By Paul Golden
Edited by Aaron Woolner
04:50, 23 May 2022
The Chainalysis 2022 crypto crime report notes that illicit activity’s share of cryptocurrency transaction volume has never been lower – but the report authors also acknowledge that illicit addresses received $14bn over the course of last year, almost double the $7.8bn stolen in 2020.
A significant chunk of crypto theft is from holders’ wallets. So what security features should digital asset holders look for when selecting a wallet to store their BTC or ETH?
Dave Bitcoin is the pseudonymous co-founder of Wallet Recovery Services, which helps people recover access to password-protected wallets.
He says best practice is to use a seed phrase-based wallet with a good reputation and write the phrase down and store it in a safety deposit box or similar.
“It would be best to never save the seed on a computer or phone that has an internet connection as it would be susceptible to being hacked and stolen,” he adds.
“For an extra level of security, one can also attach a passphrase to the seed words so that the wallet can only be restored if both are known.”
Dave Bitcoin recommends hardware seed phrase wallets such as Ledger and Coldcard, but acknowledges that they could be overkill for the casual crypto investor.
“Good options for software wallets include Exodus, Coinbase, and Atomic,” he says. “They support many different coins and have desktop and mobile apps and also use a seed phrase for backup.”
Exodus for example supports over 185 types of digital currencies, including solana (SOL) and dogecoin (DOGE).
When choosing a custodial or software wallet, crypto holders should make sure two-factor authentication (2FA) is provided as standard.
Using 2FA provides an additional layer of security to online accounts by adding a second ‘factor’ to the login process, such as a numerical code sent to a device via email or text.
Generally speaking, the more factors presented to authenticate an account the harder it is to compromise.
“For greater security, some platforms encourage users to set up separate passwords for login and transfers,” says Peter Kovac, senior researcher at cybersecurity software company Avast.
“If a user decides to enable this feature, it is really important they follow good password or passphrase management and ensure the two are not the same.”
Another consideration is opting for a cold wallet instead of a custodial or software wallet.
Cold wallets are physical devices – like a USB stick – that store the private keys for the cryptocurrencies purchased.
They are designed to prevent hacking and come with a recovery sheet and a private key on a piece of paper, although, as with any physical device, losing the device is a risk.
Cyril Noel-Tagoe is principal security researcher at Netacea, which has developed a business logic attack definition framework to define how wallet attacks are carried out.
He points out that multi-factor authentication should preferably allow use of hardware security keys or authenticator apps, which are more secure than SMS-based multi-factor authentication.
“People can also look for wallets which allow multi-signature transactions,” he says. “This provides additional security by requiring multiple keys – distributed across different wallets – to authorise a transaction.”
Holders of coins like ADA or Shiba inu (SHIB) should be looking for a resilient platform and assessing whether it has relevant certifications such as ISO 27001.
This will give a good overall indication of whether the platform is reliable and transparent and if it takes security sufficiently seriously to get certified, says Aaron Mulgrew, senior solutions architect at cybersecurity specialist Forcepoint.
He adds that it makes sense for long-term traders to hold their assets offline as this is much more secure than keeping coins on the live exchange where they are accessible to more people.
Kostiantyn Oleshko, product owner at cybersecurity ranking and certification platform CER.live, suggests the following checklist:
Absence of security incidents
Presence of a bug bounty programme
Customisable mnemonic length – 12/18/24 words
The need for a user to re-enter the mnemonic phrase after writing it down
Hierarchical deterministic feature for address generation
Support for WalletConnect feature for DeFi services
Requirement for the password to contain at least one uppercase letter, one lowercase letter and one digit, and to be more than eight characters in length
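The seed-plus-passphrase scheme Dave Bitcoin describes, and the mnemonic-length and re-entry items on the checklist above, as an added example that is not code from the article or from any wallet it names. It assumes the BIP-39 standard those wallets implement (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus the optional passphrase); the sample phrase is the public all-"abandon" test phrase, not a real wallet.

```python
import hashlib
import unicodedata

# BIP-39 permits 12, 15, 18, 21 or 24 words; the checklist names 12/18/24 as the
# lengths a wallet should let the user choose. A word-count check is the minimum
# sanity test; full validation also needs the 2048-word list for the checksum.
VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def normalise_mnemonic(mnemonic: str) -> str:
    """Lower-case, NFKD-normalise and collapse whitespace, as BIP-39 requires."""
    words = unicodedata.normalize("NFKD", mnemonic).lower().split()
    if len(words) not in VALID_WORD_COUNTS:
        raise ValueError(
            f"mnemonic has {len(words)} words; expected one of {VALID_WORD_COUNTS}"
        )
    return " ".join(words)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed from the words plus an optional passphrase.

    The passphrase is part of the key-derivation salt, which is why a wallet
    backed up with one can only be restored when both are known: a different
    passphrase (including an empty one) yields a completely different seed.
    """
    normalised = normalise_mnemonic(mnemonic)
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", normalised.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def confirm_backup(written_down: str, re_entered: str) -> bool:
    """The checklist's 're-enter the mnemonic after writing it down' step."""
    return normalise_mnemonic(written_down) == normalise_mnemonic(re_entered)


# Constructed sample input: the well-known BIP-39 test phrase (12 words).
SAMPLE_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    plain = mnemonic_to_seed(SAMPLE_MNEMONIC)
    with_pass = mnemonic_to_seed(SAMPLE_MNEMONIC, "correct horse")
    print("seed without passphrase:", plain.hex()[:32], "...")
    print("seed with passphrase:   ", with_pass.hex()[:32], "...")
    print("backup re-entry matches:", confirm_backup(SAMPLE_MNEMONIC, SAMPLE_MNEMONIC))
```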
According to Dave Bitcoin, choosing a hardware wallet is an option for reducing risk.
With a software wallet there is the possibility of someone finding a bug in that software and exploiting it, by introducing malware onto the crypto holder’s desktop or phone, to steal the seed words saved in the wallet app.
Anyone who has a software wallet on a device should be mindful of other apps they install or websites they visit on that device.
“Operating systems have become better at sandboxing apps so one malicious app cannot steal data from another, but there is always a chance of someone discovering a bug and exploiting it,” he says.
“Wallet owners should be alert to phishing attempts, especially when asking for help in an online community.”
“I am contacted frequently by people who say they asked a question in a Telegram or WhatsApp group and someone who offered to help them ended up being a scammer who stole their BTC or their ETH.”
Kovac agrees that it is important to get clued up on social engineering attacks, particularly on mobile devices, as hackers are increasingly targeting these devices in order to steal crypto credentials.
These kinds of attacks can emanate from unsolicited messages over text or from social media, email and third-party messaging services.
“Generally speaking, if you receive a crypto-related message that uses an overdramatic sense of urgency, appears too good to be true, includes spelling and grammatical errors, and/or has been sent from an unrecognisable source, there is a high chance that it is a scam,” he says.
“However, phishing is becoming more targeted and sophisticated making it harder to spot.”
Another logical step for crypto wallet holders to take would be to avoid unwarranted attention by posting content on social media that may give an attacker an upper hand to socially engineer them – such as details of what platform they use and/or screenshots of their holdings.
In addition to enabling security features such as multi-factor authentication, crypto wallet holders should use strong, unique passwords for each of their wallets.
A final tip would be to look at spreading your assets across multiple providers and wallets, says Mulgrew. “If the worst happens and the infrastructure provider is hacked, then at least not all of your assets have been stolen,” he says.