Category: Bitcoin & CryptoCurrency

11 Essential Security Practices to Keep Your Bitcoin Safe

The recent explosion in the price of Bitcoin and other cryptocurrencies has inspired me to start a new hobby: helping people recover lost Bitcoin wallets.

As might be expected of early adopters in an anonymous Internet cryptocurrency, many of my customers are information security professionals. It seems that many of them set up so many security measures that they locked themselves out of their Bitcoin. On the other hand, I’ve also heard from many more people who lost their Bitcoin or had it stolen because they either did not follow basic security practices or followed them without understanding their implications and also lost their coins. The inherent balance in information security is that you need walls in place to protect against threats, but the walls you put up to protect yourself can lock you out if you forget your way in.

I, therefore, want to suggest a list of steps that you can take right now to secure your crypto stash. These measures should be both comprehensive enough to keep you safe without being so complicated that you will be locked out of it, or tempted to disable security altogether.

1: Store your wallet seed somewhere safe.

People come to me when they lose their Bitcoins any number of ways, but the one common element in their stories is that they failed to save their recovery seed. Most modern wallets ask you to save your recovery seed/mnemonic phrase somewhere safe when you set up your wallet. You can keep it in a safe place (such as an actual safe) or an encrypted flash drive (I use Veracrypt). Triple-check both the words and the word order, as one person I worked with wrote down his seed incorrectly and lost all of his coins.

2: Use a hardware wallet — or a strongly encrypted software wallet.

A hardware wallet (an electronic device dedicated to storing Bitcoin) such as a Trezor or Ledger is the safest place for your Bitcoin. Read my Trezor review on Amazon to understand the pros and cons of using one.

If you don’t use a hardware wallet, use a wallet which supports strong encryption. The JAXX wallet, for example, can be easily hacked and your coins stolen. I use the Electrum wallet, which allows me to encrypt my wallet file.

3: Encrypt your hard drive.

Encrypting your whole hard drive is essential if you don’t want anyone with physical or virtual access to your computer to be able to extract all of your data. Modern versions of Windows and Apple iOS make this easy.

If you have a Mac, encrypt your hard drive with FileVault. If you have Windows, you can use BitLocker to do the same thing. Personally, I do not use Windows to make any Bitcoin transactions because securing the operating system is too cumbersome, specifically because of the steps below.

4: Set a firmware password.

Apple computers allow you to set a firmware password which prevents your computer from being accessed without your password or using an external device. This is an additional security measure which makes your computer a lot less useful to thieves as it requires a visit to an Apple store and a proof of purchase to reset it. While older Apple computers had some simple workarounds to disable the firmware lock, modern ones are much more difficult for criminals to unlock.

5: Automatically lock your computer when you’re away.

Hard drive encryption will not help you if someone installs a keylogger when you’re away from your keyboard. Set your computer to auto-lock after a few minutes AFK.  Mine is set to auto-lock after five minutes

Here are instructions for Windows and Mac. I also have a “panic button” via a Touch Bar customization which locks my screen on command. I use it whenever I walk away to get coffee, go to the bathroom, etc.

6: Disable automatic login.

Locking does no good if your computer logs in as you when you turn it on. Make sure auto login is disabled.

7: Use a password manager.

I use the password manager LastPass to store the over 600 passwords of every service I use. I generate a new, strong password for each service I use it with it.

LastPass will offer to suck in and audit all your passwords. My score is not great because, like everyone else, before LastPass, I used the same password for most sites before I started using a password manager. LastPass passwords are encrypted using a master password, which for me is a quasi-random list of words which I don’t use for any other purpose.

However, even if someone gained access to my LastPass credentials, they would not access any of my important services because I also use the following step.

8: Enable multi-factor access.

I use LastPass Authenticator in combination with other passwords to access all my important accounts. The LastPass Authenticator iPhone app works with the LastPass Chrome extension to auto-enter credentials for many sites. Multi-factor authentication apps work by cycling a code every 30 seconds which must be entered in addition to the password to access a service. For some services, I also have a physical security token (my Trezor wallet does this, but most people use a YubiKey) which must be physically plugged into my computer to access a site.

9: Keep your computer up to date.

Mac OS had a nasty root access bug a few weeks ago. Keep your OS up to date to protect against the latest threats.

10: Use private, offline mode for sensitive operations.

I occasionally need to create a paper wallet or perform other sensitive operations in my web browser. This has two risks:

  1. The web page may have malicious code which leaks my keys.
  2. One of my browser extensions may have malicious code (this happened to me a few month ago).

To work around both of these issues, I perform security-critical operations in an Incognito Chrome window. Incognito disables extensions unless you specifically whitelist them.

Furthermore, I perform any paper wallet operations with ethernet/Wifi disabled. This prevents malicious code in the wallet from secretly sending your Bitcoin keys to a third party. I then completely quit my web browser before going back online. I also download any browser-based crypto software directly from GitHub rather than random websites.

11: Setup automatic backups.

I’ve set up my MacBook for triple-redundant encrypted hourly backups with Apple Time Machine. This is not nearly as easy with Windows. CrashPlan (available on Windows and Mac) allows encrypted backup to local storage devices. Windows has a built-in backup app, but it’s not nearly as simple or powerful as Time Machine.

While this is not strictly security advice, automating your backups is important from a security perspective. I’ve noticed that people who are not 100% confident in their backups tend to backup important files over flash drives, work computers, email, DropBox, and other services where it is at risk of theft. Some of my clients thought they’d backed up their wallet, but couldn’t figure out which of the 10 flash drives they had actually held their Bitcoins years later. A complete system backup will allow you to restore both the wallet file and the software you used to open it.

Reposted from Vellum Capital

Why I’m betting on the future of Bitcoin

Five years of living in China spoiled me in terms of financial transactions. Most people don’t use debit or credit: they either use cash or more commonly, send money electronically via mobile apps. Mobile wallet apps are often used for large payments, and your landlord or utility company is just as likely to accept them as the friend you’re splitting lunch with.  You can login to your bank’s website or ATM and send someone a million dollars as easily as a few bucks.

Then I moved back to the U.S.

I owe several thousand dollars to a friend. At first, I tried to find a way to send the money electronically through my bank. You need a business bank account to send via ACH transfer. I could do a wire transfer, but my bank charges the sender $30 and the recipient $15, and requires a lot of information about the recipient’s bank account. I tried this thing called “Zelle” — a new payment network that most major banks have introduced. Much as we tried, we could not get a $5 test transaction to reach my friend. Zelle also has a $2000 daily limit. I looked into Venmo – the daily limits are too low. PayPal charges 2.9% of each transaction.

Dejectedly, I wrote a check. A check is a piece of paper dating back to the ancient Roman empire on which you — get this — just write down the amount to be transferred to someone else’s bank account. In theory, only the recipient of the check can cash it, but there are exceptions, and not all financial institutions are strict about this.

I thought that was the end of the story until my friend informed me that he had not received my check. Actually, before that, my letter bounced back to me because the stamp somehow fell or was detached. Apparently, I did not apply enough of my saliva to last to its destination. I occasionally have my emails bounced, but at least I don’t need to worry about expending sufficient bodily fluids for my messages to reach their independent recipient.

Anyway, we now have a real mess. A check lost in the mail means one of four things:

1: The United State Post Office lost the letter.
2: The letter was delivered, but someone had taken it from the mailbox (my friend was on vacation at the time it was delivered)
3: The sender lied about sending the check.
4: The recipient lied about receiving the check.

Now, I’d like to think that my friend is trustworthy, but how well do I really know him? And how well does he know me? And what about the teenager that he asked to watch his house while he was away? A single failure in our payment system has thrown our whole relationship into doubt.  And what about the USPS? I just learned that you’re supposed to wrap checks in a sheet of paper so USPS workers don’t steal your money. Since when do I need to worry about the US Government stealing my money? (Don’t answer that.)

So here is what I did next: first I drove to my bank to put a stop payment on the check ($30 fee).  Then I drove to a UPS store and send another check via certified mail (another $10).  After hours of lost productivity and $40 in fees, I need to wait another week to see if we can put this behind us.   That’s not the end of the story.  Banks are required to report all transactions over $10,000 to the U.S. government, and if the FinCEN or the IRS finds my transaction record suspicious, I may be investigated.  That’s the real reason why financial transactions are outdated, expensive, and buggy — a massive amount of government regulation deters innovation in the Western financial system.  While politicians claim to do this in the name of safety, it’s really all about preserving tax revenue.  Countries like Hong Kong, Luxembourg, and Singapore with the fewest financial regulations also have simple tax systems with low rates. Politicians want their cut, and they have no problem forcing us to use an expensive and unreliable financial system to get it.

What if we used Bitcoin instead? My friend could send me a payment request with his address.  I open it and click “Send” and we’re done. I can be absolutely certain that the transaction was successfully sent to the intended recipient, and the recipient can be certain that the funds are irreversibly his.  It costs the same (under a dollar) and works equally well for $5, $50, or $5 billion dollars.  If done properly, the transaction can be completely anonymous.  Can you imagine if the entire finance sector worked like this?  Many people are working to make this happen.