Keeping Your Coins Safe

It's Dangerous to Go Alone

1. Know Who You Are Dealing With
   1.1. Certificates of Authenticity
   1.2. Initiate Contact Yourself
   1.3. Use Security Tools
   1.4. Host It Yourself
2. Safeguard Your Keys
   2.1. Loose Lips Sink Ships
   2.2. Hardware Wallets
   2.3. Backups
   2.4. Encryption
3. Operational Security
   3.1. Social Engineering
   3.2. Plausible Deniability and Duress Mode
   3.3. Be Inconspicuous
4. Conclusion

On Tuesday, April 24th, some users of My Ether Wallet (MEW)—the popular Ethereum web-based wallet—were subject to a DNS attack that redirected the site to a malicious copycat that stole keys. As a result, many people lost their coins.

Here are some tips to help you keep your coins safe from attacks like these and other dangers in the digital—and physical—world.

Information in this blog post is also covered in my visit to the Coin Chat podcast episode 22.

One of the backbone technologies of the internet is the “Domain Name System” (DNS). DNS is like a phone book for your computer. When your computer needs to talk to a site like “example.com” it asks DNS for the IP address, which is a string of numbers (four in most cases) such as 192.168.10.121. Someone hacked into some DNS servers so that the phone book returned the wrong address. This was most widely reported on—ironically enough—Google’s “Honest DNS” servers.

Know Who You Are Dealing With

Certificates of Authenticity

The first clue that something was wrong was when some browsers indicated that the SSL certificate didn’t match the site. Modern browsers use a technology that allows a website to prove it is the one it claims to be; for instance, to ensure you are talking to your bank and not someone pretending to be your bank. It is very difficult (though not impossible) for hackers to get an imposter certificate, and the hackers in this case did not have that certificate. Those who fell prey to this attack either ignored the warnings or used a browser that did not display the warnings prominently.

Before you enter private or important data into a web site make sure the site presents a valid certificate.

Initiate Contact Yourself

Certificate checks only help if you are on the site you think you are. A common technique is to create a website with a name that is very similar to the site you are trying to reach, for instance www.myetherwa11et.com. If you aren’t paying close attention you might not notice the difference. Through clever tricks the illusion can be even more convincing. For high-security websites never trust a link someone gives you; always enter the address by hand. If a stranger comes up to you, hands you a phone and says “your bank is on the line, they need some information from you” it’s very likely you would walk very far away. Clicking on a link in email or Telegram is the equivalent.
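The lookalike-domain trick above can be checked mechanically before a key ever goes near a page. The following is an added example (not code from the original post): it reduces a hostname to what it visually resembles, compares that against a hand-typed allow-list, and flags digit-for-letter swaps, Cyrillic homoglyphs and “trusted-name-as-subdomain” tricks. The allow-list and the confusable table are constructed for illustration and are far from complete.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: the domains you intend to reach, typed in by hand once.
TRUSTED = {"myetherwallet.com"}

# Constructed subset of characters that look like ASCII letters: digits used as
# letters, plus Cyrillic a, e, o, p, c (U+0430, U+0435, U+043E, U+0440, U+0441).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c"})

def skeleton(host: str) -> str:
    """Reduce a hostname to what it *looks* like; used for comparison only."""
    host = host.lower().rstrip(".")
    try:                      # expose punycode (xn--) labels as Unicode
        host = host.encode("ascii").decode("idna")
    except UnicodeError:      # already Unicode, or malformed punycode
        pass
    host = unicodedata.normalize("NFKC", host).translate(CONFUSABLES)
    return host.replace("rn", "m").replace("vv", "w")

def registrable(host: str) -> str:
    """Last two labels; a crude stand-in for a public-suffix-list lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if registrable(host) in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        # Visually identical after normalisation, or the trusted name
        # planted as a subdomain of something else (myetherwallet.com.evil.net).
        if skeleton(good) == skeleton(registrable(host)) or f".{good}." in f".{host}.":
            return "lookalike"
    return "unknown"
```

Treat “lookalike” as a hard stop and “unknown” as a reason to type the address yourself; the skeleton is never shown to the user, only compared.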

Notice that I haven’t linked to My Ether Wallet in this post. I don’t want you to click on that link because…well…read the previous paragraph.

If you do a search on Google or another search engine be aware of the “ad” links. Anyone can pay money to show up at the top of this list and frequently these are used by scammers to direct you to a less-than-noble site. Always click the non-ad links to ensure you are going to the most relevant and highly-rated site.

Use Security Tools

An additional step you can take to protect yourself in the crypto world is to install a browser extension like Cryptonite or EAL. These extensions can warn you of known phishing sites and are an extra layer of protection. Don’t rely solely on these extensions, as it can take some time for newly reported bad sites to propagate to them; if a site seems phishy you should just walk away even if the extension doesn’t say it is bad. You can find links to these extensions at the top of the MEW site.

Also make sure you are running malware-detection software on your system. Malware can make illegitimate sites look on the up-and-up and can steal information right from your browser.

Host It Yourself

Alternatively, MEW allows you to download the site to run locally on your own computer. You can keep this copy in a folder on your machine and transact with it there. This will ensure that network attacks like the ones above won’t affect you.

Safeguard Your Keys

First, the standard warning:

Your private keys are the only way to access your coins: If you lose your private key you lose your coins. If someone else gets your private key they can get your coins.

Your wallet does not “store” coins. The coins exist on the network in the blockchain and can be accessed by anyone, anywhere, at any time as long as they present a valid key. This “proof” of access is all that is needed to take your funds. The network treats this proof as authorization from you directly and does not provide a mechanism for undoing the transaction. There is no 1-800 number you can call to get them back.

Loose Lips Sink Ships

You should never enter your private key or recovery seed into any computer or web browser. This is the least secure method of interacting with the blockchain and is the attack vector used in the above hack. Within seconds of entering a private key on the copycat site users had all of their funds stolen. A piece of malware or a rogue browser extension can also steal this information.

The TSA—a government agency with “security” in its name—posted photos of the master keys used to unlock travel padlocks allowing anyone to build a duplicate key. If you have a TSA lock it is only slightly better than using a ziptie to lock your luggage. If your private wallet key falls into the wrong hands you’ve just opened the door to your funds.

Avoid storing your private keys in the cloud, such as Dropbox or 1Password. If your keys exist in digital form there is likely a way to trick you out of them or malware that can grab them. If the entirety of your crypto holdings is behind your Gmail password “s3cr3tp@ssw0rd” then chances are your coins are going to be stolen. Use a secure password, such as those generated by Make Me a Password. For even more safety, generate the password offline.

Hardware Wallets

At the same time that people were getting their funds stolen from the fake MEW, others were using the exact same malicious site without issue. These people had hardware wallets and did not need to enter their private key into the website. In the presence of a malicious third party they made it through unscathed.

If you have an amount of cryptocurrency large enough that you’d be angry at yourself for not spending $100 to protect it then you should invest in a hardware wallet. A hardware wallet holds your private key and doesn’t share it with anyone and resists almost every attempt to access it, digitally and physically. When it comes time to make a transaction, the software sends the transaction to the hardware wallet for confirmation and signing. The signed transaction is then returned to the software to be posted on the network.

Once a transaction has been signed it cannot be tampered with—doing so invalidates the signature and the transaction will be rejected by the network. Hardware wallets give you an opportunity to review the transaction before signing it so you can confirm the address in the transaction is the address to which you wish to send the funds. There can be no clever sleight of hand to make you see one thing and sign another.

Always make sure you confirm the address on your hardware wallet matches the intended address. All sorts of tricks can swap out the address before you sign it but there are no tricks to change the address once you’ve signed the transaction.

Any of the major hardware wallets will work; it’s mainly a matter of features and convenience. I personally have a Trezor, a Ledger, a KeepKey, and a Digital Bitbox.

An alternative to the hardware wallet is to keep your key offline and only enter it into a secure computer. This process is called offline signing and is supported by many cryptocurrency wallets.

Backups

The converse to “don’t share your keys” is “don’t lose your keys.” The network only accepts your private key as the means to accessing your funds. If you drop your mnemonic seed in a puddle your coins are gone. There is no tech support to help you.

In the world of disaster recovery, one is none and two is one. If you only have a single copy of data or a single failover then if you lose that instance you are done. If you have a single backup (two copies) and you lose one then you still have a copy—but now one is none. For your private keys you should have at least three diversified copies. If you have your seed written on three pieces of paper and they are all in the same filing cabinet they will all be wiped out in the same fire.

An example of a good backup strategy is to have a hardware wallet, a copy of the keys in paper (or metal) form in a location with frequent access, and a copy in a more secure place such as a bank vault or a lawyer’s office. Check regularly that all copies of your key are present and undamaged. If you discover one of the copies to be damaged replace it immediately.

In addition to geographical diversity you should diversify the technology. Having copies of your key on three Ledgers means you are out of luck if the software is no longer available or Ledger-specific malware renders your devices inoperable. For an alternative to a paper wallet I recommend the use of a device like Cryptosteel or you can get a cheap metal punch kit and make a keychain from punched metal discs.

Encryption

If you need to store your key with someone and you don’t fully trust them you can encrypt your mnemonic with a password. General rules apply: use a strong password and don’t forget it! You will want to keep this password in a safe place or two.

There are also more advanced options like erasure coding (m-of-n encoding) and multi-sig wallets (n-of-m signing) that allow you to spread the secret out across multiple people such that some number of parts must be used to get the whole secret. For instance you can give part of your key to three of your friends (e.g. every first and second word to Doug, second and third to Sarah, and first and third to Taylor). In order to steal your funds two of your friends would need to collude against you. Harsh.
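Shamir’s secret sharing is the standard construction for the m-of-n splitting just described. The following is an added example, not code from the post; it goes beyond the word-splitting scheme above in that any number of shares below the threshold reveals nothing about the secret, because each share on its own is a uniformly random field element. The secret is assumed to be the wallet’s 256-bit seed entropy as an integer, and the field prime used is the secp256k1 field prime.

```python
import secrets

# Field modulus: the secp256k1 field prime, large enough to hold 256-bit seed entropy.
P = 2**256 - 2**32 - 977

def split_secret(secret, threshold, share_count):
    """Shamir split: points (x, f(x)) on a random polynomial with f(0) = secret."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a non-negative integer below P")
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    # Constant term is the secret; the other threshold-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x):  # Horner evaluation of the polynomial mod P
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, share_count + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0; correct only with >= threshold distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def demo():
    """2-of-3 split of constructed seed entropy among three holders."""
    entropy = int.from_bytes(secrets.token_bytes(32), "big")  # constructed 256-bit entropy
    doug, sarah, taylor = split_secret(entropy, threshold=2, share_count=3)
    pairs = [(doug, sarah), (doug, taylor), (sarah, taylor)]
    any_two_recover = all(recover_secret(list(p)) == entropy for p in pairs)
    one_alone_fails = recover_secret([doug]) != entropy  # a lone share is just a random value
    return any_two_recover and one_alone_fails
```

Store each (x, y) pair with a different person or location, exactly as the backup section recommends for whole keys; the shares only need to be collected again when the seed itself is needed.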

Operational Security

Finally, to keep your coins secure, keep your mouth shut. If people don’t know you have crypto they probably won’t try to take it from you. If you tell people how and where you store your keys it is easier for them to go after it. If you use a unique and secure password to lock your keys, people can’t look over your shoulder when you log into Facebook.

Social Engineering

The easiest way to hack someone is to use social engineering techniques. You can get 1000 people to click on a fake email long before you can crack a WiFi password or break into a “firewall with 256 bit encryption” (thanks Hollywood). Arm yourself against these kinds of attacks by understanding how social engineers can manipulate you. Set an internal alarm to go off anytime someone asks for personal information, your password, or your keys. Don’t trust any web site, no matter how official it looks, until you’ve confirmed the address and certificate.

Plausible Deniability and Duress Mode

Many hardware wallets and some secure systems have a duress mode or plausible deniability. If someone has a knife to your throat and is making you unlock your wallet you can enter the duress password and it will unlock a wallet that you’ve filled with a trivial amount of money. The bulk of your coins are safe.

Be Inconspicuous

Your lambo with the “BTCMOON” license plate is probably going to draw attention. The amount of effort and money you spend on protecting your coins should be proportional to the value of your portfolio and the size of your notoriety. It’s not worth spending $100 to protect $20 of Ethereum, no matter how vocal you are about your holdings. If you’ve been HODLing since 2012 you probably should invest in a good security and disaster-recovery plan even if no one knows your crypto secret; doubly so if your stage name is DJ Dogecoin.

Conclusion

The security of your coins rests solely in your hands. Crypto is not yet at the stage where safety is foolproof. Do your research, be on the lookout for suspicious sites, and keep your private keys private. Don’t trust random strangers bearing gifts. Not every fork is a friend.

Were you hit by this phishing attack or any other? Do you have any tips I missed? Leave them below.