Security of cryptocurrency users is a tricky question. Blockchains differ from central banks in that no central authority governs the system. This solves the problem of a central authority becoming corrupted over time, but it creates another problem: there is no one who can enforce legal action.
If you are dealing with a bank and money is stolen from your account, you can ask the bank to investigate and return the money to you. It is up to the bank whether it actually does so. However, having a central authority over the money flow means we can appeal to that authority to undo events that are deemed unjust. The bank has the means to reverse any transaction between its accounts, so hypothetically a bank can return your stolen money, and some banks sometimes do. The drawback of banks is that you are helpless if the bank is the one stealing your money.
With decentralized blockchains things are different. The blockchain itself is a piece of code that governs how a large network of independent nodes processes users' transactions. There is no central authority over the network, and no one in the system who knows you by sight and can confirm that your funds are yours. An account (public key) and the password for that account (private key) are everything a decentralized system can know about its users. Therefore, from a decentralized blockchain's point of view, anyone who knows the password has the right to take the money from the account.
For you this means that keeping your password, passphrase or private key safe is your responsibility and yours alone.
This responsibility implies taking time and effort to develop several skills and habits.
Part 1: Basic information security awareness
Know which information may be shared and which information must never be shared.
Always question whether any email about your account makes sense. If anything seems off, do not respond. If you are unsure, contact your service provider directly, and let them know about any suspicious messages.
Tech support or customer service never asks for your passwords or private keys.
Sometimes support may ask you to confirm your identity for security reasons. We do this by verifying information that only the account owner would know.
Part 2: Data protection basics
A chain is only as strong as its weakest link, so all the rules below are equally important. This part is about making your phone and computer safer.
These devices get stolen. There are tools to make sure a stolen laptop will not lead to your exchange account being emptied. Make use of them.
Enable drive encryption
For Mac users:
- Enable FileVault
- Read Enabling FileVault for instructions.
- Select "create a local recovery key". Do NOT allow iCloud to store your encryption key. Keep the letters and numbers of the key in your password manager.
- Go to the "General" tab. Choose to require a password immediately after sleep. You should also require a password when waking from a screensaver.
If you use Windows:
- Use BitLocker
- Read Enabling BitLocker for instructions.
- Make sure that you know your startup PIN. Print the recovery key and keep it secure.
- Go to the Control Panel and select Appearance and Personalization. Click on "Change Screen Saver". Check the box "On resume, display login screen."
Drive encryption protects your laptop's contents and helps keep you safe. Never tell your password to anyone. Never write passwords on paper or in notebooks that you carry around.
Ensure web browser safety
- Keep your operating system up to date.
- Use Google Chrome or Safari as your primary web browser.
- Keep away from unreliable extensions that could spy on all your content. Always do quick research on the web before installing any extension: check whether it is safe and whether malicious copies of it exist. Do the same research before installing phone apps.
- Use encrypted storage for passwords (1Password, LastPass, Passpack or similar).
- Consider the connection compromised if you see a TLS/SSL certificate warning in the browser. Close such pages immediately.
- Enable two-factor authentication (2FA, OTP) wherever possible, but avoid SMS authentication: your phone number can be stolen in multiple ways.
- Stay away from open Wi-Fi networks if possible, and use a VPN from a trusted provider.
- Never click on advertisements.
Protection from phishing
Phishing messages contain URLs that link to fake websites. Scammers design these websites to mimic services you use. They use these sites to steal information from unsuspecting users.
Install MetaMask. MetaMask warns you when you access a known malicious website.
Add all relevant crypto websites to your bookmarks. Use these bookmarks to access the site. Links in search engines and emails could lead to a malicious copy of a website.
Always verify the URLs of services that you use.
Trust only information posted by official sources. Blind trust in Telegram spam bots and phishing sites is how scammers get millions.
Do not trust URLs sent via private messages. Always verify information with a secondary source. Check any suspicious links or files before opening.
Never enter sensitive data, especially passwords and private keys, on a website that was sent to you in a message.
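The bookmark rule above can be turned into a mechanical check: compare the exact hostname of a link against the list of sites you actually bookmarked, and treat anything that merely contains or resembles a bookmarked name as suspect. The script below is an added example, not part of the original post or of any wallet or exchange product; the domains `exchange.example` and `wallet.example` are constructed placeholders, and the classification labels are my own.

```python
"""Classify links against a bookmark allowlist to spot phishing lookalikes.

Added example (constructed allowlist and sample links, not the page's own code).
"""
from urllib.parse import urlsplit

# Constructed allowlist: the sites the user has bookmarked (hypothetical names).
BOOKMARKED_HOSTS = {"exchange.example", "wallet.example"}


def decode_host(host):
    """Lowercase the hostname and decode punycode (xn--) labels so that an
    internationalised lookalike is judged on the characters a user would see."""
    if host is None:
        return None
    host = host.lower()
    if "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return None
    return host


def classify_url(url, allowlist=BOOKMARKED_HOSTS):
    """Return one of:
      'trusted'   exact bookmarked hostname over https
      'subdomain' a subdomain of a bookmarked host (plausible, still verify)
      'idn'       hostname contains non-ASCII characters (possible homoglyph)
      'insecure'  bookmarked-looking or not, the scheme is not https
      'lookalike' a bookmarked name appears in the link but the host differs
      'unknown'   nothing bookmarked resembles this link
    """
    parts = urlsplit(url.strip())
    host = decode_host(parts.hostname)
    if host is None:
        return "unknown"
    # Non-ASCII labels are checked first: a Cyrillic 'а' in place of Latin 'a'
    # would otherwise pass a naive string comparison once decoded.
    if any(ord(ch) > 127 for ch in host):
        return "idn"
    if parts.scheme != "https":
        return "insecure"
    if host in allowlist:
        return "trusted"
    if any(host.endswith("." + allowed) for allowed in allowlist):
        return "subdomain"
    # A bookmarked name anywhere else in the link (userinfo trick, trailing
    # domain trick, hyphenated brand name) is the classic phishing pattern.
    lowered = url.lower()
    if any(allowed in lowered or allowed.split(".")[0] in host
           for allowed in allowlist):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links covering each outcome.
    samples = [
        "https://exchange.example/login",
        "https://support.exchange.example/",
        "https://exchange.example.evil.test/login",
        "https://exchange.example@evil.test/",
        "https://my-exchange.test/",
        "http://exchange.example/",
        "https://exch\u0430nge.example/",  # Cyrillic a
        "https://news.other.test/",
    ]
    for link in samples:
        print(f"{classify_url(link):10s} {link}")
```

Run it with a link pasted from a message before you click; only `trusted` means the link points at the site you bookmarked. The `idn` and `lookalike` results are exactly the cases where the address bar alone is easy to misread.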
Use a password manager to store passwords. Some options include 1Password, LastPass, and Passpack.
Use a new, randomly generated password for each account, and make each password the maximum length the service accepts.
Subscribe to notifications on https://haveibeenpwned.com/.
Consider your passwords compromised if sent over SMS, email, or any other messenger.
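The two password rules above (one random password per account, as long as the service allows) are what a password manager does for you; the script below shows the same two operations in the open, as an added example that is not part of the original post or of any password manager. It draws passwords from the operating system's CSPRNG via Python's `secrets` module, enforces a character-class mix so that sites with composition rules accept the result, and finds accounts in a (constructed, in-memory) vault that share a password. The vault contents and the minimum length of 12 are my assumptions.

```python
"""Generate per-account random passwords and detect reuse in a vault.

Added example (constructed vault, not the page's own code).
"""
import math
import secrets
import string

# Printable ASCII without whitespace: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12  # assumption: shorter caps are a red flag about the service


def has_all_classes(password):
    """True when the password contains lower, upper, digit and punctuation."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(max_length, alphabet=ALPHABET):
    """Return a password of exactly max_length characters drawn uniformly
    from alphabet with secrets.choice (never random.random, which is
    predictable), retrying until every character class is present."""
    if max_length < MIN_LENGTH:
        raise ValueError(f"refusing to generate fewer than {MIN_LENGTH} chars")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(max_length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(len(alphabet))


def find_reused(vault):
    """Group account names that share the same password.

    vault maps account name -> password. Returns a list of sorted groups,
    each with at least two accounts, so an empty list means no reuse."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return sorted(sorted(group) for group in by_password.values()
                  if len(group) > 1)


if __name__ == "__main__":
    # Constructed vault: two accounts reuse one password, one is unique.
    vault = {
        "exchange": "Winter2024!",
        "email": "Winter2024!",
        "forum": generate_password(64),
    }
    for group in find_reused(vault):
        print("password shared by:", ", ".join(group))
    fresh = generate_password(64)
    print(f"new 64-char password ({entropy_bits(64):.0f} bits): {fresh}")
```

Running it reports the `email`/`exchange` pair as sharing a password and prints a fresh 64-character one; in practice the manager should both generate and store such a value, since a password this long is not meant to be remembered.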
And HODL safe.