How do I keep my crypto secure?

HOSTS Blake Cassidy, Craig Jackson & Tracey Plowman|20 December, 2021

Sponsored by Bamboo

In this episode, hosts Tracey, Craig and Blake discuss scams, hacks and other security issues facing the crypto industry. We start off discussing the most infamous exchange hack in history, the 2014 hack of Mt Gox that saw 850,000 BTC stolen. Although some work is being done to recover them, to this day most of the coins remain missing. The event led to the saying "Not your keys, not your coins": if your Bitcoin sits on an exchange, the exchange holds the private keys, so you don't have full control over it. These days, exchange hacks are becoming less common, but it's still important to keep most of your crypto in a personal wallet and never share your private keys or recovery phrase with anyone, including a website that asks for them.

Tracey touches on the 2020 breach of customer data at major hardware wallet company Ledger, which exposed roughly a million email addresses along with names, phone numbers and postal addresses for many customers, leading to a spate of phishing emails sent to hardware wallet owners. No wallet devices were compromised in the breach, but it nonetheless resulted in a significant fallout for the company, since attackers now knew which people were likely to hold crypto. These days, most crypto companies like Bamboo use institutional-grade custody providers like Fireblocks. Custody providers run hardened key-management infrastructure ("digital vaults") that holds cryptocurrency on behalf of many apps and exchanges, so individual companies don't have to manage private keys or physical devices themselves.

We finish off by discussing other important security measures that all crypto users should practise. These include: using a password manager like LastPass to generate and store long random passwords; ensuring you always have 2-Factor Authentication (2FA) enabled, preferably via an authenticator app rather than SMS, and keeping the 2FA setup key somewhere safe so you can move it to a new phone; and checking the URL of crypto websites, and bookmarking the official one, to avoid getting caught out by spoofs.
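As an added example (not code from the podcast or from Bamboo), here is the bookmark-and-check habit the hosts describe turned into a small Python check. It holds a constructed allowlist of official wallet and exchange hosts, requires HTTPS, and flags the three spoof patterns seen in seed-phrase phishing: the official name buried in a subdomain of someone else's domain, homoglyph lookalikes (Cyrillic letters, "rn" for "m", punycode) and one- or two-character typosquats. The allowlist, the confusable table and the naive two-label domain split are assumptions for illustration; a production tool would use the Public Suffix List and the full Unicode confusables table.

```python
"""Check a crypto-site URL against your own bookmarks before entering a seed phrase.

Added illustration, not the podcast's or Bamboo's code. Assumptions are marked.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumption: a constructed allowlist. In practice this is the set of official
# sites you verified once and bookmarked; the check never trusts anything else.
OFFICIAL_HOSTS = frozenset({"metamask.io", "trezor.io", "ledger.com", "pancakeswap.finance"})

# Assumption: a hand-picked subset of visually confusable characters. Unicode
# TR39 publishes the full table; this is enough to show the technique.
SCRIPT_CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                      "у": "y", "х": "x", "і": "i", "ӏ": "l", "ј": "j"}
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
                     ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(host: str) -> str:
    """Reduce a hostname to what a human sees, so lookalikes compare equal."""
    try:
        host = host.encode("ascii").decode("idna")   # xn-- labels -> Unicode
    except UnicodeError:
        pass                                         # already Unicode or not punycode
    text = unicodedata.normalize("NFKD", host).lower()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # drop accents
    for src, dst in SCRIPT_CONFUSABLES.items():
        text = text.replace(src, dst)
    for src, dst in ASCII_CONFUSABLES:
        text = text.replace(src, dst)
    return text


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels.
    Assumption: no Public Suffix List, so 'example.com.au' would be mishandled."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason). Only 'ok' means it is safe to type secrets."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid", "no hostname in URL"
    if parts.scheme != "https":
        return "insecure", f"{host} is not served over HTTPS"

    # 1. Exact bookmark match (or a subdomain of a bookmarked site).
    for official in OFFICIAL_HOSTS:
        if host == official or host.endswith("." + official):
            return "ok", f"{host} is the bookmarked site {official}"

    # 2. Official name used as a subdomain of an unrelated domain,
    #    e.g. metamask.io.wallet-support.com
    reg = registrable(host)
    for official in OFFICIAL_HOSTS:
        if f".{official}." in f".{host}.":
            return "subdomain_spoof", f"{official} appears inside {host}, but the real domain is {reg}"

    # 3. Homoglyph or typosquat of a bookmarked domain.
    reg_skel = skeleton(reg)
    closest = min(OFFICIAL_HOSTS, key=lambda o: edit_distance(reg_skel, skeleton(o)))
    distance = edit_distance(reg_skel, skeleton(closest))
    if distance == 0:
        return "lookalike", f"{reg} looks identical to {closest} but is a different domain"
    if distance <= 2:
        return "typosquat", f"{reg} is {distance} edit(s) away from {closest}"
    return "unknown", f"{reg} is not bookmarked; verify it out of band before entering anything"


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, the rest modelled on common spoofs.
    for sample in ["https://metamask.io/download",
                   "http://metamask.io/",
                   "https://metamask.io.wallet-support.com/recover",
                   "https://rnetamask.io/",
                   "https://metam\u0430sk.io/",          # Cyrillic 'а'
                   "https://pancakeswop.finance/",
                   "https://example.org/"]:
        verdict, reason = check_url(sample)
        print(f"{verdict:15} {sample:50} {reason}")
```

The point of comparing skeletons rather than raw strings is that a lookalike domain is, by construction, a different registrable name, so an allowlist alone says only "unknown"; reducing both sides to what the eye sees turns "metamаsk.io" and "rnetamask.io" into exact hits on the bookmark and lets the check say why the page is dangerous.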

Download the Bamboo app and use code CURIOUS for $10 in ETH.

Follow Crypto Curious on Instagram, or send the team an email with all your thoughts here

*****

In the spirit of reconciliation, Equity Mates Media and the hosts of Crypto Curious acknowledge the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respects to their elders past and present and extend that respect to all Aboriginal and Torres Strait Islander people today.

*****

Crypto Curious is a product of Equity Mates Media. 

All information in this podcast is for education and entertainment purposes only. Equity Mates gives listeners access to information and educational content provided by a range of financial service professionals. It is not intended as a substitute for professional finance, legal or tax advice. 

The hosts of Crypto Curious are not aware of your personal financial circumstances. Equity Mates Media does not operate under an Australian financial services licence and relies on the exemption available under the Corporations Act 2001 (Cth) in respect of any information or advice given.

Before making any financial decisions you should read the Product Disclosure Statement and, if necessary, consult a licensed financial professional. 

Do not take financial advice from a podcast.  

For more information head to the disclaimer page on the Equity Mates website where you can find ASIC resources and find a registered financial professional near you. 

Tracey: [00:00:20] Welcome to the Crypto Curious podcast, designed to help you navigate the dynamic world of cryptocurrency. Hello, my name is Tracey, and I'm joined by my pals, Blake and Craig. How are you going, guys? 

Blake: [00:00:31] Hey, Tracey, pretty well. 

Craig: [00:00:32] How are you, Trace?

Tracey: [00:00:34] Hi boys. Today we talk about security, but what we thought we'd do is we'll fill you in on a few of the not so great stories over the last few years so we can all learn from their mistakes. And then what we'll do is take you through a few steps that you can take to make sure your crypto portfolio stays safe. Craig, do you want to kick things off? 

Craig: [00:00:56] You hear a lot about crypto being full of scams, and you may have even received scam emails or seen scam tweets of Elon Musk giving away bitcoin. So it is rife in the sector. But this is no different to what's been around the internet for years. And, you know, online scams have been a huge issue on the internet and in traditional banking. 

Blake: [00:01:18] That's right. That's in part why we use services like PayPal that really help with fraud prevention, because before services like that, you know, there were so many people losing money by putting their credit card details onto the internet and those credit card details being stolen or being skimmed off the top by hackers. And over the past five or so years, the security with regards to online payments has become far more robust and a lot safer for people to participate. But it did take a long time for that to mature. 

Tracey: [00:01:53] But right now, crypto is a little bit more on the unknown side, and there are many people entering the market uneducated to the risks and how they can keep themselves and their funds safe. So let's talk about a few funny and perhaps not so funny scams and accidental losses that have occurred over the last few years. And these are to do with different ways in which you can keep your crypto safe. So the boys and I have gone away and looked at a few different things that have happened, and we've all got one or two to tell you today. So we'll start with you, Blake. What have you got for us? 

Blake: [00:02:25] I'm going to touch on exchange hackings, and there's one in particular that has created a lot of trauma in the industry over the past 10 years. And it's the Mt. Gox story. Mt. Gox was an exchange from 2010, founded by a guy named Jed McCaleb. And it was actually a website initially designed to trade fantasy game cards. He was based out of Japan at the time, and he basically changed the function of the website to then start trading bitcoins. And at this time, it was the biggest bitcoin exchange on the internet, and he was running it from his personal computer, and he was doing most of the global trading volume for bitcoin at that point in time. And back then, there was an exchange hack where 850,000 bitcoins were stolen. And this is at a point in time when security wasn't at the forefront of people's minds. Everyone that was using the exchange just assumed it was safe. But really, it was extremely unsafe and had very little fraud prevention or security in place. And ever since then, it's created, you know, trauma within the industry and a saying that everyone says: if you don't have your keys, your private keys, then they're not your coins. And it all came from this incident of Mt. Gox being hacked. So since then, there's been a much stronger push towards people understanding how to manage their own crypto and not leaving their coins on an exchange, because there is the chance, if they are on an exchange, that they can be stolen by third parties. And you know, this has continued not just from the Mt. Gox incident, but also many other exchange hackings, including Bitfinex, which is a big trading exchange. They lost about 2200 bitcoins in 2016. And even here in Australia, there was an exchange where one of the founders stole all of the coins from the exchange. 
So I think there's an overarching lesson to learn here: never keep too many coins on an exchange and only keep what you have to on an exchange, because technically, if they are on an exchange, they're not your coins. 

Tracey: [00:04:57] So like with the Mt. Gox one, which is 2010, and that's a lot of bitcoin. How much has been paid back, or is it all? You know, what's the process there? 

Blake: [00:05:08] Not exactly sure. I know some of the coins have been recovered, and the Japanese government has spent many years working towards getting those bitcoins back to the people who made a claim. As I understand it, they weren't all recovered, and it may still be in process now. 

Tracey: [00:05:29] Yeah, okay. It's a lot of bitcoin. Craig, what have you got for us? 

Craig: [00:05:33] I've got one as well. Another exchange hack that was Quadriga. Have you guys heard about this one? The Canadian one? 

Blake: [00:05:40] No, not, no. 

Craig: [00:05:41] Yeah. So Quadriga lost the equivalent of $135 million in crypto, and there's actually a documentary about it on Netflix called Looking for the Crypto King. It's super interesting to see the story of how crazy it was back in the 2010 to 2014 days for these exchanges. But also, what we see now, for me especially, is phishing is a real big problem in crypto at the moment. So there's these things called spoof websites, and they trick you into putting your seed recovery phrase in. A spoof website is a website that pretends to be a legitimate website. So I actually have a friend who went on a fake PancakeSwap exchange; PancakeSwap is a legitimate, decentralised exchange. He went on there thinking it was the real thing, but it wasn't. And the website prompted him to put his recovery phrase in, and since he gave them his recovery phrase, they were able to log in to his wallet and take the coins out. So hard lessons to be learnt there. 

Blake: [00:06:52] Yeah, yeah. I think it might be just really important to touch on. MetaMask is a cryptocurrency wallet that people can integrate into their Chrome browser, and your recovery phrase is basically your backup for your crypto. And you never want to share this with anybody. And the lesson here in this circumstance, Craig, I think, is that you never share your recovery phrase, which is a 12 word backup password for your wallet, and you absolutely never want to share that with anyone. Even if a website prompts 

Craig: [00:07:26] you. Or, in saying that, you should only put it into the official wallet, you know, website when you're recovering your wallet on a new device or a new browser. You should never, ever put it on a website. 100 percent. 

Tracey: [00:07:41] And just on that, how do they tell whether a site is legitimate? How can they tell that they're doing the right thing on the right site? 

Blake: [00:07:47] There's a couple of ways that you can do that. Firstly, make sure it's the real one. There's a little lock icon next to the website name. And the second one is that when you do a Google search, make sure it's a verified website. All the major crypto wallets have been verified by Google, such as Trezor and MetaMask. And when they have the little blue tick, that's, you know, the one to select. And then another way that you can further prevent yourself from being spoofed in this way is that when you go on to the official website, make sure you save it to your bookmarks. So then you're always going back to the same website. And even if a fake website with a similar name pops up, it won't be the one that you always navigate to. 

Tracey: [00:08:34] Yep, some very good advice there. And you might have heard a story that was going around last year about a guy in the UK who was begging his local council to dig up eight years of trash at his local tip. So this gentleman claims to have lost a hard drive. He had two, apparently, two hard drives, and he threw the wrong one out, and the one that he threw into the trash had seven thousand five hundred bitcoins on there. So, you know, at current price, that's $450 million worth of bitcoin. So he's been in conversation with his local council, begging them to go through and wade through this trash. I don't know how he thinks he'd find it after eight years, and his promise to them was he'd give them twenty five per cent. So I mean, that's a lot of money. But they've just said, obviously for health and safety reasons and the money that it would take to do it, they're not really interested in doing that. And then similarly, a guy in San Fran, also a similar amount, seven thousand on his hard drive, but he's just forgotten or misplaced the details of his recovery phrase. So both of these people have actually lost their recovery phrase, so they both cannot access their bitcoin. And funnily enough, they both work in IT, so they should have known better. 

Blake: [00:09:53] Exactly right, Tracey. And I think there's a lesson here, just to recap: whenever you're setting up a new cryptocurrency wallet, you will get a 12 word recovery phrase. And this is something that you want to be very careful in writing down and then storing somewhere that's very safe, so that if you ever do have an issue with your wallet, it's like a backup. You can always recover the wallet. And it's always best practice as well to do a test recovery every six to 12 months just to make sure that you've done it correctly. Because the last thing we want to do is end up like one of these guys, losing, you know, a life changing amount of money 

Tracey: [00:10:31] and actually one of my neighbours, he went to the effort of soldering his phrase into a bit of metal in case there was a house fire. And then he put that into his safe, and then his safe got stolen. So, oh, I know. Yeah, so what are the odds? 

Blake: [00:10:48] There's another story that I'd like to touch on as well, and that kind of feeds into this, you know, always making sure that you have a backup. And I know someone that was part of the Ethereum ICO, and he didn't put much in, but he ended up, I think, with about 9000 Ethereum, and it was stored on an old computer, and he forgot about it for several years. And then when he saw the price of Ethereum, he, you know, obviously wanted to recover it, where they were on his old computer, and the old computer wasn't working anymore. It was in his garage. They couldn't get it started. So he said to a friend of his that if he was able to get the Ethereum off the old hard drive, he would give him half. So the gentleman was able to help him out and get the 9000 Ethereum off the hard drive, and then the first gentleman, who owned the bitcoins, actually reneged on the offer. He didn't end up giving him half; I think he gave him 100 grand. But you know, these stories happen all the time, where people have something that's maybe not valuable when they buy them, but several years later, you know, it's a life changing amount of money. So we just always have to be really careful with all the crypto that we store. 

Tracey: [00:12:04] Yeah. And look, I've got one more which I'll talk about, which was a hack that was publicised quite a bit earlier this year, which was the Ledger hack. So we spoke a little bit in previous episodes about the hard wallet and the two main hard wallets, Ledger Nano and Trezor. So Ledger was hacked late last year as a company, and the files that were hacked were originally publicised as email addresses, and they originally had said that there were something around 9000 emails that were distributed. It came to light that it was more like a million that were distributed and went out onto the web. So a million emails of people who had bought Ledgers. And then it came even further to light that it was not just emails, but it was phone numbers, names and even addresses of people. So that's a huge security breach that's happened with Ledger. And you know, as you can imagine, anyone that has bought a Ledger started to get, you know, scamming and phishing emails, because obviously then the people on the dark web that are making use of these email addresses know that these people obviously have cryptocurrency. So this was a huge deal. And a lot of people were very unhappy with Ledger at the time, all getting these phishing attacks. And what happened also was that they assumed that people who had bought a Ledger may also have a Trezor. So they were getting a little bit more sophisticated in attacking people that, you know, perhaps had Trezors as well. But the takeaway on that one is the Ledger and the Trezor, all the units themselves, have never been compromised. This hack was purely from Ledger as a company. But the Trezor and the Ledger that you have at home, that you're storing your crypto on, themselves have never been hacked. We're going to go to a break now. But when we get back, we're going to talk about all the steps that you need to take to make sure that your crypto remains safe. 
So security works differently on different platforms, so let's start off with those of you who might have started with a micro savings app like Bamboo.

Blake: [00:14:19] So the industry is really evolving, Tracey, where, you know, many apps and exchanges use institutional custody providers, and these are basically like digital vaults that, you know, set up the infrastructure for banks and, you know, cryptocurrency exchanges and cryptocurrency apps. And Bamboo uses one called Fireblocks. They hold about $80 billion in cryptocurrency and they're, you know, industry leading. And they make it very easy for others to store crypto extremely safely, while at the same time being able to move them around when necessary. And this means that, you know, platforms like ours don't have to manage physical devices, which takes a big burden off and makes it much safer for our customers. 

Tracey: [00:15:10] So apps like Bamboo and Raiz and things like that, we don't have to worry about security on.

Craig: [00:15:17] Yeah, that's right, Trace. And you know, when you're ready to move off these apps or you're using an exchange, you can be assured that, you know, exchange hacks are becoming less and less likely with these companies like Fireblocks and really high grade security solutions. But in saying that, if you're using an exchange, there is a lot of personal responsibility: things like having two factor authentication, having a recovery phrase written down for exchanges as well, and having a LastPass where you're not just putting in your dog's name and your favourite drink, you're actually putting in random numbers and letters in your LastPass, which, you know, cannot be guessed by anyone. 

Blake: [00:15:59] Yeah, LastPass is a password manager, and it can randomly generate passwords for you with like 24 random letters and numbers. And that makes it really strong and difficult for people to hack.

Tracey: [00:16:12] And just looking at two factor identification, most people would be using the Google Authenticator app on their phone for that, which still has a long way to go for development, because at this point in time, and correct me if I'm wrong, guys, if you have the app and you've got the authenticator set up at the moment, I've got, say, a dozen in there that I use. If I then change phones, which I'm due to do very soon, and I can't bring that across, I lose all of those. Can you bring it across? Because I couldn't last time I did this two years ago and I had to.

Blake: [00:16:44] So the way that it works is that when you do set up your two factor authentication for any website, it's going to give you a recovery phrase or a string of numbers and letters that you can use to then produce the two factor authentication on any device. Right. And it's really important that you copy this and put it somewhere very safe, for example in a password holder like LastPass, so that if the situation happens where you lose your phone or you need to upgrade, you can then still reinstall, you know, the 2FA for any particular website on a new device. 

Tracey: [00:17:25] So 2FA generally can be a text message to your phone and a phone number, but a lot of the exchanges prefer it to be sent to an app on your phone and won't let it be just a text to you. And some even want it to be a text and something that's sent to your app as well. So therein lies the problem. 

Blake: [00:17:45] I'll quickly talk about an example where 2FA saved me. So I have a Binance account, and one day I got an email through to my personal email account saying that someone's just tried to attempt to log in to my Binance account. And I was like, oh, that's weird. And I thought that was a spoof email or a fake email. But then I went into Binance and had a look at the logs, and it looks like someone actually brute forced my password, right, and got into the second stage. But then they weren't able to get into my account because I had 2FA enabled. And it's very, very difficult. 

Tracey: [00:18:22] What does brute force mean? Like what is brute force? 

Blake: [00:18:25] Brute force essentially means that they're running millions of combinations of letters and numbers to try and break your password. So they use quite a lot of computing power to try and get in. And so if you're making very simple passwords like your dog's name, then they're going to be brute forced very easily. Now, I had a pretty cruddy password on my Binance account and it was brute forced, and I was lucky that my 2FA saved me. And this is its purpose. 

Tracey: [00:19:00] Wow. 

Craig: [00:19:01] I'm very lucky. Cool. 

Tracey: [00:19:03] Yeah. OK, so we've talked about the micro savings apps and how the onus there is on the company for the most part, and we looked at the exchanges, who have become much more secure in recent times, but you still need to make sure that you have password protection and you have activated your two factor identification. So now let's look at what you can do when you have maybe got to the point where you've made some purchases of crypto and got to a point where that money that you've got, you know, is a significant amount and means something to you, and you should probably be taking that offline and using something like a hard wallet. 

Craig: [00:19:39] Yeah, a hard wallet is essentially a little USB locked device that you store your crypto on. Now we spoke about it before, but with these little hard wallets, you get a recovery phrase, which is essentially the phrase that you use to recover your assets if you were to lose your device. So with this solution, it's a solution that requires the most responsibility, because if you, as we said before, if you lose your keys or your hard wallet, there's no support desk. There's no live chat to ask for it back. If it's gone, it's gone. So this is probably the most secure way, but definitely the most, you know, high responsibility way. 

Blake: [00:20:26] And the key reason why it's the most secure method of storing your crypto is because it's offline, it's cold. It's not touching the internet, it's in your safe. So that means it's almost impossible for somebody to hack and steal your bitcoins. However, then, as you said, Craig, the onus is on you to keep that device safe. 

Tracey: [00:20:47] And has there ever been an instance where someone's hardware has been hacked? 

Blake: [00:20:52] Not that I've heard of. Yeah, not that I've ever heard. 

Tracey: [00:20:55] No, mate. I'm sure we would have heard of it by now. 

Blake: [00:20:57] So if you want to buy a hardware wallet, a Ledger or Trezor, it's really important that you go to a certified reseller. I know the Trezors are made in Europe and it can take some time to get here. But if you do buy it from a reseller here in Australia, just be very, very careful who you purchase it from. Because there have been circumstances where people have made fake devices and sold them to people so they could steal the bitcoins that they load up onto them.

Craig: [00:21:28] Yeah, even then, you know, PayPal, if you buy one off Amazon, Avon or eBay, you can also run the risk of buying one that's already pre-wired so that someone can just easily take your bitcoins from you after that. So, as Blake said, making sure they're the legit reseller.

Tracey: [00:21:46] So hopefully you've come away from this episode understanding a bit more about how to keep your recent purchases safe. So now let's move on to this week's listener's question, which comes from Shane, who has asked I'm curious to learn more about what burning is and refers to, and I'm going to pass this one over to Blake. 

Blake: [00:22:06] Yeah, no worries. I can talk about burning, Tracey. So in the crypto sphere, burning a token means that you digitally destroy a token forever, and you might ask, why do you want to do this? And the key reason is that most cryptocurrencies have a fixed supply, for example with bitcoin. There's 21 million coins. Now, if I was to burn one bitcoin, meaning destroy it forever, send it to a burner address, then that would reduce the supply of bitcoin. Now, projects use this mechanism to manipulate the economics of the circulating supply. And two things really dictate the price of a particular asset: it's supply and demand. Now, if the supply is reducing and the demand is increasing for any particular asset, then the assumption is that the price would go up. So many projects, including Ethereum, automate a burning mechanism so that over time the amount in circulating supply reduces. And therefore the assumption is that the price will go up 

Tracey: [00:23:19] and hopefully that cleared a few things up for you there, Shane. Burning can be a hard topic to understand, and that's it for today's episode. But before I go, a bit of exciting news. Check out our blog, which will have more resources to help you on your journey. Go to the show notes to find out the link. Please keep the questions coming. We want to know what you want to know about crypto, so send us an email at podcast at getbamboo.io or follow us on social media. And don't forget to rate and review us on your podcast app. And that's it from us. See you next week! 

Craig: [00:23:50] Bye.

Meet your hosts

  • Blake Cassidy

    Blake has a passion for technology and fell down the crypto rabbit hole while studying in Europe in 2015. He then started trading Bitcoins while living in China in 2015 and ever since then has been immersed in the sector. Blake is now the CEO of Bamboo, which helps people take their first step into cryptocurrencies.
  • Craig Jackson

    Craig developed an interest in crypto after hearing about Bitcoin at soccer training in 2017. Since going down the rabbit hole, Craig has endured the ups and downs of crypto, now working in fintech as the Growth Lead at Blossom. Craig enjoys learning about the upcoming innovations in the space and is keen to share them with the Crypto Curious.
  • Tracey Plowman

    Chief Operations Officer for cutting-edge cryptocurrency app Bamboo, Tracey Plowman is among just a handful of women taking on executive roles in the digital assets space. Tracey is extremely motivated to encourage more women into technology and believes this can help to empower their investment choices and establish financial freedom. Tracey's interest in cryptocurrencies was sparked while working as operations manager for a digital investment fund. This fostered her passion for cryptocurrencies and trading in this new asset class.
