Protect Your Crypto Assets with a Quick OpSec Guide
Posted by Ambire on November 11th, 2021 (DeFi, Insights)
We recently came across Twitter user @jurad0x's neat guide on protecting crypto assets and found it to be an excellent read. While we are familiar with most of the tips in the thread and follow them strictly, we figured this advice would be very useful for people who are taking their first steps in crypto.
This is why we got Jurad’s permission to publish the guide here (see the original guide on Twitter).
Some of the tips may seem a bit weird or complicated if you are a crypto novice but the deeper you dip your toes, the more they will make sense.
Jurad’s personal OpSec guide
- Password manager of choice: Dashlane. Why? They are transparent and have a considerable security budget compared to their competitors like 1Password.
- Email provider: Gmail but with Google Advanced Protection enabled. And mobile phone 2FA should be turned off.
- Do not use SMS/call 2FA anywhere! Your only choices of 2FA should be an app like Authy or Google Authenticator, or hardware 2FA like a YubiKey. I use Authy + a bunch of YubiKeys.
- Do not buy hardware 2FA keys, Ledger devices or Trezors from eBay or Amazon. Instead, please do your best to buy them directly from the manufacturer's website. This lowers the chance of supply chain attacks. A note from the Ambire team: Do not buy used or already unpacked hardware wallets!
- If you cannot purchase a dedicated 2FA device due to financial reasons, or need a quick fix until it arrives, your Ledger device can double as a hardware 2FA key. More on this here. A note from the Ambire team: So can a Trezor; more info here.
- To know what services support hardware 2FA, you can use this handy site. Most crypto exchanges, including Binance, support hardware 2FA.
- There are some cons to using hardware 2FA. If you lose your keys, you're pretty much screwed and in most cases not even customer support will be able to help you. So add multiple keys, keep one with you and a few in a safe.
- Before purchasing a 2FA key, ensure you get an NFC 2FA key if you want to log in with your phone. Most phones, including new iPhones, support NFC 2FA.
- Remove the metal shroud on your Ledger to make it look like a cheap-ass USB stick. This helps with airport security, customs and/or the common thief trying to bust your kneecaps for you to unlock the Ledger.
- If you ever need a second phone number, for example for Telegram or to start a new Alt account on Twitter, https://hushed.com offers phone numbers from around the world with little to no KYC.
- Mobile phone of choice: I use an iPhone because I’m too far into the ecosystem, and security is alright if you keep your phone updated. Apple panic-sends security updates, so you should be relatively safe with an iPhone as long as you keep your iOS up to date.
- But if you are hell-bent on using Android, Google’s Pixel line is your only choice.
- Laptop/Default OS: My main laptop is a MacBook Pro. I use Parallels Desktop with "Isolated instances" to log into my crypto Discord/Twitter alt account. I also use a Parallels instance to log into my crypto work email, so in case I click on a PDF, the incident is isolated.
- I use the host environment on my MacBook to do transactions on my Ledger with MetaMask.
- I have a Chromebook which I use only for MetaMask with no Ledger. So I basically imported the private key directly into MetaMask.
- This is really convenient for a quick NFT mint or just going around farming: I keep a small amount of funds on the Chromebook and keep rotating the profits. You get what I mean.
- I have a Trezor, which I touch once a month, and it stores the majority of my wealth. I've stored it off-site with Shamir Backup. I consider this my personal bank; it does not interact with any contracts.
- I use https://privacy.com/ to generate Visa cards for Discord and other services where I have to pay subscription fees.
- And if you’re like me and have private banking, the bank is pretty much willing to suck your 🍆.. You can ask for a debit card with your alt name instead of your real name. Yes, this is a thing. I was pretty shocked.
- Pretend to be an idiot IRL. And don't show you know much about crypto besides "OMG, bitcoin is so expensive!".
- Avoid wearing crypto merchandise! Avoid attending crypto events unless you have to. Ego boost and flex are nice, but you will regret it 100x if you ever find yourself held at gunpoint.
- Someone in crypto wants to send you something, maybe merch? Don't have it sent to your IRL address; instead, use a proxy address or a P.O. box.
- Shop and Ship is a service by Aramex which gives you access to addresses around the world. Sign up as a company in Delaware or under a fake name to be fully anonymous there.
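Two of the tips above lean on the same idea: the hardware-2FA point (register several keys, keep spares in a safe) and the Trezor point (the seed is stored off-site with Shamir Backup). Both trade a single point of failure for a threshold: lose some of the copies and you can still recover; a thief who grabs fewer than the threshold gets nothing. The snippet below is an added example written for this post, not code from Jurad's thread, from Ambire or from Trezor, showing how threshold (Shamir) secret sharing achieves that. Trezor's Shamir Backup implements SLIP-39, which works byte-by-byte over GF(256) with checksums and a wordlist; this illustration instead uses one large prime field and raw integers, so its shares are not interchangeable with SLIP-39 shares. The prime, the 3-of-5 parameters and all function names are choices made for the demo.

```python
"""Threshold (Shamir) secret sharing: split a wallet seed into n shares so that
any k of them recover it, and any k-1 of them are consistent with every
possible secret, i.e. reveal nothing.

Added example for this post; not SLIP-39 and not Trezor's implementation.
"""
import secrets
from itertools import combinations
from typing import List, Tuple

Share = Tuple[int, int]  # (x, y): x is the share index (>= 1), y the share value

# Field modulus: the Mersenne prime 2^521 - 1. It is large enough that any
# 256-bit seed entropy is a valid field element. Demo choice, not a standard.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, n_shares: int) -> List[Share]:
    """Return n_shares points on a random polynomial of degree threshold-1
    whose constant term is the secret. Any `threshold` points recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= n_shares < PRIME:
        raise ValueError("need 1 <= threshold <= n_shares")
    # The non-constant coefficients must come from a CSPRNG: their uniform
    # randomness is what makes threshold-1 shares independent of the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def interpolate_at(points: List[Share], x: int) -> int:
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) passing through the given points (distinct x-coordinates)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse of den via Fermat: den^(p-2) = den^-1 (mod p)
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_secret(shares: List[Share]) -> int:
    """The secret is the constant term, i.e. the polynomial evaluated at x = 0."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    return interpolate_at(list(shares), 0)


def all_subsets_recover(shares: List[Share], threshold: int, secret: int) -> bool:
    """True if every threshold-sized subset of the shares recovers the secret
    (so losing any n - threshold shares is survivable)."""
    return all(recover_secret(list(sub)) == secret
               for sub in combinations(shares, threshold))


def forge_missing_share(partial: List[Share], candidate_secret: int, x: int) -> Share:
    """Given only threshold-1 shares and ANY guess for the secret, build the
    share at index x that would make that guess correct. Because this works
    for every candidate, threshold-1 shares carry no information about which
    secret is the real one."""
    return (x, interpolate_at([(0, candidate_secret)] + list(partial), x))


if __name__ == "__main__":
    # Constructed sample seed: 32 bytes, stands in for BIP-39 entropy.
    seed = int.from_bytes(bytes(range(32)), "big")
    shares = split_secret(seed, threshold=3, n_shares=5)
    print("3 of 5 recover:", recover_secret(shares[:3]) == seed)
    print("every 3-subset recovers:", all_subsets_recover(shares, 3, seed))
    # With only 2 shares, a thief can "explain" any secret they like:
    fake = forge_missing_share(shares[:2], 42, x=3)
    print("2 shares + forged third give secret 42:",
          recover_secret(shares[:2] + [fake]) == 42)
```

The practical reading for the tips above: with a 3-of-5 split, keep the five shares in five places (home safe, bank deposit box, a trusted person), so that a burglary or a fire at one location costs you nothing, while anyone who finds two of them learns exactly as much as someone who found none.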