Security Tips from MyEtherWallet Team
While I don't recommend MyEtherWallet (MEW) for cold storage exclusively, they are a great open source project and team with a wallet that everyone is using nowadays. I’ve repeated some of these tips throughout this document. They wrote a fantastic reddit post about some basic security practices. Here are the post's main points:
"How can you protect yourself?
Get yourself a Ledger or Trezor Hardware wallet. They are less than 0.5 ETH now and a variety of wallets support them. There is really, really no excuse. https://www.ledgerwallet.com & https://shop.trezor.io/
If you don't want one of these nifty devices, use cold storage for a majority of your savings. Please. Pretty please.
Bookmark your crypto sites. Use those bookmarks and only those.
Turn on 2FA for everything. Go do it. Right now. Quit your excuses. Choose Google Authenticator over Authy. Don't use your phone number. Then, make sure your phone number is NOT tied to your Google account (look in privacy settings). Turns out, you and your BFF Mr. Hacker can "recover" access to your account via that number, completely destroying the point of 2FA.
- PS: Don't forget to cold-storage your backup words for these 2FA things. It's a huge pain when your phone goes for a swim and your entire life is 2FA'd. 😊
Do not use cloud storage (Dropbox, Drive, iCloud) for storing your keys :( Now your keys would only be protected by your cloud storage password. Also, see #4.
For Token Sales: do not trust any address except the one posted on the official site. Bookmark the URL before the sale, get the address from the URL from your bookmark at time of purchase. Do not trust any other source (especially a random bot on Slack). PS: When are token sales going to start using ENS names?
Double check the URL. Check it. Then, check it again right before entering any information. This is especially important for any sites that require usernames, passwords, email addresses, private keys, and any other personal information. SSL certs do not mean a site is trustworthy, just that they bought an SSL cert. Not sure about the correct URL? Cross reference Reddit, Twitter, Github, Slack and wherever else the project hangs out.
Triple check Github URLs. These are much easier to fake and much easier to miss. Instead of downloading from that random URL on reddit, seek out the URL on your own. Following the developers of these repos on Twitter, friending them on reddit (lol...but seriously it's nice because their name will be orange), or starring said repos on Github helps.
Always verify that the site you landed on is legit. Especially if you are about to entire your private key or download an application. What is legit? A service that people have used for a decent period of time with good results. If the URL has been registered in the last week or the site "just launched", err on the side of caution and avoid it for a while.
Google the service name + "scam" or "reviews". Scam sites rarely last long. Value real comments by real people over a random blog. Value a collection of information over a single source. Understand that legit services will likely have a mix of positive and negative reviews over a long period of time. Scam sites typically have no one talking about them, everyone yelling about how they got robbed, or the most perfect reviews ever. The latter one is just as red of a flag as the first one.
Don't ever run remote-access software (e.g. TeamViewer) ever...but especially not on a computer with keys on them. The number of security holes in these programs is atrocious. You 2FA your entire life, but then let a single string of characters give someone access to your entire computer & every account. 😱
Don’t click any link regarding anything crypto, money, banking, or a service like Dropbox / Google Drive / Gmail in any email ever. And if the scammy clickbait was simply too irresistible for you, don’t enter any information on the page.
Install an adblocker that actually turns off Google/Bing Ads. I recommend going with uBlock Orgin. If you are already using Adblock Plus, it does not hide Google Ads from you. Go into your Adblock Plus settings and uncheck the box that says “Allow some non-intrusive advertising”.
Don’t click on advertisements. With or without an adblocker, you should never, ever click on advertisements.
If you have accidentally visited or typed a malicious site, clean out your recent history and autocomplete. This will prevent you from typing kra… and having it autocomplete to the malicious krakken.com.
No one is giving you free or discounted ETH. Even for completing a survey.
The guys who just finish their token sale don't want to sell you tokens via Slack DM. Neither does that smokin' hot 125px x 125px avatar.
Lastly: use your brain. Think for a moment. Don't assume, ask. Don't blindly follow, question. If something doesn't seem right...if you feel like the luckiest fucker on Earth...or if you find yourself asking, "I wonder why I haven't seen this on reddit yet", there is likely a reason. 👍"
You may read the full text of the post at:
https://www.reddit.com/r/ethereum/comments/6fr2lx/updated_its_time_to_get_real_stop_relying_on/