Responsibility is the price of freedom
Let’s be honest – cryptocurrencies aren’t user-friendly just yet. Securing crypto assets isn’t as easy as we’d like it to be; it takes some skill, dedication and a bit of patience to secure your bitcoins properly.
Every now and then we hear a newsworthy story of someone who lost a considerable amount of money because they lost the private keys to their wallet, got hacked, or trusted a third-party service that held their private keys and got hacked itself.
The first in a series of heists, the 2011 hack of the infamous Mt.Gox exchange, cost more than $8.7 million worth of bitcoin. Given that Mt.Gox handled roughly 70% of all bitcoin transactions in the world at the time, under notoriously poor management, the second and vastly bigger attack came as little surprise: in 2014 Mt.Gox was breached again, this time losing a mind-boggling $470 million. And that was just the beginning.
In 2016, the Hong Kong-based exchange Bitfinex announced that roughly 120,000 bitcoins worth $72 million had been stolen from it. A year later, on December 6, 2017, the Slovenian mining marketplace NiceHash was robbed of about 4,700 bitcoins worth roughly $80 million, and less than two months after that, on January 26, 2018, the Japanese exchange Coincheck reported that hackers had taken around $520 million worth of NEM coins from the hot wallets hosted on its servers.
You get the point. Trusting third-party service providers with your money isn’t exactly a great idea. Cryptocurrencies gave us the freedom to be our own bank, which is excellent, but it also made us the only ones in charge of our security. Granted, we had less financial control before, but we had fewer responsibilities too.
With that in mind, if you want to learn how to protect your bitcoins, you’ve come to the right place. This article lays out, step by step, how to secure your bitcoins properly.
Whoever holds the private key owns the funds
Cryptocurrency transactions are peer-to-peer: there is no official authority acting as an intermediary between the sender and the receiver of the funds. On top of that, once a transaction has been included in a block and further blocks have been built on top of it, it is for all practical purposes irreversible. There is nobody you can call to reverse it and get your money back, which is why a mistaken or malicious transfer is final.
To fully understand how Bitcoin security works, we first need to explain how and where your bitcoins are stored.
There’s a common misconception in the cryptocurrency world that your bitcoins are stored in your wallet. That is not the case. Bitcoins or, rather, Unspent Transaction Outputs (UTXO) are recorded on the blockchain. In order to access and spend your bitcoins, you need to prove your ownership over them; you do that by signing the transactions with your private keys, which are stored in your bitcoin wallet. The concept of a user’s Bitcoin balance is a derived construct created by the wallet application. A wallet, therefore, is just a software application that is used to facilitate bitcoin transactions by managing the private and public keys of the wallet owner.
Consequently, your vital concern regarding the security of your bitcoins is the protection of your private keys. A private key is, at bottom, a randomly chosen 256-bit number. What you usually see is its Wallet Import Format (WIF) encoding: a Base58 string of 51 characters beginning with ‘5’ for the older uncompressed form, or 52 characters beginning with ‘K’ or ‘L’ for the compressed form, with a built-in checksum that catches typos. Its main use is to create the signatures that prove ownership of the bitcoins being spent. In other words, whoever holds the private keys owns the bitcoins. For this reason, you must never, under any circumstances, disclose your private keys (or the recovery seed that generates them) to anyone. Not only will you be giving away your bitcoins, but you will also be drawing a connection between yourself and all of the financial activity of that address.
Keeping your private keys private is no laughing matter. Bitcoin is a multi-billion-dollar industry, and dedicated teams of criminals spend their days devising ways to steal your money.
Before you implement the security measures we suggest, you need to know what you’re up against.
Most common Bitcoin security threats
Many newcomers underestimate how resourceful cryptocurrency thieves can be. Therefore, we’re going to lay out the most common risks and security holes you should be wary of.
Keyloggers and screen loggers
A keylogger is a software or hardware tool that records keystrokes. Although keylogging tools are legal and have legitimate uses, they are most commonly bundled into Trojans and other malware to steal victims’ passwords. Screen loggers, on the other hand, take covert screenshots of the victim’s screen, either periodically or whenever the user clicks the mouse, and attackers ordinarily use the two together. Dedicated anti-keylogger tools exist and can catch what general anti-virus software misses, but no detection tool is reliable against malware it has not seen before. The more robust defence is to make sure there is nothing worth logging: never type a private key or recovery seed into an Internet-connected computer, and sign transactions on a device whose keys never pass through your keyboard (see the section on hardware wallets below).
Phishing
Phishing is the attacker’s most common way of tricking victims into handing over sensitive information (usernames, passwords, credit card numbers, business details, home address or phone number) by posing as a trustworthy party in electronic communication. The most common form is an e-mail that appears to come from a high-profile e-mail provider, financial institution or other service you have an account with, and that directs you to a look-alike website where you are asked to log in. In targeted schemes, the attacker registers an e-mail address almost identical to that of your boss, a coworker or a friend so as not to raise suspicion, hides malware in an attachment and asks you to open it. Be careful: there are many software apps designed to protect your PC from phishing attacks, but there’s no software in the world that can protect you from your own thoughtlessness. Typing the real URL yourself (or using a bookmark) instead of following links in messages, and using a hardware security key for two-factor authentication, which will not authenticate to a look-alike domain, blunts most of these attacks.
Phone-porting attacks
You really need to watch out for this one; cryptocurrency users are especially prone to phone-porting (SIM-swap) attacks. The biggest mistake most of us are guilty of is that we don’t treat our phone numbers as sensitive personal information, but you’d be surprised how much damage an attacker can do with your phone number alone. Typically, attackers snoop around cryptocurrency-related social media groups, looking for naive investors who post their phone numbers and e-mail addresses for easy contact. The attacker then calls the phone provider impersonating the victim and asks customer service to transfer the number to a device they control. More often than not, the representative will ask a few simple security questions, such as date of birth, home address or the last 4 digits of a social security number, which the impersonator may well be able to answer after some phishing, mail theft or a little social engineering. Once the attacker controls your number, every SMS-based password reset and two-factor code for your e-mail and exchange accounts arrives on their phone, letting them lock you out and empty your exchange wallet. So, beyond keeping your phone number and your cryptocurrency business to yourself (or posting under a far-removed pseudonym), stop using SMS for account recovery and two-factor authentication wherever you can: use an authenticator app or a hardware security key instead, and ask your carrier to put a port-out PIN or passphrase on your account.
Trojans
In the past few years, Trojans and other forms of malware have been spreading like wildfire. Pony Loader 2.0 and CryptoShuffler are just two known examples of cryptocurrency-stealing Trojans that have caused trouble for crypto users. A Trojan is malware that pretends to be legitimate software; once installed it sits quietly and does exactly what it was built to do. CryptoShuffler, for example, monitors the clipboard for text that looks like a cryptocurrency address. When you copy a recipient’s address, the Trojan silently replaces it with the attacker’s address, so the payment you paste and send goes to the attacker instead. Note that the swapped address is still a perfectly valid address: the checksum built into Bitcoin addresses protects you against typos, not against substitution. Anti-virus software helps, but the real defence is to compare the address you paste against the one the recipient gave you (the first and last several characters at the very least), and to confirm it on the screen of a hardware wallet, which shows the address the device is actually about to sign for. And never paste a private key anywhere at all: keep your keys on an offline device or on a piece of paper.
Exit scams and ICO scams
Although exit scams and ICO scams have nothing to do with your private keys, they have everything to do with the security of your bitcoins. If you’re new to the game, and you’ve decided that you want to invest your money into the latest “revolutionary” new project that will “decentralize the world” or “cure AIDS through blockchain,” take a step back and ask yourself: Have I done a fundamental analysis on the project? Are the founders of the project public and what’s their reputation? Where is the company registered? Is the development team any good?
If you know the answers to these questions, then proceed with caution. If not, just stay away from ICOs because most of them are outright scams. Furthermore, you should be very cautious about the third-party service providers you use. Many young companies will offer a polished new product such as a crypto exchange, crypto wallet, or gambling site where customers can create accounts to hold Bitcoin. For a year or so, they will act like a legitimate business and promote themselves aggressively to attract as many new customers as possible. And then, all of a sudden, the company pulls an exit-scam and vanishes with all of their clients’ Bitcoin – claiming they’ve been hacked or simply disappearing into the darkness. This is only possible because the regulatory framework surrounding cryptocurrencies is still under development in many countries around the world. With that in mind, always do your research before investing in a highly volatile industry such as the cryptocurrency one and always, always think twice before you consign your bitcoins to a third-party service provider.
Even if you’re “doing everything right”, things can go wrong. Various natural disasters such as fires, tornadoes, or floods could destroy your home along with the equipment you’ve used to store your private keys, your hard drive could stop working, your USB drives could be stolen… You can never prepare yourself for all the things that could go wrong. But, you can anticipate most of them, and in the following part of our guide we will help you do exactly that.
How to secure your Bitcoins properly
As we’ve said already, the primary concern with Bitcoin security is where and how your private keys are stored. A private key is nothing but a string of characters and, therefore, it can be stored anywhere, even in your head. Memory is the one place no thief can reach, but it is also the easiest to lose: a forgotten key is gone for good, and keys derived from a memorable phrase (so-called brain wallets) are routinely cracked because the phrase is far less random than a real key. For most of us, who cannot even memorise a best friend’s phone number, this is out of the question anyway.
If you’re not storing your private keys on a piece of paper, the safety of your bitcoins rests on the general security of the device that holds them. Let’s get the no-brainer out of the way: keeping the operating system and software up to date, running an anti-virus program and enabling the firewall on your computer is a must. Securing your computer, however, might not be enough, and you might want to kick things up a notch and leave the grid altogether. After all, the best way to protect yourself from the dangers of the Internet is to stay off it!
When we think of bitcoin storage, we differentiate between two different kinds that serve two different purposes – hot and cold storage.
Hot wallets
A hot wallet is any wallet whose private keys live on a device connected to the Internet: exchange wallets, web wallets, desktop wallets and mobile wallets all qualify, since they all need a connection to work. Custodial online wallets (exchanges and most web wallets) are a big no-no for anyone even remotely concerned with security: the provider holds your private keys on its servers, a single point of failure that hackers, insiders or the provider itself can exploit. Non-custodial wallets such as Mycelium and Electrum leave you in sole custody of your keys, but they run on an online device, so malware on that device can still steal them. Third-party services such as exchanges are exposed to hacks and exit scams, so choose them very carefully, withdraw whatever you don’t need for trading, and enable two-factor authentication (preferably not SMS-based) wherever possible.
Cold wallets
Cold storage in the context of Bitcoin refers to keeping the private keys to your bitcoins offline. So, following that definition, cold wallets are wallets that aren’t connected to the Internet. This includes (but is not limited to) hardware wallets, offline implementations of core wallets, and paper wallets, as they are physical alternatives designed to keep your bitcoins outside the reach of the Internet. We will look at all of these options and the advantages that they have over hot wallets when it comes to securing your coins.
Hardware wallets
Hardware wallets are the most secure and user-friendly way to store your bitcoins. They’re like little banks that fit into your pocket: small, portable devices that generate the private keys inside a dedicated chip and never let them out. Your computer sends the device an unsigned transaction, the device displays the destination and amount for you to confirm, and only the signature comes back, so even a malware-ridden PC never sees your keys.
Trezor, Ledger Nano S and KeepKey are three of the most reputable hardware wallets that support Bitcoin (among other currencies). Every transaction has to be physically confirmed on the device itself, and the device is protected by a PIN, so a compromised computer can neither sign on its own nor read the keys. What lets you regain access to your bitcoins if the device is lost, stolen or destroyed is not the PIN but the recovery seed, the 12 or 24 words the device shows you at setup: write it down, store it offline, and never type it into a computer or a website. Anyone who obtains the seed has your funds, exactly as with a raw private key.
Because every transaction has to be confirmed on the device, approving many transactions during the day can be a little annoying. Like most cold storage options, hardware wallets are better suited to long-term storage, so we suggest you keep small amounts of bitcoins in a less secure wallet app for everyday use.
Core wallets
Ideally, the Bitcoin Core wallet should be your first choice for cold storage for three simple reasons: it is secure, stable, and subject to very few changes over time. Core wallets are designed to be conservative, and this is a good thing. When you hold your bitcoins in cold storage for many months or even years, there is a small possibility that, when you want to access your funds later, the company that built your hardware wallet has disappeared or its software no longer runs on a current operating system. This is less fatal than it sounds, because the recovery seed of any mainstream hardware wallet follows the BIP 39 and BIP 32 standards and can be restored into other wallet software, but it is a good reason to prefer a conservative, widely supported client for long-term storage.
The downside to core wallets is that they need to download and validate the whole blockchain to operate. At the time of writing this means freeing up around 145GB of space on your hard drive just to run the Bitcoin Core wallet, and as the blockchain grows that number will only go up (Bitcoin Core can run in pruned mode, which discards old blocks after validating them and keeps disk usage to a few hundred megabytes, but the initial download and validation still take the same time). Core wallets therefore take a very long time to sync, which can be very frustrating when the market is crashing and you’re trying to sell your bitcoins as fast as possible. They are, however, a valid option for a less active user who simply wants to store funds in a safe, air-gapped environment. A cold implementation of the Bitcoin Core wallet is best utilised on a dedicated hardware device, but more on that later.
Paper wallets
Put simply, paper wallets are nothing but pieces of paper with your private and public keys printed on them. It may sound silly, but paper wallets are one of the most secure ways to store your bitcoins, provided you take great care of that piece of paper. Unlike hardware wallets, paper wallets are not fit for everyday use. They are the coldest of cold storage methods, the deep-freeze of bitcoins if you will. Two caveats: when you do spend from a paper wallet, sweep the whole balance into another wallet in a single transaction, because a partial spend sends the change to an address controlled by the software you used, not back to the paper; and ordinary paper fades, burns and gets wet, so consider laminating the sheet or engraving the key on metal.
Generating a paper wallet is rather simple:
- Open bitaddress.org or walletgenerator.net;
- Create some randomness using random keystrokes on your keyboard or by moving your cursor around;
- You will be presented with your public and private keys and their respective QR codes;
- Click the ‘Paper wallet’ tab, select the number of addresses you want to generate and click ‘Generate’;
- Print your paper wallet;
Make sure that your PC and your printer are not connected to the Internet while you generate your paper wallet. Loading the page online and merely switching WiFi off afterwards leaves you trusting whatever code the page delivered, so the safer routine is to download the generator page in advance, verify it against the checksum or signature the project publishes, and open it on a computer booted from a live operating system with networking disabled. Use a printer without network access or persistent job storage, or simply copy the keys by hand and double-check them against the QR code, then close the tab and shut the machine down. When you want to check your balance, enter your public address (never the private key) into the search box of a block explorer such as blockchain.info; bear in mind that doing so links your IP address to that Bitcoin address.
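The following Python 3 (3.8 or newer) example is added here as an illustration; it is not code from the original article, nor from bitaddress.org or walletgenerator.net. It implements the Base58Check encoding that both WIF private keys and legacy Bitcoin addresses use, so you can see the 51- versus 52-character forms described earlier, check that the checksum on a hand-copied key catches a single mistyped character, and observe that a checksum-valid address is not proof that it is your address (the clipboard-swapping point made above). Key generation uses the operating system’s CSPRNG via the `secrets` module. Deriving the address from a public key is left out because it needs RIPEMD-160, which not every Python build ships, so the address function takes the 20-byte HASH160 as its input. All function names are my own.

```python
import hashlib
import secrets

# Bitcoin's Base58 alphabet omits 0, O, I and l so hand-copied keys are less error-prone
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Order of the secp256k1 group: a valid private key is an integer in [1, N-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Base58Check uses for its 4-byte checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58encode(data: bytes) -> str:
    """Base58-encode bytes, keeping each leading 0x00 byte as a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[:1] * pad + bytes(reversed(digits))).decode()

def b58decode(text: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch.encode())
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body

def b58check_encode(payload: bytes) -> str:
    """Base58Check = Base58(payload || SHA256d(payload)[:4])."""
    return b58encode(payload + sha256d(payload)[:4])

def b58check_decode(text: str) -> bytes:
    """Return the payload if the checksum verifies; raise ValueError otherwise."""
    raw = b58decode(text)
    if len(raw) < 5:
        raise ValueError("too short to carry a checksum")
    payload, checksum = raw[:-4], raw[-4:]
    if sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: mistyped or corrupted")
    return payload

def generate_private_key() -> bytes:
    """32-byte key in [1, N-1] from the OS CSPRNG (never the `random` module)."""
    return (1 + secrets.randbelow(SECP256K1_N - 1)).to_bytes(32, "big")

def private_key_to_wif(key: bytes, compressed: bool = True) -> str:
    """Mainnet WIF: 0x80 || key || (0x01 when the public key is used in compressed form)."""
    if len(key) != 32 or not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("private key must be 32 bytes in [1, N-1]")
    return b58check_encode(b"\x80" + key + (b"\x01" if compressed else b""))

def wif_to_private_key(wif: str) -> tuple:
    """Inverse of private_key_to_wif; returns (key_bytes, compressed_flag)."""
    payload = b58check_decode(wif)
    if payload[0] != 0x80:
        raise ValueError("not a mainnet WIF private key")
    if len(payload) == 34 and payload[-1] == 0x01:
        return payload[1:33], True
    if len(payload) == 33:
        return payload[1:], False
    raise ValueError("malformed WIF payload")

def p2pkh_address(hash160: bytes) -> str:
    """Legacy address: version 0x00 || 20-byte HASH160 of the public key, Base58Check-encoded."""
    if len(hash160) != 20:
        raise ValueError("HASH160 must be 20 bytes")
    return b58check_encode(b"\x00" + hash160)

def is_valid_p2pkh_address(text: str) -> bool:
    """Checksum-valid means 'an address', not 'your address': a swapped one passes too."""
    try:
        payload = b58check_decode(text)
    except ValueError:
        return False
    return len(payload) == 21 and payload[0] == 0x00

def detects_single_typo(wif: str, position: int, replacement: str) -> bool:
    """Mistype one character of a WIF key and report whether the checksum catches it."""
    corrupted = wif[:position] + replacement + wif[position + 1:]
    if corrupted == wif:
        return False
    try:
        b58check_decode(corrupted)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    key = generate_private_key()
    print("uncompressed WIF (51 chars):", private_key_to_wif(key, compressed=False))
    print("compressed WIF   (52 chars):", private_key_to_wif(key))
```

Running the module prints a fresh key in both encodings; the uncompressed form always has 51 characters starting with `5`, the compressed one 52 characters starting with `K` or `L`. Because the checksum is only four bytes of SHA256d, a random corruption slips through with probability about one in four billion, which is good enough against typos but says nothing about whether an address was substituted, so still compare a pasted address character by character.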
Recommended safety measures
Now that you’ve learned how to store your bitcoins, it’s time for some very important safety measures.
Separate your bitcoins in hot and cold wallets
A good way to secure (at least the majority of) your coins is to store them in different places. This way, even if one of those places is compromised, you won’t lose all your coins at once. Our suggested strategy is as follows: keep a small amount of bitcoins in a hot wallet that you can quickly use for day-to-day transactions, and transfer the rest of your savings to a cold wallet that you won’t use very often.
While hot wallets are easily accessible and convenient for everyday use, they are susceptible to cybercrime. In this day and age, hackers are a force to be reckoned with; any device that’s connected to the Internet could fall victim to a cyber attack masked as an antivirus program, a password recovery emergency, or even an email from a dying Nigerian prince begging you to accept his inheritance. You could see how keeping a large amount of money in a hot wallet isn’t exactly smart since, either due to your negligence or a hacker attack on the exchange of your choosing, you could lose it all in the blink of an eye. Hot wallets are handy but susceptible to risk, which is why you should only use them for transacting with a small amount of bitcoins.
Use cold wallets to store the bulk of the funds you don’t plan on spending any time soon. Depending on your preferred model, you can get a hardware wallet for about $100-$200. The cheaper (or rather, free) alternative is a paper wallet, which doesn’t make as good a conversation piece but at least keeps your bitcoins off the grid. Cold wallets are a bit of a hassle compared to hot wallets, as they require you either to carry and connect a dedicated device or to import (ideally sweep) the private key every time you want to make a transaction. They aren’t suited to day-to-day use, but rather to storing a large amount of crypto for a long period of time. They are susceptible to physical damage and misplacement, but that is easily addressed by keeping them in a dedicated safe space such as a locked drawer or a safe, and only taking them out on the rare occasions when it’s absolutely necessary.
Make backups of your wallets
Another important measure you should consider is to back up everything needed to recover your wallets, and not just once. If you have a paper wallet, make a couple of copies and keep them in different places. If you have a desktop wallet, copy its data (for Bitcoin Core, the wallet.dat file) onto a CD or a dedicated USB drive. In fact, make a copy of all your private keys, recovery seeds and passwords regardless of what kind of wallet you’re using, and test each backup by actually restoring it once; a backup you have never restored is a hope, not a plan. Older, non-deterministic wallets need a fresh backup whenever they generate new addresses, so back them up frequently (modern HD wallets, Bitcoin Core included since version 0.13, derive all their addresses from one seed, but keys you import by hand still need their own backup). Plan ahead and don’t rely on a single access point; when you’re dealing with money, you can never be too cautious.
Encrypt your wallets
The next safety measure you should consider is encryption. Bitcoin Core has a feature that encrypts the wallet.dat file, which contains your private keys. Once encrypted, any attempt to spend from the wallet requires the passphrase you chose when enabling it. This adds another layer of security: even if someone gains access to your computer or to a copy of the file, they still need the passphrase to gain control over the funds. Note that encryption protects the keys, not your privacy; the addresses and transaction history in the file remain readable, and wallet.dat is not the same as a backup. Encryption is also available in most mobile wallets.
It’s not a bad idea to encrypt your backups, too. And then create a backup of your encrypted backup and encrypt that as well. Just kidding. You should, however, encrypt your backups for precisely the reason above, especially the ones you keep online or on a device that’s connected to the Internet. Offline backups aren’t excluded, though; if someone finds their way to your hiding place, nothing stops them from loading the contents of your USB drive or CD and going wild with it. A backup protects you against loss (you can always recover), while encryption protects you against theft of the backup (a thief cannot use what they find). The two are best used together to make sure you’re tackling the problem on both fronts.
Don’t forget to use a strong passphrase: one that contains letters, numbers and punctuation marks and is at least 16 characters long, or a sequence of five or six randomly chosen dictionary words. Avoid birthdays, personal names and common words; your best bet is a random password generator. Bear in mind that wallet encryption is only as strong as this passphrase, because anyone who copies the encrypted file can try to guess it offline at their leisure.
Use dedicated hardware for offline transaction signing
If you want to take your bitcoin security up a notch, you can use two different computers for offline transaction signing. The first, online computer holds only a watch-only wallet (your addresses or public keys, no private keys) and is used to create unsigned transactions; the second, offline computer hosts the full wallet with the private keys used to sign them. When you want to make a payment, create the transaction on the online computer and save it to a USB drive, move it to the offline computer, sign it there, and carry the signed transaction back to the online computer to broadcast it. Bitcoin Core and most modern wallets exchange such transactions as Partially Signed Bitcoin Transactions (PSBT, BIP 174), a standard format designed for exactly this workflow; the offline wallet shows you the destinations and amounts before signing, and you should read them, because the online machine that built the transaction is the untrusted one. This method air-gaps your private keys and minimises your exposure to malware. Needless to say, for it to work properly you must never connect the PC hosting your wallet to the Internet, and never use USB drives that might have been plugged into untrusted devices in the past.
Take advantage of multi-signatures
Multi-signature is a useful Bitcoin feature that lets funds be locked so that spending them requires signatures from several keys. Concretely, an M-of-N setup (1 ≤ M ≤ N) means a transaction cannot be carried out unless at least M of the N designated keys sign it, so a single agent owning one key, or any K agents with K < M keys, cannot spend the funds on their own.
This feature is particularly convenient for organisations. Say a company’s accounting department has five members; a 3-of-5 multi-signature can be put in place so that it takes three of them to sign off on any movement of the company’s funds. You too can use multi-signature to secure your bitcoins: store the N keys on different devices (or in different places) so that there is no single point of failure. Even if a hacker or a thief gained access to one of them, they could not gain control over your funds, since they would still need M-1 further signatures. Remember that the threshold cuts both ways: keep at least M keys recoverable, because losing more than N-M of them means losing the funds.
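To make the signing and multi-signature ideas concrete, here is an added Python 3 (3.8 or newer) example written for this article; it is not taken from the article or from Bitcoin Core. It implements textbook ECDSA on secp256k1 (the curve Bitcoin uses) in pure Python and then models the two-computer workflow from the previous section: `online_prepare` runs on the Internet-connected machine, `offline_sign` on the air-gapped one (it is the only function that ever touches the private key `d`), and `online_broadcast` re-hashes the transaction it is about to send, so a transaction swapped in transit fails verification. `threshold_verify` shows the M-of-N rule: distinct keys with valid signatures are counted, and one key signing twice counts once. All function names are mine. Simplifications to note: real Bitcoin signs a specific sighash of the serialised transaction, wallets derive the nonce deterministically (RFC 6979) rather than from a fresh random draw, multisig policy is enforced by script on-chain rather than by a verifier’s loop, and the `tx` bytes below are a constructed placeholder, not a valid transaction.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# secp256k1 domain parameters, the curve Bitcoin uses
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None stands for the point at infinity

def point_add(a: Point, b: Point) -> Point:
    """Affine point addition and doubling on y^2 = x^3 + 7 over GF(P)."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add; k*G for a private key k is the public key."""
    result = None
    while k > 0:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result

def generate_keypair() -> Tuple[int, Tuple[int, int]]:
    """Private key d in [1, N-1] from the OS CSPRNG; public key is d*G."""
    d = 1 + secrets.randbelow(N - 1)
    return d, scalar_mult(d, G)

def digest_of(message: bytes) -> int:
    """Bitcoin signs a SHA256d digest of the transaction, treated as an integer."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(message).digest()).digest(), "big")

def sign(d: int, e: int) -> Tuple[int, int]:
    """ECDSA signature (r, s) over digest e; d never needs to leave the machine running this."""
    while True:
        k = 1 + secrets.randbelow(N - 1)  # fresh unpredictable nonce; reusing k leaks d
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (e + r * d) % N
        if s == 0:
            continue
        if s > N // 2:  # low-S form, which Bitcoin Core requires for relay
            s = N - s
        return r, s

def verify(pub: Tuple[int, int], e: int, sig: Tuple[int, int]) -> bool:
    """Anyone with the public key can check the signature; only the holder of d could make it."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, pub))
    return point is not None and point[0] % N == r

def online_prepare(tx_bytes: bytes) -> dict:
    """Online computer: assemble the unsigned transaction to carry over on the USB stick."""
    return {"tx": tx_bytes, "sig": None}

def offline_sign(d: int, unsigned: dict) -> dict:
    """Offline computer: sign the digest; only the signature travels back, never d."""
    return {"tx": unsigned["tx"], "sig": sign(d, digest_of(unsigned["tx"]))}

def online_broadcast(pub: Tuple[int, int], signed: dict) -> bool:
    """Online computer: refuse to broadcast unless the signature covers this exact transaction."""
    return signed["sig"] is not None and verify(pub, digest_of(signed["tx"]), signed["sig"])

def threshold_verify(pubkeys: list, e: int, sigs: list, m: int) -> bool:
    """M-of-N: count distinct keys with a valid signature; the same key signing twice counts once."""
    if not 0 < m <= len(pubkeys):
        raise ValueError("need 1 <= M <= N")
    satisfied = set()
    for sig in sigs:
        for i, pub in enumerate(pubkeys):
            if i not in satisfied and verify(pub, e, sig):
                satisfied.add(i)
                break
    return len(satisfied) >= m

if __name__ == "__main__":
    d, pub = generate_keypair()
    signed = offline_sign(d, online_prepare(b"constructed sample transaction"))
    print("single-key signature accepted:", online_broadcast(pub, signed))
    keys = [generate_keypair() for _ in range(3)]
    e = digest_of(b"constructed sample transaction")
    print("2-of-3 satisfied:", threshold_verify([k[1] for k in keys], e, [sign(keys[0][0], e), sign(keys[2][0], e)], 2))
```

Two details a practitioner will recognise: the nonce `k` must be unpredictable and never reused (two signatures made with the same `k` reveal `d` by simple algebra), and `s` is normalised to its low form, which Bitcoin Core requires before it will relay a transaction.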
By now you should understand the role of private keys, and why keeping them secret is of the utmost importance. To maximize your bitcoin security, use all of the aforementioned methods cumulatively and stick to the basic rules of bitcoin safekeeping:
- Private keys are for your eyes only.
- Don’t rely on exchanges or bitcoin clients for security; hot wallets are only for small amounts of bitcoin that you’re willing to lose.
- Invest in air-gapped hardware or just stick to paper; big amounts of bitcoin are better off in cold storage.
On another note, consider making sure a single family member or friend you trust could recover your bitcoins if something happens to you or you are physically prevented from accessing them. Prefer to share the location of a sealed backup, or instructions kept with your other important documents, rather than the keys themselves, since anyone holding a key can spend the funds at any time; a multi-signature setup in which they hold one of the keys achieves the same without giving them sole control.
Finally, don’t forget to take care of your biggest liability: yourself. No external safety measure can prevent or undo careless and negligent behaviour; do your research, and think long and hard before putting in money.
Best of luck on your crypto journey and stay safe!