How to Keep Hackers Out of Your Cryptocurrency
Ten OpSec Things You Want To Know
One day I woke up to one of my wallets drained – over $1,000 in crypto gone. Poof. I suppose it's a rite of passage in web3 to be "rug pulled" or scammed at least once. But it doesn't have to be.
In this article, I'll review some tips to up your OpSec. OpSec is short for operations security; the term originated in the military but is also popular among the top 10 blockchain development companies. In this context, it refers to strategies to protect your assets and transact safely.
Why Does OpSec Matter?
First, bad actors exist in this space. Fortunately, most folks are awesome people working on amazing technology. But it is imperative to maintain a high level of caution because of those with malicious intent.
Second, with so many people generating life-changing wealth, it is easy to see this space as a get-rich-quick scheme, making it tempting to fall for some of these scams. After all, who doesn't like making money?
Third, the onus is on you. This is because the best crypto developers allow for self-custody, in which you possess your coins in a wallet that nobody else can access. This is unlike traditional finance, where your assets are custodied by an institution like a bank or brokerage. This is great for being truly self-sovereign, but it is also the digital analog of walking around with all your money in your back pocket. Even some of the best solutions are only as good as keeping your life savings under your mattress. As a result, if your keys are compromised, there is no recourse; Ethereum has no customer support team to freeze your account or refund unauthorized transactions. With great power comes great responsibility.
The Basics
Use a password manager.
Password managers generate secure passwords for your accounts and safely store them. It's imperative to make complex passwords with many letters, numbers, and symbols such that it is difficult for a hacker to brute-force or socially engineer out of you. It's also imperative to have different passwords for each account, as otherwise if one password is exposed, all your accounts are compromised. Security breaches are common, and there are even sites that allow you to see if your password for a particular site has been compromised.
Employ Multifactor Authentication.
Multifactor authentication involves verifying that you are logging in by entering a code on a different device, typically your cell phone. This adds another layer of security because even if your password is compromised, someone would need access to your phone.
Utilize Biometrics.
I'm also a fan of biometrics such as fingerprint or facial recognition as an additional layer of defense, as it is difficult to spoof someone's face or thumb.
Nine More Things To Be Aware Of…
Celebrity shills !== reputable projects.
While you might be tempted to buy an NFT that your favorite athlete or musician is promoting, I see it as a red flag. Influencers often use their following to promote scammy projects to make a quick buck. They're usually being paid a lot to post about these projects and not posting them in good faith with due diligence. A notorious example was Ethereum Max, shilled by Kim Kardashian and Floyd Mayweather. Ultimately, it was a rug pull, and they are facing lawsuits for deceiving people to buy into this token.
Social Media Messages.
On Twitter, more and more scam accounts are popping up, tagging and DM-ing millions of people with posts to mint an NFT or buy a particular coin. Do not trust these. Sometimes it is easy to see that an account is a scammer: telltale signs are a low follower count, no profile picture, no mutual followers, a recent account creation date, and only posting about the project they are shilling. However, some scammers are getting smart, using Bored Apes as their profile pictures, buying followers, and copying reputable people's bios and posts. Double-check the handle, as they will often have one similar to the account they are impersonating. EX: my Twitter is @thedanhepworth, so a scammer might make an account called @lhedanhepworth, which at a glance looks the same but is not.
Similarly, Discord is a common attack vector. My advice here is to turn off direct messages. 99.999% are scams; I've never had a valuable interaction through DM. If you need to reach someone from Discord, send them a friend request or move the conversation to another platform.
Moreover, I have been added to many scammy and spammy chats on Telegram. Be leery of who has access to your Telegram username. It's best to leave these immediately and report sketchy group chats.
Gone Phishing
Phishing is when a scammer creates a deceiving website or email to get you to log in, on which they obtain your account information. OpenSea faced a recent phishing scam where people were emailed about migrating their NFTs, for which they had to sign a transaction. This malicious transaction resulted in over a million dollars in NFTs being stolen. Double-check that the sender of an email is trustworthy. Even then, it is possible to spoof someone's email address, so look for any inconsistencies in the body of the message.
It's common for attackers to spin up copies of popular dApps at incorrect URLs. For example, opensea.io is OpenSea's URL, but a scammer can buy the domain opensea.com or openseaa.io, as those are common typos. They can then spin up a fake landing page on which you can sign in via MetaMask. However, once you transact on this imposter app, your wallet will likely be compromised.
There have even been cases of scammers buying Google Ads, so their fake URLs rank above the real ones. For safety, you can find the real URL through a project's official Twitter or CoinGecko listing.
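The two impersonation tricks above, a near-identical handle (@lhedanhepworth for @thedanhepworth) and a typo or TLD-swapped domain (opensea.com, openseaa.io), can both be caught with the same check: compare what you are looking at against a short list of names you have verified yourself. Here is an added example of such a checker (mine, not the article's or any project's code). The trusted lists and the confusable-character table are constructed for the example; the domain check uses the last two labels as the "registrable domain", a simplification that ignores public suffixes like co.uk.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Constructed reference lists: handles and domains you have verified through
# the project's official Twitter or CoinGecko listing.
TRUSTED_HANDLES = {"thedanhepworth", "opensea"}
TRUSTED_DOMAINS = {"opensea.io", "coingecko.com"}

# Character sequences that look alike at a glance. Constructed and deliberately
# short; a production checker would use the Unicode confusables table.
CONFUSABLES = {"rn": "m", "vv": "w", "l": "1", "i": "1", "|": "1", "0": "o"}


def skeleton(name: str) -> str:
    """Collapse confusable sequences so visual lookalikes map to the same string."""
    s = name.lower().lstrip("@")
    for seq, rep in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, rep)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution per unit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_handle(handle: str, trusted: Iterable[str] = TRUSTED_HANDLES) -> str:
    """Returns 'trusted', 'lookalike of @x', or 'unknown'."""
    h = handle.lower().lstrip("@")
    if h in trusted:
        return "trusted"
    for t in trusted:
        if skeleton(h) == skeleton(t) or levenshtein(skeleton(h), skeleton(t)) <= 1:
            return f"lookalike of @{t}"
    return "unknown"


def classify_domain(url: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> str:
    """Same idea for a URL. Flags a TLD swap (opensea.com), a one-character typo
    (openseaa.io), a confusable (0pensea.io) and a trusted name buried inside a
    longer host (opensea.io.example)."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    labels = [lab for lab in host.split(".") if lab]
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2:
        return "unknown"
    domain = ".".join(labels[-2:])   # simplification: no public-suffix list
    if domain in trusted:
        return "trusted"
    sld = labels[-2]
    for t in trusted:
        t_sld = t.split(".")[-2]
        if t in host or skeleton(sld) == skeleton(t_sld) or levenshtein(sld, t_sld) <= 1:
            return f"lookalike of {t}"
    return "unknown"


if __name__ == "__main__":
    for h in ("@thedanhepworth", "@lhedanhepworth", "@0pensea"):
        print(h, "->", classify_handle(h))
    for u in ("https://app.opensea.io/x", "opensea.com", "openseaa.io"):
        print(u, "->", classify_domain(u))
```

The point of the "lookalike" verdict is that it fires on anything close to a trusted name without being exactly it, which is precisely the case where a glance fools you and where you should go back to the project's official listing before signing anything.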
Suspicious Airdrops.
These are common on cheaper blockchains like Polygon, where sending tokens to millions of wallets en masse is not expensive. Generally speaking, do not touch any tokens or NFTs that have been sent to you from someone you do not know.
The harm comes when you try to transfer or sell them. This is counterintuitive, as you might want to "clean up" your wallet and get rid of those tokens, but there is no harm in them simply sitting in your wallet.
They may also have manipulated price feeds so your airdrops look valuable, egging you on to FOMO into visiting their website. The attacker wants you to transact with their malicious smart contracts to drain tokens from your wallet. Never sign a transaction inside a dApp you haven't verified as legitimate.
Be Alert To Social Engineering.
Fraud in crypto is coming from all angles. One common scam that extends beyond crypto is for someone to impersonate someone you know and ask for help. It's unfortunate that this is the world we live in, but if your friend, relative, or colleague is asking for financial information, please verify that it is them. If it's someone you know only online, be wary of trusting them, because some criminals are good at what they do.
Pay Attention To Wallet Hygiene
Browser Wallets
The most popular browser wallet is MetaMask. Under the hood, your private keys are stored locally in your browser's extension data. While it is convenient for interacting with dApps, keeping large sums of money in this wallet isn't recommended. In addition to being connected to many different sites, there is also the chance that your private key could be breached. A vulnerability was recently discovered in an old version of Google Chrome that potentially exposed your private keys. Scammers have also impersonated Apple to retrieve your Apple ID password, which gives them access to your iCloud, which can also contain private key backups.
Hardware Wallets
The most popular ones are Ledger and Trezor. They are small devices, like a USB drive, that contain your private keys. When you transact, the data to sign is sent to the device, signed there, and the signed transaction is sent back to your computer and then broadcast on the blockchain; the private key itself never leaves the device. These are recommended for dealing with larger amounts of money. Make sure to buy a hardware wallet from the manufacturer's official site.
Hot vs. Cold Wallets
Another method of separating concerns is designating one wallet as the "hot" wallet and another as the "cold" wallet. The hot wallet is the one you use to transact regularly on the blockchain for activities such as staking, DeFi, buying NFTs, and swapping tokens. The cold wallet only ever receives funds and never interacts with smart contracts. This is analogous to having a checking and a savings account. It's convenience vs. security, like having a smart WiFi lock on a rental property but only a physical "cold" key for your home.
Multisignature Wallets
Multisignature wallets, or "multisigs" for short, are smart contracts. They're an abstraction in which the smart contract can do everything a regular wallet can. However, for a transaction to be executed, it must be approved by a certain number of signers. They're great for families, friends, and DAOs. The most popular one is Gnosis Safe, available on EVM blockchains (Ethereum, Polygon, etc.). You can also use a multisig for your own funds by using several wallets you control as the signers. It's effectively multifactor authentication for the blockchain! Even better if one of the signers is a hardware wallet.
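The "approved by a certain number of signers" rule is simple to state but has a few edge cases worth seeing in code: the same owner approving twice must not count twice, approvals must be bound to the exact transaction so a swapped recipient inherits none of them, and an executed transaction must not be replayable. The following is an added example of that M-of-N logic, written by me for this article; it is not Gnosis Safe's contract code. The transaction fields and owner addresses are constructed, and signature verification is left out (in the real contract, each approval is an on-chain signature check against the owner's key).

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Transaction:
    """What the owners are asked to approve. Constructed fields, loosely modelled
    on a Safe transaction: recipient, amount, calldata and a replay-protecting nonce."""
    to: str
    value_wei: int
    data: str = "0x"
    nonce: int = 0

    def digest(self) -> str:
        # Owners approve the hash of the exact payload, so a substituted
        # recipient or amount carries none of the approvals collected so far.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class MultisigWallet:
    """M-of-N approval logic: `threshold` distinct owners must approve one digest."""

    def __init__(self, owners: Iterable[str], threshold: int):
        self.owners: Set[str] = {o.lower() for o in owners}
        if not 1 <= threshold <= len(self.owners):
            raise ValueError("threshold must be between 1 and the number of owners")
        self.threshold = threshold
        self.approvals: Dict[str, Set[str]] = {}   # digest -> approving owners
        self.executed: Set[str] = set()
        self.next_nonce = 0

    def approve(self, tx: Transaction, owner: str) -> int:
        """Record one owner's approval; returns the approval count for this tx."""
        owner = owner.lower()
        if owner not in self.owners:
            raise PermissionError(f"{owner} is not an owner of this wallet")
        approvers = self.approvals.setdefault(tx.digest(), set())
        approvers.add(owner)            # a set: approving twice still counts once
        return len(approvers)

    def can_execute(self, tx: Transaction) -> bool:
        enough = len(self.approvals.get(tx.digest(), ())) >= self.threshold
        return enough and tx.nonce == self.next_nonce and tx.digest() not in self.executed

    def execute(self, tx: Transaction) -> str:
        """Execute (here: just record it) once the threshold is met; returns the digest."""
        if not self.can_execute(tx):
            raise PermissionError("threshold not met, wrong nonce, or already executed")
        self.executed.add(tx.digest())
        self.next_nonce += 1
        return tx.digest()


if __name__ == "__main__":
    # Constructed 2-of-3 wallet: a hot browser wallet, a hardware wallet, a backup.
    safe = MultisigWallet(["0xHot", "0xLedger", "0xBackup"], threshold=2)
    tx = Transaction(to="0xRecipient", value_wei=10**18)
    print("approvals after hot wallet:", safe.approve(tx, "0xHot"), safe.can_execute(tx))
    print("approvals after hardware wallet:", safe.approve(tx, "0xLedger"), safe.can_execute(tx))
    print("executed:", safe.execute(tx))
```

This is why a multisig with a hardware wallet as one signer is "multifactor authentication for the blockchain": a compromised browser wallet can approve, but on its own it can never reach the threshold, and it cannot redirect an already-approved payment because the approvals are tied to the original digest.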
Keep Exchange API Keys Secure.
We've all used centralized exchanges to buy and sell crypto – think Coinbase, Binance, etc. Most of the time, you do so from their website or mobile app. But they also offer API keys; an API key is a string of letters and numbers that lets a program act on your account without going through their site. This is mainly used by serious traders running bots or third-party platforms to implement complex strategies. Don't worry about making API keys if that isn't you. Sometimes they're also needed for connecting crypto tax accounting software.
If this is you, you should do a few things to keep your API keys secure:
- Never give transfer/withdrawal permissions. Otherwise, if your key is exposed, the hacker can trade on your behalf and send all your assets to their wallet.
- Whitelist IPs. If your bot is running on a server in California, but the attacker is in New York, they cannot use your account.
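Here is an added example (mine, not any exchange's code) of what those two settings do on the exchange's side of a request: the key's granted scopes are checked first, then the caller's IP against the allowlist. A weak key (all permissions, no allowlist) is placed beside a hardened one so the difference is visible when the same key is used from a machine that is not your bot's server. The scope names and the two IP addresses are constructed; the addresses come from the documentation ranges reserved for examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Permission scopes as most exchanges expose them. Constructed names; each
# exchange labels them differently in its key-creation screen.
READ, TRADE, WITHDRAW = "read", "trade", "withdraw"


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    scopes: FrozenSet[str]
    ip_allowlist: Tuple[str, ...] = ()   # CIDR blocks; empty means "any IP", the weak default

    def authorize(self, action: str, source_ip: str) -> Tuple[bool, str]:
        """The decision an exchange makes for one request signed with this key."""
        if action not in self.scopes:
            return False, f"scope '{action}' not granted to {self.key_id}"
        if self.ip_allowlist:
            ip = ipaddress.ip_address(source_ip)
            if not any(ip in ipaddress.ip_network(cidr) for cidr in self.ip_allowlist):
                return False, f"{source_ip} is not in the allowlist for {self.key_id}"
        return True, "ok"


def audit_key(key: ApiKey) -> List[str]:
    """Findings to review before handing a key to a bot or tax tool."""
    findings = []
    if WITHDRAW in key.scopes:
        findings.append("withdraw scope granted: a leaked key can move funds off the exchange")
    if not key.ip_allowlist:
        findings.append("no IP allowlist: a leaked key works from anywhere")
    return findings


# Constructed keys. 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
WEAK_KEY = ApiKey("bot-key-weak", frozenset({READ, TRADE, WITHDRAW}))
HARDENED_KEY = ApiKey("bot-key-hardened", frozenset({READ, TRADE}),
                      ip_allowlist=("203.0.113.10/32",))

BOT_SERVER_IP = "203.0.113.10"       # where your trading bot actually runs
OTHER_MACHINE_IP = "198.51.100.7"    # any machine that is not your bot's server


if __name__ == "__main__":
    for key in (WEAK_KEY, HARDENED_KEY):
        print(key.key_id, "findings:", audit_key(key) or ["none"])
        for action, ip in ((TRADE, BOT_SERVER_IP), (TRADE, OTHER_MACHINE_IP), (WITHDRAW, BOT_SERVER_IP)):
            print("  ", action, "from", ip, "->", key.authorize(action, ip))
```

With the hardened key, even a full copy of the key string only allows trading, and only from the one address your bot uses; the scope check means withdrawal is refused from the bot's own server too, which is the guarantee the first bullet is after.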