The crypto-ecosystem demands responsibility and constant learning. Blockchain technology is evolving by leaps and bounds, providing ever greater economic and financial opportunities for people. The often-quoted phrases in the crypto space, “you are your own bank” has a connotation of autonomy and “not your keys, not your cryptos”, of responsibility for the custody of one’s own funds.
I am not a cybersecurity expert, nor should this article be a substitute for seeking professional expertise for best security practices for anyone’s specific situation. What I set out to do is to pass on my knowledge and experience to give you a greater share of security for your crypto money.
Don’t be distressed if you find too many concepts, you can read it several times, and gradually implement them.
There is no such thing as absolute protection, bad actors constantly renew their skills, but by maintaining these basic best practices, you can raise your cybersecurity quotient.
Security is not only related to theft of funds, but also to one’s own negligence. We read a lot of news about hacking or phishing, scams or giveaways, in which victims are robbed, but also other news about loss or forgetting of private keys.
We can distinguish security from two approaches, one is technological and the other is privacy.
The technological one is about procedures and understanding of computer code issues, about which I will not go into too much depth so as not to confuse or overwhelm. Many of the caveats are ones you apply, surely, when you browse the internet, and if you don’t know them you will learn them, but some of these are novel and unique to blockchain.
Privacy-based security has a common sense argument, but in some cases it requires some knowledge of the technology.
Implementing Different Security Measures
If you have your cryptocurrencies in an exchange you are a creditor of the exchange. When you buy cryptocurrencies on an exchange, you do not own the keys. The company credits an internal registry with your holdings. They hold the cryptocurrencies, with custody of the private keys in the blockchain, you do not. In this way the exchange posts a debt with you for that amount, and it is settled when you withdraw.
The biggest risk of leaving your funds in an exchange is the possibility that a hacker manages to change your account password and steal all your money. This is easier than you think, by hacking your cell phone or your pc.
A 2FA (second factor authentication) minimizes risks, but it should not be SMS, but Google Authenticator or Yubikey type, but not all platforms allow it.
There is also the risk of hacking the exchange itself, stealing funds that can bankrupt it, which is more likely in those with a low volume of clients.
It has happened that exchanges have to temporarily disable operations for maintenance. You will have problems if this happens just when you need your funds.
Another problem can be the intervention of a government over the company that owns the exchange, which can complicate operations with regulations, or confiscate your funds for legal reasons, or freeze your account for different reasons.
In short, there are several situations that can occur if you are not the one who controls your keys in a non-custodial wallet, so my suggestion is not to use exchanges as long-term custody for your funds. In Cardano you can choose among almost 3 thousand stake pools to delegate, contributing to the consensus and decentralization of the network, and getting rewards every epoch (5 days).
The most secure wallets for the Cardano network are the official Yoroi and Daedalus, and then AdaLite. Download the software to install and update your applications from the official sites, and access the platform by typing the address in your browser bar, and never use links received by mail or from a social network.
Yoroi: https://yoroi-wallet.com/#/
Daedalus: https://daedaluswallet.io/
AdaLite: https://adalite.io/
The place where you set up your wallet should be totally private, and on your own devices and not shared. Installing your wallet in your office pc is a bad idea, unless that device is for your exclusive use and is not connected to a server (intranet) of the company you work for, since connecting to the network with this intermediary can expose your activity and data of the application.
It is also not a good idea to think that it is a solution to delete the wallet, after having created it on a shared device, (having the seed you can restore it later), because having created it on an electronic medium leaves traces, and in some cases the screen recording may be active.
Those devices that you use in your daily life are permanently connected to the network, and are vulnerable to computer attacks. Having a dedicated wallet device and keeping it off-line is ideal, and connecting it to the internet only when you make transactions, greatly increases the level of security.
You can add a higher level of security by factory resetting the mobile device or formatting the PC disk, and then installing an antivirus and keeping it active before installing your wallet. Perform, periodically, a full system scan, because it can detect malicious programs that were not blocked.
By the way, the device you choose for your wallet must have a startup password in its operating system. Your passwords must have at least 10 alphanumeric characters, with some sign and some capital letters. Adding the number of characters from the ninth character onwards increases exponentially the security against brute force hacking. To remember better you could use a phrase instead of words, for example (with uppercase, lowercase and spaces): #My phrase is 100% secure.
If the device on which you have your wallet installed is lost or stolen, you should restore it on another device you trust, then generate another new wallet, and send all funds to the latter, as they can access your wallet on the lost device and steal from you.
If you take your device to be repaired, uninstall your wallet, but if you don’t have that possibility, don’t give your password to enter the operating system. You can also do what I told you in the previous paragraph.
Update your operating system software periodically, since the developers are aware of new vulnerabilities, and correct them with patches.
Activate your system firewall, which is designed to block unauthorized access. In certain configurations, and for some wallets like Daedalus, which is also a network node, the firewall can affect your connection, well in those cases you must disable it, you have no choice but to find the right configuration to keep it active. A good antivirus has a firewall.
The safest option is a hardware wallet, Trezor or Ledger, which do not replace the Daedalus or Yoroi wallets, but give them a second layer of security, you must use these devices, together with Daedalus or Yoroi, in every operation.
Buy your devices in official stores, including hardware wallets, never from unknown persons, nor used, nor in various virtual stores. Verify the manufacturer’s indications about the security of the package when you receive it, install the firmware, and keep it updated.
When you configure the wallet, a mnemonic phrase of 12, 15 or 24 words will be generated, depending on which one it is. These words are set in the application’s encryption protocol. In most cases the bip-39 standard is used, and the application software chooses from the total of 2048 records for encryption. You can see them on GitHub, just for your curiosity, you don’t need to know them, the wallet will give them to you.
There are many tutorials on the internet to install the wallets and it is not a complicated task.
When you create a new wallet make sure that no intruder near you can see your screen, because he will see the passphrase. When I talk about intruders, I am also talking about cameras on the pc and closed circuit in the environment.
So, the safeguarding of the passphrase is the main issue, since it is the access to your funds, and if you lose it there is no way to decrypt it, nor your funds.
You can restore your wallet with the seed phrase on any device, and even on several at once, operating interchangeably between them, but I do not recommend this option, as you open more possible doors for the theft of your funds. It is like having several access doors to your safe deposit box, what’s the point, one is enough.
Many recommend keeping the mnemonic phrase on paper, in (at least) 2 different places, distant from each other and of your trust (the same physical place can suffer fire or flood). Paper degrades, but you can laminate it and keep it in a fireproof container. Others increase safety by proposing to write it on an aluminum plate with an awl.
I recommend a very secure method, but which requires a bit of learning, and that is to encrypt your phrase in PGP, (pretty good privacy) with SHA256 security. This encrypted file can even be stored in the cloud, since it is the same protocol used by Cardano in its blockchain. Do you trust Cardano’s security, then you will not be afraid to upload it to the cloud and also have it on your pendrive. The key is the PGP certificate, which is necessary for encrypting and decrypting.
Here you can learn how to encrypt. Download the encryption application, executable on Windows operating system or for different operating systems.
What you definitely should not do is to save the seed in your daily use pc, in a simple text, neither with password access, since it is easily violated. Nor on an unsecured flash drive.
When you create the wallet, it will ask you to generate a spending password, i.e. a password that you will use on that wallet every time you send your funds. Respect the strength settings I mentioned before for passwords. This password can be different when you restore your wallet on another device, but the seed, it cannot be different. If you have several wallets you can use the same spending password, for convenience, but it is not recommended, it reduces security.
When sending cryptocurrencies from your wallet, verify at least the first and last 8 characters of the destination address, there are malwares that divert funds. The ideal, of course, is to verify the total of the long address.
In case of sending a large amount of cryptocurrencies, and to avoid errors, you can split the operation into 2 shipments, where the first one with a small sum, proves its correct crediting to the destination account. It will only cost you one more sending fee, and considering that we are talking about a large sum, the cost is well deserved.
If you have a very large amount of funds in cryptocurrencies (the amount is subjective), manage them in different wallets. This diversification raises your security coefficient. Conventional wisdom says don’t keep all your eggs in one basket.
If you make frequent movements of funds, (payments and collections), leave a wallet for it, do not mix your savings with your daily payments, do not take your home safe deposit box to the supermarket, just carry your small pocket wallet.
Privacy is Part of Security
Finally, let’s talk about privacy as part of security. You don’t walk down the street telling anyone how much money you have, or where you keep it. Don’t talk about how many cryptocurrencies you have. Talk about ADA, but not about your ADAs.
Cryptocurrency is cryptographic money, the safest, non-counterfeitable kind. Have you ever received a counterfeit bill and not realized it? Cryptocurrencies cannot be counterfeited, you will not receive counterfeit money in your crypto wallet, because network validation does not allow it.
The KYC (know your customer) that regulators force exchanges is an issue that you should consider for your privacy. Your movements and funds are reported periodically, with your name. That information (although they say it is protected) travels from your exchange to the entity that regulates the activity, and there are officials who see your data, people with their virtues and defects.
Avoid operations in open and public networks, as they can intercept and collect your data.
Use VPN for your privacy. Although some configurations may affect the connectivity of certain wallets, it is not common. In that case, switch VPN applications. Free VPNs often have data leakage, I don’t recommend them. The ones offered by the most renowned antivirus developers are suggested.
Do you close the door of your home when you leave? Close sessions at the end of use. Disconnect the Internet when not in use.
Do not give to anyone your public addresses, that although with them it is not possible the theft of your funds, they can reveal the amount.
With the staking key in the Cardano blockchain, you can know all the addresses of a wallet, that is to say that knowing it, they will see all the funds in your wallet.
Use new addresses for new transactions, wallets like Yoroi or Daedalus generate them at your request. They are called Hierarchical Deterministic (HD) Wallets.
Finally, keep in mind that if you are offered assured earnings after a while, in exchange for handing over your cryptocurrencies, it is surely a scam. Giveaway is a word you should read carefully, nobody gives away anything valuable, there is no free lunch.
