Every 6 months or so, I like to revisit this topic with everyone, and for a great reason. Many humans are extremely lazy when it comes to their own personal security.
You may lock your vehicle and your house all the time, but basically leave your “security door” wide open when it comes to your online security. Doing a security checkup is not just important for your cryptocurrency accounts and wallets, but for EVERY single online account you have. The reason I revisit this topic often is not just to preach about doing better. It is because every week, I hear devastating stories from real people who were lazy in one way or another when it came to account security.
In this How To Crypto Report, we’ll explore some of the top method’s we’ve seen lately that scammers and hackers have used recently to steal people’s assets, and then we will share the Security Checkup blog originally shared last year with a few updates made to it.
One of the top methods used recently involves a fake message, either an email or text message that is disguised to appear to be from either a cryptocurrency exchange or wallet provider. There is usually a warning or call to action to secure your account with a malicious link that is designed to either steal your login credentials or could imbed a virus on your device. Even if an email or message looks legitimate, it is best never to click on links in these messages but instead, manually type in the correct website address for whatever platform it is related to. In some cases, the fake websites will be clicked on from a Google search or similar.
These fake websites are designed to look identical to the real sites they are copying, but usually have a slight misspelling or different domain extensions, like .net instead of .com, or something similar. Some of these sites have optimized search engine optimization(SEO) to appear higher on search results than the legitimate site. A similar type of hack to this we have seen a lot of lately are fake wallets or web wallet extensions designed to look like Metamask or other wallets. When a user is asked to enter their seed phrase or recovery phrase to restore their wallet, that is when the fake wallet is given full access to all of the assets in the wallet. It is important to ensure you are always visiting the legitimate websites and downloading the legitimate wallets. Below is our past blog called It’s Time For a Security Checkup, with a few updates.
Take the time to do a self evaluation on ALL of your accounts and security measures and take the steps necessary to correct your faults. Hackers and scammers look for the path of least resistance. Anything you can do you further secure your assets and accounts will make you less likely to be targeted, and even worse being a victim.
The Responsibility That Comes With Cryptocurrency Trading and Investing
One of the amazing things about cryptocurrency is that it truly gives you freedom and true ownership of your assets. Compared to the money you “hold” in banks which are not truly in your control, as we’ve seen many times in many countries where banks or governments freeze accounts. Many times they will claim the frozen account belongs to a criminal, but what happens when the laws that are broken are immoral themselves or the true criminals are the ones in power?
More on that in a different report, but you don’t have to look far to see instances of this happening throughout recent history in many countries. With this great freedom comes great responsibility, the responsibility to do your part and protect your accounts and wallets from hackers. Hackers can be considered today’s modern-day pirates. Throughout history, where there has been gold, there have been pirates. So it’s no surprise that where there is digital gold, there are digital pirates.
This is not new with cryptocurrency. Since the inception of the internet, poor account security has been a main target of hackers looking to steal financial data or financial assets. One of the best ways to prevent becoming a victim is to take the below listed steps. Many of these are not just for cryptocurrency. I teach my students to take these precautions with every single account they have. The biggest reason for people to have their identities stolen or money stolen online is due to one major factor: Being lazy when it comes to your account security. So let’s jump in, do a self checkup of each of your accounts that holds financial records or assets, and take the action needed to make your accounts more secure.
One of the first things we’ll discuss is your actual email account. You may be thinking, “what does this have to do with account security?” Most people will use the same email address for everything.
For example, people will use the same email address for their financial accounts as they do for every email mailing list they are on, like retail store newsletters, non financial accounts, etc. It is best to create a separate email address for your financial accounts that you will not give out publicly to others.
Some hackers can do what’s called credential stuffing, which will be discussed further in the password section below. If you want to change your email address on current accounts, most accounts just make you verify the change by sending a confirmation email to the existing email on file and the new one you are changing it to. Now, Gmail, Hotmail, and Yahoo are the most popular email servers, but if you’re looking for a more secure email server, Protonmail has been one many have used for years for additional security.
Regardless of the email server you choose, you want to make sure that you follow the additional steps listed below to secure your accounts.
Let’s face it. Passwords can be hard to remember, especially if you have to change them frequently. However, don’t get lazy when it comes to passwords. Passwords need to be complex and not easily guessed. If your password includes things hackers can guess about you by studying your social media profiles or public records, such as kid’s names or birth dates, you need to make a change in this immediately.
Also, if you use the same password for multiple accounts, you will want to change this immediately. Use a different password for each account. Back to the topic of credential stuffing mentioned in section above. Hackers will gain access to a centralized data point, not through any fault of yours. We’ve seen this in major retailers who have had their stored data compromised such as Target and Home Depot.
Many security experts say there are two categories to put all companies that store customer data, those that have been hacked and those that will be hacked. Hackers will then take those same credentials from the hacked source and try to find financial accounts or email accounts that use the same login credentials.
If you use the same password across many accounts then you can be susceptible to this. Passwords should also be complex. This means a good combination of uppercase letters, lowercase letters, numbers, and special characters. For instance instead of a password being ilovenewscrypto123, you can replace some letters with numbers or special characters such as !L0veNew5crypt0. This makes your password much harder to guess or crack with a decoding program. The longer and more complex the better. Hackers will always target the path of least resistance so the harder to crack, the better.
2 Factor Authentication
Strong and complex passwords are only one part of your account security. It is best to add another layer of protection called 2 Factor Authentication, also known as 2FA. 2 factor authentication adds another step to the account login process after a username and password has been entered.
Even if your account username and password have been compromised, 2 factor authentication can stop a hacker from accessing your accounts. Now, we’ll look at the different levels of 2 factor authentication, as some methods are not as secure as others. The least secure option is text SMS authentication or email authentication. When these are enabled, after logging in, you will receive a text message or email with a code you must enter on the website to gain access.
The reason this is the least secure is due to the fact that your email account could be compromised. Also, a fairly new type of hack called sim swapping can be done where a hacker compromises your phone account and moves the service from the sim card in your phone to the sim card in the hackers phone.
If it’s your only option on an account, it’s better than not having it enabled, but most, if not all sites give you the option for better security than this option. A more secure option would be to use a 2 factor authentication app, such as Google Authenticator, or Authy. These allow you to sync accounts to a time based code that changes at regular, short intervals. Once you have this enabled, you log into your accounts and then open the app to obtain the current code before time elapses and it changes.
Usually when you set these up, you will be given a backup code to restore if you lose access to your authentication app. It is best to write this down in a secured notebook or on a hard drive that is not live and connected to a computer or internet when not in use. The most secure form of 2 factor authentication is using a physical security key. There are several to choose from so do your research on which ones are best. The one that I have experience with is made by Yubico called the Yubikey.
With a security key, you have a physical device that you either insert into the usb or other port and tap the button or if using NFC, tap the back of your phone while pressing the button to confirm 2 factor authentication. These are recommended that you have at least one backup security key, in case one gets lost or stolen. I currently keep one on my keychain that stays with me at all times and one locked up in a secure safe.
Backup Codes and Seed Phrases
Now that we’ve looked at securing accounts, let’s talk about securing your security data. Anytime you create an account with 2 factor authentication, you will have a backup code to store. Do not store this in the notepad on your phone, notepad or Word program on your computer, or as a screenshot on either.
When you create cryptocurrency wallets where you control the private keys, which is recommended for any cryptocurrency you are not actively trading, you will be given what’s called a seed phrase or backup phrase. This phrase usually consists of a string of letters and numbers or a 12 to 24 word phrase of randomly generated words.
This allows you to restore access to the wallet if your device is lost or stolen or crashes. Anyone with access to this info can gain access to your wallet and steal your cryptocurrency. That is why it’s important to protect this data. As mentioned a couple times above, any of this backup or restorative data needs to either be written down in a physical notebook and kept in a secure location or stored in a digital drive that is not connected to the internet and not connected to the computer when not in use.
The best defense is to do both options, or multiple options of both. Keep a copy in a secure location separate from the main data. I’ve heard of instances where flood or fire have happened and due to following this advice, those people were able to restore access to their accounts. There is risk wherever you store data, whether you are in complete control of it or not, but when you are in control, you can take steps to ensure you are protected.
Websites and Apps
As the technology involves, so do the types of scams that are designed to either steal your data or steal your financial assets. One method that is becoming more common is when someone with ill-intentions creates a website made to look like the official website you are intending to visit.
Once someone visits these sites and enters their login credentials, the hackers then can use that information to log in to your actual accounts. In recent months, we’ve seen these fake phishing sites exploit Google ads to rank higher on search results than the legitimate website.
Last year with the rise of popularity of Uniswap, at one time there were 4 or more sites ranked higher. Most exploits change one letter or replace a regular letter with a letter or with special character above it.
To avoid this, try to avoid using Google search to find a website address. In the case of cryptocurrency websites and cryptocurrency exchanges, you can use resources like CoinMarketCap.com and CoinGecko.com to identify the correct websites. When you click on each cryptocurrency, it will link you to their official website. The same goes for cryptocurrency exchanges, both centralized and decentralized. Mobile phone apps are the same.
There have been instances of fake apps being published on Google Play store and Apple app store that are not the legitimate app. If you find an app in the respective app stores on your phone, you can check validity by going to the legitimate website of the exchange or cryptocurrency project and verifying from the download link provided on the website.
All of these fake apps and websites have one purpose, to steal your login credentials so they can access your real accounts. This is also another place where credential stuffing can happen and they will try to see what other accounts you use the same email and password to access. Back in early 2017 there was an exchange that had no official app at the time, but a fake app was posted in Google play store to trick people into entering their login credentials. Eventually these fake sites and apps get flagged or taken down, but before they do, users can lose funds if they fall prey to this type of attack.
Virtual Private Network(VPN)
One topic that we must touch on briefly is the use of public wifi access. Many businesses will provide free wifi access, such as hotels, coffee shops, restaurants, etc. Many times it is best not to use these public wifi access points as your data and access to your devices could be easily exploited by hackers. However, if you decide to connect to this, here are a few tips to protect yourself.
First, make sure you trust the company providing the free wifi access. This doesn’t mean it is safe. It just means that the entity providing the free wifi access is trusted. There have been instances found in the past where hackers have set up fake wifi access points with the intention of stealing data from those that connect with it. Even if you decide to connect to a public wifi access point, it is best to use a virtual private network, also known as VPN. A VPN gives you secure access to your VPN provider which then allows you to make a private connection to the websites you plan to visit.
It is very important to do your research and use a reputable VPN provider. There are many good options. Two that I’ve personally used are Torguard and IPVanish. Go with the best reputation and not the lowest cost provider. With a VPN service, you can activate from your phone or computer to create a secure private connection. An additional layer of protection to ensure all your devices are protected is to have a good anti-virus software installed on it and that you have downloaded the most up-to-date version as these programs are updated often.
The digital world continues to evolve and develop, and since the emergence of cryptocurrency, so many possibilities are being created each day.
Cryptocurrency gives everyone, regardless of age, sex, location, and socioeconomic status to transact peer to peer without the need for access or authorization from a third party, such as banks or government. With this great freedom, I urge you to, first and foremost, make sure you take the steps necessary and discussed above to protect your accounts and your financial data.
As mentioned, hackers will look for the path of least resistance when trying to access accounts. Don’t make yourself an easy target. If you already have made some of the mistakes listed above, it is not too late to go in and fix it. Each step you take gives another layer of protection to make you and your accounts more bulletproof.
Yes, it is easier to screenshot your backup keys, or copy and paste them into the notepad on your phone, but each time you do this, you are creating a centralized honeypot for hackers to flock to. I hope you find this information useful and helpful. Set aside some time today to do a checkup on your accounts and wallets.
Content written by Blockchain Wayne and NewsCrypto Team