“Yet Another Theft From A Cryptocurrency Exchange” – Forbes.com
“Cryptocurrency investors risk security issues like theft, loss” – CNBC.com
“Risk of Bitcoin Hacks and Losses Is Very Real” – Fortune.com
Fear. Vulnerability. Insecurity.
Media outlets and security companies elicit these emotions for a reason: it weakens our ability to think rationally, making us more susceptible to their narrative.
Let’s try changing the headlines slightly:
“Yet Another Theft From A Convenience Store”
“Home owners risk security issues like theft, loss”
“Risk of Online Banking Hacks and Losses Is Very Real”
Not so scary, huh? Stating the obvious, one may say. Despite these things occurring on a daily basis, we have come to accept them as normal. Granted, we have learnt to mitigate these risks by putting better locks on our doors, using stronger passwords, and educating ourselves. And there’s no reason why we can’t do that with cryptocurrencies. Read on.
What is security?
A padlock? A hardware wallet? Some may answer “marriage” or “holding down a job”. Security is a concept. And the way it’s perceived differs from person to person, just like happiness. One can even go as far as to say that security is an illusion: we believe we have it, until that belief is shattered.
So how does one deal with this? How do we obtain “security” in the cryptocurrency space?
First, we educate ourselves. We then determine our risk tolerances. And we remember to always keep one eye on the bigger picture.
Let’s start with education. Below I have summarized some current cryptocurrency security risks, with tips for each. Most are common sense, and may be applied not only to cryptocurrencies but any type of investment. The list may be long, but don’t let that scare you. Read it, take it in. Knowledge is power. And it will drastically reduce the chances of you losing your money.
The number of scammers is increasing every day, along with the methods they use. The methods mostly aren’t new. They’ve existed for many years, and are simply being applied in a new target area.
Fake links, websites and accounts
It’s incredibly easy to hide another address beneath a link, like this: www.google.com. Scammers use this technique, along with creating fake exchange websites in order to catch out unsuspecting users.
Can you spot what’s wrong with this URL? Look closer. No, it’s not dirt on your screen; there is actually a dot beneath each n. The rest of the site is identical to the official Binance website. Once you enter your username and password, they are sent straight to the scammers, who now have control of your account and any funds within it (assuming you don’t use two-step verification).
The ETH giveaway scam on Twitter is also now extremely widespread. A fake account almost identical to the original is created and used to announce ETH giveaways in replies to official tweets. Several more fake accounts subsequently like and retweet the tweets:
Fake accounts posing as Telegram admins, team members or exchange support staff are also on the rise:
In this case the scammer duplicated the account of Ioana Frincu, one of the founders of Persona. They started off chatting with the user about the project, and then offered either a special token discount, or requested donations for the project. Firstly, it’s very strange for a project founder to be asking for feedback through private messages. And it’s even more unusual to offer discounted tokens in this way.
- Use two-step verification
- Always ensure you’re using the https version of a website
- Check website addresses and account names for differences in spelling etc.
- Bookmark websites: don’t use external links to access them
- Be cautious when anybody contacts you suddenly via private message
- Ignore advertising posted in Telegram and other social groups
- Nobody is giving away free ETH (or any other coin!)
- Be wary of airdrops
- If it sounds too good to be true, it probably is
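The spelling check from the tips above can be automated for the dotted-n case. The following is an added example, not part of the original article: it compares a hostname against a list of bookmarked sites and flags one that only matches after its accent marks are removed. The bookmark list, the function names and the sample lookalike host (built to fit the "dot beneath each n" description) are assumptions made for illustration.

```python
import unicodedata

# Assumption: hosts the user has bookmarked (the article only names Binance).
BOOKMARKED = {"www.binance.com", "binance.com"}

def to_unicode(host):
    """Lower-case the host and decode any punycode (xn--) labels."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave an undecodable label as it is
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Drop combining marks so a dotted n folds to a plain 'n'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def check_host(host, bookmarked=BOOKMARKED):
    """Return (verdict, detail); verdict is 'ok', 'lookalike' or 'unknown'."""
    shown = to_unicode(host)
    if shown in bookmarked:
        return "ok", shown
    folded = skeleton(shown)
    for good in bookmarked:
        if folded == good:
            # List the non-ASCII code points that made the name look genuine.
            odd = sorted({f"U+{ord(c):04X}" for c in shown if ord(c) > 127})
            return "lookalike", f"imitates {good} using {', '.join(odd)}"
    return "unknown", shown

if __name__ == "__main__":
    # Constructed sample: U+1E47 is "n with dot below".
    for host in ("www.binance.com", "bi\u1e47a\u1e47ce.com", "example.org"):
        print(host, "->", check_host(host))
```

Folding accent marks only catches lookalikes of this kind; letters borrowed from other alphabets do not reduce to Latin ones, so an "unknown" verdict is not a clean bill of health and the bookmark remains the safer route.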
We’ve all read news of exchanges being hacked, and it’s only a matter of time before another high-profile case. Another risk associated with exchanges is the risk of fraudulent behaviour by the exchange staff themselves, including the failure to properly maintain/update wallets (leading to users’ coins being trapped).
- Don’t leave your funds on an exchange. It’s just not worth the risk. Invest in a hardware wallet.
- If you really have to store funds on an exchange (e.g. for trading purposes), spread your funds across multiple exchanges.
- Use well-known, reputable exchanges
- Always check the status of exchange wallets before using them
ICO (initial coin offering) risk
Again, a well known issue. Exit scams are perhaps the most common of these. Scammers create hype around a mostly fake project, only to run off with investors’ money.
There have also been a number of cases where ICO websites have been hacked to display the wrong deposit address, and also phishing campaigns that have sent out fake announcements to ICO mailing lists, offering discounted tokens etc.
- Always DYOR (do your own research). Don’t simply ask some random people in a Telegram channel for advice.
- Check out the project’s team and join their Telegram community. Most of the time you can speak directly with the project founders
- Check the project’s code repository for activity etc. (if open source)
- Non-existence of a roadmap or white paper (or poorly-written ones) may be an indication of a scam
- Of course no single point above is a clear indicator of fraudulent activity: you will need to consider all of these factors and more in your research (check out this handy graphic for some more tips)
- Be careful when depositing funds to an ICO address. Double check the address across several mediums, e.g. official emails from the team, the website, and their official Telegram channel.
Hacking of your device, viruses etc.
Malware and viruses are as rife as ever, with hundreds of variants floating around. For example, copy-paste malware that pastes the scammer’s wallet address instead of the one you copied. Hackers have also created fake trading apps which send your funds to their wallets, and browser extensions that claim to be securing your browser when they are in fact doing the opposite.
- Keep your device up-to-date with the latest software updates and use a well known antivirus application
- Double check addresses after pasting, and use address books when possible
- Don’t use 3rd party trading apps or crypto browser extensions. Use your browser’s inbuilt functions (e.g. Chrome’s “Incognito” mode)
- Always use two-factor or two-step authentication
- Don’t trade on public WiFi networks if possible
- Use a hardware wallet
Email account hacking
This is a very important one. Not only is it incredibly troublesome and embarrassing to lose control of your email account, but it also opens the door to hackers, potentially allowing them to gain access to any of your crypto accounts. They simply need to enter your email address into the password recovery tools on exchanges and other sites to be sent a new password or verification link.
- Use a strong password
- Use two-step authentication
- Try to reduce the public visibility of your email address
The risks above can be considered traditional online security risks. At the beginning of the article I wrote about security being a concept. The following highlights some other indirect security risks that usually don’t get a mention when discussing cryptocurrency security. But they are very relevant when considering their influence on your overall sense of security. These are also risks that are much simpler to address.
Physical risk includes the risk of robbery or theft. That is, having your hardware wallet, recovery phrase, paper wallet, etc. stolen, or you or a loved one being physically targeted. Don’t worry though, the chances of this happening are extremely small for most of us! If you’re holding massive bags though, gloating about it isn’t advised.
- Don’t divulge the size of your holdings (it usually makes you look like a tool anyway)
- Don’t divulge personal information
- Don’t divulge information on how or where you store your private keys
2FA access loss risk
Passwords are usually quickly and easily recovered. However, losing access to your two-step authentication codes can be a nightmare – especially if it causes you to miss out on the trade of a lifetime!
- Write down the recovery codes you are given when enabling two-step authentication, and store them in a safe place
- Set up your two-step authentication on more than one mobile device. If one is lost or breaks, you will have a working backup.
- Back up your codes using tools such as Authy or Authenticator Plus
We’ve all read stories of people losing their funds because they didn’t have a backup, or their backup didn’t work. Don’t let that be you!
- Make more than one backup of your wallet or passphrase etc.
It may not seem like it at first, but this one has perhaps the largest influence on investors’ overall sense of security. It consists of the following behaviors:
- Investing without an idea of your risk tolerance (i.e. how much volatility you can handle / how much you’re prepared to lose)
- FOMO investing (fear of missing out)
- FOLIA (fear of losing it all, i.e. panic selling)
I’m sure you’ve heard the saying “only invest what you can afford to lose”. There’s a reason why sayings like this exist: they are true. Disregard them at your peril. Cryptocurrency is high risk, with massive volatility and a number of security concerns. Invest accordingly. Knowing you can live without that money should it disappear will do wonders for your sense of security. If you can’t bear to watch your investment drop to less than half its value in a matter of days (or hours), maybe crypto isn’t for you. Don’t put all your money into crypto. Diversify into less risky assets such as stocks and bonds. If your investment increases in price and becomes scarily large, take profit. Keep an eye on the bigger picture: having a life that revolves solely around your crypto investment is something few people can handle.
Don’t succumb to FOMO. That is, don’t give in to temptation and buy when coins are mooning (skyrocketing in price). Blockchain is here to stay and you will not miss out if you invest rationally. If you succumb to FOMO, chances are you will buy at ATH (all time high) and the next day your investment will be worth half what you paid. Similarly, don’t give in to FOLIA. Panic selling only locks in your losses. If you DYOR and invested wisely, the price will bounce back. Buy the rumor. Sell the news. Not the other way around.
I hope after reading this article that you have gained a new appreciation for the concept of security. In particular, that you’ll agree it’s much more than using a strong password or hardware wallet. Remember, you are in control. Continue to educate yourself on the risks, determine your risk tolerance, and keep an eye on the bigger picture. It’s a powerful strategy, if you choose to properly embrace it.