#MyCryptoWinter

December 1^st

Get in a Secure Mindset

As 2018 comes to a close, MyCrypto and our friends at Etherscan, Infura, KeepKey, Ledger, MetaMask , Parity, ShapeShift, Status, The Bitcoin Podcast and Trezor want to help you be more secure. Each day we will give you a single security “action item.” Take action on each security tip you’ll see this month. Today, it’s easy: simply commit to spending a little bit of time every day securing yourself, your accounts, and most importantly your crypto during this winter.

December 2^nd

2FA Day

Enable 2-Factor Authentication on every account that allows it.

Download and install Google Authenticator for Android or iOS.
Go through your accounts: Coinbase, Poloniex, Google, Facebook, Twitter, Dropbox, iCloud, Amazon, GoDaddy, CloudFlare, and any other site you use.
Turn on 2FA with Google Authenticator.
Avoid SMS and Authy for 2FA. Your phone number can be easily stolen and used to gain access to your account, especially in crypto. If you absolutely must use Authy, turn multi-device support off.

This tip brought
to you by Status!

December 3^rd

Audit Your Extensions

Remove extensions you don’t use, don’t need, or don’t trust.
Disable ones you don’t actively use on a daily basis.
Turn off automatic updates. Update them yourself once a month or so.
Be mindful when installing new ones. Do you really need it? What access does it require?
For websites with sensitive or important information, consider using incognito mode or a different browser without extensions.

December 4^th

Call Your Cell-Phone Provider

Protect yourself from sim-swaps!

Inform your wonderful support agent that you work in an industry that has had a large number of sim-swap and porting attacks in the recent months.
Ask them to put a note requiring you to be in-store with your photo-id in order to activate a new device or port your number.
Respectfully demand they add put a pin number to the account.
If you are on an account with multiple people (e.g., your parent’s plan 😉), remove yourself as an authorized user. This makes it a little bit harder for attackers to guess your personal information.
Ask them again if there is anything else you can do to protect yourself.
Thank them for their time.

Pat yourself on the back. You are now a bit safer and (hopefully) made it a bit more clear to your phone company that security is something they should also be aware of.

December 5^th

Secure Your Cloud Storage

What is uploading automatically?

Disable features like “auto upload all screenshots.”
Disable automatic snapshots/backups of your entire system.
Disable syncing of high-level system folders.
Remove anything sensitive.

Make sure it is secure:

Change the password to a strong, unique password.
Enable 2FA with Google Authenticator or a hardware wallet or Yubikey if you have one.
Remove your phone number as a 2FA / recovery option.

This tip brought
to you by Trezor!

December 6^th

Treat Yo’ Self!

Get yourself a password manager. Your security is worth the small yearly cost. If crypto-winter has you down and you’re saving every cent, LastPass and KeePass have free versions.

LastPass: Free for most. Premium @ $24/year. Family @ $48/year.
1Password: Free trial. Then $36/year. Family @ $60/year.
KeePass: Free & open-source

This tip brought
to you by MetaMask!

December 7^th

Change Your Passwords

Don’t reuse passwords
Use unique, secure passwords that are 8+ characters and use a variety of uppercase letters, lowercase letters, numbers, and symbols.
LastPass & 1Password have fun wizards—“Security Challenge” and “Watchtower,” respectively—that will help you monitor accounts that have been found in data breaches and even change some passwords for you automagically! After you have added accounts (as you change the passwords), we strongly recommend following up with this wizard.

This tip brought
to you by The Bitcoin Podcast!

December 8^th

Walk through the Blockchain Graveyard

Take a look at the Blockchain Graveyard to better understand how dangerous the crypto-space still is. It’s important to have proper security.

These cryptocurrency institutions have suffered intrusions resulting in stolen financials, or shutdown of the product. Several closed down afterward. Many of these attacks could have been prevented:

Social Engineering / Credential Reuse
Account Takeover of Cloud Hosting
Application Vulnerability

December 9^th

Bookmark Your Crypto Sites

Bookmark your crypto websites and other important websites!

Never arrive at an important website where you are entering sensitive information via a link, private message, DM, etc.
Always use the bookmark that you created.
Similarly, be very careful when arriving at a website via Google. The topmost result is often an ad that leads to a phishing website.

This tip brought
to you by ShapeShift!

December 10^th

Look Yourself Up On haveibeenpwned.com

For any accounts that have been pwned, ensure that you are not using the same password.
Change specifically that password.
If other data is breached (e.g., address, phone number, or security questions), ensure that data doesn’t give anyone else access to an account (e.g., don’t protect your online banking with a security question that was revealed during the Adobe breach).
Consider creating a new general-purpose email address to disconnect yourself from the past breaches.

December 11^th

Stop Using Unsafe Tools & Applications

If you have a clipboard manager, get rid of it.
- Rationale: recording and saving everything you copy and paste, intentional or unintentional, is stupid.
If you have an auto-upload screenshot app (e.g., Cloud App), get rid of it.
- Rationale: uploading every screenshot you take, intentional or unintentional, to the web is stupid and puts your security in the hands of a random, insecure, screenshot app.
If you have a remote viewer (e.g.,Teamviewer), get rid of it.
- Rationale: putting in a door to your entire, unlocked computer is stupid and puts everything you store, access, decrypt, encrypt, or otherwise interact with at risk.

December 12^th

Treat yo’ self!

Buy yourself a Ledger, Trezor, or KeepKey Hardware wallet. You’re worth it!

Ledger
- The Nano S is 30% off through the rest of the year!
Trezor
- Save €48.00 by purchasing a 3-pack!
Keepkey
- Buy one get one free through the rest of the year!

December 13^th

Finders Keepers

Think about where you’ve put your cold storage and recovery passphrase. Whether it’s a paper or hardware wallet, it’s important to put these physical items in two, physically separate, secure locations. Maybe find a new spot around the house, open a safety deposit box, and/or invest in a fireproof document bag (less than $20 on Amazon).

Example 1: Your KeepKey lives with you at your house in your super-secret hiding spot. The words you wrote down for your backup phrase live in a safety deposit box.
Example 2: Make a copy of your existing paper wallet. Keep one at your house and one in a sealed, discreet envelope at a trustworthy relative’s house with important documents like birth certificates. You don’t have to let them know it’s crypto.

This tip brought
to you by KeepKey!

December 14^th

Install an Ad Blocker

We prefer uBlock Origin and Privacy Badger over the old favorite, Adblock Plus (because the company was sold & is even less transparent than it used to be).

Brave also blocks ads by default and is getting better every day. Available for your computer & on mobile.

These help you stay safe from malicious advertisements, especially the tricky phishing websites that so often appear at the top of Google results.

December 15^th

Google Yourself!

Hackers use personal information that is freely available on the web to target you for attacks like sim-swapping, phishing, social engineering, or recovering your account via 'security' questions. Google yourself and...

Remove as much personal information as possible. This includes personal information that may show up on old blogs or forums.
Go to Facebook - Settings - Privacy. Click 'Edit' next to 'Do you want search engines outside of Facebook to link to your profile?' and make sure the checkbox is not checked. Once you save, it should say 'No' underneath it.

December 16^th

Secure Your Google Accounts!

Go to https://myaccount.google.com/security

Click '2-Step Verification'
Set up a 'security key' (Yubikey), 'authenticator app' (Google Authenticator) and 'backup codes'.
Print out the backup codes and then delete them from your computer. Do not store them on an online device or cloud storage.
Do not turn on 'Recovery email.' If there is a recovery email there, remove it by editing it, clearing all the text from the field, and saving it empty.
Do not turn on 'Recovery phone.' If there is a recovery phone number there, remove it by editing it, clearing all the text from the field, and saving it empty.
Under 'Recently used devices' remove anything that isn’t your primary phone and computer.
Review 'Apps with access to your account.' Remove anything you aren’t actively using.
Scroll to the bottom under 'Devices that do not need a second step.' Click 'Revoke all'.

December 17^th

Add To Your Online Arsenal

Install MetaMask or EtherAddressLookup or Cryptonite by MetaCert.

These extensions will automagically warn you if you are attempting to visit a known phishing website, like fake MyCryptos, fake Binances, fake ShapeShifts, etc. You should still always double check the URL, but it never hurts to have another layer of protection!

This tip brought
to you by Infura!

December 18^th

Treat Yo’ Self!

Get a VPN!

A VPN is a great tool for browsing more securely and can remove prying eyes from the equation. VPNs can help you do things such as:

Keep you safe when using public Wi-Fi
Anonymize yourself wherever you browse
Hide your location
Bypass geographic restrictions

Learn more about VPNs with a few recommendations.

December 19^th

Secure Your Github!

Audit your auth’d apps & turn on 2FA:

Go to Github Application Settings
Audit Installed GitHub Apps. Remove anything you aren’t actively using (you can install later if needed).
Audit Authorized GitHub Apps. Remove anything you aren’t actively using (you can restore later if needed).
Audit Authorized OAuth Apps. Remove anything you aren’t actively using (you can restore later if needed).
Add 2FA via hardware device, Krypton, or TOTP (Google Authenticator).
Avoid SMS-based for 2FA or account recovery like the plague! 🙂

This tip brought
to you by Parity!

December 20^th

Secure Your Facebook
(or just delete Facebook 😉)

Facebook has tons of privacy and security settings. Here's one tip to get you started, but check out everything in the Privacy and Security tabs:

Go to https://www.facebook.com/settings?tab=security.
Turn on “Get alerts about unrecognized logins.”
Change your password to a new, strong, unique password.
Turn on 2FA via hardware device or Google Authenticator.

December 21^st

Back it up! 👯

Back up anything & everything that you don’t want to lose. Transfer it to a USB or an external hard drive that isn’t connected to the internet.

Cold storage is important for everything: your backup codes, now that you’ve removed phone and email recovery, 2FA QR Codes, and, of course, your crypto! Make sure that these things aren’t stored on your computer, phone, or cloud storage. They should be OFFLINE!

This tip brought
to you by Ledger!

December 22^nd

Encrypt It!

Encrypt your Computer / Laptop! This gives you another layer of protection, especially if your computer is ever lost or stolen.

Mac Guide: https://support.apple.com/en-us/HT204837
- Note: Use a “Recovery Key” not your “iCloud Account.” Back up this recovery key as you store your private keys or backup phrases. See December 21 for more information on proper backup storage.
Windows: https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10
- Note: BitLocker is only available for Windows 10 Pro and Enterprise.
Linux Guide: https://www.tecmint.com/linux-password-protect-files-with-encryption/

This tip brought
to you by Etherscan!

December 23^rd

Share the Love

Share tips from previous days with your friends, family, and everyone else who uses the internet. They apply to everyone. The holidays are the perfect time to make sure everyone is a little bit more secure. Share the love!

December 24^th

Treat Yo’ Self!

Download the MyCrypto Desktop App and put your safety & security first.

It’ll help you avoid dangerous phishing attacks and malicious browser extensions. You no longer have to triple-check that you are on the correct URL or worry about a malicious chrome extension!

Thank You

Today is the final day of #MyCryptoWinter. If you participated in any way, shape, or form, we appreciate you. If you shared any of these tips on Twitter, with a friend, or applied them yourself to become more secure, you’ve done well.

We’d again like to extend a huge thanks to our friends at Etherscan, Infura, KeepKey, Ledger, MetaMask , Parity, ShapeShift, Status, The Bitcoin Podcast and Trezor for participating and helping spread these tips and providing swag to the prize pool.

Speaking of prizes, we haven’t forgotten. We’ll finish collecting all the entries, announce the winners, and ship prizes out when the MyCrypto staff are back from the holiday break. Stay tuned, and happy #MyCryptoWinter!

Get in a Secure Mindset

2FA Day

Audit Your Extensions

Call Your Cell-Phone Provider

Secure Your Cloud Storage

Treat Yo’ Self!

Change Your Passwords

Walk through the Blockchain Graveyard

Bookmark Your Crypto Sites

Look Yourself Up On haveibeenpwned.com

Stop Using Unsafe Tools & Applications

Treat yo’ self!

Finders Keepers

Install an Ad Blocker

Google Yourself!

Secure Your Google Accounts!

Add To Your Online Arsenal

Treat Yo’ Self!

Secure Your Github!

Secure Your Facebook (or just delete Facebook 😉)

Back it up! 👯

Encrypt It!

Share the Love

Treat Yo’ Self!

Thank You

Secure Your Facebook
(or just delete Facebook 😉)