In this guest post by Pini Raviv, a software engineer and front-end team leader for an Israel-based startup, you will find a list of best practices for cryptocurrency wallet security.
The cryptocurrency world is booming, and a massive number of new investors are streaming in, seeking to get in on the massive returns that these new investment vehicles have posted. For example, Coinbase, the most user-friendly exchange available to Americans, has seen its user base rise to over 10 million in a matter of months.
However, with the influx of cash has come an influx of nefarious types, seeking to hack their way into the marketplace. The number of hacks of different currencies seems to be keeping pace with the growth in users. For example, nearly $225 million of ETH has been hacked and stolen this year alone.
These numbers aren’t anything new either. The cryptocurrency market is prime real estate for hackers, since the assets are stored digitally. Thieves wanting to steal diamonds, gold, or art, must first find them, and then put themselves in jeopardy to steal them. With digital currencies, however, hackers in their grandmothers’ basements can steal huge amounts of money, all while watching Leave It to Beaver.
Hackers have been able to access crypto wallets in varying ways. For example, a recent post on steemit provided details of how one anonymous hacker was able to steal hundreds of Bitcoins from various wallets using a variety of different penetration methods, including SQL injection attacks.
With the risks of hacking being so clear, what are some of the best ways to protect yourself and your assets from this type of theft? Below is a list of best practices that should be used for wallet security.
- Security Exceptions, Whitelisting
Application developers need to be certain that they are setting security exceptions for the known types of hack attacks. Exceptions should be created for SQL Injection (SQLi) attacks, Cross-Site Scripting (XSS), backdoors and others. For a more thorough list of potential areas of concern, as well as methodologies for setting appropriate exceptions, look here.
Developers can also whitelist specific URLs for certain known event parameters that would otherwise be blocked by security exceptions. This keeps functionality available during expected periods of increased traffic, while still providing appropriate levels of security control.
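The three items this section names, SQL injection, XSS and URL whitelisting, are easiest to see side by side in code. The following is an added example, not code from the original post or from any wallet project: it shows a query that splices user input into SQL next to its parameterized form, output encoding for a value rendered into HTML, and a strict allow-list check for URLs. The table, the owner names and the hosts in ALLOWED_HOSTS are constructed for the example.

```python
import html
import sqlite3
from urllib.parse import urlsplit

# Constructed allow-list of hosts the application may redirect to or call.
# These are hypothetical names; the post does not name any real hosts.
ALLOWED_HOSTS = frozenset({"wallet.example.com", "api.example.com"})


def make_db() -> sqlite3.Connection:
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wallets (owner TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO wallets VALUES (?, ?)",
        [("alice", 1.5), ("bob", 0.25)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable form: the owner name is spliced into the SQL text,
    so a quote in the input changes the meaning of the query."""
    sql = f"SELECT owner, balance FROM wallets WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened form: the value is bound as a parameter and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT owner, balance FROM wallets WHERE owner = ?", (owner,)
    ).fetchall()


def render_owner(owner: str) -> str:
    """Encode a value before placing it in HTML so that markup in the
    input is shown as text rather than executed (XSS mitigation)."""
    return f"<span>{html.escape(owner)}</span>"


def is_allowed_url(url: str) -> bool:
    """Allow-list check: only https URLs whose host is exactly one of
    ALLOWED_HOSTS pass. urlsplit().hostname drops any user@ prefix and
    port, so look-alike hosts such as allowed.com@other.example fail."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    return parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # no row matches
    print(render_owner("<b>alice</b>"))
    print(is_allowed_url("https://wallet.example.com/login"))
```

The allow-list compares the parsed hostname, not a substring of the raw URL; a prefix or suffix match would let a host such as wallet.example.com.other.example through.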
- Secure and Reputable Wallets
Non-technical users should be certain to sign up for appropriate wallets. For example, if a wallet has only just been put onto the marketplace, users should steer clear, since it likely has many bugs and risky features that must still be worked out. There are a number of applications that let users track crypto markets, as well as reputable and safe wallets. Check app feedback scores, do a quick Google search for hacking events, and distribute funds carefully across wallets.
- Use Two Factor Authentication
This is a critical part of the security puzzle for cryptocurrency investors. It is critical that investors use wallets with two-factor authentication (2FA). This feature requires that a user verify his or her identity with more than a simple password. Users can require a fingerprint, knowledge of personal data, or validation from a secondary device for 2FA, but all users should enable this feature. While this may delay your login time, it may save you from a massive hack event.
- Using Hardware or Paper Wallets
Users who are not actively trading cryptocurrencies on the open market should keep the bulk of their investment in an offline wallet. This is a critical part of maintaining security. Hardware and paper wallets offer strong protection, since access requires a private key that is held only by the user. Users can send funds from their hardware wallet to an exchange if they want to trade, buy, or sell, while keeping the bulk of their investments secure.
- Securing Other Applications
Other applications can be used as attack vectors by cryptocurrency hackers. For example, hackers can gain access at ISPs and manipulate Border Gateway Protocol (BGP) routing in order to redirect transactions to other wallets. Since ISP access can come through various applications on a device, users must be certain that other applications are secured and managed before sending funds. It is also important to send a one-time micropayment to the wallet and have it verified before sending larger sums.
Since cryptocurrency transactions are immutably coded into the blockchain, the only hope of recovering funds is if the hacker ransoms them to you, or agrees to give them up himself. With these practices, users and developers alike will be able to control and manage the necessary security for their wallets and applications. Without these best practices in place, however, users stand to lose huge sums of money like others who have already been victimized by hackers.
Pini Raviv is a software engineer and front-end team leader for an Israel-based startup. When he's not coding, this Bitcoin aficionado spends his time researching altcoins, mining Ethereum and blogging about blockchain technology.