You’ve probably heard all the talk about cryptocurrency these days. You may even have joined the many people trading and mining digital currencies like Bitcoin. And it’s true that many people have seen astounding returns on their investment.
But if you’re trying your hand at cryptocurrency, there are also lots of risks and threats you should understand. Not only is cryptocurrency a volatile, risky financial investment (which of course has the potential for great payoffs), there are also security threats you should be aware of. Stories abound of hacking, social engineering, theft, and fraud in digital currencies.
By knowing what you’re getting yourself into and the potential security pitfalls of cryptocurrency, you can better counteract them. By building a strong foundation of good cyber hygiene, you can keep your money – and your identity – secure. Whether or not you’re into cryptocurrency, the below tips are generally good ones to follow. But when you’re making a risky investment in digital currencies, it’s even more important to be cautious.
Do your homework on trading websites.
You wouldn’t make a random purchase on a sketchy looking ecommerce site, or open a checking account with a disreputable bank. So do your homework on cryptocurrency trading websites, too. Though no cryptocurrency is federally insured, some are more reputable than others. Some have been around longer, weathered some storms, or have built up a positive reputation in the community. Learn from other investors and proceed cautiously.
Choose the right type of wallet to store your assets.
There are three types of wallets: software, hardware, and paper. Technically there is a fourth option, which is storing them online at the exchanges. I don’t recommend doing that unless you actively need them for trading. Hackers attack exchanges often, and the level of customer support (or lack thereof) varies widely from one exchange to another. Hardware wallets are your best bet – these are a lot harder to attack than software wallets, and they are bound to a 24-character key phrase for access. For maximum security, we recommend storing the key phrase in 2 separate parts, in a safe, secure location such as LastPass notes.
There are many stories out there of people losing access to their Bitcoins (and a lot of money) because they forgot passwords or lost their two-factor authentication device, and thus can’t recover their tokens. So be sure you’ve stored that information somewhere safe, but not so hard to reach that you can’t get to it when you need it. The LastPass password vault and secure notes are perfect for this.
Enable two-factor authentication on every related account
Not all exchanges and wallets offer two-factor authentication (2FA) but try to choose options that do and always turn it on when it is available. It makes it much more difficult for someone to target your specific account and break in using, for example, a stolen password, as they’d also need access to your physical 2FA device (typically your phone). App-based two-factor authentication options are more secure than SMS, so use an app like LastPass Authenticator whenever possible.
The same advice applies to all other related services. We strongly recommend setting up 2FA for the email account you used to sign up, for the exchanges, and, needless to say, for LastPass itself.
Back up your two-factor authentication codes.
If your 2FA method requires a seed number, which is usually presented as a QR code scan at setup, make sure that you back it up! Otherwise, if your phone goes missing or breaks, you’ll be locked out of your wallet or crypto exchange and accessing them again will be entirely up to the owners of that exchange. In some cases, we’ve heard that a few days will pass before support will help you regain access. In other cases, it could take months, or you may never regain access.
We recommend using LastPass Authenticator for this method of 2FA, as it has a built-in backup capability that will save your seed numbers to your LastPass vault. In case you lose your phone, you can restore these backups to your new device.
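To make concrete why the seed matters, here is a small added example (not code from the post or from LastPass) that parses a constructed otpauth:// seed URI, the same data a setup QR code encodes, and derives RFC 6238 time-based codes from it. Any device restored from the same seed produces identical codes; without the seed the codes cannot be regenerated. The secret is the RFC 6238 reference secret, and the account label is made up.

```python
"""TOTP (RFC 6238) codes derived from a backed-up otpauth:// seed URI."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed seed URI for illustration only: the RFC 6238 reference secret
# "12345678901234567890" in base32, with a fictional exchange and account.
EXAMPLE_URI = ("otpauth://totp/ExampleExchange:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleExchange"
               "&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri):
    """Return (account label, parameters) from an otpauth:// TOTP URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return unquote(parts.path.lstrip("/")), params


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest_fn = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digest_fn).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_from_uri(uri, unix_time=None):
    """Derive the code valid at unix_time (default: now) from a seed URI, T0 = 0."""
    _, p = parse_otpauth(uri)
    period = int(p.get("period", 30))
    digits = int(p.get("digits", 6))
    now = int(time.time() if unix_time is None else unix_time)
    return hotp(p["secret"], now // period, digits, p.get("algorithm", "SHA1"))


if __name__ == "__main__":
    # An "old phone" and a "new phone" restored from the same backup agree exactly.
    t = 1111111109
    print(totp_from_uri(EXAMPLE_URI, t), totp_from_uri(EXAMPLE_URI, t))
```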
Practice good online account hygiene & beware of phishing.
It should go without saying, but it’s imperative to use a different, random password for every account, especially when it comes to protecting your money. Every password should be long, and as complex as the website will allow it to be. Store the passwords in a password manager where they’re encrypted and protected with a zero-knowledge security model. Never use the “remember me” option on websites as this reduces security.
Phishing attacks are a common attack method for those using crypto sites. If you store your credentials in a password manager like LastPass, it will detect that the URL is not correct and will not autofill the credentials. If LastPass doesn’t show a matching site or isn’t autofilling, always take that as a sign to first carefully check the URL you’re on.
Protect your computer like your money depends on it. (It does).
Practicing device-level security is just as important as protecting your accounts themselves. First, do not share computer accounts with others. Create a separate profile/account for every user, even in your family. For everyday use, log in with a non-privileged computer profile instead of the default admin account. This contains most malware, since it won’t be able to change system settings, install new applications, hide in memory, and so on. Then, create a separate local account (not tied to your online accounts) for admin tasks, and elevate to it only when you need to install something or change a system setting (Windows makes this easy).
Needless to say, keep your OS and Antivirus/Antimalware applications fully up-to-date.
Don’t forget about mobile security, too.
We recommend you do not jailbreak your phone, and only install apps from trusted vendors from the app store. Set the passcode on your phone to 6 digits or longer, and use a code not used anywhere else.
Though not exhaustive, this list is an essential starting point. Implement these tips to protect your money and identity as you get started with cryptocurrency. Already been trading or mining for a while? Be sure to regularly revisit your cyber hygiene and update those passwords if it’s been a while. Good luck out there!
CTO, Identity and Access Management at LogMeIn
Sandor Palfy serves as CTO of LogMeIn’s Identity and Access Management business unit. In this role, he is responsible for the technology vision, innovation, engineering and security of all LogMeIn IAM products, including the market-leading password manager LastPass and the remote access and management solutions LogMeIn Pro, GoToMyPc and LogMeIn Central. With more than 18 years of experience working in technology and development, he joined the company in 2004, initially focusing on the Pro and Central product lines, and later taking ownership of Platforms, IT and Security. From 2014 he served as the company’s CTO, and most recently he leads the newly formed IAM business unit.