#MyCryptoWinter

December 1^st

Get in a Secure Mindset

As 2018 comes to a close, MyCrypto and our friends at Etherscan, Infura, KeepKey, Ledger, MetaMask , Parity, ShapeShift, Status, The Bitcoin Podcast and Trezor want to help you be more secure. Each day we will give you a single security “action item.” Take action on each security tip you’ll see this month. Today, it’s easy: simply commit to spending a little bit of time every day securing yourself, your accounts, and most importantly your crypto during this winter.

December 2^nd

2FA Day

Enable 2-Factor Authentication on every account that allows it.

Download and install Google Authenticator for Android or iOS.
Go through your accounts: Coinbase, Poloniex, Google, Facebook, Twitter, Dropbox, iCloud, Amazon, GoDaddy, CloudFlare, and any other site you use.
Turn on 2FA with Google Authenticator.
Avoid SMS and Authy for 2FA. Your phone number can be easily stolen and used to gain access to your account, especially in crypto. If you absolutely must use Authy, turn multi-device support off.

This tip brought
to you by Status!

December 3^rd

Audit Your Extensions

Remove extensions you don’t use, don’t need, or don’t trust.
Disable ones you don’t actively use on a daily basis.
Turn off automatic updates. Update them yourself once a month or so.
Be mindful when installing new ones. Do you really need it? What access does it require?
For websites with sensitive or important information, consider using incognito mode or a different browser without extensions.

December 4^th

Call Your Cell-Phone Provider

Protect yourself from sim-swaps!

Inform your wonderful support agent that you work in an industry that has had a large number of sim-swap and porting attacks in the recent months.
Ask them to put a note requiring you to be in-store with your photo-id in order to activate a new device or port your number.
Respectfully demand they add put a pin number to the account.
If you are on an account with multiple people (e.g., your parent’s plan 😉), remove yourself as an authorized user. This makes it a little bit harder for attackers to guess your personal information.
Ask them again if there is anything else you can do to protect yourself.
Thank them for their time.

Pat yourself on the back. You are now a bit safer and (hopefully) made it a bit more clear to your phone company that security is something they should also be aware of.

December 5^th

Secure Your Cloud Storage

What is uploading automatically?

Disable features like “auto upload all screenshots.”
Disable automatic snapshots/backups of your entire system.
Disable syncing of high-level system folders.
Remove anything sensitive.

Make sure it is secure:

Change the password to a strong, unique password.
Enable 2FA with Google Authenticator or a hardware wallet or Yubikey if you have one.
Remove your phone number as a 2FA / recovery option.

This tip brought
to you by Trezor!

December 6^th

Treat Yo’ Self!

Get yourself a password manager. Your security is worth the small yearly cost. If crypto-winter has you down and you’re saving every cent, LastPass and KeePass have free versions.

LastPass: Free for most. Premium @ $24/year. Family @ $48/year.
1Password: Free trial. Then $36/year. Family @ $60/year.
KeePass: Free & open-source

This tip brought
to you by MetaMask!

December 7^th

Change Your Passwords

Don’t reuse passwords
Use unique, secure passwords that are 8+ characters and use a variety of uppercase letters, lowercase letters, numbers, and symbols.
LastPass & 1Password have fun wizards—“Security Challenge” and “Watchtower,” respectively—that will help you monitor accounts that have been found in data breaches and even change some passwords for you automagically! After you have added accounts (as you change the passwords), we strongly recommend following up with this wizard.

This tip brought
to you by The Bitcoin Podcast!

December 8^th

Walk through the Blockchain Graveyard

Take a look at the Blockchain Graveyard to better understand how dangerous the crypto-space still is. It’s important to have proper security.

These cryptocurrency institutions have suffered intrusions resulting in stolen financials, or shutdown of the product. Several closed down afterward. Many of these attacks could have been prevented:

Social Engineering / Credential Reuse
Account Takeover of Cloud Hosting
Application Vulnerability

December 9^th

Bookmark Your Crypto Sites

Bookmark your crypto websites and other important websites!

Never arrive at an important website where you are entering sensitive information via a link, private message, DM, etc.
Always use the bookmark that you created.
Similarly, be very careful when arriving at a website via Google. The topmost result is often an ad that leads to a phishing website.

This tip brought
to you by ShapeShift!

December 10^th

Look Yourself Up On haveibeenpwned.com

For any accounts that have been pwned, ensure that you are not using the same password.
Change specifically that password.
If other data is breached (e.g., address, phone number, or security questions), ensure that data doesn’t give anyone else access to an account (e.g., don’t protect your online banking with a security question that was revealed during the Adobe breach).
Consider creating a new general-purpose email address to disconnect yourself from the past breaches.

December 11^th

Stop Using Unsafe Tools & Applications

If you have a clipboard manager, get rid of it.
- Rationale: recording and saving everything you copy and paste, intentional or unintentional, is stupid.
If you have an auto-upload screenshot app (e.g., Cloud App), get rid of it.
- Rationale: uploading every screenshot you take, intentional or unintentional, to the web is stupid and puts your security in the hands of a random, insecure, screenshot app.
If you have a remote viewer (e.g.,Teamviewer), get rid of it.
- Rationale: putting in a door to your entire, unlocked computer is stupid and puts everything you store, access, decrypt, encrypt, or otherwise interact with at risk.

December 12^th

Treat yo’ self!

Buy yourself a Ledger, Trezor, or KeepKey Hardware wallet. You’re worth it!

Ledger
- The Nano S is 30% off through the rest of the year!
Trezor
- Save €48.00 by purchasing a 3-pack!
Keepkey
- Buy one get one free through the rest of the year!

December 13^th

Finders Keepers

Think about where you’ve put your cold storage and recovery passphrase. Whether it’s a paper or hardware wallet, it’s important to put these physical items in two, physically separate, secure locations. Maybe find a new spot around the house, open a safety deposit box, and/or invest in a fireproof document bag (<$20 on Amazon).

Example 1: Your KeepKey lives with you at your house in your super-secret hiding spot. The words you wrote down for your backup phrase live in a safety deposit box.
Example 2: Make a copy of your existing paper wallet. Keep one at your house and one in a sealed, discreet envelope at a trustworthy relative’s house with important documents like birth certificates. You don’t have to let them know it’s crypto.

This tip brought
to you by KeepKey!

December 14^th

Install an Ad Blocker

We prefer uBlock Origin and Privacy Badger over the old favorite, Adblock Plus (because the company was sold & is even less transparent than it used to be).

Brave also blocks ads by default and is getting better every day. Available for your computer & on mobile.

These help you stay safe from malicious advertisements, especially the tricky phishing websites that so often appear at the top of Google results.

December 15^th

Google Yourself!

Hackers use personal information that is freely available on the web to target you for attacks like sim-swapping, phishing, social engineering, or recovering your account via “security” questions. Google yourself and...

Remove as much personal information as possible. This includes personal information that may show up on old blogs or forums.
Go to Facebook -> Settings -> Privacy. Click “Edit” next to “Do you want search engines outside of Facebook to link to your profile?” and make sure the checkbox is not checked. Once you save, it should say “No” underneath “Do you want search engines outside of Facebook to link to your profile?”

December 16^th

Remove Unsafe Recovery Options From All Your Google Accounts!

Go to https://myaccount.google.com/security

Click “2-Step Verification”
Set up a “security key” (Yubikey), “authenticator app” (Google Authenticator) and “backup codes”.
Print out the backup codes and then delete them from your computer. Do not store them in your password manager or any online device. Store them with your paper wallet or hardware wallet backup phrase.
While still on the 2-Step Verification page, scroll to the bottom under “Devices that do not need a second step.” Click “Revoke all”.
Return to https://myaccount.google.com/security
Do not turn on “Recovery email.” If there is a recovery email there, remove it by editing it, clearing all the text from the field, and saving it empty. This will effectively “remove” it.
Do not turn on “Recovery phone.” If there is a recovery phone number there, remove it by editing it, clearing all the text from the field, and saving it empty. This will effectively “remove” it.
Under “Recently used devices” remove anything that isn’t your primary phone and computer.
Review “Apps with access to your account.” Remove anything you aren’t actively using.