Crypto Security Best Practices Checklist
This series of articles will help you operationalize all the ideas and suggestions from the 7-part crypto security series. Occasionally some new ideas are also incorporated and scored.
N.B.: This can never be considered a complete list, since new threats and information emerge all the time. It should be seen as an active and continuous process, where cost of implementing additional security is weighed against the size of possible losses caused due to insufficient operational security.
N.B.: The scores, especially the negative ones, should be seen as a disincentive against particularly risky methods and operating procedures. Print this sheet out, revisit the places where you have marked negative scores, and make the necessary changes gradually to reduce your risk.
The checklist below can be viewed and saved via a Google Sheet linked here: Crypto Security Best Practices Checklist v0.1 - By MetaversityOne
N.B.: It is recommended in the strongest terms possible that you copy this sheet to your own drive, print it and perform this analysis offline using pen and paper. By filling this out on a digital copy you are exposing all your digital vulnerabilities to those who might manage to see it.
Stage 1 - Repeat the following steps for each Email Account:
- Password not reused: Yes +1 No -1
- Password is 12+ characters in length: Yes +1 No -1
- Password uses lower case, upper case, numbers and symbols: Yes +1 No -1
- Password not stored in clear text on any device: Yes +1 No -5
- 2-Factor Authentication enabled: Yes +3 No -5
- Authenticator/Authy/Security Key 2-FA used, not phone SMS 2-FA: Yes +3 No -5
- Using Security Key over Authenticator/Authy: Yes +1 No -1
- If using Security Key - using Yubikey over Google Titan, etc: Yes +1 No -1
- If using Authenticator - ensuring you have some offline backup: Yes +1 No -1
- If using Twilio Authy - ensuring you have some offline backup: Yes +1 No -1
- If using Twilio Authy - ensuring your multi-device is switched off: Yes +1 No -5
- Not using the same email address for more than 1-3 crypto services (e.g. exchanges, marketplaces, product websites, etc.): Yes +1 No -5
Stage 2 - Repeat the following steps for each Social Media Account - Discord, Twitter, etc:
- Password not reused: Yes +1 No -1
- Password is 12+ characters in length: Yes +1 No -1
- Password uses lower case, upper case, numbers and symbols: Yes +1 No -1
- Password not stored in clear text on any device: Yes +1 No -5
- 2-Factor Authentication enabled: Yes +3 No -5
- Authenticator/Authy/Security Key 2-FA used, not phone SMS 2-FA: Yes +3 No -5
- Using Security Key over Authenticator/Authy: Yes +1 No -1
- If using Security Key - using Yubikey over Google Titan, etc: Yes +1 No -1
- If using Authenticator - ensuring you have some offline backup: Yes +1 No -1
- If using Twilio Authy - ensuring you have some offline backup: Yes +1 No -1
- If using Twilio Authy - ensuring your multi-device is switched off: Yes +1 No -5
Stage 3 - Repeat the following steps for each Cryptocurrency Exchange/Platforms/Funds - Binance, FTX, KuCoin, etc:
Part A: Fund Security via distributed Portfolio Holdings
- Less than 10% of your portfolio held by any one exchange/fund: Yes +5 No -5
- Less than 10% of your portfolio held by smaller exchanges combined (ranked below the top 5 on this list: https://coinmarketcap.com/rankings/exchanges/): Yes +5 No -25
- Once you are experienced in self-custody# (refer to Crypto Security Series Parts 1 to 7: https://cryptosecurity.hashnode.dev/series/crypto-security), gradually move funds out, especially from risky exchanges and funds, and self-custody them: Yes +25 No -5
- Not lending your crypto to centralized yield platforms, e.g. Celsius: Yes +5 No -25
# Note: For some users with non-technical backgrounds, it may be advisable to take time to learn the ropes of self-custody and hardware wallets deeply before taking the leap.
Part B: Account Security
- Password not reused: Yes +1 No -1
- Password is 12+ characters in length: Yes +1 No -1
- Password uses lower case, upper case, numbers and symbols: Yes +1 No -1
- Password not stored in clear text on any device: Yes +1 No -5
- 2-Factor Authentication enabled: Yes +3 No -5
- Authenticator/Authy/Security Key 2-FA used, not phone SMS 2-FA: Yes +3 No -5
- Using Security Key over Authenticator/Authy: Yes +1 No -1
- If using Security Key - using Yubikey over Google Titan, etc: Yes +1 No -1
- If using Authenticator - ensuring you have some offline backup: Yes +1 No -1
- If using Twilio Authy - ensuring you have some offline backup: Yes +1 No -1
- If using Twilio Authy - ensuring your multi-device is switched off: Yes +1 No -5
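The authenticator backup items in Stage 1, Stage 2 and Part B above all come down to one fact: a Google Authenticator or Authy code is an RFC 6238 TOTP value computed from a shared secret that was enrolled through the otpauth:// URI in the QR code. The secret is the backup; the six-digit codes are worthless a minute later. The following is an added example, not code from the original article or from any authenticator vendor, that parses such a URI, prints the fields worth writing down offline, regenerates the codes, and verifies one the way a service would. It uses only the Python standard library; the example URI is constructed around the RFC 6238 test secret ("12345678901234567890" in base32) rather than any real account.

```python
"""Added example: what an authenticator 'offline backup' actually contains."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions an otpauth:// URI may name; SHA1 is what Google Authenticator
# and Authy use unless the service says otherwise.
_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed example URI (assumed label/issuer) carrying the RFC 6238 test secret.
EXAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri: str) -> dict:
    """Pull the enrolment parameters out of an otpauth://totp/ URI (the QR code).

    The 'secret' value is the only thing that must be backed up; the other
    fields are public or can be re-derived.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def totp(secret_b32: str, for_time: Optional[float] = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, dynamically truncated."""
    # Secrets are printed in base32, often with spaces and without '=' padding.
    cleaned = secret_b32.replace(" ", "").upper().rstrip("=")
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // period))
    mac = hmac.new(key, counter, _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, for_time: Optional[float] = None,
                window: int = 1, **params) -> bool:
    """Service-side check: accept the current step plus `window` steps of clock drift.

    Each candidate is compared with hmac.compare_digest so the comparison itself
    does not leak how many leading digits matched.
    """
    now = time.time() if for_time is None else for_time
    period = params.get("period", 30)
    return any(
        hmac.compare_digest(totp(secret_b32, now + drift * period, **params), code)
        for drift in range(-window, window + 1)
    )


def paper_backup_line(uri: str) -> str:
    """What to write on paper: enough to re-enrol the account on a new device."""
    e = parse_otpauth(uri)
    return (f"{e['issuer'] or '-'} | {e['label']} | {e['secret']} | "
            f"{e['algorithm']}/{e['digits']} digits/{e['period']}s")


if __name__ == "__main__":
    entry = parse_otpauth(EXAMPLE_URI)
    print(paper_backup_line(EXAMPLE_URI))
    print("current code:", totp(entry["secret"], period=entry["period"], digits=entry["digits"]))
    # RFC 6238 Appendix B vector: T=59 with an 8-digit SHA1 code is 94287082.
    print("RFC vector T=59:", totp(entry["secret"], for_time=59, digits=8))
```

Two practical consequences follow from the code. First, the paper backup line is all an attacker needs to mint valid codes, so it belongs in the same physical place as a seed phrase, not in a notes app or cloud photo. Second, most services let you regenerate the QR code later only by resetting 2FA, so capture the secret at enrolment time, before scanning it into the app.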
Part C: Advanced Account Security
- Withdrawal password has been setup*: Yes +3 No -3
- New withdrawal addresses have a 5+ day whitelisting delay*: Yes +5 No -5
- Email address is used on only 1-3 other accounts (helps to reduce phishing risk, in case customer data gets compromised by exchange/platform): Yes +5 No -5
- Anti-phishing code for exchange emails has been setup: Yes +3 No -3 Note: Not all exchanges/platforms have these features
Stage 4 - Repeat the following steps for each PC/Laptop or mobile phone you own (Refer Crypto Security Series Part 4 and 5):
- Jailbroken/warez/cracked software has never been installed on your device: Yes +5 No -25
- No unnecessary browser add-ons present in any of your browsers, and you are aware of what data-access permissions you have given to the add-ons you do use: Yes +10 No -25
- Your browsers are up to date and automatic updates are on: Yes +3 No -25
- You use paid antivirus software such as McAfee, Avast, etc: Yes +10 No -25
- Your antivirus is scheduled to run deep scans at least once a week, and quick scans at least once a week: Yes +10 No -25
- Your antivirus has automatic updates turned on: Yes +3 No -25
- You use Malwarebytes along with its Browser Guard: Yes +25 No -25
- You use paid and branded VPN: Yes +10 No -25
- You use some form of trusted ad-blocking software, e.g. Adblock Plus (there is a trade-off here, since ABP will access your browser data as well, but you may be protected against phishing ads): Yes +5 No -5
- You have a PC/Laptop dedicated to only buying/trading crypto, with no other social media, which you keep offline most times: Yes +25 No -25
- You have removed Telegram from most devices, and turned off auto media download in Telegram on the device where you do need to use it: Yes +25 No -25
- If you do need to browse risky websites, you have a separate device with nothing critical (email, socials, wallets) to do so: Yes +25 No -25
Stage 5 - Repeat the following steps for each Crypto Wallet you own:
- Genuine software wallets downloaded after thorough research: Yes +3 No -25
- Wallets downloaded after hardening + sanitizing your device, with no jailbroken software on it (Refer Crypto Security Series Part 4 and 5): Yes +3 No -25
- Seed phrases are not digitized: Yes +3 No -25
- Less than 1% of your assets are on software wallets (combined): Yes +3 No -25
- Purchased Hardware wallets from official company website: Yes +3 No -25
- Hid personal information (name, email address, home address, phone number, bank information) as much as possible while ordering hardware wallets: Yes +3 No -25
- Researched basic differences in Hardware wallet brands, trade offs, risks involved and made an informed choice: Yes +10 No -25
- Genuine hardware wallet software downloaded (Ledger Live or Trezor Suite): Yes +10 No -25
- Vetted the received hardware wallet for genuineness using Ledger Live or Trezor Suite (this step relies a lot on the above step): Yes +10 No -25
- Setup hardware wallet correctly and stored seed phrase offline: Yes +10 No -25
- Used Cryptosteel or other similar products to secure your seed phrase: Yes +10 No -25
- Transferred your tokens/NFTs off software wallets to Hardware wallet via the blockchain, instead of importing the seed phrase from a software wallet: Yes +10 No -25
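"Genuine software wallets downloaded" and "genuine hardware wallet software downloaded" are the two items in this stage you can actually check mechanically: vendors publish a SHA-256 checksum for each release, and the installer on your disk either matches it or it does not. The following is an added example, not code from the original article or from Ledger, Trezor or any wallet vendor, that streams a downloaded file through SHA-256, parses a sha256sum-style checksum file, and compares the two with a constant-time comparison. The file name "wallet-setup.bin" and the checksum file are constructed for the example (the file content is the ASCII string "abc", whose SHA-256 is well known), not a real release.

```python
"""Added example: verifying a downloaded wallet installer against the vendor's checksum."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One sha256sum output line: '<64 hex digits>  <name>' or '<64 hex digits> *<name>'.
_SUMS_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")

# Constructed checksum file for the demo; a real one comes from the vendor's
# release page and should itself be signed (see the note below the code).
DEMO_SUMS = """\
# SHA256SUMS (constructed for this example, not a real vendor file)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  wallet-setup.bin
"""


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256; installers are large, do not read them whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum output into {filename: lowercase hex digest}.

    A '*' before the name means the tool hashed in binary mode; it is not part
    of the filename. Malformed lines raise rather than being skipped, so a
    truncated or corrupted checksum file cannot silently drop an entry.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {raw!r}")
        expected[m.group("name")] = m.group("digest").lower()
    return expected


def verify_download(path: Path, sums_text: str) -> bool:
    """True only if the file is listed and its digest matches byte for byte."""
    expected = parse_sha256sums(sums_text)
    if path.name not in expected:
        raise KeyError(f"{path.name} is not listed in the checksum file")
    # compare_digest avoids a timing side channel on the hex comparison.
    return hmac.compare_digest(sha256_file(path), expected[path.name])


def run_demo() -> dict:
    """Write a genuine copy and a tampered copy of the demo file and verify both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "wallet-setup.bin"
        installer.write_bytes(b"abc")          # genuine content for the demo
        results["genuine"] = verify_download(installer, DEMO_SUMS)
        installer.write_bytes(b"abc\x00")      # a trojaned copy: one extra byte
        results["tampered"] = verify_download(installer, DEMO_SUMS)
    return results


if __name__ == "__main__":
    print(run_demo())  # {'genuine': True, 'tampered': False}
```

A checksum fetched from the same page as the download only proves the file was not altered in transit or on a mirror; if the download page itself is compromised, the attacker publishes a matching checksum for the trojaned file. For that case, verify the vendor's PGP signature over the checksum file (for example with `gpg --verify`) and obtain the signing key's fingerprint from a second channel, such as the vendor's documentation or a previously verified release, not from the page you are checking.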
References:
- MetaversityOne (2022). Security in Crypto, Hardware Wallets and Pseudonymity. [online] Crypto Security Blog. Available at: https://cryptosecurity.hashnode.dev/series/crypto-security [Accessed 23 Jul. 2022].