Security Recommendations for Bitcoin hodlers
After my appearance on the Cryptocast, where my recent research article was discussed, I received a few PMs through Twitter and LinkedIn with general or specific questions on what my recommendations to Bitcoin hodlers who want to improve their security would be. To follow up on that, I wrote this blog post to describe some general steps you can take. Please note that security always depends on personal circumstances and risk appetite, just like your investment decisions do.
But first a little rant on non-cyber, but equally important, operational security. Not beating around the bush: it really amazes me how many people still openly tell others how many Bitcoin they’re holding. They even seem to like this, while most of the (same) people are pretty reluctant to disclose the amount of dollars or euros in their bank account or the cumulative value of their stock portfolio. Of course this is common sense, which is why I don’t understand why so many people still brag at birthday and office parties about the number of full Bitcoin they’re holding. Just don’t do it. If you want a better reason, take a look at Jameson Lopp’s GitHub repo, where he keeps track of all known physical attacks to steal Bitcoin.
Storing your Bitcoin on a hardware wallet is simply the go-to security recommendation for most people. Sure, storing your Bitcoin on your own full node can be more secure and offer more functionality, but you’ll have to be comfortable getting a bit geeky at times, as your node needs to be kept up to date. Optionally, look at multisig wallets such as Electrum or Carbon Wallet. While you’re at it, create a new address for each transaction. This is functionality most hardware wallets have by now.
Overall, it makes sense to opt for a hardware wallet whose software is open source, because this increases the auditability of the software. Based on this, any Trezor is preferred over Ledger, as Ledger is based on proprietary software. This means Ledger’s wallet software is effectively a black box and its security can only be audited on behalf of Ledger. You think Trezor’s limited altcoin support is a downside? If you want to get scammed through shitcoins, why store them properly anyway? ;) Regardless of the hardware wallet you use, store it in a safe place.
Many people still carry their wallet on their keyring, assuming this is safe because one still needs a BIP39 passphrase in addition to physical access. This is true, but side-channel-style attacks that need physical access have been reported for most hardware wallets, such as this one for the Trezor and this one for the Ledger.
It makes good sense to use an ad-blocking browser extension. uBlock Origin would be my go-to recommendation here, as it is compatible with most browsers. While the revenue model of many websites runs on advertising income, over the years online advertisements have also been used to serve malware and to invade user privacy unnecessarily. From the Binance hack last summer we know that users were attacked through Google Ads that were served on top of the Google result for the actual Binance login page. These ads linked to phishing login pages that captured the user’s credentials, after which the attackers could exfiltrate funds from the user’s Binance custodial wallet.
If you want to take ad-blocking a step further, you can also take it out of the browser and save precious CPU cycles by installing Pi-hole or AdGuard Home on a Raspberry Pi. As these solutions live in your network, they block ads for all your network devices and also allow for additional privacy through DNS over HTTPS.
Other browser extensions
Apart from a trustworthy ad blocker, be highly selective about the browser extensions you choose to use. It is good security practice to only enable those you really use. Countless stories of users of malicious Trezor browser extensions who have lost money have crossed my Twitter feed, like this recent one. Even if you’re using an array of browser extensions that you’re pretty sure are safe, each of them introduces additional attack surface through common bugs such as XSS vulnerabilities.
Over the past years, many popular services have been breached, through which the credentials of hundreds of millions of users have been made available online. On Have I Been Pwned, you can check if your account got compromised through one of the breaches that have been publicly disclosed. In most cases this means that the combination of your username and password for this service is now available to bad actors. If you recycle your passwords with very limited variation across multiple services, you now have a higher risk of having your other accounts breached as well. In any case you need to be cautious, as this is juicy stuff for bad actors, as Brian Krebs has explained perfectly.
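Have I Been Pwned also lets you check whether a password itself appears in the leaked corpora, and it does so without ever receiving the password: the client sends only the first five hex characters of the password’s SHA-1 digest, receives every suffix in that range, and finishes the match locally. The block below is an added example (not code from the original post or from the HIBP project) that implements that client-side half of the lookup. The network call is not performed; `SAMPLE_RANGE_5BAA6` is a constructed stand-in for the response of the range endpoint, and its counts are made up.

```python
from __future__ import annotations

import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """SHA-1 (the digest HIBP indexes) of the password, split into the
    5-character prefix that is sent and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns, one per line."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, queried_prefix: str, range_body: str) -> int:
    """How often the password occurs in the breach corpus; 0 if it is absent.

    The caller passes the prefix it queried so a response for the wrong range
    cannot silently produce a false 'not found'."""
    prefix, suffix = sha1_prefix_suffix(password)
    if prefix != queried_prefix.upper():
        raise ValueError(f"response is for range {queried_prefix}, password hashes to {prefix}")
    return parse_range_response(range_body).get(suffix, 0)


# Constructed sample for the range 5BAA6 (the password "password" hashes into it).
# The real endpoint returns hundreds of such lines; these counts are invented.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("only this leaves the machine:", prefix)
    print("occurrences of 'password':", breach_count("password", prefix, SAMPLE_RANGE_5BAA6))
```

With a real client you would fetch `https://api.pwnedpasswords.com/range/<prefix>` over HTTPS and feed the body to `breach_count`; a non-zero count is a password you should never reuse, and a password manager makes that easy to avoid.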
So if you want to take an additional step towards increasing your Bitcoin security, create a dedicated email account for your Bitcoin-related stuff. This significantly decreases the risk of collateral financial damage if one of your social media accounts gets hacked. If you want to set yourself up for the future, create an account with ProtonMail or StartMail, which are known not to trade on your privacy.
Strong, unique passwords and 2FA
This recommendation goes hand in hand with the one above. Never reuse passwords, and make them so complex that you can’t remember them. For this, you can use a password manager such as KeePass (local) or Bitwarden. Of course, also choose a strong master password.
It is also recommended to enable second-factor authentication at all services that support it. Usually this means you will need to enter a TOTP code that is generated by an algorithm supported by apps such as Google Authenticator. In addition to this, if you already own a hardware wallet that supports U2F, you can also use that device as your second factor. Please be very cautious about using SMS codes as a second authentication step. Some telecom operators are known to be vulnerable to SIM swapping. If you’re with one of those operators, this means an impersonator can request a new SIM card for your phone number, after which he might be able to take control of your online accounts, as some websites use your phone number for identification.
Using Linux for your interaction with any Bitcoin-related services will drastically decrease your attack surface. While Windows is a perfectly fine OS if you keep it up to date, an installation with many user-installed applications is less secure than a Linux distro with only applications from the distribution’s own repository (e.g. Main in Ubuntu, which is maintained and supported by Canonical). This doesn’t need to be a drastic overhaul: most distros can be run ‘live’ from USB storage, which is ideal to boot up just for your Bitcoin stuff. If you want to take this a step further, you can also boot Tails to browse via Tor.
Is using a VPN service safe? Well, this depends on your threat model. Out of privacy concern, many people think they are better off surfing via a VPN service that costs them a few bucks a month. The competition in the VPN market is fierce, so the prices are unrealistically low. I would argue here that when it looks too good to be true, it is. Your ISP, especially if you live in Europe, is bound by strict privacy regulations such as the GDPR. Many VPN providers show off with servers located in DCs in plenty of countries internationally, but regardless of the country you connect to, you are no longer routing your DNS traffic through your ISP, but through a shady entity usually legally domiciled in jurisdictions known as tax havens, which are not known for their excellent privacy legislation.
Of course this is different if you’re interacting with your Bitcoin via public wifi. At the very least, make sure the service you’re using is encrypting traffic with an SSL/TLS certificate (the well-known green padlock symbol in your browser’s address bar). You can enforce this by using the HTTPS Everywhere browser extension.
Each security measure you take affects ease of use. It is up to you which tail risks you judge acceptable. This normally depends on how many Bitcoin or satoshis you have to secure and their significance relative to the rest of your capital. But as a rule of thumb, never believe in something that is too good to be true. For example, only last week it appeared that quite a few users had been lured into using a fake QR code generator for Bitcoin. This relatively simple-to-deploy scam proved to be quite lucrative. Treat fancy tools like these as black boxes. They are abstraction layers, which are a potential risk: if you don’t know what’s going on internally, don’t use it.