The Chainalysis 2022 crypto crime report notes that illicit activity’s share of cryptocurrency transaction volume has never been lower – but the report authors also acknowledge that illicit addresses received $14bn over the course of last year, almost double the $7.8bn stolen in 2020.
A significant chunk of crypto theft is from holders’ wallets. So what security features should digital asset holders look for when selecting a wallet to store their BTC or ETH?
Dave Bitcoin is the pseudonymous co-founder of Wallet Recovery Services, which helps people recover access to password-protected wallets.
He says best practice is to use a seed phrase-based wallet with a good reputation and write the phrase down and store it in a safety deposit box or similar.
“It would be best to never save the seed on a computer or phone that has an internet connection as it would be susceptible to being hacked and stolen,” he adds.
Securing your password
“For an extra level of security, one can also attach a passphrase to the seed words so that the wallet can only be restored if both are known.”
Dave Bitcoin recommends hardware seed phrase wallets such as Ledger and Coldcard, but acknowledges that they could be overkill for the casual crypto investor.
“Good options for software wallets include Exodus, Coinbase, and Atomic,” he says. “They support many different coins and have desktop and mobile apps and also use a seed phrase for backup.”
When choosing a custodial or software wallet, crypto holders should make sure two-factor authentication or 2FA is provided as standard.
Using 2FA provides an additional layer of security to online accounts by adding a second ‘factor’ to the login process, such as a numerical code sent to a device via email or text.
Generally speaking, the more factors presented to authenticate an account the harder it is to compromise.
Using a cold wallet
“For greater security, some platforms encourage users to set up separate passwords for login and transfers,” says Peter Kovac, senior researcher at cybersecurity software company Avast.
“If a user decides to enable this feature, it is really important they follow good password or passphrase management and ensure the two are not the same.”
Another consideration is opting for a cold wallet instead of a custodial or software wallet.
Cold wallets are physical devices – like a USB stick – that store the private keys for the cryptocurrencies purchased.
They are designed to prevent hacking and come with a recovery sheet and a private key on a piece of paper, although as with any physical device losing the device is a risk.
Cyril Noel-Tagoe is principal security researcher at Netacea, which has developed a business logic attack definition framework to define how wallet attacks are carried out.
He points out that multi-factor authentication should preferably allow use of hardware security keys or authenticator apps, which are more secure than SMS-based multi-factor authentication.
“People can also look for wallets which allow multi-signature transactions,” he says. “This provides additional security by requiring multiple keys – distributed across different wallets – to authorise a transaction.”
Holders of coins like ADA or Shiba Inu (SHIB) should look for a resilient platform and assess whether it has relevant certifications such as ISO 27001.
This will give a good overall indication of whether the platform is reliable and transparent and if it takes security sufficiently seriously to get certified, says Aaron Mulgrew, senior solutions architect at cybersecurity specialist Forcepoint.
Holding assets offline is important
He adds that it makes sense for long-term traders to hold their assets offline as this is much more secure than keeping coins on the live exchange where they are accessible to more people.
Kostiantyn Oleshko, product owner at cybersecurity ranking and certification platform CER.live, suggests the following checklist:
Presence of security audit
Absence of security incidents
Presence of a bug bounty programme
Customisable mnemonic length – 12/18/24 words
The need for a user to re-enter the mnemonic phrase after writing it down
Hierarchical deterministic feature for address generation
Support for WalletConnect feature for DeFi services
Requirement for the password to contain at least one uppercase letter, one lowercase letter, and one digit and be more than eight symbols in length
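The "hierarchical deterministic" item in the checklist refers to wallets that derive every address from the single backed-up seed, so one written-down mnemonic restores the whole wallet. The following is an added example, not code from CER.live or from any wallet, showing the core of that scheme as specified in BIP32: the master key is derived from the seed with HMAC-SHA512, and each hardened child key is derived from its parent. Only hardened derivation is shown because it needs no elliptic-curve point arithmetic; the seed is the first BIP32 test vector's seed, used as a constructed input.

```python
import hashlib
import hmac

# Order of the secp256k1 group; a valid private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED_OFFSET = 0x80000000  # indices at or above 2^31 are hardened

# Constructed demo input: the 16-byte seed from BIP32 test vector 1.
# A real wallet derives this seed from the user's mnemonic (BIP39).
DEMO_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with 'Bitcoin seed' over the seed.
    Left half is the master private key, right half the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(digest[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key; BIP32 says choose another seed")
    return digest[:32], digest[32:]


def derive_hardened_child(k_par: bytes, c_par: bytes, index: int) -> tuple[bytes, bytes]:
    """Hardened child of a private node (BIP32 CKDpriv, index >= 2^31).
    The parent *private* key goes into the HMAC, so a leaked child key plus
    chain code cannot be used to recover the parent or its siblings."""
    if index < HARDENED_OFFSET:
        raise ValueError("non-hardened derivation needs secp256k1 point math; not shown here")
    data = b"\x00" + k_par + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    k_child = (il + int.from_bytes(k_par, "big")) % SECP256K1_N
    if il >= SECP256K1_N or k_child == 0:
        # Astronomically unlikely; the spec says the index is invalid and to move on.
        raise ValueError("invalid child at this index; BIP32 says proceed with index + 1")
    return k_child.to_bytes(32, "big"), digest[32:]


def derive_path(seed: bytes, path: str) -> tuple[bytes, bytes]:
    """Walk a derivation path such as m/44'/0'/0' (hardened components only)
    from the seed down to the requested node."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with 'm'")
    k, c = master_key(seed)
    for part in parts[1:]:
        if not part.endswith("'"):
            raise ValueError(f"component {part!r} is not hardened")
        k, c = derive_hardened_child(k, c, int(part[:-1]) + HARDENED_OFFSET)
    return k, c


if __name__ == "__main__":
    account_key, account_chain = derive_path(DEMO_SEED, "m/44'/0'/0'")
    print("account private key:", account_key.hex())
    print("account chain code: ", account_chain.hex())
```

The point for a wallet user is that the entire tree is a pure function of the seed: the mnemonic written on the recovery sheet is the backup, and anyone who obtains it obtains every key below it, which is why the checklist insists on a mnemonic that is confirmed on paper rather than stored on a connected device.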
According to Dave Bitcoin, choosing a hardware wallet is an option for reducing risk.
A software wallet leaves open the possibility that someone finds a bug in that software and exploits it, for example by introducing malware onto the crypto holder’s desktop or phone, to steal the seed words saved in the wallet app and with them the funds.
Anyone who has a software wallet on a device should be mindful of other apps they install or websites they visit on that device.
“Operating systems have become better at sandboxing apps so one malicious app cannot steal data from another, but there is always a chance of someone discovering a bug and exploiting it,” he says.
“Wallet owners should be alert to phishing attempts, especially when asking for help in an online community.”
Beware of strangers
“I am contacted frequently by people who say they asked a question in a Telegram or WhatsApp group and someone who offered to help them ended up being a scammer who stole their BTC or their ETH.”
Kovac agrees that it is important to get clued up on social engineering attacks, particularly on mobile devices as hackers are increasingly targeting these devices in order to steal crypto credentials.
These kinds of attacks can emanate from unsolicited messages over text or from social media, email and third-party messaging services.
“Generally speaking, if you receive a crypto-related message that uses an overdramatic sense of urgency, appears too good to be true, includes spelling and grammatical errors, and/or has been sent from an unrecognisable source, there is a high chance that it is a scam,” he says.
Phishing attacks become more ‘sophisticated’
“However, phishing is becoming more targeted and sophisticated making it harder to spot.”
Another logical step for crypto wallet holders to take would be to avoid unwarranted attention by posting content on social media that may give an attacker an upper hand to socially engineer them – such as details of what platform they use and/or screenshots of their holdings.
In addition to enabling security features such as multi-factor authentication, crypto wallet holders should use strong, unique passwords for each of their wallets.
A final tip would be to look at spreading your assets across multiple providers and wallets, says Mulgrew. “If the worst happens and the infrastructure provider is hacked, then at least not all of your assets have been stolen,” he says.