“How to buy Bitcoin” dominated Google how-to searches in 2017, ranking third overall. With the hype surrounding cryptocurrency at an all-time high, now is a better time than ever to cover the essentials of keeping cryptocurrencies safe.
If you are just getting into the crypto space or you’ve known what ‘HODL’ means for a while now, there are some basics everyone should know about protecting their holdings.
Need-to-know: private keys
Let’s start with the basics. First and foremost, you should know the difference between your public and private wallet addresses (aka keys). A convenient analogy here is that most cryptocurrency wallets essentially operate like a postal box.
Each wallet has a unique public address that can be given out freely to anyone, much like you would give out your P.O. box address at a post office. This public address will only allow people to send coins to the wallet.
You also have a private address that unlocks your wallet and allows you to send coins out of it, similar to how your mail key allows you to unlock your P.O. box and withdraw your mail. This key is yours and yours only. Never share your private address with anyone.
Keeping up with your wallets’ private addresses is an exercise in personal responsibility. You don’t have a physical key to save you, and instead need to carefully store your private address (which is simply a long string of characters). Above all, storing private keys insecurely on your computer is an easy target for cybercriminals who use malware capable of sniffing out and copying your private keys.
If you choose to store private wallet addresses on your devices, never keep them in plain text format, and instead store them on a password-protected, encrypted drive. For maximum security, only print paper versions of your wallet and store multiple copies in secure places, such as a home safe or a bank safety deposit box. This technique is referred to as cold-storage, as your wallet is not stored on an internet-connected device. Hardware wallets, such as those made by Trezor or Ledger, are other options for secure storage of your crypto assets.
Risky business
Buying and storing coins on an exchange such as Coinbase is inherently risky, especially the storage part as you don’t have access to your wallets’ private addresses on an exchange. The convenience factor may be great—user-friendly apps, pretty charts, and a multitude of coins to explore—but on an exchange, you do not have access to your private wallet addresses.
To be fair, that’s part of the ease-of-use exchanges provide since you don’t have to worry about copy and pasting a private address every time you want to unlock a wallet to send from. But this also means that you are not in full control of your coins and if you were to violate any terms of the exchange (knowingly or unknowingly), they could ban your account and you would lose access to your coins. The same is true if the exchange was hacked. If they were improperly storing private keys, you could lose your coins forever.
Staying in full control of your wallet also has additional perks. In the case of a ‘hard fork’ or ‘airdrop’ to holders of a certain coin, you would be able to claim those. As it currently stands, most exchanges do not give you hard fork coins or airdrops, and instead keep those assets for themselves to increase profitability.
‘All your Bitcoin are belong to us’
Perhaps only one thing is certain in the crypto-world: hackers can and WILL try to steal your cryptocurrency.
While blockchain technology is considered an incredibly reliable, real-time database that’s proven resistant to attack and manipulation, wallet- and exchange-side security have shown numerous vulnerabilities over the years. Perhaps you’ve heard of the infamous Parity wallet hack in which an attacker exploited a wallet vulnerability to steal over 150,000 ETH (today that’s $165 million USD).
Just last week, a Google researcher discovered a bug in the popular Electrum wallet that would allow websites to steal the wallet’s contents, causing the Electrum team to quickly release a patch to fix the bug. Case in point—do your homework on any desktop, browser, or mobile wallets you plan to use. Don’t trust blindly.
Phish food
Beware of tried-and-true phishing attacks. Phishing attempts to steal private keys are abundant and targeted specifically toward unwitting investors chasing the crypto rush. Below is a phishing site that visually copies a legitimate site belonging to the wallet app Bread. Notice that the malicious URL (hxxp://breadtokenapp.com/sign.php) is just barely different than the legitimate URL (hxxps://token.breadapp.com/en/).
Dead giveaway. No website should ever ask for your private address. The same is true for exchanges as they manage wallets on their side and would never need your private keys either. The only circumstance where your private address needs to be inputted is to access a wallet. It’s a good idea to bookmark wallet sites such as the popular myetherwallet.com to make sure that you are always using the correct URL and not a phishing site.
It might seem obvious, but making sure your computer is free from malware is mission critical when dealing with cryptocurrencies. A trusted antivirus solution, secure password manager, and browser security can help protect you from would-be crypto thieves.
Have questions or concerns specific to cryptocurrency wallet security? Drop me a line in the comments below.
Update 2/8/2018:
Reports have surfaced recently that Ledger Nano S hardware wallets are susceptible to potential man-in-the-middle attacks.
Man in the Middle Attack – Am I at risk? Our answers and actions to address the threat https://t.co/ms5LAnAR2O
— Ledger (@LedgerHQ) February 5, 2018
The Ledger, while safe in offline storage, must still be connected to the internet to make transactions. Ledger has confirmed that their device is vulnerable to man-in-the-middle attacks (using malware that scans for the recipient’s address and changes it to the hacker’s own address). This reiterates the importance of always double-checking the wallet address that you intend to send to, as well as ensuring your computer is free from malware.