Safety and Security Tips
It's an unfortunate reality of the modern crypto world that there are people out there who will stop at nothing to steal your crypto assets or scam their way into your wallet. We've compiled this list of tips to help you protect yourself and greatly reduce the chance of becoming a victim of theft or scams.
- Security Best Practices for your computer
- Hardware wallets
- 2FA for email accounts
- Secure Passwords
- Beware of Scams
- Securing your Private Keys
IMPORTANT SECURITY UPDATE 10/19/2017:
A recent vulnerability was discovered in the WPA/WPA2 wireless encryption protocols that affects ALL devices that connect to wireless networks, and it can allow a hacker to break into secured wireless networks. The vulnerability is called the KRACK attack and more information can be found here: https://www.krackattacks.com/
Make sure you have applied the latest firmware update from your wireless router manufacturer to patch this vulnerability, and make sure all your computers, phones and tablets have the latest security updates and patches installed.
Security Best Practices
The most important thing to remember about Exodus is this:
Exodus is only as safe as the computer it resides on and the security practices you follow.
Downloading questionable or pirated software from the internet greatly increases the chance of accidentally installing viruses or malware onto your computer, which can range from harmless pop-ups to more sophisticated key-loggers, and even programs that can remotely control your computer. Ensure you use a good anti-virus and anti-malware detection program and keep it up to date with the latest virus signatures. Windows computers are more susceptible to viruses because most viruses are written to target the Windows operating system. While there are fewer viruses written for Mac OS X, they do exist, and it is advisable to invest in a good anti-virus program.
Keeping your operating system up to date with the latest security patches and application updates reduces the chance of being targeted with zero-day exploits that have already been discovered and could potentially allow an attacker access to your system. With the recent and ongoing Vault 7 releases of NSA documents at WikiLeaks, a lot of new viruses and malware have been popping up that target un-patched operating systems.
Reusing the same passwords online and for email severely weakens your security profile and greatly opens you up to identity theft, or to having your bank accounts or your Exodus wallet cleaned out. If a hacker is able to compromise a website where you used the same password as for Exodus or your email, it is possible for them to gain access to every other website where you've used that password.
If you use a password manager, generate a unique, strong password for every website: greater than 30 characters, comprised of uppercase and lowercase letters, numbers and special characters (if the website allows it). You can further protect yourself by checking whether any website that you log in to has been compromised, using https://haveibeenpwned.com/ - if your password has been compromised on any website, change it immediately!
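As an added example (not part of this page or of any password manager), here is a generator that enforces the policy above: more than 30 characters, every character class present, and drawn from the operating system's cryptographic random source. The special-character set and the `allow_special` switch for sites that reject symbols are assumptions of the example.

```python
import math
import secrets
import string

# The policy recommended above: more than 30 characters, using uppercase,
# lowercase, digits and special characters. The special set is an assumption.
MIN_LENGTH = 31
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True when the password is long enough and contains every class."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES.values())


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 32, allow_special: bool = True) -> str:
    """Generate a password from the OS CSPRNG (secrets module), guaranteeing one
    character from each required class and shuffling so no position is fixed.
    allow_special=False covers sites that reject special characters."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    classes = dict(CLASSES)
    if not allow_special:
        classes.pop("special")
    alphabet = "".join(classes.values())
    chars = [secrets.choice(cls) for cls in classes.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle, not random.shuffle
    return "".join(chars)
```

A 32-character password from the full 85-symbol alphabet carries about 205 bits of entropy, far beyond anything brute force can reach; the real risk is reuse, which is why each site gets its own.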
Firewalls and Wi-fi
Use a hardware or software-based firewall to prevent hackers from gaining access to your home network, and never connect your computer directly to the internet without using a software-based firewall. Make sure that WEP passwords are not used on your wireless router. WEP is a very easy-to-crack encryption scheme that has been replaced by WPA/WPA2, which uses your wireless hotspot name (SSID) together with your wireless password to create the hash, making it substantially more difficult to brute-force your wireless network password. Do not use common dictionary phrases for your wireless password; ensure that it contains special characters, numbers and a mix of uppercase and lowercase letters.
If your wireless router has WPS enabled (a simple PIN that you can use to allow new devices to connect to your wireless network), DISABLE IT IMMEDIATELY. A fork of the hacker program Reaver can break the WPS PIN in several seconds and will then show your wireless network login password in clear text. Make sure that you change the administrator login for your wireless router from the default that shipped with the router. Most new wireless routers will force you to change this when you first set up the router, but older routers allow it to remain unchanged and easily guessed by an attacker. If your wireless router has an option to allow WAN configuration, disable it: it allows an attacker to connect to the public IP address assigned to you by your Internet Service Provider and log in to your wireless router.
Security is only as strong as its weakest link!
Holding Large Amounts of Assets in Exodus
Only you can decide the amount of assets you are comfortable keeping inside any desktop wallet.
From a security perspective, wallets can be sorted into two categories: hardware/cold wallets and hot wallets. Hot wallets are constantly connected to the internet and are considered less secure because they're more vulnerable to attack by hackers, but they usually have more features than hardware wallets. Hardware wallets like the Trezor, Ledger Nano S and KeepKey are disconnected from the internet.
The reason we don't recommend holding large amounts of cryptocurrency in Exodus is simple: it's a hot wallet. Anyone who gains access to your computer (locally or remotely) stands a strong chance of stealing your assets (a hacker will still need your Exodus password), especially if you export your private keys.
This is not the case with hardware wallets, as they are intentionally designed to prevent your private keys from ever contacting another device. To learn more, please read this article:
Once again, Exodus is only as safe as the computer it resides on and the security practices that you use. Some users have laptops dedicated solely to Exodus, and they make sure to download only necessary programs, or none at all.
Another thing to remember is to be careful when sending your computer in for repair. We recommend either sending your assets out of the wallet or deleting the Exodus program entirely, and restoring your account after your computer has been returned.
Enable 2FA on your Email Accounts
If you have Google, Yahoo, or Outlook email accounts, you should immediately enable Two-Factor Authentication.
If you haven't done so already, activate 2FA for your email account. Once 2FA is active, a 6-digit code will be sent to your phone after you've entered your username and password, and only after you've entered the correct code can you get into your email.
The reason we recommend this is that most people use simple passwords and reuse the same passwords across multiple online accounts. By enabling 2FA, you're preventing anyone from accessing your account unless they also have your 2FA key. We highly recommend the Google Authenticator app. Do not use text-message-based 2FA, as it has been proven to be exploitable through SMS spoofing.
Here's a video on how to use Google Authenticator:
And here's how to enable 2FA with the 7 top popular email platforms:
One of the best protections you can have is a password that is long and difficult to guess.
We recommend you generate a password using a program rather than making up your own. A password generated by a computer is usually harder to guess than a password created by a human.
There are many programs that can keep your passwords, but we recommend the following:
1Password - This application can save all of your passwords encrypted in one location, and it can generate different passwords for different sites, but you can unlock them all with one password. Check out their video here.
LastPass - This app works in your browser and can generate new passwords on the fly without much hassle. It does not prompt you for a security password, so be careful and make sure you're the only person who uses your computer.
Check out this video about creating strong passwords:
Stay away from sites that ask for your Private Key.
A legitimate ICO will never ask for your Private Key, only for your Public Address. Your Private Key is like the password for your bank account: keep it safe and never share it with third parties. Another scam uses sites that look very similar to a legitimate site.
Never click on links from strangers, or even from sources you trust; instead, bookmark the legitimate sites and only access them from your saved bookmarks. Clever scammers like to copy the entire look and feel of a legitimate site, but usually the URL will differ by a few letters from the legitimate one. Another type of scam is the Slackbot scam. If you receive a private message on a Slack channel asking for your private key or sending a link to any website, even from what looks to be a moderator or admin of the channel, do not trust it.
A moderator on Exodus may ask you for your public address or screenshots of your wallet during a private discussion, but will never ask for your private key. You can safely assume that anyone directly contacting you on forums to give you too-good-to-be-true advice is a scammer.
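The "a few different letters" trick is mechanical enough to check for. As an added example (not from Exodus or any browser), here is a checker that compares the host of a link against a bookmark list, folds the usual substitutions (digits for letters, "rn" for "m", Cyrillic letters identical to Latin ones), and flags near misses by edit distance; the bookmark list and the substitution tables are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed bookmark list standing in for the user's own saved bookmarks.
BOOKMARKED_HOSTS = {"myetherwallet.com", "exodus.io", "etherdelta.com"}

# Folding tables for common swaps: digits that read as letters, and Cyrillic
# letters visually identical to Latin ones (constructed, not exhaustive).
DIGIT_LOOKALIKES = str.maketrans("013578", "olestb")
CYRILLIC_LOOKALIKES = str.maketrans("\u0430\u0435\u043e\u0440\u0441", "aeopc")


def hostname(url: str) -> str:
    """Extract the lower-cased host from a URL or a bare domain."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def fold_lookalikes(host: str) -> str:
    """Map a host to the Latin string a human would read it as."""
    decomposed = unicodedata.normalize("NFKD", host)      # é -> e + accent
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = stripped.translate(CYRILLIC_LOOKALIKES).translate(DIGIT_LOOKALIKES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, bookmarks=BOOKMARKED_HOSTS, max_distance: int = 2) -> str:
    """'trusted' for an exact bookmark, 'lookalike of <host>' for a near miss or
    for a bookmarked name buried inside a longer host, otherwise 'unknown'."""
    host = hostname(url)
    if host in bookmarks:
        return "trusted"
    folded = fold_lookalikes(host)
    for good in sorted(bookmarks):
        buried = good in folded and not folded.endswith(good)
        if buried or edit_distance(folded, good) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"
```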
Here are some examples:
This Fake OmiseGo site asks for your private key even though it says it's safe. Their comment that your Private Key is encrypted by SSL is a lie. Again, no legitimate site will ever ask for your Private Key!
Here's a person talking about a fake MyEtherWallet site that almost tricked him into giving up his Private Key.
Stay away from accounts on social media which ask you to send a small amount of money in return for free ETH or BTC
There have been numerous reports of crypto users getting scammed by fake accounts on social media which appear to belong to a famous personality or company. Examples: fake accounts of Vitalik Buterin, Charlie Lee, John McAfee, Elon Musk, MyEtherWallet, Binance, Coinbase etc.
The basic rule to keep in mind is: no one will ever give you free money! Remember those scams where you received an SMS claiming you had won a huge cash prize but needed to deposit XXX USD to a bank account to claim it? Have you ever seen anyone get rich by paying the so-called 'bank charges'?
If you see a post / direct message / comment which claims to send you free money in return for a small fee sent to their ETH or BTC address (or any asset for that matter), immediately block that account and report it as a scam to the social media site!
Remember: money once sent on the blockchain cannot be reversed by anyone; code is law in crypto land. Hence, think three times before sending anyone funds via the blockchain.
Here are some examples:
Fake account of Tron (TRX) founder Justin Sun
Fake account of Bitfinex Exchange
Private Key Safety
There may come a time when you'd like to participate in an ERC20 ICO, but you can't see the unsupported tokens inside Exodus. You'll want to export your private keys to see your brand new tokens at myetherwallet.com, or you may want to trade them on EtherDelta.
Anyone who gets hold of your private key also has access to your ERC20 tokens, so they can steal your Ether, Golem, Augur, SALT, OmiseGo, BAT, Civic, Gnosis and other Ethereum-based assets.
If you do export them, Exodus will create a file on your desktop containing your private key. After using your private key online, delete the file from your computer and empty your trash/recycle bin, or use a secure digital shredder.
If someone hacks your computer, they'll still need to know your Exodus password to get inside the wallet, but if you have the file on your desktop, the hacker can just peek inside the private key file and steal your private keys. This is why it's prudent to permanently delete the private key file from your desktop after use. If you need it again, Exodus can generate another copy, but again, make sure to delete the file permanently.
What are Private Keys? Here are a couple of videos that help explain why they are so important:
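Emptying the trash only unlinks the file; the bytes stay on disk until overwritten. As an added example (not Exodus code), here is a minimal "digital shredder" that overwrites the exported key file with random data, syncs, truncates it to zero length and then removes it. The file name and contents are constructed stand-ins, and on SSDs, journaling filesystems and cloud-synced folders old copies can still survive, so full-disk encryption remains the stronger control.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file with CSPRNG output, syncing each pass
    to disk. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())  # force the overwrite onto the disk, not just the cache
    return size


def shred_file(path: str, passes: int = 3) -> bool:
    """Overwrite, truncate to zero length so even the size is gone, then unlink.
    Returns True when the file no longer exists, False if it was not there.
    Caveat: SSD wear-levelling, journaling and backups may retain old blocks."""
    if not os.path.isfile(path):
        return False
    overwrite_in_place(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)


def demo() -> bool:
    """Constructed stand-in for the exported key file (not a real key): create it
    in a temp dir, check the overwrite destroyed the contents, then shred it."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "exodus-private-keys-example.txt")
    marker = b"CONSTRUCTED-EXAMPLE-NOT-A-REAL-PRIVATE-KEY\n"
    with open(path, "wb") as f:
        f.write(marker)
    size = overwrite_in_place(path, passes=1)
    with open(path, "rb") as f:
        wiped = f.read()
    gone = shred_file(path)
    os.rmdir(d)
    return size == len(marker) and marker not in wiped and gone
```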