BlockChannel wants to remind you that information security is hard, and securely storing vast amounts of digital wealth is even harder. It’s important you’re familiar with the mistakes that even other smart people can make. Audit your personal security practices, and make sure you’re protected accordingly.
Obligatory Disclaimer: To modify a quote from Tim Ferriss, “I am NOT a financial advisor, and none of this advice should be taken without speaking to a qualified professional first. Also, my results [are most likely] due to pure luck and zero skill.”
I got a little buzz on my phone today from Google letting me know my Gmail password had been reset. A few minutes later a “security update” was installed on my phone, and I could no longer receive calls or texts. I was the victim of a standard SIM card hijacking.
Due to some lazy crypto security mistakes on my part, someone was able to steal $9,000 worth of various cryptocurrencies from me. I’m writing to let you know you shouldn’t make the same mistakes. Here are four steps you can take to avoid my fate:
First, remove your phone number…from everything.
One of the reasons the entire scenario happened in the first place was most likely because my phone number was attached to my Gmail, my Twitter, Facebook, etc. etc. etc. And why not? We all love being connected, and we all love convenience.
Unfortunately, this convenience comes at a cost — hackers can easily use your number to take control of your phone through your accounts. Even though my cell carrier account had a PIN on it, they were still able to get in and port my SIM card to their own phone. This gave them access to my text messaging, which is all they needed to reset the passwords to pretty much every account I have.
Second, don’t be the easiest target.
The reality is that it’s impossible to perfectly secure every account you have. Your goal should be to become a more difficult target. This is where I made my worst mistake. I got lazy and kept several private keys on my Google Drive, which the hacker had immediate access to. It was a piece of cake to log into those accounts, and clean everything out.
I recommend (and am currently in the process of) moving all my new private keys into encrypted documents that are stored on encrypted removable disks. And I’m doing this on several removable disks, and I’m storing them in multiple physical locations. I’m going so far as writing down some of my passwords on a piece of paper, and storing them in a lockbox. Any sort of “cloud service” IS NOT secure. Don’t trust any of them.
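The “encrypted documents on removable disks” step above, as an added example that is not part of the original post: a small POSIX shell script that uses the openssl command-line tool to passphrase-encrypt a key file (AES-256-CBC with PBKDF2 key stretching), checks that the right passphrase reproduces the original bytes and a wrong one does not, and only then deletes the plaintext. The working directory, file names, sample key bytes and passphrase are all constructed for the demonstration, and the script assumes OpenSSL 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example, not code from the original post: encrypt a private-key file with a
# passphrase before it goes onto removable media, verify the round trip, and only
# then delete the plaintext. Uses the openssl CLI (AES-256-CBC, PBKDF2 stretching).
# Directory, file names, key bytes and passphrase below are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/keyvault.$$"
mkdir -p "$WORK"
chmod 700 "$WORK"

# Constructed stand-in for a wallet private key; not real key material.
printf 'example-private-key-material-0000\n' > "$WORK/wallet.key"

# encrypt_key PLAINTEXT CIPHERTEXT PASSPHRASE
# The passphrase reaches openssl through the environment (-pass env:), not on the
# command line, so it does not appear in the process list.
encrypt_key() {
  KEYPASS="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
    -in "$1" -out "$2" -pass env:KEYPASS
}

# decrypt_key CIPHERTEXT PLAINTEXT PASSPHRASE
decrypt_key() {
  KEYPASS="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass env:KEYPASS
}

# vault_selftest: returns 0 when the right passphrase reproduces the original bytes
# exactly and a wrong passphrase does not. Run this before deleting any plaintext.
vault_selftest() {
  pass='correct horse battery staple'   # constructed; use a long random passphrase
  encrypt_key "$WORK/wallet.key" "$WORK/wallet.key.enc" "$pass" || return 1
  decrypt_key "$WORK/wallet.key.enc" "$WORK/check.key" "$pass" || return 1
  cmp -s "$WORK/wallet.key" "$WORK/check.key" || return 1
  # A wrong passphrase must either fail outright or yield different bytes.
  if decrypt_key "$WORK/wallet.key.enc" "$WORK/bad.key" 'wrong passphrase' 2>/dev/null; then
    cmp -s "$WORK/wallet.key" "$WORK/bad.key" && return 1
  fi
  # The ciphertext must not carry the key material in the clear.
  grep -q 'example-private-key-material' "$WORK/wallet.key.enc" && return 1
  rm -f "$WORK/check.key" "$WORK/bad.key"
  return 0
}

# finalize_vault: delete the plaintext only after the self-test passes. rm merely
# unlinks; on flash media the bytes may linger, which is one reason the disk
# itself should be encrypted as well.
finalize_vault() {
  vault_selftest || return 1
  rm -f "$WORK/wallet.key"
  [ ! -e "$WORK/wallet.key" ] && [ -s "$WORK/wallet.key.enc" ]
}

if finalize_vault; then
  echo "encrypted key ready at $WORK/wallet.key.enc"
else
  echo "self-test failed; plaintext left in place for inspection" >&2
fi
```

The passphrase is the whole secret: it should be long and random, and keeping it on paper in a lockbox, as the author does, means the removable disk and the passphrase never sit in the same place. Encrypting the file on an already encrypted disk is deliberate layering, so a single lost or mis-formatted drive does not expose the key.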
Third, store anything you’re not willing to lose offline.
I’ve been saying for years that I’m going to buy a hardware wallet. Well today, four hours after losing $9,000, I’m biting the bullet. I decided to order a Ledger Nano S, but I’ve been told TREZOR is another great option.
People may ask how much crypto you need to have before thinking about buying a hardware wallet. My answer after today? Whatever amount you’d rather not lose. For some people that may be $20. For others that may be $5,000. Either way, storing your crypto on a hardware wallet makes you a little less of an easy target. And that’s a step in the right direction.
Finally, listen to the experts.
I’ve known for quite some time that I should be more secure with my crypto. I’ve read it everywhere. I’m highly embarrassed that these mistakes cost me so much, but I hope that this situation helps you avoid the same thing.
If you’d like to read more about good crypto security practices, I’d recommend starting with Daniel Jeffries’ piece, “Eight Simple Rules for Protecting Your Cryptocurrency.” Don’t be a crypto fool like I was — listen to his advice and take steps to secure your hard-earned crypto now.