Protecting Yourself and Your Funds
1. Get yourself a Ledger or TREZOR Hardware wallet.
One of the safest & easiest ways to store your ETH, Tokens, ETC, BTC, and many other coins is via a Ledger Nano S or TREZOR. Both are hardware wallets. Both work with MyCrypto.com. And both cost less $100 ( < 0.1 ETH ).
2. Bookmark your crypto sites.
- Use those bookmarks and only those.
3. Install EAL or MetaMask or Cryptonite by Metacert to warn you if you go to a malicious website.
5. Do not trust messages or addresses or URLs sent via private message. Always verify information w/ a secondary source.
- Don’t click any link regarding anything crypto, money, banking, or a service like Dropbox / Google Drive / Gmail in any email ever.
- And if the scammy clickbait was simply too irresistible for you, don’t enter any information on the page.
- Never enter your private keys, passwords, sensitive data on a website that you were sent via message
6. Turn on 2FA for everything.
- Go do it. Right now. Quit your excuses. Choose Google Authenticator over Authy. Don't use your phone number. Then, make sure your phone number is NOT tied to your Google account (look in privacy settings). Turns out, you and your BFF Mr. Hacker can "recover" access to your account via that number, completely destroying the point of 2FA.
- PS: MyCrypto is client-side, meaning 2FA won't do anything in our case. 2FA is for ensuring the security of your password on a server.
- PSS: Don't forget to cold-storage your backup words for these 2FA things. It's a huge pain when your phone goes for a swim and your entire life is 2FA'd. ?
7. For Token Sales: do not trust any address except the one posted on the official site.
- Bookmark the URL before the sale, get the address from the URL from your bookmark at time of purchase. Do not trust any other source (especially a random bot on Slack). PS: When are token sales going to start using ENS names?
8. Double check the URL & Triple check Github URLs.
- Check it. Then, check it again right before entering any information. This is especially important for any sites that require usernames, passwords, email addresses, private keys, and any other personal information. SSL certs do not mean a site is trustworthy, just that they bought an SSL cert. Not sure about the correct URL? Cross reference Reddit, Twitter, Github, Slack and wherever else the project hangs out.
- Github URLs are much easier to fake and much easier to miss. Instead of downloading from that random URL on reddit, seek out the URL on your own. Following the developers of these repos on Twitter, friending them on reddit (lol...but seriously it's nice because their name will be orange), or starring said repos on Github helps.
9. Always verify that the site you landed on is legit.
- Especially if you are about to entire your private key or download an application. What is legit? A service that people have used for a decent period of time with good results. If the URL has been registered in the last week or the site "just launched", err on the side of caution and avoid it for a while.
9b. Always verify that the Twitter account is legit (look for the blue checkmark!)
- Be aware that even a blue checkmark can be misleading. More and more verified Twitter accounts (with the blue checkmark) get hijacked by bad actors, and get their name and profile picture changed to make them look legit. Double check that you're viewing the correct Twitter account.
10. Google the service name + "scam" or "reviews"
- Scam sites rarely last long. Value real comments by real people over a random blog. Value a collection of information over a single source. Understand that legit services will likely have a mix of positive and negative reviews over a long period of time. Scam sites typically have no one talking about them, everyone yelling about how they got robbed, or the most perfect reviews ever. The latter one is just as red of a flag as the first one.
11. Don't ever run remote-access software (e.g. TeamViewer)
- Don't ever...but especially not on a computer with keys on them. The number of security holes in these programs is atrocious. You 2FA your entire life, but then let a single string of characters give someone access to your entire computer & every account. ?
12. Install an adblocker that actually turns off Google/Bing Ads.
- I recommend going with uBlock Origin. If you are already using Adblock Plus, it does not hide Google Ads from you. Go into your Adblock Plus settings and uncheck the box that says “Allow some non-intrusive advertising”.
13. Don’t click on advertisements.
- With or without an adblocker, you should never, ever click on advertisements.
14. If you have accidentally visited or typed a malicious site, clean out your recent history and autocomplete.
- This will prevent you from typing kra… and having it autocomplete to the malicious krakken.com.
15. No one is giving you free or discounted ETH.
- Even for completing a survey. ;)
16. The guys who just finish their token sale don't want to sell you tokens via Slack DM.
- Neither does that smokin' hot 125px x 125px avatar.
17. Don't use brain wallets
- Brain wallets are wallets where the key is derived from a word or phrase you choose. Human brains don't have the ability to create high-entropy seeds. Using a phrase that you make up, even if it seems "rare" or "random" is not as secure as using MyCrypto's randomness and these phrases can be brute forced by the millions. Read more. And more.
18. ONLY unlock your wallet when you want to send a transaction. Check your balance via https://etherscan.io/, https://ethplorer.io/
19. Lastly: use your brain
- Think for a moment. Don't assume, ask. Don't blindly follow, question. If something doesn't seem right...if you feel like the luckiest fucker on Earth...or if you find yourself asking, "I wonder why I haven't seen this on reddit yet", there is likely a reason.