
Crypto basics: Security

BY LAWRENCE J. | Updated August 02, 2024


Financial Analyst/Content Writer, RADEX MARKETS. Lawrence J. came from a strong technical and engineering background before pivoting into a more financial role later on in his career. Always interested in international finance, Lawrence is experienced in both traditional markets as well as the emerging crypto markets. He now serves as the financial writer for RADEX MARKETS.

Navigating the crypto landscape can be an absolute minefield to those unfamiliar with the technology. Scams are rife. Technical errors are commonplace. Even the infrastructure itself can appear to be fickle at times. Cryptocurrencies are only just beginning to emerge out of their nascent stage of development. Things are a lot better than they used to be, but there is still a long way to go before most people will feel comfortable using crypto on a day-to-day basis. Until such a time, let us go over some general practices that will help people secure their funds.
“Not your keys, not your coins”

The mantra of crypto. Perhaps also the origin of the first schism within it. The saying represents the long-defended position that one is not in control of their cryptocurrency if one is not in sole possession of the private key securing it. Self-custody is a foundational pillar of the crypto sphere. The entire point of blockchain technology is to enable users to be in full, inalienable control of their assets. Concretely, this means that users transact and interact with the blockchain via a password, or key, the absence of which prohibits them from doing so.

This immediately raises the question: what if the key is lost or stolen? This is where opinions begin to diverge. There are essentially two schools of thought on this. The first, fundamentalist approach is that the user needs to step up to the mark and take responsibility for safeguarding their finances, otherwise what is the point of using crypto at all? Harsh but fair.

The second approach is both more pragmatic and more lenient. Most people can barely remember where they left their car keys, let alone a 24-word seed phrase or similarly obfuscated string of data. The user abdicates such responsibilities in favour of a third-party custodial solution, e.g. Coinbase.

Non-custodial wallets

Should the user opt for the former approach, they must adopt some vital habits. No matter what other security measures one employs, access to a crypto wallet ultimately lies with a seed phrase. The seed phrase unlocks the wallet and enables full control of the assets within. It is the master key and should only be used when absolutely necessary.

A seed phrase should never be shared with anyone, online or offline. It should not be stored anywhere that is not secure. Do not store a seed phrase on a phone or computer, unless heavily encrypted with audited software. Do not take a picture of a seed phrase. Do not store a seed phrase in the cloud. Ideally, keep the seed phrase away from any device with an internet connection. Even typing out the seed phrase can be dangerous if, for example, the machine is infected with a keylogger. Write it down on a piece of paper and leave it in a safe.

All well and good but hardly practical for those interacting with crypto regularly. This is why many users use a cold wallet (meaning offline) for storage purposes, and a secondary, hot wallet for day-to-day operations. The hot wallet is usually a software wallet that stores the private keys on the device in question and typically will not have too many funds in it. Spreading out crypto assets is a good practice in general and there are no real downsides in doing so, other than organisational ones.

An increasingly endorsed solution is the hardware wallet, such as a Ledger or Trezor. A hardware wallet is a small USB-compatible device that stores private keys on a dedicated, secure element chip designed to prevent unauthorised access. Using such a device typically requires the user to input a short PIN to validate each transaction. The signing process occurs offline, isolated from other hardware. In many ways, this offers the best of both worlds: all the security of a private key, but without having to expose it upon every use.

Custodial wallets

Many crypto users are content to opt out of self-custody altogether, placing their faith firmly in exchanges, custodial wallets and various other third parties. With custodial solutions, users do not possess the key to their wallet, meaning that all the security assumptions discussed above are irrelevant. Here still, there are many practices that users can adopt to avoid mistakes.

Given that the user is essentially just interacting with a website, all general online safety advice applies. When creating accounts with these services, always use a new password, one that is not tied to any other online account. Use a separate email address to limit phishing attacks.

If the option is available, activate two-factor authentication. More precisely, use 2FA with Google Authenticator. SMS-based 2FA is not as secure because of SIM swap attacks. In such an attack, a hacker impersonates the victim, pretends to have lost the phone and contacts the service provider, who then switches the phone number to a new SIM card owned by the bad actor. The hacker can then receive legitimate 2FA messages to sign in. It is far more common than most people imagine.

Of course, none of the above advice helps if the owners of the exchange get bored and decide that they all want private jets. There is very little to stop them from selling all their customers’ funds on the open market and fleeing to the Bahamas. It would take a while for most users to even realise something was amiss.

It is unfortunate to say that the crypto industry has been plagued with all too many instances of collapsing exchanges. The earliest and perhaps most famous happened all the way back in 2014, when Mt. Gox suddenly went dark. The event cast a shadow that continues to blacken the crypto landscape to this day. Since then, not a single year has gone by without at least one crypto exchange or moneylender going down. The year 2022 was exceptionally dreadful for crypto. The collapse of FTX was devastating enough by itself, but it was so intertwined with other entities that it ended up dragging down everything around it, including regular hedge funds. The damage was catastrophic.

Unlike money in a traditional bank, crypto funds are not insured by government bodies, such as the Financial Services Compensation Scheme (FSCS) in the UK or the Federal Deposit Insurance Corporation (FDIC) in the US. Class action lawsuits are normally the only recourse, but the legal groundwork is often lacking for situations involving cryptocurrencies, not to mention the technical difficulties of actually retrieving crypto in the first place.

There are no good answers here. Take full responsibility and risk losing everything to technical error, or delegate such burdens away and risk losing everything to a distinctly more human outcome. Pick your poison - or a little of each.
