A metric from the year 2022 states: “A total of over $1.3 billion in crypto assets have been stolen from a multitude of investors falling victim to hacks or cyberattacks!”
After several years in the cryptocurrency market, attending conferences on the security of cryptocurrency custody, and listening to other investors' opinions, experiences, and past mistakes, we have arrived at a concise classification of security levels for your crypto “vault.”
In today’s landscape, there are various fraudulent activities:
Phishing: Users are contacted via email, SMS, or websites resembling official channels of well-known platforms. The malicious content of the site, email, or message requests data input or contains links with viruses and malware that can compromise the security of your account, leading to loss of funds and theft of sensitive data.
Backdoors: Deliberate vulnerabilities in hardware. Users who buy used, refurbished, or even new devices from lower-tier marketplaces risk receiving devices with pre-installed malicious code designed to extract and exfiltrate personal data, passwords, and user activity once the device is activated and configured.
Private Keys: For Web 3.0 investment security, your private keys are based on email and password combinations. Losing or forgetting the password, or having it stolen, will undoubtedly result in loss of funds. Equally important is managing the email used to create the various accounts in applications or for hardware wallet management. Using dedicated emails, a different one for each use, greatly reduces malicious actors' chances of penetrating your accounts.
Wallets fall into two major categories, cold and hot; let's explore them:
- Cold Wallets: Offline devices that are highly secure and difficult to breach. Hardware wallets (the most widely used and secure brands being Ledger and Trezor) fall into this category. They are USB devices with onboard storage that support the popular cryptocurrencies on the market, NFTs, and on-chain staking, and facilitate token transactions.
- Hot Wallets: These are online connected wallets. Software wallets (like Exodus) and browser wallets/web extensions (such as Metamask) are in this category, requiring an internet connection to function.
Custody with third parties such as exchanges or lending platforms (Binance, Coinbase) is not considered here, because in those cases users do not actually hold their cryptocurrencies (not your keys, not your cryptocurrency). Below is a ranking, starting from the highest security level:
- 1st Level: A dedicated PC with a hardware wallet equipped with a customizable password. The password must be made up of 100 consecutive letters and digits, drawn each time.
- 2nd Level: A dedicated PC for managing a hardware wallet, choosing the 12/24/36 words (preferably 36).
- 3rd Level: A regular-use PC for managing a hardware wallet.
- 4th Level: A dedicated tablet or smartphone for managing a hardware wallet.
In the world of crypto communities, we constantly hear about malicious transactions due to email phishing, purchases of hardware wallets on Amazon or other e-commerce sites with pre-set backdoors, fund losses, password theft, and hacking of accounts.
From my perspective, there will never be a perfect solution, but certain precautions can be taken. Always turn to official sites when purchasing a hardware wallet. For greater security, before connecting, always check the firmware version and proceed with updates before launching the cold wallet management software.
Another crucial aspect is keeping the dedicated PC offline and connecting it to the internet only for specific operations. Antivirus software and a reputable paid VPN can add further security. But the PC should be used strictly in conjunction with the USB device (e.g., Ledger).
Last, but equally important, is email: it constitutes 50% of the “personal keys” that manage our crypto “vault” and investment portfolio. It is essential to configure a dedicated email solely for hardware wallet management (not the same account you use on your personal PC, for example) and not use it for other services. When registering your wallet on decentralized apps or specific exchanges, always use email addresses different from the primary email that manages the hardware wallet.
Following the same principle as private keys, the password should not be stored on a server, desktop folder, Apple Cloud, Google Cloud, or in a screenshot (cases of hacking these clouds have occurred in the past). Instead, it’s advisable to resort to the good old-fashioned method of writing the password on paper with a pen.
An additional increase in security can be achieved by using multiple devices simultaneously. For example, one PC for interacting with the hardware wallet, another for managing the linked email, and yet another for Google Authenticator to approve wallet access and individual transactions. This way, an attacker would have to breach three dedicated devices, all of which need to be turned on simultaneously. In other words, the more obstacles between you and potential malicious actors, the more time they need to break through your security layers.
To save on hardware costs, instead of physical PCs, you can create virtual machines within your regular PC, turning them on and using them solely for their designated functions.
In summary, using the most complex password possible reduces the likelihood of it being guessed. We are aware that attackers widely deploy automated bots that attempt to guess passwords. Since money is always at stake, the more complex and nonsensical the password, the better, as it also buys you time. Being cautious in your actions matters just as much. Setting up security measures is necessary, but diversified email use or antivirus software won't do most of the work; it is we who might fall into traps through distraction or emotion.
Behaviors to avoid absolutely include clicking on wrong or suspicious links and opening scam sites. Always stay vigilant when browsing or conducting financial operations involving your crypto assets. The harsh reality is this: once lost, your cryptocurrencies cannot be recovered.
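As an added example (not code from the original article), the Python below puts numbers on the “buys you time” argument for the options in the ranking above: it draws a 100-character password from a cryptographically secure source and compares its entropy, and the expected brute-force time, with 12/24/36-word phrases. The 2048-entry word list and the 10^12 guesses-per-second attacker rate are assumptions, not figures from the article.

```python
import math
import secrets
import string

# The "characters and numbers" alphabet from the 1st level: 26 + 26 + 10 = 62 symbols.
ALPHABET = string.ascii_letters + string.digits
# Assumption: a 2048-entry word list, the usual size for hardware-wallet recovery words.
WORDLIST_SIZE = 2048
# Assumed attacker budget, deliberately generous: one trillion guesses per second.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 100) -> str:
    """Draw `length` symbols uniformly at random from the OS CSPRNG (never random.choice)."""
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_brute_force_years(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected years to guess a secret of `bits` entropy: half the space on average."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def compare_levels() -> dict:
    """Entropy in bits of each option in the article's ranking (every word treated as a free choice)."""
    return {
        "100-char password": entropy_bits(len(ALPHABET), 100),
        "12 words": entropy_bits(WORDLIST_SIZE, 12),
        "24 words": entropy_bits(WORDLIST_SIZE, 24),
        "36 words": entropy_bits(WORDLIST_SIZE, 36),
    }


if __name__ == "__main__":
    print("sample 1st-level password:", generate_password())
    for name, bits in compare_levels().items():
        years = expected_brute_force_years(bits)
        print(f"{name:>18}: {bits:6.1f} bits, ~{years:.1e} years at {GUESSES_PER_SECOND:.0e} guesses/s")
```

The figures are a theoretical guessing bound only; a password this long cannot be memorised, which is why the article insists it be written down on paper rather than stored in a cloud account.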
As mentioned at the beginning of this article, there’s no perfect solution; you need to balance security with responsiveness and usability. For everyday needs like trading, DeFi operations, participating in farming pools, and engaging in pre-sales, waiting to input a 100-character alphanumeric password is obviously impractical. Therefore, it’s advisable to segregate funds intended for daily activities from savings, applying maximum security measures to the latter.
Vincenzo Nerone
Officina DeFi