Table of Contents
- The Hackening
- The Hack
- One Month Rule
- It’s Not Cold Storage If You Keep Private Info Online
- Flaunting Your Wealth = A Recipe for Disaster
- Google 2FA is Your Friend
- Double-Check Everything
1. The Hackening
If you follow cryptocurrency and blockchain social media influencers and investors on Twitter or Instagram, there’s a chance you’ve heard the name Ian Balina and the word “hack” thrown around in the last twenty-four hours.
Around 4am EST, popular cryptocurrency investor, advisor, and blockchain evangelist Ian Balina posted this message on Twitter:
From his frequent Blockfolio snapshots – a crypto portfolio tracking application for your phone – it’s estimated he was hacked to the tune of over USD $2 million over the course of just a few hours.
Here are just a few snapshots from his portfolio for reference – starting with the most recent.
Balina came into the spotlight after turning a USD $90,000 investment into $4 million in just a few short months.
2. The Hack
So, how exactly was he hacked?
With Balina’s crypto security and storage, there were several points of failure – coupled with a lack of due care – making his crypto an easy target for hackers. Specifically:
- He backed up his main email with an old college email,
- His college email could be used to reset his main email password, and
- He stored his private and public crypto keys on cloud storage app Evernote.
Once hackers accessed his college account and subsequently, his main email, it was as simple as resetting his Evernote password and voilà, the above screenshots were at the hacker’s disposal.
There’s also speculation buzzing around the internet that Balina orchestrated the hack himself in order to evade having to pay U.S. taxes. However, on 4/17/18, Balina refuted such claims in his first post on Twitter since the hack, stating, “Any suggestions that I would fabricate a hack to avoid tax evasion are [sic] flagrantly wrong and should know better.” And, not long after, he followed that up with a tweet saying he is currently working with experts in law enforcement to locate the hackers.
Here are five key lessons we can learn from this unfortunate incident and apply to the storage and security of your crypto.
3. The One Month Rule
First off, you shouldn’t be investing more than you are prepared to lose – and for most people, that’s one month’s salary. If you keep more than one month’s salary of cryptocurrency on exchanges or online wallets, we at CoolWallet highly recommend you move it to cold storage. Some even go as far as to say that you should only keep as much online as you would carry in your leather wallet or purse.
Exchanges aren’t immune – even Binance, hailed as one of the most reputable exchanges out there, experienced irregular trading in early March due to phishing and the suspected accumulation of compromised accounts by hackers. Investing $100 in cold storage is worth it if you aren’t prepared to lose your crypto – no matter how small the amount.
4. It’s Not Cold Storage If You Keep Private Info Online
As was the case with Balina, it’s not actually cold storage if you use a hardware wallet but keep your private keys and other sensitive information online – it’s then considered a hot wallet, a wallet that is connected to the internet. Storing your private key or private seed on a system accessible over the internet opens you up to a handful of security issues and should be avoided at all costs.
Instead, we at CoolWallet recommend that you:
- Write or print your key or seed on a piece of paper (or laminated piece of paper),
- Engrave or etch them on a piece of metal,
- Store them on a flash drive,
- Or purchase a piece of cold storage hardware, such as CoolWallet – where your private keys are stored in the card itself.
5. Flaunting Your Wealth = A Recipe for Disaster
Just as you wouldn’t openly walk down the street in an unsavory neighborhood at 2 a.m. flashing a wad of $100 bills and your new iPhone-8, you shouldn’t be boasting of your cryptocurrency wealth and portfolio online. We even recommend when engaging in discussions on popular forums, such as Reddit and BitcoinTalk, to refrain from mentioning the quantity or total value of your holdings.
Letting it slip how much crypto you HODL could open you up to:
- Targeted phishing attacks,
- Social engineering,
- Ransomware, and even
- Robbery attempts.
Think about it, would you really be letting people know how much money you have in your bank account? If the answer is no (which it should be), then you shouldn’t be divulging the specifics of your crypto holdings. As the old saying goes, “Loose lips sink ships.”
6. Google 2FA Authenticator is Your Friend
If you do keep crypto on an exchange, make sure to set up two-factor authentication (2FA) for logging in. When setting up 2FA, there’s a clear winner in terms of security – and that’s Google Authenticator.
Recently, it’s come to light that hackers have been able to bypass a user’s SMS 2FA by exploiting known flaws in cell phone networks and intercepting text messages – resulting in hackers seamlessly logging into users’ accounts and transferring funds.
Google Authenticator generates time-limited codes that change every thirty seconds, leaving a hacker only a narrow window in which a captured code can still be used to access your account.
A word of caution: remember to back up your Google Authenticator keys (by writing them down and storing them in a safe place) in case you lose or break your device.
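To make the thirty-second window concrete, here is an added Python implementation of the TOTP scheme (RFC 6238) that Google Authenticator uses; it is example code, not CoolWallet’s or Google’s, and the secret used in the demo is the RFC’s published test secret, not a real key.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as Google Authenticator computes it (HMAC-SHA1, 30 s step, 6 digits)."""
    # Authenticator apps hand you the shared secret as base32; re-pad and decode it.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = timestamp // step                   # which 30-second window we are in
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter (RFC 4226)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def seconds_remaining(timestamp: int, step: int = 30) -> int:
    """How long the code shown at `timestamp` stays valid before the window rolls over."""
    return step - timestamp % step


def verify(secret_b32: str, candidate: str, timestamp: int, step: int = 30) -> bool:
    """Accept only the current window, so a code captured earlier is useless once it rolls over."""
    return hmac.compare_digest(totp(secret_b32, timestamp, step), candidate)


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890" in base32); never a production key.
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    for t in (59, 1111111109, 1234567890):
        print(t, totp(SECRET, t), f"valid for {seconds_remaining(t)} more second(s)")
```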
7. Double-Check Everything
Phishing scams are the most popular method employed by malicious actors looking to steal a piece of your crypto portfolio, and the scary thing is, they’re getting more advanced – take a look at this Tron Twitter account which amassed over 250k followers and was later found out to be fake. Whether sending transactions or simply typing in an exchange or wallet’s website, double check everything.
Taking an extra second to glance over your input and the subsequent results is a simple and effective way to make sure you aren’t interacting with any malicious sites or actors. Here are a few things to look for when browsing the web for crypto:
- Look for the green ‘https’ and ‘Secure’ indicator before a website’s URL. Green = legitimate & trustworthy and indicates the website obtained the necessary SSL (security & trust) certificates.
Notice the two small dots under both ‘n’s in Binance? This kind of Unicode look-alike character is particularly tricky and hard to spot when logging in.
- Bookmark the legitimate website and use the bookmark as a shortcut. Doing so removes the risk of typing errors or of misidentifying a look-alike site.
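The dotted-‘n’ trick above is a Unicode look-alike in the hostname. As an added example (not from the original post), this Python check flags a URL whose hostname contains non-ASCII characters, shows the punycode form the browser really resolves, and compares an accent-stripped skeleton against a constructed list of bookmarked good hostnames.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed list of bookmarked, known-good hostnames (stands in for your own bookmarks).
BOOKMARKS = {"binance.com", "coinbase.com"}


def skeleton(host: str) -> str:
    """Strip accents/diacritics so 'ṇ' (n with dot below) collapses to plain 'n'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def hostname_warnings(url: str) -> list:
    """Return reasons a URL looks suspicious; an empty list means it matches a bookmark over https."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if host in BOOKMARKS:
        return warnings
    odd = [c for c in host if ord(c) > 127]
    if odd:
        names = ", ".join(f"{c!r} ({unicodedata.name(c, 'UNKNOWN')})" for c in odd)
        warnings.append(f"non-ASCII characters in hostname: {names}")
        try:  # what the browser actually resolves once the look-alike is encoded
            warnings.append("resolves as " + host.encode("idna").decode("ascii"))
        except UnicodeError:
            warnings.append("hostname cannot be IDNA-encoded")
    for good in BOOKMARKS:
        if skeleton(host) == good:
            warnings.append(f"looks like {good} but is not")
    if not warnings:
        warnings.append("not in bookmarks")
    return warnings


if __name__ == "__main__":
    for u in ("https://binance.com/login", "https://biṇaṇce.com/login", "http://binance.com"):
        print(u, "->", hostname_warnings(u) or "OK")
```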
Although the above five lessons may seem simple enough, countless investors and “HODLers” commit these faux pas every day, exposing themselves to risk and ultimately, loss of their cryptocurrency. Next time you make a purchase online, make sure to keep these five tips in mind. Stay vigilant, stay secure, and happy hodling.