Casa Blog - Bitcoin Security Made Easy

The operational security (OpSec) basics that bitcoin OGs consider second nature are often lost on newcomers. This can create dangerous situations.

That's why we're sharing several basic security practices that we review with clients before going deeper into advanced cold storage and OpSec schemes. Follow these OpSec tips and you’ll be safe from many common threats.

"Privacy is the power to selectively reveal oneself to the world."
— Eric Hughes, "A Cypherpunk's Manifesto"

What is OpSec?

Operational security (OpSec) is a process for protecting sensitive data and personal information to prevent unintentional disclosure to adversarial parties.

For our purposes of securing digital assets, adversarial parties consist of anyone who might be interested in taking your assets, such as hackers, burglars, or untrustworthy confidants. When you shield information from these parties, you greatly reduce their ability to target or exploit you for financial gain.

1) Generate unique, random passwords and change them often.

Never use repeat passwords, especially for accounts with personally identifiable and sensitive information (e.g. Facebook, Gmail, Apple ID, Twitter, banks/payments, crypto accounts). Use passwords that are randomly generated and 20+ characters long.

If you see suspicious password activity or failed log-ins on any of your accounts, it's a good idea to rotate all of your passwords, starting with sensitive and authorization accounts, such as your primary email and bank/crypto accounts.

2) Use a password manager.

If you’re overwhelmed by the requirements of tip #1, try using a password manager. A password manager is an encrypted, online vault that takes all the difficulty out of:

  • Randomly generating secure passwords
  • Remembering unique, secure passwords
  • Identifying where you’re still using insecure passwords
  • Quickly changing insecure passwords when needed

1Password and LastPass are both good options. I usually recommend LastPass for password manager beginners because the interface is more user-friendly. 1Password has a more advanced security model around account recovery, so it can be the preferred option for those that prioritize security over usability.

Important: Don't use password managers to store seed phrases. There have been instances of bad actors draining assets from seed phrases started in compromised password manager vaults. Keep seed phrases offline for better protection.

3) Do not use SMS for two-factor authentication.

Using two-factor authentication (2FA) is a great way to improve your digital security. However, you should never use SMS text messages for your 2FA. SMS-based 2FA authentication is an extremely insecure method of securing your accounts. You’ll find out why in the next tip.

Instead of SMS-based 2FA, use Google Authenticator or Authy apps for iOS or Android. Google Authenticator is quicker and easier to set up, but Authy offers more robust account recovery options.

Keep in mind the codes generated by 2FA apps are device specific. Your account is generally not backed up to Google or iCloud, so if you lose your phone, you’ll need to spend some time proving your identity to restore your 2FA. The added security is worth the hassle.

Another option beyond simple authenticator apps is to use security keys such as YubiKeys, which can be paired with Yubico Authenticator. This can be an excellent method to lock down exchange accounts.

4) Practice phone safety — lock down your SIM with your mobile phone carrier

Using SMS for 2FA makes you a vulnerable target for SIM porting attacks.

SIM porting is when an attacker calls up your mobile phone provider pretending to be you, and convinces them to port (transfer) your phone’s SIM into a new device, giving them control of any accounts that use SMS 2FA.

Locking down your phone with your carrier isn’t guaranteed to be foolproof, but it’s definitely a good security precaution. It’s best to never use SMS for anything related to your account credentials, but there are sometimes cases where you can’t avoid it. For this reason, security professionals often use multiple phone numbers to segment exposure.

To lock down your SIM, contact your mobile phone carrier. Ask them to NEVER make changes to your phone number/SIM unless you physically show up to a specific store with at minimum two forms of identification. This (should) prevent hackers from calling up your carrier, claiming to be you, and asking them to port your phone number to a new phone.

5) Never store funds on an exchange or online wallet. Use multisig or at least a hardware wallet.

You should never store your cryptocurrency on an exchange or online wallet, and never keep significant funds on a mobile or web hot wallet. Exchanges get hacked and online hot wallets are similarly vulnerable to digital attack.

Hardware wallets like Trezor, Ledger, or ColdCard keep your private key safely stored in a resilient and portable hardware device that never connects directly to the internet. The downside of using a single device is the added responsibility of protecting a paper seed phrase in addition to a device.

Casa's multi-key vaults allow you to bypass seed phrases and single points of failure for more complete protection. Using a multisig protocol, Casa adds an existing level of protection to your existing cold storage and keeps your keys offline until you're ready to send a transaction. Read more here.

6) If you’re not using seedless multisig, store backup seed phrases carefully.

Never store your seed phrase digitally. Seed phrases are intended to be stored on the paper card included with hardware wallets! That means never type it up, store it online, or take a photo of the card.

Write the phrase down on paper, seal it in a tamper proof bag, and store it in a safe. You always have the option of storing multiple copies or pieces of your seed in different locations. But keep in mind that the more you replicate or split up your seed phrase, the more attack vectors you’re creating.

The safer option is to use seedless multisig like Casa.

7) Be careful sharing your home address

This one is a little more advanced, but worth putting into practice for certain types of products.

Be careful about using your real home address online for delivery purposes. Data breaches are now a daily occurrence, and many breaches include customer names and addresses. Your physical address is not as easily changeable as a phone number or email address, so be especially mindful about where you use it on the Internet.

If you’re ordering pizza with Lightning, order it for pickup instead of delivery. When online shopping, use a different (and publicly available) address for package delivery. Options here include your workplace or drop boxes at delivery service providers like FedEx and your local postal service.

Concluding note... “I never thought it would happen to me!

If you can put all 7 of these tips into place—fantastic! You’re protected against the most common security vulnerabilities bitcoin holders face.

The last thing I want to stress is mindset. I’m willing to bet the #1 thing preventing average cryptocurrency holders from putting these tips to action is the “it will never happen to me!” mindset.

DO NOT fall into this trap. It’s very easy for the mind to rationalize that there are always people more visible than you, with more crypto than you, and a much more attractive target for attackers. Many of the victims of hacking that we hear from knew what basic precautions to put in place, but didn’t prioritize activating these precautions because they didn’t think they were “important enough” to be at risk.

Lack of OpSec knowledge is an easy thing to fix, but "it won't happen to me" mindset is the riskiest vulnerability of all.

Join today!

If protecting your privacy while securing your bitcoin sounds appealing to you, we’d love to have you as a Casa member.

Email with any questions or to schedule a free demo of our 3-of-5 multisig.