Bitcoin Forum

I've been doing this for years, but I still catch myself leaving some security vulnerabilities to my wallets and email addresses. You would probably think your security is adequate, it's not. Hackers and thieves always find a way to fool even the veterans. Let me tell you if you've been in this space for long enough, you probably had been hacked once or twice before. Hackers are getting very imaginative every year since because the booty they get from a successful hack is very enormous.

Wallet security

• RE: Online wallet tools/services - NEVER EVER SHARE YOUR PRIVATE KEYS ONLINE - don't even upload your keystore and password.
  
  You might think the site is well-known and trusted like myetherwallet.com (MEW), but their DNS can be hijacked and you can be re-directed to a fake MEW. Once you send your private keys or passphrase, you gave away your wallet access. Etherdelta was a victim of this and thousands of ETH were stolen from Etherdelta traders. Because you can upload your private keys to trade with the Etherdelta smart contracts. Of course, there are also many straight-up imposter sites where the would-be thieves will send you a phishing email and saying you have to click this link to go to their site. Your private keys should never be online as much as possible.
  
  a. For Bitcoin: all you have to do is to generate a transaction and sign it with your private key offline. And then you can broadcast the signed transaction (TX) anywhere online that offers a broadcast service or push transaction.
  
  b. For Ethereum and ETH tokens, a service like Metamask keeps your wallet encrypted in the browser, you can use it directly to send ETH or for tokens you can use it in tandem with MEW. It does not share private keys, only signed transactions.
  
  c. For other types of blockchain, I'm sure there could one or two that provides signed TX broadcasting and propagation. If not, download your own wallet - better be safe than sorry.
  
• Online Seed Generation - Those online bitcoin/crypto seed generation or address generators - Don't use them online!!!
  
  The site owner of the service you are using can record your seed/address generation and store your private keys. It has happened to new IOTA wallets from certain online services. The best practice here is to turn off your internet access when you generate.
• Always encrypt your local wallets. Don't assume it hasn't happened to you, it won't happen to you. And if someone was able to install backdoors to your machine, it's going to be an expensive lesson. Frankly, your personal laptop is the least secure place to store your private keys since you're not a security expert and other people might use your machine too.
  
  Personally I prefer paper wallets. I don't mind the extra hassle as long as its highly secure. Anyway, there are number of ways to encrypt your private keys. Most wallets provide encryption. I'm so paranoid. I even encrypted my paper wallets with PGP encryption.

Exchange account security

• Put 2FA on all of them exchanges! - As we become much wired than before, Username/email address/passwords combo are easily hacked nowadays. Especially if you're still using the same email address and username from the year 2005. There is a combo list out in the internet with your username and password hacked from sites you long forgotten.
  
• Never use the same email address and password for all exchanges and crypto-related sites such as this forum.
• If you use Gmail or your email provider provides 2FA, enable email 2FA. This is the last piece of the puzzle for hackers, after gaining access to your exchange account, they will need access to your email too.
• And lastly, never put all your coins in exchanges!  I don't have to tell you the number of exchange hacks that has happended throughout the history of crypto. You're not the exception, if you're in crypto for a long time, you will be targeted, directly or directly.

Good luck!

---

Update:

For Chrome, install Cryptonite by MetaCert https://chrome.google.com/webstore/detail/cryptonite-by-metacert/keghdcpemohlojlglbiegihkljkgnige

The service verifies the correct DNS entries for many crypto-related sites. It will warn you if the site you are on is a phishing site.

Good post, security is key be smart people...

Thanks for the write up on security of our wallets. I  have picked some points that i was not observing before now. We keep trying to safe guard our wallets
all the time.

A WHOLE BUNCH of great advice here on security for crypto! So many people get taken by scams and easily avoidable situations. If they just had some of this knowledge they would probably fair a bit better. We have been working on our Totle platform to help with this as well so people can invest safely and securely no matter who they are!

The most important aspect as you say safety , you're right . Now a great many scams . Everyone is trying to cheat and steal our money

Really nice article here and some very sound advice - so thanks very much for sharing. To tell you the truth, I wasn't aware of the potential holes in MyEtherWallet... and I was pretty sure that if I just made sure I was using a service like MetaCert everything would be OK. However, you are quite right that the scammers and criminals are becoming more and more audacious, because the rewards are so incredibly high, so I think I will switch over to using MetaMask. In fact, my long term play (I say long term only because of the fact they are sold out everywhere) is to make sure I put all assets onto a hardware wallet, and I've had a Nano Ledger S on order for about 2 months now.

What do you think of hardware wallets - do you have any particular recommendations or practices you'd use for them?

Sorry, I'm old school - paper wallets. If I must for convenience's sake, I have another wallet in which I split the private keys/passphase in two and stored into two separate encrypted text files.

I bought a nano ledger s which I absolutely love and I would reccomend . The only thing I would add is that if someone is looking to buy one or any hardware wallet please do not buy them from ebay or Amazon as they could be hacked. Only buy one from the official retailer.

do not keep the private keys in emails, or in cloud service like Evernote or Dropbox.
Paper wallet is the best way for security

worthy to know.. thanks for the informative post

Thanks for the guide.

Not enough people are secure when it comes to their wallets/privacy and should definitely read this post!

Update:

For Chrome, install Cryptonite by MetaCert https://chrome.google.com/webstore/detail/cryptonite-by-metacert/keghdcpemohlojlglbiegihkljkgnige

The service verifies the correct DNS entries for many crypto-related sites. It will warn you if the site you are on is a phishing site.

Easily avoided if you apply best practices at OP.  :'(

Good supportive / necessary share on securing wallets. Thanks dude. Yes, has hackers are around looking for loop hole to hack wallets / exchanges / trading sites etc, its individual responsibility to keep his or her wallets and etc secured with all possible option given by the respective wallets sites. Always activate 2FA authentication factor in mobile. This would help keep the wallet so secured.

This post is really helpful thanks for the advice, just changed my password after reading you just can't be too sure you know ;D ;D

This safeness must put on to practice and make this as a hobby to avoid scammers, hackers and wallet Hijackers.
For more safety practices on securing your CRYPTOCURRENCIES and WALLETS just hit the link.
https://bitcointalk.org/index.php?topic=1631151.0#post_bp 

Thanks for all the help, aside from that. Really appreciate for the MetaCert, the DNS Hijack is really something that is kinda hard to avoid because people normally check the URL but not DNS

Already installed the MetaCert, thanks!

Also I would add.  If you earn on crypto currency, then get a separate laptop for this. With it you will be go to exchanges and purses with your links in bookmarks.  2. Do not register social networks and messengers to your phone number, which is linked to exchanges.  There have already been cases of hacking.

This one is crucial. Bitcointalk was hacked in 2015, and loads of people ended up getting hacked on exchanges because they were using the same email address and password on the exchanges as they were using here.

And after Cryptsy went down, there were phishing emails for other exchanges send to email addresses held on Cryptsy - so either these were sold or hacked.

Also - don't boast about how much crypto you have. You are just inviting someone to dox you.

nice article, enjoy your merit :) perhaps you can also mention the way you store your keys offliine, that's something I have been pondering recently. How many back ups to do and where to put them.

I have a lot of altcoins and tokens because I believe it's just the beginning of a multi-year bull market for crypto. The tech is so revolutionary that it's a no-brainer to invest at some of the most promising projects.

Now the problem is each of these tokens started with small or of little value. But after a year (from early 2017), they already amount to $100k plus. It's quite risky to leave them in an exchange or even on a single ETH wallet (because many are ETH tokens).

So basically, what I did is spread the risk or avoid putting all my eggs in one basket for a thief to steal. Imagine one slip up and all your wealth gone.

1. Use hardware wallets for the most valuable coins. (Trezor)
2. Never use those deterministic wallets for ETH and ETH tokens - a thief only needs to steal your 12 word seed and he has all the coins in all those addresses. Use independent addresses for each type of token.
3. I print out private keys on paper, split into two parts (so two pieces of paper), stored into two different locations.

Anyway, the key objective is to diversify security.

FYI, 2FA all your crypto-related email, the world is a more dangerous place than 5 years ago. And never never tell anyone you got hundreds of thousands dollars worth in your flash drive. You could also be robbed at gun point.

I was almost upload my private key on Google doc today in the place of my ethereum wallet but I thank God I discover early and correct it if not my tokens and ethereum could have been stolen. I will advise us to adhere to op recommendations in other to come out of the activities of scammers and criminals. Many people are loosing they private keys in the application they are summiting with the aim of joining signatures and bounty.

Holy shit! Avoid submitting ETH addresses with tokens in them if you constantly join bounties. One slip up and bye bye coins. It's a hassle I know, but the consequences are bad. Just like riding a motorcycle without helmet.

b. For Ethereum and ETH tokens, a service like Metamask keeps your wallet encrypted in the browser, you can use it directly to send ETH or for tokens you can use it in tandem with MEW. It does not share private keys, only signed transactions.

[/quote]

You can use offline version of Myetherwallet too. It's very safe, but you need one offline computer and online computer.

Security is very important but the ugly truth is, if technology on securities improves then hackers too.I can only suggest that hacking should have a heavy penalty so they will get discouraged.