What does security mean to you? If I were to ask you, "What would you want kept free from danger or threat?", what are the first things that come to mind? Yourself? Your family? Your identity? Your finances? Your crypto assets? You could probably rattle off a list for an hour straight, and all of it would be important. While it's impossible to secure anything 100%, there are measures you can take to minimize risk. In this article, we summarize security best practices for crypto traders.
Keep anything not being traded in a wallet
If you've followed the technology behind cryptocurrency, you know that it's built on the foundation of the blockchain. The blockchain itself is quite secure thanks to its use of cryptography and a decentralized ledger. The vulnerability lies in the mechanism that proves you "own" a particular asset. Each transaction on the blockchain is authorized by a digital signature, which can only be produced with the corresponding private key. A private key is analogous to the "access code" or "combination" of a safe that stores your crypto assets. If you were to lose your access code or give it to someone, that person would have the ability to take everything they want out of your safe. The most common scenario where your access code is not in your full control is when you trade on crypto exchanges.
In this case, the exchange holds the "access code" to the assets and you are handed an IOU. Because you only hold an IOU, the exchange has full control of the assets you have bought or sold. The risk is that if the exchange goes under or gets hacked, which unfortunately happens often, you could lose all of your holdings. This is why we recommend you:
- Move any assets you are not actively trading off the exchanges
- Keep the assets you are trading spread across multiple exchanges.
By taking these steps, you minimize the risk and the potential losses if an exchange is hacked or, worse, disappears.
Fortunately, most crypto exchanges let you cash out your IOUs and move your holdings into your preferred "safe." The safes we most recommend are crypto wallets - secure digital wallets used to store, send, and receive cryptocurrency. There are many different types of crypto wallets out there, and if you're already using one, your crypto assets are leaps and bounds more secure than those of the majority of traders.
The wallets we most often recommend are hardware wallets - small devices that store your private keys offline. Because the keys stay on a device that is offline, remote hackers cannot reach them; the wallet is only susceptible to being physically stolen - so keep your virtual safe in an actual safe :) Two of the better-known hardware wallets are Ledger and Trezor. Either should cover the majority of coins out there.
Use bookmarked site addresses
Phishing is when a site or email is disguised as a reputable company's site or email in an attempt to deceive users into entering their private information. Phishing is one of the most common hacking techniques. For a good comedic explanation, we've included the video below:
In the case of crypto, exchanges have been a large target of phishing attempts. The most recent and largest known phishing attack was against the world's largest exchange, Binance. A site was created to look like Binance, with a very similar-looking domain (e.g. Bïnance, with a diacritic on the i). Users logged in thinking it was the real Binance site and had their credentials stolen. With those credentials, the attackers pumped the price of VIA and dumped it for profit. Fortunately, Binance was able to reverse all the nefarious actions. As you can see, regardless of the measures taken by any exchange or portfolio tracker, there are hacking techniques that can reach one's assets.
For this reason, we recommend you bookmark any site that requires you to enter your username, password, or MFA (multi-factor authentication) code, and ONLY enter the site via the browser's bookmarks menu. By doing so you reduce the risk of mistyping a website address and landing on a phishing site. You also reduce the risk of being caught by other phishing tactics such as emails, Google ads, and fake marketing campaigns. If you feel that going through bookmarks is a nuisance, then we'd advise that you double or triple check the address before you enter anything.
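The bookmark rule above, written as a check you could run on a URL before entering credentials. This is an added example, not code from the article; the `BOOKMARKS` set is a constructed stand-in for your own bookmarks. It accepts only an exact https match and rejects the look-alike pattern from the Binance incident (a non-ASCII host surfaces as an `xn--` label after IDNA encoding) as well as hosts that merely contain the brand name.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the reader's own bookmarks (assumption, not a real list).
BOOKMARKS = {"www.binance.com", "accounts.binance.com"}

def ascii_host(url):
    """Lower-cased hostname, IDNA-encoded so a look-alike such as bïnance shows up as an xn-- label."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no hostname")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"hostname {host!r} is not a valid internationalised name") from exc

def check_url(url):
    """('ok', host) only for an exact https match against a bookmark; otherwise ('reject', reason)."""
    try:
        host = ascii_host(url)
    except ValueError as exc:
        return ("reject", str(exc))
    if urlsplit(url).scheme != "https":
        return ("reject", "not https")
    if host in BOOKMARKS:
        return ("ok", host)
    # Any xn-- label means the name contained non-ASCII characters, as in the Bïnance case.
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("reject", f"look-alike internationalised host: {host}")
    # binance.com.evil.example or binance-login.example: the brand is present, the domain is not ours.
    for good in BOOKMARKS:
        brand = good.split(".")[-2]
        if brand in host:
            return ("reject", f"contains '{brand}' but is not a bookmark: {host}")
    return ("reject", f"unknown host: {host}")
```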
Grant Least Privilege on API Keys/Secrets
API keys and API secrets are generally used to authorize third parties (users, applications, bots, etc.) to take action on behalf of the actual user without handing out secret information such as passwords or recovery phrases. The advantage of using keys/secrets is that the account owner can restrict what those keys are allowed to do and can revoke them altogether at any time if needed, neither of which is possible after handing out a username and password. Some common use cases in the crypto space for API keys and secrets are portfolio trackers and trading bots. Portfolio trackers need access to view your exchange accounts in order to show your portfolio, and trading bots (typically used for arbitrage) need access to view balances and make trades on your behalf. These two use cases require different levels of permission to do their jobs: one requires only "read" permission to view your portfolio, and the other requires permission to view and to trade.
The majority of exchanges offer different levels of permission when creating API keys (see the images below).
The most common permission levels are: read, enable trading, and withdraw/transfer. This can be likened to the different keys an apartment building may have. You, as the building owner, have the master key that opens every apartment in the building, but you hand out individual keys only to the people you want to access particular apartments. Similarly, when creating API keys you want to grant the least permission the user or application needs to do its job. In the example above, the portfolio tracker would require only read access (no trading, no withdrawals) and the bot would need read and trading access (no withdrawals). By doing so, you ensure the user or bot cannot accidentally take an action you do not want it to. In most cases, you never want to create a key with withdrawal permissions.
Another point of emphasis is where you store your API keys and secrets. Many people make the mistake of storing their keys in public locations. A quick search on your favorite code-hosting site or secret-scanning tool will turn up thousands of API keys/secrets and, in many cases, wallet private keys. Secrets and keys should always be stored in a private location. There are many free tools with which you can encrypt and secure your keys, but double, triple, quadruple check that your keys are not accessible to anybody but you.
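A small version of the check that secret-scanning tools run over a repository, as an added example that is not from the article: it flags exchange API keys and secrets assigned in config-style lines (using character entropy to skip placeholders) and Bitcoin WIF-encoded private keys, reporting each with its value redacted. The key names, the entropy threshold of 3.5 bits and the sample file are assumptions; the credentials in `SAMPLE` are constructed and not real.

```python
import math
import re

# Key names as they typically appear in config files, scripts and shell history, followed by a value.
ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|api[_-]?secret|secret[_-]?key|private[_-]?key|passphrase)"
    r"\s*[:=]\s*[\"']?([A-Za-z0-9+/=_-]{16,})"
)
# Bitcoin WIF-encoded private keys: base58, starting with 5 (uncompressed) or K/L (compressed).
WIF = re.compile(r"(?<![1-9A-Za-z])[5KL][1-9A-HJ-NP-Za-km-z]{50,51}(?![1-9A-Za-z])")

def shannon_entropy(s):
    """Bits per character; random-looking secrets score high, placeholders like 'your_api_key_here' low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value):
    return value[:4] + "..." + value[-3:]

def scan(text, min_entropy=3.5):
    """Return (line_no, kind, redacted_value) for every likely secret; run this before a commit or paste."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT.finditer(line):
            if shannon_entropy(m.group(2)) >= min_entropy:
                hits.append((no, m.group(1).lower(), redact(m.group(2))))
        for m in WIF.finditer(line):
            hits.append((no, "wif_private_key", redact(m.group(0))))
    return hits

# Constructed sample (not real credentials) of the kind of file that ends up in a public repo.
SAMPLE = """\
# bot.env  (constructed example)
EXCHANGE_API_KEY = "Kq8ZrT2mYv5bN9xLw3HcJd7FpG4sRaE6"
api_secret: your_api_key_here
log_level = debug
wallet_backup = 5Hq3VxmP2kJdN8rWbL6cYtZsG9eFuA4nRpT7iXoK1jMzQ2wDvSbE
"""

if __name__ == "__main__":
    for line_no, kind, shown in scan(SAMPLE):
        print(f"line {line_no}: {kind} -> {shown}")
```

On the sample it reports the API key on line 2 and the WIF key on line 5, while the placeholder on line 3 is skipped because its entropy is too low.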
By now you should be aware of some basic procedures you can take to keep your crypto assets safe. There are many more beyond what's mentioned above, and we recommend you do your due diligence to cover your bases. If you have any questions, need help, or have your own insights and experiences regarding security, please reach out to us on Twitter, Telegram, Facebook, or email.