Guarding Your Coin
Keeping your crypto safe doesn’t have to be daunting. Here we offer some best practices to stay one step ahead of hackers and scammers.
One of the primary benefits of cryptocurrencies is that they allow people to engage in online transactions without the need for an intermediary like a bank or credit-card company. Instead, anyone who wants to send or receive cryptocurrency holds a private key, a large random number (usually stored in a wallet file or derived from a seed phrase), that is used to sign transactions from their cryptocurrency wallet. Whoever holds the key can spend the funds: if an attacker gets access to it, they instantly gain control of the wallet as if they were the owner, and there is no password reset. That’s why it’s critical to protect your keys if you manage them yourself, and to lock down your accounts at trusted third-party services like Coinbase that manage keys for you.
Cyber criminals rely on a number of techniques to try to separate you from your cryptocurrency. They will sometimes pose as someone trustworthy and try to convince you to hand over account information, a kind of attack known as social engineering. Or they might collect personal information you’ve shared on social media to impersonate you and take over your email or mobile phone accounts, which are then used to reset your exchange password or intercept SMS codes. These account-takeover attacks, not weaknesses in the blockchain itself, are the biggest risk when buying and selling crypto on trusted exchanges. In fact, the most common cause of people losing their crypto that we’ve seen is human error, not the technology.
Coinbase works hard to fight fraud from within the platform. For extra security, here are steps you can take to ensure your crypto stays in your hands, and only your hands.
Simple steps to keep your crypto safe
Create strong passwords
- Basic: Come up with long passwords (16 or more characters) that you haven’t used elsewhere on the internet
- Better: Use a password manager like LastPass, 1Password, or Dashlane to create and remember your passwords
- Bonus: Check to see if you’re using a risky password at haveibeenpwned.com/Passwords
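As an added illustration (not code from the original page or from Coinbase), here is how the Pwned Passwords check at haveibeenpwned.com/Passwords works under the hood, and why it is safe to use: the client sends only the first 5 hex characters of the password’s SHA-1 hash (the real endpoint is `https://api.pwnedpasswords.com/range/<prefix>`), receives every hash suffix in that range, and does the comparison locally, so the password and its full hash never leave your machine. The range response below is a constructed, trimmed stand-in so the example runs offline; the counts are made up except that the suffix for "password" is its real SHA-1 suffix.

```python
import hashlib
from typing import Tuple

# Constructed sample of a Pwned Passwords range response for prefix "5BAA6".
# Format is "<35-hex-char SHA-1 suffix>:<breach count>" per line. The real
# reply has several hundred lines; the counts here are invented.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint, not called here


def k_anon_prefix_and_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 (what HIBP uses) and split the hex digest
    into the 5-char prefix that is sent to the service and the 35-char suffix
    that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    """The only thing the service learns: a 20-bit prefix shared by roughly
    one in a million distinct hashes, so it cannot tell which one is yours."""
    prefix, _ = k_anon_prefix_and_suffix(password)
    return RANGE_API + prefix


def pwned_count(password: str, range_response: str) -> int:
    """Compare the local suffix against every suffix in the range response.
    Returns the breach count, or 0 if the password is not in the set."""
    _, suffix = k_anon_prefix_and_suffix(password)
    for line in range_response.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", range_request_url(pw), "seen", pwned_count(pw, SAMPLE_RANGE_RESPONSE), "times")
```

A password that appears in the response with any count has been in a public breach and will be in attackers’ wordlists; treat it as burned even if the count is 1.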
Use 2-factor authentication (2FA)
- Basic: Require a one-time 2FA code from your device every time you log in, so that someone can’t access your account even if they steal your password
- Better: Use an authenticator app like Google Authenticator or Authy (or a hardware security key) instead of SMS-based 2FA; SMS codes can be intercepted by porting your number, and mobile carriers have known weaknesses in verifying who is asking
- Bonus: Call your mobile carrier and ask them to put a phone porting and SIM swapping lock (often called a port-out PIN or number transfer PIN) on your account
Check the URL
- Basic: Scammers create fake sites that look like real exchanges but are designed to steal account information. Double-check the web address before you log in or trade
- Better: Never reach the exchange through a link in an email, text message, or search ad. Enter the address carefully once, confirm it, save it as a bookmark, and use that bookmark from then on
Double-check the URL and triple-check GitHub URLs
- Basic: Check it. Then, check it again right before entering any information. This is especially important for any sites that require usernames, passwords, email addresses, private keys, or any other personal information. A padlock or TLS/SSL certificate does not mean a site is trustworthy; it only means the connection to that domain is encrypted, and anyone can obtain a certificate for a lookalike domain for free.
- Better: Not sure about the correct URL? Cross-reference Reddit, Twitter, GitHub, Slack and wherever else the project hangs out.
Don’t fall for tricks
- Basic: Hackers posing as tech support may pressure you for your account credentials. Legitimate exchanges won’t ask you for passwords, 2FA codes, or for remote access to your computer
- Better: If someone reaches out to you and you’re not sure if it’s a scam, you can reach out to your wallet support team via email and/or phone to confirm whether it’s legitimate. And remember, Microsoft, Google, and Apple will never call you about your computer
Bookmark your crypto sites
- Basic: Use those bookmarks and only those. Don’t type the addresses in by hand each time; a single typo or a poisoned autocomplete entry can land you on a lookalike site.
Don’t run remote-access software
- Don’t ever, and especially not on a computer that holds keys. These programs have a poor security track record. It would be a shame if you enabled 2FA on everything in your life but then let a single access code or session ID for a remote-desktop tool give someone control of your entire computer and every account on it.
Don’t unlock your account to check your balance.
- ONLY unlock your wallet when you want to send a transaction. Check your balance via a blockchain explorer, which only needs your public address, never your key or seed phrase
Clean out your history.
- If you have accidentally visited or typed a malicious site, clean out your recent history and autocomplete. This will prevent you from typing kra… and having it autocomplete to the malicious krakken.com.
Install a good adblocker.
- Install an adblocker that actually turns off Google and Bing ads. If you are already using Adblock Plus, it does not hide Google Ads from you. Go into your Adblock Plus settings and uncheck the box that says “Allow some non-intrusive advertising.”
Don’t click on advertisements.
- With or without an adblocker, you should never, ever click on advertisements.
Don’t use brain wallets.
- Brain wallets are wallets where the key is derived from a word or phrase you choose. Human brains don’t produce high-entropy seeds. A phrase you make up, even one that seems “rare” or “random,” is not secure: attackers hash phrase lists by the billions (song lyrics, quotes, leaked passwords) and sweep funds from any address that matches, often within seconds of a deposit.
No one is giving you free or discounted ETH.
- Even for completing a survey. 😉
Be on the lookout for these common scams
Tech support scam
If someone calls you posing as a wallet support or computer support agent, watch out! This is most likely a tech support scam. The fraudster will tell you that there’s a virus on your computer or something wrong with your wallet account, and ask you to install remote desktop software or provide your login credentials so they can “diagnose the problem.” In reality, they’ll use the access you’ve granted to transfer your cryptocurrency to their own wallets. Remember, support teams will never call you.
Phishing scam
Are you sure you’re actually logging into your account? Or is it a lookalike website designed to steal your login credentials? Phishing websites, emails, and SMS messages are designed to make you think that you’re visiting the real website. But once you check the URL, you’ll notice that it’s something else entirely, like c0inbase.com with the number zero in place of the letter “o.”
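The URL checks recommended above (confirming the address before entering anything, and spotting lookalikes such as c0inbase.com) can be automated. The following is an added example (not code from the original page or from Coinbase) that compares the domain you landed on against a bookmark list, folding the tricks phishers rely on: digit-for-letter swaps, full-width and punycode Unicode lookalikes, one-character typos, and a trusted name buried inside a different domain. The bookmark list, confusable table and test URLs are constructed for the example; the two-label "registrable domain" rule is a simplification that ignores suffixes like co.uk.

```python
import unicodedata
from typing import Set

# Sites the user actually uses; in practice this is the browser bookmark list.
KNOWN_GOOD: Set[str] = {"coinbase.com", "kraken.com"}

# Digits and symbols that pass for letters at a glance. Constructed subset;
# a real deployment would use the Unicode confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"})


def extract_host(url: str) -> str:
    """Pull the host out of a URL or bare hostname: drop scheme, userinfo
    (the user@host trick), port and path, and lower-case it."""
    s = url.strip()
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0].split("?", 1)[0]
    s = s.rsplit("@", 1)[-1]
    s = s.split(":", 1)[0]
    return s.rstrip(".").lower()


def fold_lookalikes(host: str) -> str:
    """Decode punycode labels, NFKC-fold Unicode lookalikes (full-width
    letters and similar) and map digit-for-letter swaps."""
    if host.isascii():
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    host = unicodedata.normalize("NFKC", host).lower()
    return host.translate(CONFUSABLES)


def registrable(host: str) -> str:
    """Last two labels: coinbase.com.evil.net -> evil.net.
    Simplification: ignores multi-part public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches krakken.com and coinbsae.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'known' for an exact bookmark match, 'lookalike' for a domain engineered
    to pass as one, 'unknown' otherwise. Unknown is not the same as safe."""
    host = extract_host(url)
    if registrable(host) in KNOWN_GOOD:
        return "known"
    folded = fold_lookalikes(host)
    folded_reg = registrable(folded)
    for good in KNOWN_GOOD:
        if folded_reg == good:                     # c0inbase.com, full-width c
            return "lookalike"
        if edit_distance(folded_reg, good) <= 2:   # krakken.com, coinbsae.com
            return "lookalike"
    known_names = {g.split(".")[0] for g in KNOWN_GOOD}
    if known_names & set(folded.split(".")):       # coinbase.com.secure-login.net
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.coinbase.com/signin", "https://c0inbase.com/login",
              "krakken.com", "https://coinbase.com.secure-login.net/", "example.org"):
        print(f"{u:45} -> {classify(u)}")
```

A "lookalike" verdict means the page was built to be mistaken for one of your bookmarks and should be closed without entering anything; the "known" verdict comes only from the bookmark list you control, which is why bookmarks beat typing or clicking.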
Email account compromise
Your online accounts are only as secure as your email account. If someone can log into your email, they can request password reset emails from your wallet providers and exchanges, follow the links, and change your passwords to ones they control. Protect your email with the same strong password and app-based 2FA as your crypto accounts.
Pyramid schemes and giveaway scams
If something seems too good to be true, it probably is. Websites with a pyramid scheme structure promise high returns or other rewards in exchange for an initial investment of cryptocurrency. But they often make off with investors’ money entirely. Scammers will often pose as celebrities offering to double your cryptocurrency if you send them a small amount, but in reality, once you press “send” that cryptocurrency is gone forever.