Incomplete Crypto-Related Security Advice


Regarding the Recent High-Profile Incidents


This is true not only of many platforms: many friends have also fallen into traps through operational mistakes, suffering severe property losses and, in some cases, ending up with nothing during a bull market, which is appalling. Today I will give you a few typical examples, and I hope you can learn from them and avoid these traps.

Low-security Level of the Trading Platform

Some time ago, the crypto assets of a friend on a trading platform were stolen, resulting in heavy losses. When I asked about the security settings, it turned out that only email verification was enabled; neither Google two-factor authentication (2FA) nor SMS verification had been added.

The email account's password may have been the same as the trading platform's, so that once the password leaked, the hacker could take the assets directly.

Unfortunately, many people ignore these verification details. It is therefore usually recommended that you set the security level to SMS + email + Google two-factor authentication (especially for transfers) and turn off all API functions.

It is easy for those just getting started to lose their private keys due to their lack of knowledge about crypto wallets. Therefore, it is recommended to put assets on a large trading platform. The platform is similar to the various online platforms we use every day.

However, a few more barriers (email and Google two-factor authentication) should still be set for security. At the same time, if possible, it is recommended to use different mobile phones for the SMS verification code and the Google authentication code, to prevent:

  • the mobile phone being hijacked, or
  • the SMS verification code and the Google authentication code being leaked simultaneously.

Although this makes the account more troublesome for you to use, it makes hacking it very costly.

Losing Private Keys and Mnemonics

[Protect Your Crypto Wallets With InfoSec: Introduction of The Three-Tier Wallet System and… (Leveraging Cybersecurity Concepts to Safeguard Your Crypto Asset, blog.blockmagnates.com)](https://blog.blockmagnates.com/protect-your-crypto-wallets-with-infosec-introduction-of-the-three-tier-wallet-system-and-7553b44a65f8)

On October 4th, 2020, the founder of Crypto Jobs List lost tens of millions of bitcoins because the mnemonic was stored in cloud notes. A private key or mnemonic must be kept off the Internet.

If you want to use your own wallet to hold your assets, the easiest way is to find an unused mobile phone, download the wallet, and copy down the wallet address and mnemonic phrase. After these steps, you can put this phone in airplane mode. Don't forget the password, and never let anyone learn the mnemonic. The assets will be lost if the mnemonic or private key is leaked.

To understand the advantage of this approach, consider the following cases:

  1. If your mobile phone is broken or you have forgotten the transfer password, the wallet can be recovered from the two stored mnemonics.
  2. If the two mnemonics are lost, the mobile phone and transfer password can still be used.
  3. If the phone is lost and the two mnemonics are gone as well, the assets are completely gone.

Some friends directly send the private key or mnemonic through instant messengers and other channels for convenience. However, if the security of their mobile phone is not good enough, it is easy to leak their private key.

Therefore, if they want to send it, they should send it in separate parts: only the middle section goes over the messenger, and the first and last characters are given to the other party by telephone, which is a more secure solution.

Another friend mistakenly sent the mnemonic directly to a chat group. Fortunately, an acquaintance saw it, transferred his assets in time, and informed him. Otherwise, the consequences would be severe.

Losses from incidents like these are very troublesome to recover. Moreover, because of the particular nature of digital assets, it is awkward for the relevant agencies to file a case, so it is better to take precautions.

Entering a Phishing Website

This year, many people are delighted with airdrops, but many bad actors use them to phish. They say that the airdrop requires you to enter a mnemonic or private key, and then all the assets disappear. The same applies when you use your wallet for DeFi, NFTs, etc.

Please remember that the private key or mnemonic phrase is everything. If you give it to others, you are giving them your money. Even to receive an airdrop, you do not need to hand over the mnemonic phrase or private key.

If it is a genuine airdrop, operating through an ordinary mobile wallet is recommended. The advantage is that many DeFi projects can be used through ordinary wallets (such as MetaMask, Coinbase Wallet, etc.): the possibility of phishing is lower, there is no need to enter the mnemonic or private key, and you only need to verify whether you are eligible.

If the commonly used wallets do not have this project, I think you should be cautious about whether the airdrop is worth investing in; when it requires you to enter the private key or mnemonic phrase, you must be very vigilant.

Can't Tell the Difference

There are also cases where the token turns out to be fake. For example, I once joined a Telegram group that said there was a token "brick-moving" project: you send ETH to the other party's wallet address, and you receive several times the value in tokens.

Brick-moving or whatever it was, the chat in the group consisted of:

  • how much XXX earned;
  • how much YYY earned;
  • "Hurry up and do it; it will be gone if you are too late."

However, when I asked, "Is your token official? How does it work?", I was kicked out of the group chat. This is a fake: you do indeed receive a token, but it is a phony token, not the one we think it is; it is a scam.

When you deposit it, you find that it does not arrive in your account for a long time. Then, when you contact customer service, they tell you that you have been cheated and the token is fake. So we have to keep our eyes open and check whether the token's contract address is the same as the one in the official announcement.

Because it is currently very easy to launch a project on Ethereum, and there are many scams, it is necessary to compare the contract address carefully. Other situations are similar. There are many hot IEO projects, and some people say that they have a quota that can be released in advance. It may be false.

Computer Was Hacked / Address Tampered

Another situation: many of us copy and paste the address when making a transfer, but if our notepad is hijacked and the address tampered with, the funds will be lost. A friend of mine lost more than 100 ETH for this reason. So, it is also a pity.

Therefore, we must repeatedly confirm that the address is correct when we transfer money. Even if you move money by scanning a code, check whether the target address is valid. If we inadvertently relax our vigilance and the target address has been tampered with, the money will go to someone else.
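The check described above, and the contract-address comparison from the previous section, can be done mechanically instead of by eye. This is an added example, not part of the original article: the function names and the sample addresses are constructed for illustration, and it goes slightly beyond the text by flagging an address that matches the trusted one only at its first or last characters, which is exactly the case a quick glance would miss.

```python
import re

# An Ethereum address is "0x" followed by 40 hexadecimal characters.
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def normalize(addr: str) -> str:
    """Trim whitespace and lower-case an address; reject malformed input.

    Letter case only carries an optional checksum, so comparing in lower
    case compares the underlying address.
    """
    candidate = addr.strip()
    if not ADDRESS_RE.fullmatch(candidate):
        raise ValueError(f"not a well-formed address: {addr!r}")
    return candidate.lower()


def check_destination(pasted: str, trusted: str, glance: int = 4) -> dict:
    """Compare a pasted address with one taken from a trusted source.

    verdict: "match", "lookalike" (same first or last `glance` characters
    but different elsewhere), or "mismatch". diff_at: differing positions.
    """
    p, t = normalize(pasted)[2:], normalize(trusted)[2:]
    diff_at = [i for i, (a, b) in enumerate(zip(p, t)) if a != b]
    if not diff_at:
        verdict = "match"
    elif p[:glance] == t[:glance] or p[-glance:] == t[-glance:]:
        verdict = "lookalike"
    else:
        verdict = "mismatch"
    return {"verdict": verdict, "diff_at": diff_at}


# Constructed sample values, not real wallet or contract addresses.
TRUSTED = "0x1111222233334444aaaabbbbccccdddd99990000"
SAMPLES = {
    "same address, different case": " 0x1111222233334444AAAABBBBCCCCDDDD99990000\n",
    "same ends, different middle": "0x1111aaaabbbbccccddddeeeeffff000011110000",
    "entirely different": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
}

if __name__ == "__main__":
    for label, pasted in SAMPLES.items():
        result = check_destination(pasted, TRUSTED)
        print(f"{label}: {result['verdict']}, {len(result['diff_at'])} characters differ")
```

The trusted value should come from a source that does not pass through the same copy-and-paste path, such as the official announcement or your own earlier records; anything other than "match" means the transfer should not be sent.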

Final Words

The five situations above are traps that are easy to fall into in day-to-day operation, and these are real examples. For the safety of your property, I hope everyone will stay vigilant and not be greedy for small gains, so as not to lose a lot because of small things.
