Casa Blog - Bitcoin Security Made Easy

The operational security (OPSEC) basics bitcoin OGs consider second nature are often lost on newcomers. This can create dangerous situations.

That's why we're sharing several basic security practices we review with clients before going deeper into advanced cold storage and OPSEC schemes. Follow these tips and you’ll be safe from many common threats.

"Privacy is the power to selectively reveal oneself to the world."
— Eric Hughes, "A Cypherpunk's Manifesto"

What is OPSEC?

Operational security (OPSEC) is a process for protecting sensitive data and personal information to prevent unintentional disclosure to adversarial parties. Loose lips sink ships, as the saying goes.

For our purposes of securing bitcoin and other assets, adversarial parties consist of anyone who might be interested in taking your assets, such as hackers, burglars, or untrustworthy confidants. When you shield information from these parties, you greatly reduce their ability to target or exploit you for financial gain.

1) Avoid sharing specifics about your bitcoin

Bitcoin is fun to talk about, block by block. And when its price is on the move, it's tempting to tell everyone you know. But this can invite personal security risk.

OPSEC is about keeping information confined on a "need-to-know" basis, and there's some information most people in your life don't need to know. Whatever your intention may be in sharing, you may never know what your audience's intentions are, whether you encounter them on social media or at meetups and conferences.

It's okay to discuss bitcoin on a conceptual or technical level. We recommend, however, that you refrain from disclosing details about your personal stash such as:

  • Size of holdings
  • Bitcoin addresses
  • Screenshots of balances
  • Exchange accounts
  • Device models and locations

If you're an OG bitcoiner, public figure, or content creator, your security is in a different arena from the rest of the population. Casa offers personal guidance for at-risk individuals with material wealth as our Private Clients. This program includes a 7-step security overhaul for hardening your digital life. Learn more here.

2) Generate unique, random passwords and change them often

Are you using the same password for everything? If so, it's time to stop.

One of the main ways attackers target victims is by mining data breaches for email addresses and passwords. In many cases, they have combed through email accounts to snoop on victims before proceeding with digital or physical attacks.

Never reuse passwords, especially for accounts holding personally identifiable or sensitive information (e.g. Facebook, Gmail, Apple ID, Twitter/X, banks/payments, crypto accounts). Use passwords that are randomly generated and 20+ characters long.

If you see suspicious password activity or failed logins on any of your accounts, it's a good idea to rotate all of your passwords, starting with sensitive and authorization accounts, such as your primary email and bank/crypto accounts.

3) Use a password manager

It's hard for humans to come up with airtight passwords that high-powered computers can't easily crack. Password managers make that a breeze. A password manager is an encrypted, online vault that takes all the difficulty out of:

  • Randomly generating secure passwords
  • Remembering unique, secure passwords
  • Identifying where you’re still using insecure passwords
  • Quickly changing insecure passwords when needed

1Password and KeePassXC are good options to consider.

Important: Don't use password managers to store seed phrases. There have been instances of bad actors draining assets from seed phrases stored in compromised password manager vaults. Keep seed phrases offline for better protection.

4) Do not use SMS for two-factor authentication

Using two-factor authentication (2FA) is a great way to improve your digital security. However, avoid SMS text messages for your 2FA wherever possible. SMS-based 2FA is an extremely insecure method of securing your accounts. You’ll find out why in the next tip.

Instead of SMS-based 2FA, use Google Authenticator or Authy apps for iOS or Android. Google Authenticator is quicker and easier to set up, but Authy offers more robust account recovery options.

Keep in mind the codes generated by 2FA apps are device specific. The app's secrets are generally not backed up to Google or iCloud, so if you lose your phone, you’ll need to spend some time proving your identity to restore your 2FA. The added security is worth the hassle.

YubiKeys provide a much more secure option for two-factor authentication than text messages to your phone.

Another option beyond simple authenticator apps is to use security keys such as YubiKeys, which can be paired with Yubico Authenticator. This can be an excellent method to lock down exchange accounts.

Did you know you can also use a YubiKey to secure bitcoin? Casa's new integration brings a smooth signing experience to self-custody through a simple alternative to hardware wallets.

5) Lock down your SIM with your mobile phone carrier

Using SMS for 2FA makes you a vulnerable target for SIM swap attacks.

A SIM swap is when an attacker contacts your mobile phone provider pretending to be you and convinces them to port (transfer) your phone number to a SIM in a device they control, giving them control of any accounts that use SMS 2FA.

Locking down your phone number with your carrier isn’t guaranteed to be foolproof, but it’s definitely a good security precaution. It’s best to never use SMS for anything related to your account credentials, but there are some cases where you can’t avoid it. For this reason, security professionals often use multiple phone numbers to segment exposure.

Today, there are dedicated providers that offer service on major carriers with enhanced protection against SIM swaps. Through our partner Efani, you can lock down your number with an 11-step protocol preventing changes. Get started with Efani at a discount here.

6) Never store long-term holdings on an exchange or online wallet

You should never store your bitcoin on an exchange or online wallet, and never keep significant funds on a mobile or web hot wallet. Exchanges get hacked and online hot wallets are similarly vulnerable to digital attack.

Hardware wallets like Trezor, Ledger, or ColdCard keep your private key safely stored in a resilient and portable hardware device that never connects your key directly to the internet. The downside of using a single device is the added responsibility of protecting a paper seed phrase in addition to a device.

Casa vaults allow you to bypass single points of failure for more complete protection. Using a multisig protocol, Casa adds a level of protection to your existing cold storage and keeps your keys offline until you're ready to send a transaction. Get started with your own bitcoin vault here.

7) Store backup seed phrases carefully

Seed phrases are a double-edged sword for your private keys. On one hand, they allow you to easily regenerate your key if a cold storage device is lost or stolen, but they also create a back door for your key if you don't store them properly.

Additionally, it's easy to introduce single points of failure in your storage plan. Never store your seed phrase digitally or enter it into an internet-connected device. That means never type it up, store it online, or take a photo of it.

Write the phrase down on paper, seal it in a tamper-proof bag, and ideally store it in a secret location. If you're using one seed phrase, keep multiple copies or pieces of your seed in different locations. But keep in mind that the more you replicate or split up your seed phrase, the more attack vectors you’re creating.

Jameson Lopp, our co-founder and chief security officer, has written extensively about backing up seed phrases, their pitfalls, and considerations for securing them.

8) Keep cold storage devices in access-controlled locations

When bitcoin first came around, it was relatively unknown. Very few people outside of a small niche of believers knew how to store it. You could get away with leaving a hardware wallet in plain sight in your home in the early days.

Today, this is definitely not the case. Bitcoin is mainstream and bad actors are taking it seriously. Burglars, muggers, and even gangs are much more likely to target individual bitcoiners and know what a hardware wallet looks like. Furthermore, friends, family, or contractors working in your home may feel tempted to sneak off with a device if you leave it lying around.

When you're not transacting, secure your devices with a PIN and store them in an access-controlled location, such as a home safe or safety deposit box. This keeps your keys away from wandering eyes.

Concluding note: “I never thought it would happen to me!”

If you can put all of these tips into place, you'll be protected against the most common security vulnerabilities bitcoin holders face.

The last thing worth emphasizing is mindset. Complacency is arguably the greatest threat to your OPSEC and, in turn, your bitcoin. Many HODLers put themselves at risk by believing “it will never happen to me!”

Avoid falling into this trap. It’s very easy for the mind to rationalize how there are always people more visible than you, with more assets than you, and a much more attractive target for attackers. Many victims of bitcoin-related attacks knew what basic precautions to put in place, but they didn’t get around to putting them into practice because they didn't believe they'd ever be a target.

Lack of OPSEC knowledge is an easy thing to fix, but the "it won't happen to me" mindset is the riskiest vulnerability of all. Stay vigilant and you'll be well on your way to staying safe.
