The Crypto Rollercoaster
Cryptocurrencies can feel secure, because they decentralise and often anonymise digital transactions. They also validate everything on public, tamper-resistant blockchains. But those measures don't make cryptocurrencies any less susceptible to the types of simple, time-honored scams grifters have relied on in other venues. Just this week, scams have arisen that divert funds from users' mining rigs to malicious wallets, because victims forgot to change default login credentials. Search engine phishing scams that tout malicious trading sites over legitimate exchanges have also spiked. And a trojan called CryptoShuffler has stolen thousands of dollars by lurking on computers, and spying on Bitcoin wallet addresses that land in copy and paste clipboards.
A few simple steps, though, can help cryptocurrency proponents, be it Bitcoin or Ethereum or anything between, guard against a raft of common attacks. Just as you might keep your cash out of plain sight, or stash your jewellery in a safe deposit box, it pays to put a little effort into how you manage your cryptocurrency. The following won't defend against every conceivable attack on your digital assets, but it's a good place to start.
A key step to protecting your cryptocurrency is to store anything of significant value in a hardware wallet, a physical device, like a USB drive, that stores your private keys and currency locally, and isn’t connected to the internet. Experts caution against storing large amounts of coins through cryptocurrency exchanges, or in digital wallet apps on your smartphone or computer. Just this week BitGrail, an Italian exchange, shut up shop citing 'bugs' in its trading floor software, with over $170mln in cryptocurrency missing. The public-facing internet offers an attacker too many inroads to attempt to infiltrate your wallet, or trick you into giving them access.
Secure hardware wallets like Trezor, Ledger Nano S or the Keepkey cost a few hundred pounds or less and have a straightforward setup. You just choose a PIN number and a recovery "seed" (usually a set of words and numbers) in case you forget your PIN, or your wallet malfunctions. It's pretty robust security, so make sure you keep copies of your PIN and seed somewhere accessible to you, but not to home intruders. Recovering currency stored on a hardware wallet after losing both the PIN and the seed is a whole other thing. If you can, you should keep a backup of the seed key in a fireproof safe. This stuff is for real.
Your setup also doesn't have to be fancy; you can store backups of your coins on any external storage device, like a portable hard drive. Just make sure to encrypt the data in case the device is lost or stolen. You might even consider making a backup to leave in a safe deposit box.
The downside to a hardware wallet is that it makes approving transactions a bit cumbersome. If you want more fluid access to your cryptocurrency, experts suggest storing a small amount in a wallet app to facilitate low-value transactions. The key here: Only keep an amount you would be willing to lose in the app, and never give anyone your private key. An alternative is to use the Coolwallet Hardware Wallet, which connects via Bluetooth to your smartphone, allowing access to your Bitcoin quickly and even on the move!
Apps like Mycelium Wallet and MyEtherWallet that are interoperable with popular hardware wallets can make your online setup more seamless. And some app-based options like Samourai Wallet are working to prioritize robust encryption and privacy features. Still, don't trust any app with too much cryptocash; offline is always better.
Additionally, consider where you store your private keys, the secret part of the public-private key set that lets you authorize revisions to a blockchain. Always keep them encrypted, and try to avoid leaving them lying around on devices that you use all the time for a lot of different tasks, like your personal PC.
Also consider your transactions carefully. There are tons of established, reliable institutions, but gimmicky new cryptocurrencies crop up all the time, as well as questionable Initial Coin Offerings that could have nothing behind them but scammers on the move. When the cryptocurrency OneCoin, marketed as a Bitcoin competitor, launched, people bought about $350 million worth of the coins, and it has since drawn comparisons to a Ponzi scheme. And people are even being scammed during legitimate ICOs when attackers launch phishing attacks around the events, or trick would-be investors into sending money to fake wallets. (The US Securities and Exchange Commission is showing signs of cracking down hard on this, with a meeting between the US Senate and the Commodity Futures Trading Commission just last week.)
It's also important to remember that all the small things you're already doing to protect your general digital life help defend your cryptocurrency as well. We encourage all customers to take a few foundational, and free, actions to put them on a much more stable security footing. Use a password manager, use two-factor authentication, and leverage enhanced security protocols for your email address as a start.
For the especially concerned, you can even turn on Gmail's new Advanced Protection feature, and/or add defenses like a PIN or password to your phone number to make it harder for attackers to grab control of your accounts by transferring your SIM to their own device.
All of these suggestions bolster your general digital security hygiene, but they are particularly helpful for reducing your exposure to the most simple (sometimes impressively so) cryptocurrency scams that can take advantage of small things, like a reused password and no second authentication requirement, to walk in the front door of one of your accounts.
Take that Copy/Paste trojan, which originally emerged more than a year ago and has been making the rounds again over the last few months. It shows just how basic cryptocurrency scams can be. The malware works by lurking silently on a victim’s computer and passively monitoring their clipboard, waiting for the victim to copy a Bitcoin wallet address. When it sees a string of numbers that looks right, CryptoShuffler simply starts swapping the wallet ID the victim copied for its own malicious wallet address in payment fields. If the victim doesn’t spot the change, the transaction goes through and the coins go to the crooks.
The best way to defend against an attack like that (if your malware scanner doesn't detect the intrusion) is simply watching all transactions carefully, and taking steps to safeguard your assets so you know your data hasn't been exposed.
And once you have the basics in place, make sure your friends adopt the same mindset. The more secure the ecosystem, the less attractive a target it is to bad actors. Luckily, you don't need to be a cryptography expert to take the basic security steps that will protect you against the majority of attacks. And seriously, if nothing else - don't lose that wallet seed!