Don’t be an easy target, keep your coins safe.

Published in

Trezor Blog

4 min readDec 5, 2016

We’ve all heard stories about people losing (some of) their coins by having their exchange account hacked. I’m not a security expert, and I don’t claim to be one. I do however see many people not taking their security very seriously.

Kraken wrote a blogpost about this a while ago… And even though there is a lot of information in it, for most of us it seems a bit over the top. Burner Phones, Google Voice (not available outside of US),… Yeah I don’t use that or even have access to that.

I’m not saying you have to become a tinfoil hat guy, but there are some basics that can make everything a lot more secure.

Don’t keep coins on an exchange that you don’t actively trade.

I’ve heard this one so many times: “Oh you kept coins on an exchange and it got hacked? Well that’s kind of your fault.” Wrong. If you actually trade those coins and you’ve used all of the security measures provided by the exchange, it’s really not your fault. How are those people who say you shouldn’t keep any coins on an exchange going to sell them/buy more? They need buy/sell orders, they need liquidity. Active traders provide liquidity and they are crucial.

Good practice here is to send your profits once every 2 week or once per month to a hardware wallet. If you make profit obviously… Many don’t.

The Password

A password needs to be unique and complex. Please don’t reuse passwords, many of us who aren’t security experts have been doing that for years. Easy to have the same password for your Gmail, Twitter, Facebook,… Even though that’s just bad practice it probably won’t immediately make you lose a lot of money if those get hacked. If your exchange account gets hacked, it’s so much worse.

Since no one can remember all those different complex passwords it’s best to use a good password manager. I personally use Dashlane and am happy about it, I have some friends who use Lastpass and that works fine too. Dashlane offers the ability to generate complex passwords which can come in handy.
Obviously you do need to have a masterpassword for it. One that you save nowhere and don’t write down. Best practice would be that it’s a sentence (20+ characters) that you memorize and that only makes sense to you. Additionally you can add 2FA to Dashlane.

The Email

Don’t use hotmail/outlook or Gmail for things that need to be secure and private like an exchange account. Just don’t. I still use them… But only for personal things since everyone already has those addresses and now it’s just annoying to switch. You know how you get ads in Gmail related to the subjects you’ve written or received mails about? How does that happen you think? Do you really trust Google or Microsoft with your emails?

Good options here are Protonmail and Hushmail. They both provide extra layers of security and don’t forget to turn on your 2FA for this one as well.

Make sure that you need to confirm all your withdrawals from exchanges by email.

The 2FA

Don’t use SMS for 2FA. That’s the easiest one to “hack”. Instead use other 2FA tools like Authy. I‘ve been using it for a while now and it’s really handy since it allows you to back everything up easily and it’s easier when you switch phones. Make sure to use 2FA everywhere possible. On the exchange, on your email, on your password manager,…

The Hardware wallet

There are quite a few options for hardware wallets out there: Trezor, Ledgerwallet, keepkey,… I personally have 2 Trezors and will be looking to buy the new one when it’s released. Trezor also started supporting some of the bigger altcoins like ZCash and additionally you can use it as a 2FA device which is a really cool feature. And of course the lovely Alena Vranova is my crypto-crush.

The Exchange

I personally don’t trade on the smaller (read: scammier) crypto exchanges (and potentially easier target for hackers). The big ones have plenty of security options available, even though some might not always be visible. One option I try to use everywhere if it’s available is the fixed withdrawal address. This option allows you to withdraw your coins to only 1 specific address. Ideally this address is of course a very secure one, like on a hardware wallet. If you try to change that address there is usually a period of time that all withdrawals are locked.

This option is for example also available on Poloniex if you do the enhanced verification (which means >$25,000 limit) with a skype interview with a compliance officer. Even though it’s not visible (yet) on the website itself.

Conclusion

If you stick with these security measures you’re pretty safe. If you’re an altcoin trader and keep local wallets, it’s always best to run them in a VM. Other than that use common sense, don’t get too relaxed. I’ve heard people say that setups like the one I described are “annoying because I can’t execute a trade quickly”… Well it’s a risk/reward thing, what’s more important? Missing a trade or losing all your coins?