Bitcoin Forum
Author Topic: Safety revision after the Hacks going around these days  (Read 1751 times)
mmitech (OP)
Legendary, Activity: 1148, Merit: 1001
March 04, 2014, 08:07:54 PM  #1

To people who think that they do take security seriously: please, it is time to do some revision. I am reading around and I see a shocking amount of hacks and fraud going on for the last couple of days.

So you may consider:

1- Check if you have all the security features that your exchange offers already activated.
2- Make sure that you use one of the best antivirus programs on the computer you use to browse around, and make sure it is up to date.
3- Don't leave funds on exchanges. If you trade daily and have to leave any funds there, then make sure to use e-mail confirmations and that your e-mail also has 2FA.
4- Make sure that you use only one phone/device, which is not rooted, and do not install garbage bitcoin apps or any other garbage apps/games.
5- Use paper wallets for your long-term investment and keep them in a safe place.
6- Keep the coins for daily use on an offline computer: use Armory, sign transactions offline and broadcast them on an online PC.
7- Use different passwords on all sites; make them complicated and long (capital letters, small letters, numbers and special characters).
8- Don't keep any record of your passwords, keys or anything else on your computer; do it the old-fashioned way: write them on paper and keep it somewhere safe.
9- Encrypt just about everything. I would recommend you to encrypt your entire disk as well; if you use Linux this option is offered when installing the system, if you use Windows then try PGP Whole Disk Encryption, I use it and I recommend it.
10- Use AVG antivirus on your phone/device and activate the location option; there is also an option to wipe the device by sending an SMS to your phone if it is lost or stolen.
11- Never trust anyone with your BTC. If you can't control the address then you don't own the BTC; any non-reputable, non-regulated online service can go offline and you will lose all your funds (the new term is "Goxed").
12- Don't click on links without being sure where they lead; you can simply put the mouse cursor on the link without clicking and check the address bar to see if it is a legitimate link. Deactivate automatic redirection in your browser so you can't be tricked.
13- Don't open e-mails from unknown sources, especially spam e-mail. If you have to, then make sure not to open any executable attachment or any .pif file. Be suspicious of any site asking you to install a "Java plugin" or a "Flash player": if YouTube works for you then you don't need any Flash player or additional extensions, and you are the target of a phishing attempt.
14- Don't install any open-source software if you don't know what the code does; if you can't review the code yourself then don't install it without verifying the signature. Especially don't install wallets of the daily created scam coins; some might be created just to steal your coins.


These are just some of the safety practices I can think of now; any user is welcome to add anything I might have forgotten to this list.
Lauda
Legendary, Activity: 2674, Merit: 2965
March 04, 2014, 09:09:22 PM  #2

If you have a lot of funds, just buy a laptop for trading only. Put a ton of security software on it, enable all possible security features on everything and you're good to go.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
dave3k
Full Member, Activity: 147, Merit: 100
March 04, 2014, 11:04:14 PM  #3

Beware of browser extensions, especially bitcoin-related ones.
Don't run Java/Flash; if necessary use something like NoScript (browser extension :P).


Good post, it's definitely a good time for everyone to audit their own security.

It's not paranoia if they really are out to get you!

Realbitcoin.info
Elwar
Legendary, Activity: 3598, Merit: 2386
March 04, 2014, 11:20:56 PM  #4

Quote from: Lauda on March 04, 2014, 09:09:22 PM
If you have a lot of funds, just buy a laptop for trading only. Put a ton of security software on it, enable all possible security features on everything and you're good to go.

Or buy a laptop exclusively for cold storage only.

First seastead company actually selling sea homes: Ocean Builders https://ocean.builders  Of course we accept bitcoin.
amspir
Member, Activity: 112, Merit: 10
March 05, 2014, 12:58:44 AM  #5


Quote from: Elwar on March 04, 2014, 11:20:56 PM
Or buy a laptop exclusively for cold storage only.

Why would a laptop be desired over using paper wallets for cold storage? A hard drive/flash memory can fail, and a laptop makes a tempting target in a burglary. Unless you keep it physically secure from other people when not under your supervision, you can't really be confident that the private keys will never be copied/compromised.

I'm using paper wallets generated on an offline computer with clean install.  I'm 99.9999% sure that those private keys don't exist on any machine on this planet.   When I need to transact btc, for just receiving, I get a fresh paper wallet from the safe, and send it to that address.   To send BTC, I use the loaded paper wallets that I need to cover the transaction, scan in the private keys, do my business, and put the remainder on fresh paper wallets.  All the old paper wallets, once their private keys have been disclosed to the online computer and have been verified to contain no value, get destroyed to preserve anonymity and protect against reuse.  In practice, I keep several paper wallets with 1 BTC on each, with one holding a remainder of less than 1 BTC.   I keep both the loaded and unloaded wallets in sealed envelopes when they are in the safe.  The loaded wallets are treated like paper currency and are stored as such.

Scanning in QR codes from paper wallets is a relatively simple process, no more a burden than copying keys from a cold storage laptop to a hot wallet on an online computer via a usb drive -- and keep in mind that you would only copy the keys you would need, otherwise, you would be exposing your "cold storage" private keys to be possibly read by malicious software.  Encrypting these won't help if the online computer has been compromised by a keystroke logger.

Also, paper wallets are much, much cheaper than buying a single-purpose computer.
mdude77
Legendary, Activity: 1540, Merit: 1001
March 05, 2014, 01:03:48 AM  #6

This is good. For #3, I'd revise it to include: don't leave funds on a pool _or_ an exchange.

M

I mine at Kano's Pool because it pays the best and is completely transparent!  Come join me!
DeathAndTaxes (Gerald Davis)
Donator, Legendary, Activity: 1218, Merit: 1079
March 05, 2014, 01:11:36 AM  #7


Quote from: amspir on March 05, 2014, 12:58:44 AM
Or buy a laptop exclusively for cold storage only.

Why would a laptop be desired over using paper wallets for cold storage?   ... To send BTC, I use the loaded paper wallets that I need to cover the transaction, scan in the private keys ...

into the malware-infected computer, and the attacker steals them the second the system becomes aware of the private key.

It might be overkill for a couple of bitcoins, but if you are talking hundreds or thousands it is well worth the money to have a secure dedicated laptop to perform offline signing. The private keys never touch a computer connected to the internet .... ever. Not just in storage but also in use.

This doesn't mean you can't also have paper backup as a backup to the offline signing device.

Quote
no more a burden than copying keys from a cold storage laptop to a hot wallet on an online computer via a usb drive -- and keep in mind that you would only copy the keys you would need, otherwise, you would be exposing your "cold storage" private keys to be possibly read by malicious software.

The keys NEVER leave cold storage.  The only thing copied to the hot wallet is the complete digitally signed transaction.  The hot wallet could be a cesspool of infection and the attacker would get nothing that isn't already public information anyways.
acarterczyz
Full Member, Activity: 168, Merit: 100
March 05, 2014, 01:14:45 AM  #8

My method may work. Everytime the wrong password is entered, the following image displays. This will deter those pesky thieves...



Coins4life
Newbie, Activity: 28, Merit: 0
March 05, 2014, 01:19:54 AM  #9

Quote from: Elwar on March 04, 2014, 11:20:56 PM
Quote from: Lauda on March 04, 2014, 09:09:22 PM
If you have a lot of funds, just buy a laptop for trading only. Put a ton of security software on it, enable all possible security features on everything and you're good to go.

Or buy a laptop exclusively for cold storage only.

This, except with a tablet/netbook that could be kept in a bank vault or home safe.
amspir
Member, Activity: 112, Merit: 10
March 05, 2014, 03:41:08 AM  #10


Quote from: DeathAndTaxes on March 05, 2014, 01:11:36 AM
Or buy a laptop exclusively for cold storage only.

Why would a laptop be desired over using paper wallets for cold storage?   ... To send BTC, I use the loaded paper wallets that I need to cover the transaction, scan in the private keys ...

into the malware-infected computer, and the attacker steals them the second the system becomes aware of the private key.

True, but my assumption is that I will have done due diligence in checking that the online computer is clean. I'm pretty tech-savvy, but I'm not arrogant enough to think that I can prevent every attack. The idea would be that I would limit my losses to only the exposed keys; a mugging versus a steal-my-life-savings scenario. Malicious software that instantly steals your bitcoin would be pretty impressive. Most malicious hacks that I have read about involve stealing your encrypted wallet data and subjecting it to dictionary attacks, or getting your password from a key logger, all of which would take time to process. A private key would only be valuable for a short time, from the time the paper wallet is loaded until the remainder of the transaction is swept from the hot wallet.

When bitcoin merchant pay terminals become widespread, I would hope to be able to use a hot wallet on my phone and only put the amount that I think I might spend from a paper wallet.  I'll sweep it all back to a paper wallet once I'm done shopping.  I see it similar to only carrying around a $100 of cash vs. carrying around a roll of $100 bills.

Quote from: DeathAndTaxes on March 05, 2014, 01:11:36 AM
It might be overkill for a couple of bitcoins, but if you are talking hundreds or thousands it is well worth the money to have a secure dedicated laptop to perform offline signing. The private keys never touch a computer connected to the internet .... ever. Not just in storage but also in use.

This doesn't mean you can't also have paper backup as a backup to the offline signing device.

I like the idea, but it's something I'd only do if transacting large amounts of BTC. You would still have the burden of transferring the address (from an online source) to the signing computer and then back to the online computer to send the transaction without a direct connection. I'd still be uncomfortable with leaving private keys to a large amount of BTC on a device that could be hacked onsite.

If keeping bitcoin safe becomes too difficult, then it will impede bitcoin's adoption amongst non-technical people. I am confident I could teach my mother how to transfer a paper wallet to a hot wallet app, spend some bitcoins, then sweep the remainder to a fresh wallet. I am sure I'd get a glassy-eyed response explaining why she should and how to transfer bitcoin from a cold-storage computer to an online computer.
DeathAndTaxes (Gerald Davis)
Donator, Legendary, Activity: 1218, Merit: 1079
March 05, 2014, 04:56:20 AM  #11

Quote from: amspir on March 05, 2014, 03:41:08 AM
You would still have the burden of transferring the address (from an online source) to the signing computer and then back to the online computer to send the transaction without a direct connection.

It isn't that complex, although when I am not working 60 hours a week I have been experimenting with alternate methods of passing information between the offline and online computers. One method involves using animated QR codes and a webcam; the other involves transferring it as an encrypted sound stream using the mic-in port (the same method Square uses for their card reader dongle).

Quote from: amspir on March 05, 2014, 03:41:08 AM
I'd still be uncomfortable with leaving private keys to a large amount of BTC on a device that could be hacked onsite.

Paper can be "hacked" onsite as well.

Quote from: amspir on March 05, 2014, 03:41:08 AM
If keeping bitcoin safe becomes too difficult, then it will impede bitcoin's adoption amongst non-technical people.

Your grandma won't be using a laptop. What can be done with a laptop can later be done with a dedicated hardware wallet which is mass-produced at a nominal cost and can provide her a level of security she could never possibly hope to achieve if she keeps clicking on lolz_cats.exe attachments.
justusranvier
Legendary, Activity: 1400, Merit: 1009
March 05, 2014, 05:39:16 AM  #12

Quote from: mmitech on March 04, 2014, 08:07:54 PM
these are just some of the safety practices I can think about now, any user is welcome to add anything I might have forgotten to this list.

Use Armory to store all but petty cash offline.
Breaking6745
Newbie, Activity: 63, Merit: 0
March 05, 2014, 09:54:09 AM  #13

As it was already said the best way is to use separate computer only for this purpose, I totally agree with it.
runam0k
Legendary, Activity: 1092, Merit: 1001
March 05, 2014, 10:42:26 AM  #14

Paper wallet to mobile phone feels safe enough for me, but then I'm not dealing in thousands of bitcoins.

I have an offline Raspberry Pi running Electrum (cheaper than a dedicated laptop!) but I worry about it failing. Then there is the question of how to back up the seed for the Electrum wallet.
Aswan
Legendary, Activity: 1734, Merit: 1015
March 05, 2014, 10:53:11 AM  #15

store your coin on a secure offline storage - www-pi-wallet.com

:P
mmitech (OP)
Legendary, Activity: 1148, Merit: 1001
March 05, 2014, 11:14:31 AM  #16

Quote from: Aswan on March 05, 2014, 10:53:11 AM
store your coin on a secure offline storage - www-pi-wallet.com

:P

Nope, wrong practice, read #11.
64dimensions
Hero Member, Activity: 578, Merit: 508
March 05, 2014, 02:12:50 PM  #17

Why wouldn't a simple blank CD be suitable for a poor man's cold storage? If you were really worried about damage, buy an offline CD duplicator.

Also by monitoring the directory file(s) size wouldn't that be a way to detect malware?
S4VV4S
Hero Member, Activity: 1582, Merit: 502
March 05, 2014, 02:35:45 PM  #18


Quote from: DeathAndTaxes on March 05, 2014, 01:11:36 AM
Or buy a laptop exclusively for cold storage only.

Why would a laptop be desired over using paper wallets for cold storage?   ... To send BTC, I use the loaded paper wallets that I need to cover the transaction, scan in the private keys ...

into the malware-infected computer, and the attacker steals them the second the system becomes aware of the private key.

It might be overkill for a couple of bitcoins, but if you are talking hundreds or thousands it is well worth the money to have a secure dedicated laptop to perform offline signing. The private keys never touch a computer connected to the internet .... ever. Not just in storage but also in use.

This doesn't mean you can't also have paper backup as a backup to the offline signing device.

Quote
no more a burden than copying keys from a cold storage laptop to a hot wallet on an online computer via a usb drive -- and keep in mind that you would only copy the keys you would need, otherwise, you would be exposing your "cold storage" private keys to be possibly read by malicious software.

The keys NEVER leave cold storage. The only thing copied to the hot wallet is the complete digitally signed transaction. The hot wallet could be a cesspool of infection and the attacker would get nothing that isn't already public information anyways.

Hi, I currently don't have enough coins to need a laptop as cold storage, but can you please explain this process to me?

I am currently using an encrypted drive to store my wallet, but in case I get Bitcoin rich I would like to know how to do this :D :D :D :D
ReCat
Sr. Member, Activity: 406, Merit: 250
March 05, 2014, 02:46:27 PM  #19

I think what would be ideal is to dual boot a linux distribution on your computer, encrypt the filesystem, disable ssh or any other network services, and use firefox without any plugins.

BTC: 1recatirpHBjR9sxgabB3RDtM6TgntYUW
Hold onto what you love with all your might, Because you can never know when - Oh. What you love is now gone.
RodeoX
Legendary, Activity: 3066, Merit: 1147
March 05, 2014, 02:49:44 PM  #20

Most important advice, IMO.

Get exclusive control of your private keys. Until you have that, you do not own bitcoins. Back your wallet up and put most in a wallet that stays off the internet. Put it in a safe deposit box or something that safe.

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf
Free bitcoin in ? - Stay tuned for this years Bitcoin hunt!