You can lose all your cryptocurrency for two reasons:
- A hacker is actively attacking you
- You are a victim of collateral damage sparked by a bigger event: If any of the services you trust (the cryptocurrency exchange, the password manager, the browser) are being hacked, your data can become compromised and someone else can get access to your funds.
If the second scenario happens, you might think that it’s not you who was responsible for that and you are not the only one affected so, under crowd pressure the affected platform will have no choice but to reimburse your loss. Well, say that to the 127,000 creditors processing claims against Mt. Gox. Do you think they will ever get back the $2.4 trillion (worth of Bitcoin) they lost when the exchange went bankrupt due to a 650,000 BTC hack?
In this article, we won’t repeat the same common sense practices you’re reading everywhere, such as keeping your private keys safe how to create a strong password. You should follow or at least be aware of these measures, but today we’re planning to reveal a list of bad practices you might be doing without even knowing that you’re putting all your cryptocurrency funds at risk. Don’t worry, we’re suggesting a quick solution for each of them along with extra tips if you’re looking to strengthen your security even more.
Not checking for HTTPS
When you connect to a website with a regular HTTP address, your data is sent over in clear text (your exchange password, PIN number, or even the private key of your wallet) that can be easily intercepted over WiFi or through your network provider. Not only that, but also there’s no way to verify if you’re connected to the correct website or if you’re on a compromised network that’s redirecting you to an impostor site that looks exactly like an exchange or your web wallet.
How to check if the website has a secure connection:
- In your web browser’s address bar, the address starts with “https://”.
- Have a lock icon next to the address bar.
- Clicking on the lock reveals a valid certificate for the website.
Some browsers hide the “https://” by default, but the lock icon is common. To check for the full address, you typically need to click or tap inside the address bar.https://twitter.com/INB4CNBC/status/988799292012871680
UltraSafe Tip: For the websites that you know you’ll be using regularly, after doing the extra check you can immediately add them to your bookmarks and never use anything else than that to access them.
Be aware that the presence of the word “https” itself isn’t a guarantee that the site is legitimate. Scammers can also get certificates for a look-alike website. An address like “https://binance.com.1337.com” might have the lock icon, the https, and everything else, but it’s still not the original Binance website. Maybe this one looks obvious to you, but sites like “xn — inance” manage to steal people’s funds before. Also, “binance dot us dot com” did it as well And check out the one below; would you fall for it?https://www.reddit.com/r/CryptoCurrency/comments/7ykzar/be_careful_of_spoof_exchanges_would_you_have/
Not updating your browser and OS
If your browser and operating system (OS) are not up to date, you’re being exposed to many security threats that can put your cryptocurrency at risk while you’re simply browsing the web. Many software updates will be issued to combat the problems found after the OS’s official release. If you’re not getting the new version (even if it’s a minor “bug fix” update) those problems will still be there for you, giving bad actors the chance to exploit them.
How to keep your browser and OS up to date:
- In Windows 10, automatic updates are enabled by default. Microsoft Edge will also be kept up-to-date automatically.
- If an update is available, Chrome will download it automatically by default. But in order for Chrome to be updated, you need to restart the browser.
- The Android operating system will keep standard apps, such as the Chrome browser, automatically updated to the latest version.
- Mozilla Firefox should automatically download updates and prompt you when they are available to install.
- If you have Apple updates turned on, the OS and Safari should stay up to date automatically. Although, some updates require that you restart your device.
- The iOS operating system will keep the system and standard apps, like the Safari browser, automatically updated to the latest version.
Ultra Safe Tip: Sometimes it happens that the latest update itself comes with problems and it might expose you for hours or even days until a patch is released to address that issue. If you are skeptical, you can tweak your settings in such way that you get notified when a new update is available, but only allow it to be manually installed. This gives you the opportunity to do some short research on forums or to simply Google the update number to find out if there are any known problems with it.
Holding your cryptocurrency on a centralized exchange
If you’re looking to convert your tokens or to actively trade them for profit you must go through a cryptocurrency exchange, as this became the conventional way of doing it. The problem, however, lies in choosing the exchange.
A lot of people are choosing a centralized exchange that was (remember: “was”!) the most convenient way to handle their cryptocurrency and, deliberately or not, accepting the counterparty risk of giving the custody of their funds to a third party. First, their storage can be hacked. It happened to Mt.Gox, it happened to Coincheck (the second largest exchange in Japan), it happened to Binance (one of the largest global exchanges), and it happened to many other exchanges leading to over $1 billion worth of crypto assets stolen in 2018 alone. Second, their business can be shut down by the SEC for any number of reasons, much like how 1Broker was seized because of money laundering. The risk wasn’t worth it one year ago when the alternatives, decentralized exchanges (DEXs), weren’t user friendly and it’s definitely not worth it now when the user interface of the new DEXs improved significantly, being almost as easy to use as their centralized counterparts.https://ciphertrace.com/wp-content/uploads/2018/10/crypto_aml_report_2018q3.pdf
How to use a decentralized exchange (DEX):
- Link your wallet
- Make a deposit
- Make a trade
- Withdraw your funds back to your wallet
That’s all! And the biggest benefit of using a decentralized exchange is that you are holding your own funds. This makes a world of difference as it eliminates all the risks mentioned above.
And it doesn’t stop here. We have examples like VDEX, who are taking a step forward by offering their users a multi-currency wallet solution, VERTO, for free. Instead of releasing a DEX and leave you to figure it out, their goal is to build a digital assets ecosystem (DAE) where the access to a complete service is easy and seamless. While you are in full control of your private keys (and your assets), VDEX handles cross-blockchain communication, finds a match for your buy/sell order, and executes a peer-to-peer transaction at minimal cost for both parties. That’s what the experience of using a DEX has evolved to in just a few years!
Using a password manager
This one might sound counterproductive to most security advice, but at the end of the day, all software has a point of vulnerability and even password managers can be hacked. Maybe the benefits outweigh the risks for most people, but in your case you’re not only losing your Facebook account, you’re also risking your cryptocurrency. How big is the risk? LastPass, one of the most popular password managers got hacked a few years ago. So, it happened once already; it can certainly happen again.https://hotforsecurity.bitdefender.com/blog/last-pass-hacked-users-urged-to-change-master-passwords-12011.html
How to keep your passwords safe in case you might forget one of them:
- Never store any of them on your computer
- Write two copies on paper (don’t print them, printers can be compromised)
- And store them in two different locations
Don’t underestimate paper. This is how popular individuals of the crypto space lost millions of dollars. Ian Balina, an influential cryptocurrency investor, got hacked for $2 million worth of crypto after he stored his public keys in the cloud storage program Evernote.
“I remember getting an email about it being compromised and tried to follow up with my college security to get it resolved, but wasn’t able to get it handled in a fast manner and gave up on it thinking it was just an old email.” Ian Balina
Nicholas Merten, known as DataDash, the largest crypto YouTube influencer lost 100,000 SUB (Subtrastraum tokens) after his hard drive stopped working with the only copy of his private keys inside.
Not using 2FA because of the convenience
Most platforms today, especially the ones that involve financial services, offer the option to enable 2FA (two-factor authentication) as an extra security step. While it is not required and left only as an optional selection, it is the only way to protect your account (and the access to your cryptocurrency) in case your email, password, or computer is compromised.
How to activate 2FA
- Find the option in your account’s settings menu (usually under the “Security” category)
- Install an authenticator app on your phone, such as Google Authenticator or Authy
- Scan the QR code generated in your account (or input the given code in the app)
- Write the backup code on a piece of paper (this will be your only way to recover the access in case you’re losing your phone or uninstalling the app)
That’s it, you’re protected by 2FA. Some platforms offer SMS protection as an alternative, but it’s arguably better to opt for the first suggestion. We’ve seen it so many times when network providers give phone numbers to hackers after they provided all the required data for the recovery process. It even happened to the security expert John McAfee one year ago when someone took over his Twitter account.
“What happened is brand new to me. They managed to hack AT&T to move my phone number to another phone,” John McAfee
Ultra Safe Tip: Install the 2FA app on a spare phone with nothing else installed and connect it only to a network that you know is safe. This way, you’re minimizing the chances of someone hacking into it, making it an even more valuable security step for all your other accounts that have it activated.
It may be troublesome to start changing your bad security habits, many of which have been created due to convenience. But remember: owning cryptocurrency means that you’re in charge of your own money. You don’t have a bank or a third party to blame in case anything happens. In most cases, the authorities can’t even help you because cryptocurrency, by their nature is made to protect their user identity. That’s what makes them attractive to hackers. Adopting some easy routines, like checking for https, updating your software, using 2FA, keeping your passwords safely on paper, or always using a decentralized exchange can protect you from becoming a target to anyone with malicious intent. Keep yourself safe!
5 Ways you’re Putting your Cryptocurrency in Danger without even Knowing it was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.