Part 1 of our two-part series on keeping your cryptocurrencies safe.
10 Security Best Practices for Cryptocurrency Users
The decentralized model of cryptocurrency largely transfers power to users, and this is essentially why many users are drawn to it. However, with that power comes the responsibility of maintaining the privacy of your security keys. Effectively, by having complete ownership of your funds, you become solely responsible for the security of your funds. In the following sections, we will examine various best practices for practical user security.
Cryptocurrency users are susceptible to being targeted by hackers
As a digital asset, cryptocurrency has intrinsic value and can be stolen and diverted to new owners instantly and irrevocably. This creates a massive incentive for hackers to target users who do not take their security seriously.
In 2019, research data revealed that global cryptocurrency losses due to hacking exceeded US$6 billion. Most of these losses were incurred by trading platforms, wallet service providers and related enterprises. Because the risk of security threats and breaches is undeniably high, cryptocurrency trading platforms and wallet service providers are investing more in cybersecurity. The security systems they procure are like those used in traditional centralized financial institutions, with complex and layered security features. As security at the institutional level gets harder to penetrate, individual users are gradually becoming the target of hackers.
10 Best Practices for Individual Security
1. Change your perception of cybersecurity
One fact that has existed for ages is that we are undoubtedly paying fees for the security of our funds in our bank account (though “security fees” will never appear on bank statements). Unlike traditional centralized banking financial institutions, decentralized systems such as cryptocurrencies transfer the control and responsibility of security to individual users.
With cryptocurrency, even when we are excited to complete our first cryptocurrency transaction, we should not forget that there are no longer any security service providers similar to what banks have, and there may not even be enough regulation to provide any protection (depending on the national or regional regulations where the holder is located). Therefore, cryptocurrency users are advised to put crucial security practices in place, such as buying simple and easy-to-use hardware security devices, mastering security protocols and implementing the security best practices recommended in this article.
2. Choose a trusted trading platform with reliable security incident compensation or insurance mechanism.
The most apparent risk faced by cryptocurrency holders is the theft of coins. Assuming most individual users hold coins on cryptocurrency trading platforms, choosing a trusted platform is undoubtedly of the utmost importance.
Presently, there is no benchmark for international security standards or third-party agency ratings for trading platforms in the cryptocurrency industry. Therefore, it is necessary to properly understand the security mechanism of a platform before registration such as the company’s current security investment. Also, it is important to check if there is any user account security insurance or some form of guaranteed compensation for security breaches.
3. It is not enough to be well-informed on anti-phishing practices and scams; you need to complete a safety test.
As a cryptocurrency holder, you should be familiar with basic user security risks. Among them, phishing is the most common. To avoid being viewed as a “fish” in the eyes of perpetrators, you should be equipped with the knowledge about common “baiting-the-hook” techniques.
One example would be when you receive a phishing email, and the URL that invites you to click is a fake domain name that is similar to a trusted one, e.g. www.goog1e.com (note that it is not www.google.com). It could even be a clone website of a commonly used trading platform. What is the probability of phishing success? The answer according to Reuters’ global phishing statistics for 2019 is 15%. If your email has been compromised, or if you previously had an account that was compromised, then phishing emails will be carefully designed to target you. Statistics tell us that the success rate of users getting baited is up to 29%.
How do you prevent this?
A reliable method for crypto holders is to complete an anti-phishing security test. The Google online test is a good benchmark and you can take the test here. It comprises a total of 8 questions and requires just 10 minutes of your time. Didn’t manage to score full marks? That just means that you need to increase your security awareness and try again. Many large companies also use this to test employees’ security awareness and corporate security status.
Sending gifts or bonuses through fake official social media channels, posing as customer support personnel or cloning social accounts of trading platform CEOs are other common methods of phishing.
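The lookalike-domain trick described in this section (www.goog1e.com standing in for www.google.com) can be checked mechanically before a link is opened. The sketch below is an added example, not part of the original article; the trusted list, the character-swap table and the two-label domain rule are assumptions made for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the domains you really use; "exchange.example" is a placeholder.
TRUSTED = {"google.com", "exchange.example"}

# Constructed, non-exhaustive table of digit-for-letter swaps.
SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold common lookalike characters so goog1e.com compares equal to google.com."""
    return domain.translate(SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted domain being imitated or None)."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit parse a bare host name
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Simplification: registrable domain = last two labels (no public-suffix list).
    domain = ".".join(labels[-2:])
    if domain in TRUSTED:
        return ("trusted", domain)
    if any(label.startswith("xn--") for label in labels):
        return ("suspicious-punycode", None)  # may hide non-Latin lookalike letters
    for good in sorted(TRUSTED):
        if good in host:  # trusted name used as a subdomain of another site
            return ("lookalike", good)
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)
```

An "unknown" verdict only means the domain does not imitate anything on the list; it says nothing about whether the site is safe.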
4. Use of 2-Factor Authentication (2FA)
The good news is that most cryptocurrency trading platforms or wallet service providers will require users to use two-factor authentication, such as Google Authenticator or a hardware token like YubiKey; but the downside is that there will always be users who dislike the hassle of using these tools.
One of the most common mistakes is to bind Google Authenticator to a personal computer, or to leave a YubiKey-like hardware token permanently plugged into the computer instead of carrying it with you.
Taking the time to understand the principles of the 2FA security mechanism shows us how to use 2FA correctly. 2FA is an additional layer of security used to ensure that only legitimate owners can access their accounts. This “extra” layer means that, in addition to something you know (password, PIN, etc.), security verification also checks a second factor. This second factor can be something you own, such as the Google Authenticator app installed on a mobile phone that you carry, a one-time password sent to your mobile phone via SMS, or a hardware token such as YubiKey. These features are used on top of your existing mobile security features (such as fingerprints, iris and/or facial scanners, etc.).
When we install Google Authenticator directly on the computer, we give up an extra layer of protection every time we copy the verification code there instead of using the smartphone app. Once a hacker gains remote access to your computer, or someone gains physical access to it, it is very likely that your existing layers of protection will be penetrated.
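What the authenticator app computes, as an added example that is not part of the original article: the time-based one-time password algorithm of RFC 6238, which Google Authenticator implements. The code is a function of the shared secret and the clock only, so any device that holds a copy of the secret acts as the second factor; the secret below is the RFC's published test key, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key ("12345678901234567890" in Base32), not a real account secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """One-time code for Unix time `at` (HMAC-SHA1, 30-second steps)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", max(0, int(at)) // step)  # 8-byte time-step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, at: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and `window` steps either side."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * step, step, len(submitted))
        # Constant-time comparison; keep looping so timing does not reveal the step.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    code = totp(RFC_TEST_SECRET, now)
    print("code on the phone:", code)
    # A copy of the same secret stored on the PC yields the identical code.
    print("code from a copy :", totp(RFC_TEST_SECRET, now))
    print("server accepts   :", verify(RFC_TEST_SECRET, code, now + 20))
```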
5. Strong passwords independent of other Internet accounts
It is always the most economical choice for a hacker to try to break into the target cryptocurrency account by using a user’s compromised account and password. Knowing this, a savvy cryptocurrency holder will have the following preventive measures in place.
First, register a new email account for the cryptocurrency platform, to circumvent any previous digital footprint that would allow hackers to successfully hack or clone your account. Secondly, do not use weak or common passwords.
A report from CipherTrace, a blockchain certificate company, shows that 65% of the Know-Your-Clients verification (KYC) processes in the world’s top 120 cryptocurrency trading platforms are weak. This means that once your crypto account password has been cracked, the hacker could easily obtain your crypto assets on the trading platform and transfer the assets to their wallet address thus leaving little to no chance of retrieving the assets.