From: thepipeline_xyz

The crypto space is highly susceptible to exploits and hacks due to the nature of programmable money [02:07:00]. It combines traditional Web2 attack vectors like phishing, web exploits, network issues, and cloud security, with Web3-specific issues like smart contract execution vulnerabilities [02:39:00]. As such, users should be extremely prudent and paranoid to avoid compromise [00:24:00].

General Principles for Security

The most crucial step is a critical self-audit to understand your own vulnerabilities [02:25:00]. Attackers typically target three main areas:

  • Funds: Whatever is stored on-chain, exchanges, or wallets [03:35:00].
  • Access: Using your accounts as an interception point to compromise colleagues, friends, or family [03:44:00].
  • Data: Sensitive credentials and where they are stored [04:16:00].

Users should map out all potential points of failure to identify and mitigate risks [04:32:00]. A common mistake is overconfidence: assuming you are already familiar with every scam leads to mistakes when new variants emerge or when you are tired [05:00:00]. Always assume you are a target, and stay humble about your knowledge compared to that of attackers [0:21:25].

Key Security Measures

Multi-Factor Authentication (MFA)

Enable MFA on every account that holds funds, important data, or access [06:41:00].

  • Avoid SMS-based MFA: If your phone number is compromised (e.g., via a SIM swap attack), attackers gain access to accounts with SMS MFA, including Google, exchanges, and bank accounts [06:57:00].
  • Prefer Hardware-based MFA: Use U2F keys (YubiKeys) for the highest level of security, as they provide a physical second verification method [07:55:00].
  • Authenticator Apps: If hardware keys aren’t feasible, use apps like Google Authenticator, ideally on a secondary, separate device [08:28:00]. Back up your codes securely and prudently [08:31:00].

Secure Recovery Methods

Ensure all accounts are recoverable and recovery methods are locked down [09:09:00]. For SIM cards, set an access code and inform your phone provider not to allow access or changes without it [09:41:00].

Password Management

  • Password Managers: Use a credible password manager like Bitwarden [08:48:00]. Avoid those with known compromises like LastPass [08:44:00].
  • Air-Gapped Storage: For highly sensitive information, consider storing it air-gapped on physical paper or in a crypto capsule, ideally in a fireproof location [08:57:00]. Never put recovery phrases or keys online for a cold wallet [13:47:00].

Wallet Strategy

  • Cold Wallets: Use cold wallets as much as possible, especially for significant funds. Private keys are offline, making them highly secure [10:00:00].
  • Hot Wallets: Minimize funds kept on hot wallets because they are constantly connected to the internet, increasing their vulnerability [10:05:00].
  • Segregated Wallets: Maintain a burner wallet, a trading wallet, and a separate storage wallet. Ideally, conduct all operations from multiple cold wallets [10:13:00].
  • Multisig Wallets: If using a multisig, ensure keys are not all accessible in one place and are stored on different hardware wallets [44:21:00].

Software and System Updates

Keep all software and systems up to date, including Twitter, Discord, operating systems, and browsers [10:40:00]. Enable automatic updates to avoid browser or operating system vulnerabilities, and protect against zero-day exploits [10:57:00].

Understanding Attack Vectors

Crypto security challenges are diverse and constantly evolving.

Phishing Attacks

Phishing is the most common attack vector, with threat actors becoming increasingly sophisticated, creating full-scale businesses around it [14:59:00].

  • Spoofed Websites: Be wary of websites that look legitimate but are fake [18:19:00]. Attackers buy ad space, so clicking the first search result for a crypto service (e.g., Uniswap) can lead to a spoofed site [18:48:00]. Always bookmark official websites and use those [16:34:00].
  • Domain Spoofing: Attackers mimic official domains using subtle visual tricks (e.g., ‘rn’ for ‘m’, ‘l’ for ‘i’) in links or email addresses [19:21:00]. Always verify the exact domain [20:19:00].
  • Email Links: For actions like password resets, go directly to the service’s website rather than clicking links in emails, even if they seem official [20:57:00].
  • Spear Phishing: Targeted attacks, often using job offers or meeting invites, can lead to malicious links that compromise your device or accounts [23:03:00].
  • Malicious Downloads: Never download executables (e.g., “test this game”) [24:20:00]. Be cautious with documents (PDFs, DOCX) as they can contain macros that execute code. Use tools like dangerzone.rocks to safely inspect PDFs [24:42:00].
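The bookmark-and-verify advice above can be turned into a small check. This is an added example, not code from the episode or its speakers: the allowlist, the confusable tables and the sample links are all constructed for illustration, and `skeleton`, `registrable` and `check_link` are names chosen here.

```python
import unicodedata
from urllib.parse import urlparse

# Visually confusable sequences mapped to one canonical form, so 'rn' and 'm',
# or 'l', '1' and 'i', collapse to the same "skeleton" before comparison.
MULTI_CHAR = {"rn": "m", "vv": "w"}
SINGLE_CHAR = {"0": "o", "1": "i", "l": "i", "|": "i", "5": "s", "3": "e"}
# A few Cyrillic letters that render like Latin ones (IDN homograph attacks).
CYRILLIC = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
            "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}

def skeleton(name: str) -> str:
    """Reduce a domain name to what the eye sees, not what the bytes say."""
    s = unicodedata.normalize("NFKC", name).lower()
    for src, dst in {**CYRILLIC, **MULTI_CHAR}.items():
        s = s.replace(src, dst)
    return "".join(SINGLE_CHAR.get(ch, ch) for ch in s)

def registrable(host: str) -> str:
    """Approximate registrable domain: last two labels. Multi-part suffixes
    such as co.uk would need the public suffix list; ignored here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(url: str, trusted: set[str]) -> str:
    """Classify a link against a bookmark-style allowlist of exact domains.
    "trusted" needs an exact registrable-domain match; a visual match, or a
    trusted name buried inside a longer host, is reported as a lookalike."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable(host)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if t in host or skeleton(domain) == skeleton(t):
            return f"lookalike of {t}"
    return "unknown"

# Constructed sample links (not real phishing domains) against one bookmark.
TRUSTED = {"uniswap.org"}
SAMPLE_LINKS = [
    "https://app.uniswap.org/swap",                # bookmarked, exact match
    "https://app.unlswap.org/swap",                # 'l' in place of 'i'
    "https://unisvvap.org/",                       # 'vv' in place of 'w'
    "https://uniswap.org.verify-login.example/",   # trusted name as subdomain
    "https://unisw\u0430p.org/",                   # Cyrillic 'a' (U+0430)
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{check_link(link, TRUSTED):26} {link}")
```

Anything that is not an exact match of a bookmarked domain is treated as untrusted, which is the point: the check never tries to guess whether an unknown domain is legitimate.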

Smart Contract Execution Risk

Vulnerabilities in smart contracts pose a significant risk [15:39:00]. If unfamiliar with code, be extremely prudent about which contracts you interact with [15:56:00].

Address Poisoning Attacks

Attackers monitor transactions and send small amounts of crypto to addresses that look very similar to legitimate ones (matching first/last characters) [39:28:00]. If you’re not paying close attention, you might accidentally copy the malicious address from your transaction history when sending funds, leading to losses [40:12:00]. Always use the direct source for addresses and verify them character by character [40:48:00].
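The pattern described above (matching first and last characters, differing in the middle) can be caught mechanically before funds move. This is an added example, not code from the episode: the address book, the transaction history and every address are constructed and belong to nobody, and the function names are chosen here.

```python
# Trusted destinations, copied directly from the counterparty (never from a
# transaction explorer). All addresses here are constructed and belong to nobody.
ADDRESS_BOOK = {
    "exchange-deposit": "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
}
# A poisoning address built to share the first and last characters of the
# trusted one, with a different 32-character middle.
POISONED = "0x1a2b" + "deadbeef" + "0" * 24 + "9a0b"

# Constructed wallet history: one genuine payment, then an unsolicited dust
# transfer from the lookalike, placed so it shows up among "recent" addresses.
HISTORY = [
    {"direction": "out", "counterparty": ADDRESS_BOOK["exchange-deposit"], "value": "250.0"},
    {"direction": "in", "counterparty": POISONED, "value": "0.0001"},
]

def is_lookalike(candidate: str, trusted: str, edge: int = 4) -> bool:
    """True when two addresses agree on the visible edges but differ somewhere.
    `edge` is how many hex characters after '0x' and at the end are compared,
    roughly what a wallet UI truncates to (e.g. 0x1a2b...9a0b)."""
    c, t = candidate.lower(), trusted.lower()
    return c != t and len(c) == len(t) and c[:2 + edge] == t[:2 + edge] and c[-edge:] == t[-edge:]

def mismatch_positions(a: str, b: str) -> list[int]:
    """Character-by-character comparison: indices where the addresses differ."""
    return [i for i, (x, y) in enumerate(zip(a.lower(), b.lower())) if x != y]

def find_poisoning(history: list[dict], address_book: dict[str, str]) -> list[dict]:
    """Flag history entries whose counterparty impersonates an address-book entry."""
    flagged = []
    for entry in history:
        for name, trusted in address_book.items():
            if is_lookalike(entry["counterparty"], trusted):
                flagged.append({"counterparty": entry["counterparty"], "mimics": name,
                                "direction": entry["direction"], "value": entry["value"]})
    return flagged

def safe_to_send(destination: str, address_book: dict[str, str]) -> tuple[bool, str]:
    """Allow only an exact, full-length match; an edge-only match is a red flag."""
    for name, trusted in address_book.items():
        if destination.lower() == trusted.lower():
            return True, name
        if is_lookalike(destination, trusted):
            return False, f"lookalike of {name}"
    return False, "not in address book"

if __name__ == "__main__":
    for hit in find_poisoning(HISTORY, ADDRESS_BOOK):
        print("suspicious:", hit)
        print("differs at positions:", mismatch_positions(hit["counterparty"], ADDRESS_BOOK[hit["mimics"]]))
    print(safe_to_send(POISONED, ADDRESS_BOOK))
```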

MFA Bypass Attacks

Even MFA can be compromised through sophisticated methods:

  • Prompt Bombing: Attackers repeatedly send MFA requests to your authenticator, hoping you’ll approve one out of annoyance or confusion [34:08:00].
  • Man-in-the-Middle (MITM) Attacks: On public Wi-Fi (e.g., Starbucks, airports), attackers can set up malicious access points that mimic legitimate ones [35:57:00]. When you connect and try to log in, they intercept your username, password, and MFA code, allowing them to replay your login [36:11:00]. Avoid public Wi-Fi for crypto activities [36:37:00].
  • Service Desk/SIM Swaps: Attackers gather information about you and impersonate you to service desks (e.g., Twitter support, phone carriers) to gain control of accounts or SIM cards [37:40:00].

Specific Platform/Scenario Advice

  • Chrome Extensions: Malicious extensions can have access to your cookies and credentials [22:01:00]. Only download credible and trusted extensions, and regularly audit and remove any you don’t recognize or that don’t need access [22:33:00].
  • Mobile Devices: While phones are generally less susceptible to certain compromises because their apps run in an isolated, sandboxed environment, a compromised iCloud account can grant attackers access to your entire digital life [25:40:00].
  • Telegram/Discord: These platforms are rife with impersonation attempts, especially from fake support personnel [26:25:00]. Always verify usernames and be suspicious of DMs. Never click links or download files from unverified sources [26:38:00].
  • QR Codes: Avoid scanning QR codes in public places like airports, as they can lead to malicious sites or actions [32:51:00].
  • Lumos (chainlight.io): A website that tracks different attack vectors in crypto [14:45:00].
  • Fishing.therktgames.com: A crypto phishing quiz by Tincho Abbate (The Red Guild) to test your knowledge and identify common phishing techniques [41:28:00].
  • Tavano: An “OG of crypto security” with incredible resources, including a Medium article on securing crypto [49:04:00].
  • OfficerCIA: Provides extensive resources on Telegram and Discord security [49:29:00].

Mindset for Safety

  • Verify Before Trusting: Always verify the source and legitimacy of any link, email, or request before interacting with it [20:38:00]. Take extra steps like asking someone or dissecting the link [20:48:00].
  • Emotional Regulation: Attackers capitalize on urgency and the desire for quick profits (e.g., “quick 23x” or “alpha”) [28:51:00]. Take a deep breath and verify; 15-30 seconds of due diligence won’t significantly impact your P&L [29:35:00].
  • Human Error: Be aware that human error, especially when tired or chasing dopamine, is a significant vulnerability [50:48:00]. Avoid making financial decisions when not fully focused, such as trading at 2 AM [50:40:00].
  • Continuous Education: Given that user education in crypto is not yet where it needs to be, constantly educating yourself is crucial for improving your security [48:54:00].

While improvements to user experience and retention in crypto, such as account abstraction (e.g., Fuse Wallet), are making interactions simpler and adding layers of security like two-factor verification, the fundamental truth remains: the crypto space is filled with malicious actors [30:22:00]. Embrace a paranoid mindset and reduce your risk of compromise as much as possible, because an attack will likely occur at some point [31:57:00].