Authenticator with more details: https://steemit.com/cryptocurrency/@mix1009/google-authenticator-and-ios-backup-restore
Are decentralized exchanges safe? There have been hacks and attacks on EtherDelta. I don’t think they are safe for now; the volume isn’t there and the user experience is lacking. I think decentralized exchanges need some time to mature.
I use https://www.lastpass.com/ as my password manager. There are many password managers; whichever one you use, make sure you choose a strong master password.
PART 3. Securing your storage & backup
Here are some tips related to software wallets on PC/Mac and backup.
1. Open your wallet only when it’s absolutely necessary.
Don’t open your wallet every time you check your balance. Save your addresses somewhere so you can check balances with a block explorer instead. Manage your portfolio using an app, or use my Google Sheets template to track your holdings. (https://steemit.com/cryptocurrency/@mix1009/cryptocurrency-portfolio-template-version-2-for-google-sheets)
If you aren’t transferring anything, don’t open the wallet; use a block explorer. You don’t need to open your wallet to receive coins either: use a block explorer to confirm the asset arrived.
Here are two popular block explorers:
Search for a block explorer for other coins.
Write down your addresses. They aren’t private keys, but if someone can edit your files they can trick you into sending coins to their address. I keep my addresses in a password-protected note in the Mac/iOS Notes app, together with links to the block explorers so I can get to them faster.
Since many Bitcoin wallets change their receiving address after each use, it’s easier to just write down your coin holdings, because working out how much you hold from a block explorer is time-consuming. If privacy is important to you, you’ll have to open your Bitcoin wallet to get the new address. If privacy is not too important, you can reuse the old address to receive BTC. For some coins you have to use a new address for each transaction.
2. Unique password for each wallet
If you are using a software wallet that stores the private key protected by a passphrase, use a different passphrase for each wallet.
3. Use encrypted drive
Save your private keys (keystore files) on an encrypted drive. If a wallet requires you to enter the raw private key to access it (which I consider a badly designed wallet), keep that key somewhere encrypted. I used to use Jaxx, and it had weak security: Jaxx used to encrypt the private key with a common key (not sure whether it still does), so I encrypted its config folder and only opened that encrypted drive when I was using Jaxx. It’s a bit technical to achieve this (using a symbolic link) and I don’t know how to do it on Windows. I don’t use Jaxx anymore. My Ethereum keystore files are stored on an encrypted drive.
I recommend using an encrypted container file rather than a physically encrypted drive. All of the container’s data lives in one file, so you can connect and disconnect it faster and it’s easier to back up.
How do you create an encrypted drive?
You can use VeraCrypt (https://www.veracrypt.fr/) on Windows or Mac.
If you are using a Mac, you could also create an encrypted drive from “Disk Utility”. http://technology.pitt.edu/help-desk/how-to-documents/creating-encrypted-disk-image-mac-os-x
Windows 10 seems to support encrypted drives: https://www.howtogeek.com/193013/how-to-create-an-encrypted-container-file-with-bitlocker-on-windows/
Only connect (decrypt/mount) the drive when you need to access it, and disconnect it right after use. If you copied something important to the clipboard, overwrite it by copying something useless. And don’t use a clipboard manager app.
My wallet files (which are needed to send coins) are stored on one encrypted drive.
My backup files, which store the 24 recovery words for the hardware wallet and the authenticator screenshots, are on another encrypted drive with a different password.
4. Backup your encrypted drive.
I also back up the encrypted drives: I zip each one with yet another password and store the archives on external drives kept in several distant locations.
5. Always double check addresses when transferring
Make sure you send to the right address. Double-check the receiving address: there are reports of malware that replaces addresses in the clipboard.
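Here is an added example (not code from the original post) of the two checks items 1 and 5 describe, for a Bitcoin address: it verifies the Base58Check checksum, which catches typos and truncation, and then compares the pasted address with the one you recorded for that recipient, which is what catches clipboard-replacing malware, since a swapped-in address is usually a perfectly valid one. The address book and the recipient labels are constructed sample data.

```python
import hashlib

# Added example (not from the original post): check a pasted Bitcoin address
# against (1) its Base58Check checksum, which catches typos and truncation, and
# (2) the address you recorded when you set up the wallet, which is what catches
# clipboard-replacing malware: a swapped-in address is usually perfectly valid,
# so a checksum alone would not flag it.

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MAINNET_VERSIONS = {0x00, 0x05}   # P2PKH ("1...") and P2SH ("3...") mainnet prefixes

def b58check_decode(addr: str):
    """Return (version, payload) if the checksum verifies, otherwise None."""
    n = 0
    for ch in addr:
        if ch not in B58:          # '0', 'O', 'I' and 'l' are deliberately absent
            return None
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:             # 1 version + 20 hash160 + 4 checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload[0], payload[1:]

# Constructed address book: the addresses you wrote down (see Part 3, item 1).
ADDRESS_BOOK = {
    "cold storage": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "exchange deposit": "12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX",
}

def check_destination(pasted: str, recipient: str) -> str:
    """Decide whether a pasted address is safe to send to for this recipient."""
    pasted = pasted.strip()
    decoded = b58check_decode(pasted)
    if decoded is None:
        return "BAD_CHECKSUM"      # typo, truncation or corrupted paste
    if decoded[0] not in MAINNET_VERSIONS:
        return "NOT_MAINNET"       # e.g. a testnet address pasted by mistake
    expected = ADDRESS_BOOK.get(recipient)
    if expected is None:
        return "UNKNOWN_RECIPIENT" # never recorded: verify out of band first
    if pasted != expected:
        return "MISMATCH"          # valid address, but not yours: clipboard hijack?
    return "OK"
```

Only "OK" means the address both decodes correctly and is the one you wrote down; "MISMATCH" is the case a clipboard-replacing trojan produces.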
PART 4. Hardware Wallets
Hardware wallets are safe because the private keys are kept in the device and never leave it. So how does it work? When you want to send coins, the device itself signs the transaction with the private key. The software running on your PC/Mac never has access to the private key, so even if your PC/Mac is compromised, the private key can’t be stolen from the computer. Hacking the hardware device itself is possible, but much harder, because it is not an open platform.
So which wallet should you buy? The popular ones are the Ledger Nano S, Trezor and KeepKey.
- Ledger Nano S : https://www.ledgerwallet.com/
- Trezor : https://trezor.io/
- KeepKey : https://www.keepkey.com/
Whichever wallet you choose, buy it directly from the manufacturer!
Watch some YouTube videos to learn how to set up the device, and become familiar with it before you use it to store your valuable cryptos. A hardware wallet should display the 24 recovery words on its own screen during setup.
There are scams related to setting up the wallet. One person received a device with recovery words already written on a scratch card; he entered those words during setup and lost all his funds. The device will NOT be shipped with recovery words for you to enter into it! And, again, buy directly from the manufacturer.
Keep your 24 recovery words really safe. Anyone who steals them has full access to all your coins and tokens, so store them really, really safely.
Secure devices show the 24 recovery words on the device display. Write them down carefully. Then reset the device and restore it from the 24 words to make sure the restore really works; it takes time and effort, but you don’t want to find out later that recovery fails. Make at least two copies of the backup words and store them safely in two distant places. Don’t copy them with a scanner or printer, and don’t photograph them. Stick to analog ways of copying.
If you want to store them digitally, make sure you understand computer security in general. If you are unsure, don’t store them digitally.
If you are aware of the security risks, here are my tips for storing them digitally.
- Disconnect from the network when entering the recovery words: turn off WiFi and unplug the Ethernet cable. Don’t use a Bluetooth keyboard.
- Store them on an encrypted drive with a unique password.
- Make sure your computer is not infected with malware. Use antivirus software. Never install software from untrusted sources, and don’t install cracked software.
- Also disconnect from the network whenever you access the encrypted drive.
- Type them directly into a file on the encrypted drive.
- Use a simple text editor; complex ones may create cache or recovery files.
- Unmount the encrypted drive right after use.
- Reboot the device before reconnecting to the network after accessing the encrypted drive.
I use an encrypted drive to store my 24 recovery words. I don’t recommend storing your recovery words digitally unless you understand computer security in general. I turned off WiFi and unplugged from the internet, then created an encrypted drive, saved the words with a simple editor (vi in my case) and unmounted the drive afterwards. The passwords should be unique. I rebooted the device before connecting it to the internet again. This encrypted drive should not be opened often, and when it is, the computer should be disconnected from the network. I made backups and store them in two distant places.
PART 5. Emergency Plan
You now know how to keep your private keys safe. But what if you get into an accident and lose your memory? What if you die? If you don’t have an emergency plan, your crypto assets will be lost forever.
It might be a good idea to have an emergency plan for your family or relatives.
I gave my family instructions on paper telling them where to look for the instructions to recover my funds. They’ll need access to my PC to recover. The paper has the password to my encrypted drive, but not written in plaintext: the password is a combination of things we know together, and it is very long.
Inside the encrypted drive I have my hardware/software wallet recovery keys, private keys, and the user ID, password and authenticator backup for each exchange, plus some basic instructions and who to ask for help. You have to fully trust the people you give this info to.
It was like building a puzzle leading to a secret place; I had fun making it. I would still like some way to make sure no one can access it while I’m alive. Maybe I could use the https://ifidie.org/ service to hold part of the password. Any better ideas?
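One way to split the drive password between several people or services so that no single holder can use it, as an added example and not the author’s own scheme: Shamir’s secret sharing over a prime field. Any k of the n shares reconstruct the password; fewer than k reveal nothing about it. The passphrase used below is a constructed sample.

```python
import secrets

# Added example (not the author's scheme): split the encrypted-drive password
# into n shares so that any k of them recover it and fewer reveal nothing.
# Shamir's secret sharing over GF(P); hand each share to a different trusted
# person or service and keep none of them next to the drive itself.

P = 2**521 - 1   # Mersenne prime, so any secret up to 65 bytes fits in one field element

def split_secret(secret: bytes, k: int, n: int):
    """Return n (x, y) shares of `secret`; any k of them reconstruct it."""
    s = int.from_bytes(secret, "big")
    if not (1 <= k <= n < P and s < P):
        raise ValueError("bad parameters or secret too long")
    # random polynomial of degree k-1 whose constant term is the secret
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover_secret(shares) -> bytes:
    """Lagrange-interpolate f(0) from at least k distinct shares."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    # a passphrase never starts with a NUL byte, so the minimal encoding is exact
    return s.to_bytes((s.bit_length() + 7) // 8, "big")
```

Write each share down as its (x, y) pair in hex; a service like the one mentioned above would hold one share rather than a fragment of the plaintext password.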
PART 6. ICOs, Forks & AirDrops
DON’T SHARE YOUR PRIVATE KEY
Don’t share your private keys. Don’t share your recovery words.
If you use MyEtherWallet or MyCrypto to participate in ICOs, install CryptoNite, EAL or MetaMask in Chrome. They will warn you if you connect to a known scam site.
If you are using an online web wallet like MyEtherWallet, make sure you access the site through a bookmark. Also consider using the offline version: https://myetherwallet.github.io/knowledge-base/offline/running-myetherwallet-locally.html
If you want to participate in an ICO, only trust official announcements and don’t trust anybody who contacts you privately. Also, when you send ETH, always check the address on etherscan.io. See whether there are any comments on the address: if it has been used for a scam, it may have comments attached, and Etherscan also warns you when it has flagged an address as a scam. I would not send ETH to an address that has no smart contract attached, because that means you have to fully trust the other party to send you the tokens manually. I also check whether the crowdsale contract’s source code is available; it’s best practice to publish the source so anyone can verify that the crowdsale is not cheating. Also check whether they have been audited by a third-party auditor.
Don’t get your information solely from the ICO’s website or community channels. Check Bitcointalk and YouTube for other people’s opinions before you invest. Investing in ICOs is extremely high risk. Don’t just follow others’ opinions; do your own research (DYOR).
If you want to claim forked coins, make sure you control the private key at the time of the fork. After the fork, move all funds in that wallet to a different wallet before entering the private key into the forked coin’s wallet. See my post on Litecoin Cash for a detailed explanation; it should apply to any fork. Some exchanges credit forked coins if you hold the original coin on the exchange, but exchanges are not a safe place for your crypto. Don’t deposit into a new or small exchange just to get forked coins.
There are also many scams related to airdrops. Never give them your private key. The Chrome plugins mentioned above also help you identify scams.
Here are two services that check for scams:
- https://www.clearify.io/ : Enter the address and see who owns it.
- http://shamcoin.com/ : List of potential scam ICOs.
Scammers and hackers are busy trying to steal your crypto.
Protect your private key and stay safe.