Crypto Key Management: Keeping Your Cryptocurrency Safe
Cryptocurrency key management can be complicated. Here’s what you need to know to keep your crypto keys secure.
Cryptocurrency provides users with complete control over their capital, allowing anybody to “be their own bank.” While Bitcoin and other cryptocurrencies provide unparalleled financial self-sovereignty, they also place the responsibility for security wholly in the hands of the owner. So excellent crypto key management is vital.
Cryptocurrencies almost all operate through the same fundamental management system — users maintain wallets, which store cryptocurrency. Wallets are accessed via dedicated applications or hardware and are protected by a complex “private key” password.
At a basic level, all wallets have a public key, which can be revealed publicly in order to receive transactions, and a private key, which is used to access the wallet and the cryptocurrency it holds. Anyone with access to the private key associated with a wallet is able to send or spend the cryptocurrency it contains.
It’s essential to take control over the private keys you use to access your wallets and store them in a highly secure manner. Managing multiple private keys, however, or storing private keys in a reliably secure way, can be a complicated process.
This article will break down the key practices that should be adopted in order to securely store cryptocurrency private keys.
The Importance of Crypto Key Management: What Can Go Wrong
The first and most important factor to consider when storing cryptocurrency is ensuring that you have access to your private keys. Most cryptocurrency exchanges provide users with access to an online exchange wallet that can receive and send cryptocurrency. While these wallets are simple and easy to use, they can’t be considered secure, as they do not provide users with access to private keys.
In simple terms: if you don’t own the private key, you don’t own the wallet — and therefore you don’t truly own the cryptocurrency it contains.
When you allow a third party to take control over the private key linked to a wallet, you don’t eliminate responsibility for the security of your crypto. Instead, you’re allowing a third party to secure your assets for you, and you therefore have no control over how threats and potential security risks are managed. Some of the threats presented by third-party wallet management include:
- Collusion against wallet users by custodians
- Internal attacks within a custodian organization that result in the loss of your cryptocurrency
- External attacks that target custodians and breach custodial systems, resulting in the loss of cryptocurrency.
1. Protect Yourself
Taking a proactive approach to online safety and cyber hygiene is a critical first step when establishing a secure cryptocurrency key management doctrine. It’s best to assume that all of the passwords you use to access online services will, at some point, be leaked.
Keeping all your online accounts secure significantly reduces the likelihood that they will be compromised. Use a service such as a secure password manager with two-factor authentication, and use a different complex password for each individual service.
2. Understand Your Wallet
When considering crypto key management, it is also important to understand the various advantages and disadvantages of the many different wallet types available to cryptocurrency holders. Using a wallet app on your smartphone is suitable for day-to-day crypto transactions at retailers that accept cryptocurrencies but isn’t the best option for long-term savings.
Conversely, a dedicated hardware wallet is the best solution for storing cryptocurrency savings or long-term investments but can become frustrating to deal with when trading on a regular basis. In order to remain secure, it’s best to move trading capital onto exchanges when trading, then move it immediately back to a secure hardware wallet when not in use.
Cryptocurrency wallet addresses are long and complicated — it’s essential to always triple-check when copying and pasting wallet addresses in your browser or on your computer or smartphone. Specific types of malware that target the copy/paste clipboard functionality of your device may swap out copied addresses in order to steal your crypto gains, so it’s important to keep your antivirus software up to date.
While cryptocurrency wallets can differ significantly, almost all cryptocurrency wallets can be recovered with a backup seed phrase. When creating a cryptocurrency wallet with a dedicated hardware device, for example, the device will provide the user with a 12-word seed phrase that can be used to recover access to the wallet in the event that the device itself is lost, broken, or stolen.
Seed phrases should be treated in the same manner as highly valuable legal documents or deeds and stored in a secure location. Products such as CryptoSteel allow cryptocurrency holders to back up their backup phrase with dedicated fireproof seed phrase storage devices, adding another layer of security to key management.
For crypto key management, ensure that any software wallet you install on your PC, laptop, or smartphone is legitimate. Fake cryptocurrency wallet apps, for example, have resulted in the loss of hundreds of thousands of dollars in cryptocurrency. When downloading and installing crypto wallet apps, always ensure that you install apps via links provided by the platform you’re using — if you’re using the Coinbase app, for example, always navigate to the Coinbase smartphone app installation page via the Coinbase website.
3. Remain Vigilant Against Phishing Scams
Private keys and seed phrases provide full access to any cryptocurrency in the wallets they open — so it’s critical for crypto key management that you never ever save them in plain text format on any computer that is ever connected to the internet or type them into any website.
Cryptocurrency security practices have evolved rapidly over the last decade, causing hackers and attackers to target the easiest remaining target — human operators. Phishing scams are extremely common in the cryptocurrency ecosystem and take two primary forms.
Email phishing scams are the most common attack vector in the cryptocurrency ecosystem, and typically target cryptocurrency users via email addresses leaked via data breaches. Data breaches occur frequently in the world of crypto. Ledger, one of the largest crypto hardware wallet manufacturers in the world, exposed the emails of almost 10,000 marketing mailing list customers in mid-2020, resulting in a wave of cryptocurrency phishing scam emails to the exposed addresses.
Crypto phishing scams use a variety of methods to trick crypto holders into exposing their private keys or cryptocurrency exchange platform passwords. Many email phishing attempts send out hundreds of millions of emails, using global botnets of exploited computers around the world to send spam attack emails.
If you receive an email regarding cryptocurrency or your crypto holdings, it’s essential to ensure that the email is from an authentic source. The Australian Signals Directorate provides detailed guidance on how to spot and avoid email phishing scams.
4. Pay Attention to Typo Squatters
Typo squatting is a common but little-known attack vector through which attackers present fake websites to crypto users in order to trick them into revealing their login information. A typo squatter will purchase a domain name that is a common misspelling of a large cryptocurrency trading platform, and then create a fake clone to present to users.
Typo squatting attacks are often paired with email phishing attacks, with emails directing crypto holders to fake versions of the exchange they may use. When using cryptocurrency trading platforms, it’s best to ensure you have navigated to the correct address each time you visit by checking the address bar carefully, or only using bookmarks to connect to the exchanges and platforms you use.
Typo squatters may also use search engine advertising to present their fake website before organic search results present legitimate sites. Google, for example, frequently allows phishing sites to run ads promoting cloned cryptocurrency exchange platforms. Always carefully check the address bar of a website before entering personal information to ensure the site is legitimate.
5. Be Wary of Malware
Be aware that your crypto key management may be compromised by malware. There are many different types of malware that actively target cryptocurrency wallet addresses, private keys, and seed phrases. Keyloggers delivered via exploits embedded in PDF documents are a common vector for malware — this technique is often paired with email phishing scams.
Browser extensions such as Metamask allow crypto users to interact with decentralized applications or use cryptocurrency online, but it’s important to carefully check wallet browser extensions to ensure they are legitimate. Many crypto browser extensions are outright scams that are able to steal passwords or private keys from unsuspecting users.
Secure cryptocurrency key management is a dynamic, constantly evolving process. If you’re concerned about the security of your private keys, it’s best to store cryptocurrency on a hardware wallet and use additional security features such as two-factor authentication when accessing cryptocurrency exchanges or crypto-related websites.
Losing access to your private keys not only results in the loss of cryptocurrency but can also complicate tax obligations. In some cases, crypto holders may be able to claim a capital loss in the event that their cryptocurrency is lost or stolen.
Managing your cryptocurrency holdings can create complex tax obligations that can rapidly become confusing. If you’re currently transacting or investing in cryptocurrency for personal or business purposes and are unsure of your tax obligations, reach out to Fullstack for comprehensive guidance today.
Stuart Reynolds is the founder of Fullstack Advisory, an award-winning accounting firm for businesses leading the future. He is a 3rd generation accountant who specialises in tech companies, crypto and entrepreneurs.