It’s happening. Businesses want in on crypto.
Big players like PayPal are dabbling in crypto payments, a historic number of companies are holding cryptocurrency on their balance sheet, and even NBA teams like the Sacramento Kings are offering bitcoin wages to players and staff. It's clear that institutions want to capitalize on this revolutionary technology.
The benefits of using blockchain for payments are immense, but when it comes to transacting with crypto — particularly as a business — safety and security must be top of mind.
The looming threat of theft, hacks, and phishing attacks can be intimidating, but don't let that steer you away from making the most of crypto. By practicing proper crypto security hygiene, much of that risk can be mitigated.
Here are eight ways to keep your company's crypto secure.
8 Steps to Keep Your Company’s Crypto Safe
1. Understand the risks
The crypto ecosystem has matured, but most of the common exploits and malicious tactics remain the same. The first step to safeguard against them is to understand what you're up against.
A phishing attack occurs when a bad actor poses as a well-known brand or entity in order to steal funds or information. Some of these dupes are very sophisticated and well executed—even successfully spoofing legitimate email domains. Never reveal sensitive info like passwords or private keys over email. Reputable companies will never solicit this information via email or chat.
In 2019, a phishing spoof of blockchain.com was able to steal $27M in crypto by replicating the website on a domain with a typo in the address. Victims entered their details on the bogus domain and thieves gained access to their wallets. This specific phishing tactic is known as typosquatting. Always pay attention to the domain name when logging in.
Malware is a piece of nefarious software that can spy on your activities and steal your data and your funds. There are all kinds of malware out there, including worms, trojan horses, keyloggers, ransomware, bots, and spyware. In one such instance, a remote-access trojan called InnfiRAT was programmed to target cryptocurrency wallets. These days, it's not uncommon for malware to specifically target crypto.
The best protection against malware is common sense. Don't click on suspicious links. Don't download suspicious software. If you frequent dodgy websites, access them from a separate device that never interacts with your crypto wallets and accounts.
Copy and paste attacks
A copy and paste attack is another form of malware. This sort of malware functions by hijacking your clipboard when it detects a crypto address, replacing it with a scammer's address. You copy a crypto address, the scammer's address is pasted, and you unknowingly send the funds to the scammer. Always double check that you're sending funds to the correct address.
If you're still reeling from the Mt. Gox days, you're not alone. An exchange hack occurs when an entire cryptocurrency exchange is hacked and funds are stolen directly from the exchange. While larger entities like Coinbase assure us that they're well secured and insured, it's important to be aware that the possibility exists. Avoid leaving large amounts of crypto on any exchange, particularly smaller ones.
SIM Card Swaps
A SIM card swap occurs when a bad actor gets ahold of your SIM card information and has it switched to their device, granting them access to accounts connected to your phone number. This is typically done remotely. Some SIM swap attacks have been as simple as a scammer calling up a wireless provider and impersonating the account holder. Many wireless carriers have instituted safeguards like SIM-specific passwords and PINs to prevent this, but often you must specifically ask for them to be activated.
SIM swap attacks make two-factor authentication (2FA) that isn't tied to your phone number particularly important. We'll go into more detail about this later.
The bottom line is that most crypto theft happens when someone unknowingly leaves themselves vulnerable. Below, we'll explore security strategies to make sure you've got your bases covered.
2. Choose the right crypto wallet(s)
It’s important to select the safest crypto wallet for your business. Think of crypto wallets like you would any regular wallet: it’s where you hold your funds. There are two general types of wallets: hot and cold. You can choose one or the other, or take advantage of both.
Hot Crypto Wallets vs. Cold Crypto Wallets
Hot wallets typically live on your browser, desktop, or mobile device. They're connected to the internet, which makes them easy to use for transactions but this also makes them more vulnerable to attacks than cold wallets.
Cold wallets are offline, tougher to access and transfer funds from, and generally more secure as a result.
You can use both types of wallets for different purposes. Hot wallets can be used to make regular transactions. Think of hot wallets like the wallet you carry on your person: you wouldn't stuff your life savings in your back pocket. Only store the amount of crypto that you need to transact with in your hot wallet. Cold wallets are a better choice for long-term fund storage.
Custodial crypto wallets vs. non-custodial crypto wallets
Another consideration is whether to use a non-custodial or custodial wallet (or both). Do you want control of your keys (self-custody) or do you want to give control to a centralized service like Coinbase (a custodian)? Although non-custodial wallets are typically considered more secure, many businesses prefer custodial wallets and accounts because they’re easier to access and monitor with less responsibility. It ultimately comes down to how comfortable your team is with managing private keys.
Again, while every business is different, we suggest using non-custodial hardware wallets like Ledger or Trezor to store your funds (i.e. if you’re HODLing in your treasury). But for regular transactions like paying employees and bills, we recommend using either a custodial wallet like a Coinbase account or a non-custodial browser wallet like MetaMask. If you're using multiple wallets, make sure you're keeping track of all of your accounts and transactions with Gilded.
One more important note about wallets: if you're purchasing a hardware crypto wallet, buy it directly from the manufacturer and not from a third-party vendor. To be sure you're using a clean, uncompromised hardware wallet, you can restore the wallet from the seed phrase before using it.
3. Define and set up proper controls for access to funds
For businesses, it’s essential to have multiple controllers in order to limit liabilities. Only releasing a certain amount of funds from cold storage, or designating how many signers are needed to move funds between a hot wallet and cold storage, creates multiple layers of security for your business.
That’s why it’s a good idea to have a multisignature wallet (or multisig), like Gnosis, that requires two or more private keys to send a transaction. This security method requires multiple team members to confirm a transaction in order to execute it. Again, this helps to ensure one person doesn’t have full control of your funds and limits the liability.
4. Decentralized vs. centralized exchanges
Similar to custodial vs. non-custodial wallets, decide whether you want to use decentralized exchanges like Uniswap or Sushiswap (also called DEXs), centralized exchanges like Coinbase or Gemini (also called CEXs), or both. Each carries its own benefits and tradeoffs.
With decentralized exchanges or DEXs, you don’t have to worry about exchange hacks or theft, but personal responsibility becomes much more important. You will need to store your private keys in a safe, offline place and be responsible for your keys.
Centralized exchanges, or CEXs, keep your private keys safe, but you don’t ultimately hold your money and may lose funds if the exchange is hacked or if a dispute prevents you from accessing your funds. Furthermore, CEXs are not known for their customer service if you have an issue. By using a CEX, you also risk your personal information being leaked by the exchange through its AML/KYC processes.
So what type of exchange should you use? Similar to types of wallets, it’s ultimately up to you which type of exchange you want to use and how comfortable you are holding your private keys.
5. Use a password management app to generate and remember unique passwords, but store private keys (i.e. the keys to your crypto) offline in a notebook
There is an important distinction between private keys and passwords. Private keys are the way you access your cryptocurrency on the blockchain — they are essentially your claim to your funds. Passwords and passphrases, on the other hand, are an additional layer of protection for your private keys and accounts.
Although we recommend storing your private keys or phrases in a physical notebook, you should store passwords that you frequently use in something more accessible and secure like 1Password. 1Password is a secure and intuitive way to create and track your passwords, especially for crypto passwords. Generate long obscure passwords with special characters and never use the same password for more than one account.
6. Set up 2-factor authentication (2FA) for all crypto accounts
Most wallets and exchanges give you the ability to set up two-factor authentication — a one-time code that's required to log in to your wallet or account. 2FA simply adds another layer of security besides your password.
Do NOT use SMS as your 2FA option unless it’s the only option. SMS leaves you vulnerable to SIM card swaps. Instead, use app-based or device-based codes, stored in an authenticator app or hardware device.
If you're holding crypto on an exchange like Coinbase or in an interest-bearing account like BlockFi, consider enabling whitelisting. Whitelisting is an opt-in security feature that only allows crypto withdrawals to approved addresses. It takes a certain number of days for a newly added address to be whitelisted, so if a bad actor were to gain access to your account, they wouldn't be able to immediately withdraw the funds to their own wallet, and you would be notified that a new address was added. Keep in mind that this will increase the amount of time it takes to withdraw funds, so if you might need immediate access to those funds, this is not the best option.
7. Keep your computer up to date
Make sure you’re using an up-to-date computer to avoid malware. Best practice is to use a device with a modern operating system like Windows 10, macOS, or Linux if that's your jam. If you’re using Windows XP, Windows 7, or an older version of Mac OS X, then it’s time to upgrade. Also, make sure you don't neglect periodic updates to your computer's operating system. These updates patch vulnerabilities to keep you safer from exploits.
8. Make sure you're sending crypto to the correct address
When transferring funds to a wallet for the first time, it's not a bad idea to send small test amounts first to ensure you're sending it to the correct address.
If you regularly send funds to the same addresses, it’s a good idea to use software like Gilded to seamlessly add your frequently used addresses as contacts. This reduces the possibility of losing funds due to user error or copy and paste malware.
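The clipboard-hijacking malware described under step 1, the withdrawal whitelisting delay under step 6, and the saved-contacts advice above all come down to the same two checks: is this address well-formed, and is it one we have already approved? As an added example that is not Gilded's code, here is a Base58Check validator for legacy Bitcoin addresses together with an allowlist whose new entries only become payable after a delay; the class and function names are my own.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed example, not Gilded's code: validate a legacy Bitcoin address's
# Base58Check checksum before saving it, and only pay addresses that have sat
# on the allowlist past an activation delay (the withdrawal whitelisting idea).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ACTIVATION_DELAY = 24 * 3600  # seconds a newly added address waits before use


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal SHA256d(first 21)[:4]."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False  # non-alphabet characters: mangled or not a legacy address
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


@dataclass
class WithdrawalAllowlist:
    now: int  # injected clock (unix seconds) so the delay is testable
    entries: dict = field(default_factory=dict)  # label -> (address, active_at)

    def add(self, label: str, addr: str) -> None:
        """Refuse malformed addresses; accepted ones become payable only later."""
        if not base58check_valid(addr):
            raise ValueError(f"{label}: address fails Base58Check, not saved")
        self.entries[label] = (addr, self.now + ACTIVATION_DELAY)
        # a real system would notify every account owner that an address was added

    def can_send(self, addr: str) -> bool:
        """Exact match against a saved contact whose activation delay has elapsed."""
        return any(saved == addr and self.now >= active_at
                   for saved, active_at in self.entries.values())
```

A checksum catches a mistyped or truncated address, but not a swapped one that is itself valid; that is what the exact match against saved contacts is for.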
Crypto is changing the way we do business. It's finally possible to transact globally, near instantly, 24/7 — without banks and intermediaries. But just like in the world of traditional finance, cyber attacks are a real and present danger. The best time to take security seriously was before you ever touched crypto. The second best time is today.
If you're reading this article, you've either been tasked with overseeing your company's crypto transactions or are looking for ways to protect your business's assets. Some of the practices mentioned are general in nature and can apply to both you as an individual user or the financial controllers of your company.
There are many facets of crypto security and we know all the information can be overwhelming but don't fret — we're here for you if you've got any questions.
Founded in 2018, Gilded is backed by Techstars and the Association of International Certified Public Accountants (AICPA). Gilded helps global companies scale by automating cryptocurrency payments and accounting. In 2020, Gilded announced partnerships with TrustToken, Paxos and Stablecorp to offer the world’s first B2B payment solution powered by stablecoins.