Email:
- Email Providers
- Any reputable email provider with 2FA will do
- If you want to get more into privacy and encrypting emails there is Protonmail or Preveil
- You can alternatively also hook up your current email with the Thunderbird email client (use to be managed by Mozilla Firefox) it is overseen by a volunteer board of contributors.
- 2FA - This is important, activating 2FA on your email is just as important as having it on exchanges.
- Create an email specifically for Crypto, but also avoid using crypto keywords / personal information in the email, treat your email address like its public information.
- Be on the lookout for Phishing emails, I made a post on how to identify phishing emails along with some useful tools here | How to spot a phishing email |
- Quick tips for emails:
- Don't trust email links
- Double check the address bar of login pages
- Know the levels of a domain
- Check to see if your crypto sites allow a anti-phish banner that displays a code with their emails that you set.
- Tracking pixels are also a thing, there not malicious in themselves, but they can potentially let attackers know if you have open an email / let them know the email exist and is active.
Passwords / PINs:
- Don't reuse them EVER
- Use strong secure passwords, passwords managers make these easy to manage and generate passwords.
- This includes your phone and 2FA app, if you have a weak pin (1234) for your phone and someone takes it, remember your 2FA app is then available (if same pin, or no pin/pass set), your email is automatically signed in (same for other accounts auto signed-in), and they can access your text messages.
- Don't use words relating to crypto or personal information in your passwords (or email), if they are compromised in a breach, assume they will search for these terms to target crypto users and try the same combo against crypto sites or figure who you based on the information (email & password) and pivot to finding public information that could lead to them answering challenge questions for password resets. (Your first pet, is it posted on Facebook? How about your car? Your first girlfriend/boyfriend?)
- Password Managers: These work wonders when managing passwords securely. They generate random strong passwords which can be adjusted, and its all kept in an encrypted database file, so even if a attacker gets access to it, they won't be able to access it without the password.
- KeePass
- BitWarden
- LastPass
- 1Password
- Don't save passwords in your browser
- Does it require verification for you to use the password? Also I tend to find extensions being more buggy as they have to interact with more 'moving' parts and changing configurations, and generally more people try to target and exploit browsers.
2 Factor Authentications (2FA):
- Enable on everything possible
- Use 2FA Apps instead of SMS whenever possible, SIM Swap attacks are real, and more common than you think.
- 2FA Apps
- Authy (Linux | Windows | macOS | Iphone | Android)
- Google Authenticator (iOS | Android)
- Microsoft Authenticator ( iOS | Android)
- LastPass Authenticator (Browser Extension | iOS | Android | Windows Phone)
-Hardware Keys
- These are physical 2FA device
- Backup codes:
- When you activate 2FA on any account you should have the ability to generate backup codes, these are used incase you lose access to your authenticator, TREAT these like your seed phrases. Use them by logging in with your user and pass, and use these backup codes in place of the 2FA code you usually enter.
- DO NOT take pictures of your QR codes, if you screenshot it, might end up syncing somewhere you don't want it to and if it ever gets compromised they have the ability to continually receive your 2FA code.
- Also, DO NOT sign up for your 2FA app or any crypto service for that matter using your work or school email address. You lose access to that email, then consider all accounts gone as you won't be able to access the codes if you switch devices.
Wallets
- Learn the difference between the different wallets
- Cold wallets will always be more secure than any hot wallets as they aren't connected to the internet
- Top trusted hardware wallets:
- Ledger
- Trezor
- Verify the details you are confirming on your hardware wallet device. the wallet app interacting with your cold wallet device could be compromised, but you would still be safe using it, as long as you verify each action on the cold wallet device, and reject the transaction if anything seems off.
Seed Phrases: Treat these as they are the keys to the kingdom (Keep offline and out of your notes app)
- Less Secure:
- Write down on paper and either break up the phrase and place in separate secure locations or hide them like the the FBI is going to come search your house
- Secure on USB
- Get a file shredder (securely deletes data, and overwrites it)
- Download password manager (optional)
- Disconnect device from internet
- Enter seed phrase into password manager / create encrypted file
- Put on a freshly reformatted USB / datalocker (Worms like to spread by USB)
- Save to USB, and shred the original using the file shredder software
- Hide USB
- Another device / old phone
- Factory reset
- Set Pin / Pass
- Download 2FA app and password manager / file encryption tool
- Disconnect from internet FOR GOOD (Treat this like a cold wallet)
- Back up 2FA and seed phrases
- Hide device
VPNs / TOR:
- Privacy vs Anonymity
- Privacy is the ability to keep your data and information about yourself exclusive to you (They know who you are, but not what you do).
- Anonymity is about hiding and concealing your identity, but not your actions. (They know what you do, but not who you are)
- Think about what your goal is, I commonly associate privacy with VPN and anonymity with TOR
- Both encrypt your data before leaving your device, then routes it through proxy servers to mask your IP/Location. VPNs you have to trust the provider (ensure they state there is a no log policy) while TOR runs through servers ran by volunteers (don't think governments don't run their own) and lets you access the dark web. Here is a more in-depth comparison on VPN vs TOR.
- Personally Its worth paying the few bucks a month for a paid tier of the VPN service.
- VPN Providers - Zero log VPN services:
- ProtonVPN
- Nord
- Mullvad
- TOR
- Brave offers TOR, but I would treat this more like a VPN
- If being anonymous is your goal the only real way to achieve this is running Tails off a USB.
Browsers (Excluding TOR):
- Top 3 Browsers built for privacy
- Firefox
- Epic
- Brave (I know Brave draws criticism but I made a technical post showing how the trackers didn't show up within the metamask extension through brave compared to Google Chrome.)
- Search Engine for privacy: DuckDuckGo
- Extensions
- One of the most dangerous threats I think that aren't taken seriously are extensions. These can start out legitimate, then through an update turn malicious. These will then be removed from the webstore, but not your browser.
- Some will be removed the store due to not being supported anymore which = no more updates, and no more updates = vulnerabilities that won't be fixed
- If you have Google Sync activated, these extensions will also sync to all those devices
- Remove any extensions you don't need, check to see there still available on the store, and even search them to see if some security article like this pops up about it.
- Check the privacy practice tab of the extension to see what data it collects.
Other General Safety Tips for PC and Phone:
- Harden your PC (Guide is for Windows 10, but can translate to other OS)
- Update OS and any software // turn on automatic updates - Everything you download is an attack vector
- Set firewall rules - Default deny, open only p855orts you need, disable rules you don't need
- disable remote access
- Install AV // Malwarebytes for removing malware
- Turn on encryption
- Setup user accounts // privileges'
- Strong password
- Whitelist addresses if possible (Some exchanges allow you to designate a address as 'safe' any other transactions besides those won't go through)
- If you use a encrypted messaging service, I highly recommend Signal, if you haven't seen their reply regarding a subpoena you should
- Lock down your social media accounts (go to security settings, turn off being able to be found via search engine, ad related settings, change who can view your posts, etc)
- Don't disclose your holdings and earnings
- Don't access your crypto on your work computer
- Don't answer PMs about winning some contest or some amazing opportunity
Phone:
- Unique pin / password for the phone
- download a password manager
- email account purely for crypto
- pin / password (different than getting into your phone) for your 2FA app.
- Don't lend phone out
- Avoid apps you don't need, read the 3 star reviews as they are the most honest)
- Download VPN / be aware of the wifi your connecting to
- Be aware of phishing
- Call your service provider and see if they can lock your SIM card and prevent SIM swapping.