7 ways to level up your bitcoin OpSec
The operational security (OpSec) basics that bitcoin OGs consider second nature are often lost on newcomers. This can create dangerous situations.
That's why we're sharing the top 7 basic security practices that we review with clients before going deeper into advanced cold storage & OpSec schemes.
Follow these OpSec tips and you’ll be safe from many common threats.
1) Generate unique, random passwords and change them often.
Never use repeat passwords, especially for accounts with personally identifiable and sensitive information (e.g. Facebook, Gmail, AppleID, Twitter, banks/payments, crypto accounts). Use passwords that are randomly generated and 20+ characters long.
If you see suspicious password activity or failed log-ins on any of your accounts, change all of your passwords, starting with sensitive and authorization accounts, such as your primary email and bank/crypto accounts.
2) Use a password manager.
If you’re overwhelmed by the requirements of tip #1, try using a password manager. A password manager is an encrypted, online vault that takes all the difficulty out of:
- Randomly generating secure passwords
- Remembering unique, secure passwords
- Identifying where you’re still using insecure passwords
- Quickly changing insecure passwords when needed
1Password and LastPass are both good options. I usually recommend LastPass for password manager beginners because the interface is more user-friendly. 1Password has a more advanced security model around account recovery, so it can be the preferred option for those that prioritize security over usability.
3) Do not use SMS for two-factor authentication.
Using two-factor authentication (2FA) is a great way to improve your digital security. However, you should never use SMS text messages for your 2FA. SMS-based 2FA authentication is an extremely insecure method of securing your accounts. You’ll find out why in the next tip.
Instead of SMS-based 2FA, use Google Authenticator (iOS/Android) or Authy apps for iOS or Android. Google Authenticator is quicker and easier to set up, but Authy offers more robust account recovery options.
Keep in mind that the codes generated by 2FA apps are device specific. Your account is not backed up to Google cloud or iCloud, so if you lose your phone, you’ll need to spend some time proving your identity to restore your 2FA. The added security is worth the hassle!
4) Practice phone safety—lock down your SIM with your mobile phone carrier!
Using SMS for 2FA makes you a vulnerable target for SIM porting attacks.
SIM porting is when an attacker calls up your mobile phone provider pretending to be you, and convinces them to port (transfer) your phone’s SIM into a new device, giving them control of any accounts that use SMS 2FA. You can read more about the dangers of phone porting attacks here and here.
Locking down your phone with your carrier isn’t guaranteed to be foolproof, but it’s definitely a good security precaution. It’s best to never use SMS for anything related to your account credentials, but there are sometimes cases where you can’t avoid it (e.g., apps like Uber or Lyft).
To lock down your SIM, contact your mobile phone carrier. Ask them to NEVER make changes to your phone number/SIM unless you physically show up to a specific store with at minimum two forms of identification. This (should) prevent hackers from calling up AT&T or T-Mobile, claiming to be you, and asking them to port your phone number to a new phone.
5) Never store funds on an exchange or online wallet. Use multisig or at least a hardware wallet.
You should never store your cryptocurrency on an exchange or online wallet, and never keep significant funds on a mobile or web hot wallet. Exchanges get hacked, and online hot wallets are similarly vulnerable to digital attack.
Hardware wallets like Trezor, Ledger, or ColdCard keep your private key safely stored in a resilient and portable hardware device that never connects directly to the internet. The downside of using a single device is the added responsibility of protecting a paper seed phrase in addition to a device.
If you’re not yet using seedless multisig like Casa Keymaster, read on for seed phrase storage best practices.
6) If you’re not using seedless multisig, store backup seed phrases carefully.
Never store your seed phrase digitally. Seed phrases are intended to be stored on the paper card included with hardware wallets! That means never type it up, store it online, or take a photo of the card.
Write the phrase down on paper, seal it in a tamper proof bag, and store it in a safe. You always have the option of storing multiple copies or pieces of your seed in different locations. But keep in mind that the more you replicate or split up your seed phrase, the more attack vectors you’re creating.
7) Be careful sharing your home address.
This one is a little more advanced, but worth putting into practice for certain types of products.
Be careful about using your real home address online for delivery purposes. Data breaches are now a daily occurrence, and many breaches include customer names and addresses. Your physical address is not as easily changeable as a phone number or email address, so be especially mindful about where you use it on the Internet.
If you’re ordering pizza with Lightning, order it for pickup instead of delivery. When online shopping, use a different (and publicly available) address for package delivery. Options here include your workplace or drop boxes at delivery service providers like FedEx and your local postal service.
Concluding note... “I never thought it would happen to me!”
If you can put all 7 of these tips into place—fantastic! You’re protected against the most common security vulnerabilities bitcoin holders face.
The last thing I want to stress is mindset. I’m willing to bet the #1 thing preventing average cryptocurrency holders from putting these tips to action is the “it will never happen to me!” mindset.
DO NOT fall into this trap. It’s very easy for the mind to rationalize that there are always people more visible than you, with more crypto than you, and a much more attractive target for attackers. Many of the victims of hacking that we hear from knew what basic precautions to put in place, but didn’t prioritize activating these precautions because they didn’t think they were “important enough” to be at risk.
Lack of OpSec knowledge is an easy thing to fix, but "it won't happen to me" mindset is the riskiest vulnerability of all.
If protecting your privacy while securing your bitcoin sounds appealing to you, we’d love to have you as a Casa member.
Email firstname.lastname@example.org with any questions or to schedule a free demo of our 3-of-5 multisig.