You would like to explore Web3, buy cryptocurrencies and tokens, use Dapps and start exploring. All of us have reached this point, for different reasons and with different levels of conviction. No matter where you live, it is important to learn the basics and take some lessons from others who have gone before.
Let me start by saying that this space should be explored at your own pace. It could take months to understand even 10%, and that’s okay. Be wary of anyone who appears to understand everything. This is all new, and many of the people building it will admit they don’t fully understand it either. Let’s start with the basics; if you are already in the space, scroll down for the more advanced material.
You will need a wallet no matter what you do in this area. There are many types of wallets. I will try to explain the differences and benefits of each one. You will likely use multiple wallets for different purposes.
Hot wallet (online wallet)
Exchanges such as Coinbase, Kraken, and Gemini give you a wallet when you register. These wallets are the most convenient: you can log in at any time and reach your funds from anywhere. But they don’t give you control of your private keys, so you are not the one who actually controls your assets, and that makes them more vulnerable to hacking. Very, very vulnerable. As soon as you have purchased assets on an exchange, move them to a hardware wallet. Many of these companies have excellent security practices, but I still encourage you to move your assets off the exchange and into a wallet like MetaMask, Keplr, or Phantom. Learn how to set up a crypto wallet here.
Cold wallet (offline wallet), the safest type of wallet
These physical hardware devices let you interact directly with Ethereum and other blockchains while your private key is never, ever shared. I highly recommend getting one. A Ledger is the best option for integration with many services.
Because the private key stays on the device and is never exposed to the internet, it is hard to lose or steal. There are many hardware wallet scams, so buy the device directly from the manufacturer or from one of its trusted resellers.
If you do buy from Amazon or eBay, make sure the device arrives in its original packaging and runs the manufacturer’s firmware, and generate a fresh seed phrase yourself rather than using any seed that came with the device. Each manufacturer has tried to keep up with these attacks by closing off each of these vectors.
Do not use the following unless you have a significant reason to
- Mnemonic phrase: a list of 12 to 24 words that serves as the master seed for a wallet, and one of the best ways to create one. If your wallet is HD (hierarchical deterministic), that single seed can derive an unlimited number of public-private key pairs, and therefore an unlimited number of addresses. The words are very unlikely to be guessed, and the phrase can often also be protected with a password. If you don’t want to buy a hardware wallet, this is a good alternative. But again, buy a hardware wallet.
- JSON file or keystore: an encrypted file, usually password-protected, that most browser wallets such as MetaMask can import. A keystore is created for one address and can be moved from one service to the next, though doing so is insecure.
- Private key: the raw key itself, the direct secret behind a public key and its address. Unencrypted private keys are not secure, so I don’t recommend using them; don’t use this form unless you really intend to.
Not your keys, not your crypto
An exchange converts fiat currency into cryptocurrency, and you can also trade on it with sophisticated investment tools. Unfortunately, almost every hack has occurred at an exchange. Some exchanges compensate losses; others have had to declare bankruptcy. If you take custody of your keys, you are responsible for them, but you are also not sitting on a multibillion-dollar honeypot for attackers to aim at, and you don’t have to worry about an exchange’s internal bad actors either. Choose a wallet and secure it. Only leave on an exchange what you can afford to lose or need immediate access to.
Keep your seed safe
Anyone who has your seed has access to everything. It can be locked in a safe or taped under your desk.
It is fine to be paranoid and not want your seed on a nightstand, or even in a safe at home where anyone in the house could get to it. If you plan to put it in a safe deposit box or another secure location, be aware that it is still exposed to fire and flood.
Here is where the debate over best practices begins. You could type the seed into a Word document offline and store it on a USB stick, but that does not hold up: drives fail and standards evolve. Think about the passwords you once saved to a floppy disk. Paper is susceptible to floods and fires, but paper has been around for thousands of years and is still being found in tombs. Laminating the paper protects it from water damage but not from fire, and the plastic used in lamination can also eat away at the paper. My favorite way to store my seed is in a metal container, but I’m not trying to make you spend a lot of money.
Protect your Google account
Try to hack yourself: log out, click the forgotten-password link, and keep hitting Next to see how far the recovery flow lets an attacker get; remove any recovery email address or phone number that you don’t fully control. If your Google account is compromised, your saved passwords and payment information go with it. Next, log in to www.passwords.google.com and secure what is stored there!
Use a Chromebook
Chrome OS uses a method called verified boot: every time the device powers on, it checks that it is running the correct, unmodified version of the operating system. Each tab and each application runs in its own sandbox, isolated from the rest of the machine. Suppose the worst case: malware lands on the device that could send your private keys to an attacker or record your passwords. It would be detected and removed when the device restarts.
Bookmark your favorite sites
In a world of Google and autocorrect, we are used to mistyping a site’s address and being corrected. In a world of immutable transactions, is a typo worth risking your entire wallet? Phishing sites are built to look identical to the real one. How do you know you are bookmarking the right site? Cross-reference the URL from multiple sources: a Google search is easy, then check Twitter for the founder or another employee linking to the site. Google Jigsaw’s phishing quiz will test whether you can spot these.
Do not click on links
Many links are shortened by bit.ly or similar services, so you can’t tell where they lead. If you haven’t bookmarked your favorite sites, hover over each link to see where it actually goes and make sure it is the correct URL. Never click links sent to you via Twitter, Slack, or other social media; most projects won’t DM you.
Do not click on advertisements
Many phishing websites are ad-based. Click on the organic link instead of the ad.
Add two-factor authentication to everything
Two-factor authentication, or 2FA, relies on two separate factors: something you know, usually a password, and a code derived from something you have. Passwords leak in breaches all the time, so this second layer slows attackers down. It also addresses a second problem: the answers to password-reset security questions are often easy to find online.
The physical second factor: this is the best option, with the least risk and the least to remember. I recommend buying a YubiKey Security Key or a Google Titan Security Key. A Trezor can also be used both as your hardware wallet and as a second factor for your online accounts. Buy more than one in case you lose it.
Time-based one-time codes: a secure option, though not as user-friendly as a U2F device. On the other hand it is free, so it fits any budget. Download an authenticator app such as Google Authenticator. When you enable 2FA, the site shows a secret as a string of letters, such as WICEUIDWJFPMWU, or as a QR code; enter the string or scan the code on every device you want to generate codes from. The app then shows six digits that you type into the website. This feels familiar to anyone who has received a code by text, except that these codes change every 30 to 60 seconds.
SMS-based two-factor: better than nothing, but it carries serious risk from SIM porting, a fraud in which someone impersonates you and convinces your phone provider to activate your number on a phone they control. From then on the codes are sent to their phone, they can pass your two-factor checks, and your assets are gone in minutes.
Cautions on time-based one-time codes. Google Authenticator is a better solution than SMS, but it has its limits. The technical concern is how the shared secret is stored and protected: the device and the server hold the same secret so that they stay in sync, and anyone who obtains that secret, for example from the data in transit during setup, can generate your codes. Install Google Authenticator on a secondary device that is not connected to the internet.
Make sure you have antivirus software
If you visit a website and notice that the certificate indicator has changed from the company name to just the plain green https, you may not be at risk. First, give yourself a big pat on the back for being attentive. Your antivirus software might be interfering by scanning SSL connections and substituting its own certificate, so temporarily disable it and refresh the page to see whether that was the cause. You may also be able to disable just the SSL-scanning and web-security parts of the antivirus: you keep protection against most things while still being able to confirm that you are on the right site.
Verify the security certificate
When a website is secure, a green lock or the company name appears in the URL bar. Each certificate is unique and cannot be faked; on the MyEtherWallet site, for example, you would see MyEtherWallet Inc. Phishing sites can mimic the site’s layout, but it is much more difficult for them to falsify the security certificate. You don’t have to remember every certificate on the internet, so bookmark these websites.
Use two browsers, with an ad blocker on one. Pop-ups and ads are something we all hate, an inconvenience that has to be dealt with until there is a better way. Keep your preferred browser as it is and install an ad blocker in a secondary browser, and use that secondary browser for all cryptocurrency-related tasks.
Audit your passwords. Password Alert, an open-source Chrome extension created by Google’s Jigsaw, forces you to use unique passwords on each site: it watches the passwords you enter and alerts you if you reuse the same password on a different website.
Make complex passwords that are difficult to crack. Pwned Passwords is a great tool for this: enter a password to see how long it would take a computer to crack it (don’t worry, it is safe and open-source). You want a password with high entropy, which is a measure of randomness. A password manager will create a unique, complex password for each site.
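As an added illustration (not part of the original post) of why the Pwned Passwords check is safe to use, this example mirrors its k-anonymity design: only the first five characters of the password’s SHA-1 hash leave your machine, and the match is found locally in the returned range. The range response below is a constructed sample, not real API output, and the function names are my own.

```python
import hashlib

# Constructed sample of a Pwned Passwords "range" response for the hash prefix 5BAA6.
# Each line is "<remaining 35 hex chars of the SHA-1>:<times seen in breaches>".
# The suffixes and counts are made up for this example (the real response has hundreds of lines).
SAMPLE_PREFIX = "5BAA6"
SAMPLE_RANGE_RESPONSE = """\
0000FA5CA6C9C1F7A2D5F0B2F3C0F4A1D9E:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2D4A1E0C1B3F6A8E9D7C5B4A3F2E1D0C9B8:5
"""


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines into a lookup table of suffix -> breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_prefix: str, range_body: str) -> int:
    """Return how many times the password appeared in breaches, or 0 if its suffix is absent.
    The full hash is never compared remotely: only the prefix selects the range to fetch."""
    prefix, suffix = sha1_prefix_suffix(password)
    if prefix != range_prefix.upper():
        raise ValueError("range response does not belong to this password's hash prefix")
    return parse_range_response(range_body).get(suffix, 0)


if __name__ == "__main__":
    # "password" hashes to 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so it matches the sample range.
    print("breach count:", breach_count("password", SAMPLE_PREFIX, SAMPLE_RANGE_RESPONSE))
```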
Check whether your email has appeared in a breach. Enter your email address at haveibeenpwned.com to see if and where your credentials have been compromised, and click the Notify Me tab to be alerted about future breaches.
Audit your permissions. Do you trust the producers of your extensions? Are you confident in the websites where you have used the Facebook login button? Most permissions granted to an app are limited in use, but bugs happen and things change. Developers selling their Chrome extensions can be targeted, and the new owner may add malicious code. Most likely that means a virus of the usual kind, but an attacker could also read your Bitcoin address and modify whatever you copy or paste. This blog explains how to control Chrome extension permissions.
Multiple wallets. A hierarchical deterministic wallet is a good choice: it generates multiple addresses from the same seed phrase, so you can spread your assets across several addresses, and if an attacker forces you to give up the password to one of your wallets, it doesn’t wipe out everything you hold.
Other Security Concepts
Double-check. Double-check the address after you copy and paste it, and avoid typing one by hand, where mistakes are easy. This applies to tokens as well as cryptocurrencies. As you can see below, many smart contracts hold millions of dollars worth of stuck tokens because someone sent them to an incorrect address. There is an EIP for an ERC223 token standard that would prevent accidental transfers of tokens to smart contracts, but until then it’s best to double-check.
There is no free lunch. Airdrops can be a powerful tool for a project to create liquidity and a two-sided marketplace. You will never have to send your private keys to receive tokens. Every project handles it differently, but tokens are distributed based on balance, activity, or registration on the project’s site. If you need to register, only ever give a public address of a wallet you control; an exchange wallet cannot receive airdropped tokens, so use a hardware wallet instead. Asking for private keys in exchange for free tokens is one scam; others are popular on social media. Twitter is full of “10x” scams: send 0.1 or 3.0 ETH to an address and receive ten times the amount back in ETH. They won’t send it back. I promise. These scams are easy to fall for because the user names look just like the celebrity or business, but they are subtly misspelled.
Be careful with cloud. Check your portfolio with a block explorer such as Ethplorer or a portfolio manager such as Blockfolio rather than unlocking your wallet. This is the phishing issue again: every time you visit a site and unlock your wallet, there’s a chance of an attack. If you don’t intend to send anything, don’t unlock the wallet; a block explorer shows the address’s balance without it.