Safety and Security Tips
It's an unfortunate reality of the modern crypto world that there are people out there who will stop at nothing to steal your crypto assets or scam their way into your wallet. We've compiled this list of tips to help you protect yourself and greatly reduce the chance of becoming a victim of theft or scams.
- Security Best Practices for your computer
- Hardware wallets
- 2FA for email accounts
- Secure Passwords
- Beware of Scams
- Securing your Private Keys
IMPORTANT SECURITY UPDATE 10/19/2017:
A recent vulnerability was discovered in the WPA/WPA2 wireless encryption protocols. It affects ALL devices that connect to wireless networks and can allow an attacker to break into secured wireless networks. The vulnerability is called KRACK (Key Reinstallation Attack), and more information can be found here: https://www.krackattacks.com/
Make sure you have applied the latest firmware update from your wireless router's manufacturer to patch this vulnerability, and make sure all of your computers, phones and tablets have the latest security updates and patches installed.
Security Best Practices
The most important thing to remember about Exodus is this:
Exodus is only as safe as the computer it resides on and the security practices you follow.
That is a bit of a mantra around Exodus. We are passionate about using good security practices, and in this article we aim to share awareness so you can implement these practices and strengthen your security profile.
These tips are called “practices” because they require ongoing diligence. Much like you should apply sunscreen every day, you should also apply good computer security measures every day. In the long run, these habits could be your saving grace against scammers or prying eyes. I know, those update notifications have an annoying habit of popping up right when you are settling in to (re)watch the third season of The Office. Use that update time to make a snack and crack open a beer; you’ll have the peace of mind of knowing your apps are up to date.
Use this checklist to tighten up your computer security:
- Do not download any questionable, pirated, or cracked software
- If you’ve ever downloaded any pirated software, wipe your drive and reinstall (a legitimate version of) your operating system
- Use a good anti-virus and anti-malware detection program and always keep it up-to-date
- Keep your operating system and applications up-to-date with latest security patches
- This reduces your chance of being targeted with zero-day exploits (What are zero-day exploits?)
- Do not reuse the same password for multiple accounts online
- You can use a password manager to generate a unique, strong password for every website
- Passwords should be longer than 30 characters and made up of uppercase and lowercase letters, numbers, and special characters
- Check whether any website you log in to has been breached at https://haveibeenpwned.com/ - if your password has been compromised, change it immediately!
- Do not follow links randomly sent to you by email, messenger, Reddit, Telegram, or any other communication platform, and do not open email attachments if you do not trust the sender.
- You can use https://www.virustotal.com to check links for security flags.
- While rare, visiting a malicious website can download and install sophisticated malware that opens a backdoor and gives an attacker complete control of your computer.
Firewalls and Wi-fi
Network security settings are often overlooked or viewed as B-list security measures in comparison to anti-virus programs. Don’t make the mistake of ignoring these settings. These little soldiers quietly add layers of protection to bulk up your security profile and deter malicious activity. Learning how to increase security on your home network is a quick way to make huge strides in protecting your assets.
Of course, home networks aren’t the only thing you need to worry about nowadays. Nearly every restaurant, café, bar, and bookstore has WiFi available. While it’s fun to browse the web whenever and wherever you want, it’s important to consider the vulnerabilities of those public networks. It’s fairly simple to deploy malware over a shared network, so learning how to protect your computer (and therefore your crypto) is very important if you plan on using your computer outside of your private home network.
The below list will help you protect your network at home and give you the tools to protect your computer on public networks.
Use this checklist to tighten your network security:
- Use a hardware or software-based firewall to prevent hackers from gaining access to your home network, and never connect your computer directly to the internet without a software firewall running
- Make sure WEP is not used on your wireless router
- What is WEP? WEP is an encryption scheme that is very easy to crack. It has been replaced by WPA/WPA2, which derives the network key from your wireless network name (SSID) and your wireless password, making it substantially more difficult to brute-force your wireless network password.
- Enable WPA/WPA2 on your router
- See more info here: What's the difference between WEP, WPA, and WPA2?
- Do not use common dictionary phrases for your wireless password, ensure that there are special characters, numbers, and a mix of uppercase and lowercase letters
- Disable WPS on your router IMMEDIATELY
- WPS is a simple PIN that lets new devices connect to your wireless network
- A fork of the hacker program Reaver can break a WPS PIN in several seconds and will then show your wireless network password in clear text.
- Change the administrator login of your wireless router from the default that shipped with the router
- Most new wireless routers force you to change the password when you first set up the router, but older routers allow it to remain unchanged and easily guessed by an attacker
- Disable WAN (remote) configuration on your router
- WAN configuration allows an attacker to connect to the public IP address assigned to you by your Internet Service Provider and log in to your wireless router
- Do not do any sensitive web browsing or work-related tasks on a free WiFi hotspot without a VPN
- It is very easy to create a fake WiFi hotspot that mimics the name of the original. The attacker can see and decrypt all traffic flowing over the fake hotspot, exposing in clear text the passwords you use to log in to any website.
- If you must use a free WiFi network, NEVER conduct any sensitive transactions, such as financial transactions
- Always assume that any traffic you send over a free public WiFi network is being monitored. We've written a practical guide on using a VPN to protect your internet traffic here: https://steemit.com/exodus/@exodus/why-a-vpn-matters-for-crypto-users
Security is only as strong as its weakest link!
Holding Large Amounts of Assets in Exodus
Only you can decide the amount of funds you are comfortable keeping inside any desktop wallet
From a security perspective, wallets fall into two categories: hardware (cold) wallets and hot wallets. Hot wallets are constantly connected to the internet and are considered less secure because they are more exposed to attack by hackers, but they usually have more features than hardware wallets. Hardware wallets like the Trezor, Ledger Nano S and KeepKey keep your keys disconnected from the internet.
The reason we don't recommend holding large amounts of cryptocurrency in Exodus is simple: it's a hot wallet. Anyone who gains access to your computer (locally or remotely) stands a strong chance of stealing your assets (a hacker will still need your Exodus password), especially if you have exported your private keys.
This is not the case with hardware wallets, which are intentionally designed so that your private keys never leave the device. To learn more, please read this article:
Once again, Exodus is only as safe as the computer it resides on and the security practices you follow. Some users have laptops dedicated solely to Exodus, and make sure to download only the necessary programs, or none at all.
Another thing to remember is to be careful when sending your computer in for repair. We recommend either moving your assets out or deleting the Exodus program entirely, and restoring your account after your computer has been returned.
Enable 2FA on your Email Accounts
If you have Google, Yahoo, or Outlook email accounts, you should immediately enable Two-Factor Authentication
If you haven't done so already, activate 2FA for your email accounts. We recommend this because most people use simple passwords and reuse the same passwords across multiple online accounts. With 2FA enabled, nobody can access your account unless they also have your 2FA key. We highly recommend the Google Authenticator app. Do not use SMS-based 2FA, as it has been proven to be exploitable through SMS spoofing, and do not use SMS as the "forgot password" recovery method when enabling 2FA. SIM card cloning has been on the rise in high-profile hacks: if your Gmail account is set up to send you an SMS to reset your password, the attacker can lock you out of your email account and then use it as a hopping point to log in to your other accounts through the "forgot password" feature on websites and email providers.
Here's a video on how to use Google Authenticator:
And here's how to enable 2FA with the 7 top popular email platforms:
One of the best protections you can have is a password that is long and difficult to guess.
We recommend generating a password with a program rather than making up your own. A password generated by a computer is usually much harder to guess than one created by a human.
There are many programs that can store your passwords, but we recommend the following:
1Password - This application stores all of your passwords encrypted in one location and can generate a different password for every site, all unlocked with one master password. Check out their video here.
LastPass - This app works in your browser and can generate new passwords on the fly without much hassle. It does not prompt you for a security password, so be careful and make sure you're the only person who uses your computer.
Check out this video about creating strong passwords:
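The checklist earlier on this page asks for passwords longer than 30 characters that mix uppercase, lowercase, numbers and special characters, and this section recommends letting a program generate them. As an added example (not the article's or any password manager's code), here is a small Python generator and checker for exactly those criteria; it uses the standard library's `secrets` module, and the entropy estimate is for uniformly random output only, which is why a machine-generated password beats a human-chosen one of the same length.

```python
import math
import secrets
import string
from typing import List, Tuple

# Character classes from the checklist: uppercase, lowercase, numbers, special characters.
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "number": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?/",
}
ALPHABET = "".join(CLASSES.values())   # 88 distinct characters
MIN_LENGTH = 31                        # "longer than 30 characters"

def check_password(pw: str) -> Tuple[bool, List[str]]:
    """Check a password against the page's criteria; return (ok, list of problems)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"only {len(pw)} characters, need more than {MIN_LENGTH - 1}")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"no {name} character")
    return not problems, problems

def generate_password(length: int = 32) -> str:
    """Generate a password with the secrets module (a CSPRNG, unlike random()).

    Resamples until every class is present, so the result always passes check_password().
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_password(pw)[0]:
            return pw

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    Valid only for machine-generated passwords; a human-chosen phrase of the
    same length has far less entropy, which is the page's point.
    """
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw)):.0f} bits")
```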
We've written this Steemit article with some practical ways that you can spot a Scam or Phishing attempt and protect yourself from them:
Stay away from sites that ask for your Private Key or 12 word phrase!!
A legitimate ICO will never ask for your Private Key or 12 word phrase, only for your Public Address. Your Private Key is like the password for your bank account, and your 12 word phrase is like the password to ALL of your bank accounts: keep it safe and never share it with third parties. Another genre of scam involves copying a known and trusted website such as MyEtherWallet, hosting the copy on a similar-looking URL, and then inviting users to enter their private keys into the fake site.
Never click on links from strangers, or even from sources you trust. Instead, bookmark the legitimate sites and only access them from your saved bookmarks. Clever scammers copy the entire look and feel of a legitimate site.
You should also beware of Slackbot scams. If you receive a private message on a Slack channel asking for your private key or linking to any website, even from what looks to be a moderator or admin of the channel, do not trust it.
A moderator on the Exodus Slack may ask you for your public address or screenshots of your wallet during a private discussion, but will never ask for your private keys or 12 word phrase. You can safely assume that anyone who contacts you directly on a forum with too-good-to-be-true advice is a scammer.
Here are some examples:
This fake OmiseGo site asks for your private key even though it claims to be safe. Its claim that your Private Key is encrypted by SSL is a lie. Again, no legitimate site will ever ask for your Private Key!
Here's a person talking about a fake MyEtherWallet site that almost tricked him into giving up his Private Key.
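The fake-site scam above works because the copied site lives on a URL that merely looks like the real one, which is why the advice is to open sites only from your bookmarks. As an added example (not the article's code), this Python checker applies that rule to a link before you click: it accepts only exact matches (or subdomains) of a bookmarked domain, and flags the usual lookalike tricks such as the real name used as a subdomain, digit-for-letter swaps, one-letter changes, and non-ASCII/punycode hosts. The allowlist is constructed; only myetherwallet.com is named on the page.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains you have bookmarked. Only myetherwallet.com
# is named on this page; add your own bookmarks here.
BOOKMARKS = {"myetherwallet.com"}
# Digit-for-letter swaps that lookalike domains commonly use.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str, allowlist=BOOKMARKS):
    """Return (verdict, reason); verdict is trusted, trusted-no-https, lookalike, unknown or invalid."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid", "no host in URL"
    for good in allowlist:
        if host == good or host.endswith("." + good):
            if parts.scheme != "https":
                return "trusted-no-https", f"{good} reached over {parts.scheme}, not https"
            return "trusted", f"matches bookmark {good}"
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "lookalike", "non-ASCII / punycode host (possible homograph)"
    registrable = ".".join(labels[-2:])  # crude: the last two labels
    for good in allowlist:
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return "lookalike", f"bookmark name {good} is only a subdomain of {registrable}"
        folded = registrable.translate(CONFUSABLES)
        if folded == good or good in folded or levenshtein(folded, good) <= 2:
            return "lookalike", f"{registrable} is within 2 edits of {good}"
    return "unknown", "not a bookmark; open the site from your saved bookmarks instead"
```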
Stay away from social media accounts that ask you to send a small amount of money in return for free ETH or BTC
There have been numerous reports of crypto users being scammed by fake social media accounts that impersonate a famous personality or company, for example fake accounts of Vitalik Buterin, Charlie Lee, John McAfee, Elon Musk, MyEtherWallet, Binance, Coinbase, etc.
The basic rule to keep in mind is: no one will ever give you free money! Remember those scams where you received an SMS claiming you had won a huge prize but needed to deposit XXX USD into a bank account to claim it? Ever seen anyone get rich by paying the so-called 'bank charges'?
If you see a post, direct message or comment claiming that someone will send you free money in return for a small fee to their ETH or BTC address (or any asset, for that matter), immediately block that account and report it to the social media site as a scam!
Remember: any crypto asset (BTC, ETH, etc.) sent on the blockchain cannot be reversed by anyone; code is law in crypto-land. So think very carefully before sending your cryptocurrency to anyone.
Here are some examples:
Fake account of Tron (TRX) founder Justin Sun
Fake account of Bitfinex Exchange
Private Key Safety
There may come a time when you'd like to participate in an ERC20 ICO but can't see the unsupported tokens inside Exodus. You'll want to view your private keys in order to see your brand new tokens at myetherwallet.com, or you may want to trade them on EtherDelta.
Anyone who gets hold of your private key also has access to all of your ERC20 tokens, so they can steal your Ether, Golem, Augur, SALT, OmiseGo, BAT, Civic, Gnosis, and other Ethereum-based assets.
What are Private Keys? Here are a couple of videos that help explain why they are so important: