I came across this plea by Eric Savics, a Bitcoin holder in Canada, who was using the KeepKey wallet to store his Bitcoin offline, as you're supposed to in order to keep it secure.
On June 10th, I had all my Bitcoin stolen in a hardware wallet phishing scam. I built up my position over 7 years. I was planning on using it to buy an apartment… I know whoever has my BTC will likely never see this video. Nonetheless, below is my plea: pic.twitter.com/7U56yHbSU2
— ericsavics (@ericsavics1) June 12, 2020
Every so often, you're prompted to update the device's firmware to the latest version, and he went to download the latest plugin from the Google Chrome store.
He ended up falling for a phishing scam: installing a malicious extension that had been pushed to the top of the rankings in Google's Chrome extension store.
Sadly, Eric ended up losing 12 BTC, or ~$120,000 USD (7 years of his life's work building up his Bitcoin position) in a matter of seconds.
And this happened to an experienced user.
In this post, I'm going to examine how best to store your crypto and the best practices for keeping your funds safe, especially as theft attempts by hackers increase.
But first... a recap
Recap
Our first post was almost 2 months ago!
How time flies.
We started off by explaining how Bitcoin created true digital scarcity and why this was game changing for trust and finance. We then ran through some valuation models for Bitcoin before turning our attention to buying our first stablecoin and trading for ETH or BTC on a DEX.
We then explored the value of dollar cost averaging and how you could put smart contracts to work doing it for you. In the last two weeks, we started exploring how to monetize your tokens and put them to work for you, earning interest or trading fees on a DEX.
I highly recommend you jump into the links below.
It's one thing to sit and watch all this happen from the sidelines, but every day you don't start, you're missing out on a once-in-a-lifetime opportunity to be at the vanguard of a new monetary system.
Have a look:
TL;DR
After researching crypto key security over the past week, I've come to realize just how difficult it is and how many attack vectors there currently are, for both physical and remote threats.
It should hardly have been a surprise, given that there are companies whose entire business is key custody, including Casa Hodl, as well as institutional custodians like Coinbase Custody.
Nonetheless, I'm going to break down my three best options depending on your exposure, as defined by your risk tolerance.
Small
🥇Smart Contract Wallet + Insurance
I would probably stick with a smart contract wallet like Argent or Gnosis Safe. Argent specifically has social recovery options, so you can recover your funds if you lose your phone. It also does away with seed phrases, which need to be secured themselves and pose another attack vector.
You'll still be exposed to the smart contract itself failing, but for most users with small balances this is a risk worth taking given the convenience. Throw in some insurance and you have a pretty strong option for 95% of the population.
Medium
🥇Smart Contract Wallet + Cold Storage + Insurance
For larger amounts of funds, I would recommend the aforementioned smart contract wallet along with a cold storage solution like a Trezor or Ledger device (more on this below). You will also want a Blockplate or similar device on which to record your mnemonic phrase, one that can withstand physical damage (fire, corrosion, etc.). I would keep the funds mainly on one or more cold storage devices and use the smart contract wallet for daily use.
Large
🥇Smart Contract Wallet + Cold Storage + Custody with Insurance
The final option is just like the above, but I would consider adding a professional custody solution. The aforementioned Casa Hodl is a well-known one. I haven't explored it personally, but many institutional custody solutions include insurance. In this way, you can offload a portion of your funds and let professionals handle them. Although this goes against the ethos of the space, in reality I think people will have peace of mind knowing they have help managing their assets.
What is a cold storage device?
A cold storage device is typically a USB-type device that is not connected to the internet and stores your private keys offline. It can be used to sign or confirm transactions when sending funds or initiating smart contract calls, with the amount and destination address shown on the device's own screen for confirmation.
On initialization, you are given a mnemonic key phrase of between 12 and 24 words in a precise order that you can use to recover your private keys in the event you lose access to the device. Often you can add an additional word (a passphrase on the Trezor) to create an entirely new set of addresses.
This is well covered elsewhere, so I won't get into it much more, but you can read more here.
Suffice to say, having a hardware device to store your private keys is much safer than using a hot wallet on your desktop or phone.
Two good options are the Trezor or Ledger devices:
Ledger
Trezor
Common Threats
In this post, I borrowed heavily from Jameson Lopp, who is with Casa Hodl and an expert in this field. You can read his post entitled "The Dos and Don'ts of Bitcoin Key Management" for a more in-depth look at security, but let me just explore three common threats you should be aware of.
Phishing Scams
Eric was hit with a phishing scam in which a party pretended to be KeepKey and installed a malicious program to harvest his recovery seed. He would still have been safe if he hadn't entered the phrase directly on his computer. Phishing scams come in many forms, but you have to assume that any connected device could be compromised.
Recommendation: Never give your recovery seed to anyone, and only enter your seed phrase directly on the hardware device. A legitimate vendor will never ask for the full word sequence during a hardware wallet recovery on an internet-connected device like your desktop or mobile.
Lost or Stolen Recovery
There is the potential to lose or damage the recovery phrase that you wrote down when you initially set up the hardware device. It could be lost in a fire or damaged by a water leak. Moreover, it could be stolen, giving anyone who has it complete access to all your private keys. Treat the recovery seed as cash that can be stolen by anyone who finds it, and that will help you frame the challenge.
Recommendation: Use a passphrase (remember the extra word) to salt your recovery phrase and add enough entropy to survive a brute-force attack. Etch your recovery seed into steel using any of the following devices to prevent damage, and don't split your recovery seed up, as that reduces the entropy and leaves a smaller search space for a brute-force attack.
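To make the passphrase and "don't split the seed" advice concrete, here is an added example that is not from the newsletter or from any wallet vendor. It assumes the device follows BIP39 (the standard Trezor-style devices use), in which the mnemonic plus the optional passphrase are run through PBKDF2-HMAC-SHA512 to produce the seed that every address descends from. The function and variable names are my own, and the sample mnemonic is the publicly known all-"abandon" BIP39 test phrase, constructed here for illustration only.

```python
import hashlib
import unicodedata

# Added example, not the newsletter's or any vendor's code.
# Assumption: the hardware wallet derives its seed per BIP39.
PBKDF2_ROUNDS = 2048   # iteration count fixed by BIP39
BITS_PER_WORD = 11     # the BIP39 wordlist has 2048 entries -> 11 bits per word


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed from a mnemonic and an optional passphrase.

    BIP39: password = NFKD-normalised mnemonic, salt = "mnemonic" + passphrase,
    PBKDF2-HMAC-SHA512, 2048 rounds. The passphrase is the "salt" the text
    refers to: any change to it yields an unrelated seed (and unrelated addresses).
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def seed_fingerprint(mnemonic: str, passphrase: str = "") -> str:
    """Short hex fingerprint of the derived seed, convenient for comparing wallets
    without printing the seed itself."""
    return hashlib.sha256(mnemonic_to_seed(mnemonic, passphrase)).hexdigest()[:16]


def unknown_word_search_bits(total_words: int, words_exposed: int) -> int:
    """Bits of brute-force search space left once an attacker has learned
    `words_exposed` of a `total_words` mnemonic (11 bits per unknown word).

    The BIP39 checksum bits are ignored here, so this slightly overstates the
    space (by up to 8 bits for a 24-word phrase); the point is how fast it
    collapses when a seed is split and one half leaks.
    """
    if not 0 <= words_exposed <= total_words:
        raise ValueError("words_exposed must be between 0 and total_words")
    return (total_words - words_exposed) * BITS_PER_WORD


if __name__ == "__main__":
    # Constructed sample: the well-known BIP39 test mnemonic. Never fund it.
    test_mnemonic = " ".join(["abandon"] * 11 + ["about"])
    print("no passphrase      :", seed_fingerprint(test_mnemonic))
    print("passphrase TREZOR  :", seed_fingerprint(test_mnemonic, "TREZOR"))
    print("passphrase trezor  :", seed_fingerprint(test_mnemonic, "trezor"))
    for exposed in (0, 6, 12, 18):
        print(f"24 words, {exposed:2d} exposed -> "
              f"{unknown_word_search_bits(24, exposed)} bits of search space left")
```

Two things to take from running it: a passphrase that differs by a single character ("TREZOR" versus "trezor") produces a completely different wallet, so a forgotten or mistyped passphrase is as fatal as a lost seed and must be backed up with the same care; and a 24-word phrase with 12 words exposed drops from roughly 264 bits of search space to 132, which is why splitting the seed into halves is weaker than keeping the whole phrase in one well-protected place.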
Buying a Compromised Device
One of the more ingenious attack vectors I've come across is compromising the actual hardware device users initially purchase. Here's a story of a user who purchased his device on eBay, which shipped with the recovery seed already created, and lost his life savings: $34,000. Most people wouldn't think twice about this, as they aren't versed in private key management.
Recommendation: Never purchase a device from anyone other than the vendors themselves (Trezor or Ledger). Never trust it if it comes with a recovery seed included. When the device arrives, ensure it has a seal as shown on the Trezor box below. Here is guidance on checking for tampering with your Ledger.
Summary
There are many more threats, including SIM swaps, malware, swapped devices and much more, but they are mostly mitigated by following the recommendations above.
If you would like to read more about security threats you can review them on the Trezor.io Security Wiki.
This can seem like a rather cumbersome process, but I highly recommend you take it seriously if you are holding larger amounts of crypto. This space gives users a lot of privilege, but it also carries serious threats with it.
Having a hardware wallet gives you the peace of mind knowing your funds are being securely stored away from remote hackers.
Grab them now - Trezor / Ledger
What do you want to see me cover next week?
Post in the comments and I’ll explore the topic in a future edition of this newsletter.
Make sure to subscribe to stay up-to-date.
Around the Space
European bank using USDC instead of SWIFT
Bank Frick, a leading blockchain bank in Europe, is pivoting to using USDC as a settlement layer because, "compared to the classic SWIFT procedure, the processing time is significantly reduced". The digitization of the dollar is going full steam ahead, with or without government approval, as companies around the world realize they can settle transactions faster and cheaper, while also retaining more control, than through the legacy SWIFT system that has been running since the 1970s.
Hackers hold an exchange hostage
Earlier this week, several users flagged two bizarre transaction fees of $2.6M emanating from a single address, prompting speculation of an error by the owner. However, what likely happened is that a hacker gained entry to an exchange and wasn't able to steal funds, as only transfers to whitelisted addresses were allowed. To circumvent the block, they submitted transactions with massive fees, holding the exchange hostage so that it would have to pay the hacker to regain access.
sDEFI derivative up 47.3% this month
One of the more interesting developments out of DeFi is derivative instruments, which could potentially expand the domain of crypto to many more things. For instance, if you wanted to place bets on decentralized finance broadly, you could purchase sDEFI, which is built on Synthetix to track the growth of the whole sector. With price feeds from LINK or the UMA protocol, along with the soon-to-be-launched Augur 2.0, the universe of betting on trends in the sector is set to explode.
Crypto credit cards going mainstream in 2020
A host of new crypto credit cards are being rolled out by industry leaders including Coinbase, Wirex and Uphold. These pre-paid debit cards allow users to spend any cryptocurrency, including stablecoins like DAI or USDC. With the emergence of DeFi, where people can save and earn by lending funds, coupled with a way to spend this new money in the real world, we are starting to see bridges being built between the legacy world and the new, dynamic crypto space.
WalletConnect rolls out mobile linking in v1.0
WalletConnect finally rolled out of beta and came with a goodie baked into version 1.0. Mobile links can now be used to connect to the wallet of the user's choice right from inside a mobile browser. If you remember, we used a QR code to connect to our Argent wallet in our post on DEX trading, which used WalletConnect as a bridge. With support for 25 wallets and over 50 dApps, along with support for layer 2 connections, cross-industry standards like this really push the whole space forward.
Make sure to share this post! 🚀🚀🚀
Disclaimer: Statements on this site do not represent the views or policies of anyone other than myself. The information on this site is provided for discussion purposes only and is not an investing recommendation. Under no circumstances does this information represent a recommendation to buy or sell securities.