
Topic: General Crypto Safety + Wallet Guide - page 2. (Read 461 times)

BQ
member
Activity: 616
Merit: 53
CoinMetro - the future of exchanges
May 07, 2018, 10:18:36 AM
#2
Added some more security things like firewall, but it could be redundant if your computer is up to date;
make sure for example Windows Firewall is active at least!
BQ
member
Activity: 616
Merit: 53
CoinMetro - the future of exchanges
May 05, 2018, 11:09:15 PM
#1
I originally posted this in 'Altcoin Discussions' but I realised no one sees it there because people are just responding to various threads,
here in Beginner-category, there is a Bitcoin Wallet guide, so this seems like it would fit better here!

I am no expert, but I believe this could be helpful as it was things I wondered when I started.
If you find any flaws/wrongs please write and I will edit!

The wallet-guide covers mostly Ethereum-wallets, but the same applies to most other cryptos!

MyEtherWallet is a popular wallet.
However, it's an interface, they don't save your keys, they can't help you if you lose your keys/funds.
MyEtherWallet is only a bridge to communicate with the blockchain easily.
I believe MyEtherWallet(short: MEW) is the most common way to interact with the ETH blockchain.
Due to this DNS hack last week, and other hacks that have happened,
I thought I would make a simple guide about MEW, but also about general security!

I suggest that if you want to keep using MyEtherWallet, do it offline!
Here's a guide on how to use MEW offline: https://myetherwallet.github.io/knowledge-base/offline/running-myetherwallet-locally.html
Always make sure the lock icon next to the url bar is Green when visiting any site like MyEtherWallet!

MyEtherWallet allows you to 'generate' a wallet. The safest choice would be to download an encrypted keyfile and use that to login.
This means that even if someone were to access your keyfile, they'd require the password used to encrypt the file.
However, if you submit this data to a phishing site, you'd still lose your funds!
Entering your private key in plain text is unwise as a keylogger/middleman could read this data.

Another popular choice is MetaMask.
https://metamask.io/
MetaMask is a browser plugin which basically lets you do all your transactions in a little browser window, instead of going to for example MyEtherWallet.
MetaMask is great because it also allows you to easily interact with any type of dApps with ease.
MetaMask also protects you versus phishing sites.
As I understand it, MetaMask stores a file locally encrypted with a password.
The public key is seen in MetaMask, however you can also export the private key.


Hardware wallets
I personally advocate for Trezor as it is open source(therefore all code can be verified to be safe).
The most popular wallet however, I believe is Ledger Nano.

Basically how a hardware wallet works is, keys are generated inside it.
Whenever you want to do a transaction, all that happens is that the transaction is signed inside your hardware wallet,
and this signed transaction data is broadcast. The private key never leaves your wallet.
The recipient address could still be changed by a virus!
Hardware wallets generally have a screen and buttons to confirm transactions and you can confirm the address.


In my personal opinion, hardware wallets are the best choice for most people - they are foolproof and safe.
You get a recovery phrase you write down in case you lose your wallet.
To access it, you need to enter a PIN that you choose on first time setup.
Trezor/Ledger supports many different cryptos, not only bitcoin/eth.

However, a physical device comes with a cost - ~$50-100 depending on which one you go for.
If you believe your crypto will one day be worth a lot, or already is - it's definitely a sound investment!

sites:
www.ledgerwallet.com
www.trezor.io

I know that many computer-people think hardware wallets are stupid, and sure they could be, but they are easy and safe.


Keeping funds on an exchange
This is quite popular, and I guess there is nothing wrong with it.
But, people need to be aware of the risks involved.
Any funds kept on an exchange are not truly your funds!
All it is, is their database saying that your account holds [these cryptos].
It doesn't mean they actually have coverage to cover everyone in case of a mass cashout (probably a small risk), or their wallets could be hacked, they could exit etc.
This happened in 2014 with Mt.Gox, the largest exchange at the time, and that is still shaking the market.

What is more important, is to consider what this means - they're in control of your funds,
and theoretically, they can very easily prevent you from ever receiving your funds.
Of course, this is not something that one has to worry about in general - however, just keep in mind that it's not actually yours.
It's like a bank.

If someone gained access to your account, they could steal your funds.
The basic requirement for this would be your account + email account.
Unless, you have 2FA (2 Factor Authentication), which requires certain actions to be confirmed on another device,
usually your phone. You should have this activated for maximum exchange-security!

This also means that if your account is hacked, or if the exchange itself is hacked, you might end up losing part of/all your funds.
Hot wallet: this is the wallet(s) the exchange uses to payout/receive to, and usually holds a small percentage(<10%) of all funds.
So if an exchange were hacked, they shouldn't be able to lose more than what is in their hot wallets.

Cold wallet: These are wallets that are not exposed to the internet (in terms of private key access by software etc).
An exchange should keep the majority of their funds here.

Summary
This is my personal opinion
Ordering by safety
1. Hardware Wallet (it protects people from themselves)
2. Paper Wallet (if you take necessary precautions)
3. MetaMask (simple because it protects more)
4. MyEtherWallet (still you are in control, but you are exposed to potential 3rd party hacks)
5. Exchange (you are not in control)

I would like to expand on one topic regarding safety:
A more 'technically savvy' person could be perfectly fine with his private key in plaintext.

In general, one should be cautious of exposing your private key (in any form - plaintext, encrypted) to any sort of software.
If you have a virus, an encrypted file isn't enough, because the moment you decrypt it, it's exposed.
If you are using many different plugins in your browser, they might be reading your data(check permissions).

There are too many risks, and many people lose their crypto.
Don't do it too late, ensure that you're safe today, because in the end - no one can help you.
Part of what's great about crypto is this aspect; isn't it? You and only you are in control of your funds, in all aspects - including safekeeping.

Here are a few tips I think could be useful:
  • Scan your computer for viruses on a regular basis(Malwarebytes AntiMalware is a good choice)
  • If possible, use a second computer with a factory state OS
  • use a different browser without any plugins(apart from MetaMask if that's your choice)
  • always ensure that any site you access and intend to put your crypto information in, has a valid certificate.
  • (valid certificate: click the green lock next to the URL bar, check the info, confirm it's always the same).
  • no company handling money would let their certificate expire.
  • if you only want to check your funds, use etherscan.io and search your public address

If you are using Windows, you can also install a second OS - for example Linux Mint.
It's free, and only requires a CD/USB. You can have dualboot setup, so when you want to access your crypto,
just restart your computer, enter Linux Mint, do your business, and restart back into Windows!

Also, you can run Linux Mint without installing it, simply by inserting the medium(USB/CD), restart and boot from the medium.
There you have access to Firefox to do your crypto business. This is likely the best way to do it, even if you have Linux Mint installed.

A useful browser plugin is NoScript which prevents any site from running javascript without your manual approval.
Other useful plugins in my opinion (somewhat unrelated): uBlock Origin, Privacy Badger, Cookie AutoDelete, Disconnect

Finally, if you are not at all a technical person, it might be better to leave your crypto at an exchange.
Surely the exchange is not the safest place, but a virus-riddled computer or general risk behaviour is definitely not safer!


(Use at your own risk)
Wallets
https://trezor.io/
https://www.ledgerwallet.com/
https://myetherwallet.com/
https://www.keepkey.com/
https://metamask.io/

Other
https://tinywall.pados.hu/ - simple firewall
https://www.malwarebytes.com/ - virus scanning
https://www.ccleaner.com/ - clean up in general
https://linuxmint.com/ - free and secure OS

Plugins
https://noscript.net/
https://www.eff.org/privacybadger
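
Added example (not part of BQ's post): the tip above about checking that a site's certificate is valid and "always the same" can be automated by remembering the certificate fingerprint from the first visit and comparing it on later visits. The function names, the host wallet.example and the file pins.json are assumptions made for this sketch.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

def fetch_cert_der(host, port=443, timeout=10):
    """Fetch the site's leaf certificate as DER bytes.
    The default context verifies the chain and hostname, so an expired,
    self-signed or mismatched certificate raises ssl.SSLError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def fingerprint(der):
    """SHA-256 fingerprint of the certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def check_pin(host, der, pins):
    """Compare a certificate with the one remembered for this host.
    Returns 'first-seen', 'match' or 'changed'; a changed certificate never
    overwrites the stored pin, so the user has to confirm it deliberately."""
    fp = fingerprint(der)
    if host not in pins:
        pins[host] = fp
        return "first-seen"
    return "match" if pins[host] == fp else "changed"

def load_pins(path):
    """Read the remembered fingerprints (hypothetical file, e.g. pins.json)."""
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}

def save_pins(path, pins):
    Path(path).write_text(json.dumps(pins, indent=2, sort_keys=True))

def demo():
    """Offline run on constructed byte strings standing in for DER certificates."""
    pins = {}
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    return [check_pin("wallet.example", c, pins) for c in (cert_a, cert_a, cert_b)]

if __name__ == "__main__":
    # Live use: check_pin(host, fetch_cert_der(host), load_pins("pins.json"))
    print(demo())
```

Sites renew their certificates from time to time, so "changed" means stop and verify through another channel before entering any key or password, not necessarily that the site is fake.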