Using cryptocurrency gives you control of your own assets, but the price is that you are also in charge of your own security. Since most people are not security experts, they are very often exposed without knowing it. I am always amazed to see how many people around me, even tech-savvy ones, don't take basic security measures.
You are at risk even with a super secure hardware wallet, which is supposed to be the gold standard for security today. Most incidents happen at the "points of connection" with your wallet (the computer, phone, browser and clipboard you use to talk to it), not in the wallet itself. What is at risk is not so much your setup as your attention.
Here are a few tricks hackers like to use to steal your private keys (the information needed to spend your coins) or to trick you into sending coins/tokens to the wrong destination.
1. Copy paste: you see an address you want to send some bitcoins to, and you copy/paste it into your wallet. Except that clipboard-hijacking malware such as CryptoShuffler, a small program that watches the clipboard, will replace the address you just copied with one of the attacker's own, which has nothing to do with the original. The same trick works with any copied secret, including the master password for your password manager.
Tip: Verify the address after pasting it, character by character, against the address the recipient actually gave you, not just the first and last few characters (a substitute address can be chosen to share them). Use the QR code if you know how. Don't install dodgy software or apps you aren't sure of. Run an anti-malware scan regularly (Bitdefender, Malwarebytes). Use an ENS name (Ethereum Name Service) registered by the recipient instead of a long, error-prone, impossible-to-verify address; an ENS name still resolves to an address, so check the resolved address in your wallet too. Some names are cheap to buy, some are not, but this is peace of mind.
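As an added example (not code from the original post), here is a small Python check in the spirit of the tip above. It validates a pasted legacy Bitcoin address with its Base58Check checksum, which catches typos and damaged pastes, and then compares it with the address the recipient actually gave you, which is the only thing that catches a clipboard hijacker, because the attacker's substitute address is itself perfectly valid. The RECIPIENT and ATTACKER addresses built in the block are constructed samples (hypothetical hash160 payloads), not real wallets; the one real address used is the well-known Bitcoin genesis address.

```python
import hashlib

# Base58 alphabet used by Bitcoin (no 0, O, I, l, which are easy to confuse).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58; each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Decode Base58; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def base58check_encode(version: int, payload: bytes) -> str:
    """version byte + payload + first 4 bytes of SHA256(SHA256(version + payload))."""
    data = bytes([version]) + payload
    checksum = hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    return b58encode(data + checksum)


def is_valid_legacy_btc_address(addr: str) -> bool:
    """True if addr is a well-formed P2PKH (1...) or P2SH (3...) address.

    Bech32 'bc1...' addresses use a different checksum and are not handled here.
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    data, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] == checksum


def corrupt_last_char(addr: str) -> str:
    """Simulate a typo: replace the last character with a different Base58 character."""
    repl = "2" if addr[-1] != "2" else "3"
    return addr[:-1] + repl


def check_paste(intended: str, pasted: str) -> str:
    """Classify what ended up in the wallet's send field.

    'ok'          - exactly the address the recipient gave you
    'corrupted'   - checksum fails: a typo or a damaged paste; the wallet would reject it
    'substituted' - a *valid* but different address: this is what a clipboard hijacker
                    such as CryptoShuffler produces, and no checksum will catch it
    """
    if pasted == intended:
        return "ok"
    if not is_valid_legacy_btc_address(pasted):
        return "corrupted"
    return "substituted"


# Constructed sample addresses (hypothetical payloads, not real wallets).
RECIPIENT = base58check_encode(0x00, bytes(range(20)))
ATTACKER = base58check_encode(0x00, bytes(range(20, 40)))


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # real: Bitcoin genesis block address
    print("genesis address valid:", is_valid_legacy_btc_address(genesis))
    print(check_paste(RECIPIENT, RECIPIENT))                     # ok
    print(check_paste(RECIPIENT, corrupt_last_char(RECIPIENT)))  # corrupted
    print(check_paste(RECIPIENT, ATTACKER))                      # substituted
```

The important line is the last branch of `check_paste`: the wallet itself only ever runs the checksum, so a hijacked clipboard produces an address the wallet is happy to send to. Only you, comparing against the address from an out-of-band source, can notice the swap.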
2. Fake mobile apps: hackers publish convincing fake trading apps for a crypto exchange (e.g. Poloniex), but you are not trading anywhere; you are just handing your credentials and money to the attacker. More generally, Android is more exposed than iOS, in particular because apps can be installed from outside the official store, so be careful about what you install and regularly clean your device of anything you don't use.
Tip: Don't get too fancy here. It's obvious (but not to everyone): protect your device with a PIN, Touch ID and/or Face ID, add two-factor authentication to every app that offers it, and avoid downloading junk.
3. Slack hacking bots: bots on Slack are a plague. They will message you with a warning about a security alert on your wallet (which of course does not exist) and link you to a URL where they ask for your private key. Don't touch it; no legitimate service ever needs your private key.
Tip: Ignore bots on Slack and report them when they contact you. You can also use MetaCert to protect your Slack channels.
4. Browser extensions: some extensions claim to improve your user experience on trading sites. Except that an extension with access to the page can also read everything you type there, including passwords and 2FA codes. Stick with the ugly user experience; you'll be safer.
Tip: Do not install crypto extensions. Browse in "private mode", where extensions are usually disabled, or use a fresh browser profile only for this. You can also take a look at Brave, a browser with a built-in crypto wallet.
5. Clone websites: you start typing the URL of a website and your URL bar autocompletes to a very similar URL pointing to a site with the exact same look and feel and logo.
Tip: Check the full domain name in the URL bar, not just the padlock: a clone site can get a valid HTTPS certificate too, so the padlock only tells you the connection is encrypted, not that you are on the right site. The Cryptonite extension for Chrome/Firefox can highlight fake URLs.
6. Fake Google Ads/SEO: it's a known technique. You search for your favorite (or not) crypto site on Google, but hackers squat the top paid results (or organic ones) with similar URLs (including a small change) and trick you into going to their site instead.
Tip: Read the URL carefully after the click.
7. Fake social accounts: be careful there. Only follow verified accounts, or simply click the social links on the official website of the service you want to follow. Don't trust any other source, not even the Twitter/Facebook recommendation algorithms, which can push new fake accounts.
8. Mobile SMS 2FA: this is a widely known issue. Services ask for your mobile phone number to register or to activate 2FA (two-factor authentication), but, especially in the USA, some hackers are very good at talking mobile operators' support teams into moving your number to a SIM they control (a "SIM swap"). From there they receive your SMS codes and password-reset messages and can get into any account linked to your phone number.
Tip: Ask your operator how your number is protected against unauthorized transfers. Never use a service that requires your phone number if you can avoid it, and never set up 2FA with SMS; use a software authenticator (TOTP) instead.
9. Email phishing: you get an email from a service you know, except it isn't from them. It uses the exact same format, template and design. Often the service doesn't even have your email address, but that doesn't matter, you won't remember. Don't click blindly.
Tip: Pay attention to the link you click on: hover over it and look at the real destination in the browser's status bar. If it looks weird, get out.
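The URL checks in tips 5, 6 and 9 above can be automated. As an added example that is not part of the original post, the Python below folds a hostname into a "what it looks like" skeleton (punycode decoded, Unicode confusables such as Cyrillic а mapped to their Latin twins, "rn" read as "m") and compares it with an allowlist of the sites you actually use. A skeleton that matches a trusted domain without being it, a single-edit typosquat, or a trusted brand buried as a subdomain of an unrelated domain is flagged as a lookalike. The TRUSTED allowlist is a constructed sample and the confusable table is deliberately small; a full one is the Unicode confusables.txt. Note that none of this depends on the padlock: a lookalike site gets a valid certificate just as easily as the real one.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical allowlist: the sites this user actually has accounts on (constructed sample).
TRUSTED = {"coinbase.com", "binance.com", "myetherwallet.com", "poloniex.com"}

# Characters that render like a Latin letter (small subset of Unicode confusables)
# plus ASCII near-twins.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",  # Cyrillic
    "і": "i", "ј": "j", "ѕ": "s", "ӏ": "l",                                # Cyrillic
    "α": "a", "ο": "o", "ν": "v", "ι": "i",                                # Greek
    "0": "o", "1": "l", "|": "l",
}


def skeleton(host: str) -> str:
    """Reduce a hostname to the form a human perceives (UTS #39-style skeleton)."""
    try:
        host = host.encode("ascii").decode("idna")    # xn--... punycode -> Unicode
    except UnicodeError:
        pass                                           # already Unicode, or not valid IDNA
    host = unicodedata.normalize("NFKC", host).lower()  # folds fullwidth forms, ligatures
    host = host.replace("rn", "m").replace("vv", "w")   # letter pairs that read as one glyph
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions (coinbsae)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(url: str) -> str:
    """'trusted' (allowlisted), 'lookalike' (impersonates an allowlisted site) or 'unknown'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unknown"
    if host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    sk = skeleton(host)
    for good in TRUSTED:
        gsk = skeleton(good)
        if sk == gsk:                          # homograph: identical once confusables are folded
            return "lookalike"
        if osa_distance(sk, gsk) <= 1:         # typosquat: one edit or one swapped pair away
            return "lookalike"
        brand = gsk.split(".")[0]              # brand as a subdomain of an unrelated domain
        if brand in sk.split(".")[:-2]:        # e.g. coinbase.com.secure-login.xyz
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an ad, a search result or an email.
    for link in ("https://www.coinbase.com/login", "https://coinbsae.com/login",
                 "https://binаnce.com", "https://rnyetherwallet.com",
                 "https://coinbase.com.secure-login.xyz/verify", "https://example.org"):
        print(f"{classify(link):9s} {link}")
```

The skeleton comparison is what an extension like Cryptonite does for you in the address bar; the point of seeing it in code is that the checks are cheap and mechanical, so the only reason to get caught is not looking.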
10. Wi-Fi hacking: you may have seen the news: WPA2, the security protocol used by most Wi-Fi routers, was broken by the "KRACK" attack. An attacker within radio range of your network can decrypt (and in some cases inject) traffic on it, which exposes anything that isn't also protected by HTTPS. Similar risks exist on public Wi-Fi (e.g. airport Wi-Fi), where you don't control the network at all.
Tip: Update your router and, just as importantly, your laptops and phones (KRACK is fixed by patching the devices that connect as much as the router), check for firmware updates regularly, and never trade on public Wi-Fi (at least not without a trusted VPN).
If there is one tip that sums all this up: when dealing with crypto transactions, be extra careful.