
Security Tips for Crypto Newbies

Hodor

I blog about Ripple & XRP. FULL DISCLOSURE: All views are my own. I do not work for Ripple; I am not a professional financial analyst, and the majority of my crypto holdings are XRP.

The new crypto market has attracted a large number of new investors.

These new investors may not always know about the basic security precautions that are wise to take to avoid hacking.  In traditional modes of investment, this absence of online and network security knowledge probably has very little consequence.  For example, so what if a hacker gains access to your eTrade account; what would they do with it?  If they try to withdraw it, it will set off multiple fail-safes.

Even if they succeed, it's easily tracked through the traditional finance channels.

Criminals don't want to be caught, so even skilled hackers view traditional financial channels as a no-go.  You've heard about massive credit card data being stolen from Target and the like, right?  And occasionally this information may be used by desperate criminals to try and defraud Amazon or other online retailers, but it doesn't last for long; the authorities are usually only one step behind these traditional data breaches.

But crypto is different.

The Uniquely Dangerous World of Cryptocurrency

To understand cryptocurrency, you have to understand a basic concept in cryptography - one that used to have its counterpart in the physical world, but now (usually) only exists in the digital world: a signature.

Throughout history, the security of our financial system and the ability of one individual to transfer value to another - or to a business - relied on a written signature.  I'm old enough to remember my parents writing out checks with a signature at every gas station and grocery store - it was the most common mode of payment in the suburbs at one point.

Of course, all of this has changed now, and credit cards and debit cards have taken over.  Even for this industry, we've only recently abandoned the physical signature to indicate that you are the person in charge of a bank account, and that you're personally authorizing credit or debit to the account.  Now we have chip readers and the cashiers have been recently trained not to ask for a signature.

But what does this mean, really?  It just means that the signature is no longer physical - it is digital.

Private Keys - The New Signatures

Signatures haven't actually gone away; they've just been replaced by a cryptographic representation of your identity that only you should have knowledge of: a private key.

Public-private key encryption was created in 1976 in response to the challenge of transmitting information securely over insecure networks.  Basically, the usual method of encryption is symmetric encryption; but symmetric encryption doesn't work if communication of the symmetric keys takes place over an insecure network, such as the Internet.  That means that anybody could intercept the data packets and determine the necessary keys for encryption/decryption. 1

So to keep using symmetric key encryption, another layer on top was devised, whereby the symmetric keys could be securely communicated from one computer to another.  This is known as public-private key encryption, and it is used in almost every facet of the Internet: the transmission of email, or the browsing of a secure site.

Basically it works like this:  only your computer knows its own private key.   The private key can be used to decrypt a message.  The public key can be used to encrypt a message that needs to be sent to you, so you share your public key with everybody freely.  That way, they can send you information that only you can decrypt.  To anybody else on the network, encrypted data is unintelligible.

Here is a diagram of how public-private keys work: 2

[Diagram: public-private key encryption]

Used For Email - And For Crypto

If you're new to crypto, you may be wondering how each cryptographic network - whether it's Bitcoin, XRP, or some other network - prevents you from sending the same tokens twice, or how it even knows that you are... you.

The concept is straightforward at its basic level: the network knows this by use of a public-private key pair.  The network assumes that if you know your private key, then the tokens - whatever type they are - must belong to you.

It's that simple.

No other passwords are necessary (normally), and no other "login" information is necessary, either, in most cases.  In every crypto network I've seen, all you need to know to gain access to the digital assets is the private key.  That's only one piece of information.
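To make the two ideas above concrete (sending a symmetric key securely to someone who published a public key, and a network checking that a transaction was authorized by whoever holds the private key), here is an added example in Python. It is not code from the original post and not how any real wallet or ledger is implemented: it uses textbook RSA with two fixed Mersenne primes and no padding, an assumption made so it runs offline and stays readable. Real systems use vetted libraries, randomly generated keys, padding schemes and, for most crypto networks, elliptic-curve signatures. The session-key value and the transaction text are constructed sample data.

```python
import hashlib

# Added illustration of public-key encryption and signing using textbook RSA.
# Assumptions: fixed Mersenne primes and no padding, chosen so the example
# runs offline and stays readable. Real systems use vetted libraries,
# randomly generated keys of 2048 bits or more (or elliptic curves) and
# padding schemes; never use this for actual keys or value.

P = 2**31 - 1   # Mersenne prime M31 (demo only)
Q = 2**61 - 1   # Mersenne prime M61 (demo only)


def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no modular inverse")
    return old_s % m


def make_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Return ((n, e), (n, d)): the public key is shared freely, d stays secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt_to(public_key, plaintext: int) -> int:
    """Anyone holding the public key can encrypt a value for its owner."""
    n, e = public_key
    if not 0 <= plaintext < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(plaintext, e, n)


def decrypt_with(private_key, ciphertext: int) -> int:
    """Only the private-key holder can recover the value."""
    n, d = private_key
    return pow(ciphertext, d, n)


def message_digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the key's range (toy; no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Signing proves knowledge of the private key without revealing it."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Any node can check the signature with nothing but the public key."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def demo() -> dict:
    """Walk through both uses and return the results for checking."""
    bob_pub, bob_priv = make_keypair()

    # 1) Alice sends Bob a symmetric session key; only Bob can read it.
    session_key = 0xC0FFEE_1234_5678          # constructed sample value
    wire = encrypt_to(bob_pub, session_key)
    recovered = decrypt_with(bob_priv, wire)

    # 2) Bob signs a transaction; the network verifies it with his public key.
    tx = b"pay 10 XRP from bob to alice, seq 7"   # constructed sample text
    sig = sign(bob_priv, tx)
    tampered = b"pay 99 XRP from bob to alice, seq 7"
    return {
        "key_roundtrip": recovered == session_key,
        "ciphertext_differs": wire != session_key,
        "signature_valid": verify(bob_pub, tx, sig),
        "tampered_rejected": not verify(bob_pub, tampered, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the second half is the one the post makes: nothing about Bob is checked except that the signature verifies under his public key. Whoever holds `d` can produce that signature, which is exactly why the private key must never leave your control.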

Implications for Personal Security

Because crypto networks grant you access and ownership rights based solely on knowledge of a private key (one piece of information), the security implications are profound.

It is imperative that individuals know and understand that keeping their private keys secret is the only way to secure their cryptographic value.  While crypto networks like the XRP Ledger are revolutionary, they also leave the securing of private keys up to the individual account holder.

Keep Your Private keys Secret and Safe

Needless to say, the first recommendation to give to friends and family that may be investing, owning, or transmitting crypto is to keep their private keys secret and safe.

Like your Facebook password, you'll need to keep your private key a secret.  Unlike your Facebook password, however, your private key cannot be changed or recovered if lost!

No, it's not enough to put it in a Word document.  It's not enough to put it in an Excel document.  Desktop applications may come with some level of security, but it is not the same as industrial-scale security, and it can quickly result in a hacker or other person obtaining your private crypto keys and hence your digital assets.

I recommend a secure password storage device.

Your next question may be "well, which one?" and that is a good question.  There are many on the market; it's up to you to do your own due diligence on one of them and choose one to protect your highly secure information. Here is one review article: https://www.cnet.com/news/the-best-password-managers-directory/

And here is a long Wikipedia listing of password managers:

https://en.wikipedia.org/wiki/List_of_password_managers

For many people, transitioning their many passwords to a secure storage software package is a step in the right direction.  While keeping all of your passwords in one location concentrates the target for a hacker, it also serves to conveniently and securely store your sensitive information.

Is a secure storage device - hardware or software - the ultimate answer?  Unfortunately, no - you still have to watch out for other threats as well, such as keyloggers.

Security Threats

Taking precautions and securely storing your private keys and other passwords is a great step in the right direction, but there are many other security considerations to think about as well.

Weak Passwords

When people are choosing a password with the goal of choosing one that they'll remember later, the end result typically tends to be a weak password.  Combinations of names, pets, birth dates, and lucky numbers are all bad ideas for strong security.

Most password storage devices and software can generate strong, high-entropy passwords that will be difficult for automated hacking programs to guess.
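As an added illustration of what "high-entropy" means (this is example code, not part of the original post or of any password manager), the snippet below generates a password the way a manager does, from a cryptographic random source, and compares its guess-resistance with a memorable "pet name plus year" pattern. The assumed pattern sizes (10,000 common names, 100 years) and the assumed guess rate of ten billion guesses per second are rough, labelled assumptions used only to give a sense of scale.

```python
import math
import secrets
import string

# Added illustration of why generated passwords beat memorable ones:
# entropy (guess-resistance) grows with alphabet size and length.

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a string drawn uniformly from this alphabet and length."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Draw each character independently from the OS CSPRNG (what a manager does)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_time_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the space at an assumed offline guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def compare() -> dict:
    # Assumption: a "memorable" password is a pet name from ~10,000 common
    # names followed by a 4-digit year from ~100 plausible years.
    memorable_bits = entropy_bits(10_000 * 100, 1)
    generated_bits = entropy_bits(len(PRINTABLE), 20)
    return {
        "memorable_bits": round(memorable_bits, 1),
        "generated_bits": round(generated_bits, 1),
        "memorable_years": guess_time_years(memorable_bits),
        "generated_years": guess_time_years(generated_bits),
    }


if __name__ == "__main__":
    print(generate_password())
    print(compare())
```

Under those assumptions the memorable pattern has about 20 bits of entropy and falls in a fraction of a second, while the 20-character generated password has about 131 bits, which no realistic guessing campaign gets through.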

Two-Factor Authentication

Always enable two-factor authentication whenever possible.

Two factor is basically what it sounds like - a secondary way that a computer system or network can identify you.  This can take the form of custom software (Authy or Google Authenticator) or even standard text messaging.

It should be pointed out that standard text messaging through SMS is not considered secure due to hackers' ability to spoof people's phone numbers in some instances. 3

The general tip here is to enable secondary authentication wherever it is offered, to improve your security.  For crypto traders, this means that you should enable secondary authentication on your exchange & trading accounts as well as wallets if it is a choice.

Generally, both Ray and I advise enabling two-factor authentication on all exchanges that support it, and do not support exchanges (or other websites and social media) that do not.  If an organization doesn't take your personal security seriously, you should question whether you want to do business with it.

Two industry-standard means of secondary authentication are Authy and Google Authenticator.  This software is quite cutting-edge when it comes to security; for example, you can even use Authy on your watch, or even on a "cold" Android device that is not connected to the Internet.

Situational Awareness

Keep in mind that although it's almost impossible for a person to glance at your laptop and memorize a long string of numbers (private key), it's very easy to take a photo surreptitiously of somebody's computer screen.  This could be at a coffee shop, on an airplane, or in a library.

Then, later, the hacker may zoom in and be able to ascertain a private key if you had it visible.

Coffee shops are notorious for caffeine and bran muffins.  You get the picture.  If you have to use the bathroom, take your computer with you.  It's very easy for anybody to plug a USB device into your computer or otherwise tamper with your electronics if you leave it unattended for any length of time.

It would be unfortunate if a bathroom break resulted in a key logger being installed on your computer.

Social Media Conservatism

Social interactions are always rife with security threats.

It may seem relaxing to have a beer and start exchanging viewpoints on Reddit, Twitter, Discord, or XRP Chat.  But don't get too relaxed.

Hackers are notorious lately for using social media to obtain information enough to steal from you; try to reveal as little as possible about your investments, the value of your crypto holdings, or the specific steps you take to secure your information.

Even if you feel confident that you've taken all necessary steps to protect your data and information, never brag about the specific measures you've taken to secure your information, data, or accounts.  Even if it is secure and has secondary authentication, revealing enough details to a hacker may end up harming you if they manage to obtain enough "pieces of the puzzle" so to speak.

Most importantly: Do not underestimate the persistence, capabilities, or amount of social betrayal from a hacker.  The less you reveal, the better.

Choosing a Crypto Wallet

I will never be the first one to 'try out' a new wallet.  I do not have the time to review the underlying code, and as such, I place myself in a situation where I have to somehow either trust the organization that created the wallet, or I have to verify that it was compiled from a trusted source.

In any case, choose your wallets carefully, as you honestly never know if there is some code or backdoor in the wallet that will compromise your secret key.

This is one area where the only thing I can do is issue a general warning for users to do their own due diligence.  Have you done Google searches to find out if there's been any security incidents in the past with the wallet?  Have you asked around on different forums about the wallet?  Do you know how many others use the same wallet you are using?

These are all factors to consider when choosing a wallet to access a crypto network like Bitcoin or the XRP Ledger.

Sources of Wallets

One reader noted that he's concerned about newbies purchasing hardware wallets from individuals or third parties (think eBay or Craigslist).  While hardware wallets are a popular, highly secure option, you need to buy directly from the company, not a third party.

A third party could have (possibly) installed their own software on the device which might compromise its security.  Do not purchase hardware wallets from eBay or Craigslist.

Further Learning and Research

If you're new to investing in cryptocurrency or digital assets, it's very important that you set aside some time and learn more about online and digital security.  To that end, it's good to get a broad overview of hacking and security as a starting point, so that you know just how inventive some hacking techniques are - it should definitely be eye-opening for you if you are new to this topic.

Ray Watson helped me with this article, and is a noted InfoSec (Information Security) researcher and public speaker. In the following video, he provides a great and in-depth history of hacking from its origins to the present day:

https://www.youtube.com/watch?time_continue=865&v=0lHLvxsbohs

In addition, several presentations are freely available on YouTube that demonstrate the very real threat that hackers represent - not just to crypto investors, but to everybody that has personal data floating around in cyberspace.  One of the most educational - and shocking - videos I've seen is the following TED talk by Pablos Holman, a former hacker:

https://www.youtube.com/watch?v=hqKafI7Amd8

Next Steps

Altering your security and behavior requires an investment of time and effort, but it is clearly worth it if it prevents you from losing a material amount of value through theft to a hacker.

Once you've had your crypto tokens stolen, it's very difficult to recover them; in some cases it is impossible.  Unlike physical cash, police will have a much more difficult time following up on where the money went - in some cases it requires specialized knowledge of digital forensics to track down modern hackers.

It's worth it to take a look at these tips and take steps to secure your online identity, passwords, and secret keys.  Taking a series of small, prudent steps can help prevent a lot of unnecessary heartbreak and trouble for you, so I recommend you strongly evaluate your security - especially if you have recently entered the world of crypto investing.

Sources:

  1. https://computer.howstuffworks.com/encryption3.htm
  2. https://www.quora.com/How-does-SSL-and-website-certificate-work
  3. https://en.wikipedia.org/wiki/Multi-factor_authentication
