Everyone wants your Bitcoins, including bad guys. Let's make it as hard as we can for them!
I have split this guide into 3 sections, basically in order of importance. If you own less than $1000 of crypto, you can probably stop reading after the first section; otherwise read on to section 2. The third and last section is more theoretical, or for the ultra-paranoid, but if Bitcoin keeps rising like this I'm sure some of us will end up there eventually!
If you haven't, please also check out @notsofast's security guide. My guide is basically an extension to his, and I'm going to be somewhat brief on topics that @notsofast has already covered.
1. The Essentials
Spread your bets
As a regular trader you will probably have some money sitting on exchanges. This is of course needed to trade but be aware how vulnerable exchanges are to hacks, theft, fraud or incompetence. The best way to protect yourself is to withdraw when not currently trading, and when you do use exchanges, spread your money across several different exchanges in case one fails.
If you think hacks are only a concern for the smaller exchanges or the shady ones, think again: Bitfinex got hacked last year for over 100000 Bitcoins. Poloniex had a vulnerability this year that could have emptied all of their Ethereum (ETH) tokens. Luckily for us, good guys found it first and reported the vulnerability.
Decentralised exchanges are not immune to hacks either so this advice also applies to them.
2FA all the things
2FA or two-factor authentication for exchanges and email is your best line of defense if you happen to be compromised. The point is not to add an extra 'password', but to store its secret on an independent device so that a hacker would need to gain access to both devices rather than one. This is why it's important to never store a backup of your 2FA seeds on your computer: that defeats the entire purpose. Only store it on your 2FA device (e.g. phone), with a backup on a piece of paper. If you want to be extra vigilant, use a dedicated and offline phone for 2FA.
Never ever use SMS-based 2FA, which can easily be rerouted to an attacker's phone just by impersonating you on a customer support line. Yes, this happens: How to lose $8k worth of bitcoin in 15 minutes with Verizon.
On passwords
Okay, the topic of passwords is already extensively covered elsewhere so I'm going to keep it short. Never use the same password twice, use a password manager to generate strong passwords and keep them safe. That's about it. And as always, there's a relevant XKCD.
Choose your OS wisely
Your Operating System is your first line of defense and also one of the largest attack surfaces for a motivated attacker.
Unfortunately, many people I know are still using Windows, which I strongly recommend against. Even if we ignore how negligent Microsoft has been in patching older versions of Windows against security issues, Windows is simply considered less secure on the principle that because more people use it, it is a bigger target.
Linux is rumoured to have only around 1% of the market, so it is a much safer choice, even if we ignore its superior security features. One such great feature is full disk encryption, which we will come back to later in this article. When it comes to Linux distributions, the most secure choice in existence is probably TAILS. I plan to write a dedicated post on TAILS, so look out for that. In the meantime any choice of Linux is probably fine.
Secure your applications
Unlike phones, desktop OSes do very little to sandbox applications, or in other words, to prevent one application from accessing another's data. So no, your 5-year-old workstation with hundreds of Steam games and who knows how many other untrusted applications is not the place to store your crypto. Move your gaming stuff and everything else to a separate PC, then use a fresh install to do crypto-related things. There are really cheap laptops these days; I see no excuse not to separate your workflows this way.
To reduce attack surface, always turn off / uninstall any applications or features you are not using. Did you know about BlueBorne, a recent vulnerability that could have made an attacker take over all Bluetooth devices in the world? Scary huh.
That new wallet for an altcoin you downloaded? Better to run it in a VM if you don't completely trust it. This is how the Cryptsy exchange was infamously hacked: a trojan in a wallet. And no, an anti-virus will not protect you from this.
Secure your Email
Your email is, like it or not, another crucial piece of the security puzzle. If someone gets into your email they can lock you out, reset passwords on exchanges to get into them, etc. Whoever invented email probably never intended it to be used like this; now we have to deal with the fallout. I recommend:
- Use a separate email address for crypto-related things (even better, separate address for every service/exchange!)
- Avoid revealing these email addresses to anyone
Ever wondered how often your email/passwords have been compromised in a data leak? Look it up on HaveIBeenPwned or sign up for notifications.
Everything about links
If you are active in any Slack channels, Twitter, etc., it is important to be vigilant of clicking links.
Shortlinks (like goo.gl) have no place in crypto circles. It is literally impossible to know where such a link leads before you click it. Beware!
Assume that any unsolicited or unknown link from someone you don't know is a scam or worse, malware/exploit. Use a virtual machine to investigate such links.
Whenever you visit an exchange/wallet site, make sure to carefully check the URL every time. Attempts to register look-alike URLs are getting really popular lately. They even get advertising slots, and I am shocked that Google isn't doing more about this. (How hard would it be to force a manual review of ads for certain terms/URLs like cryptocurrency exchanges?) Needless to say, using an ad-blocker is another step that can't hurt.
2. A Step Further
So far we've basically assumed the person out to get us is a bad person on the internet. But if we want to sleep extra safe, there are many more attack surfaces to worry about. What about our real-life acquaintances? What about the trust we place in software and hardware manufacturers?
The first rule of Bitcoin Club
Don't tell anyone. Seriously, no one, as tempting as it may be. That friend you jokingly told of your Bitcoin stash back when they were worth nothing? Yeah, he knows you're loaded now.
If you really can't resist talking about Bitcoins, never tell amounts. Measure your successes as percentage gains, like 'Cool, I made 200% on this trade!'.
Browse safely
Use a VPN to protect your network activity from being monitored or profiled by your internet service provider, and to prevent attackers from knowing your physical location from your IP address.
Do note that most VPNs rely on trusting a centralised provider not to give up your info if asked. In the spirit of Bitcoin, Tor does not rely on trust and is probably a safer option. It is also free (as in free beer) to use.
Transaction privacy
No, don't 'use bitcoin whenever you pay'. Bitcoin is notoriously bad for privacy. Because the blockchain is public, everyone you transact with (let's say you buy a coffee) will instantly know how many coins you have, where you got them from and what you do with them in the future. If that doesn't sound like a bad idea to you...
For day-to-day transactions, coins like Monero, ZCash or Dash are much better. Monero basically has a mixer built into its protocol, which makes it hard to link a payment, but with enough evidence you can still build a case. Monero also hides the amount of a transaction with a feature called 'RingCT'.
ZCash uses complex cryptography that makes for provably unlinkable payments, assuming their math is correct, anyway. However, you need to trust the founding members of ZCash that they actually burned their keys, or the whole system falls apart.
I have not looked into Dash that much; I hear it has private payments, but not as its main selling point.
Personally I'd go with Monero in this case. xmr.to is useful for paying with Monero at places that only accept Bitcoin.
Encryption
Use full disk encryption with a strong passphrase to protect your computer against unauthorized physical access. Logins and lock-screens are not enough; they are too easy to circumvent in 2 minutes with physical access to the machine. Shut down your PC while you sleep.
Cold Storage
Cold Storage refers to moving crypto to a wallet that has never been exposed to an internet connection. Cold Storage is no doubt an invaluable tool if you store many bitcoins. The methods to use are up for debate and depend on your level of paranoia, of course. That paper wallet you printed: how much do you trust your printer? If you used a laptop to generate the key, how much do you trust the laptop manufacturer? Bear in mind that simply being offline does not equal perfect security: you could still be compromised by generating a weak private key. With that said, cold storage is unequivocally more secure than internet-connected wallets.
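On the 'weak private key' point, here is an added example (not from the original post) of what a sound offline key generation step looks like: draw the key from the OS CSPRNG, reject values outside the secp256k1 order (0 and anything at or above N are unusable), and encode it in Wallet Import Format so it can be written on paper. The curve order, version byte 0x80 and Base58Check layout are the Bitcoin mainnet conventions; nothing here touches the network.

```python
import hashlib
import secrets

# Order of the secp256k1 group: a valid Bitcoin private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def is_valid_private_key(key: bytes) -> bool:
    """Reject keys of the wrong length or outside the curve order."""
    return len(key) == 32 and 1 <= int.from_bytes(key, "big") < SECP256K1_N


def generate_private_key() -> bytes:
    """Draw 32 bytes from the OS CSPRNG (never random.random, a brain-wallet phrase, or a
    hand-typed value) and retry in the astronomically unlikely case the value is out of range."""
    while True:
        candidate = secrets.token_bytes(32)
        if is_valid_private_key(candidate):
            return candidate


def base58check(payload: bytes) -> str:
    """Base58Check: append the first 4 bytes of double-SHA256, then encode in base58.
    Leading zero bytes are preserved as leading '1' characters."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    number = int.from_bytes(data, "big")
    encoded = ""
    while number:
        number, remainder = divmod(number, 58)
        encoded = BASE58_ALPHABET[remainder] + encoded
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + encoded


def to_wif(key: bytes, compressed: bool = True) -> str:
    """Mainnet Wallet Import Format: 0x80 || key || (0x01 if compressed pubkey) || checksum."""
    if not is_valid_private_key(key):
        raise ValueError("private key out of range for secp256k1")
    return base58check(b"\x80" + key + (b"\x01" if compressed else b""))


if __name__ == "__main__":
    key = generate_private_key()
    # Run this only on the offline machine; the WIF string is the secret itself.
    print("WIF:", to_wif(key))
```

The well-known test vector from the Bitcoin wiki (private key 0C28FCA3...72AA1D, uncompressed) encodes to 5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ, which is a quick way to confirm the encoder before trusting it with a real key.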
3. Pure Paranoia
This section is more theoretical for me and I don't know anyone who goes to these lengths, but surely there are some out there.
Build it yourself
Any software you use must be built from source code that you have reviewed yourself or use a reproducible build that was provably created from that source code.
Assume everything is compromised
Consider every piece of personal information you have ever entered anywhere to be compromised and known. There is no proof to say it's not, is there? Cloudbleed was a rather scary source of leaks recently.
Keep Moving
Going by the last paragraph, you consider your home address to be compromised and known to be associated with your Bitcoin stash. So unless you want to be kidnapped and ransomed, you have to leave. Something like: move across the world, live in hotels (never pre-booked and paid in cash, of course). Don't fly commercial airlines; do hire a private jet, etc.
Research your destinations
Here's a shocker: did you know there are countries with Key Disclosure Laws that make you a criminal for not revealing your passphrases when asked by law enforcement? It is unclear how this applies to Bitcoin keys. Until this is known for sure one should probably steer clear of these countries.