An in-depth guide on how to be safe in the crypto world. Because crypto truly is different.
Last updated: March 5 2021
The following is a mash-up of some of our internal policies, action items, and security-related stuff that we thought would be helpful or applicable to the larger community. For walkthroughs on how to secure your most valuable accounts we recommend our “SIM Swapping Bible,” which we co-authored with the famed investigators at CipherBlade. Specifically: Google account(s), Apple/iCloud account(s), password manager(s), Authy, Telegram(s), and all the other things.
Step 1: Upgrade your attitude and culture
Having a realistically paranoid mentality about your company’s security and your own personal security is the single most important thing you can do for yourself and your future—especially in crypto. Checklists and policies are necessary, but they don’t address new threats or every day-to-day decision each department makes. A strong security culture percolates through the entire organization so that you inherently make security-conscious choices without security, or security checklists, bogging down your productivity.
I understand that crypto is ruthless and terrifying.
- I take security seriously.
- I hold others accountable when I think we can do better.
- I understand that my employment, my personal security, my financial well-being, and my family are all threatened when I don’t take security seriously.
- I understand that my company’s viability is threatened when I don’t take security seriously.
- I will never be lazy or dismissive. I will not skim this or skip items. I will take the time to properly secure myself to ensure my company stays secure today and tomorrow.
I will walk through this industry’s graveyard.
- I understand that cryptocurrency companies are a global anomaly to the security industry.
- I understand that these companies are hacked into deletion at a far greater rate than any industry.
- I understand that simply being involved with the cryptocurrency industry and/or holding cryptocurrency makes my company and me a target for teenage script kiddies, sophisticated hackers, and even nation-states.
- I understand that a compromise or hack can result in the loss of our business, our funds, and/or our users’ funds.
- I will look through the Blockchain Graveyard and The Bad Things™ Database to appreciate the scale of this problem and learn from others’ mistakes.
I understand my personal accounts may be the target of an attack.
- I see that this space has an unusual mixture of personal identities and professional identities.
- My identity, reputation, or personal accounts may be used to create confusion, panic, send phishing messages, or scam friends or strangers.
- For this reason I choose to be diligent about the security of my personal accounts, not just professional ones.
I will buy stuff (on the company’s dime!)
- Yubikey For 2FA on Google, Github, Facebook, Twitter, more: https://www.yubico.com/products/yubikey-hardware/
- USB Drives: For backing up keys and information so it is NOT on your daily-use computer. Pick a drive depending on whether you are good or bad at not losing / breaking things.
- No-Wifi Printer: Will be used for printing backups of wallets, really important keys, Google Authenticator backup codes, etc. No-Wifi Printer. Cable. Paper.
- Hardware Wallet: Ledger Nano S or TREZOR: Will be used for holding and managing your crypto day-to-day. You should also use the MyCrypto Affiliate link! Ledger. Trezor.
I will panic correctly.
- I understand that I will cause a security incident at some point and that forgiveness is applied towards those that escalate a problem correctly and immediately.
- When this happens, I’ll direct a calm and composed version of my panic towards our internal security incident channel immediately.
- I will use all available means (calling, paging, knocking on their door) to escalate the situation should I not receive an appropriate or prompt response in this channel.
I know our internal security channel is…
- Located front-and-center in the primary communication platform we use for our day-to-day business (Slack, Discord, Email, etc.)
- Confidential
- Blameless. Judgement or dismissal of items posted here is not tolerated.
- Contains all employees and contacts who have enough access to be involved with a security incident, as well as those who can investigate and address security incidents.
- All notifications are turned on for all members all the time—not just mentions and not just during a certain time of day.
- Only for potential security incidents and their relevant replies. Move all non-incident related discussions elsewhere to prevent people from ignoring the notifications in this channel.
- Safe. I will not be scared to create an incident. I will not judge people for creating an incident.
I will promptly post in the security channel if…
- One of my accounts or passwords is compromised.
- I think one of my accounts or password may be compromised.
- My phone number is hijacked.
- My phone carrier is calling me about making changes to my account.
- I lose my phone or computer.
- I am getting password reset emails that I did not initiate.
- Something weird is happening on the website or another site controlled by my company or myself that indicates something is compromised.
- Something weird is happening on another website in my industry. (Look out for each other!)
- Someone is acting out of character or messaging odd things (e.g. Hudson asking Harry to send him some ETH via direct message.)
- My funds are stolen or I think my funds might have been stolen.
- I think something bad is happening, even if I haven’t 100% confirmed that something bad is indeed happening.
I will use all available means (calling, paging, knocking on their door) to escalate the situation should I not receive an appropriate or prompt response in the security channel.
- Any charges incurred will be reimbursed by the company without question—international calls, text messages, gas, whatever. This is not the time to wonder if it’s worth it.
- No one will judge you or blame you if you call late at night.
- No one will judge you or blame you if you call multiple times.
- No one will judge you or blame you if you call due to something you think may be a security incident but it turns out it’s not actually a security incident.
- It is always better to call than to not call.
Step 2: Secure your computers and software.
- If you have a clipboard manager, get rid of it: Never, ever install one again. Recording and saving everything you copy and paste, intentional or unintentional, is stupid. Case in point.
- If you have an auto-upload screenshot app (e.g. Cloud App), get rid of it: Never, ever install one again. Uploading every screenshot you take, intentional or unintentional, to the web is stupid and puts your security at the mercy of a random, insecure screenshot app.
- If you have a remote viewer (e.g. Teamviewer), get rid of it: Never, ever install one again. Putting in a door to your entire, unlocked computer is stupid and puts everything you store, access, decrypt, encrypt, or otherwise have or sometimes have at risk. Case in point.
- Audit your Chrome Extensions: Remove extensions you don’t use, don’t need, don’t trust. Frequently disable ones you don’t actively use on a daily basis. Don’t install new ones willy-nilly. Turn off automatic updates. Use incognito mode more often than not (especially when accessing super-secure things like hosting/registrar/banking/crypto). Don’t ever enter secrets into websites using the browser you use day-to-day or one that has extensions installed.
- Audit your Software: If you have an old computer that you’ve used for a while, do a brand-new install, or talk to management about getting a new computer.
- Audit the software that starts on launch: Disable applications that start on launch that you don’t absolutely need.
- Remove unnecessary software completely.
- Be especially mindful about installing little “helper” tools and avoid them like the plague. These include apps like: Clipboard managers. Auto-upload screenshot apps. Apps that control system-level things. Remote desktop apps like Teamviewer. Applets that show you the cryptocurrency price in your toolbar. Fun little shit to modify your desktop / icons. Stuff from untrusted developers.
- Do not install software gratuitously. Only install what you need and keep it up to date with patches. Don’t torrent or think about downloading an application from a non-legit site. Don’t install any application via a link in an email or deep in Google, but instead use the App Store or the product’s official website.
Audit your Chrome Settings
Visit chrome://settings/content and ensure the following settings:
- [x] Unsandboxed plugin access: Ask when a site wants to use a plugin to access your computer.
- [x] Location: Ask before accessing
- [x] Camera: Ask before accessing
- [x] Microphone: Ask before accessing
- [x] Flash: Block sites from running Flash
- [x] Popups: Blocked
- Clear your cache, settings, history, etc.
- Be mindful when you give a website or extension permission to access things like your camera, location, plugins, etc. in the future.
Step 3: Encrypt Your Shit
Encrypt your Computer / Laptop
- Click Apple menu, System Preferences, then select Security & Privacy.
- Select the FileVault tab.
- Click the Lock button, it will ask for an administrator name and password.
- Click Turn On FileVault. (this will take a while, so don’t do this when you’re in a hurry)
- FileVault will show you a recovery key. Pretend this is a private key protecting millions of dollars. Do not copy it. Do not save it. Write it down on a piece of paper and keep it somewhere safe.
Encrypt your USB Drives
- Go to finder
- Select USB drive under devices
- Right-click
- Select: encrypt
Step 4: Secure Your Accounts
- Install a password manager (e.g. 1Password, LastPass, Bitwarden): Do NOT use your browser’s built in password manager to manage passwords, credit card details, or other information. Set it up properly on all devices. 2021 Edit: LastPass is no longer going to be free for multi-device use, which means that you can use it on one device for free and you’ll have to pay to have any more devices synced. If you’d like to explore a free alternative, we recommend taking a look at Bitwarden — they have similar features and a guide on how to import your data from LastPass.
- Protect your password manager itself with 2FA via Yubikey or Google Authenticator: Do NOT store MFA codes in your password manager. Do NOT store crypto private keys in your password manager. Do NOT store super high security things in your password manager. (e.g. SSH keys, hosting/registrar accounts, etc.)
Audit your Cloud Storage Software (Dropbox, iCloud, OneDrive)
What is uploading automatically?
- Disable features like “auto upload all screenshots”
- Disable automatic snapshots/backups of your entire system. Opt for an offline external hard drive instead.
- Disable syncing of high-level system folders that you may inadvertently place secret information in at some point without realizing it.
- Be mindful where you EVER put secret information when using your computer if folders are sync’d.
- Don’t sync your downloads or desktop or home directory; it’s too easy to accidentally have secret stuff sync’d there.
What is already saved there?
- Remove anything sensitive. Realize that things that have been uploaded once are there for life, even if you “delete” it.
- If you discover a password or private key in your Dropbox, start by deleting it.
- Then, immediately change the password or move your funds.
- If it could even slightly possibly create a security incident for yourself or the company, panic correctly and post in the internal security channel.
Make sure it is secure.
- Change the password now.
- Enable 2FA now.
- If 2FA is already enabled, disable it and re-enable it freshly.
- If you can use a hardware wallet / U2F / Yubikey on the service, set that up.
- Remove your phone number as a 2FA option.
- Generate new backup codes and remove the old ones. Ensure the new backup codes are hand-written or printed via your no-wifi printer and securely removed from your device afterwards.
- Ensure nothing sensitive is ever saved there again.
- Audit yourself and what is stored there frequently.
Change your passwords to new, unique, strong passwords
- This is what a good password looks like: 3o*awM#A^9x&r61v.
- Use your password manager’s generate function with upper, lower, and symbols.
- Do not use the password above. It is an example.
- Change all your passwords, even those for stupid random forums, Skype, Twitter, Instagram (see below for big list).
- Never reuse passwords.
2FA all the things!
If you are using Authy, stop using Authy. If you must use Authy:
- Make sure “multi-device” is OFF under settings.
- Change it to a new Google Voice number that no one knows.
- Ensure that this Google Voice number is in a Google Account that no one knows.
- Ensure that this Google account is 2FA’d with your Yubikey.
- Ensure that this new Google account doesn’t have your phone number linked to it for 2FA.
- Do not give this number to anyone, ever.
- Do not give this email to anyone, ever.
Enable 2FA on all the things via Google Authenticator
- How to Set Up Google Authenticator
- How to restore access to your accounts if you lose/destroy your device w/ Google Authenticator (2FA): https://support.mycrypto.com/best-of/restoring-access-to-your-accounts-if-lose-device-with-2fa.html
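To make clear what a Google Authenticator code actually is, and therefore why the seed you scan from the QR code must never live on a synced drive or in your password manager, here is an added example (not from this guide) that implements RFC 6238 TOTP with the parameters Google Authenticator uses: HMAC-SHA1, a 30-second step, six digits. The seed is the constructed test key from the RFC test vectors, base32-encoded the way an app imports it; `verify_totp` is the check a service would run, including a small drift window and a constant-time compare.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the 20-byte ASCII key "12345678901234567890" from the
# RFC 4226 / RFC 6238 test vectors, base32-encoded the way an authenticator app imports it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time=None, digits=6):
    """RFC 6238 TOTP with Google Authenticator's defaults: SHA-1, 30-second step, 6 digits."""
    if unix_time is None:
        unix_time = int(time.time())
    secret = base64.b32decode(secret_b32.replace(" ", "").upper())
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret_b32, candidate, unix_time=None, window=1):
    """Verifier-side check: accept the current step plus/minus `window` steps of clock
    drift, comparing in constant time so response timing cannot leak matching digits."""
    if unix_time is None:
        unix_time = int(time.time())
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 8-digit SHA-1 code is 94287082, so 6 digits is 287082.
    print(totp(DEMO_SECRET_B32, 59))
    print(totp(DEMO_SECRET_B32))  # the code a phone holding this seed would show right now
```

The whole scheme rests on the seed and nothing else: anyone who copies the seed (a screenshot of the QR code auto-uploaded to the cloud, an Authy multi-device sync, a note in a synced folder) can produce the same six digits forever, which is why the guide insists on paper backup codes and a non-synced authenticator.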
Remove your phone number and email as a backup option for your Google (and other) accounts
- Print backup codes via no-wifi printer or hand-write them.
- You will not recover via SMS.
- You will not use Authy.
- For any services that do not allow you to remove your phone number, change it to a new Google Voice number that no one knows.
- Ensure that this Google Voice number is in a Google Account that no one knows.
- Ensure that this Google account is 2FA’d with your Yubikey.
- Ensure that this new Google account doesn’t have your phone number linked to it for 2FA.
- Do not give this number to anyone, ever.
- Do not give this email to anyone, ever.
- Check on all your services (Dropbox, Apple, Skype, Amazon, Facebook) and make sure you cannot log in, recover access, reset your password, 2FA, or bypass 2FA with your phone number.
- Seriously, a stupid amount of services now allow you to login with your phone number. Do not do this.
Update passwords & turn on 2FA for every service. Things like…
- Amazon (shopping) — Remove old credit cards, addresses, etc. while you are there.
- Apple
- Asana
- Atlassian
- AWS
- Bitbucket
- Box
- Calendar Apps
- Coinbase, Gemini, Bittrex, Kraken, Polo, all exchanges.
- Dropbox
- Evernote
- Github
- All your Googles
- Even your old Googles
- And your Yahoos or Hotmails or whatever
- AOL, too?
- Heroku
- Email services
- Support services (Zendesk, Groove)
- HR services (Gusto, Zenefits)
- Banking services (Chase, Bank of America, Amex)
- Investment services (401k, Vanguard, Charles Schwab)
- Hosts / Registrars (GoDaddy, Bluehost, Cloudflare, whatever)
- LastPass / 1Password
- Skype (Install Microsoft’s Authenticator, see below)
- Slack
- Stack Exchange
- Telegram
- Keybase
- Every messaging app ever
- TransferWise
- Paypal
- Venmo
- Random forums
- Shit forums
- That old reddit account
- Gaming accounts
- Websites or applications that you haven’t re-logged into in ages because you’re already logged in.
- Places you buy stuff. (Best Buy, Wayfair, etc.)
- Places you order food from (Uber, Uber Eats, Grubhub) — remove addresses, cc’s while you are in there.
Secure your Google, Github, Facebook, Skype, Twitter, etc.
For all of the above, check for authorized apps, logged in devices, and others.
Remove all authorized apps:
- “Apps” where you use a different service like Google or Twitter to sign into that service, or is otherwise linked (e.g. Fantastical Calendar app manages your Google Calendar).
- Remove all apps that you don’t recognize, haven’t used in a while, or are unsure about. It’s easy to re-auth later when you need it, so go to town!
- Whenever using this sign in / auth feature in the future, be very careful about what permissions you accept and who you give access to things.
- A throwaway email address is usually a better choice than “Sign in with Twitter”.
- Document somewhere what things sign in with what accounts. This will be needed if an account is ever compromised as it sheds light on what else an attacker may have access to.
- Twitter: https://twitter.com/settings/applications
- Facebook: https://www.facebook.com/settings?tab=security
- See below for more
Log out of all devices:
- Yes it’s annoying. Yes, you will have to re-log in on your current phone. Don’t be lazy.
Review forwarding and filters that are pushing data externally:
- e.g. Emails forwarding to Slack, customer support DM’s that are posted to Trello, whatever you set up at some point to try to make your life easier.
- Ensure the authentication/access is as narrow as it can be: Ask yourself if write access is really necessary. Ask yourself what happens if that third party is hacked: what’s the worst that could happen to your team, customers, users, or company? Can you separate concerns: can support messages go to the support platform, not Slack? Can GitHub authentication be done through a dedicated account that can reply to GitHub issues but not push code?
Remove any “Application Specific Passwords” that will bypass auth:
- These passwords are less common these days but may still exist, unbeknownst to you. They were usually available so you could authenticate an account (e.g. Gmail) via a platform that didn’t support 2FA (e.g. your TV.)
- This feature is especially damaging in an account takeover scenario, because app specific passwords rarely, if ever, are destroyed in a password reset. This leaves simple access behind for an attacker pretty easily if they’ve created one.
Skype / Microsoft: Turn on 2FA
- Link your Microsoft + Skype accounts.
- Turn on 2FA
- Install their stupid Microsoft Authenticator app, available for Windows Phone, Android, and iOS.
- Click here https://account.live.com/SignInPreferences?amru=names%2FManage or go to security -> sign in preferences and UNCHECK the username-only option.
- Read, review, action on any items you haven’t already completed here: https://support.microsoft.com/en-us/help/12410/microsoft-account-help-protect-account
Google: Remove your phone number & email as a backup option
For all your Google Accounts! See these way more up-to-date instructions with screenshots!
- Go to https://myaccount.google.com/security
- Scroll down
- Change your password.
- Click “2 Step Verification”
- Set up: Security key (Yubikey), Authenticator app, Backup codes.
- Remove and/or do NOT set up: recovery phone or email, google prompt, voice or text message
- Print or write the backup codes. Do NOT store in password manager. Do NOT store on computer.
- Do not turn on recovery email. If there is a recovery email there, remove it.
- Do not turn on recovery phone. If there is a recovery phone there, remove it.
- Do not turn on “Google Prompt”
- Do not turn on “Voice or Text Message”
- At the very bottom, click “Revoke all” for “Devices you trust”
- Return to https://myaccount.google.com/security
- Under “Recently used devices” remove anything that isn’t your primary phone and computer.
- Return to https://myaccount.google.com/security
- Review “Apps with access to your account”. Remove anything you aren’t actively using.
Github: Audit your auth’d apps, turn on 2FA
- https://github.com/settings/applications
- Audit Install Github Apps => Remove anything you aren’t actively using.
- Authorized GitHub Apps => Remove anything you aren’t actively using.
- Authorized OAuth Apps => Remove anything you aren’t actively using.
- 2FA via hardware device
Facebook: some of these are best practices related to privacy rather than security.
Must Do! https://www.facebook.com/settings?tab=security
- Turn on “Get alerts about unrecognized logins”
- Change your password if you didn’t do it before
- Turn on 2FA via Yubikey or Google Auth if you didn’t do it before
Must Do! https://www.facebook.com/settings?tab=privacy
- Future posts: Friends
- Review all posts and things you’re tagged in: On
- Limit past posts: Friends
- Who can see your friends list: Friends
- Who can look you up using email / phone number: Friends
- Do you want search engines…: NO!
Must Do! https://www.facebook.com/settings?tab=applications
- Audit list, remove anything out of date or not actively in use.
Must Do! Turn off Profile Picture Login. Holy fucking shit what a security nightmare that “feature” is.
Recommended! Make sure “Trusted Contacts” was set up intentionally
- This feature allows you to regain access to your account via trusted friends. Make sure you use this feature very wisely.
Recommended! Make sure “Legacy Contact” was set up intentionally.
- Similarly you can have an account transition to someone else upon memorialization (if Facebook receives proof that you’ve died). Make sure it is set up carefully.
Recommended! https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
- Go to “Your Information” w/ green icon. Toggle all switches OFF
- Go to “Ad settings” w/ blue icon. Select: No, No, No one
- Click X’s in Your Interests & Advertisers until you get bored
Recommended! https://www.facebook.com/settings?tab=timeline
- Who can post on your timeline? Friends
- Who can see what others post on your Timeline? Friends
- Who can see posts you’re tagged in on your timeline? Friends
- When you’re tagged in a post, who do you want to add to the audience? Friends
- Who sees tag suggestions when photos that look like you are uploaded? No One
- Review posts you’re tagged in before the post appears on your timeline? On
- Review tags people add to your posts before they appear on Facebook? On
Dropbox / Cloud Storage
- Turn on 2FA
- Turn off any out-of-date phones or computers
- Audit your https://www.dropbox.com/account/connected_apps
Call your cell-phone provider
2021 Update: See our Sim Swapping Bible!
- Inform them that you work in an industry that has had a number of phone number hacks in the recent months. You are concerned about their ability to protect you and are thinking about moving to a different carrier due to this risk.
- Ask them what protections they offer.
- Ask them to put a note requiring you to be in-store with your photo-id in order to activate a new device or port your number.
- Ask to put a pin on the account.
- If you have the option, remove yourself as an authorized user (e.g. if you are on your parent’s plan).
- If you have the option, insert “DO NOT PORT!” and “DO NOT ACTIVATE NEW DEVICE OVER PHONE!!!” in any fields you have access to (e.g. your “Phone name”, “Company” field, etc.).
- Don’t use that phone number for any 2FA anyway. Use a brand new Google Voice number that no one knows.
Step 6-∞:
Move any funds that have been created with an online computer to cold storage.
- Use your hardware wallet or air-gapped computer + paper.
- Do not keep funds on an exchange.
Sign up for https://keybase.io/
- Verify a few profiles. Install the phone app.
- Share with other people on the team.
- This may come in very handy in the future if something of yours is compromised and we need to verify you are who you say you are.
- It’s not the ultimate source of truth, though, and is not necessarily inherently more trustworthy than a phone call, video chat, message on other platforms, etc. It’s just another method we can use if the need arises.
Never Use Public Wi-Fi
- Opt for your own personal mobile hotspot instead.
- https://motherboard.vice.com/en_us/article/evabb7/an-argentine-isp-was-hacked-to-inject-cryptocurrency-miner-code-into-starbucks-wi-fi
- If they can inject crypto-miners into your Wi-Fi, they can inject anything.
Google Yourself
- Remove personal information, old forum links, etc.
- Remove your Facebook profile indexed by Google in FB settings
- Set up Google search alerts for your names, common usernames, etc.: https://www.google.com/alerts
Look yourself up on haveibeenpwned.com
- For anything that has been pwned, ensure that you are not using the same password
- Change specifically *that* password
- If other data is breached (e.g. address or phone number or security questions), ensure that data doesn’t give anyone else access to an account (e.g. don’t protect your online banking with a security question that was revealed during the Adobe breach.)
- Consider starting a new general email address to disconnect yourself from the past breaches
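The same service also lets you check whether a specific password has appeared in a breach without ever sending the password itself. As an added example (not from this guide) here is the k-anonymity protocol its Pwned Passwords range API uses: only the first five hex characters of the password’s SHA-1 go to the server, and the matching is done locally against the returned `SUFFIX:COUNT` lines. The demo runs offline against a constructed response body; only the first line of that body is derived from a real hash (the SHA-1 of the word “password”), the counts are made up, and `fetch_range` is the optional live call.

```python
import hashlib
import urllib.request


def sha1_range_parts(password):
    """Split SHA-1(password) into the 5-hex-char prefix sent to the API and the
    35-char suffix that never leaves the machine (the k-anonymity trick)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines from a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password, range_body):
    """Number of times the password appears in the range response (0 = not seen)."""
    _, suffix = sha1_range_parts(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Live call to the real Pwned Passwords range endpoint; not used by the offline demo."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "pwned-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to prefix 5BAA6. The first suffix is the real
# tail of SHA-1("password"); the other suffixes and every count are made up.
DEMO_RANGE_BODY = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:12
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def check_offline(password):
    """Offline demo: look the password up in the constructed range body."""
    return breach_count(password, DEMO_RANGE_BODY)


def check_live(password):
    """Same check against the real API: the prefix is sent, the suffix is matched locally."""
    prefix, _ = sha1_range_parts(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    print(check_offline("password"))                  # seen in the constructed body
    print(check_offline("correct horse battery staple"))  # not in the constructed body
```

A count greater than zero means that exact password is in attackers’ wordlists and should be treated the same way the guide treats a password from a known breach: change specifically that password, everywhere it was reused.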
If you don’t use Chrome, install and use Chrome from now on.
Bookmark your sites.
- Only use these bookmarks. Do not click links. Do not trust email. Do not trust links in emails. Do not trust attachments on emails.
If you ever encounter a malicious crypto site that isn’t blocked, report it immediately to https://etherscamdb.info/
Install an adblocker
Encrypt your laptop because it can be lost or stolen.
Do not leave your laptop, keys, USBs, phones unattended, even for a moment.
Do not travel to crypto-conferences with laptops, keys, USBs, phones that have all your secrets on them.
Do not store super-secret things on the laptop.
Always check github commits for secrets before committing.
- Do not ever place keys, keystore files, ssh keys, secrets, passwords, access codes, auth tokens, or anything in any folder that you will be committing to Github. Ever.
- Do not place anything secret in the code itself.
- Do not hard-code that shit.
- Do not hard code it “just for testing”.
- Do not hard code it and tell yourself you will remember to remove it later.
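The “check before committing” rule is easiest to keep when a tool enforces it. The following is an added example, not the guide’s own tooling, of a small pre-commit secret scanner: it refuses a commit when a staged file has a name that is obviously key material (`id_rsa`, `*.pem`, a geth-style `UTC--` keystore) or contains a PEM private-key header, an AWS access key id, a raw 64-hex-character key such as an Ethereum private key, a keystore JSON ciphertext, or a string literal assigned to something called password/secret/api_key. The rules and the sample files are constructed for the example; the AWS key id in the sample is the placeholder from AWS’s own documentation, not a live key. Run it with `--staged` from `.git/hooks/pre-commit` to scan the real index.

```python
import re
import subprocess
import sys

# Content rules: (label, regex). Constructed for this example; extend for your own stack.
# They are intentionally broad, so expect the occasional false positive (a SHA-256 in a
# lockfile trips the 64-hex rule); blocking and reviewing is the safe default.
CONTENT_RULES = [
    ("PEM private key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("raw 32-byte hex key (e.g. an Ethereum private key)",
     re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")),
    ("keystore JSON ciphertext", re.compile(r'"ciphertext"\s*:\s*"[0-9a-fA-F]+"')),
    ("secret assigned as a string literal",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|private[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Filename rules: files that should never be staged regardless of their content.
FILENAME_RULES = [
    ("SSH private key file", re.compile(r"(?:^|/)id_(?:rsa|dsa|ecdsa|ed25519)$")),
    ("key material file", re.compile(r"\.(?:pem|key|p12|pfx|jks)$")),
    ("dotenv file", re.compile(r"(?:^|/)\.env$")),
    ("geth-style keystore file", re.compile(r"(?:^|/)UTC--")),
]


def scan_filename(path):
    """Findings are (path, line_no, label); line 0 marks a filename hit."""
    return [(path, 0, label) for label, rx in FILENAME_RULES if rx.search(path)]


def scan_text(path, text):
    """Run every content rule over each line of `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, rx in CONTENT_RULES:
            if rx.search(line):
                findings.append((path, line_no, label))
    return findings


def scan_files(files):
    """`files` is an iterable of (path, text); returns every finding."""
    findings = []
    for path, text in files:
        findings.extend(scan_filename(path))
        findings.extend(scan_text(path, text))
    return findings


def staged_files():
    """Yield (path, text) for the files staged in the current repo (the real hook input)."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout.split()
    for path in names:
        blob = subprocess.run(["git", "show", ":" + path], capture_output=True, check=True).stdout
        yield path, blob.decode("utf-8", errors="replace")


# Constructed sample "staged files" so the scanner can be exercised without a repo.
# The AWS key id is the documented AWS placeholder, not a live credential.
SAMPLE_FILES = [
    ("config/settings.py", 'DB_PASSWORD = "hunter2hunter2"\nDEBUG = True\n'),
    ("deploy/id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n"),
    ("src/wallet.js", "const pk = '0x" + "ab" * 32 + "';\n"),
    ("infra/main.tf", 'access_key = "AKIAIOSFODNN7EXAMPLE"\n'),
    ("README.md", "Run `npm install` then `npm start`.\n"),
]


def demo():
    """Scan the constructed sample instead of the git index."""
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    # As a pre-commit hook: scan the index and refuse the commit on any finding.
    hits = scan_files(staged_files()) if "--staged" in sys.argv else demo()
    for path, line_no, label in hits:
        print("BLOCKED %s:%d: %s" % (path, line_no, label), file=sys.stderr)
    sys.exit(1 if hits else 0)
```

A non-zero exit from a pre-commit hook aborts the commit, which is the point: the secret never enters history, so there is nothing to rotate or rewrite later. Treat any real hit the way the guide says, move the funds or rotate the credential first, then clean up.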
Make sure you are part of the internal security channels.
- If not, ask someone on the team to add you.
My reputation and online identity are powerful
As I engage with the community and others working on projects, my words on social media, via Skype or Slack, or others carry more meaning. There is a level of trust you may have or build without realizing it.
When I speak, others may take it as I am speaking for the company.
- An off-handed comment may harm the company.
- A tongue-in-cheek comment may be taken seriously.
- People may take real action related to their Ethereum accounts due to something I say or recommend.
- I will be careful on the advice or recommendations I give and ask for feedback from others if I am unsure.
- I will be careful with the words I choose to use and opt for bullet points or numbered lists when possible.
- I will think about unintended consequences of things I do or say or recommendations I make.
- I will never engage in trading or price discussions or recommend someone buys or sells, no matter how harmless I think it is.
During a security incident related to our company or another company, I may be part of confidential conversations or learn about confidential items that I am not at liberty to discuss in the short-term, long-term, or both.
- I will be helpful, calm, and composed in these situations.
- I will avoid cluttering the chat and aim to be concise.
- I will do my best to reduce the stress of the situation and be helpful, not add to the chaos.
- I will avoid any public communication or comment without checking with others first.
- I will bring attention & share links to any tweets, reddit posts, forum posts, or emails related to the situation that I encounter as soon as I see them.
Other Resources / Sources
- The Sim Swapping Bible!
- Bad Things Database: https://www.notion.so/tayvano/72675e93bdb94748b2b980d5b3e1392c?v=d07e875005c64f2d8c40a44ca67010a5
- https://medium.com/starting-up-security/starting-up-security-policy-104261d5438a
- https://magoo.github.io/Blockchain-Graveyard/
- https://medium.com/starting-up-security/securing-local-aws-credentials-9589b56a0957
Have something to add? Find a typo?
Comment here. Or DM @MyCrypto, @tayvano_, or @sniko_ on Twitter. Or join our Telegram.