Getting Started in Crypto Pt. 2: Security

What you need to know to secure your assets

November 1, 2021, by Michael Nadeau

Hello readers,

In this report, we’ll be covering security in crypto - probably the most important topic for anyone new to the space to grasp before diving in too deep.

If you’re new to the program and are getting value from these reports, please consider subscribing below to receive them directly in your inbox as they are published.

Let’s go.

If you’re new to the space, you may have observed that it can feel a little uneasy getting started. I know it did for me. Everything about crypto is new, and as an early adopter, you always run the risk of making a rookie mistake or being the unknowing target of a scam. Engaging with crypto takes extreme ownership. You are the bank, and there is no FDIC insurance.

The goal of this report is to help you understand the risks and avoid any negative outcomes.

The first thing to keep in mind with crypto is that while the industry is maturing, there are still a lot of scammers in the space. These are the people that will DM you on LinkedIn or Twitter and ask you to send some crypto to them to “earn a yield,” or offer some odd consulting service. Never, ever send your crypto to anyone you do not know. And never, ever, give away your 12 or 24-word seed phrase for your wallet (your private key).

Some folks see the scammers and criminal activity around crypto as a reason to stay away from it. Or they believe that it’s only used by criminals. This couldn’t be farther from the truth. What these people are missing is that just about every disruptive technology throughout history was adopted first by criminals. When we see criminals using new technology, it is a great indicator that the technology probably has real utility and value. We saw this in recent history with pagers, cell phones, the internet, and Bitcoin in the early days (silk road). Criminals typically adopt new technologies first, and law enforcement and regulation catch up later.

Securing your Cryptoassets

There are 3 types of wallets for retail investors in the market today:

  1. Hot wallets

  2. Hardware wallets (cold storage)

  3. Multi-sig wallets

Hot Wallets: these are wallets that you keep on your phone or a computer/laptop. When you download a wallet to your phone or computer, your 12 or 24-word seed phrase (private key) is given to you on that phone or computer, which means it is susceptible to a hack. For this reason, if you are using a hot wallet, it should only be for small amounts of crypto. If you hold any meaningful amount of crypto, it should be kept in cold storage. The Coinbase wallet that can be downloaded from the app store is likely all that you need in a hot wallet.

Metamask is the most popular hot wallet for Ethereum based assets. Metamask is very user-friendly, and you can connect your hardware wallet to it to easily move assets into safer storage after initially using Metamask (which integrates with many decentralized exchanges) to acquire the assets. Phantom is the most user-friendly wallet for users of Solana.

Hardware Wallets (cold storage): this is where you should be holding your cryptoassets. I recommend Ledger or Trezor as two companies that provide excellent hardware wallets (though there are many others). These wallets should be purchased directly from the manufacturer (instead of Amazon or any reseller). The key takeaway with hardware wallets is that your 12 or 24-word seed phrase never touches the internet. With cold storage you eliminate the chance of a hacker being able to access your private key. These wallets take longer to set up, but it is well worth it to have the peace of mind that your assets are safe and will always be safe.

Multi-Sig Wallets: These wallets were created with the intent to solve issues around folks losing their private keys and hence their cryptoassets. Users of these wallets are primarily very large retail investors or companies in the crypto space. With multi-sig, there are typically at least 3 private keys associated with the wallet, and 2 of the 3 are needed to access the assets and sign a transaction. Companies like Casa and Unchained Capital provide industry-leading multi-sig wallets today.

My recommendation is to set yourself up with a hot wallet on your phone/computer like the Coinbase wallet. This should only be used to hold very small amounts of crypto. If you want to purchase and hold Ethereum based assets (as well as assets on other chains), I recommend setting up a Metamask wallet and connecting a hardware wallet (Ledger or Trezor) to it.

Otherwise, when assets are purchased on exchanges (Ethereum based or any chain), they should immediately be sent into cold storage for safekeeping.

Handling Private Keys (12 or 24-word seed phrase)

Your keys should be written down and never stored on a phone or computer. This includes taking a photo of your seed phrase or putting it in the notes on your phone. Don’t do this. Just write it down and keep it somewhere safe like a lockbox or safe.

The other option is to purchase something like a Cryptotag. Crypto tags are made of titanium. You can engrave your seed phrase on it, and it can withstand water, fire, or any other type of damage that could occur to it.

Securing your Phone

If you are dealing with crypto and are leaving digital footprints around the internet, you could become a target of a hacker. The most common attack is a SIM swap. This essentially means that someone can hijack your phone without ever touching it physically. This most commonly happens when a criminal calls your phone company and pretends to be you. Customer support should absolutely never give away your SIM card, but it does happen. Criminals are always finding ways to dupe these people.

Most importantly, you should put a PIN on your SIM card. You should be able to set this up with your service provider.

If a criminal did get your SIM card, the first thing they would do is try to get into your email account. If they get into your email, they will likely be able to see who you bank with, and which exchanges you use for crypto. *Never leave your crypto on exchanges for this reason.*

The next thing they will do is attempt to change the passwords on your accounts and steal your crypto (if it was left on the exchange). How to prevent this:

  1. Put a PIN on your SIM card

  2. Use 2FA for your email and any important financial accounts or crypto exchanges

  3. If you have the option to use an authenticator app instead of SMS text message 2FA, always use the authenticator app. I recommend Authy or Duo.

  4. The key here with the authenticator app is that in its settings you can turn off “allow multi-device.” This means that if someone did get your SIM card, the 2FA accounts will not port over when they add your SIM to the phone they are using. You do not have this level of control with SMS text message 2FA. So, with authenticator-app 2FA turned on, even if your SIM card was stolen, the criminal would not be able to get access to your email and other important accounts.

  5. And if you’re looking for guaranteed protection from SIM Swaps, there is a company called Efani that provides this service.

  6. Use a VPN

  7. Finally, if you are trying to optimize security to the nth degree, you can purchase something like a YubiKey. YubiKeys are USB sticks that use biometric authentication (fingerprint) to access any sensitive accounts. YubiKey supports most major crypto exchanges as well as email providers, etc. Similar to how a hardware wallet keeps your private key off of the internet, with a YubiKey there would be no way for a hacker to get into your accounts unless they had your fingerprint. For example, if you set one up for Coinbase, you would plug the USB into your computer and place your finger on it to access your account.

Be Wary of Using Bridges

Bridges (moving assets from one blockchain to another) tend to be where most hacks occur in crypto today. When you bridge an asset, you are essentially locking it in a smart contract, and then receiving an “IOU” synthetic/derivative coin on the new chain. Your new coin represents the asset you had, and is compatible with the chain you are moving to. For example, if you want to send some BTC into DeFi on Ethereum, you would need to use a bridge. You would lock your BTC up, and receive WBTC (wrapped BTC in an ERC20 format compatible with Ethereum). The smart contracts that lock up these coins for accounting purposes can be (and have been) hacked, draining the funds/collateral which represents the real, bearer asset. If a smart contract that you used to bridge assets is hacked, you’ll be left holding a synthetic/derivative asset that has a claim on the real asset — that a thief has now run off with. The tech is still very nascent and bridges have shown many vulnerabilities so far. For this reason, take a lot of caution before moving assets from one chain to another.

Never, Ever Sign a Transaction You Don’t Understand

If you connect your wallet to your favorite app and are prompted to sign a transaction you did not initiate, you should immediately stop. Sort of like when you receive an odd link from your “bank” via text. Just stop. Think about what is happening. If you don’t understand, ask about it on the project's Discord server. There have been scams where a crypto application's front end is duplicated. This fools users, and when they connect their wallets they become vulnerable to a rug-pull, where they sign a transaction that sends their assets to another wallet. Always remain vigilant when asked to sign a transaction you did not initiate.
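To make the “understand what you are signing” advice concrete, here is an added example (not code from the original post or from any wallet) that decodes the calldata of a standard ERC-20/ERC-721 token call and flags what a user should look at before approving it, such as an unlimited `approve` or a transfer involving an address you do not recognise. The selectors are the standard ones; the addresses, amounts and the `trusted` list are constructed for illustration.

```python
# Added example (not the post's own code): decode the calldata behind a wallet
# signing prompt. Selectors are standard ERC-20/721; test values are constructed.
SELECTORS = {  # first 4 bytes of keccak256(signature): well-known token selectors
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}
UINT256_MAX = 2**256 - 1

def decode_calldata(calldata_hex):
    """Return (function_name, [args]); (None, []) if the selector is unknown."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    entry = SELECTORS.get(data[:4].hex())
    if entry is None:
        return None, []
    name, types = entry
    args = []
    for i, typ in enumerate(types):
        word = data[4 + 32 * i:4 + 32 * (i + 1)]  # each argument is a 32-byte word
        if len(word) != 32:
            raise ValueError("calldata is shorter than the ABI requires")
        if typ == "address":
            args.append("0x" + word[12:].hex())  # address is the low 20 bytes
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args

def review(calldata_hex, trusted):
    """List what a user should notice before signing; empty list means nothing odd."""
    name, args = decode_calldata(calldata_hex)
    if name is None:
        return ["unknown function selector: do not sign blind"]
    warnings = []
    if name == "approve" and args[1] == UINT256_MAX:
        warnings.append("unlimited token allowance requested")
    if name == "setApprovalForAll" and args[1]:
        warnings.append("operator approval for every NFT in the collection")
    # transferFrom(from, to, amount): the counterparty that matters is 'to'
    counterparty = args[1] if name == "transferFrom" else args[0]
    if counterparty not in {a.lower() for a in trusted}:
        warnings.append(f"{name} involves unrecognised address {counterparty}")
    return warnings

def abi_word(value):
    """Encode an int or 0x-address as one 32-byte ABI word (builds sample calldata)."""
    value = int(value, 16) if isinstance(value, str) else value
    return value.to_bytes(32, "big").hex()
```

Real wallets show the same fields in their confirmation screens; the point of the example is that an unlimited allowance or an unfamiliar counterparty is visible in the calldata before you sign, not after.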

Conclusion

Keep in mind that by engaging with crypto you could be making yourself a target for hackers. Follow these security best practices to avoid any rookie mistakes and to prevent any attack from escalating. You’ll be able to sleep well at night and engage with this exciting new innovation in a safe manner.

___

Thanks for reading and for your continued support. Have a question, comment, or thought? Leave it here:

And if you’re getting value from these reports, please consider sharing them with your friends, family, and social networks so that more people can learn about crypto and blockchains.

___

Take a report.

And stay curious.

Individuals have unique circumstances, goals, and risk tolerances, so you should consult a certified investment professional and/or do your own diligence before making investment decisions. Certified professionals can provide individualized investment advice tailored to your unique situation. This research report is for general investment information only, is not individualized, and as such does not constitute investment advice.

© 2024 The DeFi Report. All Rights Reserved.