Owning cryptocurrency isn’t quite the Wild West experience it was at the beginning of the decade, but investors still face plenty of instability and risk. The threats aren’t just abstract or theoretical; new scams crop up, and old ones resurge, all the time. Whether it’s a fake wallet set up to trick users, a phishing attempt to steal private cryptographic keys, or even fake cryptocurrency schemes, there’s something to watch out for at every turn.
Cryptocurrencies can feel secure, because they decentralize and often anonymize digital transactions. They also validate everything on public, tamper-resistant blockchains. But those measures don’t make cryptocurrencies any less susceptible to the types of simple, time-honored scams grifters have relied on in other venues. Just this week, scams have arisen that divert funds from users’ mining rigs to malicious wallets, because victims forgot to change default login credentials. Search engine phishing scams that tout malicious trading sites over legitimate exchanges have also spiked. And a trojan called CryptoShuffler has stolen thousands of dollars by lurking on computers, and spying on Bitcoin wallet addresses that land in copy/paste clipboards.
A few simple steps, though, can help cryptocurrency proponents—be it Bitcoin or Monero or anything between—guard against a swath of common attacks. Just as you might keep your cash out of plain sight, or stash your jewelry in a safe deposit box, it pays to put a little effort into how you manage your cryptocurrency. The following won’t defend against every conceivable attack on your digital doubloons, but it’s a good place to start.
Cold, Hard (Digital) Cash
A key step to protecting your cryptocurrency is to store anything of significant value in a hardware wallet—a physical device, like a USB drive, that stores your private keys and currency locally, and isn’t connected to the internet. Experts caution against storing large amounts of coins through cryptocurrency exchanges, or in digital wallet apps on your smartphone or computer. The public-facing internet offers an attacker too many inroads to attempt to infiltrate your wallet, or trick you into giving them access.
Secure hardware wallets like Trezor or the Ledger Nano S cost about $100 or less and have a straightforward setup. You just choose a PIN number and a recovery “seed” (usually a set of words and numbers) in case you forget your PIN, or your wallet malfunctions. It’s pretty robust security, so make sure you keep copies of your PIN and seed somewhere accessible to you, but not to home intruders. Recovering currency stored on a hardware wallet after losing both the PIN and the seed is a whole thing. Emin Gun Sirer, a distributed systems and cryptography researcher at Cornell University, goes so far as to suggest that you should “keep a backup of the seed key in a fireproof safe.” This stuff is for real.
Your setup also doesn’t have to be fancy; you can store backups of your coins on any external storage device, like a portable hard drive. Just make sure to encrypt the data in case the device is lost or stolen. You might even consider making a backup to leave in a safe deposit box.
The downside to a hardware wallet is that it makes approving transactions a bit cumbersome. If you want more fluid access to your cryptocurrency, experts suggest storing a small amount in a wallet app to facilitate low-value transactions. The key here: Only keep an amount you would be willing to lose in the app, and never give anyone your private key.
Apps like Mycelium Wallet that are interoperable with popular hardware wallets can make your setup more seamless. And some app-based options like Samourai Wallet are working to prioritize robust encryption and privacy features. Still, don’t trust any app with too much cryptocash right now.
Additionally, consider where you store your private keys, the secret part of the public-private key set that lets you authorize revisions to a blockchain. Always keep them encrypted, and try to avoid leaving them lying around on devices that you use all the time for a lot of different tasks, like your personal PC.
Also consider your transactions carefully. There are tons of established, reliable institutions, but gimmicky new cryptocurrencies crop up all the time, as well as questionable Initial Coin Offerings that could have nothing behind them but scammers on the move. When the cryptocurrency OneCoin, marketed as a Bitcoin competitor, launched this year people bought about $350 million-worth of the coins—which has since drawn comparisons to a Ponzi scheme. And people are even being scammed during legitimate ICOs when attackers launch phishing attacks around the events, or trick would-be investors into sending money to fake wallets. (The Securities and Exchange Commission is poking hard on this.)
Nail the Basics
It’s also important to remember that all the small things you’re already doing (right?) to protect your general digital life help defend your cryptocurrency as well. “We encourage all customers to take a few foundational, and free, actions to put them on a much more stable security footing,” says Philip Martin, director of security at the cryptocurrency exchange platform Coinbase. “Use a password manager, use two-factor authentication, leverage enhanced security protocols for your email address.”
For the especially concerned, Martin even suggests turning on Gmail’s new Advanced Protection feature, and/or adding defenses like a PIN or password to your phone number to make it harder for attackers to grab control of your accounts by transferring your SIM to their own device.
All of these suggestions bolster your general digital security hygiene, but they are particularly helpful for reducing your exposure to the most simple (sometimes impressively so) cryptocurrency scams that can take advantage of small things, like a reused password and no second authentication requirement, to walk in the front door of one of your accounts.
Take that CryptoShuffler trojan, which originally emerged more than a year ago and has been making the rounds again this week. It shows just how basic cryptocurrency scams can be. The malware works by lurking silently on a victim’s computer and passively monitoring their clipboard, waiting for the victim to copy a Bitcoin wallet address. When it sees a string of numbers that looks right, CryptoShuffler simply starts swapping the wallet ID the victim copied for its own malicious wallet address in payment fields. If the victim doesn’t spot the change, the transaction goes through and the coins go to the crooks.
The best way to defend against an attack like that (if your malware scanner doesn’t detect the intrusion) is simply watching all transactions carefully, and taking steps to safeguard your assets so you know your data hasn’t been exposed.
And once you have the basics in place, make sure your friends adopt the same mindset. The more secure the ecosystem, the less attractive a target it is to bad actors. “Help newcomers to crypto with their security,” Cornell’s Sirer says. “The area is new and we need to support the people who are just finding their way in.”
Luckily, you don’t need to be a cryptography expert to take the basic security steps that will protect you against the majority of attacks. And seriously, if nothing else, don’t lose that wallet seed.