Managing a Crypto Portfolio - With Safe(r) Crypto Best Practices

in #crypto · 7 years ago (edited)

Thinking of investing your money into "crypto currency"? Perhaps you are thinking of investing from a rollover of your retirement to a solo 401K or IRA retirement plan, or of investing money from savings or a credit card. Whether you are thinking about it or have already jumped into the crypto world, I will help you understand and avoid traps that could put your hard-earned money at risk.

While not intended to assist you with what to buy, I will assist you in the process of going about it, and in how to protect it. I will share with you the experience I gained while managing a crypto portfolio, as well as some inside technical and "dark world" experience/insight that I used to my advantage as a 25-year veteran software developer and skip-tracer.

Risk

This space is changing rapidly and there is great risk when HoDL'ing your crypto. These types of investments are subject to extreme price volatility, as well as volatility in relevance. A single event, rumor, video or news writeup (true or false) can giveth or taketh away while you sleep. Further, high tech criminals lurk everywhere and they want to steal your cryptos. Only bet what you do not need, and I don't recommend leveraging yourself to play the crypto game.

Investing in crypto isn't for everyone. For instance, I would not advise my mother to invest in cryptos of any significance, and the concepts described herein would be beyond her familiarity. That said, she has some crypto and allows the exchange to hold them for her. Although I do not recommend that, I would not feel comfortable advising her on any of the best practices described herein. This article assumes the reader is proficient with a computer and understands what "crypto currency" is.

Coin Storage

Cryptos have recently become so highly valued that thieves are constantly getting more creative to steal them. Assume they understand this space better than you. Every day an investor will lose their crypto to thieves, and some their entire life savings.

Do not leave your coins on an exchange. It is my professional opinion that every organization can be hacked. Organizations are only as strong as their weakest link, and every organization has many. I witnessed it first-hand, even (ahem, especially) from those responsible for the security of its data.

The safest method I have found to store crypto is by practicing the Glacier Protocol, using online and offline computer wallets. Unfortunately, this method is limited or impractical for diverse portfolios, and is not meant for mere mortals. It was designed to protect the serious Bitcoin wealth of seriously paranoid people (with good reason).

When an exchange is "hacked", regardless of the reason, it will always cast blame on a ghost such as "we were hacked". Some actually are hacks that exploit a breachable weakness, while others are likely the result of:

  • an inside job by a trusted employee
  • an inside job by an executive because the company leveraged itself too much
  • an event that resulted in larger withdrawals from their customers than they could handle
  • ==Coming soon==: they were leveraged by inflation because of the existence of too much Tether (USDT) that has been magically created out of thin air like our fiat currencies

Soft Wallets

I don't trust software-only wallets to hold more than I want to spend for the day. Pillar, Ethos and others are working on new wallets, but NO wallet has been able to eliminate the risk of a rogue employee of the wallet maker stealing your coins. Even the spendable wallet that is coming from TenX has a trust dependency.

Hard Wallets

Hard wallet devices like the Ledger Nano, Trezor, and several others provide a reasonable balance of ease of use and protection. That is, even though a trust dependency exists there too, they offer an alternative to needing the encryption key to unlock the wallet. For the initial setup, the device will generate (typically) 24 random dictionary words, which can then be used to completely restore the wallet onto a new device in case of damage, loss or theft. For daily use, you choose and use a PIN. So the device shields you from yourself by not allowing you access to the wallet private keys, which are the primary thing thieves are after. Many believe that the device physically stores the coins, but it doesn't. It is merely a method of accessing wallets on the blockchain -- nothing leaves the blockchain.

I use both the Trezor and Ledger Nano but they sell out fast. The Ledger offers more coin support (as of this writing), and its architecture offers better protection should the device be stolen (although I have not put it to the test). Whichever you choose, be sure to buy DIRECT from the manufacturer even if it means you must wait. Do not buy from Amazon, eBay, etc. There is nothing stopping a tech thief from manipulating a hard wallet or its packaging in some way (even if bought from the manufacturer's "store" on Amazon). Avoid wallet marketing programs. For instance, Salt Lending has a promotional offer to buy a Ledger Nano with their logo embossed on the device for a mere 5 SALT tokens; as of this writing that is quite the bargain.

When buying a hard wallet, purchase 3 if you can afford it (2 at the least). This is because the device may become damaged, or get lost or stolen. With spare devices you can recover a wallet from the seed words generated by the device during setup. Without spare devices, you might not get another opportunity or could be forced to buy from risky resellers. Spend the money and buy 3. Place your spares, together with your seed words, in a safe place such as a safe deposit box (or boxes). Having 2 devices protects you from loss, theft or damage, while 3 devices may give you a fighting chance should your seed words become compromised.

UPDATE: Since I began writing this, at least 1 hard wallet "reseller" has stolen coins from an unsuspecting buyer. Expect to see other types of attacks on hard wallet distributors, device patches and replicas. Just buy direct from the manufacturer.

Privacy

Many believe that Bitcoin and others like it are inherently private because an address is not associated with you. While that may be true today, tomorrow it won't be. There are efforts underway to link you to any and all wallets you have interacted with. This list will start off sparse, but it will fill in over time, and soon our privacy will depend upon how well everyone we interact with over the blockchain has practiced safe crypto. Unlike receiving a discreet call from a clinic several months later, it will be made public for the world to see for all time. This is why anonymity coins such as Monero (and many other privacy-class coins) are getting additional attention.

Hard Wallets can aid in maintaining your privacy.

Seed Words

Assume your devices are or will be observed electronically.

Treat your seed words like the combination to a remote safe filled with your treasure. Seed words are a dead giveaway: they are all that common soft and hard wallets need to restore, so you should assume that anyone who gains possession of these words will be able to steal your treasure. Therefore, do not:

  1. snap a picture of them (clipboard, smartphone, or camera)
  2. copy them to the computer's clipboard
  3. send them over TXT (iMessage or SMS)
  4. send them over email
  5. type or key them on any computer or other device
  6. leave them on a sticky note on your computer
  7. hand them to someone you do not trust to hold your darkest secrets
  8. keep them stored in one single location that can be burned to the ground by directed energy weapons

If on paper, laminate (safely and without prying eyes) and place in a fireproof box. Another option is to purchase the Cryptosteel which uses engraved letters to hold your seed words in a steel cradle. A third option is to use a letter stamp or electric engraver to engrave your seed words onto stainless steel or bronze sheets available from a hardware store. In the end I spent the money for a couple of Cryptosteel cradles.

Should you decide to live dangerously and print your words, consider that network printers are not secure and leave data behind to be found later. If possible, use an old wired-only printer; otherwise cripple networking on the printer and reset it to factory settings after use if able (although there is no guarantee the data is wiped). Consider printing to waterproof, tear-resistant TerraSlate 4 MIL paper for laser or inkjet printers.

It is a good idea to have 2 or 3 copies, placed in safe and alternate locations. Keep in mind that a hurricane or flood can wipe out or displace an entire region.

Finally, each wallet initialization should be tested. That is:

  1. initialize the device as described above
  2. transfer a low value coin to the wallet via the device
  3. wipe the device
  4. restore the device using your seed words
  5. verify the coin is still in the wallet
  6. ready to rock

Compromised Device or Seed Words

Enough time plus physical access is all that is needed to breach the data. That said, I am not aware of any published hard wallet breaches and such a breach isn't for mere mortals without a published tutorial.

If your device is compromised (lost or stolen), the thief still needs the PIN to access your wallet. If there are multiple failed PIN attempts then the device should get wiped automatically, so there is at least some protection there. Not so if your seed words become compromised, since your PIN can be bypassed with a restore using your seed words. In this case you should assume that it is only a matter of time before someone gets ahold of a spare device to restore onto and steals your coins. This is where it is important to have 3 devices; it allows you to quickly restore onto device 2 and transfer to device 3, as described next.

Here the source device is defined as device 1 when the seed words are compromised, or device 2 when the actual device is compromised. The destination device can be either device 2 or 3.

Should your device or ==seed words become compromised==, restore your source device from your backup seed words. If your coins are still present, ==immediately proceed to setup your destination device as a new device==. Then carefully transfer your coins from source device to the destination device.

Unfortunately, the Ledger Nano can only hold 3 to 5 coin applications on the device at a time. You may still hold coins from another application (such as Dash) even though you might have deleted the Dash application from the device to make room for another application such as Litecoin. Deleting the application doesn't cause the deletion of your coins, just the application. Therefore, use care to ensure you have secured the transfer of ALL your coins to the destination device.

Dedicated Access Device

Whether you use a hard wallet or not, do not use the family computer to access your coins. Code has or will be written to quietly breach computers for mass wallet sweeps. Reduce risk of breach by storing your coins on a dedicated device that is used ONLY for that purpose. I recommend something like a securely designed device that can be found on Puri.sm. If you cannot afford a device like that, consider purchasing something similar to a Raspberry Pi but with a little more power and RAM (such as the Banana Pi and others for under $100). Install a simple and secure(r) OS such as PureOS or Qubes, then install Chrome, or Chromium. Before installing your OS version, ensure Chrome or Chromium is available for your platform.

Hard Wallet Not Always An Option

Not all coins can be held on a hard wallet. For instance, the Ledger Nano and Trezor do not (as of this writing) support Monero and many others. This means you may be forced to a hybrid approach such as using a paper wallet or running a full node or "core" implementation. When running a full node client/wallet, use the dedicated-system principles applied above, or if that is not an option, consider running a VM client such as VMware, VirtualBox, or Parallels. Also pay close attention to the math on how large the blockchain data is (and its growth rate), because you will essentially download the coin's entire blockchain data to your local disk. In this case consider also storing your VM's disk on a separate USB SSD or other external hard drive that can be disconnected. Enable encryption if supported. Also, dedicate that VM solely to its intended purpose. Nothing is bulletproof, but each additional layer helps.

Read Only or Watching Wallets

Some coins such as Monero provide the ability to create a "watching" wallet that is read only. This allows you to have two full nodes, where one has wallet read rights and the other has wallet spend rights. If you implement this model, it is typically done with the notion that the spendable node does NOT have network access. This allows you to better protect your coins with "separation". Protect the spend keys on that device by ensuring that physical access to it is controlled, that it is not network-connected, and that its hard drive is encrypted, and back up the wallet addresses, spend and read keys to an encrypted flash drive.

Choosing an Exchange

There are many exchanges being added all the time. Some can accept fiat currency, and others deal only in crypto. There is also a new breed of decentralized exchanges that do not hold your coins like centralized ones do. Decentralized exchanges are new and are under constant change and I will omit those from this article, mainly since you cannot avoid a centralized exchange; you still are likely to start and end with an exchange that trades with fiat currency.

I attempted to open a tier 4 "organizational account" on various exchanges only to have a bad experience with Coinbase, Gemini, and Poloniex, which were completely unresponsive. I received a general response from Coinbase 5-6 months later (shortly after they received a large funding round) but no real change in quality of service. Poloniex responded 7 months later with an automated response. To my surprise Kraken and Uphold were the most responsive, and Bittrex was also fairly responsive.

  • Binance. My favorite platform so far. They have a wide array of coins listed, and the best app with the highest availability (very scalable). As of this writing, withdrawals on unverified accounts are limited to 2 BTC per day per account. This exchange operates in China.

  • Kraken. Kraken's support was the most responsive. I filed numerous support tickets on varying issues only to get prompt, professional service, and always to my satisfaction. Kudos to Kraken. I like their application but it was not designed to scale to the response it received. For much of 2017, it was constantly error prone or unresponsive. They have recently rolled out an upgrade in January 2018 which appears to be a big improvement. This exchange operates in USA.

  • Coinbase. Great to use until you need support, or until you want to buy/sell at the best price. Month after month I watched their site (and mobile app) fail to fulfill buy or sell orders when the price was to my significant benefit. Magically, the site would be responsive when the price came back into line with norms or outside of that sweet spot. I gave the finger to Coinbase and haven't looked back. This exchange operates in USA.

  • GDAX. An extended trading platform run by the Coinbase organization. You can expect the same problems as with Coinbase and Kraken, but without the honorable intent of Kraken. This exchange operates in USA.

  • Bittrex. Better than Coinbase, not as good as Binance. Still a required supplemental exchange.

  • Cryptopia. I like this exchange, but withdrawals on unverified accounts are limited to 5,000 NZT per day per account (about $3,600 US). The first to use Litecoin pairs (buy or sell coins with or for Litecoin). This exchange operates in New Zealand.

  • Uphold. This exchange is probably the best kept secret, although it is not intended for traders like the other exchanges. You can also dabble in foreign currency. Uphold is also responsive to support requests with fast professional service. Probably the best choice if all you need is to buy and HoDL only the most common of coins. You will pay a little bit more than a trading platform but well worth the peace of mind it buys you. Also, I really like their application "tiles" model for first time users -- it's very well thought out and has an emphasis on usability for mere mortals. This exchange operates in USA.

  • Etherdelta. Hacked in December 2017 by attackers who took over its DNS nameservers and hijacked all site traffic to an evil twin site. Weeks prior to that, it redirected customers from the original site etherdelta.github.io to etherdelta.com without a formal migration effort and without warning (laughable considering crypto traders are already very paranoid). Use only if you have no other alternative.

  • HitBTC. This exchange would seem to be operating rogue. There are countless complaints of unanswered support requests, stolen wallets, and the like. I have personally experienced no response to support tickets after several weeks. Stay away. You've been warned.

Two Factor Authentication (2FA)

Two factor authentication extends existing security models from "something you know" (your authentication credentials) with "something you have" (a device such as a smartphone). It originally started as a key fob style device that issued a one-time code, and then later evolved to sending a code via SMS (TXT) messages to a telephone, mainly because the key fob device became expensive and impractical. The SMS method is still in use today, but shouldn't be. This is because hackers are sometimes able to hijack the telephone service of your telephone number (by having it ported or swapped to a SIM they control), thereby gaining access to your exchange accounts via SMS-based 2FA. One recent well-known example is the purported hijacking of John McAfee's AT&T cell service and the use of his device in a coin pump via Twitter (the shame).

Most exchanges today offer alternatives such as Google Authenticator or Authy, which are applications you can download to your phone, or even your computer. During the process of setting up your 2FA authentication, you will be prompted with at least 2 pieces of information:

  1. a QR code that you typically scan with your phone, and
  2. a backup key.

The 2FA app will typically add a new account for authentication by taking a picture of (or scanning) the QR code. Before going through this process it is VERY important that you record the backup key. This is because if your phone is damaged, lost or stolen, you will not be able to gain quick access to your exchange accounts without it. With the 2FA key properly backed up, you can easily set up new phone service, install the 2FA app, and manually bind the exchange to it using the backup key. Be sure to record your key along with your credentials as described in Passwords and Password Managers. I also have a spare phone (with service) for this very reason.

Some like Authy because you can download it to your computer, whereas Google Authenticator is meant for your smartphone only. There are alternatives and tweaks to challenge this assertion, but I do not trust them. The purpose of 2FA is to protect you, so as a best practice the secondary authentication device should NOT be the same device as the first. For instance, if you use your PC (⚠) or your iMac to trade on Binance, then you should use your smartphone to perform the 2FA authentication. So for me, that extra feature Authy provides is moot. If you choose to live dangerously then make double sure you do not allow the browser to remember your exchange credentials.

An interesting debate exists concerning the likes of Authy vs. Google Authenticator. Both have strengths and weaknesses, and the debate is beyond the scope of this article. Keep it simple, assume you will lose your device and assume you will want to restore service to your exchange accounts quickly and with the fewest possible failure points. For me, the answer is Google Authenticator when a choice exists. If you use Authy, be sure to understand the implications of the multi-device option, and also record your backup key.

If you are worried about Google Authenticator accidentally wiping out your keys because of an erroneous update (nah, that could never happen), I would argue this shouldn't be a serious issue with the best practices.

Be Paranoid

Sweeps

I'd welcome back the days when my face planted on the keyboard after a long night of BBS hopping, while a virus quietly disabled my modem's volume and then dialed 976-XXXX "hotlines". Since then, we have graduated to the big time with things like ransom-based evilware (like ransomware), and something likely to happen that I will call "clean sweeps". A single crypto hack could yield a massive payday; this means solo hackers, organized crime syndicates, and even government intelligence agencies have most likely put forth significant resources towards stealing your wealth.

I believe this new breed of evilware will attempt to replicate to every reachable computer. This code will scan files, images, network pipes/streams and the clipboard; essentially all data that:

  1. contains a wallet (public) address,
  2. contains a wallet (private) key,
  3. contains wallet seed words, or
  4. contains a QR code or an OCR'able image that resolves to 1-3 above,

and will then:

  • replicate itself anywhere it can to continue its deeds again later, and finally
  • connect and send data back to the mother ship

Meanwhile the mother ship:

  • cross references against well-known wallet types, and
  • places into a database for the clean sweep

Clean sweep day:

  • we wake up
  • eat some waffles
  • turn on the "news" to learn of the sweep
  • many cryptos are gone

Injections

To this end, open source will likely be one of the new attack vectors. Most think open source software is immune to such attacks, when in fact it is the perfect injection point for a mass delivery system, and without much effort. Most development projects have numerous dependencies which in turn have many other dependencies, none of which the project developers know anything about. So much so that build and continuous integration systems (like Maven and Jenkins) are designed to manage these complex dependencies for us. Moreover, developers develop, while managers, leads, interns, associates or juniors often do the merges into the upstream source code branches (and are less likely to know what they are looking at). Generally speaking, the serious developers write code and they do whatever they can to spend more time writing code than managing or testing code. For instance, I have watched numerous roles vastly expand over the past 10+ years to help developers focus on their development tasks (analyst, QA, etc.). This is a generalization and not absolute for all organizations, but it's important to call out because open source dependencies are the perfect delivery system for rogue code.

Coordinated Attacks

Many years ago I was in the debt collection industry and "observed" the art of the gag. Skip-tracers would gag postal employees to pull box cards (for their address), gag bank account numbers from bank staff, etc. Coordinated crypto theft attacks operate on the same principles: work boldly from the shadows with enough inside data fragments to make the con believable. Crypto hacks are far more sophisticated, however, and each successive hack will be better and bolder than the last.

I was engaged in a conversation with a co-worker ("Rick" from Malta) about how helpful it would be to have access to the rumored "non pub directory assistance" number. We debated its existence. With boldness he said "Let's see", switched into character, dialed 411, impersonated a top Pacific Bell officer, and scored. He called the number, and they answered: "Non Pub". After doing a directory assistance lookup they responded: "I have that information for you, what's your billing code?"

Enigma Catalyst ICO

On the day of this long awaited ICO, sophisticated tech thieves:

  • hacked into Enigma's Slack channel, obtaining their investor participant email list
  • attacked their Slack channel, preventing the administrator from moderating the channel
  • posted lies to the Slack channel that the ICO was now live
  • DDoS attacked the Enigma site, making it unresponsive
  • sent a pre-emptive email to the investor list prior to when the ICO was supposed to start

Mind you, this was at a time when ICOs were selling out in minutes. The Slack channel attack prevented the administrator from moderating, and the downed website also prevented notification of the fraud via the site. This had the effect of throwing chum in the water, which created a FOMO frenzy for the investors because they thought the ICO was so successful that the site wasn't responsive. Many rushed to send their Bitcoin and Ethereum right into the thieves' wallet, never to be seen again.

FaceCoin

FaceCoin.tech appears on the scene and gets write-ups from unsuspecting (and some well-known) vloggers and bloggers. The website looks professional and well done (and the site is still up as of this writing). Turns out FaceCoin is really "FakeCoin". A simple domain registrar whois query shows that the "professional" website was posted just a few weeks before the ICO, and ditto for their Twitter page. Also, notice that the team members do not point to real LinkedIn profiles. On ICO day the ETH poured into the FakeCoin wallet. You might think you would never fall for that, but this highly experienced tech guy with an eye for this sh!t did (the shame).

Update: For those who got stung by this ICO you will be happy to know that the FaceCoin domain expired in August, 2018, and it no longer lurks to remind us of our rush to give scammers our coin.

Millie The Savage Hacker

Like Inception, this one goes deeper by spamming the email lists of well known YouTube'ers such as Suppoman's Udemy.com account, and sending email to his subscribers that masquerades ;-) ;-) as Suppoman, suggesting they should buy into FakeCoin using his referral code.

It's an ICO Wild Wild West right now. There is no protocol for ICOs and many of them repeat the same mistakes, while tech thieves dream up new ways to fool us, the new ICO managers, and anyone else they can manipulate along the way.

MyEtherwallet Click Scams

But wait, it goes deeper still. These same organized criminals that hack into Slack, etc., are not wasting a single email address. They are blasting the inboxes of their mail harvest with emails that lure unsuspecting "prospects", as phish bait, to sites that run evil clones of MyEtherWallet. They use FUD surrounding "real news and events" to lure the recipient to the evil site and into giving away their private key. The site looks like MyEtherWallet, but it isn't. In fact, the clone's source code comes straight from the official MyEtherWallet site, which makes it available for those that wish to run a local copy of the site without being connected to the network.

The moral here is NEVER click on a link to take you anywhere, most especially a financial or crypto site. Also, don't rely on a search engine to serve up the right site address either. Navigate manually from the address bar, and once authenticated as legit, bookmark it. Assume any link is phish bait.

Running a local copy of the MyEtherWallet, etc., site isn't useful for hard wallet users, because SSL over the https:// protocol is required when connecting to a hard wallet device (as opposed to the file:// protocol when run locally).

MyEtherwallet cannot access a hard wallet when run in Incognito mode.

Slack

Avoid creating an account at Slack. They are vulnerable, have too many weak points, and they will not delete your user record citing rubbish reasons for refusing to do so. You've been warned.

Passwords, Password Managers & Browser Extensions

==Use a different password for each exchange==, and that password should be VERY strong, not a recognizable pattern or dictionary word. Use randomly generated passwords that are 30+ random alpha+numeric+special characters. Did I mention random? This way if one exchange's credentials are compromised (perhaps even by the exchange itself), those credentials cannot be used to gain access to any other well-known exchange.

Do not use browser extensions or plugins except for those installed by your hard wallet device. Do not use online password managers such as LastPass to store your exchange credentials. Do not allow the browser to remember these credentials. Consider using a hardware password manager. Ledger has a password manager app that you can download directly onto the Ledger Nano, or install a local password manager that supports an encrypted database, preferably in a VM that is not internet connected.

Store your account IDs, passwords and 2FA backup keys in the secured password manager. Export the database to a military-grade, hardware-encrypted flash drive and store it in a safe location (or locations) as a backup. These devices can be found on Amazon for $50-$75, and the cheapest/smallest disk sizes available would be suitable for this purpose.

Exchange Support Desks

With massive customer growth comes massive support incidents and (some) exchanges are scrambling to keep their service levels up. I get that it's difficult for them to keep up. Unfortunately, they are outsourcing their support "site" to a third party without you realizing it. Here's how it works and why you should care:

You decide to open a support incident, and follow their site navigation. A popup or page opens prompting you for your credentials. With bewildered pause, you input your exchange credentials but they don't work. Some may eventually come to realize that you must create a separate "support account" but what they don't tell you is that the support site is actually outsourced to and hosted by a third party such as ZenDesk or FreshDesk. So when you input your exchange credentials this third party now has access to your credentials for your exchange account.

The exchanges know this, and do not care because it suits their needs. Otherwise they wouldn't use deceptive branding to make it appear as the exchange (instead of the third party), including using deceptive URLs such as support.(exchangedomain).com. An exchange more concerned with your security than its needs would disclose this to you when prompting, and also encourage you to use a different password than your exchange password. I have reached out to a few exchange security departments to point this out; unfortunately my efforts were futile.

Most of the exchanges operate this way, although some (such as Kraken) appear to have a single sign-on token between the support and trading sites. In Kraken's case no credentials are stored by the support third party, but it doesn't rule out that a third-party employee or agent could make use of the token to authenticate. If the token could be used to breach your account, it would be more damaging because it would likely circumvent the 2FA requirement.

Just use a different password than your exchange account and if you host your own mail server consider using an alias email address for the support account too.

Although damning Kraken on this one, I actually commend their honorable intent. They openly state to customers that the explosive growth is resulting in their support being below what they consider good service levels (and without spinning it). They also appear to be holding the barbarians at the gate by responding to their support tickets far better than most. All things being equal, I give Kraken my trades.

Bank Account Credentials

When linking a bank account to an exchange, does it seem normal that Coinbase, Gemini and others should prompt you for your private credentials to your bank (as in your userid and password)? If you answered "NO" then good for you. After reviewing their code, it not only appears that you are providing these credentials to the exchange's developers, but they also provide those credentials to yet another "trusted" third party. So, that's 2 third parties that have access to what should be your very secret banking credentials; but that's OK because they are trusted. This clearly demonstrates that making it as easy as possible to get you to part with your money is far more important than protecting your data and money. But don't worry, you can still trust them to hold your Bitcoin.

The irony here is staggering because it illustrates that Coinbase and others are merely pushers of a product that they do not care about. It's a sale, that's all. This lack of common sense is the very reason why we need trustless systems. Each month brings a new example of how the exchanges have no clue about data security best practices and highlights why you should not leave your coins on an exchange to "hold".

Coin Transfers

Even if you manage to avoid evildoers, you can easily send your coins into oblivion never to be seen again. We can be our own worst enemy sometimes.

When transferring coins between your local wallet and the exchanges, use care, take your time, and double-check everything. Avoid making transactions with your heart racing; nothing good will come from that. If you are partnering with others (such as a spouse), agree on a strategy, and then choose a single person to implement that strategy. Remove all outside stress and influences that can distract you from the task of moving crypto over the wire. For instance, I took a spare pair of ear muffs from my range bag and it sits permanently on my desk. When folks tap on my shoulder when I am in Cryptoland, they talk to the hand =).

Verify everything, twice. This includes the token identifier (for instance, PPT for Populous), the amount of the transfer, and the address. I usually verify the first 4+ characters and the last four characters of the address. I do not hand-key addresses, but I also do not put faith in the clipboard's accuracy (the developer in me knows better). If managing more than a single portfolio, also double-check the account/wallet you are transferring to/from. For instance, co-mingling coins between your personal portfolio and your retirement trust isn't a good thing. If you do make this mistake, document it, return the coins and try again.

FOMO and Reverse FOMO

PAY < > PLR

I was excited that Pillar was finally getting some volume and decided to sell 1000 PLR tokens on HitBTC as a test; I had never used this exchange before. From Myetherwallet I sent 1000 PAY tokens to HitBTC. Wait, I meant to send over PLR tokens, not PAY tokens! Crap! I still have not been able to get my tokens back, and probably won't.

Verify everything. Test with small amounts regardless of cost.
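As an added example (not code from the original post), here is a pre-flight check that encodes the verification steps above and the small-test-amount rule: it confirms the token ticker, validates the pasted address's Base58Check checksum (Bitcoin/BCH legacy addresses only; Ethereum/ERC20 addresses use EIP-55 and are not covered here), compares the head and tail characters against values you recorded from the destination itself, and caps a first send to a new destination. `TEST_AMOUNT_LIMIT` and the function names are assumptions; the Bitcoin genesis-block address is used as test input.

```python
import hashlib

# Added example (not from the original post): pre-flight checks before sending coins.
# Covers Base58Check addresses (Bitcoin/BCH legacy); Ethereum/ERC20 addresses use a
# different checksum (EIP-55, keccak-256) and are NOT validated by this code.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TEST_AMOUNT_LIMIT = 0.001  # assumed cap for the first send to a new destination


def b58decode(text):
    """Decode Base58 to bytes; each leading '1' becomes a leading zero byte."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def base58check_ok(addr):
    """True if the trailing 4 bytes equal SHA256(SHA256(payload))[:4]."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def preflight(ticker, amount, pasted_addr, intended_ticker,
              expected_head, expected_tail, first_send):
    """Return a list of problems; an empty list means the transfer may proceed."""
    problems = []
    if ticker != intended_ticker:  # the PAY-vs-PLR mistake
        problems.append(f"token mismatch: selected {ticker}, intended {intended_ticker}")
    if not base58check_ok(pasted_addr):  # typo or clipboard tampering
        problems.append("address failed Base58Check")
    # expected_head/expected_tail are the first 4+ and last 4 characters you read
    # off the destination's own deposit page, not off the clipboard.
    if not (pasted_addr.startswith(expected_head) and pasted_addr.endswith(expected_tail)):
        problems.append(f"address does not match recorded head {expected_head} / tail {expected_tail}")
    if first_send and amount > TEST_AMOUNT_LIMIT:
        problems.append(f"first send to this destination: test with <= {TEST_AMOUNT_LIMIT} first")
    return problems
```

Run `preflight` with the ticker and amount you selected on the sending side plus the address you pasted; anything it returns is a reason to stop and re-read the destination page before sending.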

It's A Trap

For months I had been concerned about my Bitcoin holdings for fear of it turning into Sh!tcoin; the transfer costs are so high and it takes forever to confirm. Somewhere in the back of my mind I have this sneaking suspicion that Bitcoin Cash (BCH) might seriously challenge Bitcoin. Suddenly I see a move on BCH and the price starts to move, so I decide to move significant portions of Bitcoin and shift to BCH. The price triples that day and I begin to fear that it's a trap, so I decide to revert back to Bitcoin. I mistakenly sent my coins to Kraken to trade back for Bitcoin, and the Kraken site is exceptionally hammered, with only 1 out of my 30 transactions going through. All the while I am watching the price spin down at high speed, so I have to hand-key the Satoshi value directly and preempt the price, because the price is dropping faster than the last price paid is updated. Come to find out, someone at Coinbase leaked that BCH was going live on this day. Here are just some of the mistakes I made:

  • I painted a picture in my head that didn't exist at the time
  • I reacted with emotion and FOMO with significant amounts of Bitcoin
  • I hand keyed a Satoshi price in a rush when selling my BCH
  • I sold for less than I needed to
  • I thought I mistakenly sent my Bitcoin into oblivion when transferring to Kraken

In this scenario I actually walked away with much more Bitcoin than I started with but only by God's grace. There were so many failure opportunities here where things could have gone wrong. Take your time, breathe, make some chamomile tea, and block out your surroundings with headphones or ear muffs if needed.

Regulators Regulate

Government is likely to attempt to regulate the crypto space, but it will take time to discern how to reach something that isn't there; there is no jurisdiction defined for it. From the "currency" perspective, Bitcoin and alt-coins challenge central banks and our entire money system. From an equities perspective, ICOs and Ethereum-type ERC20 tokens attract the attention of organizations like the SEC. We can't forget the taxing agencies that want their cut too. As of this writing, China and South Korea are the latest to take notice, with much more jurisdictional huffing and puffing to come. We can expect more government reach into both fiat and non-fiat based exchanges. "Anti-terrorism and anti-money laundering" efforts such as AML/KYC are bound to (over)reach even further. Moreover, decentralized exchanges will make this even more challenging for lawmakers. The concern doesn't stop there; for instance, Substratum aims to decentralize the internet as a whole and others like Opus Foundation aim to decentralize internet music, two categories subject to regional censorship.

So, the decentralization movements may be perceived as an act of war against government sovereignty, while also posing a threat to the entire fiat based monetary system. It is reasonable to expect numerous sovereigns to try and slow it down.

Needless to say, this brings yet more risk to investing in cryptos.

The Kiss of Merchants and Wallet Makers

Scared? Don't be because a much bigger network effect is right around the corner. Back in my debt collection days every once in a blue moon I would actually get someone to send me the entire balance of their credit card on the first call ("talk off #1"). In that industry this was affectionately called "a kiss".

Much rides on crypto wallets for the next network effect. So far, we have merely witnessed explosive growth for purely speculative purposes. The next massive effect takes place when people actually use crypto; transactional use that scales far beyond the white noise of exchange-based transactions. To reach that there needs to be:

  1. (real) transactional scalability
  2. spendability
  3. a universal wallet so easy a caveman could use it (without depending upon vendor trust)

Something wonderful will happen when these two meet. Get ready and get 'yer Safe Crypto on.

About Me

I am a software developer/architect, with over 25 years of experience designing and constructing business systems for the enterprise. Prior to software development I was a proprietor of a collection agency, with an extensive background in banking and credit. I spent years in the banking system, and was an expert in enforcement of judgment. My awakening to our financial system and other things led me to the world of crypto.

Disclaimer

This is not financial advice, and I am not your financial adviser; this is insight from my personal experience that I am sharing with my readers.