Techniques to secure your crypto property

in #security8 years ago (edited)

trybe verification
Profile Link:
https://trybe.one/user/25528

All written here is from the lessons I’ve learned hard during the past years. With lots of newbies in crypto world attracted by Steem, I thought it’s a good idea to share my negative experience and techniques to avoid such, so people would not repeat my mistakes.


Picture: blog.orbitremit.com

Introduction

I was almost late to the party–it was May, 2013, when I’ve heard of bitcoin and other cryptos the first time in my life.


Year 2013 in one chart / Source: blockchain.info

Being somewhat a rebel and anarchist, perhaps since the kindergarten, I was excited about crypto world and freedom it brings. In the mid-2013 (right after the sharp drop of BTC value) I bought some GPUs and setup my first rig for bitcoin mining and then switched it to litecoin mining. The coins I was mining would hardly cover my own expenses for electricity, but I was mining them just for fun, just because I loved the ideas of crypto. To make a long story short in a year I had some ASICs, GPU rigs and dozens of different crypto wallets with some precious coins. I have been mining, minting and trading all the coins you can even imagine or find a reference in the history of crypto world or snapshot at archive.org website. During all these years I’ve got enough experience in securing my crypto possessions, which can fit into these three points from my lessons learned hard: never keep your coins on any exchanges, secure everything with different strong passwords and 2fa, and run all new software in a sandbox.

Never keep your coins on any exchanges

One of the coins I was mining back then was BlackCoin (BLK/BC), with almost all BC I mined (over 20k) were kept on Mintpal (some might remember that exchange and, perhaps, know about the coin I mentioned here) with some more bought later. Black coin was on the rise with some sharp drops, so I thought it was a good idea to “buy low, sell high, rinse, and repeat”.

Apart BlackCoin, I had some Bitcoins, millions of MintCoins, and some other coins, the names of which I can’t even recall now. I was lucky to avoid the MtGox disaster before, so I was reckless enough to hold most of the coins I had on Mintpal. One day I realized that I can’t withdraw a single coin from Mintpal. I was hoping for some time for a wonder just to realize finally that I was ‘goxed’ for some over 10 BTC worth of coins. Further I was loosing some small amounts of coins here and there after another exchange gone south all of a sudden, but I knew already how it may end, so I was pretty careful afterwards.


Picture from bbc.com


MintPal Shutdown / screenshot from cryptocoinsnews.com

So here comes the first friendly advise: never hold your coins with any exchange. Keep only some coins for day trading and don’t trust any exchange. Your favorite exchange may look adamant, but none knows what is going on currently behind the scenes. Have some bad feeling about your coins at the exchange–just withdraw to your encrypted wallet and sleep tight.

Still not convinced? Read some more here: http://bravenewcoin.com/news/36-bitcoin-exchanges-that-are-no-longer-with-us/ (the list is incomplete…)

Secure everything with different strong passwords and enable 2FA

You are a good boy or a girl (cheers girls!), keep your software always updated, have a bunch of antivirus applications, and several paranoid firewall? So, here is another story for you.

Some months ago I was trading my coins with another pretty big exchange as usual. Everything was fine and cheerful: the night before I’ve just increased my stash of SaLuS coin for cheap (hello @kushed!) and made some profit on other coins. That morning I woke up, checked my mail and one notification from BCT caught my eye: “several exchange accounts hacked, enable 2fa”. Do I have to say here that I hate 2FA and never used it, except when been forced by Gaw miners’ cloud mining? I was thinking that it’s enough to have a strong unique password to my e-mail account, since all withdrawals have to be confirmed through a confirmation link. Well, I was totally wrong! Some scum managed to hack another victim’s e-mail and traded all my and some other folks’ balances to dust in hours through that compromised account (he was selling my coins into his own low buy orders and buying his high orders repeatedly). Though I still don’t know, how he managed to get my password to that exchange (it wasn’t that easy–9 characters (5 letters with one capital, and 4 numbers), but the fact is that I’ve lost some 1.5 BTC here too.

So, the moral is clear: use unique strong passwords with every exchange / online wallets / services. Some password managers are mentioned in this article: https://steemit.com/steemit/@steemit3/third-update-to-july-14th-security-announcement-account-recovery-begins (we all know, why this announcement was published). Direct link to password managers review

I have one small addition here: you may have noticed this on your ‘change password’ section in your steemit.com account: “The fourth rule: If you can remember the password, it's not secure.” Yet, if you are kind of paranoid about all these password managers (just like me) and have several layouts for different languages on your keyboard (the case when you are not English native speaker or use several languages), you can switch to English layout and type some long stupid phrase in your native (second) language. The result will be something like this: Zrfcm[eqyzdb[jlbnmfktwtpf[bcn (Damn hard to bruteforce–I may have a bounty for you, if you can guess the correct phrase encoded here). The only drawback is that it may be hard to replicate same phrase on your smartphone.

Second: enable Two Factor Authentication, also known as 2FA! All exchanges have this option and it’s pretty easy to do. Just go to your profile, enable 2FA, scan that qr-code with your smart phone (I would recommend google 2fa, any smartphone app market has it), save it as a picture directly to a usb stick or print it out and put in a really safe place. Don’t leave copies on your local PC. I know it’s annoying to use 2FA, but it’s worth your time to do it!


QR-code is your key

Run all new software in sandbox

And here comes the last story (the most sad one for me).
In 2015 despite the fact that I’m a mediocre trader and all my misfortunes with tons of failed altcoins, by October last year I managed to put well over 20 BTC into my running Bitcoin Core wallet just to keep them as some kind of reserve. By that time, all my wallets were encrypted with strong unique passwords and I thought I have nothing to worry about.

One unusually sunny and beautiful October day I’ve installed another new crypto wallet. It’s announcement at BCT was much exciting, and instamining it hard seemed like a good idea. (By the way it’s still listed on yobit: https://yobit.net/en/trade/LUN/BTC)

Needless to say I’ve checked that wallet with virustotal.com and all 55 antiviruses told me it’s totally clean. So, I’ve just installed that new crypto wallet on my old machine I kept running specially for that purpose (shitcoins machine as I call it–I have several grades of machines for different purposes), pooled my rigs at this new wallet and went for a lunch.

Two hours later I was totally shocked and depressed to see that I just had an outgoing transaction from my strong encrypted Bitcoin Core wallet, which was running on a first grade machine with antivirus, firewall and password protection everywhere. I’ve spent the next half of the day figuring out how that can ever happen. The outcome was that I left some old unencrypted bitcoin ‘wallet.dat’ on that shitcoins machine, it wasn’t running and not synchronized for years. My stupid mistake was that I’ve used old keys in new encrypted wallet from that two years old ‘wallet.dat’ file. That shitcoin dev managed to pack a trojan in wallet in a manner it wasn’t recognized by any known antivirus and in less than two hours he stole my old bitcoin ‘wallet.dat’ sitting in an old machine, extracted old private keys, imported them into his own wallet and transferred funds to his address.


Some evil hacker here

So, if you are an adventurous person, who doesn’t want to mess with checking the code and compiling wallets all the time, just like me and install lots of wallets and other crypto-related software on your machines my best advises:

  • do not think that virustotal.com is panacea (universal tool) and use sandbox software (http://sandboxie.com/ is my choice currently, they explain it dead simple how it works on the their website);
  • you might just use hex-editor to manually search through the wallet .exe file as shown here:

  • never leave any copies of unencrypted wallets whether running or not, install them and encrypt right after installation (Love to make copies before encryption? Delete them after or put in a safe cold storage).

Summary

To conclude written above I wanted to say that it’s better safe than sorry. It may appear unnecessary, time-consuming, and boring, but better take seriously written above. I have lost dozens of bitcoins because of bad trades, failed coins, cloud mining sites and other misfortunes, yet believe me, I always felt much more sorry, when my funds were stolen than when the price of some coins I held dropped to several satoshis. Buy yourself several USB sticks, make copies of your wallets and passwords and place them in a really safe place. I never heard of any case, when cyber police would be helpful in finding a criminal who stole crypto (correct me, if I’m wrong), so only you are responsible for your crypto property. So stay healthy and safe, use strong unique passwords, keep only the coins you are going to trade now on any exchange, run all new software in sandbox, encrypt all your wallets and get rid of unencrypted copies on any storage that can be compromised.

May the Steem be with you!

Thanks for reading and don’t forget to upvote if you liked my post.

P.S. Some legendary members might say that I told basics known to every kid here.
But who knows maybe after reading about my experience you will become more careful.
I will be happy also, if I written above will save you some or all money and time!
Have something to add? Comment me!

UPDATE: In some hours after I published this post Bitfinex exchange made an announcement that they discovered a security breach and that some users have had their bitcoins stolen.
Read more here: http://blog.bitfinex.com/uncategorized/security-breach
Protect yourself and stay safe! @richman

Sort:  

Security practices tend to be ignored until there is a failure. After which, security becomes relevant to people.

Just remember: "Nobody understands the value of security, more than a victim"

We must all understand there is risk. If you have something of value, then PROTECT IT!

That's exactly what I meant writing this article!
I just hope my life stories were convincing enough to take it seriously.

Thanks for sharing. Without insights to how others have been victimized, the risks seem distant. I am sorry you have experienced the attacks, but grateful you are sharing them so others may learn a lesson.

couldn't be said any better :-)

Using Linux might be a good security measure too, since most targets use windows.

Thanks for your comment!
That's what I was thinking of too--should have written about installing linux or running a virtual machine with linux as a security measure. Yet, we all remember what happened with cryptsy and why...

Yeah, Thats what I do really, I keep a linux vm for the safe stuff, and a windows vm for testing new wallets.

Seems like the best idea, thanks!

wellcome

richman,
that is some real bad luck. i have lost some cryptos by someone stealing, lying about getting my coins, or being totally hacked where it brought down my computer. any advice on a good computer that can protect me better?

good article!

Linux. Just install Linux alongside your windows. It's easy and fun, and probably a lot safer. Any machine will do, although Intel can still steal everything if they want to.

Nice write up. Thanks for sharing.

Thanks, Kushed!

What length should the password have?

Here it's recommended to have 32 characters passwords: https://steemit.com/steemit/@steemit3/third-update-to-july-14th-security-announcement-account-recovery-begins
Some years ago I tried to bruteforce md5 hash of my own 8 characters password and it would take years...
But everything changes fast today ;-)

As a noob, these were certainly not basics to me. Thanks for the insights, especially the risk of holding large amounts in exchanges.

You welcome!
Thanks for stopping by!

Great article. Securely backing up your keys might be good to mention too, especially for newbies. I wrote an article on that myself (for Steemit accounts).

5 characters password... lol... the advice has been for at least the past 10 years at least 8 characters...

Just to comment a bit on wallet encryption... this is a joke in itself since it just need to have an old unencrypted wallet to bypass it (I learnt it at my advantage actually because I once forgot the password of some wallet :).

Actually, for my bitcoin wallet, I use a laptop which is offline most of the time and has no other purpose than accessing my wallet (on a fresh install). Actually other alternative would be to use specialized dedicated hardware such as Treasure or some other I forgot the name.

Well, it was 9 characters password (5 letters and 4 numbers)...
Please read what I'm saying about unencrypted wallet copies and all that story.
You meant trezor hardware wallet? https://bitcointrezor.com/
Thanks much for reading and your comment!

yes, that's what I meant. trezor

Coin Marketplace

STEEM 0.17
TRX 0.16
JST 0.029
BTC 76073.33
ETH 2917.65
USDT 1.00
SBD 2.64