How to Protect Your Crypto and Secure Your Financial Future
The purpose of this post is to give people who are new to crypto, and even seasoned veterans, the tools they need to stay safe and secure on their crypto journey. Hacks and exploits happen daily in the crypto world, and unlike traditional banking, once your crypto is gone it's gone forever: there is no bank to call and no chargeback. Cryptocurrency investments can change your life, but if you don't take active steps to protect them you risk losing it all.
Unfortunately, there is no surefire way to prevent an exploit, but there are very simple and easy ways to dramatically improve your security by creating multiple layers of protection. The tips below are industry-wide best practices that I've gathered from newsletters and blog posts written by, and interviews of, security and cryptocurrency professionals.
I have done every single step below (and more) and I can confirm that most of these steps just take mere minutes to set up and are either free or very cheap.
Get a password manager (1Password, Bitwarden, LastPass)
Get an authenticator app (Authy, LastPass, Google Authenticator)
Use a VPN (Mullvad VPN)
Get a new email exclusive for trading crypto
Get a dedicated trading device (Lenovo Chromebook)
Important security tips
Protect your private keys. Get a hardware wallet
1. Get a password manager ($0 - $36 per year)
One of the easiest ways to compromise your entire digital security is a weak password. It's surprisingly common for people to use the name of a pet or a sports team followed by a single digit. On top of that, these weak passwords are usually reused across many websites. That means that if one website is breached and its password database is leaked or cracked, every account that shares that password is compromised too; attackers automate this by trying the leaked username and password pairs against other sites (credential stuffing).
To prevent this, the password for each website should be unique, long, and randomly generated, mixing upper- and lower-case letters, numbers, and symbols. Password managers like 1Password, Bitwarden, and LastPass not only generate these strong passwords for you, they remember them so that you don't have to, and they fill them in on both your PC and your mobile device with a single click. The vault's master password then becomes the key to everything, so make it a long passphrase you use nowhere else and protect the manager itself with 2FA (next section).
If you aren't using a password manager, you are putting your assets at risk and wasting time typing in passwords.
Here is what Wirecutter had to say about 1Password and Bitwarden.
2. Get an authenticator app (Free) / security key ( $25 - $70)
The second most effective way to improve your online security is to enable two-factor authentication (2FA). Combined with a strong password, 2FA significantly reduces your exposure to account takeover: a leaked or phished password alone is no longer enough.
When you log in to an account with 2FA enabled, the site first asks for your username and password and then, in a second step, typically asks for a code. Even if someone gets hold of your username and password, they still can't log in to your account without that code.
Authenticator App - Free
The easiest, cheapest, and most common way to enable 2FA is an authenticator app such as Authy, LastPass Authenticator, or Google Authenticator. These apps generate a new six-digit code every 30 seconds (the TOTP standard), run on most smartphones, and work with most websites that offer 2FA. The code is computed from the current time and a secret seed that the site shows you as a QR code during setup; anyone holding that seed can produce your codes, so keep it off screenshots and cloud notes, and save the backup codes the site gives you somewhere safe.
Security Key $25 - $70
A more secure 2FA alternative to an authenticator app is a physical security key. Instead of typing a code from your phone, after entering your credentials (username and password) you plug in or tap the key and touch it to approve the login. Keys connect over USB-A (standard USB), USB-C, NFC, Bluetooth, or Lightning. The most popular keys are the Titan Security Key and YubiKey. The reason a key beats a code: a FIDO/U2F key signs a challenge that is bound to the website's real domain, so a look-alike phishing site cannot obtain a response that works on the real site, whereas a six-digit code can be typed into a fake page and replayed by the attacker within its 30-second window. I recommend using a security key whenever it's available as a 2FA option. However, security keys are not yet as widely supported as authenticator apps. I also recommend registering two keys with every site that allows it, in case one key is damaged or lost.
YubiKey is compatible with LastPass, so if you use LastPass for your passwords and authenticator codes then no one can get access to either without your username, master password, and the security key. If you lose your smartphone, you can still get access to your authenticator codes as long as you have your login credentials and the security key.
Warning: DO NOT USE SMS for 2FA
A well-known and surprisingly common attack is the "SIM swap": someone contacts your wireless carrier and, using your personal data, convinces a call-center employee that they are you, so your number is moved to a SIM they control. Once they receive your calls and SMS messages, a chain reaction can follow that grants them access to all of your online accounts. If your email uses SMS as a recovery method they can reset it, and then, holding both your email and your phone number, they can target your bank account, crypto exchanges, and all of your social media. Where a site offers nothing but SMS, it is still better than a password alone, but set a port-out or account PIN with your carrier and make sure your email and exchanges do not use SMS for account recovery. This is a common method of attack and I personally know multiple people who have been attacked this way.
3. Use a VPN ($5 per month)
One easy-to-implement, cheap, and often overlooked layer of security is protecting your IP address by hiding it behind a virtual private network (VPN). When you use the internet, your IP address is recorded by the websites you visit and is often included in the headers of emails you send from a desktop mail client. One reason to protect your IP address is that it gives away your rough location: anyone can plug an IP address into various websites and get your city, state, and country. Combined with other leaked personal data, bad actors can narrow that down further, which is how "swatting" happens (when someone sends a SWAT team to your house by falsely reporting a law enforcement or mental health emergency).
VPNs work by routing your web traffic through an encrypted tunnel to the VPN provider's server, so other parties see the provider's IP address and not the one assigned to your home, office, coffee shop, or hotel. Using a VPN also stops your internet service provider from recording which sites you visit; in 2017 President Donald Trump signed a law repealing internet privacy rules passed by the FCC, allowing ISPs to record your traffic, insert ads, track you in a variety of ways, and sell that data to third parties. Note that a VPN moves that visibility to the VPN provider, which is why choosing a reputable, independently audited provider matters, and that it does nothing against phishing or malware on your own device.
Wirecutter recommends you use Mullvad VPN. It's easy to use, open-source, and very affordable at only $5 a month. I love it because with it you can easily change which country your data appears to be coming from and you can install it on multiple devices with just one account.
4. Get a new email exclusive for financial services / crypto (Free)
If you're like most people, you have one email address that you've used for years. With it you've created accounts on dozens of websites, signed up for mailing lists (intentionally or not), and communicate regularly with friends and family. Unfortunately, this means that your email address, along with your personal data and possibly even your passwords, has almost certainly been exposed in a breach. This is not an exaggeration.
You can check not only whether your email is compromised, but exactly what data breaches have personally impacted you by visiting this website.
You should expect the personal data associated with your everyday email account to be exposed via a data breach at some point. This is why a separate email used only for your financial accounts (personal banking, retirement accounts, stock trading, and crypto exchanges) reduces the likelihood of bad actors even knowing which address to attack. Give that address a unique password and strong 2FA, because it is the recovery path for every account behind it, and never use it for anything else.
5. Get a dedicated trading device ($250 - $400)
This next tip is useful for everyone, but it's especially important for anyone trading crypto since crypto hacks are largely irreversible. Similar to getting a separate email, you should get a separate device that is exclusively used for your sensitive online activity such as online banking and trading crypto. For all other activities, use another personal computer.
By only doing one type of activity on it, you significantly reduce the likelihood of the device being compromised by a bad link, a malicious download, or any other risky activity. I recommend a computer with an operating system that is less exposed to commodity malware, such as macOS, Linux, or ChromeOS (ChromeOS in particular ships with verified boot and automatic updates). Whatever you pick, keep it fully patched, install nothing on it beyond what trading requires, and don't browse casually from it.
This is the most expensive recommendation on the list, but it's also one of the most important. A device infected with malware (a keylogger or a remote-access tool, for example) lets bad actors bypass your entire security design and potentially steal all of your crypto.
6. Important Security Tips
Each of the tips below are so important that they could each have an entire post explaining in detail what could happen to you if you don't follow them. Take the time to think about each point here and how it could put you at risk.
Do not click on links sent to you by anyone you don't know and trust. This includes, but is not limited to, email, Telegram, and all social media sites.
Do not download anything that isn't from a trusted source. You could be installing a virus, a keylogger, or other malicious software that compromises your security. Malware can also take the form of ransomware, which encrypts your files and demands payment for the decryption key, with no guarantee you will get it.
Do not connect your cryptocurrency wallet to any website or exchange you don't trust. Regularly disconnect your wallet from sites you aren't actively using.
Be suspicious of anyone who sends you a direct message on Telegram, Discord, or Twitter. Administrators and moderators in cryptocurrency groups will generally not DM you first, even if you asked for help in a public channel; scammers impersonate them precisely because people expect that help.
If it sounds too good to be true, it almost certainly is. No one is going to give you free money "if you send them money first".
Bookmark the websites and exchanges you visit frequently, and reach them only through those bookmarks rather than by typing the address or following a link from search results, email, or chat. A common attack is a fake copy of a popular site whose address differs by a letter or a look-alike character; when you "log in" to it, the bad actors capture your credentials (and often the 2FA code you type). Before signing in anywhere, check that the domain in the address bar is exactly the one you expect.
Make sure you can still get to your authenticator codes if you lose your smartphone: save the backup codes each site gives you, or the seed shown at enrollment, somewhere offline, or register a second device or security key.
Do not store sensitive data, such as passwords, seed phrases, or your SSN, unencrypted on your computer or in the cloud (a notes app, a photo, a spreadsheet). A password manager's encrypted vault is the exception; a plaintext file is not.
Avoid doing anything sensitive such as crypto trading or online banking while connected to public Wi-Fi. You never know who the network belongs to or who else is connected. This is a serious security risk; if you must, use your phone's hotspot or the VPN from tip 3.
If you use a mobile device for trading or online banking, use the official apps published by the exchange or bank, installed from the official app store, and keep the apps and the device up to date with the latest patches.
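The bookmark tip above works because a bookmark is an exact-match check on the hostname. As an added example (not from the original post), here is that check written out, along with the tricks a fake site uses to pass a human's glance: a trusted name stuffed in front of an `@`, a Cyrillic letter standing in for a Latin one, a trusted domain used as a subdomain of someone else's, and a one- or two-letter typo. The domains are constructed placeholders, the confusables table covers only a handful of letters, and browsers do this more thoroughly (Unicode confusables data, the Public Suffix List); the point is what "exactly the one you expect" means in practice.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist standing in for the sites you have bookmarked. Hypothetical names.
TRUSTED_HOSTS = frozenset({"exchange.example", "www.exchange.example", "bank.example"})

# A handful of Cyrillic/Greek letters that render like Latin ones (not exhaustive).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u03bf": "o", "\u03b1": "a",
}


def normalize_host(host: str) -> str:
    """Fold look-alike letters to ASCII so 'еxchange' (Cyrillic е) compares as 'exchange'."""
    host = unicodedata.normalize("NFKC", host.lower().rstrip("."))
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as 'exchnage' for 'exchange'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted: frozenset = TRUSTED_HOSTS) -> str:
    """Return 'trusted' only for an exact HTTPS match; otherwise name the trick."""
    parts = urlsplit(url)
    # .hostname drops the port and any 'user@' prefix, so
    # https://www.exchange.example@evil.example/ resolves to evil.example.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid"
    if host in trusted:
        return "trusted" if parts.scheme == "https" else "no-tls"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"            # IDN label; browsers show these for mixed scripts
    folded = normalize_host(host)
    if folded != host and folded in trusted:
        return "homoglyph"
    if any(host.startswith(t + ".") or ("." + t + ".") in host for t in trusted):
        return "subdomain-spoof"     # trusted name buried inside someone else's domain
    if any(edit_distance(folded, t) <= 2 for t in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in (
        "https://www.exchange.example/login",
        "http://www.exchange.example/login",
        "https://www.exchange.example@evil.example/",
        "https://\u0435xchange.example/",
        "https://www.exchange.example.login-verify.example/",
        "https://exchnage.example/",
    ):
        print(f"{classify_url(sample):16s} {sample}")
```

Everything that is not an exact match is treated as untrusted; the labels only explain why. That is the same posture a bookmark gives you for free, which is why the tip says to use the bookmark rather than to inspect the address by eye.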
7. Get a Hardware Wallet ($60 - $170)
This last security tip is possibly the most important: protect your private keys! There are many ways to do this, but the best is to purchase a hardware wallet. If you are only trading a few hundred dollars and can't justify the cost of a hardware wallet, keep your keys offline instead, either on an encrypted USB drive or written on paper and stored in a safe place.
Hardware wallets isolate your private keys from your easily compromised computer or smartphone. How they do this can be broken down into three steps, which I learned from this video.
Step 1: When you initiate a crypto transfer, an unsigned transaction is sent from your computer to the hardware wallet.
Step 2: The private keys stored on the wallet sign the transaction, on the device.
Step 3: The signed transaction is sent back to your computer, which broadcasts it to the network.
Since the private keys never leave the device, malware on your computer cannot copy them. What malware can still do is alter the unsigned transaction before it reaches the wallet, for example swapping in the attacker's receiving address. That is why the wallet shows the recipient and amount on its own screen and asks you to confirm: always compare what the device displays with what you intended before approving, and treat anything that doesn't match as an attack.
If you don't understand what the steps above mean, you should definitely watch the video as it explains everything you need to know about how cryptocurrency transfers work.
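To make the three steps concrete, here is an added model of the signing flow (not the post's or any vendor's code). It uses HMAC-SHA256 as a stand-in for the ECDSA signatures real wallets produce, so in this model only the "device" can verify, and the addresses are placeholders. What it shows beyond the steps themselves is the trust boundary: the key is created inside the device object and there is no path out of it, yet a compromised computer can still hand the device a different transaction, and the only thing that stops it is the user comparing the device's display with their intent.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class UnsignedTx:
    to: str          # placeholder recipient address, not a real one
    amount: int      # smallest unit (e.g. satoshi)
    fee: int

    def serialize(self) -> bytes:
        """Canonical bytes the device signs; changing any field changes the signature."""
        return json.dumps(asdict(self), sort_keys=True).encode()


class HardwareWallet:
    """Model of the device. The private key is generated inside and is never returned."""

    def __init__(self) -> None:
        self._private_key = secrets.token_bytes(32)   # lives in this object only

    def _sign_bytes(self, data: bytes) -> bytes:
        # Assumption for this model: HMAC stands in for ECDSA. A real device produces a
        # public-key signature that anyone on the network can verify without the key.
        return hmac.new(self._private_key, data, hashlib.sha256).digest()

    def sign(self, tx: UnsignedTx, user_confirms: Callable[[dict], bool]) -> Optional[bytes]:
        """Step 2: show the transaction on the device's own screen and sign only on approval.
        `user_confirms` models the person reading the device display."""
        shown = {"to": tx.to, "amount": tx.amount, "fee": tx.fee}
        if not user_confirms(shown):
            return None                                  # device refuses; nothing leaks
        return self._sign_bytes(tx.serialize())

    def verify(self, tx: UnsignedTx, signature: bytes) -> bool:
        """Verification (on-device in this HMAC model; public-key on a real chain)."""
        return hmac.compare_digest(self._sign_bytes(tx.serialize()), signature)


def honest_host(intended: UnsignedTx) -> UnsignedTx:
    """A clean computer forwards exactly what the user asked for."""
    return intended


def malware_host(intended: UnsignedTx) -> UnsignedTx:
    """A compromised computer swaps the recipient in the unsigned transaction (step 1)."""
    return UnsignedTx(to="attacker-address-placeholder", amount=intended.amount, fee=intended.fee)


def transfer(wallet: HardwareWallet, intended: UnsignedTx,
             host: Callable[[UnsignedTx], UnsignedTx]) -> Tuple[UnsignedTx, Optional[bytes]]:
    """Run the three steps and return the tx the host actually sent plus the signature
    (None if the user refused on the device)."""
    unsigned = host(intended)                                       # step 1: computer -> device

    def user_checks_screen(shown: dict) -> bool:                    # the human compares
        return shown["to"] == intended.to and shown["amount"] == intended.amount

    signature = wallet.sign(unsigned, user_checks_screen)           # step 2: signed on device
    return unsigned, signature                                      # step 3: device -> computer


if __name__ == "__main__":
    wallet = HardwareWallet()
    intent = UnsignedTx(to="recipient-address-placeholder", amount=50_000, fee=500)
    tx, sig = transfer(wallet, intent, honest_host)
    print("honest host: signed =", sig is not None, "valid =", wallet.verify(tx, sig))
    tx, sig = transfer(wallet, intent, malware_host)
    print("malware host tried", tx.to, "-> device refused:", sig is None)
```

The model also makes the seed-phrase point below obvious: the seed is the `_private_key` written down, so whoever holds the paper holds the same signing power as the device.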
The two most popular hardware wallets are the Trezor Model T and the Ledger Nano X. Buy directly from the manufacturers to reduce the risk of receiving a tampered device, and never use a device that arrives with a seed phrase already filled in or printed on a card; the device must generate a fresh seed in front of you. 99Bitcoin did a good review of both the Trezor Model T and Ledger Nano X.
The Model T is more expensive, arguably more secure because its firmware is open source, and easier to use. The Ledger Nano X is cheaper and comes with Ledger Live (a companion wallet app that gets lots of praise for its UI). Both hardware wallets are considered the best in their class and you really can't go wrong with either. I recommend you get one of them, plus a cheap backup such as a Ledger Nano S, in case the primary device is damaged or lost.
Lastly, store your seed phrase in a safe place in case you lose access to your device. Write it on paper or stamp it in metal and keep it offline; never photograph it, type it into a computer, or store it in the cloud, because anyone who obtains the seed phrase controls the funds, hardware wallet or not. Nobody legitimate (not Ledger, not Trezor, not any support staff) will ever ask you for it.
The key to online security is the same as real life security, having multiple layers that need to be breached. To get into Fort Knox you need to get past fences, mines, armed guards, keycards, biometric identification, and more. Each security layer individually may be broken, but together it becomes almost impossible. As our lives are increasingly digital, everyone should actively think about their online security and take every step they can to protect themselves.
The costs above break down as follows:
One Time Cost: $360 - $620 ($110 - $220 if you skip the dedicated trading device)
Two security keys: $50
Hardware Wallet: $60 - $170
Dedicated trading device: $250 - $400
Yearly Cost: $60 - $96
Yearly cost of VPN: $5 x 12 = $60
Yearly cost of password manager: $0 - $36
I think most people should be able to justify spending this much on permanently and significantly reducing their exposure to hacks and malware. For just $146 (security keys, VPN, and password manager) you can protect yourself for an entire year from the majority of online attacks.
If you are trading cryptocurrency, even the full first-year cost of roughly $420 to $716 for everything on this list is most likely justifiable. If you are going to be your own bank, you should get bank-level security. Why would you settle for anything less? Personally, I sleep much better at night knowing that I'm doing everything I can to protect my hard-earned digital money.
Cheers. Big thanks to Brian Girvan for editing.