
Playing defense: How to keep your crypto digital wallet safe

By Paul Golden

Edited by Aaron Woolner

04:50, 23 May 2022


The Chainalysis 2022 crypto crime report notes that illicit activity’s share of cryptocurrency transaction volume has never been lower – but the report authors also acknowledge that illicit addresses received $14bn over the course of last year, almost double the $7.8bn stolen in 2020.

A significant chunk of crypto theft is from holders’ wallets. So what security features should digital asset holders look for when selecting a wallet to store their BTC or ETH?


Dave Bitcoin is the pseudonymous co-founder of Wallet Recovery Services, which helps people recover access to password-protected wallets. 

He says best practice is to use a seed-phrase-based wallet with a good reputation, write the phrase down and store it in a safety deposit box or similar.

“It would be best to never save the seed on a computer or phone that has an internet connection as it would be susceptible to being hacked and stolen,” he adds.

Securing your password

“For an extra level of security, one can also attach a passphrase to the seed words so that the wallet can only be restored if both are known.”
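The passphrase Dave Bitcoin describes is the optional BIP39 passphrase: the words and the passphrase are stretched together into the wallet seed, so neither one alone recovers the funds. The following is an added example written for this article, not code from the article or from any wallet vendor it names; it implements the BIP39 seed step and the BIP32 master-key step that hierarchical deterministic wallets build on, using the published BIP39 reference mnemonic and the passphrase "TREZOR" from its test vectors as demo input. Everything runs on the Python standard library.

```python
import hashlib
import hmac
import unicodedata

# Added example, not code from the article or from any wallet vendor it names.
# Implements the BIP39 seed-stretching step (mnemonic + optional passphrase)
# and the BIP32 master-key step that every hierarchical deterministic wallet
# builds on, so the effect of the passphrase can be observed directly.


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    password = NFKD(mnemonic), salt = "mnemonic" + NFKD(passphrase).
    The passphrase is never stored and cannot be checked: a wrong or missing
    passphrase silently yields a different, perfectly valid-looking wallet.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def master_key_from_seed(seed: bytes):
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed" over the seed.

    Left 32 bytes = master private key, right 32 bytes = chain code; every
    address the wallet later derives descends from this pair.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# First BIP39 reference test vector (entropy of sixteen zero bytes).
DEMO_MNEMONIC = ("abandon " * 11 + "about").strip()


def demo() -> dict:
    """Same 12 words, with and without a passphrase, give unrelated wallets."""
    seed_plain = mnemonic_to_seed(DEMO_MNEMONIC)
    seed_pass = mnemonic_to_seed(DEMO_MNEMONIC, "TREZOR")
    key_plain, _ = master_key_from_seed(seed_plain)
    key_pass, _ = master_key_from_seed(seed_pass)
    return {
        "seed_without_passphrase": seed_plain.hex(),
        "seed_with_passphrase": seed_pass.hex(),
        "master_keys_differ": key_plain != key_pass,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the passphrase is only an input to the key stretching, a wallet cannot tell the user it was mistyped; the consequence for a holder is that the passphrase needs the same offline backup discipline as the words themselves.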

Dave Bitcoin recommends hardware seed phrase wallets such as Ledger and Coldcard, but acknowledges that they could be overkill for the casual crypto investor.

“Good options for software wallets include Exodus, Coinbase, and Atomic,” he says. “They support many different coins and have desktop and mobile apps and also use a seed phrase for backup.” 

Exodus, for example, supports over 185 types of digital currencies, including solana (SOL) and dogecoin (DOGE).


When choosing a custodial or software wallet, crypto holders should make sure two-factor authentication, or 2FA, is provided as standard. 

Using 2FA provides an additional layer of security to online accounts by adding a second ‘factor’ to the login process, such as a numerical code sent to a device via email or text. 

Generally speaking, the more factors presented to authenticate an account the harder it is to compromise.

Using a cold wallet 

“For greater security, some platforms encourage users to set up separate passwords for login and transfers,” says Peter Kovac, senior researcher at cybersecurity software company Avast. 

“If a user decides to enable this feature, it is really important they follow good password or passphrase management and ensure the two are not the same.”

Another consideration is opting for a cold wallet instead of a custodial or software wallet. 

Cold wallets are physical devices – like a USB stick – that store the encryption keys for the cryptocurrencies purchased. 

They are designed to prevent hacking and come with a recovery sheet and a private key on a piece of paper, although, as with any physical device, losing it is a risk.

Multi-factor authentication

Cyril Noel-Tagoe is principal security researcher at Netacea, which has developed a business logic attack definition framework to define how wallet attacks are carried out. 

He points out that multi-factor authentication should preferably allow use of hardware security keys or authenticator apps, which are more secure than SMS-based multi-factor authentication. 

“People can also look for wallets which allow multi-signature transactions,” he says. “This provides additional security by requiring multiple keys – distributed across different wallets – to authorise a transaction.”
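To make the multi-signature idea concrete, here is an added example written for this article, not code from the article or from any wallet it names. Real multisig wallets use asymmetric signatures (ECDSA or Schnorr) from key pairs held on separate devices; this block substitutes HMAC-SHA256 with a per-signer key so it runs on the standard library alone, and the point it demonstrates is the m-of-n policy itself: which signatures count towards the threshold and which do not. The keys, address and transaction are constructed demo values.

```python
import hashlib
import hmac
import json

# Added example (not from the article). HMAC-SHA256 stands in for the
# asymmetric signatures a real multisig wallet uses; each co-signer's HMAC
# key plays the part of a signing key held in a separate wallet. The logic
# of interest is the m-of-n authorisation policy.


def canonical(tx: dict) -> bytes:
    """Deterministic serialisation so every signer signs identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def signer_id(key: bytes) -> str:
    """Identifier the policy lists for a co-signer (analogue of a public key hash)."""
    return hashlib.sha256(b"signer-id" + key).hexdigest()[:16]


def sign(key: bytes, tx: dict) -> bytes:
    """Toy 'signature' of a transaction with one co-signer's key."""
    return hmac.new(key, canonical(tx), hashlib.sha256).digest()


class MultisigPolicy:
    """m-of-n: at least `threshold` distinct authorised signers must sign."""

    def __init__(self, keys, threshold: int):
        if not 1 <= threshold <= len(keys):
            raise ValueError("threshold must be between 1 and the number of keys")
        self.keys = {signer_id(k): k for k in keys}
        self.threshold = threshold

    def authorise(self, tx: dict, signatures: dict) -> bool:
        """signatures maps signer_id -> signature bytes. A dict holds one entry
        per signer, so a single key can never be counted twice."""
        valid = 0
        for sid, sig in signatures.items():
            key = self.keys.get(sid)
            if key is None:
                continue  # not one of the n authorised keys: ignored, not counted
            if hmac.compare_digest(sign(key, tx), sig):
                valid += 1
        return valid >= self.threshold


# Constructed demo keys; in practice each lives in a different wallet or device.
KEY_LAPTOP = b"constructed-key-laptop"
KEY_HARDWARE = b"constructed-key-hardware"
KEY_BACKUP = b"constructed-key-backup"
POLICY = MultisigPolicy([KEY_LAPTOP, KEY_HARDWARE, KEY_BACKUP], threshold=2)
TX = {"to": "constructed-destination-address", "amount_sat": 250000, "nonce": 7}


def demo() -> dict:
    """Which signature sets a 2-of-3 policy accepts."""
    one = {signer_id(KEY_LAPTOP): sign(KEY_LAPTOP, TX)}
    two = {**one, signer_id(KEY_HARDWARE): sign(KEY_HARDWARE, TX)}
    tampered = {**TX, "amount_sat": 2500000}          # amount changed after signing
    outsider_key = b"constructed-attacker-key"
    outsider = {**one, signer_id(outsider_key): sign(outsider_key, TX)}
    return {
        "one_signature": POLICY.authorise(TX, one),
        "two_signatures": POLICY.authorise(TX, two),
        "two_signatures_tampered_tx": POLICY.authorise(tampered, two),
        "one_plus_outsider": POLICY.authorise(TX, outsider),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The security property Noel-Tagoe describes falls out of the last two cases: compromising one device yields one counted signature, and a signature from a key outside the policy adds nothing, so an attacker needs independent access to at least two of the three wallets.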

Holders of coins like ADA or shiba inu (SHIB) should be looking for a resilient platform and assessing whether it has relevant certifications such as ISO 27001. 


This will give a good overall indication of whether the platform is reliable and transparent and if it takes security sufficiently seriously to get certified, says Aaron Mulgrew, senior solutions architect at cybersecurity specialist Forcepoint.

Holding assets offline is important

He adds that it makes sense for long-term traders to hold their assets offline as this is much more secure than keeping coins on the live exchange where they are accessible to more people.

Kostiantyn Oleshko, product owner at cybersecurity ranking and certification platform CER.live, suggests the following checklist:

  • Presence of a security audit

  • Absence of security incidents

  • Presence of a bug bounty programme

  • Customisable mnemonic length – 12/18/24 words

  • The need for a user to re-enter the mnemonic phrase after writing it down

  • Hierarchical deterministic feature for address generation

  • Support for WalletConnect feature for DeFi services

  • Requirement for the password to contain at least one uppercase letter, one lowercase letter, and one digit and be more than eight symbols in length

According to Dave Bitcoin, choosing a hardware wallet is an option for reducing risk. 

A software wallet opens the possibility of someone finding a bug in that software and exploiting it to steal funds, for example by introducing malware onto the crypto holder’s desktop or phone that steals the seed words saved in the wallet app.

Anyone who has a software wallet on a device should be mindful of other apps they install or websites they visit on that device.

“Operating systems have become better at sandboxing apps so one malicious app cannot steal data from another, but there is always a chance of someone discovering a bug and exploiting it,” he says. 

“Wallet owners should be alert to phishing attempts, especially when asking for help in an online community.” 

Beware of strangers 

“I am contacted frequently by people who say they asked a question in a Telegram or WhatsApp group and someone who offered to help them ended up being a scammer who stole their BTC or their ETH.”


Kovac agrees that it is important to get clued up on social engineering attacks, particularly on mobile devices as hackers are increasingly targeting these devices in order to steal crypto credentials. 

These kinds of attacks can emanate from unsolicited messages over text or from social media, email and third-party messaging services.

“Generally speaking, if you receive a crypto-related message that uses an overdramatic sense of urgency, appears too good to be true, includes spelling and grammatical errors, and/or has been sent from an unrecognisable source, there is a high chance that it is a scam,” he says. 

Phishing attacks become more ‘sophisticated’

“However, phishing is becoming more targeted and sophisticated making it harder to spot.”

Another logical step for crypto wallet holders is to avoid unwarranted attention: do not post content on social media that could give an attacker an upper hand in socially engineering them, such as details of which platform they use or screenshots of their holdings.

In addition to enabling security features such as multi-factor authentication, crypto wallet holders should use strong, unique passwords for each of their wallets. 

A final tip would be to look at spreading your assets across multiple providers and wallets, says Mulgrew. “If the worst happens and the infrastructure provider is hacked, then at least not all of your assets have been stolen,” he says.
