17 Ways to Keep Your Data and Crypto Safe

Image by JanBaby via Pixabay.

Keep your data and digital assets safe, and improve your overall internet security by following these tips. I have divided these recommendations into general online-usage and crypto-specific tips.

For general online usage:

1) Ensure that you activate two-factor authentication (2FA) when creating an account. This often comes in multiple forms: an authenticator app (such as Google, Authy and FreeOTP, to name a few); a physical security key (Yubikey and Google Titan are two that come to mind); and SMS verification, linked to a phone number. Whilst the latter is still better than no 2FA at all, I would advise against it, particularly given the risk of a SIM-swap attack.

2) Check for (and implement) the latest system updates for your computer, laptop, mobile (cell) phones, etc. Most operating systems should automatically prompt you when an upgrade is available. Nonetheless, you should also periodically look out for any pending upgrades.

3) Frequently create a back-up of your entire data, both online (via a secure cloud service) and offline. Between the two, I generally prefer the latter, in the event of a cloud service being offline or losing data, especially when you need to access it.

In the event of a hacker compromising your computer system, or you potentially getting involved in a ransomware attack, you will still have full access to your important files that can be readily transferred to a new computer or laptop.

In regards to ransomware attacks, never pay the criminal in any way, shape or form, as it simply encourages them to re-offend, and there is no guarantee that they will fully return the stolen data. It is best (and usually cheaper) to take this to a licenced computer-repair store and/or seek assistance from a knowledgeable and trustworthy friend who could help you remove this virus.

4) Install antivirus/internet-security software: As with VPNs, there is a vast array of providers whose software helps keep your personal data safe and can significantly minimise the risk of your computer or mobile device getting infected with a virus.

Several free and paid options are available across all major operating systems. Which one suits you depends on the volume of sensitive information stored on your device, how much protection you would require from a range of threats (malware, ransomware, spyware, etc.) and how confident you are with computers/technology overall.

Scams are becoming increasingly sophisticated, and all it takes is a brief lapse in judgement for a nefarious actor to fraudulently access your system and subsequently sell that information on the dark web. Unless you have an advanced knowledge of computer security and are very switched on, it is recommended to get Internet AV as an extra layer of protection.

5) Use a Virtual Private Network: There is a plethora of choices out there, each with their pros and cons. A VPN is designed to re-route your Internet data through remote servers (run by the VPN provider), and in the process, mask your actual IP address.

These offer varying degrees of security and features, usually depending on how much you pay for their services, access to basic and/or premium servers (the latter usually having less impact on your Internet speeds), and how many devices are protected as part of a given subscription.

An additional benefit offered by several VPN providers includes a dual-layer VPN re-routing system (i.e., connecting through two different servers simultaneously). A major drawback of this is that it will (probably) considerably slow down your Internet download and upload speeds.

6) Reduce how much sensitive data you disseminate on the Internet: When registering for accounts or doing online shopping, for additional protection, it is best to:

– use an email address that does not contain your real name and is not linked to social media;

– provide as little information as required (how often do you need to provide your real date-of-birth online?)

– opt for a secondary phone number

– (where practical and applicable) choose parcel collection and mail delivery to a post-office (PO) box and/or parcel-collection facility.

Perhaps this sounds over the top, but I speak from personal experience and thus take a cautious approach. I was one of the users involved in a Ledger data breach, but as I followed the above-mentioned steps, barely any personal details were exposed from this.

7) Be alert for any suspicious emails and fraudulent email addresses

Scammers often use a cunning technique to trick people into believing an email has been sent from a legitimate entity such as a financial institution, a government department, e-commerce company, cryptocurrency exchange and so on.

The letterhead/logo, style of writing, format, etc. are designed to mimic what is usually followed by a standard online business to deceive you into believing that it is an official email.

Spam filters used by email providers generally do a good job at directing most junk mail to its rightful place, but these are not fool-proof.

A common scam involved here is getting people to click on a link to direct them to a bogus website, masquerading as something official. In the process, by simply clicking a link or an attachment, a hacker can install a type of malware and/or encourage victims to enter sensitive information (in the form of a phishing attack).

Major steps to prevent this from happening:

– Be cautious with all email correspondence received from a company, especially if it is unsolicited. Do not click on any link or icon directing you to a website. It is best to log into your account and check for any messages or notifications directly through that.

– Check the sender to see if it is officially from the company or not. If in doubt, contact the institution to check whether it is legitimate. They would also appreciate you checking with them, as it rapidly alerts them to any potential scams, and they could pass this information on to their clients.
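The sender check in the last step can be partly automated. The following is an added example, not part of the original article; the brand name, domains and both messages are constructed, and `VERIFIED` is assumed to hold domains you have confirmed yourself.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand -> domains you have verified yourself (constructed values).
VERIFIED = {"Example Bank": {"examplebank.com"}}

def _domain(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def _belongs(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def sender_findings(raw_message):
    """Return a list of reasons to distrust the sender of raw_message."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From"))
    findings = []
    for brand, allowed in VERIFIED.items():
        if _belongs(from_dom, allowed):
            continue
        # The display name is free text; only the address domain counts.
        if brand.lower() in display.lower():
            findings.append(f"display name claims {brand} but domain is {from_dom}")
        for good in allowed:
            # Near-identical spelling (e.g. '1' for 'l') is a lookalike.
            if difflib.SequenceMatcher(None, from_dom, good).ratio() >= 0.85:
                findings.append(f"{from_dom} is a lookalike of {good}")
    if any(label.startswith("xn--") for label in from_dom.split(".")):
        findings.append(f"{from_dom} uses punycode (possible homoglyphs)")
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    return findings

# Constructed sample messages.
PHISH = ("From: Example Bank Security <alerts@examp1ebank.com>\n"
         "Reply-To: help@mail-collect.example\n\nVerify your account now.")
LEGIT = "From: Example Bank <alerts@mail.examplebank.com>\n\nStatement ready."

if __name__ == "__main__":
    for finding in sender_findings(PHISH):
        print("WARN:", finding)
```

These are heuristics: an empty result does not prove a message is genuine, so logging in directly rather than following the link still applies.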

These principles also relate to any suspicious phone calls and (to a lesser extent nowadays) letters. I have also seen instances where elderly relatives and acquaintances have received bogus mail, such as the typical “receiving a major inheritance from a (recently-deceased) long-lost wealthy relative on the other side of the world”.

8) Set a secure password: This should be a stock-standard step that everyone should be taking by now. You know the drill: A lengthy, case-sensitive alphanumeric password with special characters (? ! . , % $ …) that you can still remember or easily reset if required.

9) Use an on-screen keyboard for an added layer of security when entering highly-sensitive passwords. This is a precaution that people can take to mitigate the risk of keyloggers potentially intercepting these through their keystrokes.

Ideally, as we approach 2022, all financial institutions should be, by default, opting for, or at least offering, their in-house, floating on-screen keyboard that moves after entering each character.

Perhaps another act of excessive Internet security for some, but it is a small sacrifice to make when large sums of money and/or highly-sensitive details are involved. Whilst many would argue this should not be mandatory, banks and related businesses should be offering this as a choice. Alternatively, operating systems usually have an on-screen keyboard ready for use.

For cryptocurrency exchanges and wallets

Alongside these aforementioned points, for anyone specifically interested in buying, selling or trading cryptocurrencies, you will most likely need to use an exchange at some point. Here is a list of additional safety measures to adopt when interacting with one of these:

10) Seek a reputable and regulated exchange: Binance, Coinbase and Kraken are three of the world’s largest exchanges in this sector. They and several others are gradually expanding their range of trading pairs and supported cryptos, and are seeking greater regulation with several jurisdictions around the world to legally operate.

Consider an exchange’s insurance policy (if applicable, albeit limited); where they store most of your digital assets (i.e., almost all offline in ‘cold storage’ or online in a hot wallet, whereby they should opt for the former as much as possible); relevant regulatory licences within a certain state/country; customer reviews from trustworthy websites, and so on. Following these measures should help you make a well-informed decision about which exchanges are safe to use.

11) Whitelist your crypto addresses: Once you have opened an account and set up a wallet with your preferred exchange, you will either need to purchase crypto directly from them or deposit it into your account. For the latter, a trustworthy exchange would require you to ‘whitelist’ an address, i.e., double check that an address used to deposit funds into your exchange is the correct one that you have approved in advance.

Conversely, you should also blacklist any addresses linked to criminals, scammers, etc. There is a useful website called Bitcoin Who’s Who to alert people of any illegitimate BTC address. Two limitations with this are that this relies on victims sharing this information with the website to inform others, and that this only applies to Bitcoin, not other blockchains.

Most well-known exchanges apply this control to eliminate the risk that a hacker could remotely change a wallet address in real-time, without the victim realising in time. If conducting a transaction through a non-custodial wallet (where you have and maintain 100% control of the funds at all times), notably with a hardware wallet, you will need to double check the public key, transaction amount, fee, etc. on your device before proceeding.

12) Dusting attacks: When trading cryptocurrencies through an exchange, there are often minuscule amounts of crypto left over (‘dust’) from these trades within your account.

The abovementioned attack involves a hacker distributing dust across thousands of wallets at random.

Users who hold non-custodial wallets should also be alert for any suspicious micro payments that could resemble dust attacks. By trading/converting this tiny amount, hackers (let alone anyone) can monitor any movements of funds from one wallet to another, which will generate public keys on a given blockchain every time a transaction is carried out.

If this or a similar unsolicited deposit occurs, there are a few actions you can take to remain safe. Firstly, by utilising hierarchical-deterministic (HD) wallets, this can help maintain anonymity, or at the very least, mask new transactions being made from a given wallet. Moreover, a VPN and specifying unspent transaction outputs (UTXOs) can also be implemented to respectively mask your real IP address and avoid spending the crypto dust.

Additional details about dusting attacks are available here.
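One way to apply the advice about specifying UTXOs is to quarantine unsolicited tiny deposits and choose transaction inputs only from the rest. This is an added example, not from the original article; the `Utxo` record, the 1,000-satoshi threshold, the fixed fee and the sample wallet are all constructed assumptions.

```python
from dataclasses import dataclass

DUST_LIMIT_SAT = 1_000  # assumption: what counts as "suspiciously small"

@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    value_sat: int
    expected: bool  # True if the deposit matches your own records

def quarantine(utxos, limit=DUST_LIMIT_SAT):
    """Split UTXOs into (spendable, frozen); frozen = unsolicited and tiny."""
    spendable, frozen = [], []
    for u in utxos:
        is_dust = not u.expected and u.value_sat <= limit
        (frozen if is_dust else spendable).append(u)
    return spendable, frozen

def select_inputs(utxos, target_sat, fee_sat):
    """Pick inputs covering target + fee, largest first, never using dust.

    Spending dust alongside other coins places them in one transaction,
    which lets an observer tie those addresses together, so this raises
    ValueError instead of dipping into quarantined outputs.
    """
    spendable, _ = quarantine(utxos)
    need = target_sat + fee_sat
    chosen, total = [], 0
    for u in sorted(spendable, key=lambda u: u.value_sat, reverse=True):
        if total >= need:
            break
        chosen.append(u)
        total += u.value_sat
    if total < need:
        raise ValueError("insufficient funds without spending quarantined dust")
    return chosen, total - need  # (inputs, change in satoshis)

# Constructed wallet contents.
WALLET = [
    Utxo("aa" * 32, 0, 250_000, True),
    Utxo("bb" * 32, 1, 547, False),   # unsolicited micro-deposit
    Utxo("cc" * 32, 0, 80_000, True),
    Utxo("dd" * 32, 2, 600, True),    # small, but your own change output
]
```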

13) Use multiple wallets: You should never keep your crypto all in one place. Considering the portability of desktop, mobile and hardware wallets, there is no excuse to simply have all of your digital assets linked to just one set of private keys (that is to say, in just one location).

If opting for self-custodied choices, you can still distribute your crypto on multiple devices (ideally hardware wallets). For those who have crypto on an exchange, whereby you are at the mercy of their security protocols (or lack thereof), it is best to only have a tiny amount that you can easily replace on one of these.

14) Regularly monitor for any suspicious activity: For any crypto you might have on an exchange, keep an eye out for any alerts about ‘unusual login activity’ or ‘unauthorised activity’ on your account. These notifications are usually sent to the registered email address that corresponds to your hot wallet on a crypto exchange.

A common occurrence with these notifications is the login from a different IP address, which is expected for anyone using a VPN.

15) Have backup recovery seeds: When you initialise a non-custodial wallet, you will be prompted to write down a recovery phrase/seed (the list of 12, 24 or sometimes 18 words to restore your accounts) linked to your digital assets’ private keys.

A common recommendation is to write down the recovery phrases on paper and store them somewhere safe, offline. However, we know that paper is susceptible to being irreversibly damaged or could simply go missing. Thus, you should have multiple backups, or at the very least, a paper copy contained within a waterproof, shockproof and fireproof safe.

There are companies that offer highly-durable stainless-steel capsules and tags, built to withstand multiple extremes within its surrounding environment. This could be useful when planning to manage large amounts of cryptocurrencies via these wallets.

16) Cryptojacking involves a hacker gaining unauthorised access to a person’s CPU, GPU or hard drive to discreetly mine crypto. As a result, this often slows down a person’s computer and/or leads to higher electricity bills.

Measures to minimise the risk of falling victim to this include installing a reputable internet security program, monitoring for changes in your computer’s performance, and unexpectedly high GPU usage through a web browser (details via your system’s Task Manager). Further details about this phenomenon are available through this article.

17) Giveaways

I have witnessed several cases of fraudsters coming across as legitimate, high-profile people in the space. There are cases of legitimate giveaways from celebrities, exchanges and organisations, but there are many instances of bogus distributions.

A classic pattern associated with a fake giveaway is sending x amount of crypto to an address, and they (some random person) lure people into this scam by convincing unsuspecting individuals that they will receive twice the amount in return.

If it’s too good to be true, it probably is.

Conclusion

Implementing a combination of the above-said strategies will most likely help keep your details safe online, and considerably lower the risk of being involved in a hack.

One option I have not yet explored is the incorporation of an extra layer of security in the form of three-factor authentication (3FA). Eventually, as malicious actors find ways to circumvent numerous forms of 2FA, 3FA should be applied to remain at least one step ahead.

Whilst this is still years (and possibly decades) away, quantum computing will most likely play a pivotal role in cracking encrypted data. Where possible and relevant, companies will need to apply quantum-resistant encryption once this threat becomes apparent and begins to pose a significant risk; ideally sooner, to remain proactive.

I am sure there is a vast swathe of scams that did not feature here. I have covered 17 (unfortunately) popular ones that I hope people will learn from and avoid making. If you would like to add input to this and offer some novel information to supplement this article, I encourage you to share this with our audience.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

P.S. Strictly speaking, a common misconception with non-custodial wallets is that your devices ‘store’ your cryptocurrencies. In reality, they don’t have any crypto on them. Rather, they contain the private key(s) to access your digital funds being held on a blockchain (or multiple ones, assuming you hold more than just one cryptocurrency).