MyCrypto’s Security Guide For Dummies And Smart People Too
By Millena Miller
An in-depth guide on how to be safe in the crypto world and the online world in general.
The following is a modified mash-up of some of our internal policies, procedures, action items, and security-related stuff that we thought would be helpful or applicable to the larger community. This is just a sliver of MyCrypto’s security policies and has been modified to not create a security incident in itself. We hope you find it helpful, no matter who you are.
I understand that this is ruthless and terrifying.
- We must take security seriously.
- I will hold others accountable when I think we can do better.
- I am aware that my employment is threatened, my personal security is threatened, and the company’s security and viability is threatened if I violate this policy.
- I will not be lazy. I will not skim this or skip items. I will take the time to properly secure myself and ensure the company stays secure today and tomorrow.
I will walk through this industry’s graveyard.
- I am aware that cryptocurrency companies are a global anomaly to the security industry.
- I am aware that these companies are hacked into deletion at a far greater rate than any industry.
- I understand that a compromise or hack can result in the loss of our business, our funds, or our users’ funds.
- I will look through the Blockchain Graveyard and appreciate the scale of this problem.
- I will have a basic understanding of what caused these incidents and work to avoid their mistakes.
I will buy stuff (on the company’s dime!)
Yubikey
- For 2FA on Google, Github, Facebook, Twitter, more: https://www.yubico.com/products/yubikey-hardware/
USB Drives
- For backing up keys and other information so it is NOT on your computer
- If you are good at not losing / breaking things.
- If you are bad at not losing / breaking things.
No-Wifi Printer (if you don’t have one)
- Will be used for printing backups of wallets, really important keys, Google Authenticator backup codes, etc.
- Cable
- Paper
Ledger Nano S or TREZOR (if you don’t have one).
- Should use the MyCrypto Affiliate link! (below, or in the footer on mycrypto.com)
- https://www.ledgerwallet.com/r/1985?path=/products/
- https://shop.trezor.io/?a=mycrypto.com
I will panic correctly.
- I acknowledge that I might someday probably cause a security incident, and that forgiveness is applied towards those that escalate a problem correctly and immediately.
- When this happens, I’ll direct a calm and composed version of my panic towards our security committee in the internal channel.
- This is a confidential channel that includes our employees
- This channel is blameless. Judgement or dismissal of items posted here will not be tolerated.
- I will not be scared to create an incident.
- I will not judge people for creating an incident.
- I will turn on all notifications for this channel and move all non-incident related discussions elsewhere
I will post in our internal security channel if…
- One of my accounts or passwords is compromised.
- I think one of my accounts or password may be compromised.
- My phone number is hijacked.
- My phone carrier is calling me about making changes to my account.
- I lose my phone or computer.
- I am getting password reset emails that I did not initiate.
- Something weird is happening on the website or another site controlled by MyCrypto that indicates something is compromised.
- Something weird is happening on another website in this space. (Look out for each other!)
- Someone is acting out of character or messaging odd things (e.g. Hudson asking Harry to send him some ETH via Twitter DM.)
- My funds are stolen.
- I think something bad is happening, even if I haven’t confirmed that something bad is indeed happening.
I will call the security team / management / anyone and everyone if I don’t receive an immediate response in the internal security channel.
- Any international charges will be paid by the company. Don’t be scared to call.
- No one will judge you or blame you if you call late at night.
- No one will judge you or blame you if you call multiple times.
- No one will judge you or blame you if you call due to something you think may be a security incident but it’s not a security incident.
- It is always better to call than to not call.
Audit your processes, software, extensions
If you have a clipboard manager, get rid of it
- And never, ever install one again.
- Rationale: recording and saving everything you copy and paste, intentional or unintentional, is stupid.
- See https://coinjournal.net/pc-malware-steals-funds-modifying-ethereum-addresses/
If you have an auto-upload screenshot app (e.g. Cloud App), get rid of it
- And never, ever install one again.
- Rationale: uploading every screenshot you take, intentional or unintentional, to the web is stupid and puts your security in the hands of a random, insecure screenshot app.
If you have a remote viewer (e.g. TeamViewer), get rid of it
- And never, ever install one again.
- Rationale: putting in a door to your entire, unlocked computer is stupid and puts everything you store, access, decrypt, encrypt, or otherwise have or sometimes have at risk.
Install a password manager (e.g. 1Password, LastPass)
- Do NOT use your browser’s built in password manager to manage passwords, credit card details, or other information
- Set it up properly on all devices.
- Protect your password manager itself with 2FA via Yubikey or Google Authenticator.
- Do NOT store MFA codes or seeds in your password manager. (If the vault is compromised, an attacker who also holds the second factor has defeated 2FA entirely; keep the two separate.)
- Do NOT store crypto private keys in your password manager.
- Do NOT store super high security things in your password manager. (e.g. SSH keys, hosting/registrar accounts, etc.)
Audit your Chrome Extensions
- Remove extensions you don’t use, don’t need, don’t trust
- Frequently disable ones you don’t actively use on a daily basis.
- Don’t install new ones willy-nilly
- Turn off automatic updates. (An extension you trust today can be sold or have its developer account compromised, and the malicious version arrives as an ordinary update. If updates are off, review each one before you install it, and don’t let the ones you rely on fall behind.)
- Use incognito mode more often than not (especially when accessing super-secure things like hosting/registrar/banking/crypto). Extensions are disabled in incognito by default, so an extension cannot read what you type there.
- Don’t ever enter secrets into websites using a browser you use for daily use / that has extensions
Audit your Software
- If you have an old computer that you’ve used for a while, do a brand-new install, or talk to management about getting a new computer
- Audit the software that starts on launch. Disable applications that start on launch that you don’t absolutely need.
- Remove unnecessary software completely.
Be especially mindful about installing little “helper” tools and avoid them like the plague. These include apps like…
- Clipboard managers.
- Auto-upload screenshot apps.
- Apps that control system-level things.
- Remote desktop apps like Teamviewer.
- Applets that show you the cryptocurrency price in your toolbar.
- Fun little shit to modify your desktop / icons.
- Stuff from untrusted developers.
Do not install software gratuitously.
- Only install what you need and keep it up to date with patches.
- Don’t torrent, and don’t download an application from a non-legit site.
- Don’t install any application via a link in an email or from deep in Google search results; use the App Store or the product’s official website instead.
Audit your Cloud Storage Software (Dropbox, iCloud, OneDrive)
What is uploading automatically?
- Disable features like “auto upload all screenshots”
- Disable automatic snapshots/backups of your entire system. Opt for an offline external hard drive instead.
- Disable syncing of high-level system folders that you may inadvertently place secret information in at some point without realizing it.
- Be mindful where you EVER put secret information when using your computer if folders are sync’d.
- Don’t sync your downloads or desktop or home directory; it’s too easy to accidentally have secret stuff sync’d there.
What is already saved there?
- Remove anything sensitive. Realize that things that have been uploaded once are there for life, even if you “delete” it.
- If you discover a password or private key in your Dropbox, start by deleting it.
- Then, immediately change the password or move your funds.
- If it could even slightly possibly create a security incident for yourself or the company, panic correctly and post in the internal security channel
Make sure it is secure.
- Change the password now.
- Enable 2FA now.
- If 2FA is already enabled, disable it and re-enable it freshly. (This issues a new authenticator seed, which invalidates any copy of the old one that may have leaked.)
- If you can use a hardware wallet / U2F / Yubikey on the service, set that up.
- Remove your phone number from a 2FA option.
- Generate new backup codes and remove the old ones. Ensure the new backup codes are hand-written or printed via your no-wifi printer and securely removed from your device afterwards.
- Ensure nothing sensitive is ever saved there again.
- Audit yourself and what is stored there frequently.
Audit your Chrome Settings
Visit chrome://settings/content and ensure the following settings:
- [x] Unsandboxed plugin access: Ask when a site wants to use a plugin to access your computer.
- [x] Location: Ask before accessing
- [x] Camera: Ask before accessing
- [x] Microphone: Ask before accessing
- [x] Flash: Block sites from running Flash
- [x] Popups: Blocked
- Clear your cache, settings, history, etc.
- Be mindful when you give a website or extension permission to access things like your camera, location, plugins, etc. in the future.
Encrypt Your Shit
Encrypt your Computer / Laptop
- Click Apple menu, System Preferences, then select Security & Privacy.
- Select the FileVault tab.
- Click the Lock button; it will ask for an administrator name and password.
- Click Turn On FileVault. (This will take a while, so don’t do this when you’re in a hurry.)
- When asked how you want to be able to unlock your disk, choose to create a recovery key rather than using your iCloud account, so the key never leaves your hands. Treat that recovery key like a private key protecting millions of dollars. Do not copy it. Do not save it. Write it down on a piece of paper and keep it somewhere safe.
Encrypt your USB Drives
- Go to Finder
- Select the USB drive under Devices
- Right-click
- Select: Encrypt, then set a strong password (treat it like the FileVault recovery key above: written down, not saved on the computer)
- If the Encrypt option is missing, the drive is not using a GUID partition map; back it up, reformat it in Disk Utility with a GUID partition map, and try again. A drive encrypted this way only mounts on a Mac.
Change your passwords to new, unique, strong passwords
- This is what a good password looks like: 3o*awM#A^9x&r61v.
- Use your password manager generate function with upper, lower, symbols.
- Do not use the password above. It is an example.
- Change all your passwords, even those for stupid random forums, Skype, Twitter, Instagram (see below for big list).
- Never reuse passwords.
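As an added example (not part of MyCrypto’s guide), this is what a password manager’s generate function does under the hood, in Python: every character is drawn from a cryptographically secure source (the `secrets` module, never `random`), all four character classes are required, and the entropy is estimated so you can see why 16 characters is already ~104 bits. The symbol set is an assumption for this example; managers differ.

```python
import math
import secrets
import string

# Character classes. The symbol set is an assumption for this example;
# real password managers let you choose which symbols to allow.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/~"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS


def classes_present(password):
    """Count how many of the four character classes appear in the password."""
    return sum(any(ch in cls for ch in password) for cls in (UPPER, LOWER, DIGITS, SYMBOLS))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length=20):
    """Uniformly random password drawn with the OS CSPRNG via the secrets module.

    Rejection sampling keeps the result uniform over all passwords that contain
    every class: rather than forcing one character per class into fixed
    positions (which leaks structure), draw the whole password and retry.
    """
    if length < 12:
        raise ValueError("use at least 12 characters; 16-20 is a sensible default")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if classes_present(candidate) == 4:
            return candidate


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"({entropy_bits(len(pw)):.0f} bits from a {len(ALPHABET)}-symbol alphabet)")
```

Run it a few times and note that no two outputs share structure; that, plus the entropy figure, is the whole argument for never composing passwords by hand.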
2FA all the things!
If you are using Authy, stop using Authy
If you must use Authy:
- Make sure “multi-device” is OFF under settings.
- Change it to a new Google Voice number that no one knows.
- Ensure that this Google Voice number is in a Google Account that no one knows.
- Ensure that this Google account is 2FA’d with your Yubikey.
- Ensure that this new Google account doesn’t have your phone number linked to it for 2FA.
- Do not give this number to anyone, ever.
- Do not give this email to anyone, ever.
Enable 2FA on all the things via Google Authenticator
- How to Set Up Google Authenticator
- How to restore access to your accounts if you lose/destroy your device w/ Google Authenticator (2FA): https://support.mycrypto.com/best-of/restoring-access-to-your-accounts-if-lose-device-with-2fa.html
Remove your phone number and email as a backup option
- Print backup codes via no-wifi printer or hand-write them.
- You will not recover via SMS.
- You will not use Authy.
- For any services that do not allow you to remove your phone number, change it to a new Google Voice number that no one knows.
- Ensure that this Google Voice number is in a Google Account that no one knows.
- Ensure that this Google account is 2FA’d with your Yubikey.
- Ensure that this new Google account doesn’t have your phone number linked to it for 2FA.
- Do not give this number to anyone, ever.
- Do not give this email to anyone, ever.
- Check on all your services (Dropbox, Apple, Skype, Amazon, Facebook) and make sure you cannot log in, recover access, reset your password, 2FA, or bypass 2FA with your phone number.
- Seriously, a stupid amount of services now allow you to login with your phone number. Do not do this.
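To make clear what the Google Authenticator app above actually holds, here is an added example (not from MyCrypto) implementing the algorithm the app uses, TOTP (RFC 6238) on top of HOTP (RFC 4226), with nothing but Python’s standard library. The point for this guide: the base32 seed you scanned from the QR code is the only secret, so any copy of it (Authy’s multi-device sync, a screenshot, a password manager entry) is a fully working second factor; backup codes, by contrast, are independent random values, which is why they can be printed without exposing the seed. The seed in the usage block is the published RFC 6238 test vector (ASCII `12345678901234567890`); `new_backup_codes` is my own helper, not an app’s API.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Google Authenticator uses step=30 and digits=6; this is the whole app.
    """
    t = int(time.time()) if at is None else int(at)
    return hotp(seed, t // step, digits)


def verify_totp(seed, code, at=None, step=30, window=1):
    """Server-side check: accept the current step and `window` neighbours to absorb clock drift.

    hmac.compare_digest avoids a timing side channel. A real server must also
    remember the last accepted counter so a sniffed code cannot be replayed.
    """
    t = int(time.time()) if at is None else int(at)
    return any(
        hmac.compare_digest(hotp(seed, t // step + k, len(str(code))), str(code))
        for k in range(-window, window + 1)
    )


def seed_from_base32(b32):
    """Decode the seed as it appears in an otpauth:// URI (secret=...), tolerating missing padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def new_backup_codes(n=10, digits=8):
    """Backup codes are independent random one-time values, NOT derived from the seed.

    Holding them does not reveal the seed, but each one is a full bypass of the
    second factor until used, hence the no-wifi printer and the paper.
    """
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(n)]


if __name__ == "__main__":
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test seed
    print("code right now:", totp(seed))
    print("backup codes:", new_backup_codes())
```

Because `verify_totp` accepts a small window of neighbouring steps, a code stays valid for roughly a minute and a half; that is the window a phishing page has to relay it, which is why the guide prefers a Yubikey (U2F, origin-bound) wherever a service supports one.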
Update passwords & turn on 2FA for every service. Things like…
- Amazon (shopping) — Remove old credit cards, addresses, etc. while you are there.
- Apple
- Asana
- Atlassian
- AWS
- Bitbucket
- Box
- Calendar Apps
- Coinbase, Gemini, Bittrex, Kraken, Polo, all exchanges.
- Dropbox
- Evernote
- Github
- All your Googles
- Even your old Googles
- And your Yahoos or Hotmails or whatever
- AOL, too?
- Heroku
- Email services
- Support services (Zendesk, Groove)
- HR services (Gusto, Zenefits)
- Banking services (Chase, Bank of America, Amex)
- Investment services (401k, Vanguard, Charles Schwab)
- Hosts / Registrars (GoDaddy, Bluehost, Cloudflare, whatever)
- LastPass / 1Password
- Skype (Install Microsoft’s Authenticator, see below)
- Slack
- Stack Exchange
- Telegram
- Keybase
- Every messaging app ever
- TransferWise
- Paypal
- Venmo
- Random forums
- Shit forums
- That old reddit account
- Gaming accounts
- Websites or applications that you haven’t re-logged into in ages because you’re already logged in.
- Places you buy stuff. (Best Buy, Wayfair, etc.)
- Places you order food from (Uber, Uber Eats, Grubhub) — remove addresses, cc’s while you are in there.
Audit your Google, Github, Facebook, Skype, Twitter
For all of the above, check for authorized apps, logged in devices, and others.
Authorized apps:
- “Apps” where you use a different service like Google or Twitter to sign into that service, or is otherwise linked (e.g. Fantastical Calendar app manages your Google Calendar).
- Remove all apps that you don’t recognize, haven’t used in a while, or are unsure about. It’s easy to re-auth later when you need it, so go to town!
- Whenever using this sign in / auth feature in the future, be very careful about what permissions you accept and who you give access to things.
- A throwaway email address is usually a better choice than “Sign in with Twitter”.
- Document somewhere what things sign in with what accounts. This will be needed if an account is ever compromised as it sheds light on what else an attacker may have access to.
- Twitter: https://twitter.com/settings/applications
- Facebook: https://www.facebook.com/settings?tab=security
- See below for more
Log out of all devices:
- Yes it’s annoying.
- Yes, you will have to re-log in on your current phone.
- Don’t be lazy.
Review forwarding and filters that are pushing data externally.
Remove any “Application Specific Passwords” that will bypass auth.
- This feature is especially damaging in an account takeover scenario, because app specific passwords rarely, if ever, are destroyed in a password reset. This leaves simple access behind for an attacker pretty easily if they’ve created one.
Skype / Microsoft: Turn on 2FA
- Link your Microsoft + Skype accounts.
- Turn on 2FA
- Install their stupid Microsoft Authenticator app (available for Windows Phone, Android, and iOS).
- Click here https://account.live.com/SignInPreferences?amru=names%2FManage or go to security -> sign in preferences and UNCHECK the username-only option.
- Read, review, action on any items you haven’t already completed here: https://support.microsoft.com/en-us/help/12410/microsoft-account-help-protect-account
Google: Remove your phone number & email as a backup option
For all your Google Accounts!
- Go to https://myaccount.google.com/security
- Scroll down
- Change your password.
- Click “2 Step Verification”
- Set up: Security key (Yubikey), Authenticator app, Backup codes.
- Remove and/or do NOT set up: recovery phone or email, google prompt, voice or text message
- Print or write the backup codes. Do NOT store in password manager. Do NOT store on computer.
- Do not turn on recovery email. If there is a recovery email there, remove it.
- Do not turn on recovery phone. If there is a recovery phone there, remove it.
- Do not turn on “Google Prompt”
- Do not turn on “Voice or Text Message”
- At the very bottom, click “Revoke all” for “Devices you trust”
- Return to https://myaccount.google.com/security
- Under “Recently used devices” remove anything that isn’t your primary phone and computer.
- Return to https://myaccount.google.com/security
- Review “Apps with access to your account”. Remove anything you aren’t actively using.
Github: Audit your auth’d apps, turn on 2FA
- https://github.com/settings/applications
- Installed GitHub Apps => Remove anything you aren’t actively using.
- Authorized GitHub Apps => Remove anything you aren’t actively using.
- Authorized OAuth Apps => Remove anything you aren’t actively using.
- 2FA via hardware device
Facebook: some of these are best practices related to privacy rather than security.
Must Do! https://www.facebook.com/settings?tab=security
- Turn on “Get alerts about unrecognized logins”
- Change your password if you didn’t do it before
- Turn on 2FA via Yubikey or Google Auth if you didn’t do it before
Must Do! https://www.facebook.com/settings?tab=privacy
- Future posts: Friends
- Review all posts and things you’re tagged in: On
- Limit past posts: Friends
- Who can see your friends list: Friends
- Who can look you up using email / phone number: Friends
- Do you want search engines…: NO!
Must Do! https://www.facebook.com/settings?tab=applications
- Audit list, remove anything out of date or not actively in use.
Must Do! Turn off Profile Picture Login. Holy fucking shit what a security nightmare that “feature” is.
Recommended! Make sure “Trusted Contacts” was set up intentionally
- This feature allows you to regain access to your account via trusted friends, which also means those friends (or anyone holding their accounts) can. Make sure you use this feature very wisely.
Recommended! Make sure “Legacy Contact” was set up intentionally.
- Similarly you can have an account transition to someone else upon memorialization (if Facebook receives proof that you’ve died). Make sure it is set up carefully.
Recommended! https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
- Go to “Your Information” w/ green icon. Toggle all switches OFF
- Go to “Ad settings” w/ blue icon. Select: No, No, No one
- Click X’s in Your Interests & Advertisers until you get bored
Recommended! https://www.facebook.com/settings?tab=timeline
- Who can post on your timeline? Friends
- Who can see what others post on your Timeline? Friends
- Who can see posts you’re tagged in on your timeline? Friends
- When you’re tagged in a post, who do you want to add to the audience? Friends
- Who sees tag suggestions when photos that look like you are uploaded? No One
- Review posts you’re tagged in before the post appears on your timeline? On
- Review tags people add to your posts before they appear on Facebook? On
Dropbox / Cloud Storage
- Turn on 2FA
- Turn off any out-of-date phones or computers
- Audit your https://www.dropbox.com/account/connected_apps
Call your cell-phone provider
- Inform them that you work in an industry that has had a number of phone number hacks in the recent months. You are concerned about their ability to protect you and are thinking about moving to a different carrier due to this risk.
- Ask them what protections they offer.
- Ask them to put a note requiring you to be in-store with your photo-id in order to activate a new device or port your number.
- Ask to put a pin on the account.
- If you have the option, remove yourself as an authorized user (e.g. if you are on your parent’s plan).
- If you have the option, insert “DO NOT PORT!” and “DO NOT ACTIVATE NEW DEVICE OVER PHONE!!!” in any fields you have access to (e.g. your “Phone name”, “Company” field, etc.).
- Don’t use that phone number for any 2FA anyways. Use a brand new Google voice number that no one knows.
Miscellaneous
Move any funds held in wallets that were generated on an online computer to cold storage.
- Use your hardware wallet or air-gapped computer + paper.
- Do not keep funds on an exchange.
Sign up for https://keybase.io/
- Verify a few profiles. Install the phone app.
- Share with other people on the team.
- This may come in very handy in the future if something of yours is compromised and we need to verify you are who you say you are.
- It’s not the ultimate source of truth, though and is not necessarily inherently more trustworthy than a phone call, video chat, message on other platforms, etc. It’s just another method we can use if the need arises.
Never Use Public Wi-Fi
- Opt for your own personal mobile hotspot instead.
- https://motherboard.vice.com/en_us/article/evabb7/an-argentine-isp-was-hacked-to-inject-cryptocurrency-miner-code-into-starbucks-wi-fi
- If they can inject crypto-miners into your Wi-Fi, they can inject anything
Google Yourself
- Remove personal information, old forum links, etc.
- Remove your Facebook profile indexed by Google in FB settings
- Set up Google search alerts for your names, common usernames, etc.: https://www.google.com/alerts
Look yourself up on haveibeenpwned.com
- For anything that has been pwned, ensure that you are not using the same password
- Change specifically *that* password
- If other data is breached (e.g. address or phone number or security questions), ensure that data doesn’t give anyone else access to an account (e.g. don’t protect your online banking with a security question that was revealed during the Adobe breach.)
- Consider starting a new general email address to disconnect yourself from the past breaches
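For the password half of that check, HIBP’s Pwned Passwords API lets you test a password without ever sending it: hash it with SHA-1, send only the first five hex characters, and match the returned suffixes locally (k-anonymity). This is an added example in Python, not part of the guide. `fake_range` is a constructed stand-in for the API so the example runs offline (the suffix is the real SHA-1 tail of the password “password”; the counts and the other suffix are made up); `fetch_range_live` talks to the real endpoint, https://api.pwnedpasswords.com/range/{prefix}, when you want to run it for real.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """HIBP keys Pwned Passwords on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """k-anonymity: only the 5-char prefix leaves your machine; the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix, body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns; 0 means never seen."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count(password, fetch_range):
    """How many times the password appears in known breaches, via a pluggable fetcher."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix, timeout=10):
    """Real network call (not used offline). Add-Padding hides the true result count from an observer."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def fake_range(prefix):
    """Constructed stand-in for the API so the example runs offline. Counts are made up."""
    if prefix == "5BAA6":
        return (
            "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
            "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        )
    return ""


if __name__ == "__main__":
    for pw in ("password", "3o*awM#A^9x&r61v"):
        print(repr(pw), "->", pwned_count(pw, fake_range))
```

Pass `fetch_range_live` instead of `fake_range` to check against the real corpus; note that even then the service only ever sees five hex characters, which map to hundreds of candidate hashes.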
If you don’t use Chrome, install and use Chrome from now on.
Bookmark your sites.
- Only use these bookmarks. Do not click links. Do not trust email. Do not trust links in emails. Do not trust attachments on emails.
Install an adblocker
Encrypt your laptop because it can be lost or stolen.
Do not leave your laptop, keys, USBs, phones unattended, even for a moment.
Do not travel to crypto-conferences with laptops, keys, USBs, phones that have all your secrets on them.
Do not store super-secret things on the laptop.
Always check github commits for secrets before committing.
- Do not ever place keys, keystore files, ssh keys, secrets, passwords, access codes, auth tokens, or anything in any folder that you will be committing to Github. Ever.
- Do not place anything secret in the code itself.
- Do not hard-code that shit.
- Do not hard code it “just for testing”.
- Do not hard code it and tell yourself you will remember to remove it later.
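One way to enforce the list above mechanically is a pre-commit hook that scans what is staged before the commit exists. This is an added example, not MyCrypto tooling (the page describes none): Python, standard library only, with patterns for the kinds of secrets this guide names. Save it as .git/hooks/pre-commit (or wire it through your hook manager), make it executable, and a non-zero exit blocks the commit. The sample inputs in the test are constructed.

```python
import json
import re
import subprocess
import sys

# Patterns for the things this guide says must never be committed. The 64-hex rule
# catches raw Ethereum/secp256k1 private keys but also hits SHA-256/keccak hashes,
# so treat a hit as "stop and look", not proof; --no-verify is not the fix.
PATTERNS = {
    "ethereum private key (64 hex)": re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b"),
    "PEM private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "hard-coded credential": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key)\b"
        r"\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


def looks_like_keystore(text):
    """Ethereum keystore (UTC--...) files are JSON with a crypto/Crypto object holding the ciphertext."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    crypto = doc.get("crypto", doc.get("Crypto"))
    return isinstance(crypto, dict) and "ciphertext" in crypto


def scan_text(text, path="<stdin>"):
    """Return (path, line_number, description) for every suspicious line; line 0 means the whole file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for description, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((path, lineno, description))
    if looks_like_keystore(text):
        findings.append((path, 0, "ethereum keystore file"))
    return findings


def staged_files():
    """Files added/copied/modified in the index, i.e. exactly what this commit would publish."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def main():
    findings = []
    for path in staged_files():
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue  # file vanished between index and scan; nothing to publish
    for path, lineno, description in findings:
        print(f"BLOCKED {path}:{lineno}: {description}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

A hook only protects the developer who installed it; run the same `scan_text` over every file in CI (or over `git log -p` once, for history) so the check does not depend on each laptop.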
Make sure you are part of the internal security channels.
- If not, ask someone on the team to add you.
My reputation and online identity are powerful
As I engage with the community and others working on projects, my words on social media, via Skype or Slack, or elsewhere carry more weight. There is a level of trust you may have or build without realizing it.
When I speak, others may take it as I am speaking for the company.
- An off-handed comment may harm the company.
- A tongue-in-cheek comment may be taken seriously.
- People may take real action related to their Ethereum accounts due to something I say or recommend.
- I will be careful on the advice or recommendations I give and ask for feedback from others if I am unsure.
- I will be careful with the words I choose to use and opt for bullet points or numbered lists when possible.
- I will think about unintended consequences of things I do or say or recommendations I make.
- I will never engage in trading or price discussions or recommend someone buys or sells, no matter how harmless I think it is.
During a security incident related to our company or another company, I may be part of confidential conversations or learn about confidential items that I am not at liberty to discuss in the short-term, long-term, or both.
- I will be helpful, calm, and composed in these situations.
- I will avoid cluttering the chat and aim to be concise.
- I will do my best to reduce the stress of the situation and be helpful, not add to the chaos.
- I will avoid any public communication or comment without checking with others first.
- I will bring attention & share links to any tweets, reddit posts, forum posts, or emails related to the situation that I encounter as soon as I see them.
My personal accounts may be the target of an attack
- I see that this space has an unusual mixture of personal identities and professional identities.
- My identity, reputation, or personal accounts may be used to create confusion, panic, send phishing messages, or scam friends or strangers.
- For this reason I choose to be diligent about the security of my personal accounts, not just professional ones.