
Ethereum security and scam prevention | ethereum.org

page last updated: August 17, 2022

As interest in cryptocurrencies grows, it is essential to learn best practices for using them. Cryptocurrencies can be fun and exciting, but they also carry serious risks. A small amount of upfront work lets you mitigate these risks.


Web security 101

Use strong passwords

Over 80% of account hacks are the result of weak or stolen passwords. A long combination of letters, numbers and symbols is the best way to keep your accounts safe.

A common mistake is to use a combination of two or three common, related dictionary words. Passwords like this are insecure because they are vulnerable to a simple technique known as a dictionary attack.

Another common mistake is using passwords that can be easily guessed or discovered through social engineering. Including your mother's maiden name, the names of your children or pets, or dates of birth in your password is not secure and increases the risk of your password being guessed.

Good password practices:

  • create passwords as long as your password generator or the form you are filling in allows
  • use a combination of uppercase, lowercase, numbers, and symbols
  • do not use personal data, such as family names, in your password
  • avoid common dictionary words

Learn more about how to create strong passwords.

Use unique passwords for everything

A strong password provides much less protection once it has been revealed in a data breach. The Have I Been Pwned website lets you check whether your accounts were involved in any of the data breaches stored in its database. If so, change the affected passwords immediately. Using a unique password for each account reduces the risk of attackers gaining access to all of your accounts when one password is compromised.

Use a password manager

Remembering strong, unique passwords for every account you have is not practical. A password manager offers secure, encrypted storage for all your passwords, which you access through a single strong master password. Password managers also suggest strong passwords when you sign up for a new service, so you do not have to create your own. Many will also tell you if you have been involved in a data breach, allowing you to change passwords before a malicious attack.

Example of using a password manager

Try a password manager:

  • Bitwarden
  • KeePass
  • LastPass
  • 1Password

Use two-factor authentication

To prove that it is really you, there are several different tests that can be used for authentication. These are known as factors, and the three main factors are:

  • something you know (such as a password or security question)
  • something you are (such as a fingerprint or iris/face scan)
  • something that you have (a security key or authenticator app on your phone)

Using two-factor authentication (2FA) adds a second security factor to your online accounts, so knowing your password (something you know) is not enough to access an account. Most commonly, the second factor is a random 6-digit code known as a time-based one-time password (TOTP), which you can access through an authenticator app like Google Authenticator or Authy. These work as a "something you have" factor because the seed that generates the timed code is stored on your device.

Security keys

For those who want to take the next step in 2FA, consider using a security key. Security keys are physical hardware authentication devices that work in the same way as authenticator apps. Using a security key is the most secure form of 2FA. Many of these keys use the FIDO Universal 2nd Factor (U2F) standard. Learn more about FIDO U2F.

See more on 2FA.

Uninstall browser extensions

Browser extensions, such as Chrome extensions or add-ons for Firefox, can add useful functionality to the browser and improve the user experience, but they come with risks. By default, most browser extensions request access to "read and change site data", allowing them to do almost anything with your data. Chrome extensions always update automatically, so a previously safe extension can later be updated to include malicious code. Most browser extensions do not try to steal your data, but you should be aware that they can.

Stay safe by:

  • only installing browser extensions from trusted sources
  • removing unused browser extensions
  • installing Chrome extensions locally to stop automatic updating (advanced)

More information about the risks of browser extensions.

Crypto security 101

Level up your knowledge

One of the main reasons people get scammed in crypto is a lack of understanding. For example, if you do not understand that the Ethereum network is decentralized and owned by no one, it is easy to fall prey to someone pretending to be a customer service agent who promises to return your lost ETH in exchange for your private keys. Learning how Ethereum works is a worthwhile investment.

Wallet security

Don't give out your private keys

Never, for any reason, share your private keys!

Your wallet's private key acts as the password for your Ethereum wallet. It is the only thing stopping someone who knows your wallet address from emptying all the assets in your account!

Do not take screenshots of your seed phrases/private keys


By taking screenshots of your seed phrases or private keys, you risk syncing them to the cloud and potentially making them accessible to hackers. Obtaining private keys from the cloud is a common attack vector for hackers.

Use a hardware wallet

A hardware wallet provides offline storage for private keys. Hardware wallets are considered the most secure option for storing your private keys.

Keeping private keys offline greatly reduces the risk of being hacked, even if an attacker gains control of your computer.

Try a hardware wallet:

  • Ledger
  • Trezor

Double check transactions before sending

Accidentally sending crypto to the wrong wallet address is a common mistake. A transaction sent on Ethereum is irreversible. Unless you know the owner of the address and can convince them to return your money, there is no way to get your funds back.

Always make sure the address you are sending to exactly matches the address of the intended recipient before sending a transaction. When interacting with a smart contract, it is also recommended to read the transaction message before signing.

Set smart contract spending limits

When interacting with smart contracts, do not allow unlimited spending limits. An unlimited allowance could let the smart contract drain your wallet. Instead, set the spending limit to only the amount needed for the transaction.

Many Ethereum wallets offer limit protection to guard against account depletion.

Explore wallets with limit protection.
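A concrete form of "read the transaction before signing" and "do not allow unlimited spending limits", as an added example that is not code from the original page or from any wallet: Python that ABI-encodes an ERC-20 approve(address,uint256) call and, on the wallet side, decodes one to flag an unlimited or oversized allowance or an unexpected spender. The function selector 0x095ea7b3 is the real ERC-20 one; the spender address, token decimals and amounts are constructed.

```python
from typing import Optional

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1        # an allowance of this size is what "unlimited" looks like on-chain
ONE_TOKEN = 10**18              # assumes an 18-decimal token (constructed)

def strip0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h

def build_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount): 4-byte selector, the address left-padded to
    32 bytes, then the uint256 amount as 32 bytes."""
    addr = strip0x(spender)
    if len(addr) != 40 or not 0 <= amount <= UINT256_MAX:
        raise ValueError("bad spender or amount")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")

def decode_approve(calldata: str) -> Optional[tuple]:
    """Return (spender, amount) for an approve call, or None if the calldata is something else."""
    data = strip0x(calldata)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:      # the upper 12 bytes of an address word must be zero
        return None
    return "0x" + spender_word[24:], int(amount_word, 16)

def check_allowance(calldata: str, expected_spender: str, needed: int) -> str:
    """Wallet-side check before signing. Returns one of:
    'not-approve', 'wrong-spender', 'unlimited', 'excessive', 'ok'."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not-approve"
    spender, amount = decoded
    if spender != "0x" + strip0x(expected_spender):
        return "wrong-spender"
    if amount == UINT256_MAX:
        return "unlimited"      # the contract could drain the whole balance at any time
    if amount > needed:
        return "excessive"      # more than this transaction requires
    return "ok"

# Constructed values: a made-up spender address and a purchase that needs 100 tokens.
DEX = "0x" + "ab" * 20
UNLIMITED_CALL = build_approve(DEX, UINT256_MAX)     # the setting to refuse
BOUNDED_CALL = build_approve(DEX, 100 * ONE_TOKEN)   # the corrected, bounded approval
```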

Common scams

Scammers are always looking for ways to take your funds from you. It is impossible to stop scammers completely, but we can make them less effective by knowing the techniques they most commonly use. There are many variations of these scams, but they generally follow the same high-level patterns. If nothing else, remember:

  • always be skeptical
  • no one will give you free or discounted ETH
  • no one needs access to your private keys or personal information

Giveaway scam

One of the most common cryptocurrency scams is the giveaway scam. The giveaway scam can take many forms, but the general premise is that if you send ETH to the provided wallet address, you will receive your ETH back doubled. For this reason, it is also known as the 2-for-1 scam.

These scams typically stipulate a limited window of opportunity to claim the giveaway, to encourage poor decision-making and create a false sense of urgency.

Social media tricks

A high-profile version of this occurred in July 2020, when the Twitter accounts of prominent celebrities and organizations were hacked. The hacker simultaneously posted a bitcoin giveaway to the hacked accounts. Although the misleading tweets were quickly noticed and removed, the hackers still managed to get away with 11 bitcoins (or $500,000 as of September 2021).

A scam on Twitter

Celebrity giveaway

The celebrity giveaway is another common form the giveaway scam takes. Scammers take a recorded video interview or conference talk given by a celebrity and broadcast it live on YouTube, making it appear that the celebrity is giving a live video interview endorsing a crypto giveaway.

Vitalik Buterin is most often used in this scam, but many other prominent people involved in crypto are also used (for example, Elon Musk or Charles Hoskinson). Including a known person gives the scammers' live stream a sense of legitimacy ("this seems sketchy, but Vitalik is involved, so it must be ok!").

Giveaways are always scams. If you send your funds to these accounts, you will lose them forever.

A scam on YouTube

Support scams

Cryptocurrency is a relatively young and misunderstood technology. A common scam that takes advantage of this is the support scam, where scammers pose as support staff for popular wallets, exchanges, or blockchains.

A lot of the discussion about Ethereum happens on Discord. Support scammers usually find their targets by searching for support questions in public Discord channels and then sending the requester a private message offering support. By building trust, support scammers try to trick you into revealing your private keys or sending your funds to their wallets.


A support scam on Discord

As a general rule, staff will never communicate with you through private, unofficial channels. A few simple things to keep in mind when it comes to support:

  • never share your private keys, seed phrases, or passwords
  • never allow anyone to remotely access your computer
  • never communicate outside of an organization's designated channels

Phishing scams

Phishing scams are another increasingly common angle that scammers will use to attempt to steal funds from your wallet.

Some phishing emails ask users to click on links that redirect them to imitation websites, asking them to enter their seed phrase, reset their password, or send ETH. Others may trick you into installing malware that infects your computer and gives scammers access to your files.

If you receive an email from an unknown sender, remember:

  • never open a link or attachment from email addresses you do not recognize
  • never give out your personal information or passwords to anyone
  • delete emails from unknown senders

Learn more about how to avoid phishing scams.

Cryptocurrency trading broker scams

Scam cryptocurrency trading brokers claim to be specialist cryptocurrency brokers who offer to take your money and invest it on your behalf. Promises of unrealistic returns often accompany this offer. Once the scammer receives your funds, they may ask you to send more so you do not miss out on further investment gains, or they may disappear altogether.

These scam brokers find their targets by using fake YouTube accounts to start seemingly natural conversations about the broker. These conversations often get a lot of upvotes to increase their apparent legitimacy, but all of the upvotes come from bot accounts.

Do not trust strangers on the internet to invest on your behalf. You will lose your crypto.

A trading broker scam on YouTube

Crypto mining pool scams

Mining pool scams involve people contacting you unsolicited and claiming that you can make huge profits by joining an Ethereum mining pool. The scammer will make claims and stay in contact with you for as long as necessary. Essentially, the scammer tries to convince you that when you join an Ethereum mining pool, your cryptocurrency will be used to create ETH and dividends will be paid to you in the form of ETH. What actually happens is that you notice your cryptocurrency is making small returns. This is simply to entice you to invest more. Eventually, all of your funds are sent to an unknown address and the scammer disappears or, in some cases, stays in touch, as happened in a recent case.

In a nutshell, beware of people who contact you on social media asking you to be part of a mining pool. Once you lose your crypto, it is gone.

Some things to remember:

  • beware of anyone who contacts you about ways to make money with your crypto
  • be wary of offers to put your crypto into staking, liquidity pools, or other investment schemes
  • rarely, if ever, are such schemes legitimate. If they were, they would probably be popular and you would have heard of them.

Man loses $200k in mining pool scam

'ETH2' token scam

Around The Merge in 2022, scammers took advantage of the confusion surrounding the term 'ETH2' to try to get users to redeem their ETH for an 'ETH2' token. There is no 'ETH2' or any other new token introduced with The Merge. The ETH you own today remains the same ETH after The Merge, and there is no need to trade your ETH for The Merge.

Scammers may appear in the form of "support" and tell you that if you deposit your ETH, you will receive 'ETH2' back. There is no official Ethereum support, and there is no new token. Never share your wallet seed phrase with anyone.

Note: there are derivative tokens/tickers that can represent staked ETH (e.g. Rocket Pool rETH, Lido stETH, Coinbase ETH2), but they are not something you should "migrate" to.

Airdrop scams

Airdrop scams involve a scam project that airdrops an asset (an NFT or token) into your wallet and directs you to a fraudulent website to claim the airdropped asset. When you try to claim, you are asked to log in with your Ethereum wallet and "approve" a transaction. This transaction compromises your account by sending your public and private keys to the scammer. An alternate form of this scam may ask you to confirm a transaction that sends funds to the scammer's account.

More information on airdrop scams.


Further reading

Web security

  • Here's why you shouldn't use text for two-factor authentication – The Verge
  • Up to 3 million devices infected with malware-laced Chrome and Edge add-ons – Dan Goodin
  • How to create a strong password that you won't forget – AVG
  • What is a security key? – Coinbase

Crypto security

  • Protecting yourself and your funds – MyCrypto
  • Four ways to stay safe in crypto – CoinDesk
  • Security guide for dummies and smart people too – MyCrypto
  • Crypto security: passwords and authentication – Andreas M. Antonopoulos

Scam education

  • Staying safe: common scams – MyCrypto
  • Avoiding scams – Bitcoin.org
