Keeping your crypto safe: basic security precautions
It’s a relatively long read, but there are no shortcuts when it comes to protecting your money. Here are 15 of our top recommendations for making sure you are not the victim of a crypto hack or lost funds.
1. Learn how it all works
Crypto works on a completely different model from traditional, centralised web services like PayPal or Facebook. With no middlemen or companies maintaining a database, responsibility for your money is yours alone. Educate yourself: gain at least a high-level understanding of how blockchains and cryptocurrencies work. Try to stay up to date with the latest news and developments. And — especially if others are using your computer — make sure your friends and relatives also have a basic grasp of security best practices.
2. Back up your data
Make multiple copies of your private keys (in both electronic and physical form) and store them in different places. TimeX creates backups for your wallet: a printable seed phrase, and a wallet file you can back up digitally. When printing out sensitive data, it’s best not to use a printer that is connected to the web — printers can be hacked, just like computers.
3. Encrypt your wallet
Don’t make it easy for someone who gains access to your wallet file: setting a password takes seconds and can make a big difference. Similarly, don’t store your private key in plaintext on a device connected to the web. There have been many, many instances of crypto being stolen after an unencrypted private key or wallet file was taken from a home computer or from cloud storage.
4. Use antivirus software and a firewall (if applicable)
If you’re running Windows, you’ll definitely need an antivirus app. There are several excellent ones you can download for free, which offer a good basic package and paid upgrades — search online for the ones with the best reviews. Viruses and other malware are generally less of an issue for iOS and Linux, but make sure you’re clear on best practice for your OS.
5. Be careful what you click on and what sites you visit.
Addressing malware promptly is only one part of the battle. It’s best not to get it on your computer in the first place. Do not click on links unless you’re confident they lead where they should, don’t open any suspicious email attachments, and be careful what websites you visit. (Generally speaking, the shadier the website, the more likely you are to pick up malware when using it.)
6. Keep your software updated.
Download security patches and other updates promptly, since these often close newly discovered vulnerabilities before they can be exploited against you. It can be tempting to let those seemingly endless updates wait for another day, especially when you’re in the middle of something important. Just don’t leave it too long. You can always leave your computer on overnight and let the updates happen while you sleep.
7. Ensure you have a strong password policy.
It is trivially easy for a hacker to crack weak passwords. Conversely, a strong password will be impossible to crack. You can find plenty of guidelines online about how to create a password that is both strong and memorable. You will likely be tempted to reuse the same password over and over, especially if it’s a complex one you have gone to the trouble of memorising. This is a bad idea — particularly if you use the same password for a service like an exchange and the email address with which you register for that service. You can use a password manager such as LastPass or KeePass to make life easier: you will only need to remember one master password and let the software generate (and remember) passwords for each application.
8. Secure your devices in the real world.
This isn’t CIA-grade spycraft. It’s just about making life that bit harder for would-be thieves. Remember to enable screen lock so that you’ll need to enter a password after a few minutes away from your desk; require a password on start-up; and take anti-theft measures like locking your device to something solid using its Kensington Security Slot.
9. Connect securely.
Public wi-fi is notoriously easy for hackers to compromise. If you are using public wi-fi, you can assume that anything you do is visible to an attacker. Think of it this way. It’s not that you might be compromised if you use public wi-fi: it’s more that, if you use it, then sooner or later you will be compromised. That could prove very costly. (If you need to do anything sensitive when you’re out and about, it’s best to tether to your phone and use that for your internet connection.) Even ‘private’ home wi-fi networks are not particularly secure. If you’re using cryptocurrency clients and moving value around, it’s far safer to use an Ethernet (wired) connection.
10. Don’t put all your eggs in one basket.
Do not hold all of your funds in one address or on one platform. If an attacker somehow gains access, you’ll be wiped out. You may want to hold funds on an exchange; if so, make sure you only keep what you need there. Too many people have lost their crypto because they used exchanges as wallets, only to find the company’s security wasn’t as good as they thought. Remove funds you don’t immediately need for trading to an external wallet. If you don’t need the crypto for some time, shift it into cold storage. Similarly, choose your exchanges and wallets wisely, checking their terms and security record. Decentralised exchanges remove the counterparty risk inherent in centralised exchanges. TimeX offers wallet-to-wallet trading.
11. Use an air-gapped system.
This is a computer that is not connected to the internet, and that has ideally never been connected to the internet. This makes it practically impossible for a hacker to gain access to it without physically being present. An air-gapped device is the best solution for cold storage transactions. Wallets are set up offline, transactions are signed offline, then the signed transaction is broadcast to the web on a different machine. Hardware wallets essentially operate in this way. TimeX offers support for Trezor and Ledger hardware wallets for login and signing transactions.
12. Use 2FA and IP whitelisting.
Two-factor authentication requires that a transaction is verified by a second, independent means. For example, an exchange may require that you enter a code sent to your email address before allowing you to withdraw funds. More sophisticated versions of 2FA pair your account with a separate device, using an app like Authy or Google Authenticator. (TimeX uses Google Authenticator for 2FA.) This means a hacker would need access to both your exchange account and your mobile device before they could steal funds. IP whitelisting enables you to specify a list of IP addresses from which you are able to access the service — so hackers in other locations will have another layer of security to contend with.
13. Only use reputable exchanges.
The landscape is improving, but there are still plenty of small, anonymous and second-rate exchanges in existence. Needless to say, your chances of losing funds to hacking, exchange closure or insider theft rise dramatically in these cases — and your chance of recovering any funds if something does go wrong is minimal. Make sure the exchange is an officially registered company, working out of a jurisdiction that will be prepared to help you. Check their compliance statements, their legal approach to coins and tokens, and their core team. A decentralised exchange (DEX) will automatically mitigate many — but not all — of the problems of a centralised exchange (CEX). TimeX meets or exceeds the Cryptocurrency Security Standard (CCSS); TIME and LH have clear legal status as utility tokens; and ChronoBank has a strong, reputable team with broad experience in the field.
14. Never expose your private key, seed phrase or unencrypted wallet file to the web.
This is a favourite way for scammers to steal crypto: by posing as an online wallet service and encouraging you to enter your private key on their site. Unless you are absolutely sure that this is a legitimate service, and that the connection to the site is secure, you should never do this. Even then, be very careful — there are usually far safer options.
15. Have a security breach plan.
If the worst comes to the worst, you need to be ready to protect the rest of your funds. That will likely involve changing your passwords; checking all current crypto addresses and exchange accounts and moving funds if necessary; auditing your security and consulting a professional if required.
Maintaining good security is largely a matter of common sense, but getting it right does require some effort. It also involves never taking shortcuts. Very often, a breach will be caused by uncharacteristic complacency or acting in a hurry — a private key entered on a dubious website, or funds unnecessarily left on an exchange rather than being withdrawn, to save a few minutes. While you can always do more and you will need to find the appropriate balance between security and convenience for your circumstances and the quantity of funds that are at risk, you will seldom regret going the extra mile. And the history of crypto is littered with too many people who do regret not having made that extra effort. Make sure you’re not one of them.
And here is an infographic to visually check that you follow all the rules for excellent security: