
July 02, 2019

Best Security Practices

Securing your online accounts has never been more important, and with cryptocurrencies this should be your number one priority. Cryptocurrencies make it very easy to move large sums digitally and almost instantly. If someone gains access to your accounts and moves the funds out, there is little to no chance of getting them back, so you need to make sure that you are the only person who ever has access.

Thankfully, there are steps you can take to make your account as secure as possible:

Two Factor Authentication (2FA)

When you only have a username and a password, all an attacker needs to gain access to your account are those two pieces of information. Because they are static, they alone do not offer very good protection, particularly if you reuse them somewhere else!

2FA adds an extra layer of security by requiring a second piece of information: a six-digit code that changes every 30 seconds. The code is a time-based one-time password (TOTP), computed from the current time and a secret key that your authenticator app receives when you scan the QR code during setup, so a code that is stolen is useless once it expires. An app such as Google Authenticator is completely free to use and you can download it via the Google Play store.

To go one step further, you could install the Google Authenticator app on a separate, dedicated device that is kept completely offline. A cheap phone will do, but one with a camera is useful for scanning the QR codes. It doesn't need to be powerful at all, as it won't even have a SIM card in it and you will only be using it for the Google Authenticator app. Once you have installed the app, put the phone in flight mode and disable Wi-Fi. One caveat: TOTP codes are derived from the current time, so if the offline phone's clock drifts by more than a minute or so its codes will stop being accepted. Check the clock occasionally and correct it by hand.

Some websites offer 2FA via SMS. This is much less secure than using the app, because an attacker who persuades your mobile carrier to port your phone number to a SIM they control (a "SIM swap") receives the codes by text instead of you, without ever touching your phone.

2FA On Your Email

An increasing number of email providers offer a 2FA option for logging in. Gmail, for example, has offered it for a while now.

If your email provider offers this, use it! If they don’t, switch to one that does.

To prevent the SIM-swapping technique described above, it is also a good idea to remove your phone number from your email account so hackers cannot use it to 'recover' the account. Make sure you have set up another recovery method (such as printed backup codes) before you remove it.

To put it bluntly, not using two-factor authentication when it is available, free, and adds so much security to your account and funds, is just plain stupid!

Use Unique Passwords

This one should be obvious, but you should be using a different password for every account you have. If you use the same password for everything, all that needs to happen for your information to be compromised is for one of the likely hundreds of websites/services you use to be hacked.

When hackers steal credentials from one website, they try them on many other sites (a technique known as credential stuffing). Anyone using the exact same details will have just handed the hackers a master key to their entire online life. By using the same details everywhere, your security is only as good as the weakest of all those accounts.

Password Managers

Keeping track of all those passwords can be a real pain, and storing them online or on your computer in plain text is not a good idea at all. Thankfully, there is software that will do it for you: password managers. They store each of your login details in a database encrypted with a key derived from a single master password, and some of them also support 2FA for unlocking the database. So you only need to remember one login, and the database remembers everything else for you. Since that master password now protects everything, make it long and unique, and never reuse it anywhere else.

You can also consider keeping the database on an encrypted external drive that is only plugged in when you need it. This way it is not even connected to the outside world most of the time.

Use Unique Emails

Following on from using unique passwords, using a unique email address for each site means that even if another website gets hacked and all of its user information is compromised, the attacker has far less to work with when trying those details on other websites.

When you are choosing email addresses, try to avoid using your full name. By using your full name, you are handing over free information for no reason. Also avoid predictable variations.

If, for example, a website is hacked and it has your email address as Mark.Smith.HackedWebsiteName@gmail.com, it is not exactly going to be difficult for the attacker to guess what your Deribit or any other website email is.

It doesn’t have to be a completely random string of letters, something as simple as M.S.RandomWord@gmail.com would suffice.

Gmail also has a handy feature for using multiple email addresses from a single inbox: anything after a plus sign in the part before the @ (yourname+site@gmail.com), and any dots in that part, are ignored for delivery. You can read more about this on the Gmail blog here:
https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-more-from-your.html

By using this feature, you can maintain unique logins at each different website, while taking advantage of the protection 2FA on the main Gmail account provides, and manage the addresses from the same inbox. Bear in mind that anyone who knows the trick can strip the +tag and the dots to recover your base address, so plus addressing helps you track where a leak came from but does not by itself make your other logins unguessable; for that, use genuinely different addresses.

As an added bonus, using a different address for each site will also help you pin down which websites either sell your data to third parties or have poor security: if spam or a breach notification arrives at an address you only ever gave to one site, you know where it came from.
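As an added example (not code from the original post or from Deribit), the following Python shows both sides of the plus-addressing feature described above: the canonicalization an attacker (or a fraud team) applies to collapse m.s.randomword+site@gmail.com back to its base mailbox, and the leak attribution a user gets from it, grouping addresses found in a breach dump by mailbox and listing which per-site tags appeared. The breach dump and the addresses in it are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Domains on which Gmail's dot-insensitive, plus-tagged delivery rules apply.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> Tuple[str, Optional[str]]:
    """Return (base mailbox, per-site tag) for an address.

    For Gmail, dots in the local part are ignored and anything after '+'
    is a tag, so M.S.RandomWord+Deribit@gmail.com delivers to
    msrandomword@gmail.com with tag 'deribit'.  Addresses at other
    providers are only lower-cased; their aliasing rules differ."""
    addr = address.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or domain not in GMAIL_DOMAINS:
        return addr, None
    local, _, tag = local.partition("+")
    return f"{local.replace('.', '')}@gmail.com", (tag or None)


def attribute_leaks(addresses: List[str]) -> Dict[str, List[str]]:
    """Group leaked addresses by base mailbox and list the tags that leaked,
    which tells the owner which sites exposed (or sold) the address."""
    report: Dict[str, set] = {}
    for addr in addresses:
        base, tag = canonical_gmail(addr)
        tags = report.setdefault(base, set())
        if tag:
            tags.add(tag)
    return {base: sorted(tags) for base, tags in report.items()}


# Constructed sample "breach dump": one mailbox appears under two site tags,
# once via the googlemail.com alias, plus two unrelated addresses.
LEAKED_ADDRESSES = [
    "m.s.randomword+shopx@gmail.com",
    "M.S.RandomWord+forumy@googlemail.com",
    "other.user@gmail.com",
    "mark.smith@example.org",
]

if __name__ == "__main__":
    for base, tags in attribute_leaks(LEAKED_ADDRESSES).items():
        print(f"{base}: leaked via {tags or 'no tag (untraceable)'}")
```

The second address resolves to the same mailbox as the first despite different casing, dots and domain, which is exactly why a plus-tagged address should be treated as traceable but not as a secret.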


Storing Your Login Details

The following information should be treated as highly confidential:
- Email
- Password
- Original 2FA key (the secret from the setup QR code)
- 2FA backup codes
Do not store any of this information in plain text or on any device that is always connected to the internet. It is not going to do you much good to have all this security set up correctly if you leave all the keys a hacker needs in a handy text document on your desktop or in a Google document online. Written on paper and kept somewhere safe is fine.

Private Messages On Telegram

There has been an increase in the number of users receiving private messages from fake support accounts on Telegram. They are often named things like 'Deribit Support Team'. These accounts are all fake, and the scammers will attempt to get you either to send them money or to hand over personal/login details. Under no circumstances should you do either of these things.

Deribit will never ask you to send us money, and we will never ask for your password or 2FA codes. If you are in any doubt, simply email us directly at support@deribit.com or ask in the main support chat room here: https://t.me/deribit
In the above chat room, users with 'admin' next to their name are Deribit employees.

Deribit – July 2019