Cybersecurity Awareness Month is coming to a close, but good security hygiene is a smart investment all year round. As crypto becomes more mainstream, cybercriminals who target crypto holders are also getting more creative and persistent. That’s why Coinbase’s security team has put together a simple guide for protecting your crypto and all the other valuable data you store online. Here are the takeaways.
- Use a password manager. Humans are really bad at remembering passwords, which is why too many of us choose simple phrases and repeat them across multiple websites. Password managers (like 1Password and Dashlane) generate strong, secure passwords and store them for you — no memorization required. Use one. (Want to see if your passwords have been exposed by a known data breach? Check out haveibeenpwned.com.)
- Enable 2-factor authentication (2FA). 2FA can protect an account even if a hacker steals your password. There are several types of 2FA, ranging from less secure (SMS-based, where a verification code is sent via text message) to more secure (an app like Google Authenticator that generates verification codes) to most secure (a hardware security key like a YubiKey). We strongly recommend choosing a stronger method than SMS, because hackers can steal texts with a common method called “SIM-swapping” — in which your phone number is transferred to another device. If no other option is available, enable SMS 2FA — but if that’s not possible, consider using a different service.
- Protect your seed phrase. A seed phrase is a string of 12 to 24 words that is literally the key to a non-custodial crypto wallet like Coinbase Wallet or MetaMask. Anyone with access to your seed phrase has access to the crypto in that wallet. If you lose or delete your wallet, you can restore it with your seed phrase — but if you lose your seed phrase, you lose your crypto. (For many users, keeping crypto in the “hosted wallet” that comes with every Coinbase account is a more convenient option. You can add another layer of security without having to manage seed phrases by moving some crypto into a Coinbase Vault.)
- Don’t click that link! One of the most commonly used tactics by cybercriminals is SMS phishing. Phishing is a type of online attack in which a cybercriminal impersonates a legitimate entity or authority and attempts to deceive their target into clicking on a malicious link or attachment.
- Be wary of “airdrops.” If you’re a fan of NFTs or DeFi, you’ve probably encountered airdrops — in which a project rewards early adopters by sending tokens to their wallets. But in recent weeks, our security team has been tracking an ongoing phishing campaign involving airdrops. In the scam, randomly airdropped tokens appear in your wallet. If you try to interact with them, you’re prompted to connect your wallet to a website that looks like a DeFi app — but actually gives hackers permission to drain your holdings. To protect yourself, don’t interact with airdropped tokens from unknown sources, don’t connect your wallet to websites advertised by airdropped tokens, and don’t keep too much crypto in a wallet you regularly use to interact with crypto apps.
- Don’t make yourself a target. Don’t brag about your cryptocurrency holdings online, just like you wouldn’t advertise inheriting $50 million. Review your online presence and see how much personal information someone could learn about you and use to steal your identity. (The good folks at Consumer Reports put together this self-assessment.)
Security incidents aren’t unique to crypto, but when they happen, Coinbase works with industry partners to mitigate negative exposure. By following these few simple guidelines on protecting your crypto, you can also play an important role in protecting not only yourself but also the entire crypto community.