Coinbase, one of the largest cryptocurrency exchanges, added about 1.9 million new users in the last two months. In the same period, Blockchain.com, the leading digital wallet to store cryptocurrencies, saw its users grow just slightly less than that.
Many are newcomers, unaware of the risks and security holes in the complicated yet lucrative world of cryptocurrency, making them easy prey for hackers and cyberthiefs.
One common crime that’s carried out on cryptocurrency investors is the phone-porting attack. Hackers snoop around social media, looking for cryptocurrency conversations in which investors post their phone and email for easy contact. Then, posing as the victim, they call up the phone provider in an attempt to fool the customer service representative into transferring the phone number to a device they control.
Once the hackers take over the phone number, they can go into the victim’s cryptocurrency exchange account by resetting the password, ultimately stealing cryptocurrencies from the account. Cody Brown, a virtual reality developer, blogged about how he lost around $8,000 worth of cryptocurrencies on Coinbase in 15 minutes, triggered by a phone porting attack on his phone account.
A cellphone number is not the only point of weakness. Adam Dachis, a former writer for Lifehacker, says his Coinbase account was ransacked in May by hackers who took control of his home computer, costing him $10,000 worth of cryptocurrencies.
“Computer hacks, phishing attacks and cryptocurrency Ponzi schemes are all common types of cryptocurrency theft,” said Jonathan Levin, co-founder of Chainalysis, an intelligence software firm that specializes in tracking and solving cryptocurrency crimes.
So what’s the best way to protect your cryptocurrency investments from hacks?
To find out, we reached out to three cryptocurrency investors and three cybersecurity experts. All three investors have lost some cryptocurrencies due to different hacks. One of the experts, Amir Bandeali, also is an investor, lost about 18 percent of his investments because the exchange (Bitfinex) he was trading with was hacked. That incident inspired him to build decentralized exchanges, which he believes will be the future for trading cryptocurrencies.
All of them admitted there’s no perfect solution to the problem. In the age of cryptocurrency, hard drives and personal computers have become the new bank vaults. And our real-world knowledge of protecting money from theft is not enough in the virtual world. The following suggestions can serve as a safety pamphlet for new cryptocurrency investors.
Here’s the advice of investors and experts, edited for clarity and style:
Jonathan Levin, co-founder of Chainalysis
1. Before you open up an account on Coinbase [or other exchanges], set up an unique email that you are going to use for that account.
2. Make sure to set a really hard and long password, and you are the only one to access it from a piece of paper that you control.
Dan Romero, VP of operation at Coinbase
1. On Coinbase, turn off SMS-based two-factor authentication and account recovery for your email account. If you move to Google Authenticator but don’t turn off SMS account recovery, a phone port attack can still lead to an email compromise.
2. On Coinbase, setup the Coinbase Vault and two-factor authentication for any sends off-site.
Sean Everett, VP of product management, Coinbase account was hacked by phone porting attack
1. Don’t talk about cryptocurrency publicly, especially on social media.
2. Call your cellphone provider, put every level of security you possibly can, and add a passcode to it. The next level protection is to add a “do not port” SIM card to your account. That can last for a year.
3. Even though Coinbase says it takes security seriously and has system designs to protect customers, it’s not a bank. Don’t trust it as such.
Adam Dachis, digital consultant, Coinbase account was raided by a computer hack
Don’t keep all your cryptocurrency investments in one place. Diversify among exchanges. It’s unlikely you are going to get hacked at the same time through all of them. Especially if you have different emails and passwords for each.
Sanjay Beri, CEO of Netskope, specialize in enforcing security across cloud applications and network.
Keep your cryptocurrency off the internet, in a “cold wallet.”
“Cold wallet” is not a brand, it’s a concept of storing bitcoins offline (not connected to internet) so that it reduces the opportunities for hackers to steal via online techniques.
“Hot wallet” is connected to the internet, for daily transactions. Think about “hot wallet” as a checking account and “cold wallet” as the savings account.
Here is how to create a cheap “cold wallet” on a dedicated computer:
First, download a cold wallet application to a new, secure usb drive.
Then, take a computer, reset it to factory setting, disconnect it from the internet and keep it offline.
Last, load the cold wallet application onto the computer, keep your cryptocurrencies on that clean and offline computer. You can make transactions offline, using the cold wallet application.
Amir Bandeali, CTO and founder of 0x project
1. If you must use a centralized exchange, withdrawal often, store your tokens on a hardware wallet, which is a hardware device, creates transactions without connecting through the internet.
2. If you are trading tokens on ethereum, I recommend looking into decentralized exchanges. The biggest difference between centralized exchanges (like Coinbase, Kraken and Bitfinex) and decentralized exchanges is that decentralized exchanges do not hold users’ funds. No one can ever access your funds other than you. So it can’t be stolen unless your private keys are compromised.