1. Get Yourself a Hardware Wallet.
One of the safest and easiest ways to store your ETH, Tokens, ETC, BTC, and many other coins is via a Ledger Nano S or Trezor. Both are hardware wallets. Both work with MyCrypto.com and both cost less than \$100.
If you don't want one of these nifty devices, use cold storage for a majority of your savings. Please. Pretty please.
2. Bookmark Your Crypto Sites.
Use those bookmarks and only those. Don't type in the addresses by hand.
3. Install EAL or MetaMask.
5. Do Not Trust Random URLs.
Do not trust communications, addresses, or URLs sent via private message. Always verify information with a secondary source.
- Don’t click any link related to anything crypto, money, banking, or services like Dropbox / Google Drive / Gmail in any email ever.
- And if the scammy clickbait was simply too irresistible for you, don’t enter any information on the page.
- Never enter your private keys, passwords, or sensitive data on a website that you were sent via message.
6. Turn on 2FA for Everything.
- Go do it. Right now. Quit your excuses. Choose Google Authenticator over Authy. Don't use your phone number. Then, make sure your phone number is NOT tied to your Google account (look in privacy settings). Turns out, you and your BFF Mr. Hacker can "recover" access to your account via that number, completely destroying the point of 2FA.
- PS: MyCrypto is client-side, meaning 2FA won't do anything in our case. 2FA is for ensuring the security of your password on a server.
- PSS: Don't forget to cold store your backup words for these 2FA things. It's a huge pain when your phone goes for a swim and your entire life is 2FA'd.
7. For Token sales:
Do not trust any address except the one posted on the official site.
- Bookmark the URL before the sale. Get the address of the URL from your bookmark at time of purchase. Do not trust any other source (especially a bot on Slack). PS: When are token sales going to start using ENS names?
8. Double-Check the URL and Triple-Check GitHub URLs
- Check it. Then, check it again right before entering any information. This is especially important for any sites that require usernames, passwords, email addresses, private keys, or any other personal information. SSL certs do not mean a site is trustworthy, just that they bought an SSL cert. Not sure about the correct URL? Cross-reference Reddit, Twitter, GitHub, Slack and wherever else the project hangs out.
- GitHub URLs are much easier to fake and much easier to miss. Instead of downloading from that unverified URL on Reddit, seek out the URL on your own. Following the developers of these repos on Twitter, friending them on Reddit (lol ... but seriously it's nice because their name will be orange), or starring said repos on GitHub helps.
9. Always Verify that the Site You Landed on Is Legit.
- Especially if you are about to enter your private key or download an application. What is legit? A service that people have used for a decent period of time with good results. If the URL has been registered in the last week or the site "just launched," err on the side of caution and avoid it for a while.
10. Google the Service Name + "Scam" or "reviews."
- Scam sites rarely last long. Value real comments by real people over a random blog. Value a collection of information over a single source. Understand that legit services will likely have a mix of positive and negative reviews over a long period of time. Scam sites typically have either no one talking about them at all, a lot of yelling about how people got robbed, or the most perfect reviews ever. The latter one is just as much of a red flag as the first one.
11. Don't Run Remote-Access Software (e.g., TeamViewer).
- Don't ever ... but especially not on a computer with keys on them. The number of security holes in these programs is atrocious. It would be a shame if you enabled 2FA on everything in your life but then let a single string of characters give someone access to your entire computer and every account.
12. Don't Use Brain Wallets.
- Brain wallets are wallets where the key is derived from a word or phrase you choose. Human brains don't have the ability to create high-entropy seeds. Using a phrase that you make up, even if it seems "rare" or "random" is not as secure as using MyCrypto's randomness, and these phrases can be brute-forced by the millions. Read more. And more.
13. Install a Good Adblocker.
Install an adblocker that actually turns off Google and Bing ads.
- We recommend going with uBlock Origin. If you are already using Adblock Plus, it does not hide Google Ads from you. Go into your Adblock Plus settings and uncheck the box that says “Allow some non-intrusive advertising.”
14. Don’t Click on Advertisements.
- With or without an adblocker, you should never, ever click on advertisements.
15. Clean Out Your History.
If you have accidentally visited or typed a malicious site, clean out your recent history and autocomplete.
- This will prevent you from typing kra… and having it autocomplete to the malicious krakken.com.
16. No One Is Giving You Free or Discounted ETH.
- Even for completing a survey. ;)
17. Don't Trust Slack DMs.
The guys who just finished their token sale don't want to sell you tokens via Slack DM.
- Neither does that smokin' hot 125px x 125px avatar.
18. Don't Unlock Your Account to Check Your Balance.
19. Lastly: Use Your Brain.
- Think for a moment. Don't assume—ask. Don't blindly follow—question. If something doesn't seem right, if you feel like the luckiest person on Earth, or if you find yourself pondering, "I wonder why I haven't seen this on Reddit yet," there is likely a reason.