Today you'll find a somewhat unusual essay: I deviate from my usual advice to store your cryptocurrency in an air-gapped self-custodial, paper, or cold wallet and instead focus on the security of the exchange (CEX) or exchanger mobile application!
Only useful advice is provided in this post! Let's get started!
Use a separate, clean device! Never install anything non-essential on it, keep it updated, and do not use it for chatting or browsing!
Choose a reliable phone for yourself! Read my article on the subject!
Learn about 2FA (and 3FA!), turn it on in the exchange, and also turn on limits and SMS alerts. Ideally, you should be able to set up everything else by yourself according to guides from the security blogs of any of the major crypto exchanges, but what I listed at the beginning is something that everyone needs to know!
If you see suspicious password activity or failed log-ins on any of your accounts, change all of your passwords, starting with sensitive and authorization accounts, such as your primary email and bank/crypto accounts!
In other words, protect your email, 2FA token, SIM card and internet connection! Study threat modeling!
Everyone's situation is different, but you can protect yourself from SIM swapping! Ask your carrier to NEVER make changes to your phone number/SIM unless you physically show up at a specific store with at minimum two forms of identification.
This (should) prevent hackers from calling up AT&T, T-Mobile or Vodafone, claiming to be you, and asking them to port your phone number to a new phone. This is a standard that has been tested with telecommunications operators in the US, the UK, Poland, and China; also check out this tweet and this article.
You just need to insist on it or visit the head office, and I'm sure the support manager on the phone may not know about it!
Never link phone numbers to crypto platforms. If you have to link a phone, use multiple trusted eSIMs. To lock down your SIM, contact your mobile phone carrier.
As a 2FA app I advise choosing Aegis; the phone operator is at your discretion. Aegis Authenticator is open source (licensed under GPL v3) and the source code can be found here.
The issue with Authy is that it depends on a phone number, which can be changed through an email request, allowing anyone access to your HOTP/TOTP codes after an approximately 4-day waiting period. To avoid that, disable the multi-device function in Authy's settings!
For 2FA one can use KeePass + YubiKey as well. KeePass allows setting up TOTP on any entry in your .kdbx file. A YubiKey can be used in combination with KeePass to add a bit of entropy on each re-encryption when adding an entry to your database file: Ref No.1; Ref No.2; Ref No.3.
Somewhere along the line, the 'stop writing passwords on sticky notes' narrative got misinterpreted as 'never write them down'. There's nuance to it!
For the highest level of privacy, always generate complex passwords and write them down in a notebook. It takes time but saves headaches.
Don't forget that the VDS/RDP + VM combination can replace all of this, but it is not available to everyone. If you know how to do it correctly, choose this way. Check out this article as well.
Don't use a 3rd-party VPN; rent a VPS and bootstrap an open source VPN server!
Unfortunately you cannot protect yourself from SS7 attacks (this old technology is still used in many places, e.g. LTE).
Unless you move to Germany, where you can become a telco, issue your own SIM card and monitor your own SS7 gateway. That's probably not the way for everyone.
You also cannot protect yourself from IMSI catchers unless you prohibit your phone from using 3G and 2G in the settings. And even then, such devices for 4G are already being sold on black markets.
It is important to remember that you can be scammed on the exchanges. Do not click on links from chat dialogues; in case of any suspicion, report them to support.
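"Generate complex passwords" means drawing them from a cryptographically secure random source, not typing something that looks random. The following added example (mine, not from this post) shows how to do that in Python with the `secrets` module, how to produce a Diceware-style passphrase that is easier to copy into a notebook without transcription errors, and how to compute the entropy of what you generated so you can judge whether it is worth writing down. The eight-word list is constructed for the demo; a real list such as the EFF large wordlist has 7776 words, and the entropy function shows the difference.

```python
import math
import secrets
import string
from typing import List

# Character classes a generated password must cover; together they form a 94-symbol alphabet.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)

# Constructed toy wordlist for the demo; use a published list (e.g. EFF's 7776 words) in practice.
DEMO_WORDS = ["anchor", "basalt", "cinder", "dune", "ember", "fjord", "glacier", "harbor"]


def generate_password(length: int = 20) -> str:
    """Uniformly random password from the OS CSPRNG, re-drawn until every class is present."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def generate_passphrase(words: List[str], count: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: `count` words chosen independently and uniformly with the CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, round(entropy_bits(20, len(ALPHABET)), 1), "bits")          # ~131.1 bits
    pp = generate_passphrase(DEMO_WORDS, 6)
    print(pp, round(entropy_bits(6, len(DEMO_WORDS)), 1), "bits")         # 18.0 bits (toy list)
    print("EFF list, 6 words:", round(entropy_bits(6, 7776), 1), "bits")  # ~77.5 bits
```

The point of the entropy calculation is that the strength comes from the size of the space the generator samples from, not from how complicated the result looks: six words from a tiny list are weak no matter how "random" they appear, while twenty characters from a 94-symbol alphabet exceed the 128-bit level that makes offline guessing irrelevant. Never use Python's `random` module for this; it is not designed to be unpredictable.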
Protect your Wi-Fi as well!
Think about what hackers might learn about your interest in cryptocurrency from leaks or through other methods…
Think ahead: don't use your phone or email anywhere except the exchange!
I don’t have as much money as the fictional character in our essay, but your support helps me to exist 🙂
If you want to support my work, you can send me a donation to the address:
4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds — Monero XMR