Security Tips for Crypto Newbies

[Hodor]

While the topic of security isn't specific to XRP, I felt it would be a good idea before our next massive rally to bring up the topic of security - in general, but especially for crypto traders and owners. 

My latest blog is a collaborative effort with Ray Watson, an XRP fan and noted Infosec researcher, lecturer and expert. 

Hope you enjoy - please leave any feedback below, and feel free to share with a friend or on any other platform.  For those of you that share my blog with a friend or republish on another platform - thank you! 

Twitter

 

[pucksterpete]

I'm just going to send you all my crypto, you Hodl it for me, okay?    

[Guest]

Thanks, Hodor. 

[pucksterpete]

Here for you noobs out there, my little experience with a hack put on me, a letter to the Exodus Wallet Team

Quote

Hello,

I am writing this to you today, to make you aware of a 11,000.00€ BTC (0.7btc) theft that has happened to me.

https://blockchain.info/tree/302205017

Follow the tree out and you can see how much was stolen from others.

I have been storing my BTC and some other coins in your Exodus Wallet.

Back in November 2017 I exported my private keys to the Coinami wallet so I could get the free air drops of BTG.  All went smooth, so I thought.

Since November I have been still using Exodus for my BTC and the balance has been updating with the price increase in BTC.

The other day I went to exchange BTC to BCH, and I was getting an error that prevented me from doing the transaction.  Within Exodus from the help menu, it told me to refresh the BTC wallet, so I did and to my surprise the balance was 0 BTC

I felt sick!!!

I would have thought the Exodus app would automatically update each wallets assets everytime I ran the app.  
Would this be correct?

Now, I know that I should have transferred my BTC to a different address before I imported the old keys into coinami.  That part I failed to do.

I can't think how the thief got my private keys.  It wasn't until 5 days later after I did the sweep into coinami that the thief transferred the BTC out.

But, I was always under the impression that my coin balance in Exodus was correct, but in fact it wasn't.

I hope this gets fixed in Exodus, because I really like the interface for Exodus and the other supported coins.

I was referred by a user on the Eden slack channel by the name as 'Fanatid' to contact you and 
he also recommended that my story get put into the investigate list for stats.  Not sure how that can be done.

Anyways, live and learn in this wild west of crypto.

Thanks for your time and have a Great holiday

Pete

 

Edited April 23, 2018 by pucksterpete

[pucksterpete]

Here is the response I got back

Quote

Hi Pete, Wow, I'm incredibly sorry to hear that, man. I've had some coins stolen from me before... not a good feeling. Perhaps it wasn't on your scale, but still I understand what you're experiencing. It's that sudden stomach drop =(

Yes, unfortunately any time you export your private keys, even just briefly, there is always a risk of the keys being leaked. All it would take is a small piece of malware running on your computer that looks for files containing private key strings and sends them somewhere. 

While Coinomi is a trustworthy and open-source wallet, here are some ideas for how we could explain this:
- Did you text/email the private keys to yourself to get them on your phone for access via coinomi?
- Did you share the private keys via a QR code? 
- If not, how did you get the private keys onto your phone? 
- Also, did you leave your exported private keys on your phone or computer once you finished the claim process?

I realize there’s nothing I can say that could console you right now, so the only thing left to do is secure your wallet from future attacks.

Moving forward, the first thing you should do is move any remaining assets out of your Exodus wallet, so we can safely delete it and create a fresh, secure one. Your current wallet is compromised - Whoever took your funds could do this again if you send more into your current BTC wallet. To ensure the safety of whatever funds you still have, we are going to delete your wallet and create a new one, which the attacker won't have access to.

The simplest option here is to install Exodus on a different computer, and send any remaining assets there for the meantime. You could also try sending your coins to an account you hold with an exchange, such as GDAX or Kraken, or a web-wallet. 

Once your compromised wallet shows a 0 balance, you can safely delete it and create a new wallet using the process outlined here:

http://support.exodus.io/article/80-how-do-i-delete-my-wallet-and-start-over

Now, when you re-open Exodus you'll have a freshly generated wallet. Just send your coins back to this new wallet and you're good to go. If you borrowed someone else's computer to install Exodus for your 'middle-man' wallet, make sure to delete that installation and it's Exodus data folder, just for privacy's sake.

Again, I'm terribly sorry that this happened to you. It would certainly be nice if Exodus maintained a constant background refresh, but the way our insight servers work wouldn't let this function properly; If it did, it would mean BTC would be unavailable to send in the wallet for several minutes after opening, which is bad news for user experience. Perhaps a toggle switch to enable such a feature would be nice, I would absolutely opt in to that. 

Thanks so much for your insight here, and let me know if you run into any trouble securing your wallet again! I'm more than willing to help if you need anything else.

Yours, sincerely,
Konnor K

 

[SGoldstein]

"Hold it all!! Hold it all!! Hold i' all.... Hold i' all..... Hold all... Hold all... Hodall... Hodall.. Hodor... Hodor..." 

Been lurking for too long on your very in depth analyses, extra information, detailed explanations and very interesting opinions. Passionate as fuck!!! Pardon the vulgar expression but not pardon at all actually.

Keep going. 

[Zedy44]

I really enjoyed that embedded video.  Neat stuff and as usual a good reminder how technology opens as many holes as it plugs depending on who is looking to do what with the tech.

[xrphilosophy]

Good reminders -even for the initiated.

[Hodor]

9 minutes ago, xrphilosophy said:

Good reminders -even for the initiated.

Even astute, smart traders can benefit from tightening up their security. 

That second video from the Ted Talk always scares me - it's a demonstration of just what is possible by hackers. 

[mistatee2000]

All that said, I suppose the kid in me still liked the tech that could identify a mosquito in the air and lazer it out of the sky. Now that brings benefits in many ways without dwelling too much on the doom and gloom. Thanks again for a great contribution on many levels.

[Nooner]

Long time lurker here. I never post, but I always enjoy these articles by Hodor, and good productive discussion.

On a somewhat related note:

I bought some XRP several years ago based on my frustration with sending funds overseas. I forgot about it. I never told my wife & kids I had it. It occurred to me last December during the big run up, that if anything unfortunate were to happen to me, none of my family would know what I(they) had. None of them knew anything about cryptos, and if they were to find my Ledger Nano - they might have just thrown it away.

There was a younger guy on another forum that I frequent who was considering buying Bitcoin back when it was under $1,000. He disappeared from the forum for a few months, and another member found out that he was tragically killed in an accident. We have no idea if he ever made the purchase, but can you imagine if he did and never told his family about it? That may be more horrific than having it stolen.

You have to take secure measures to protect yourself, however, you also have to be sure that someone you can trust has some idea of what you have and how to access it. I spent some time with my college-aged sons over the Christmas break explaining the world of cryptos, wallets, exchanges, 2FA, etc. I also documented some steps for them in the event that they had to access my cryptos. Most importantly, I gave them the phone numbers of a few other trusted friends in the crypto world that they could call if they needed help navigating the crypto-waters. 

That's my 2 zerps.

[Guest]

2 hours ago, Hodor said:

Even astute, smart traders can benefit from tightening up their security.

The distributed exchange on the XRP ledger allows you to place limit orders from a cold wallet. Can any of the better-known exchanges do this? Not that I'm aware of.

[crypto2libertas]

cold wallet and only cold wallet is the way. 

[WhentheBoat_ComesIn]

“Our prime purpose in this life is to help others. And if you can't help them, at least don't hurt them.”
― Dalai Lama XIV

I take my hat off to you sir!