Security best practice

WikiBit, 2022-04-15 02:36

If you've made it this far through our series of articles on how to utilize cryptocurrencies, you've put in a lot of effort and, ideally, some money into putting what you've learned into practice and acquiring your own cryptocurrency.

  • You are ultimately in charge of your cryptocurrency.

  • Accidental loss and theft are two things to be wary of.

  • Best practice and a good night's sleep

All of your hard work and potential value will be for naught if you don't know how to secure your bitcoin from theft or loss, as this article will explain.

Returning To The Custody Concept

You should be familiar with the concept of custody, which is central to cryptocurrency ownership, if you read the first article in this series. Custody refers to how you handle responsibility for a Private Key or Seed, the single most important piece of information, because it is what allows you to control your cryptocurrency.

Because bitcoin functions without a central authority like a bank, everything boils down to one of the most important concepts you can learn: possession equals ownership. As the saying goes, 'Not your keys, not your coins.'

Custody refers to the two possibilities for ultimate responsibility of those keys: you can take complete responsibility for them yourself or entrust them to someone else.

· Non-custodial crypto should be looked after by you.

· Use a custodial service to trust someone else with your crypto.

It is up to you to decide which choice is best for you, taking into account the risks of loss and theft associated with both Custodial and Non-Custodial options.

Your decision will also be influenced by the amount of crypto you own, which will influence the severity of any security threats.

Threats to Custodial and Non-Custodial Options

Threat                              Applies to
Loss of data/access information     Both
Phishing                            Both
Brute force attack                  Custodial
SMS hijacking                       Custodial
DNS spoofing                        Both
In-person assault                   Non-Custodial

Loss of Data/Access Information

The most obvious point of failure when entrusting your crypto to an exchange or mobile wallet is losing the details that allow you to access that service.

In the first instance, this refers to your Username and Password, both of which should be strong/unique and saved securely. If you save your credentials in another service, such as your Google account or LastPass, you've created a vulnerability.

Furthermore, access to your email address is usually required to approve key actions, such as approving withdrawals or setting up other security features, so the email account itself is another important layer of access that must be kept secure.

If you choose the non-custodial alternative - the do-it-yourself method - the access data you can lose is your Private Keys or Seed themselves. If you haven't heard of James Howells, he is one of the most extreme cases of this, as we discussed in our blog post about lost bitcoin fortunes.

Always make a backup of your Private Keys or Seed, using suitable security precautions and keeping them somewhere else, preferably offline. Don't use anything perishable, such as paper, or anything that can be corrupted.

If you use a Hard Wallet (read more about wallets in general here), you'll probably have several layers of security and vulnerability: credentials for a dashboard service (e.g. Ledger Live), a pin to access the device, and the Seed. The Seed is the most important of all; if all else fails, it will allow you to recover.

The most effective way to protect your seed is to engrave the seed phrase into corrosion-resistant, heat-resistant, and pressure-resistant metal. Jameson Lopp, a well-known Bitcoin advocate, has compiled an excellent comparison of the best metal seed storage options.

Of course, you'll still need to keep that metal engraving secure, which shows that the buck (or Bitcoin) has to stop somewhere: there is always one final thing you must physically protect.

Phishing

When utilizing any online service, protecting yourself from phishing should be a top priority. Phishing refers to attempts to persuade you to download malicious software, which can then compromise your machine, or to lure you to impersonated websites, which then harvest your credentials and use them to access your funds or data.

This is especially true for custodial services, which are frequently targeted by phishing emails and bogus websites, but non-custodial choices are not immune.

In July 2020, Ledger, the maker of a popular hard wallet, had a database of client information, including email addresses, compromised. These clients were then used as phishing targets.

Fake websites are also frequently used to attack browser-based services, tricking users into downloading malware or harvesting personal information.

To avoid being a victim of email phishing, take the following precautions:

· Use an encrypted email provider like Protonmail for essential communications.

· Check the actual sending address rather than simply the visible sending name if you're unsure whether an email is genuine; this is generally a giveaway.

· Authentic services will frequently address you by your first name; phishing emails usually cannot, and fall back on generic greetings.

· Phishing emails are frequently badly worded or designed.

Brute Force Attack

Running software that churns through password candidates is one of the oldest and most obvious strategies for attempting to steal someone's password. This can be combined with information about the user obtained through OSINT (Open Source Intelligence), such as names, dates and pet names that people commonly reuse in passwords.

Two-factor authentication (2FA), a secondary layer of access detail from a separate source, usually your mobile phone, is the best approach to mitigate this type of attack.

Any competent exchange will either impose or strongly encourage the usage of 2FA, but as the next topic shows, it is critical to avoid utilizing text for 2FA.

Google Authenticator and Authy are the two most popular 2FA solutions.

SMS Hijacking

After encouraging the implementation of 2FA as a standard for custodial services, we now have to advise that using SMS as the 2FA can expose you to a severe security risk due to SMS hijacking.

If attackers acquire your cell number and provider, as well as personal information obtained through OSINT, they can impersonate you and request a replacement SIM be given to them.

This gives them access to the 2FA code, which they might then use in a brute force attack.

The solution is to always use a two-factor authentication app such as Google Authenticator or Authy. As everyone who has misplaced their phone knows, the device that is running the App becomes a point of weakness.

This may be avoided by keeping your 2FA backup codes, which are given to you when you set up 2FA. If you don't have a 2FA backup, you'll have to go through the tedious procedure of shooting a selfie/video with some ID and a handwritten message to have 2FA reset.

In May 2020, Google upgraded Authenticator for the first time in three years, making it easier to export/import 2FA codes, which is great, but it doesn't help if you lose or break your phone without having exported them first.

DNS Spoofing

Celsius, a popular crypto service, was the target of a DNS attack in November 2020, in which an attacker persuaded their DNS provider, GoDaddy, to change the DNS records so that a different site was served behind their App.

Other than being attentive or, in the case of Celsius, gauging the security of a service by how seriously they regard its DNS set-up, this is tough to mitigate against.

In-Person Assault

We've saved this for last because it should only be a concern if you have a large amount of cryptocurrency. There have been a few incidents where people who are known to have substantial sums of bitcoin have been kidnapped or extorted to hand over their funds.

Because the Ledger breach mentioned above exposed customer mailing addresses, there was a lot of discussion on social media about the threat this posed to affected customers. However, there have been no actual reports of in-person attacks, because they are far riskier for the attacker than the online options.

Though this risk occurs in any situation involving moveable wealth, such as expensive watches, jewelry, and collectibles, crypto is a particular target because it is difficult to insure and trace/recover.

If you're concerned about this, the first step is to keep your crypto private, which means not mentioning it anywhere online or with anyone you don't explicitly trust.

You should also consider Multi-Signature, which entails the approval of a cryptocurrency transaction by more than one individual.

This gives you credible deniability: you alone cannot move the funds, even under pressure. For a low-cost multi-sig security service, see keys.casa.

Learning about cryptocurrency and investing in it may be a liberating experience.

It is a symbol of financial sovereignty, but removing an authority - such as a bank - from your financial life makes you ultimately responsible, so you need to at the very least be aware of the best practices for keeping your crypto safe and ensuring you sleep well at night.
