Keep Your Bitcoin Safe by Making Security a Habit

2020-2-5 16:00

When considering how to keep your bitcoin safe, most users think about the hard stuff like buying a hardware wallet, using complicated passphrases, buying bulletproof safes and backing up seed words on steel … but most users ignore the easy stuff because it doesn’t seem to be linked to your coins. Unfortunately, it’s ignoring the easy stuff that causes the most loss. The biggest threat to personally owned coins is the threat of impersonation and the dozens of ways attackers use impersonation to steal funds. 

The most complicated passphrase and the most secure hardware wallet won’t stop you from sending your own coins to the attacker yourself.

Protecting your own accounts from impersonation can have an “infectious” quality for your friends and coworkers. When my accounts are secure, my friends are safer because my accounts can’t be used as a springboard to attack them. Since impersonation is the most successful method of attack, I’ve found that training employees to keep themselves secure actually helps keep the company secure too.

When looking at all of the successful thefts (from both businesses and individuals), there are two common root causes: bad security habits and/or insecure configuration of accounts.

This means that the most successful defense you can mount is to both adopt secure habits and secure your account configurations.

Let’s dive in!

Secure Habits

Strong Authentication

The single most effective habit you can adopt is what we call “Strong Authentication” or StrongAuth. Put plainly, StrongAuth is the act of making sure you are talking to the person you think you are. 

There are many situations where this is helpful. These include:

Sending money
Altering someone’s access
Discussing confidential information

We use the acronym MAC to remember when we need to use StrongAuth: Money, Access and Confidential information.

Mapping this habit to our personal lives, let’s take the example of receiving a message from your sister saying she needs you to send money for any reason. Before you send it, you should make sure you’re really talking to your sister! So how do you do that reliably?

In Person: The easiest form of StrongAuth is talking to your sister in person. If the situation can wait until you see her, you’ll have 100 percent confidence you’re sending that money to the right place. Sometimes, however, you can’t wait.

Video/Audio Call: The next best way to perform StrongAuth is to have a video+audio call with them where you simultaneously see and hear them. In 2020, there is no shortage of video messaging apps, and if you are able to see your sister and hear her on video asking for the money, you will know you’re sending it to the right person.

There are other ways to perform StrongAuth too that involve prearranged secret phrases, GPG keys, digital message signatures, or other more complicated methods (but those require a lot more work to set up and require differing sets of assumptions, so we’ll skip them for this article).

So many thefts could have been prevented if the participants exercised this simple habit. As my chief engineer puts it: “It’s better to spend 15 seconds double-checking than to send 15 million dollars to the wrong person!” Although the amounts may be different for individuals than businesses, the theory is the same.

Password Hygiene

Another secure habit to adopt is using a password manager for all of your passwords. Password managers are unicorns in the security world. Most of the time, if you want to increase security, it comes at the cost of annoying extra steps that take more time or effort. Password managers, however, simultaneously increase your security while taking LESS time AND effort. With one click, your username and password are automatically entered into your app/website and you are logged in effortlessly. No other measure increases both security and convenience together.

Here are some tips for using password managers:

Use your password manager to generate completely unguessable passwords with one click. Since you never need to type it yourself, you can maximize the length and complexity for the service. For example, ShapeShift supports a maximum of 128 character passwords, so setting a 128 character password will maximize the security of this account.

Never reuse a password. This is as easy as one click with a password manager using the “generate password” feature.

Never use a password algorithm. I’ve seen people choose a simple password (e.g., “a1b2c3!”) and tack it onto the end of the site they’re visiting for passwords like “googlea1b2c3!” or “facebooka1b2c3!”. The problem with this is, once I get one of your passwords, I get them all! A password manager makes password algorithms unnecessary — which is good because password algorithms are not secure!

Secure Configurations

The next thing you can do to protect yourself against the most common attacks is to change the settings on your various accounts. As has been widely reported over the last few years, the most successful attack against individuals is “SIM swapping” or “number porting.” This is when an attacker calls your cell phone carrier and impersonates you, telling them you have a new phone and SIM card. Then they arrange for your phone number to be reassociated with the attacker’s cell phone. 

This attack is always followed by using the Account Recovery feature of your email account. Once they have control of your inbox, they go after all the crypto exchange accounts you have by clicking “I Forgot my Password” on each one. Account recovery uses email by default, so if your attacker controls your email, they control every account you have linked to that email address.

Unfortunately, there’s not much we can do to stop attackers from swapping your SIM because the carriers themselves simply don’t protect our accounts. However, there is something we can do to prevent attackers from inflicting harm after taking over your cell number.

Lock Down Your Recovery Options

Most accounts have the ability to specify recovery cell phone numbers, recovery email addresses or recovery questions so that you have a way to get into the account if you forget the password. These recovery options are the easiest way for attackers to hack their way into your account.

Here’s some advice for locking down recovery options:

Remove all cell phone numbers. If there is no phone number attached to the account, then SIM swapping can’t be used to take over the account.

Remove all recovery emails OR lock down the recovery email account. A chain is as strong as its weakest link: if your primary email account is locked down but lists a second address as its recovery account, that second account should have equal security.

Unfortunately, some accounts don’t let you remove cell phone numbers, making it impossible to secure these accounts reliably.
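To make the weakest-link point concrete, here is an added example (not from the article) that models each account with its own login strength and the recovery options it lists, reports where a phone number or a weaker recovery inbox undermines an account, and then applies the advice above. The account names, the strength scale and the sample phone number are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed strength scale for an account's own login; higher is stronger.
STRENGTH = {"password": 1, "password+totp": 2, "password+u2f": 3}
SIM_SWAP = 0  # a recovery phone number offers no resistance to SIM swapping

@dataclass
class Account:
    auth: str  # key into STRENGTH
    recovery_emails: list = field(default_factory=list)
    recovery_phones: list = field(default_factory=list)

def recovery_chain(accounts, name):
    """Accounts reachable from `name` along recovery-email links, `name` first."""
    chain, stack = [], [name]
    while stack:
        cur = stack.pop()
        if cur not in chain:  # also stops on recovery loops (A -> B -> A)
            chain.append(cur)
            stack.extend(accounts[cur].recovery_emails)
    return chain

def effective_strength(accounts, name):
    """Weakest link in the chain; any phone number means SIM-swap exposure."""
    chain = recovery_chain(accounts, name)
    if any(accounts[a].recovery_phones for a in chain):
        return SIM_SWAP
    return min(STRENGTH[accounts[a].auth] for a in chain)

def audit(accounts, name):
    """Findings that leave `name` weaker than its own login suggests."""
    own, findings = STRENGTH[accounts[name].auth], []
    for a in recovery_chain(accounts, name):
        if accounts[a].recovery_phones:
            findings.append(f"{a}: phone recovery (SIM-swap exposure)")
        if a != name and STRENGTH[accounts[a].auth] < own:
            findings.append(f"{a}: weaker recovery account ({accounts[a].auth})")
    return findings

def lock_down(accounts):
    """Apply the article's advice: drop phone numbers and raise every recovery
    account to at least the strength of the accounts that rely on it."""
    hardened = {n: Account(a.auth, list(a.recovery_emails)) for n, a in accounts.items()}
    for name in hardened:
        for a in recovery_chain(hardened, name):
            if STRENGTH[hardened[a].auth] < STRENGTH[hardened[name].auth]:
                hardened[a].auth = hardened[name].auth
    return hardened

SAMPLE = {  # constructed: exchange -> primary mail -> old mail that still has a phone
    "exchange": Account("password+totp", ["primary-mail"]),
    "primary-mail": Account("password+u2f", ["old-mail"]),
    "old-mail": Account("password", recovery_phones=["+1-555-0100"]),
}
```

Run `audit(SAMPLE, "exchange")` to see why a 2FA-protected exchange login is only as safe as the forgotten mailbox at the end of its recovery chain, and `lock_down(SAMPLE)` for the corrected layout.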

Enable Multi-Factor Authentication (MFA or 2FA)

If an account offers Time-based One-Time Passwords (TOTPs) as a 2FA method, use it! Google Authenticator or Authy are the most common apps for TOTPs and they’re easy to use on phones. Enabling 2FA on all of your accounts will enhance the security and help keep attackers out.

Just beware: TOTP secrets should not be stored in your password manager alongside your passwords, because that turns your 2FA back into 1FA: anyone who gets into the manager gets both factors at once. Keep these separate, or if you want to get advanced, put your TOTPs into a Yubikey instead of into your phone.

Buy (and Use) a Yubikey

This one device allows you to secure many things in many different ways. It’s a more secure replacement for Google Authenticator (via Yubico Authenticator), it stores your SSH keys for servers (via the GPG module), and — when configured correctly — can act as a physical key for your accounts and laptops (via U2F and PIV). When a Yubikey is properly configured, even if a hacker cracks your password, he will still be locked out. 

There are far too many features that would each take lengthy articles to explain, so be prepared to put time into learning how to maximize the use of your Yubikey if you choose to buy one.

Keep Your Bitcoin Safe: Bringing It All Together

Security is more than just the tools you use. It is a mindset. It’s a habit. It’s a constant effort to remain vigilant because, while you and I need sleep every night, an attacker’s scripts continue to attack 24 hours a day, seven days a week without a holiday. 

Locking down your recovery options, enabling 2FA and adopting secure habits with strong auth and password managers will thwart most things in an attacker’s bag of tricks and send them looking for an easier target to rob.

This is an op ed by Michael Perklin, the Chief Information Security Officer of ShapeShift. Views expressed are his own and do not necessarily reflect those of Bitcoin Magazine or BTC Inc.

The post Keep Your Bitcoin Safe by Making Security a Habit appeared first on Bitcoin Magazine.
