The many possibilities of crypto aren’t worth much if your funds aren’t secure — and nowhere is that truer than in the case of Ethereum.
On November 7th of last year, just as many were learning about Ethereum and creating ether wallets for the first time, a user discovered a bug in the widely popular Parity wallet that indefinitely froze the funds in all of their multi-sig wallets. An error in Parity’s smart contracts left its multi-sig users — those who were trying to get the most security available — with no way to access their own funds.
More recently, on April 24, 2018, $150,000 USD of ETH vanished from the ether wallets of users on MyEtherWallet.com. In an elaborate phishing scam that involved hijacking services from Amazon, Google, and major ISPs, hackers quietly redirected traffic from the wallet provider’s URL in order to capture people’s account information when they entered it on the site — at which point their ETH was automatically transferred to the hackers’ wallet.
Ethereum is poised to revolutionize everything from fine-art ownership to early-stage startup funding, but its security norms haven’t quite caught up yet: even though the protocol itself is fairly secure, it’s very easy to get scammed out of your ETH if you don’t know how to properly secure your ether wallet.
If you own ETH, take 10 minutes today to make sure you’re following these best practices for storing and spending them. It might not seem like a priority now — but it’ll probably never feel like a priority until after you’ve lost all your ETH.
Choose your ether wallet carefully
Your choice of ether wallet isn’t like the difference between a leather and mesh wallet for your cash: different kinds of wallets are ideal for different ways of using ether, and a disreputable wallet is the crypto equivalent of a cash wallet with a giant hole in it.
- For ether you’re holding but not actively using, use a security-audited hardware wallet like Ledger Nano S or Trezor. It takes longer to send ether to and from these wallets, but it’s hard to get more secure than them. Case in point: hardware wallet users were unaffected by the MyEtherWallet.com scam because hackers couldn’t remotely sign transactions on users’ hardware wallets.
- For ether you’re actively using for ICOs, token-trading, or DApps, use a reputable software wallet that allows you to make transactions quickly and safely. The current “gold standard” here is MetaMask, a Chrome extension that lets you create encrypted, client-side wallets for ether and ERC-20 tokens. MetaMask also allows you to use Chrome to transact with ether on websites that make use of the Ethereum blockchain, which is an added bonus if you want to start using the DApp ecosystem within a familiar browser.
Keep in mind that you’ll usually face a tradeoff between transaction speed and fund security. That’s why you should only place as much ETH in a software wallet as you’re willing to lose — put the rest in a reputable hardware wallet for safe-keeping.
Constantly check that your ether wallet is “the real thing”
Remember the ether theft from MyEtherWallet.com this April? Even though the hackers were able to redirect users to their fraudulent servers while still using the genuine MyEtherWallet.com URL, users were likely to see this notification during the phishing debacle:
Notice the indicator in Chrome, to the left of the URL, that the user’s connection to the site is not secure. Despite this warning, many users simply checked that they’d typed in the URL correctly, entered their ether wallet info, and watched their ETH disappear.
Virtually every method of cryptocurrency storage is being constantly bombarded by various attempts to steal your crypto. That doesn’t mean you should avoid crypto altogether: it means that you need to practice vigilance when it comes to storing and spending your crypto.
- Set up Google alerts for the names of every ether wallet you use. If you’re using reputable, major wallets, and a security issue arises with one of them, it’ll probably make the news — and Google alerts will email you that news immediately so that you know whether or not you can safely use your wallet.
- Subscribe to the subreddits of your ether wallets. Most major wallets have subreddits dedicated to discussing them and mentioning any issues that arise, complete with community managers who will usually respond directly to user submissions. Subscribing to these is one of the best ways to make sure you know your wallets are secure on any given day.
- Listen to your browser and pay attention to red flags. If your browser gives you a warning about a site’s security certificate, like the one above, do not log in or provide any information. Instead, reach out to the ether wallet’s support team — for example, through a submission to their subreddit — with details about your issue. These days, most ether theft is the result of users taking unnecessary risks by ignoring red flags.
- Look out for scams that trick you by ripping off reputable brand names. A little while ago, Google accidentally unlisted the real MetaMask extension from the Google Chrome app store. That led to a number of scammers listing extensions in the Google Chrome store named “MetaMask” — but if you downloaded one of these and started trying to transact with it, you would have quickly found your funds spirited away to scammers’ accounts. Before you start using an ether wallet, do your research: look at reviews and consult recent news about the wallet to make sure you don’t fall victim to a copycat scam.
In these early days of ether and crypto, due diligence is half the battle: make sure your ether wallets are up to the best security standards out there, and routinely check to make sure that they haven’t been compromised.
Add ETH to your ether wallet directly — not through smart contracts
There are basically two ways to get ether:
- Directly, through a service like SFOX.
- Indirectly, through smart contracts that promise ether in return for other assets like ERC-20 tokens.
Be sure to use direct methods when you’re acquiring your ETH. Smart contracts are markedly less secure than the Ethereum blockchain itself, and there have been cases in which smart contracts have been used to fake transactions that never actually occurred on the Ethereum blockchain.
This past March, for instance, VI Company discovered and reported a smart contract bug that allowed some wallet users to credit themselves with an arbitrary amount of ETH by making it look like a faulty wallet had transferred ETH to them. A similar kind of bug could conceivably allow someone to make it look like they paid you via a smart contract, without actually giving you any ETH at all—so it’s safer to avoid the risk and buy directly.
Lock down your ether wallet with strong passwords
A reputable ether wallet isn’t worth much if you don’t safeguard it with a strong password. These are the standards you should be using to make sure your ether is safe:
- Use a different password for every account. If someone learns one of your passwords, they get access to everything you use that password for.
- Make sure your password includes numbers, uppercase letters, lowercase letters, and symbols.
- Your passwords should be at least 40 characters long. That doesn’t mean they need to be impossible to remember: just think in terms of memorable passphrases rather than passwords. For example, instead of turning the words “babbling brook” into “B4bbl1ngBr00k!”, try adding numbers and symbols to “It’s fun to wash both of your hands and feet in a babbling brook”: “1tsFun2W4shB0th0fY0urH4nds&F33t1nAB4bbl1ngBr00k!”
If you’re worried about these password requirements being too hard to abide by, try a proven, security-audited password storage solution like Dashlane, 1Password, or LastPass. This will allow you to maintain strong and varied passwords without needing to keep them all in your working memory. To state the obvious: make sure your master password for your password storage tool is especially strong!
Add a second layer of security to your ether wallet with 2-factor authentication—but not with a text or phone call
Even a strong password is susceptible to attack, which is why it’s crucial to enable 2-factor authentication (2FA) on all your ether wallets.
Do not enable 2FA via text message or phone call. Scammers have recently started calling phone companies and pretending to be other people — “verifying” their identity using information that is often publicly available online — in order to fake 2FA and break into crypto accounts. Instead, consider one of these two much more secure methods of 2FA:
- Get a universal second factor (U2F). These are encrypted USB drives that you insert into your computer as a form of 2FA. The industry-standard U2F right now is Yubikey, which is available from $20 USD and up. Google has also just released its own U2F, Titan, which is available for $50 USD.
- Get a reputable authenticator app on your phone. Google Authenticator, for example, generates a 2FA code that changes every 30 seconds — and, unlike a text message code or phone call, cellular providers can’t provide a scammer with a code from an authenticator app installed on your phone.
With two layers of security on your accounts and your own due diligence about the ether wallet provider, your ether should be safe from many major scams.
Pay for an established VPN on all your devices
Doing all of the above would make you fairly safe from threats to your ether wallet — but it doesn’t hurt to take steps to reduce the number of threats you have to deal with in the first place.
The best way to do this is by paying for a widely known and well-reviewed virtual private network (VPN). This will encrypt your internet connection, even if you’re on public WiFi, adding another layer of protection between your ether and the many hackers who stalk public WiFi connections. Consider one of the following VPN providers:
- NordVPN, headquartered in Central America
- ExpressVPN, headquartered in the British Virgin Islands
- VyprVPN, headquartered in Switzerland
There are free VPNs available, but the consensus is that these are vastly inferior to paid options. If you’re committing serious capital to ether and other cryptocurrencies, this kind of security isn’t the place where you want to skimp.
Use Web 3.0 safely
Since many like to consider Ethereum “Web 3.0,” consider this: nowadays, computers and web browsers come with a decent amount of built-in security measures to keep you safe when you use the web. Eventually, Ethereum will probably be this user-friendly, too, but it’s not there yet. While it’s exciting to be part of the Ethereum ecosystem in its first few years of existence, you should be ready and willing to take responsibility for keeping your ether wallet secure.
Take 10 minutes today and check off everything on this list — the next time a major ether theft happens, you might be glad that you did!
References in this article to products and services are not intended as endorsements. Always do your own research before deciding on any security provider for your cryptocurrencies and other assets.
The above references an opinion and is for informational purposes only. It is not intended as and does not constitute investment advice, and is not an offer to buy or sell or a solicitation of an offer to buy or sell any cryptocurrency, security, product, service or investment. Seek a duly licensed professional for investment advice. The information provided here or in any communication containing a link to this site is not intended for distribution to, or use by, any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation or which would subject SFOX, Inc. or its affiliates to any registration requirement within such jurisdiction or country. Neither the information, nor any opinion contained in this site constitutes a solicitation or offer by SFOX, Inc. or its affiliates to buy or sell any cryptocurrencies, securities, futures, options or other financial instruments or provide any investment advice or service.