Unfortunately, this is part of the growing pains of a young industry. The crypto domain sits at a crossroads between the financial world, with its familiar cohort of risks, greed and danger, and that of new technologies that are both complex and sometimes poorly mastered.
The cocktail can be explosive. It is thus common to hear unpleasant stories in the crypto world where users wake up one morning to a drama: when they log in to their favourite cryptocurrency exchange, their asset balances show zero. The account has been siphoned off by a hacker or some other malicious person.
It is obviously too late by then, but it is also inevitably the moment of a painful realisation: that of failures in IT security and hygiene that would not have been so difficult to fix.
Today, I am going to go back to a few basics and explain some simple habits to adopt in order to start by securing your main entrance door: the email address you use for your crypto activities.
It happened close to you
Having your mailbox hacked means offering a direct entry door allowing comfortable access to your crypto-assets if you store them directly on the exchange platforms where you bought them (and let’s be very clear right away: unless you are a compulsive day trader, leaving cryptos on the platforms is asking for trouble! Do I need to mention IDAX again, or has everyone got the message?).
Here is an example dating back to May 2019 which made some noise because the victim is none other than a senior engineer at the company BitGo, a custody solution well known in the crypto world. Sean Coonce woke up one morning and all his bitcoins, the equivalent of $100,000 no less, had disappeared from the exchange Coinbase. To learn more about Sean Coonce’s story, he wrote an article in which he details his mishap (“The most expensive lesson of my life”). In this article, Sean does not really blame Coinbase but himself: he should have been more vigilant, and he highlights SIM card fraud (SIM swapping), which is fairly common in the United States.
Proof that having your bitcoins stolen can happen to anyone, including you, esteemed reader. In this article I will suggest several steps to secure your mailbox (and in a next article, I will detail more steps to follow to buy your bitcoins safely #spoiler):
1. The creation of a dedicated email address
First, I recommend that you create a dedicated email address for your crypto exchange platforms. Example: email@example.com (this is a simple example; leave this super-cool email address alone).
Why, you ask? The reason is simple: we all use a primary email address with which we have already created tens or even hundreds of accounts on various platforms and third-party services. However, some of these services have suffered hacks and seen their users’ data (email addresses, first names, last names, passwords, etc.) disseminated and made available on the dark web. Among the best-known data breaches, we could cite that of Dailymotion, which affected tens of millions of accounts that leaked in 2016, or more recently Reddit in 2018. For more information on this subject, I invite you to read this article from Dashlane’s blog, which recounts the hundreds of millions of account records now lost in the wild.
You will understand: using an email address dedicated solely to your few accounts on cryptocurrency exchange platforms will significantly limit the risk of hackers trying to log in to your account using your email address, since only you and the platform in question (if you create an alias, see point 2 below) know this email address.
2. Create an alias for EACH cryptocurrency exchange
To go even further in this process and have a unique email address for each of your accounts on cryptocurrency exchange platforms, I advise you to use an alias when the platform allows it (this is, for example, not the case with Binance).
What is an alias? An alias is an email address that redirects the messages it receives to your main email account. For example, firstname.lastname@example.org and email@example.com are aliases.
In other words, all emails sent to these 2 email addresses will be delivered to firstname.lastname@example.org. Magic. If you decide to create an account on the exchange platforms Kraken and Coinbase, you can for example use the following email addresses:
- email@example.com or firstname.lastname@example.org for Kraken,
- and email@example.com for Coinbase.
The email addresses associated with your accounts on these 2 platforms will be unique, and you will receive all the emails sent by these 2 platforms at your main address firstname.lastname@example.org.
With a Gmail address, all you need to do when registering on a crypto exchange (like Kraken, for example) is to enter your email address with your alias, by adding a “+” followed by a tag right after the username part, before the “@”. Example: email@example.com
You will receive all your emails (including the account creation confirmation email) at firstname.lastname@example.org. It also works with ProtonMail. For other email services, this remains to be verified.
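Here is an added example (not code from the original article) showing what the “+” alias mechanism does mechanically, and how a defender can use it: because each exchange was given its own tag, the address a message arrives on tells you which service leaked or reused it. The provider domains, the expected sender domains (kraken.com, coinbase.com) and the sample messages are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Domains whose mail servers deliver "user+tag@domain" to "user@domain".
# Gmail and ProtonMail are the two the article names; the other entries are
# assumed here from the providers' public documentation and are easy to drop.
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com", "protonmail.com", "proton.me", "pm.me"}
# Gmail also ignores dots in the username part; ProtonMail is not assumed to.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(address: str) -> Tuple[str, str]:
    """Split "user@domain" into (user, domain), trimmed and lower-cased."""
    local, domain = address.strip().lower().rsplit("@", 1)
    return local, domain


def alias_for(base_address: str, service: str) -> str:
    """Build the per-service alias user+service@domain from the dedicated base address."""
    local, domain = split_address(base_address)
    if domain not in PLUS_TAG_DOMAINS:
        raise ValueError(f"{domain}: '+' aliases not known to work here, check with the provider")
    tag = re.sub(r"[^a-z0-9]", "", service.lower())  # keep the tag plain and lower-case
    return f"{local}+{tag}@{domain}"


def canonical_mailbox(address: str) -> str:
    """Return the mailbox the provider actually delivers to (strip +tag, and dots for Gmail)."""
    local, domain = split_address(address)
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def alias_tag(address: str) -> Optional[str]:
    """The +tag of an alias, or None when the address carries no tag."""
    local, domain = split_address(address)
    if domain in PLUS_TAG_DOMAINS and "+" in local:
        return local.split("+", 1)[1]
    return None


def audit_inbound(to_address: str, sender_domain: str, registry: Dict[str, str]) -> str:
    """Classify one received message by the alias it arrived on.

    registry maps an alias tag to the sender domain that service is expected to use.
    The sender domain comes from the message itself, so this is a hint, not proof:
    a spoofed From: can lie, and a mismatch only tells you to look closer.
    """
    tag = alias_tag(to_address)
    if tag is None:
        return "base-address-used"      # the untagged address reached a third party
    expected = registry.get(tag)
    if expected is None:
        return "unknown-alias"          # a tag you never handed out
    if sender_domain.lower() == expected:
        return "ok"
    return "alias-mismatch"             # the alias given to one service used by another


# Constructed sample traffic: (To: address, sender domain) pairs, not real messages.
REGISTRY = {"kraken": "kraken.com", "coinbase": "coinbase.com"}   # assumed sender domains
SAMPLE_MESSAGES = [
    ("john.smith+kraken@gmail.com", "kraken.com"),
    ("John.Smith+coinbase@gmail.com", "coinbase.com"),
    ("john.smith+kraken@gmail.com", "crypto-giveaway.example"),
    ("john.smith@gmail.com", "newsletter.example"),
    ("john.smith+forum@gmail.com", "forum.example"),
]


def audit_all(messages=SAMPLE_MESSAGES, registry=REGISTRY) -> List[str]:
    """Run audit_inbound over a batch and return one verdict per message."""
    return [audit_inbound(to, sender, registry) for to, sender in messages]


if __name__ == "__main__":
    for (to, sender), verdict in zip(SAMPLE_MESSAGES, audit_all()):
        print(f"{verdict:18} {to:34} from {sender}")
```

The third sample is the interesting one: a message to the Kraken alias from an unrelated domain means that alias has left the place you gave it to, which is exactly the signal a dedicated alias per exchange buys you. Note that `canonical_mailbox` also shows why the alias is a convenience rather than a secret: anyone who knows the provider’s rules can strip the tag, so the protection comes from the base address never being handed out, not from the tag itself.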
3. Associating recovery phone numbers or email addresses is NOT a good idea
Even though it is a common practice and many services encourage you to do so, I do not recommend associating a recovery phone number with the email address you created to manage your accounts on the various cryptocurrency platforms. Similarly, I do not recommend associating another recovery email address. Each of these represents one more front door into your email address for hackers and other malicious people.
What is the recovery phone number or email address for? If you forget your email address password, a reset will be sent to your recovery phone number or recovery email address. This means that if your phone is stolen or your recovery email address is hacked, then the security of your email address is compromised. And if the security of your email address is compromised, so is the security of your accounts on the various cryptocurrency exchange platforms.
If you store the password of your email address securely, or learn it by heart, then the recovery phone number and recovery email address become useless.
If you still want to associate a recovery email address with your main account, remember to repeat the other steps in this article for that recovery email address. If you would like to associate a recovery phone number, consider enabling a password to unlock your smartphone (and likewise your desktop or tablet).
Finally, remember to log out when you open your mailbox on a device that is not yours.
4. Choose a complicated password
Choose a long password, at least 16 characters if possible, with at least 2 special characters in a row (example: “@#”).
How do I remember this password? To answer this question, 2 main choices are available to you (other, more technical options are also possible, but I will not go into that level of detail):
- Use a password manager: this is software that is simple to download, easy to use and encrypts all your passwords. You only need to remember one password, your master password (I recommend a password of at least 16 characters, with at least 2 special characters in a row), and all the other passwords are remembered by your password manager. Personally, I use Dashlane and I highly recommend it: it is French, it has worked well for years and they offer a desktop and mobile application (as well as a browser extension for Chromium). When you register for a new online service (such as a cryptocurrency exchange), Dashlane can automatically generate a “complicated” password for you if you wish (you can also choose the length of the password and have several special characters placed in succession).
Here is a registration link to create an account on Dashlane.
- Write down all your passwords on a sheet of paper and put it in a safe. It is not practical but it has the merit of working well if you are reluctant to use a password manager like Dashlane.
NB 1: do not write your passwords down in a file (Word, Excel or whatever) stored on your computer or in a cloud-hosted application like Evernote or Note. Why? We are never safe from a virus on our own computer or smartphone (moreover, I strongly recommend that you install an antivirus on your computer and on your smartphone or tablet), or even from the theft of that computer. It is therefore advisable to encrypt sensitive data such as your credentials.
NB 2: choose a unique password that you will not reuse for another mailbox or another online account (imagine that you use the same password for all your online accounts and that one of these accounts leaked following a hack …).
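As an added example (not the author’s code or Dashlane’s), here is how a password manager generates a password that satisfies the rule above: it draws every character from a cryptographically secure random source (`secrets`, never `random`) and guarantees the run of special characters instead of hoping for it. The special-character set and the default length of 20 are constructed choices for the example.

```python
import math
import re
import secrets
import string
from typing import List

MIN_LENGTH = 16                 # the article's floor
MIN_SPECIALS_IN_A_ROW = 2       # the article's "@#" rule
# Punctuation the generator may draw from (a constructed choice; trim it if a site rejects some).
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SPECIALS
# Two or more consecutive characters that are neither alphanumeric nor whitespace.
SPECIAL_RUN = re.compile(r"[^A-Za-z0-9\s]{%d,}" % MIN_SPECIALS_IN_A_ROW)


def policy_problems(password: str) -> List[str]:
    """Return the reasons a password fails the article's rule; empty when it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not SPECIAL_RUN.search(password):
        problems.append(f"needs at least {MIN_SPECIALS_IN_A_ROW} special characters in a row")
    return problems


def entropy_bits(password: str) -> float:
    """Guess-resistance upper bound, assuming each character was drawn uniformly from ALPHABET.

    Only meaningful for generated passwords; a human-chosen word scores far lower in practice.
    """
    return len(password) * math.log2(len(ALPHABET))


def generate_password(length: int = 20, specials_in_a_row: int = MIN_SPECIALS_IN_A_ROW) -> str:
    """Generate a password with the secrets module (CSPRNG) and a guaranteed run of specials."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    if specials_in_a_row > length:
        raise ValueError("more special characters requested than total length")
    body = [secrets.choice(ALPHABET) for _ in range(length - specials_in_a_row)]
    run = [secrets.choice(SPECIALS) for _ in range(specials_in_a_row)]
    cut = secrets.randbelow(len(body) + 1)      # insert the run at a random position
    return "".join(body[:cut] + run + body[cut:])


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, "->", policy_problems(candidate) or "passes", f"~{entropy_bits(candidate):.0f} bits")
```

The entropy figure is the point of the 16-character floor: with an 86-character alphabet, each uniformly chosen character adds about 6.4 bits, so 16 characters give roughly 103 bits and 20 give about 129, well beyond what an offline guessing attack on a leaked hash can cover. A passphrase you invent yourself does not get that credit, which is why the author points you to a manager or a sheet of paper in a safe.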
5. Activate your 2FA
Activate 2FA (two-factor authentication, also called double authentication) to access your email address.
Concretely, this provides additional security in the event that a malicious person has discovered the password of your email address.
2FA (two-step verification) adds a code to access your mailbox: at each login, you will have to enter a 6-digit code. This code is displayed by a mobile or desktop application and changes every 30 seconds. It is strongly recommended to activate 2FA for your mailbox as well as for all your accounts on the various crypto exchanges.
When you activate 2FA on your various crypto exchange accounts, prefer 2FA via a mobile application rather than by SMS (if the SMS option is available).
A secret key (a sequence of characters) will be given to you when your 2FA is activated. It is very important not to store this secret key on your computer (whether in a Word or Excel file or in an Evernote or Note type application). I recommend that you write this secret key down on a sheet of paper that you will put in a safe place, such as a safe.
To enter the secret key or scan the QR code shown when activating your 2FA, you need a smartphone or desktop application. The most used are Authy 2-Factor Authentication and Google Authenticator (both available on desktop and smartphone). Once the secret key has been registered in one of these 2 applications, a 6-digit code will appear in the application and change every 30 seconds.
Here is a tutorial to activate 2FA on a Gmail mailbox or on a ProtonMail mailbox.
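To show what the authenticator app actually does with that secret key, here is an added example (not code from the article, Authy or Google Authenticator) implementing the time-based one-time password scheme those apps use (RFC 6238 TOTP over RFC 4226 HOTP), including the server-side check with a small clock-drift window. The only key used is the published RFC test secret, which is not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # why the code changes every 30 seconds
DIGITS = 6          # why the code is 6 digits


def decode_secret(secret_b32: str) -> bytes:
    """Decode the Base32 secret key as shown by the service (spaces and lower case tolerated)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)      # restore the padding many services omit
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), now // step, digits)


def seconds_remaining(at: Optional[int] = None, step: int = STEP_SECONDS) -> int:
    """How long the code shown right now stays the current one."""
    now = int(time.time()) if at is None else at
    return step - (now % step)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Server-side check: accept the current step and +/- window steps for clock drift.

    Every candidate is compared in constant time and none short-circuits, so the
    response time does not reveal which step (if any) matched.
    """
    submitted = submitted.strip().replace(" ", "")
    now = int(time.time()) if at is None else at
    secret = decode_secret(secret_b32)
    counter = now // step
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


# RFC 6238 test secret (ASCII "12345678901234567890" in Base32); not a real account key.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code at T=59:", totp(RFC_TEST_SECRET, at=59))    # 287082 per RFC 6238
    print("current code:", totp(RFC_TEST_SECRET), "valid for", seconds_remaining(), "s")
```

Two things worth noticing. The code is a pure function of the secret key and the clock, so whoever holds the key can produce every future code; that is why the author tells you to keep the key on paper and not in a file. And the code is only ever checked against the key stored on the service’s side, so a 6-digit code typed into a look-alike login page is simply relayed by the attacker within its 30-second window, which is why the app-based code protects the password, not your judgement about where you type it.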
Bonus 1: Check that your email address has not been leaked
Dashlane offers a feature called “Dark Web Monitoring” (only available with the paid version, Dashlane Premium), which continuously scans the web and checks that your email addresses have not been compromised.
You can also type your email address in quotation marks into Google (e.g. “email@example.com”) and see whether your email address appears in leaked databases.
Bonus 2: Use a VPN
In order to keep your anonymity when you browse the internet and protect your sensitive data, it is advisable to use a VPN (Virtual Private Network). Several solutions are available to you: Dashlane now offers a VPN option; otherwise you can opt for either paid SaaS software like NordVPN or free open-source software like Tunnelblick.
We have come to the end of this little overview of a few standards of caution to apply in order to secure your email addresses and ensure that their compromise does not lead to the siphoning of your precious crypto!
I hope you have learned a few things. Be aware that 99% effective computer security comes down to following simple common-sense rules. See you soon on Bitcoin to continue safely exploring the virgin lands of the crypto universe!
Warning: the purpose of this article is to considerably reduce the risk of your mailbox being hacked. On the other hand, keep in mind that there is no such thing as zero risk in IT security.
Ex-Product Manager at Paymium and Blockchain.io, 2 cryptocurrency exchange platforms based in France. I wish to share the knowledge acquired during this experience with the crypto community, and also with a wider audience discovering Bitcoin and blockchain technology.