Protecting Your Cryptocurrencies – Online and Offline

The cryptocurrency universe continues to grow in popularity in the wake of global turmoil and COVID-19. Despite such economic uncertainty, with unemployment levels soaring following the first outbreak of COVID-19, younger individuals in the workforce are eyeing cryptocurrencies as a method of investment. Just last week I was pleasantly surprised to hear both my older and younger brother asking me, a three-year cryptocurrency HODLer, the best and most practical way of dipping their feet into cryptocurrencies. As I was explaining cryptocurrencies, their risks, and how to properly HODL them, I noticed this topic is extensive and would benefit the masses if compiled into an article such as this one.

So here it is: a live post of tips and advice to secure and protect your crypto from falling out of your hands. Owning cryptocurrencies involves not only price risk but also handling risk: a small hack or simply a wrong transfer can make your entire portfolio vanish in an instant, and once the transactions are verified and carved into the crypto’s ledger one is undoubtedly at the mercy of the recipient.

Read on to prevent the above from ever happening to you.


This guide is split into online and offline sections. The online portion mainly involves handling crypto on exchanges but also goes into generic device security. The offline section touches more on the “human” side of making sure your crypto wallets won’t be hijacked by somebody else. Those who currently don’t use hardware wallets should still go through the offline section, since it gives specific guidance on how to secure private keys.

Online

Beware of Virus/Malware on Device

We’ll start off with one that is common knowledge to everyone but is worth mentioning anyway: make sure the device used to transfer crypto isn’t infested with viruses or malware. Assuming one uses a laptop, it is important to run antivirus software frequently and remove any suspicious software. Even keeping Windows Firewall and Windows Defender on and updated helps immensely to prevent malware from searching the file system for contents that look like private keys and sending them across the network.

The above is a “duh!” concept for everyone savvy enough with computers to want to buy crypto, but many overlook this next potential vulnerability: browser extensions may be avenues for attack. Recently there has been a lot of news, such as this one, where companies – intentionally or not – are snooping on what users type on their devices. Just because the above news concerns iOS devices doesn’t mean it won’t happen on Android or on a laptop (where it is arguably easier to develop, in the form of browser extensions).

So what can one do? It is a lot of trouble to audit each installed extension for bad behavior, so one way to mitigate this risk is to limit active extensions to the bare minimum by using private/incognito mode on your browser when accessing crypto exchanges or entering any kind of sensitive information (in incognito mode extensions are disabled unless you have explicitly allowed them there). There is the added inconvenience of the crypto exchange not recognizing your device and requiring authorization via email verification, but it is a small price to pay for securing your assets.

Careful of Untrusted Sites and Phishing

Untrusted sites are very easy to recognize: modern browsers will plainly tell you when the site accessed is not secured. It goes without saying that when dealing with crypto one should never enter information into, or otherwise affiliate with, any site that uses an insecure connection. There are two reasons. The first is that any viable crypto exchange or crypto website has an SSL certificate and transfers data over HTTPS, so sites which do not are phishing at worst and untrustworthy at best. The second is that insecure HTTP is vulnerable to network sniffers who can extract one’s private information, and one won’t be any the wiser.

One can usually check whether a site is secured by referring to the browser’s URL bar. The following is an example of this site secured with an SSL certificate from the free and open-source project LetsEncrypt:

Figure 1-1 : This site’s secure connection prompt (Chrome 83)

However, there is a caveat that must not be overlooked: there have been cases where fake sites acquired users’ private information by using a URL that looks very similar to the real site. By replacing a letter in the URL with a look-alike Unicode character, hackers can build a front page that looks strikingly similar to the real crypto exchange and pass this fake URL around via email or other methods to entice unsuspecting users. While this fake site may have an SSL certificate registered and transfer data via a secure connection, that alone isn’t enough to identify a site as the real one.

The crypto community advises all crypto owners to bookmark crypto exchanges and other commonly used sites after verifying that they are real, and to navigate via those bookmarks, to prevent such a situation from happening. Additionally, never click links inside emails that one has not requested or whose origin is unsure. A common example is a hacker group obtaining a list of email addresses of users on a crypto exchange and sending fake password reset emails to everybody. Remember to enable increased security such as 2-factor authentication (2FA) on every crypto exchange account so that hackers will not have access to funds even if login information is compromised.
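As an added example (not from the original post), the following Python script shows how a look-alike exchange URL can be checked before it is trusted: it exposes the punycode (xn--) form of the hostname that the browser and DNS actually resolve, names any non-ASCII characters in it, and compares the result with a constructed allowlist standing in for the reader’s own verified bookmarks.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist standing in for the reader's own verified bookmarks.
BOOKMARKED_HOSTS = {"www.coinbase.com", "www.binance.com"}

def hostname_report(url: str) -> dict:
    """Describe how a URL's hostname compares with the bookmarked exchanges."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    try:
        # The browser and DNS resolve this ASCII form; a look-alike letter
        # turns the label into an xn-- (punycode) label instead of plain text.
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = ""            # unencodable hostnames are never trusted
    return {
        "scheme": parts.scheme,
        "host": host,
        "ascii": ascii_form,
        "punycode": ascii_form != host,
        # Unicode names of non-ASCII characters, e.g. CYRILLIC SMALL LETTER A
        "lookalikes": [unicodedata.name(c, "?") for c in host if ord(c) > 0x7F],
        "bookmarked": ascii_form in BOOKMARKED_HOSTS,
    }

def safe_to_use(url: str) -> bool:
    """Trust only HTTPS links whose resolved hostname is a bookmarked exchange."""
    report = hostname_report(url)
    return report["scheme"] == "https" and report["bookmarked"] and not report["punycode"]

if __name__ == "__main__":
    for link in ("https://www.coinbase.com/login",         # genuine
                 "https://www.coinb\u0430se.com/login"):   # constructed look-alike
        print(link, hostname_report(link), "safe" if safe_to_use(link) else "DO NOT USE")
```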

Use Credible Exchanges

Under present circumstances, crypto adoption is not high enough for one to use it to pay for goods and services. Thus, for a majority of crypto users (barring direct exchanges with friends and family), the only way to turn crypto into something of value is still to convert it to fiat currency via an exchange. It should be a no-brainer that one should use reputable, secure, transparent, and licensed exchanges to purchase and sell coins.

Personally, my go-to options are Coinbase for exchanging fiat into crypto, and Binance for crypto-to-crypto transactions. Especially with fiat, KYC will likely be necessary, in which identity, bank, and phone verification are required. However, excluding fiat, it is likely possible to deposit, trade, and withdraw (up to a limit) crypto on many exchanges such as Binance.

To summarize, check for the following very important points when picking exchanges:

  • Check that the exchange has a license to operate in the country it is based in.
  • Ensure the exchange has security measures such as blocking logins from unknown IPs and 2FA for login, trading, and withdrawals.
  • Pick exchanges which have funds protection in case the exchange gets hacked (believe me, it happens a LOT). For example, here is Coinbase‘s page on insurance of user funds.
  • Understand the exchange’s daily crypto withdrawal limits for unverified users. For example, Binance has a 24-hour withdrawal limit of 2 BTC worth of crypto.
  • Check that it is legally possible to use the exchange (in case one resides in a different country, or holds a different nationality, from the place the exchange operates out of).

Test Deposit/Withdraw/Transfer With Tiny Amount

Once a crypto transaction is signed and verified on its blockchain it CAN NOT BE REVERSED. This is an important concept one must understand when transferring crypto wallet-to-wallet or wallet-to-contract. While an unverified transaction can still be cancelled, don’t bet on being able to spot the mistake and submit a cancelling transaction to the blockchain within the seconds it takes for a miner or staker to pick it up and write it into the coin’s ledger.

To ensure funds are transferred and received properly, it is highly advised to first send a tiny amount (on the order of 0.01 ETH or, if using an exchange, the minimum amount it allows) and check the recipient’s wallet for confirmation of the funds. For deposits into exchanges, a certain number of confirmations is typically required, depending on the exchange and the coin being transferred, but it is enough to note that the exchange has registered the deposit and is awaiting more confirmations. This safety check becomes ever more important the more value one transfers in a single transaction… don’t skip this step!

Not Your Keys, Not Your Coins

Recently, more and more licensed and reputable exchanges offer insurance or customer funds protection in the event of a hack or unexpected loss of exchange funds. However, insurance will only cover so much, and claiming the lost funds takes an extensive amount of time, resulting in a potentially high opportunity cost.

Not Your Keys, Not Your Coins is a mantra widely chanted amongst the experienced within the crypto community. The individual is ultimately responsible for all of the security and storage of their crypto assets, but such responsibility can be a huge burden for some to bear. Similar to a huge amount of cash, most people are more comfortable storing it with a bank or other authority than handling it themselves. However, crypto regulations are still lax and/or virtually non-existent in many countries around the world – laws and adoption have not yet caught up with the likes of cash. So until that day comes, one is responsible for any private keys, recovery passphrases, maintenance of hardware wallets, seeds, and backups of all crypto wallets in one’s possession.

Crypto can be the Next Big Thing™ and may make one rich, but it doesn’t come without a proportionate amount of risk and responsibility. Many articles and guides (including the one you’re reading right now) attempt to help newcomers make their first dip into the crypto universe, so it is important to understand what is at stake and to properly guard against all possible risks.

Keep Long-Term Holdings in Cold Wallet

A cold wallet (or cold storage), otherwise known as a hardware wallet or offline wallet, has the added requirement that it be connected to a laptop or other device in order to access the funds inside it. It is an extra layer of security for two reasons: one must have the physical wallet device to interact with the crypto funds, and the private keys for the crypto wallets inside are protected and can never be retrieved (instead, if the cold wallet is lost, a seed is required to restore its contents). Just like how one wouldn’t carry thousands of dollars in their wallet when going out, one should keep long-term HODLs in a cold wallet and lesser funds in a hot wallet/exchange to react to price changes.

A good practice is to assume that the contents of any hot wallet (exchange funds also count as being stored in hot wallets) may be lost in their entirety due to some unexpected event, which may include but is not limited to any of the following:

  • Leakage of private key
  • Hacking
  • Theft
  • Forgotten password
  • Lost cold wallet device
  • Leakage of cold wallet passphrase/seed

DeFi and Staking

Lastly, a note on the risks of DeFi and staking. For those who may not know, DeFi is short for “Decentralized Finance” and is an adaptation of financial instruments to the crypto universe. Things like P2P loans, lending with collateral, and others are possible in a transparent (via code) and decentralized manner. The ability of some cryptocurrencies such as Ethereum to run smart contracts allows such projects to exist, and it is an alternative way to generate dividends and interest on your crypto investment.

Staking, which is more widely known, is simply securing the blockchain by offering one’s coins as collateral when validating transactions. Penalties in the form of losing rewards, and sometimes losing a portion of the staked coins, only happen when the blockchain identifies one as a bad actor attempting to overwrite the contents of the ledger. Staking one’s coins is normally safer than dealing with DeFi because staking is a basic feature of a coin which supports Proof-of-Stake (PoS), whereas DeFi involves the additional development and use of smart contracts.

That said, in addition to the risks associated with staking and using these financial instruments in a traditional, non-crypto sense, there are some extra points to consider when delving into the crypto world of passive income. For staking, it is best to look for coins in which the funds never leave one’s wallet, such as Tezos, because of the “Not Your Keys, Not Your Crypto” principle mentioned in an earlier section. Other coins, such as the newly stakeable Matic from the end of June 2020, require that funds be transferred to a delegate, with smart contract commands to re-invest earnings, withdraw funds, or un-bond from the delegator. In other words, funds leave your wallet in these types of staking, so be wary of potential exit scams, especially for not-so-popular coins (BitConnect comes to mind; although not a staking scam, BitConnect did require one to lock up funds for a minimum of 120 days). Use similar judgement when eyeing DeFi projects.

Offline

Secure Your Private Keys and Seeds

The ultimate key to securing one’s crypto funds is to ensure nobody has access to one’s private keys or recovery seeds/passphrases. Often the way to do so is to encrypt them using a tested and standardized encryption mechanism. There are many cryptographic tools available, but a simple yet effective way is to use RAR. To encrypt file(s), use the following command in the terminal:

rar a -hp [NAME OF RAR FILE] [PRIVATE KEY 1] [PRIVATE KEY 2] ...

This ensures that both the filenames and all contents are encrypted: the -hp switch encrypts the archive headers as well as the file data, so without the password not even the list of filenames can be read. As an added bonus, give the RAR file a name unrelated to crypto private keys to reduce suspicion.

To decrypt a RAR file, use the following:

unrar x [NAME OF RAR FILE]

Decentralize Your Secured Keys

Now that a secure, encrypted file containing private keys and seeds has been created as described above, it is time to consider the various secure places to back it up. To reduce the risk of a single point of failure, decentralization of your keys is highly important. The following places can be ideal for a backup copy; the more places the better:

  • Locally on your laptop
  • On an external HDD
  • Google Drive (BONUS: enable 2FA or phone authentication for the Google account)
  • On a secured USB drive, carried around with your house/car/etc. keys
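The two steps above (an archive created with rar a -hp, then copies of it in several places) can be checked automatically. The Python script below is an added example, not part of the original post or of RAR itself: it inspects the archive’s leading bytes to confirm the headers really are encrypted (a plain-text seed file, or an archive made without -hp, is rejected) and reports whether every backup copy is byte-identical to the original. The RAR4 and RAR5 signature and header layouts follow the published RAR format notes; the sample archives are constructed stubs, not real archives.

```python
import hashlib
from typing import Dict, Optional

RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 1.5-4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.0 signature
MHD_PASSWORD = 0x0080                 # RAR4 main-header flag: block headers encrypted
RAR5_ENCRYPTION_HEADER = 4            # RAR5 header type that precedes encrypted headers

def _vint(buf: bytes, pos: int):
    """Decode a RAR5 variable-length integer (7 bits per byte, high bit = more)."""
    value, shift = 0, 0
    while pos < len(buf):
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return value, pos

def rar_headers_encrypted(data: bytes) -> bool:
    """True only for an archive created with -hp, i.e. filenames are hidden too."""
    if data.startswith(RAR5_SIG):
        pos = len(RAR5_SIG) + 4            # skip signature and header CRC32
        _, pos = _vint(data, pos)          # header size
        htype, _ = _vint(data, pos)        # header type
        return htype == RAR5_ENCRYPTION_HEADER
    if data.startswith(RAR4_SIG):
        pos = len(RAR4_SIG) + 2            # skip marker block and HEAD_CRC
        flags = int.from_bytes(data[pos + 1:pos + 3], "little")
        return data[pos:pos + 1] == b"\x73" and bool(flags & MHD_PASSWORD)  # 0x73 = main header
    return False                           # truncated, plaintext, or not RAR at all

def verify_backups(primary: bytes, copies: Dict[str, Optional[bytes]]) -> Dict[str, str]:
    """Classify each backup location (bytes read from it, or None if absent)."""
    reference = hashlib.sha256(primary).hexdigest()
    report = {}
    for location, blob in copies.items():
        if blob is None:
            report[location] = "missing"
        elif not rar_headers_encrypted(blob):
            report[location] = "unencrypted"   # plaintext seed, or archive made without -hp
        elif hashlib.sha256(blob).hexdigest() != reference:
            report[location] = "mismatch"      # corrupted or stale copy
        else:
            report[location] = "ok"
    return report

# Constructed stubs: only the leading bytes matter to rar_headers_encrypted().
RAR5_HP_STUB = RAR5_SIG + b"\0\0\0\0" + b"\x0c\x04" + b"<encrypted headers follow>"
RAR4_PLAIN_STUB = RAR4_SIG + b"\0\0" + b"\x73" + (0).to_bytes(2, "little") + b"<headers in clear>"
```

In practice, pass the bytes of the archive just produced by rar a -hp as primary and a dict of each backup location read with Path(...).read_bytes() (None for a copy that cannot be found).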

Have a Backup, Unused Hardware Wallet

If the hardware wallet happens to be misplaced and funds need to be accessed immediately, the way to restore your crypto wallets is to input the seed/passphrase generated by the previous wallet into a new hardware wallet. Purchasing another one takes a lot of time, so be sure to have a spare, unused hardware wallet on hand for such situations.

NEVER SHARE YOUR KEYS WITH ANYONE

Just don’t. Never trust anyone else with your private keys. Enough said.