Securing your assets on the blockchain can really be broken down into three simple rules. Following those rules vigorously helps to be as safe as possible from hackers, phishers and scammers.
1. Safely store your private key
When you receive or generate a new private key write it down using your preferred key storage method. It could be a password manager or another encrypted key store on the same or another machine, or it could be a piece of paper or an even more secure method. It should be future proof in that they don't get destroyed, virus infected or found by others, but also that you yourself remember where they are.
Whatever the case make sure to write the private key down 100% correctly, especially when not using copy and paste. If you get only 1 character wrong it might get very annoying or near impossible to figure out what the correct private key was supposed to be.
Also note the associated public key that belongs to that private key for your convenience. In theory you can always regenerate the public key from the private key, but if you made a mistake in writing down the private key then having the correct public key can go a long way.
Additionally it's recommended to add a short comment on what the key is used for, e.g. EOS account name or Binance address.
2. Only enter your private key in trusted apps
Never enter your private key in an app that wasn't properly vetted by the community for security vulnerabilities or worse being an outright scam.
Ask around in community channels but also don't believe just one or two users, ask many and also read official blog articles or github code repositories if possible.
There are apps and websites that steal your ownership within seconds automatically if you ever enter your private key in them, scripts from malicious people can automatically detect if something looks like a private key and test it out in the background.
It should be obvious but never accidentally mistake your public key for your private key, it can happen to the best of us in the heat of the moment. Treat your private keys with the respect they deserve!
3. Double check each transaction
If you secure your private keys and don't ever do any transactions (i.e. not really using any wallet besides maybe storing the private key in it) your job would be done now. You could just accumulate and keep sending more tokens to those addresses.
But because you typically also actively use the blockchain then you are sending transactions. Be it sending tokens or calling a smart contract action, everything is a transaction and needs to be signed by your private key. That transaction could potentially have devastating consequences in theory so it's up to you to look at it multiple times.
Whenever your wallet software asks you to approve any kind of transactions double check it carefully:
- Is the sender and receiver correct?
- Are you sending any tokens, and if so the right amount?
If you're calling a smart contract action that is not just about transferring tokens:
- Do you have any information yet on what that kind of action it is going to do?
- Is there Ricardian contract maybe that explains in human readable words what is supposed to happen?
- Does whatever it's trying to send in that transaction look suspicious in any way? Or are you sending it similar options like other actions you have used in the past?
- Is it clear if tokens could also be sent in that actions?
If it's not 100% clear if the smart contract action could cause an unwanted token transfer or worse changing ownership of the account then reject it for now and try to get more information from the community and official related websites.
This is a very simplified overview of how to keep your crypto assets secure, but it covers most of the typical easy attack vectors. If you have any additional recommendations or questions feel free to post them below.
Excellent article!
You are the number one man in Crypto Security
👏👏👏👏👏👍 Keep us posted!