EP021 – Best Secure Practises for Crypto
Episode by Peter Bui on August 18th, 2021
I’m enjoying your podcast and want to start investing in Cardano. However, I’m a very cautious investor and want to make sure everything is secure before I invest any money.
There are so many options for exchanges and wallets, as well as different advice for the security of those things.
I’m wondering if you would release a podcast episode discussing the first steps to investing with Cardano. How to compare different exchanges, wallets, and what security you should have set up on your computer/phone. For instance, should I make a new secure email account for 2FA, or is my phone number sufficient?
Some basic steps to investing in Australia for complete newbies would really help in giving me the confidence to start.
Thanks for all you’ve done so far!
Different Cardano Wallets & Security
At the moment there are two main wallets that people use in the Cardano ecosystem, Daedalus & Yoroi.
They’re two very different types of wallets with Daedalus being a full node wallet and Yoroi being a light wallet.
Full node wallets will download a copy of the blockchain to your computer. This means it will only work on a desktop or laptop computer and will not work on a tablet or mobile device.
On the other hand, we have Yoroi which is a light wallet which means it connects to a third party server. In this case, it is managed by Emurgo, the creators of the Yoroi light wallet.
The choice of wallet depends on what devices you have available. For example, if your only device is a smartphone, then Yoroi is the best option for you. If you have a PC with decent hard drive space and a good internet connection, then Daedalus is a good option.
Whatever you choose, they’re both excellent and secure options.
There are occasions when there is downtime or issues with the servers that back the Yoroi wallet. On one occasion a popular NFT sale caused a huge lag on the Yoroi servers, and there was another outage recently when a spike in the Cardano price had people buying, selling and moving their ADA around during the peak, leaving the servers down for up to 5 hours at a time.
If you have an existing wallet on either app, you can restore it on the other. For example, if you have a Yoroi wallet, you can restore that wallet on Daedalus and interact with the same wallet from either app, because both derive the same keys from the same seed phrase. This is something you may want to do so that you always have access to your assets. Bear in mind that every restore means typing the seed phrase into another computer, so only do it on a device you trust.
Ensure you are downloading from the official websites:
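Downloading from the official site is the first step; the second is checking that what arrived is what the site published. Wallet releases are normally accompanied by a SHA-256 checksum file (and, better, a signature over the release). The following is an added example, not code from the podcast or from the Daedalus or Yoroi projects: it parses the standard `sha256sum` file format, hashes the downloaded file in chunks, and compares the two. The installer bytes and checksum file are constructed inside `demo()` so it runs offline; the filename `daedalus-installer.bin` is a placeholder, not a real release name.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse `sha256sum` output: one '<64 hex chars>  <filename>' per line.
    A leading '*' on the filename (the binary-mode marker) is ignored."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        int(digest, 16)  # raises ValueError if the digest is not hex
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path: str, sums_text: str) -> bool:
    """True only if the file's SHA-256 matches the published entry for its basename."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return False
    # Constant-time comparison: a habit worth keeping for any security check.
    return hmac.compare_digest(sha256_of_file(path), expected[name])


def demo() -> tuple:
    """Constructed data: a fake installer, a checksum file built from it, and a copy
    with one byte flipped. Returns (genuine_verifies, tampered_verifies)."""
    installer = b"fake installer bytes " * 1000
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "daedalus-installer.bin")
        bad_dir = os.path.join(tmp, "tampered")
        os.mkdir(bad_dir)
        bad = os.path.join(bad_dir, "daedalus-installer.bin")
        with open(good, "wb") as f:
            f.write(installer)
        with open(bad, "wb") as f:
            f.write(installer[:-1] + b"X")
        sums = f"{hashlib.sha256(installer).hexdigest()}  daedalus-installer.bin\n"
        return verify_download(good, sums), verify_download(bad, sums)


if __name__ == "__main__":
    print(demo())
```

A checksum taken from the same page as the download only protects you against a corrupted transfer; if an attacker controls the page they control the checksum too. Take it from a second source where you can (a signed release, or the project's own announcement channel) and compare it there.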
Seed Phrase Storage
When you create a wallet for the first time, you are prompted to save a 24 word seed phrase. This is extremely important to keep safe and secure as it is used to restore your wallet. If you get a new computer or new mobile device, you will need that phrase to restore the wallet and access your assets.
If you lose this seed phrase, your assets are gone forever. Protect it.
Avoid saving your seed phrase on your computer. If your computer or device gets hacked, then that seed phrase may be compromised.
Avoid writing the phrase on a sheet of paper. Ink can fade leaving your phrase almost impossible to read. Pets and small humans can destroy your piece of paper and paper will burn.
There are various hardware devices for storing your seed phrase in a secure manner. These are made out of high-grade steel or other metals that only melt at an extremely high temperature, so the phrase survives a house fire.
In the first month of starting my stake pool and the podcast, I gave away a Crypto Steel Capsule which is a small cylinder device that allowed you to store the first 4 letters of your seed phrase.
Links to devices
You can also get pieces of aluminium from a hardware store and an engraving tool for less than $50 Australian and create multiple copies of your seed phrase for storage.
You can also use an encrypted USB drive to store the seed phrase and other passwords. The device itself is encrypted and password protected, and you can also individually encrypt each file on the drive with a unique password, so two passwords are required to reach the phrase.
Hardware wallets are unique in that they store the secret keys of your wallet on the hardware device itself. The keys are never exposed to the Internet, which makes them that much harder to steal.
When you restore a seed phrase on Daedalus or Yoroi, you have to enter it on a device such as a computer. If that computer has been compromised and your keystrokes are being logged, then a hacker can capture your seed phrase, restore it on their own computer and withdraw all your assets.
To do the same on a hardware wallet, you will need to physically get your hands on the hardware device.
There is one weakness though: the seed phrase generated when you create your wallet for the first time on the hardware device. You still need to store that somewhere, and it comes back to storing it on a piece of metal or a device built for the purpose such as a Crypto Steel Capsule.
Emails are one area where hackers can use social engineering techniques along with fake scam emails to try and get into your accounts.
When you set up accounts on crypto exchanges, you will have to use some sort of email address. This email address will be used for two-factor authentication and notifications for when things happen on the exchange that you are using.
It is really important that your email account uses a very strong and unique password that isn’t used anywhere else. If you can remember your email password, it probably isn’t strong or secure enough. There have been many large data breaches around the world on many different platforms and websites, and your email and password combination could have been leaked in one of them. A hacker who gets into your email can reset your other account passwords to whatever they want and access all of your exchange accounts.
Use the strongest password possible for your emails.
Use an email provider that has built-in spam and phishing scam detection to protect yourself.
Use two-factor authentication on your email so that you need a second device to approve a login. Gmail allows the second factor to be the Gmail app on your phone: it pushes a notification to your phone asking you to approve a login from a new device. If you get one of these and you’re not trying to log in, then something is wrong and you should deny it.
Password & Password Managers
Use long and strong passwords.
If you have to use a password that you need to remember, try using a multiple word phrase separated by hyphens or spaces.
A good example is “microphone dancer-drill mug charger 6352”
This is a long password but made up of memorable words.
Use a password manager!
There are many password managers to choose from. Some are free with paid tiers, some are fully paid. Whatever you use, just use one. Every website that you create an account on should have a unique username and password combination. No two websites should be using the same password.
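The word-based passphrase above works because each word is drawn from a large list at random, so the strength is the list size and the word count, not how clever the words are. The following is an added example, not code from the podcast: a passphrase generator that uses the operating system's secure random source (`secrets`, never `random`) together with an entropy calculator so you can compare a five-word phrase with a short random password. The 16-word `DEMO_WORDLIST` is constructed just to keep the example self-contained; a real generator uses a published list such as the EFF long list, whose size (7776 words) is the figure used in the entropy calculation.

```python
import math
import secrets

# Constructed demo wordlist; only here so the example runs offline.
DEMO_WORDLIST = [
    "microphone", "dancer", "drill", "mug", "charger", "harbour", "pelican",
    "granite", "saddle", "lantern", "velvet", "cactus", "tango", "orbit",
    "ripple", "walnut",
]
EFF_LONG_LIST_SIZE = 7776  # 6^5: one word per five dice rolls


def generate_passphrase(wordlist, n_words=5, digits=4, separator=" "):
    """Pick n_words uniformly at random from wordlist using the OS CSPRNG,
    optionally followed by a block of random digits as in the page's example."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist has duplicates; the entropy estimate would be wrong")
    tokens = [secrets.choice(wordlist) for _ in range(n_words)]
    if digits:
        tokens.append("".join(secrets.choice("0123456789") for _ in range(digits)))
    return separator.join(tokens)


def passphrase_entropy_bits(list_size, n_words, digits=0):
    """Entropy in bits of a passphrase with n_words uniform picks from list_size words
    plus `digits` uniform decimal digits."""
    return n_words * math.log2(list_size) + digits * math.log2(10)


def random_password_entropy_bits(alphabet_size, length):
    """Entropy in bits of a random password of `length` characters from an alphabet."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits, guesses_per_second=1e10):
    """Expected years to find the secret at a given offline guessing rate
    (half the keyspace on average). The rate is an illustrative assumption."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDLIST))
    # Five words from the EFF list plus four digits, like the page's example
    print(round(passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 5, 4), 1), "bits")
    # Eight random characters from [A-Za-z0-9]
    print(round(random_password_entropy_bits(62, 8), 1), "bits")
```

Five words from a 7776-word list plus four digits come to about 78 bits; eight random alphanumeric characters, which most people already struggle to remember, come to about 48 bits. The passphrase is both stronger and easier to recall, which is the point of the advice above.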
Two Factor Authentication
Two Factor Authentication is an extra layer of security that can be added to your accounts. In fact, it should be added to every account that supports it. It forces you to use a secondary device, such as your smartphone, which produces a rolling code that changes every 30 seconds; you submit that code along with your username and password to log in.
This second factor only exists on your phone. It is generated offline, separate from the computer you’re logging in from, and it makes it that much harder for a hacker who has your password to gain access to your account.
Google Authenticator app is the most commonly used but there are others such as Authy and it is also built into Password managers as a feature.
If you’re using Google Authenticator on your phone, it is a good idea to set up a secondary backup phone with the same accounts (the app can export them) so that you can still log in if you lose your main phone. Also write down the one-time backup codes each site gives you when you enable 2FA and keep them with your seed phrase storage.
SMS/text is also an option as a two-factor mechanism, but too often it is too easy to steal someone’s identity data and use it to get their phone number moved to a new SIM card, typically one in the hacker’s phone. They will then receive your SMS codes, and there goes your account.
This is usually done with a little bit of social engineering of a customer service rep at your phone company, using a little bit of data that the hacker already knows about you.
Sometimes the security questions and answers, such as “What is your mother’s maiden name?” or “What is the name of your pet?”, are too easy to answer from public information and as a result too easy for a hacker to bypass. This goes for any account that uses this technique to identify you.
When choosing these question and answer combinations, go for the harder ones that are a lot more difficult to answer. Better still, treat the answer as another password: give a random answer and store it in your password manager, so the true maiden name or pet name is never what unlocks the account. This helps stop some social engineering. It isn’t foolproof, but it is better than nothing or the really simple questions and answers.
Exchanges are the points where you buy and sell your cryptocurrencies with fiat currency.
This is a place that you want to ensure that you’re being as secure as possible.
Many of these exchanges have a high level of security features to help stop hackers from getting into your account and taking all your funds.
Between all the different exchanges that I have used, Binance has a high level of security with multiple security levels that are required to do almost anything. In Australia, I also like to use CoinSpot and Crypto.com as they both have a good buying and selling experience as well as good security options with different forms of two-factor authentication.
Use a security key. Binance can use a device called a YubiKey. This small USB device generates a unique one-time code each time you touch it and can be linked to your Binance account. If this is enabled, you will need the YubiKey each time you log into your account. It is a physical and robust little device that protects your login; similar to a hardware wallet, without the device you won’t be able to get into your account. The downside to a YubiKey is that you may lose it, and at this moment I don’t know where mine is. You can replace them and connect new devices, but you may again lose them, so register a second key as a backup before you need it.
Enable google authenticator. That’s a must. Just do it.
Phone verification: you know my stance on SMS hijacking.
Email verification is a must. This forces you to confirm withdrawals from your account via email. As long as your email account is highly secure with a strong password and 2FA, you should be good there. A hacker would need to break into both your Binance account and your email account, both protected with 2FA and strong passwords.
Withdrawal whitelist is a feature found not only in Binance but in many crypto exchanges. Before you can transfer crypto out of your account, you must first set up a withdrawal address. When adding an address, you must provide your password and your 2FA code, and then confirm the addition via your email address. It’s a multi-step process before you can move funds out of your exchange account.
Anti-phishing code. A hacker can copy the emails an exchange sends out and replace the content with a fake message and link asking you to reset your password because of some update they had to do. The link takes you to a fake version of the site that looks and feels like the real thing but isn’t. It simply asks for your current username and password and then shows an error screen where you may enter them again. This lets the hacker verify that you entered your username and password correctly, into the fake site, and then use those credentials to log into your real account. The anti-phishing code is something you set in your account and that is known only to the exchange. Every email the exchange sends must carry this code in the body; if it isn’t there, the email did not come from the exchange.
Phishing Scams and Social Engineering
This happens all the time, from online tech support scams to fake YouTube live events where scammers promise to send back double the ADA that is sent to the address shown on the video.
In this interview with Nick Nikifarakis, the professor at talks all about these scams and how to spot them.
Never tell someone your personal information. Be wary of anything that sounds too good to be true. No one will give you something for nothing.