One of the most beneficial factors of owning crypto assets is the individual sovereignty it grants us compared to restraints used by the traditional financial system. In other words, ownership of digital assets allows us to “Be our own bank”. Once you buy Bitcoin (BTC) for example, you have the option of keeping it on an exchange or storing on a wallet of your choice. From there you can sell it whenever you want, loan it out in the Defi space, or even take out a crypto backed loan. The whole point is, crypto gives you full control over your financial destiny without you having to worry about someone telling you what you can or can’t use your funds for (I am not encouraging illegal activity) or having to worry about your funds being frozen (assuming you’re holding your crypto on a wallet and not an exchange). However, as with anything good this comes as a double edged sword with its own risks that anyone desiring to own a significant amount of crypto assets should consider. In this article, I am going to break down all of the risks of owning crypto assets, how you can appropriately position yourself to avoid being hacked or having your crypto assets stolen, and how I see the technology around crypto security evolving into the future.
Everyone who's been in the cryptocurrency space for a while will recognize the name “Mt. Gox”. Launched in 2010, Mt.Gox was the world’s largest bitcoin exchange until it’s collapse in 2014. By 2013, Mt.Gox was handling 70% of all BTC trades world wide but had to shut down after it was revealed that it had lost 744,408 of its customers bitcoins and 100,000 of its own bitcoins. The loss amounted to approximately 7% of all BTC at the time. And you guessed it, the people who lost their BTC on Mt. Gox still hasn't recovered their stolen funds. There’s a saying in crypto, “Not your keys not your crypto”. In other words, that means that if you don’t exclusively own the private keys for the wallet that your crypto is stored on and you leave it on an exchange for custody, you risk losing all of your crypto just like the investors who trusted their BTC on Mt. Gox (Mt. Gox is not the only exchange that has been hacked). Let’s go over all of the different ways that you can avoid a tragedy like that from happening.
To start, the first thing you should know is that all crypto currencies reside on their own blockchain, and while you may think that your crypto is stored on a wallet, they’re actually not. Your private keys (usually 10-30 different random words generated when you create a new wallet) is actually the only way you have access to your crypto assets on that particular blockchain, similar to how a key, cut in an exclusive way can open a lock to a door. Every wallet generates private keys but, the most important thing you need to know in regards to your private keys is to keep them safe! It’s recommended that you write them down and store a copy in a safe or another safe place (some people bury them underground). You never want to store your private keys on your computer or your phone because it's relatively easy for an advanced hacker to hack into your computer and steal them, then get access to all of your precious crypto. Let’s cover the different types of wallets so that you can determine the best one for you and your situation.
The following wallets are listed from least secure to most secure. You have desktop wallets, software wallets, hardware wallets, and multi-signature wallets. Desktop wallets are computer programs that store cryptocurrencies on a PC so that its information is not accessible to anyone but the user, whose private keys are kept only on the desktop. These wallets are the least secure because they’re connected to the internet, which means if someone gains access to your desktop they can see your private keys. I personally never recommend using this type of wallet.
Next is software wallets (also called hot wallets in crypto) which are available in three forms — desktop, mobile and online. Mobile wallets come in the form of a smartphone app and are easily accessible to their users at any time, considering most people don’t leave their homes without their phones. However, it is worth remembering that mobile devices are vulnerable to various malware and can be easily lost. Online wallets are web wallets that can be accessed from anywhere and any device, making them more convenient, but the private keys are stored by website owners rather than locally on user devices. Given that these wallets are moderately secure, I personally would only use these kinds of wallets for a small percentage of my overall portfolio that I plan on holding for the short term.
Moving on, next are hardware wallets (also called cold wallets in crypto). Hardware wallets allow you to store your private keys in a secure physical device (your private keys are generated from the wallet once you first turn it on). The cryptocurrencies stored in the wallet are kept offline, meaning that they can’t be hacked. However, these coins are at your disposal whenever you need them. One important thing to remember when buying a hardware wallet is to always buy it directly from the company and never from a reseller. The reason is because you can become susceptible to man in the middle attacks. Similar to what happened to ledger hardware wallets, if a reseller has physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one.
Finally, the most secure wallets are multi-signature wallets. A multi-signature wallet requires at least two key signatures to authorize a transaction. This means you will have to trust another party. Unlike storing funds on an exchange, however, you get to choose the identity of the third party, and even if that keyholder tries to betray you, they will not be able to unilaterally access your funds. There are numerous permutations available, ranging from 1-of-2, in which either party can sign transactions, to the more common 2-of-3, which is popular with escrow-based services such as Localbitcoins, and 3-of-5, which is commonly used by exchanges to secure their cold and hot wallets. Now that you have a good understanding of the different kinds of crypto wallets, let’s cover additional ways for you to keep your digital assets safe.
Other than hacking into your wallets, hackers will also try to get into your phone or computer in an effort to see if your private keys, and/or the password(s) to your exchange account(s) and email address are stored there. Let’s cover how to prevent this from happening. First, as I said before, I never recommend you store any of your passwords on any of your devices. In addition to that, you never want to have a generic password that can easily be guessed, and never use the same password for multiple services. After that, you can use KeePass to keep all of your passwords safe. How it works is very simple. All you have to do is create a new database, which is just a file that holds all of your passwords. You have a master password, that protects the rest of your passwords. So you only have to remember one single master key to unlock the whole database. Database files are encrypted using the best and most secure encryption algorithms currently known (AES-256, ChaCha20 and Twofish).
The next thing you want to do is call your phone carrier and tell them to leave a note on your account that no matter what, they must never port your sim card over to another device. You want to do this because hackers will get access to your phone number over the internet (not hard to do nowadays) and then call your phone carrier pretending to be you. They will then claim that they lost their phone, and that they need to port over the sim over to a cell phone that they possess. They will usually do this in the middle of the night while you’re sleeping, resulting in you waking up wondering why you’re not getting any calls or texts. The important thing is, now they can get into your email or login to your exchange and send all of your crypto to their wallet while you’re sound asleep. They do this by trying to log into one of the accounts I just mentioned by selecting “forgot password”, which will prompt the company to send your phone number an access code to verify your identity. The code will then be sent over to the device owned by the hacker since they ported over your sim card, enabling them to successfully login to your account.
This brings me to the next form of important security measures; you never want to use your phone number as a form of verification for anything regarding your crypto so that you can prevent the issue I just described entirely from happening. How you do this is by adding an extra layer of security by using 2-factor authentication (2FA) for your email address and your crypto exchange accounts. How this works is simple, instead of just using your username/email and password to access your account, 2FA forces you to provide additional verification before you can login. For example, two of the most popular software 2FA providers are Google Authenticator and Authy. These software apps on your phone forces you to type in a six digit code after you enter your username and password. The cool thing is that these codes are randomly generated and they change every 30 seconds. This makes it tough for a hacker to get into your account because they would need access to your username, password, and your 2FA code that changes every 30 seconds.
But what if there is a really advanced hacker that is somehow able to get access to all three of these required credentials? There’s another more secure form of 2FA that I recommend using that makes this nearly impossible. This form of 2FA isn’t a software app on your phone, instead, it’s actual hardware. My favorite provider is a company called Yubico. How it works is very simple; you purchase one of their Yubikey jump drive looking devices online (always directly from the company and never from a reseller). I recommend purchasing two so that just in case you lose one, you’ll have another one as a backup. After that, just like Google Authenticator or Authy, you need additional verification other than just your username and password in order to login to your desired account. The difference is, you’re not typing in random numbers generated by a software, instead, you actually have to physically plug your Yubikey device into your phone or computer, and then touch it in order to get into your account. This means that in order for a hacker to get into your account, they would have to get access to your username, password, and your physical Yubikey device. So the hacker would actually have to physically break into the location where it’s stored and steal it, which is highly unlikely because these people are usually cyber criminals and don’t usually resort to breaking and entering.
Now that we talked about how to protect your cell phone, let’s cover how to protect your computer from attacks. The biggest vulnerability for a hacker when using your computer online is your internet protocol (IP) address. Your IP address is your unique ID on the internet and it's synonymous with your home address. Anyone in the world can contact your computer through its IP address, and send a retrieve information with it. This is one of the reasons proxies and anonymity services exist, to protect people from discovering your IP address. To prevent hackers from discovering your IP address, it’s recommended that you use a dedicated device for buying and selling your crypto. It’s also important that you use this device for buying and selling your crypto only, and not using it to surf the web, check emails, or watch videos on YouTube, like you would with your traditional laptop.
The dedicated device that I recommend using is a Librem laptop from the company, Purism. Typical computers use hardware chips coupled with software that can expose you (including tracking you without your consent). News stories have shown how these chips can secretly transmit voice, networking, picture or video signals. Other chips are used to install malware, spyware, or viruses. These built-in vulnerabilities can turn “your” computer into “their” computer. The Librem laptop comes preloaded with secure anonymity software that is designed to protect your online usage, local data, and everything in between. The moment you turn on your Librem, you will be as protected as cryptographically possible.
In addition to that, it would be wise to purchase a Librem Key. The Librem key looks like a jump drive and it’s recommended that you keep it with you (preferably on your keys with your Yubikey device). Your Librem Key will be shipped separately from your computer so that it would be more difficult for an attacker to interdict both packages versus just one. How it works is very simple, let's say you’re staying in a hotel and you leave your Librem laptop in your room and you come back and you suspect that your laptop has been tampered with or hacked into. Once you go to turn it on, the laptop is going to ask you to insert your Librem key into the side before you can even log into the laptop. If it blinks the color green twice then it hasn’t been tampered with and you have nothing to worry about. If it blinks red then that means it has been tampered with. If this happens, your laptop will not let you log in so as to prevent the spread of a dangerous malware or virus that could have possibly been installed. After that you email Purism and they will advise you on the next course of action.
To put the cherry on top of your already secure cake, I would recommend that you install a virtual private network (VPN) and a Socket Secure (SOCKS Proxy) on your Librem laptop. A VPN gives you online privacy and anonymity by creating a private network from a public internet connection. VPNs mask your IP address so your online actions are virtually untraceable from hackers. SOCKS is designed to route any type of traffic generated by any protocol or program. A SOCKS proxy server creates a Transmission Control Protocol (TCP) connection to another server behind the firewall on your behalf, then exchanges network packets between you and the actual server. But here’s the kicker, you generally pay for one or more IP addresses that you can access with proxies as they can come in batches of 5, 10, 25, 50, 100, and up.
To make this simple, think of it like a chain of different IP addresses that protect your actual IP address. This means in order for a hacker to figure out your IP address, they would somehow have to figure out the trail of different IP addresses and follow the bread crumbs to the first one. The good news is, if they do get to the first one somehow, it's going to end up leading them to the IP address of the server that you’re utilizing for your VPN, leaving them no way of getting to yours. The best company I found for VPN and SOCKS proxy is Private Internet Access (PIA). PIA has the largest network capacity across the globe to provide the most encryption and highest speeds. PIA is also the only proven VPN service in the world that never logs user data. Normally you would have to go through two different companies or purchase two different packages to have a VPN and a SOCKS proxy, but PIA has it wrapped together so that you can easily use both services simultaneously with the click of a button. It’s also convenient that PIA’s VPN platform is fully integrated into Purism’s software and hardware offerings for unprecedented privacy and security protection.
Now, you should have a great idea as to how you can safely and securely operate in the wild wild west of the crypto industry. Given the increasing demand for crypto assets, (especially since public and private companies are buying hundreds of millions of dollars worth of BTC with their cash reserves to hedge against inflation) it's pretty safe to assume that this will incentivize companies to innovate more advanced security protocols. This will make it so that more Fortune 500 companies can feel safe utilizing Bitcoin as a treasury reserve asset and being able to custody their crypto on their own, or feel comfortable being able to outsource the custody. As usual I’ll end this article with one of my favorite quotes by Nelson Mandela, as it pertains to this subject, “ Safety and security don’t just happen, they are the result of collective consensus and public investment”.