5 security tips you’ve never heard of

The typical security advice that everybody tweets and posts about is “never type in your seed words on a website” or “don’t click on links from people you don’t know” or even “never give your password to anybody, even if they say it’s customer support”. And rightfully so! This is good advice that folks should be aware of and practice to keep their coins safe. But what do the experts do that goes beyond this? How do developers, people critical in the pipeline for products and code, or just people who have a lot to lose if they get compromised, mitigate their risks?

First let’s set the tone: security is about evaluating attack surface and mitigating risks as you see fit. On one extreme side of the spectrum, you can never get hacked if you don’t use a computer, but then you can’t do anything else either. On the other extreme, if you use weak passwords, disable 2FA, never update your apps and click on every link people send you, you’re going to be sharing your crypto with others for sure. What you want to do is decide which risky activities fit your particular profile and what tolerances you have for them and set up your security posture accordingly. If you can ground yourself in this, you can think and reason and build things that make sense in a security context. Now let’s get into it!

1) Understand how to protect yourself from phishing

Phishing is the most common attack against crypto users these days because it works. One day there will be better protection and identity verification to stop most traditional phishing attacks, but there’s not much out there today to help you. You can however do two things that may keep you from falling for a phishing email and site:

  • If using Gmail, click the vertical dot-dot-dot on the upper right side of the message and then “Show original”. This will open a new window with the email’s raw content so you can easily inspect the sender and the email security headers. If anything looks funny, don’t go any further. Have somebody else look at it by forwarding it to them and asking them to check it out as well. Send the link to a malicious URL site checker like VirusTotal or Palo Alto Networks’ URL Filtering.

  • Read the email and ask yourself, “If I do what they’re asking, will it affect my security or password?”

Always look for browser security warnings too if you do click on any links, and never just “click through” warnings that you get from links you clicked on in an email: they are trying to warn you!
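As an added example (not from the original post), here is a small Python script that automates the kind of “Show original” inspection described above: it reads a raw message, pulls the SPF/DKIM/DMARC verdicts out of the Authentication-Results header, compares the From domain with the Return-Path domain, and flags links whose visible text is a URL on a different host than the real href. The sample message and every address and domain in it are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample of a phishing-style message; every value here is made up.
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=support.example.com
From: "Customer Support" <help@support.example.com>
Subject: Urgent: verify your wallet
Content-Type: text/html

<p>Click <a href="https://login.support-example.com/verify">https://support.example.com/verify</a> now.</p>
"""
def auth_results(msg):
    # Collect spf/dkim/dmarc verdicts from every Authentication-Results header.
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts

def domain_of(msg, header):
    # Domain part of the address in a header such as From: or Return-Path:.
    return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()

def mismatched_links(html):
    # Links whose visible text is a URL on a different host than the real href.
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = urlparse(text.strip()).hostname
        if shown and shown != urlparse(href).hostname:
            found.append((text.strip(), href))
    return found

def triage(raw):
    # Return human-readable red flags for a raw message (what "Show original" gives you).
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            flags.append(f"{method} did not pass ({auth.get(method, 'missing')})")
    from_dom, rp_dom = domain_of(msg, "From"), domain_of(msg, "Return-Path")
    if from_dom != rp_dom:
        flags.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    for shown, href in mismatched_links(msg.get_payload()):
        flags.append(f"link text says {shown} but href goes to {href}")
    return flags
```

Paste the raw text from “Show original” into a file and call `triage()` on its contents; an empty list means none of these particular red flags fired, not that the message is safe.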

2) Use VirusTotal to check for malware signatures BEFORE you install the wallet or run the app

It’s super easy: drop the downloaded file into VT and it will check it for reported malware using a ton of different antivirus engines running in the cloud. Or give it a URL and it will check whether people have reported the link as malicious.

3) Don’t tell people you have crypto or are even in the market

This one is hard. OK, if you must shout about Richard’s projects to your friends and family, you can make exceptions, but in general don’t tell people you don’t trust that you’re into crypto. Keep it on a need-to-know basis and you’ll have less to worry about as far as opsec and theft go. Create different email addresses and social media accounts specifically for crypto, so if anything goes wrong, everything is separate from your personal stuff. And if you want to pack it in and retire one day, you can just leave those accounts alone for a while.

4) Don’t fall for the VPN hype

VPNs allow you to encapsulate your traffic and send it over an encrypted tunnel instead of just using the network you're on. Basically they "make all the things SSL", but keep in mind you're still at the mercy of the company providing the VPN not being malicious. If they are bad or get compromised, someone can now play with your traffic and watch every site you visit. They still can't see inside your HTTPS traffic, for example, unless they trick you into accepting their man-in-the-middle attack by getting you to click through warnings like "This site is not secure" or "Bad certificate", which you’re probably already used to doing. Why anyone would use a VPN at home is beyond me, unless you turn it on only when you’re trying to bypass some filter or censorship. Otherwise, if you think your own WiFi is malicious, you’ve probably got bigger problems to solve.

The point is VPNs have a purpose, but know the risks that come with them. Only use a trusted VPN company that has been around for a long time, such as Freedome (no sponsorship, I just like the product). Using a random VPN provider means you're taking a coin flip on them messing with your traffic. Be especially careful with the free VPNs: if you're not paying for the product, you are the product. There are plenty of public articles detailing their less-than-ethical behavior, security breaches, data leaks and exploits. VPNs are useful and have their place, especially if you travel and need to use public WiFi, but these days there are a ton of scams and they’re constantly overused.

5) Use something other than Windows when doing crypto stuff

No matter how many security features they add to Windows, it’s 2022 and viruses and ransomware are still a big problem. One solution is to just not use Windows, so Windows malware (which is the majority of malware) cannot infect you if you do happen to click on a bad site. Mac is the obvious easy choice and MacBooks are pretty neat: slight learning curve, but worth it. Linux is another option. Ubuntu is very easy for professionals and newbies alike to use, and it’s much more modern and better supported these days than a few years ago; Chrome, Firefox, MetaMask and all the apps you need to do most everything in crypto are right there and work fine.

Honorable mentions include:

  • multisig

  • only opening files or email attachments in a VM

  • using a paper wallet

  • using a different browser with MetaMask installed vs. the one you use for normal browsing

  • keeping your apps up to date (especially Telegram, Chrome, etc.)

  • using a hardware wallet (although they can be compromised if you lose physical access, but so can paper wallets technically)

  • using good passwords for MetaMask and everywhere else, and generating and storing them securely in a password manager

  • not texting or using Facebook/WhatsApp, just use Signal

  • not using text-based 2FA, only authenticator apps (or email if you must)

Also, don’t keep coins on exchanges (unless they’re just passing through to fiat, etc.), as it protects you in two ways: 1) you can’t trade it on the exchange if it’s not there, helping you delay gratification, as we all should be life-hacking ourselves to do, and 2) it can’t be stolen or locked by the exchange if it’s not there. You can do this! Do the little things and keep your coins safe.
