Bitcoin Forum

Other => Beginners & Help => Topic started by: HYPERfuture on November 28, 2014, 02:56:14 PM



Title: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: HYPERfuture on November 28, 2014, 02:56:14 PM
I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

1.) Use a gmail account with google auth 2FA to sign up for your blockchain wallet

2.) Buy a Yubikey (https://www.yubico.com/products/yubikey-hardware/yubikey-2/) and use this for 2FA to further secure your wallet at blockchain. You now have TRUE 2FA on both your wallet and your email account associated with the wallet. You can also recover the private keys to your blockchain wallet via email if you need to recover your wallet in future.

3.) Do NOT lose your Yubikey or your google auth code. Back up your google auth code; the Yubikey is virtually indestructible, so take it everywhere with you and keep it safe.

4.) Do not have too many coins on blockchain.info. They have very good security but they may be internally hacked one day.

5.) For full security for beginners I recommend something like Trezor https://www.bitcointrezor.com/

Do NOT use TOR as rogue nodes may steal your information. This has happened many, many times to many different people!

Remember email is NOT 2FA as it is too easy for your email to become compromised. You MUST use TRUE 2FA; Yubikey at blockchain + google auth on email is a good combo. Even if you do get a keylogger on your PC your coins will be safe, but always scan for viruses often and use a professional anti-virus suite like Kaspersky.

NOTE: You can also use SMS 2FA on blockchain.info instead of Yubikey but I prefer Yubikey and as some have mentioned below SMS is not entirely secure.

DISCLAIMER: This guide is based on my understanding of these technologies only and I cannot make any guarantees. However if you follow the steps above you will be MUCH MORE secure and protected from most vulnerabilities your average hacker will go for.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: BitCoinDream on November 28, 2014, 09:52:26 PM
I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

1.) Use a gmail account with google auth 2FA to sign up for your blockchain wallet

2.) Buy a Yubikey (https://www.yubico.com/products/yubikey-hardware/yubikey-2/) and use this for 2FA to further secure your wallet at blockchain. You now have TRUE 2FA on both your wallet and your email account associated with the wallet. You can also recover the private keys to your blockchain wallet via email if you need to recover your wallet in future.

3.) Do NOT lose your Yubikey or your google auth code. Back up your google auth code; the Yubikey is virtually indestructible, so take it everywhere with you and keep it safe.

4.) Do not have too many coins on blockchain.info. They have very good security but they may be internally hacked one day.

5.) For full security for beginners I recommend something like Trezor https://www.bitcointrezor.com/

Remember email is NOT 2FA as it is too easy for your email to become compromised. You MUST use TRUE 2FA; Yubikey at blockchain + google auth on email is a good combo. Even if you do get a keylogger on your PC your coins will be safe, but always scan for viruses often and use a professional anti-virus suite like Kaspersky.

NOTE: You can also use SMS 2FA on blockchain.info instead of Yubikey but I prefer Yubikey.

DISCLAIMER: This guide is based on my understanding of these technologies only and I cannot make any guarantees. However if you follow the steps above you will be MUCH MORE secure and protected from most vulnerabilities your average hacker will go for.


2FA is not the best way to secure your coins, especially if u r using SMS authentication.

Quote
Anyone using SMS based 2FA is just begging to have their BTC stolen; hackers can easily social engineer your telecom to forward your number.

Source: https://twitter.com/wiz/status/528806600941662209


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: anshar on November 29, 2014, 09:23:34 AM
I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

1.) Use a gmail account with google auth 2FA to sign up for your blockchain wallet

2.) Buy a Yubikey (https://www.yubico.com/products/yubikey-hardware/yubikey-2/) and use this for 2FA to further secure your wallet at blockchain. You now have TRUE 2FA on both your wallet and your email account associated with the wallet. You can also recover the private keys to your blockchain wallet via email if you need to recover your wallet in future.

3.) Do NOT lose your Yubikey or your google auth code. Back up your google auth code; the Yubikey is virtually indestructible, so take it everywhere with you and keep it safe.

4.) Do not have too many coins on blockchain.info. They have very good security but they may be internally hacked one day.

5.) For full security for beginners I recommend something like Trezor https://www.bitcointrezor.com/

Remember email is NOT 2FA as it is too easy for your email to become compromised. You MUST use TRUE 2FA; Yubikey at blockchain + google auth on email is a good combo. Even if you do get a keylogger on your PC your coins will be safe, but always scan for viruses often and use a professional anti-virus suite like Kaspersky.

NOTE: You can also use SMS 2FA on blockchain.info instead of Yubikey but I prefer Yubikey.

DISCLAIMER: This guide is based on my understanding of these technologies only and I cannot make any guarantees. However if you follow the steps above you will be MUCH MORE secure and protected from most vulnerabilities your average hacker will go for.


2FA is not the best way to secure your coins, especially if u r using SMS authentication.

Quote
Anyone using SMS based 2FA is just begging to have their BTC stolen; hackers can easily social engineer your telecom to forward your number.

Source: https://twitter.com/wiz/status/528806600941662209

But they would need to know your number in the first place.

How is this possible? Do sites state your number?


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: BitCoinDream on November 29, 2014, 10:56:04 AM
I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

1.) Use a gmail account with google auth 2FA to sign up for your blockchain wallet

2.) Buy a Yubikey (https://www.yubico.com/products/yubikey-hardware/yubikey-2/) and use this for 2FA to further secure your wallet at blockchain. You now have TRUE 2FA on both your wallet and your email account associated with the wallet. You can also recover the private keys to your blockchain wallet via email if you need to recover your wallet in future.

3.) Do NOT lose your Yubikey or your google auth code. Back up your google auth code; the Yubikey is virtually indestructible, so take it everywhere with you and keep it safe.

4.) Do not have too many coins on blockchain.info. They have very good security but they may be internally hacked one day.

5.) For full security for beginners I recommend something like Trezor https://www.bitcointrezor.com/

Remember email is NOT 2FA as it is too easy for your email to become compromised. You MUST use TRUE 2FA; Yubikey at blockchain + google auth on email is a good combo. Even if you do get a keylogger on your PC your coins will be safe, but always scan for viruses often and use a professional anti-virus suite like Kaspersky.

NOTE: You can also use SMS 2FA on blockchain.info instead of Yubikey but I prefer Yubikey.

DISCLAIMER: This guide is based on my understanding of these technologies only and I cannot make any guarantees. However if you follow the steps above you will be MUCH MORE secure and protected from most vulnerabilities your average hacker will go for.


2FA is not the best way to secure your coins, especially if u r using SMS authentication.

Quote
Anyone using SMS based 2FA is just begging to have their BTC stolen; hackers can easily social engineer your telecom to forward your number.

Source: https://twitter.com/wiz/status/528806600941662209

But they would need to know your number in the first place.

How is this possible? Do sites state your number?

Social engineering is the way :)


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: Moonpig on November 29, 2014, 11:55:58 AM
Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: HYPERfuture on November 29, 2014, 02:29:13 PM
Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: BitCoinDream on November 29, 2014, 02:39:19 PM
Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

So, it seems, neither email nor SMS is good for 2FA. Better don't use 2FA. Create an offline wallet for cold storage.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: HYPERfuture on November 29, 2014, 03:03:00 PM
Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

So, it seems, neither email nor SMS is good for 2FA. Better don't use 2FA. Create an offline wallet for cold storage.

Yes well that is why I recommend Yubikey in my guide.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: 1986 on November 29, 2014, 03:03:37 PM
Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone, so it's safe and completely unlinked to my computer.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: HYPERfuture on November 29, 2014, 03:55:34 PM
Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone, so it's safe and completely unlinked to my computer.

If your email has 2FA as well, like I recommend, then it is much more secure. However, email without 2FA doesn't provide an extra layer at all, as if someone has your email they can reset your wallet password. You should also have another form of 2FA (like Yubikey) on your online wallet as well. Then you have double 2FA and less chance of becoming the next horror story.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: BitCoinDream on November 29, 2014, 03:59:05 PM
Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone, so it's safe and completely unlinked to my computer.

Your phone is more secure than a computer because they are not linked? U must be a funny guy. Ur security is just waiting to get broken... AMEN


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: HYPERfuture on November 29, 2014, 04:00:45 PM
Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone, so it's safe and completely unlinked to my computer.

Your phone is more secure than a computer because they are not linked? U must be a funny guy. Ur security is just waiting to get broken... AMEN

This is why I like Yubikey and recommend it ;)


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: btchris on November 30, 2014, 01:20:19 AM
Not to put too fine a point on it, but blockchain.info doesn't support any (decent) 2FA.

Logon-only 2FA (such as supported by Blockchain.info) does help protect against online password brute-forcing attacks, but it does practically nothing to help protect against malware (e.g. keyloggers), which seem to be the more ominous threat.

Per-transaction 2FA (such as supported by GreenAddress.it and BitGo.com) means that each transaction that sends bitcoin out of your wallet must use a new 2FA code. This type of 2FA offers very effective protection against malware (although it's not necessarily perfect).

You should keep all this in mind when weighing your wallet options....
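Added example (not code from any poster here, nor from Blockchain.info, GreenAddress or BitGo) illustrating the distinction btchris draws: an RFC 6238 TOTP generator of the kind Google Authenticator implements, plus a server-side per-transaction verifier that consumes each time step, so a code that malware captured on the user's machine cannot authorise a second spend. The secret is the RFC 6238 test key, used here as constructed demo data; a logon-only scheme would run the check once at login and never again.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in
# base32, i.e. the kind of string Google Authenticator stores when a QR code
# is scanned. This string is the "google auth code" worth backing up; the
# 6-digit codes are derived from it and the clock and need no backup.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PerTransactionVerifier:
    """Server-side check for per-transaction 2FA.

    Every outgoing transaction must present a code for a time step that has
    not already authorised a transaction. A code replayed from an earlier
    transaction, or an older code harvested by malware, is rejected even if
    it is otherwise valid. `window` is how many 30-second steps of clock
    drift between client and server to tolerate.
    """

    def __init__(self, secret_b32: str, window: int = 1) -> None:
        self.secret_b32 = secret_b32
        self.window = window
        self.last_counter = -1          # highest time step already consumed

    def authorize(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue                # step already spent: treat as replay
            expected = totp(self.secret_b32, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Scenario with constructed timestamps: the user authorises one spend,
    # then the same code is presented again (as replayed malware would).
    verifier = PerTransactionVerifier(DEMO_SECRET_B32, window=0)
    t = 1111111111
    code = totp(DEMO_SECRET_B32, t)
    print("first spend with code", code, "->", verifier.authorize(code, t))
    print("replay of same code      ->", verifier.authorize(code, t))
    print("fresh code next step     ->",
          verifier.authorize(totp(DEMO_SECRET_B32, t + 30), t + 30))
```

With `window=1` the verifier also accepts the neighbouring steps, which is what a real deployment needs for clock skew; the replay check still holds because accepted steps only ever move forward.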


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: HYPERfuture on November 30, 2014, 02:51:46 AM
Not to put too fine a point on it, but blockchain.info doesn't support any (decent) 2FA.

Logon-only 2FA (such as supported by Blockchain.info) does help protect against online password brute-forcing attacks, but it does practically nothing to help protect against malware (e.g. keyloggers), which seem to be the more ominous threat.

Per-transaction 2FA (such as supported by GreenAddress.it and BitGo.com) means that each transaction that sends bitcoin out of your wallet must use a new 2FA code. This type of 2FA offers very effective protection against malware (although it's not necessarily perfect).

You should keep all this in mind when weighing your wallet options....


You have heard of Yubikey right? That protects against keyloggers and is used on blockchain. But as I say you should not store large amounts of coins on ANY online wallet.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: Foxpup on November 30, 2014, 05:30:45 AM
Email still is 2-factor
It isn't. For reference, true two factor authentication means having any two of the following factors:

* What you know (usernames and passwords)
* What you have (mobile phone, security tokens)
* What you are (fingerprints, iris/retina patterns, etc)

Email access is always the first factor only, unless your email account itself uses 2FA. This is bad because the first factor is what is compromised by keyloggers (which is the whole reason for using 2FA in the first place). If you have a keylogger, your email is almost certainly compromised, and is thus useless as a form of authentication.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: btchris on November 30, 2014, 06:47:08 AM
Not to put too fine a point on it, but blockchain.info doesn't support any (decent) 2FA.

Logon-only 2FA (such as supported by Blockchain.info) does help protect against online password brute-forcing attacks, but it does practically nothing to help protect against malware (e.g. keyloggers), which seem to be the more ominous threat.

Per-transaction 2FA (such as supported by GreenAddress.it and BitGo.com) means that each transaction that sends bitcoin out of your wallet must use a new 2FA code. This type of 2FA offers very effective protection against malware (although it's not necessarily perfect).

You should keep all this in mind when weighing your wallet options....


You have heard of Yubikey right? That protects against keyloggers and is used on blockchain. But as I say you should not store large amounts of coins on ANY online wallet.

Unfortunately, it's not that simple (and it's a bit misleading IMO).

When you log into Blockchain.info (even if you use good 2FA such as Yubikey), the private keys for your wallet are sent to your computer. This means that your computer (and any decent malware that's running on it) has access to those private keys, and can use them to relieve you of any funds.

By default, Blockchain.info doesn't save those private keys to disk (if you have 2FA enabled), and that does protect you against stupid malware, but it remains much less secure than per-transaction 2FA used by multisig wallets (where only a portion of the necessary key material is ever on your computer and available for malware to abuse).


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: wadili89 on November 30, 2014, 07:15:30 AM
How does one back up a google auth code? I didn't see an easy way.

I use the IP lock along with other measures.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: HYPERfuture on November 30, 2014, 02:15:51 PM
Not to put too fine a point on it, but blockchain.info doesn't support any (decent) 2FA.

Logon-only 2FA (such as supported by Blockchain.info) does help protect against online password brute-forcing attacks, but it does practically nothing to help protect against malware (e.g. keyloggers), which seem to be the more ominous threat.

Per-transaction 2FA (such as supported by GreenAddress.it and BitGo.com) means that each transaction that sends bitcoin out of your wallet must use a new 2FA code. This type of 2FA offers very effective protection against malware (although it's not necessarily perfect).

You should keep all this in mind when weighing your wallet options....


You have heard of Yubikey right? That protects against keyloggers and is used on blockchain. But as I say you should not store large amounts of coins on ANY online wallet.

Unfortunately, it's not that simple (and it's a bit misleading IMO).

When you log into Blockchain.info (even if you use good 2FA such as Yubikey), the private keys for your wallet are sent to your computer. This means that your computer (and any decent malware that's running on it) has access to those private keys, and can use them to relieve you of any funds.

By default, Blockchain.info doesn't save those private keys to disk (if you have 2FA enabled), and that does protect you against stupid malware, but it remains much less secure than per-transaction 2FA used by multisig wallets (where only a portion of the necessary key material is ever on your computer and available for malware to abuse).

Ahh good to know. Thank you. Seems like Trezor is the way to go then.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: btchris on November 30, 2014, 02:26:21 PM
How does one back up a google auth code? I didn't see an easy way.

I use the IP lock along with other measures.

See over here (https://bitcointalk.org/index.php?topic=201082.0), in particular the posts by DeathAndTaxes and the ones that mention TitaniumBackup (root only).


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: fast2fix on November 30, 2014, 02:36:17 PM
How does one back up a google auth code? I didn't see an easy way.

I use the IP lock along with other measures.

Better use Authy as 2FA; you don't have to worry about backups.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: wadili89 on November 30, 2014, 03:19:17 PM
How does one back up a google auth code? I didn't see an easy way.

I use the IP lock along with other measures.

See over here (https://bitcointalk.org/index.php?topic=201082.0), in particular the posts by DeathAndTaxes and the ones that mention TitaniumBackup (root only).

Thanks, it takes some work but anything for safety.

How does one back up a google auth code? I didn't see an easy way.

I use the IP lock along with other measures.

Better use Authy as 2FA; you don't have to worry about backups.

authy?


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: Testing123 on November 30, 2014, 03:22:00 PM
How does one back up a google auth code? I didn't see an easy way.

I use the IP lock along with other measures.

Better use Authy as 2FA; you don't have to worry about backups.

authy?

Yup, Authy. https://www.authy.com/users


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: hitton on November 30, 2014, 11:18:51 PM
I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

You forgot the most important step: either don't use TOR to access your Blockchain.info wallet, or use their new onion URL: *questionable link removed*


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: HYPERfuture on December 01, 2014, 01:45:20 PM
I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

You forgot the most important step: either don't use TOR to access your Blockchain.info wallet, or use their new onion URL: LINK REMOVED

I would say don't use TOR, and also DO NOT use the link above that has been posted by a new account here. Do not click it!

But thank you I forgot that and have updated the OP with do not use TOR information.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: hyphymikey on December 02, 2014, 04:28:34 AM
I've always told people to enable the second password. Where you have to enter it to send coins from the wallet. You have to type it in using the on screen keyboard. I was wondering, how hard is it for a hacker to get this password? Do they just record your screen and watch the mouse move around and try to guess where you clicked? Or is that pretty hard to do?


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: Foxpup on December 02, 2014, 06:40:00 AM
I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

You forgot the most important step: either don't use TOR to access your Blockchain.info wallet, or use their new onion URL: *questionable link removed*
Due to the alleged questionability of that link (blockchatvqztbll.onion (http://blockchatvqztbll.onion)), I questioned it, and found the answer is that it is genuine. It is the link provided by Blockchain.info if you connect to their regular site via Tor (and check the certificate to avoid MITM attacks). Is it really that hard to give newbies any credit whatsoever? Wait, what am I thinking? Of course it is. Never mind.


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: ikydesu on December 02, 2014, 07:15:55 AM
Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You sure SMS 2FA is much safer? I think you are just a lucky guy because hackers don't attack you, so you think SMS 2FA is much safer :P wait for some weeks :P


Title: Re: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!
Post by: HYPERfuture on December 02, 2014, 12:42:00 PM
I've always told people to enable the second password. Where you have to enter it to send coins from the wallet. You have to type it in using the on screen keyboard. I was wondering, how hard is it for a hacker to get this password? Do they just record your screen and watch the mouse move around and try to guess where you clicked? Or is that pretty hard to do?

There is malware that waits until you have unlocked your wallet and then bye bye bitcoins. Better use Linux and have a closed down system for your coins if you are keeping them on your computer to decrease the chances of this happening to you.

I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

You forgot the most important step: either don't use TOR to access your Blockchain.info wallet, or use their new onion URL: *questionable link removed*
Due to the alleged questionability of that link (blockchatvqztbll.onion (http://blockchatvqztbll.onion)), I questioned it, and found the answer is that it is genuine. It is the link provided by Blockchain.info if you connect to their regular site via Tor (and check the certificate to avoid MITM attacks). Is it really that hard to give newbies any credit whatsoever? Wait, what am I thinking? Of course it is. Never mind.

Ha ha well it is nice to see that hitton had the best of intentions. I would still recommend NEVER using TOR even if a link may supposedly be safe.

Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You sure SMS 2FA is much safer? I think you are just a lucky guy because hackers don't attack you, so you think SMS 2FA is much safer :P wait for some weeks :P

Email is NOT true 2FA as all an attacker needs is your email password and bye bye Bitcoins. Real 2FA like Yubikey, Google Auth or SMS (although seems there are vulnerabilities with SMS) on BOTH your email and blockchain account is required at the very least.