# OPSEC for CryptoCurrency Enthusiasts
by MiW - 2017-12-01

Hello Dear Reader,

Today we will discuss some steps you can take to improve your operational security (OPSEC),
especially if you are involved with cryptocurrency communities. There are many reports of
folks getting hacked if they maintain a public account and discuss cryptocurrency.

With bitcoin at all time highs, the bad folks will try anything to get hold of your private keys!

I'd like to run this as a series of posts on security within the cryptocurrency space. 
Please let me know if there is a particular topic you would like discussed, or if you
would like to be interviewed (specifically about project or operational security).

## Step 1.
## NEVER ADMIT TO OWNING ANY CRYPTOCURRENCY

It is almost impossible to prove that a person is in control of a private key. 
Many private keys have been lost, rendering the money unspendable.

If anyone asks, you lost it all in a Tragic Boating Accident. (thanks fluffypony).

## Step 2.
## NEVER ADMIT HOW MUCH CRYPTOCURRENCY YOU HAVE
The need to brag is innate human behavior. Be above this. 
You might be rich now, but nobody needs to know.
Possibly your mother, so she knows she brought you up as a responsible, forward planning adult.

## Step 3.
## Rotate addresses where possible
Some cryptocurrencies use a single public address for the wallet (Eth, LISK, Ripple, Stellar, etc.) 
and work with the 'brainwallet' model -- 
a seed is sufficient to recreate the one private key that secures the account.
Be aware that, by nature of the public ledger, it is possible to observe the balance and all transactions involving this address.
Use multiple seeds [(single address = single wallet) x n seeds] to preserve privacy.

By rotating addresses (which is *Satoshi's Original Vision(tm)*) you provide some disconnect between transactions, 
as long as these do not commingle funds. It is wise to compartmentalize your transactions in different wallets where possible.

With a [Hierarchical Deterministic wallet](https://en.bitcoin.it/wiki/Deterministic_wallet#Type_2_hierarchical_deterministic_wallet) it should be more difficult to identify the addresses associated with a wallet.

## Step 4.
## Compartmentalize identities
Where possible, use pseudonyms and try not to link these to your real world identity. 
Use separate email accounts for sensitive accounts like exchanges, wallets, etc.

If you are having trouble coming up with a new pseudonym, you can try a Code Name Generator.

Examples of ‘Code Name Generators’
http://projectcodename.com/#
https://killercup.github.io/codenamer/
https://divergentdave.github.io/nsa-o-matic/
https://rumandmonkey.com/widgets/toys/namegen/10712

## Step 5.
## Strong Passwords - Use a password manager
You should be using unique, random, hard-to-guess passwords (e.g. Whz0g,j~8eN!5H&r9|26) for ALL your accounts.
There is no such thing as 'a low valued account'. All accounts, when in aggregate can be used to defeat password
reset or account recovery procedures. [The story of the Mat Honan hack](https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/)
demonstrates that every little fragment of information learned by the attacker can be used to leverage access to other accounts.

Because humans have difficulty remembering complex passwords, we defer to a password manager to generate and store these strings.
Do not use Notepad, Excel or another non-secure way to store these. My personal recommendations are:

* [KeePass](https://keepass.info)
* [1Password](https://1password.com)

* Use a VERY strong master passphrase. It is recommended to use something like [Diceware](http://world.std.com/~reinhold/diceware.html) to generate the master passphrase.
	* Generate it with real dice too if you can, to avoid compromise by a bad random number generator!

Whatever you pick, make sure it's long and complex. 
**You cannot reset or recover this passphrase, so do not forget it!**

Note: Do not use Evernote, Dropbox, or a similar service for storing cleartext passwords, passphrases, seeds, or other sensitive info.
There have been reports of security failures on cloud providers, where user data has spilled. 
Do not let these very sensitive fragments of data out of your control! 

*Lock down all accounts, as much as possible.*
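As an added illustration of the Diceware procedure and the per-account random passwords recommended above (example code written for this edit, not from the original post): the five-dice-roll lookup against a list in the Diceware file format, the entropy arithmetic behind the word count, and a CSPRNG stand-in for physical dice. The word-list excerpt is constructed for the example and is not the real Diceware list; the function names are this example's own.

```python
import math
import secrets
import string

# Real Diceware lists have 6**5 = 7776 entries, one per five-dice roll "11111".."66666".
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed excerpt in the Diceware file format ("<rolls> <word>" per line).
# The words are made up for this example and are NOT the real list.
DEMO_LIST_TEXT = """\
11111 abacus
11112 abdomen
11113 abide
11114 abode
66665 zoom
66666 zulu
"""


def parse_diceware_list(text):
    """Parse 'rolls word' lines into a dict keyed by the five-digit roll string."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rolls, word = line.split(None, 1)
        if len(rolls) != 5 or any(c not in "123456" for c in rolls):
            raise ValueError(f"bad roll key: {rolls!r}")
        table[rolls] = word.strip()
    return table


def rolls_to_key(rolls):
    """Validate five physical rolls (each 1..6) and render them as a list key."""
    if len(rolls) != 5 or any(not 1 <= r <= 6 for r in rolls):
        raise ValueError("need exactly five rolls, each 1..6")
    return "".join(str(r) for r in rolls)


def rolls_to_index(rolls):
    """0-based position of the rolls in a full list: base-6 digits, 1..6 -> 0..5."""
    rolls_to_key(rolls)  # validation only
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_dice(num_words, sides=6, per_word=5):
    """Software substitute for physical dice, drawn from the OS CSPRNG (secrets)."""
    return [secrets.randbelow(sides) + 1 for _ in range(num_words * per_word)]


def passphrase(rolls, table):
    """Turn a flat sequence of rolls (groups of five) into a space-separated passphrase."""
    if len(rolls) % 5:
        raise ValueError("rolls must come in groups of five")
    words = []
    for i in range(0, len(rolls), 5):
        key = rolls_to_key(rolls[i:i + 5])
        if key not in table:
            raise KeyError(f"roll {key} missing from word list")
        words.append(table[key])
    return " ".join(words)


def passphrase_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Each word contributes log2(list_size) bits, ~12.9 for a 7776-word list."""
    return num_words * math.log2(list_size)


# Alphabet for per-account passwords in the style of the post's example string.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=20, alphabet=PASSWORD_ALPHABET):
    """Unique per-account password from the OS CSPRNG; store it in the manager, not Notepad."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length, alphabet=PASSWORD_ALPHABET):
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    table = parse_diceware_list(DEMO_LIST_TEXT)
    print(passphrase([1, 1, 1, 1, 1, 6, 6, 6, 6, 6, 1, 1, 1, 1, 3], table))
    print(f"6-word Diceware passphrase: ~{passphrase_entropy_bits(6):.1f} bits")
    print(random_password(), f"~{password_entropy_bits(20):.1f} bits")
```

With the full 7776-entry file, `parse_diceware_list` accepts any roll sequence, and six words give roughly 77.5 bits, which is why the post asks for a long master passphrase. Rolling real dice, as the author suggests, removes the dependency on the machine's `secrets` source being a sound random number generator.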

## Step 6.
## Avoid 2FA from cell phone
Try to avoid using 2FA associated with your mobile phone number. You have likely given this number out to at least one bad person, 
who can leverage this knowledge to attack your accounts.

* If possible, use a FIDO U2F security key, eg: [YubiKey](http://yubikey.com) or [U2F Key-ID ](https://www.adafruit.com/product/3363). 
* If possible, use Google Authenticator (TOTP mode). Unfortunately, unlike a FIDO U2F key, TOTP codes are not immune to 'Man-In-The-Middle' attacks.
	* Back up your TOTP Seeds in case you lose your phone settings
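To make concrete what a TOTP seed is and why the post says to back it up, here is an added example (written for this edit, not code from the original post or from Google Authenticator) implementing RFC 6238 TOTP with the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits), a server-side verifier with a drift window, and the otpauth:// URI form in which the seed is exported and re-imported. The issuer and account names are constructed; the seed used in the `__main__` block is the RFC 6238 test-vector seed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlparse


def hotp(seed: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). The seed is the only secret."""
    if at_time is None:
        at_time = time.time()
    return hotp(seed, int(at_time) // step, digits)


def verify_totp(seed: bytes, code: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift, constant-time compare."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(seed, counter + d, digits), code)
               for d in range(-window, window + 1))


def seed_to_otpauth(seed: bytes, issuer: str, account: str,
                    step: int = 30, digits: int = 6) -> str:
    """Render the seed as the otpauth:// URI authenticator apps import; this is what to back up."""
    b32 = base64.b32encode(seed).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def otpauth_to_seed(uri: str) -> bytes:
    """Recover the raw seed from an otpauth:// URI, e.g. when restoring onto a new phone."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    secret = parse_qs(parsed.query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore the base32 padding apps usually strip
    return base64.b32decode(secret)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test seed; never reuse a published seed for real
    uri = seed_to_otpauth(seed, "ExampleExchange", "alice@example.com")  # constructed names
    print(uri)
    print("code now:", totp(seed))
    print("round trip ok:", otpauth_to_seed(uri) == seed)
```

Note that nothing in `totp` binds the code to the site that asked for it: whoever holds the seed and the clock can produce the code, and a code typed into a look-alike page is just as valid at the real one. That is the gap the post is pointing at when it contrasts TOTP with FIDO U2F, and it is also why a backed-up seed must be stored as carefully as the master passphrase.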

## Step 7.
## Have telephone service provider lock down your account
Contact your telephone provider (in store, in person is best) and have them write
"Sensitive Customer: DO NOT PORT NUMBER OR SIMCARD OVER PHONE. REQUIRE ID IN STORE"

This should prevent an attacker from hijacking your phone number, thus gaining access to 2FA and account reset functionality. Of course, humans will make mistakes, so it is best to follow Step 6 if at all possible.

## Step 8.
## Use gmail over personal vanity domains for sensitive accounts
Google has one of the best security teams in the industry, and provides a great service to the public with gmail.
Google has also fought for customer rights, [challenging User Data requests by authorities](https://arstechnica.com/tech-policy/2013/01/google-stands-up-for-gmail-users-requires-cops-to-get-a-warrant/).
They have gone, and will go, to court to protect your data, where they can.

A vanity domain and associated email might look cool, but the security of email is based on domain ownership.
If an attacker can social engineer your domain from the registrar, they will hijack your domain name, and point it to their servers.
Sometimes all this takes is a FAX. Yes, a FAX. 
(For those too young, a FAX is a waffle iron with a phone attached.)  

From this point it's game over, as they will divert all your email, 
reset all your accounts and take over what they can.

By using gmail, you avoid this risk, as it should not be possible to hijack gmail.com.

IMPORTANT: Make sure you remove your cellular number from the gmail account. 
Gmail requires a cellular number these days as an anti-spam feature. Do not let them use it as a security feature!
Removing it prevents the number from being used as a 2FA/account recovery pathway. 
Ensure that your gmail is locked down to use 2FA with U2F or Google Authenticator only.
Store the 'recovery codes' somewhere safe (not online!).
 

Thank you for reading -- please reach out with any questions or other tips, and I'll try to include them in the next post in this series.

MiW
@cryptojaxx · (edited)
Great post, so good I even resteemed it.
@drseptic ·
A good article! Ultimately, no one can know how much you have, where you have it, where you got it from, how you got it, or where it goes to. This applies to more than just cryptocurrencies. ; )
@steemitboard ·
Congratulations @miw! You have received a personal award!

[![](https://steemitimages.com/70x70/http://steemitboard.com/@miw/birthday1.png)](http://steemitboard.com/@miw)  1 Year on Steemit
<sub>_Click on the badge to view your Board of Honor._</sub>


**Do not miss the [last announcement](https://steemit.com/steemitboard/@steemitboard/steemitboard-witness-update-2018-06-12) from @steemitboard!**

> Do you like [SteemitBoard's project](https://steemit.com/@steemitboard)? Then **[Vote for its witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1)** and **get one more award**!
@steemitboard ·
Congratulations @miw! You received a personal award!

<table><tr><td>https://steemitimages.com/70x70/http://steemitboard.com/@miw/birthday2.png</td><td>Happy Birthday! - You are on the Steem blockchain for 2 years!</td></tr></table>

<sub>_You can view [your badges on your Steem Board](https://steemitboard.com/@miw) and compare to others on the [Steem Ranking](https://steemitboard.com/ranking/index.php?name=miw)_</sub>


###### [Vote for @Steemitboard as a witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1) to get one more award and increased upvotes!