A Personal Crypto Security Checklist
A guide to securing your privacy and identity on the blockchain
The rise of cryptocurrency has come with a rise in cybercrime that only proper crypto cybersecurity can address. Decentralised digital assets operating free of central banks are affordable and free of additional fees. However, this also presents a haven for criminals, as there is no central authority to monitor transactions and overall crypto activity. Users also risk making bad trades that can result in significant losses.
The best way to protect yourself from these cyberattacks is by implementing proper crypto cybersecurity protocols and practices. We outline some areas that Web3 developers and investors - or anyone concerned with their privacy - should consider in order to protect their sensitive data and accounts on the blockchain.
TL;DR on OPSEC
OPSEC stands for operations security. It is a military term, signifying the process of identifying and protecting critical information that could be used by enemies.
In the context of crypto, personal OPSEC covers information that could be used by cybercriminals hoping to access your account and steal your funds.
A Personal Crypto OPSEC Checklist
Investors can take a number of steps to protect themselves from potential attackers on the blockchain.
Secure your DNS server
Connect your device to a VPN and/or Tor
Test with a virtual machine (VM) and disposable wallet
Incorporate best practices on wallet authentication and password storage
Avoid scams and phishing attempts by securing your social media accounts
Use a multisig or at least a hardware wallet
Be careful when sharing your home address
Web Usage
DNS
The Domain Name System (DNS) is what converts human-readable domains (e.g. cwps.com) into an IP address to connect to (e.g. 104.27.136.180). It is also an easily overlooked attack surface, and bad actors are using this to their advantage.
Threat research teams report that over 80% of malware utilise DNS to identify a command-and-control (C2) server to steal data and spread malware.
Recommended Actions
Change your DNS settings to a server that has ad-blocking and tracker-blocking features, such as:
A great option that does not significantly increase latency is a DNS proxy such as dnscrypt-proxy, which encrypts and authenticates requests using the DNSCrypt protocol. This means that internet service providers (ISPs) cannot see the details of the communication between, say, a miner and a mining pool; the only visible information is that a connection was made.
Set up your browser to disable DNS pre-fetching. This is a technique used by browsers such as Chrome and Firefox to speed up browsing: the domain names of links on a page are resolved before the user requests them. Pre-fetching is an issue because a DNS lookup can serve as a communication channel for an adversary, so having this setting enabled can inadvertently trigger a callback.
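DNS lookups acting as a covert channel is the risk the section above describes. The following added example (not part of the original article) shows the kind of check a defender can run over resolver query logs to spot lookups that look like encoded data rather than hostnames. The log lines, the covert.example domain and the thresholds are constructed for illustration, and the parent-domain grouping assumes a simple two-label suffix rather than a Public Suffix List lookup.

```python
import math
from collections import defaultdict
# Constructed sample log of (client, queried name); 10.0.0.9 is the tunnelling-style client.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "cdn.example.net"),
    ("10.0.0.5", "mail.example.org"),
    ("10.0.0.9", "a8f3c1e29b7d4e6f0a1b2c3d4e5f6a7b.data.covert.example"),
    ("10.0.0.9", "9e2d5c7a1b3f8e0d6c4a2b1f9e8d7c6a.data.covert.example"),
    ("10.0.0.9", "4c6e8a0b2d4f6e8a0c2e4a6c8e0b2d4f.data.covert.example"),
    ("10.0.0.9", "b1d3f5a7c9e1b3d5f7a9c1e3b5d7f9a1.data.covert.example"),
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registrable_domain(name: str) -> str:
    """Group by the last two labels (assumption: no Public Suffix List lookup)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def suspicious_queries(log, max_label=30, min_entropy=3.5, min_unique=3):
    """Map each parent domain to the reasons its traffic looks like encoded data:
    over-long labels, high-entropy labels, or many distinct subdomains."""
    by_parent = defaultdict(set)
    for _client, name in log:
        by_parent[registrable_domain(name)].add(name.lower().rstrip("."))
    findings = {}
    for parent, names in by_parent.items():
        reasons = set()
        for name in names:
            for label in name.split(".")[:-2]:      # subdomain labels only
                if len(label) > max_label:
                    reasons.add("long label")
                if shannon_entropy(label) > min_entropy:
                    reasons.add("high entropy label")
        if len(names) >= min_unique:
            reasons.add(f"{len(names)} distinct subdomains")
        if reasons:
            findings[parent] = sorted(reasons)
    return findings

if __name__ == "__main__":
    print(suspicious_queries(SAMPLE_LOG))
```

Real resolver logs will need the thresholds tuned against your own baseline, since CDNs and some legitimate services also use long, random-looking labels.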
VPN & TOR
VPNs (virtual private network services) and Tor have many similarities, but they serve different purposes. Common features include the use of encryption and the ability to hide a user’s real IP address and location from third parties. Where they differ is emphasis: VPNs focus on privacy (hiding what you do) while Tor emphasises anonymity (hiding who you are).
We have summed up the best uses for each below:
With regard to VPNs, a lot has already been said about their necessity. Ben Schmerler gives an important breakdown of the benefits and limitations of VPNs. Some VPNs to check out are Adguard VPN and Nord VPN. However, one crucial thing to note is that a VPN is a centralised service: a central authority (i.e. the VPN provider) still controls and manages connections, so to some extent users are required to trust the provider. In contrast, Tor is decentralised; no individual or entity owns or manages the network, and thousands of volunteers across the world operate the proxy servers.
BROWSER
Most of the advice on crypto Twitter pertaining to browser use has already been beaten like a dead horse. We have filtered out the key points here:
Clear your browsing and cookie data from the browser at the end of each session. (Your private mode ain’t that private.)
Use web apps instead of downloading the official apps. (You don’t really know what you are downloading.)
Use a browser that doesn’t track you, such as:
Virtual Machine
The intention behind connecting to a website using a virtual machine (VM) and a disposable hot wallet is to test the waters. It will allow you to see if everything behaves as expected before committing more money. If things do go sideways, only one wallet has been compromised, a small amount of funds lost, and the browser as well as the VM can be safely deleted. This avoids having to deal with a whole-system compromise.
Examples on the use of VM and disposable wallet
Recommended Action: Harden the VM to isolate the guest OS from the host OS
Given that the guest operating system (OS) will run potentially malicious software, extra precautions must be taken to harden the boundary between the guest and host OS (i.e. the virtual machine and the ‘base’ machine). The following steps are advised:
Disable shared folders, if enabled. They should not be enabled by default, especially not without extra software installed within the guest OS to provide such host-to-guest functionality.
Disable clipboard sharing.
Take a snapshot of the final configuration. The guest OS may be rendered unusable or modified in undesirable ways in the course of its use. To ensure a pristine base version of the virtual machine is available to revert to in these instances, create a snapshot of the machine once it is ready. You can refer to VirtualBox on how to execute this step.
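As an added example (not from the article or from VirtualBox's own tooling), the script below audits the three steps above against the output of VBoxManage showvminfo --machinereadable and lists the VBoxManage commands that close each gap. It assumes that output's key names (clipboard, draganddrop, SharedFolderNameMachineMappingN, SnapshotName) and the VirtualBox 7 option spellings; the sample output and the VM name wallet-test are constructed.

```python
import subprocess
# Constructed sample of the relevant showvminfo lines for a VM that is not yet hardened.
SAMPLE_INFO = '''name="wallet-test"
clipboard="bidirectional"
draganddrop="hosttoguest"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"
'''

def parse_machinereadable(text):
    """Turn the key="value" lines into a dict with the quotes stripped."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip('"')
    return info

def audit_isolation(vm, info):
    """Return (findings, fixes): settings that weaken the guest/host boundary and the
    VBoxManage commands (VirtualBox 7 spellings, assumed) that close each gap, in the
    order to run them: remove sharing first, then snapshot the clean state."""
    findings, fixes = [], []
    if info.get("clipboard", "disabled") != "disabled":
        findings.append("clipboard sharing: " + info["clipboard"])
        fixes.append(["VBoxManage", "modifyvm", vm, "--clipboard-mode", "disabled"])
    if info.get("draganddrop", "disabled") != "disabled":
        findings.append("drag and drop: " + info["draganddrop"])
        fixes.append(["VBoxManage", "modifyvm", vm, "--drag-and-drop", "disabled"])
    for key, share in sorted(info.items()):
        if key.startswith("SharedFolderNameMachineMapping"):
            findings.append("shared folder mapped into the guest: " + share)
            fixes.append(["VBoxManage", "sharedfolder", "remove", vm, "--name", share])
    if not any(k.startswith("SnapshotName") for k in info):
        findings.append("no snapshot to revert to")
        fixes.append(["VBoxManage", "snapshot", vm, "take", "clean-base"])
    return findings, fixes

def audit_live_vm(vm):
    """Same audit against a real, powered-off VM (needs VBoxManage on PATH)."""
    out = subprocess.run(["VBoxManage", "showvminfo", vm, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    return audit_isolation(vm, parse_machinereadable(out))

if __name__ == "__main__":
    findings, fixes = audit_isolation("wallet-test", parse_machinereadable(SAMPLE_INFO))
    for finding in findings:
        print("FINDING:", finding)
    for cmd in fixes:
        print("FIX:    ", " ".join(cmd))
```

The fixes are printed rather than executed so they can be reviewed first; modifyvm only succeeds while the VM is powered off.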
Important Reminder
Assume all files on the VM are infected and malicious. Do not transfer any files out of the VM.
Assume all files on the VM can be sent to a malicious third party (exfiltrated). Do not transfer any files into the VM, especially sensitive data.
Assume the software running on the VM is infected and malicious. Do not provide any network share or file access outside the VM unless needed.
Further Considerations
Connect to a Flashbots Protect RPC to protect yourself from bots lurking in the Ethereum dark forest that monitor the mempool and front-run your transactions.
If you are somewhat paranoid and do not care much about UX, you can install the Tails operating system on a USB drive or in a VM. Tails runs entirely in memory, which means it does not touch the hard drive. Tails is also focused on extreme privacy and does not save your data.
Passwords & Keys
It is a no-brainer that stolen passwords are often the fastest way to lose your funds and personal data. There are three main aspects that you should consider as best practices.
Avoid SMS as an authentication factor
There is a common SMS scam called SIM swapping, where malicious actors take over a phone number to intercept SMS-based multi-factor authentication. In general, do not use SMS as an authentication factor for anything that matters, such as a bank account. You should view SMS not as an added layer of security, but as a vulnerability.
One-time-use codes
For every account you register in an authenticator app (e.g. Google Authenticator, Authy, Okta), you should physically print out the one-time-use codes. This is per account, so you will need to back up every single account in your authenticator app. Once you print them out, keep them safe and do not put them online anywhere.
Password managers
Do not use the same password for every service, because the moment one password is compromised, all of your logins are compromised. Most, if not all, password managers use a master password to secure and manage your login information. Weighing the trade-off between a single master password and reused passwords, a password manager is clearly much more secure. Password managers such as LastPass have additional security features, including support for security keys (e.g. Yubikey), where you need both your password and the security key to access your logins.
Online Privacy
For many hackers, social media is seen as the perfect way to access personal information and execute cyberattacks like phishing or scams. In order to prevent these threats, you will need to be mindful about who and what you interact with whenever you are online.
Recommended Actions
Create pseudonymous usernames
Provide dummy answers to security questions
Disallow access to contacts
Force app to ask permission for camera, microphone and location access
Use a burner email address
Use sites like textverified.com when phone numbers are necessary
Wrench Attacks
Alas, the most primitive form of crypto theft - the $5 wrench attack. No matter how advanced the encryption, hardware, or software, if someone comes at you with a wrench, you will probably just log into all your accounts for them.
In order to minimise the possibility of criminals physically paying you a visit, do not put any personally identifiable information (PII) or any other identifying tags on your hardware wallet. In the event of an actual wrench attack, a dummy PIN and account would be a useful decoy to mislead the attacker. In these dummy or "false" accounts, you can put small amounts of crypto assets. Ledger supports this functionality as an advanced passphrase option.
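To see why a decoy account works, here is an added example (not from the article, Ledger or any wallet vendor) of the BIP39 passphrase derivation that hardware-wallet passphrase features such as Ledger's are based on: the same mnemonic with a different passphrase yields an unrelated seed, so the decoy wallet shares nothing with the real one. The passphrases are constructed; the mnemonic and expected seed are the published BIP39 English test vector.

```python
import hashlib
import unicodedata

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output,
    password = NFKD(mnemonic), salt = NFKD("mnemonic" + passphrase)."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split())).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def decoy_report(mnemonic: str, real_passphrase: str, decoy_passphrase: str):
    """Derive the real and decoy seeds; return (seeds differ?, differing bits of 512).
    The passphrase is part of the secret and is stored nowhere on the device or in the
    mnemonic backup, so a forgotten passphrase means unrecoverable funds."""
    real = bip39_seed(mnemonic, real_passphrase)
    decoy = bip39_seed(mnemonic, decoy_passphrase)
    return real != decoy, hamming_bits(real, decoy)

# Published BIP39 English test vector: 16 zero bytes of entropy, passphrase "TREZOR".
VECTOR_MNEMONIC = "abandon " * 11 + "about"
VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                   "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

if __name__ == "__main__":
    assert bip39_seed(VECTOR_MNEMONIC, "TREZOR").hex() == VECTOR_SEED_HEX
    # Constructed passphrases: the empty one is the plain wallet, "decoy" holds the small float.
    differ, bits = decoy_report(VECTOR_MNEMONIC, "", "decoy")
    print("seeds differ:", differ, "| differing bits:", bits, "of 512")
```

A seed pair from two passphrases differs in roughly half its bits, as independent random values would; nothing about the real wallet can be read off the decoy.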
Wallet-related Attacks
Despite hardware wallets being one of the safest ways to safeguard against cybercrime, people have been hacked through their Ledger devices. The attacks came through the intermediary (e.g. Metamask) on a computer that was itself hacked, not through the Ledger device. What victims saw on screen may have looked legitimate, but the intermediary was actually authorising a message that sent their assets to a malicious address.
The takeaway here is to practise at least basic computer security no matter what you do. This means using a private computer, being careful about phishing attacks, and so on.
OPSEC Tools
Feeling lost on how to start going down the Crypto OPSEC checklist? We recommend the following products to check out:
Aegis Authenticator: a secure, free and open source 2FA app for Android.
Azteco: buy bitcoin vouchers without KYC from a local distributor.
CalyxOS and GrapheneOS: both are private Android mobile operating systems that prioritise security and privacy. CalyxOS offers a firewall that allows users to control network access on a per-app basis. It also offers a built-in VPN, encrypted calls and messages, Tor browsing and more. There is also an option to enable microG, which replaces some functions of Google Play Services while maintaining more anonymity and privacy. GrapheneOS does not include any Google replacements.
Tutanota: an ad-free, encrypted and open-source email service. Users can register for an email account without providing personal information, including a phone number.
YunoHost: a platform for self-hosted email and web domains. YunoHost simplifies self-hosting by allowing users to manage their own internet server through the service’s web interface. Users can deploy apps, self-host email, send messages and manage domain names.