The Justice Department on Monday reported it successfully retrieved $2.3 million in bitcoin paid by Colonial Pipeline to ransomware hackers in April.
But the news caused a stir of confusion online — some speculated that bitcoin was “hacked,” and on Tuesday, the price of bitcoin seemed to slide due to concerns over security of the cryptocurrency.
Though it isn’t exactly clear how it was done, experts say the FBI’s ability to retrieve the bitcoin ransom was due to the criminals’ storage of their private keys, rather than any vulnerability with the cryptocurrency itself.
Private keys, or a string of letters and numbers similar to a password, are used to unlock access to a holder’s cryptocurrency. In turn, it’s extremely important that your private keys remain undisclosed to the public.
“Anybody, anytime, that gets a private key can move funds,” Parker Lewis, head of business development at bitcoin custody and loan firm Unchained Capital, tells CNBC Make It. “The only way that funds can be moved is if you have the private key, and that’s why securing private keys is so important.”
According to the Federal Trade Commission, nearly $82 million was reported lost to crypto scams during the fourth quarter of 2020 and first quarter of 2021. That is more than 10 times the amount from the same period the year before, the FTC reported.
To protect your crypto from hackers or any outside threat, it’s important to understand the type of wallet options available and how to secure your private keys.
Non-custodial vs custodial wallets
First, it’s important to understand the different types of wallets out there.
If you decide to buy cryptocurrency, you can use a non-custodial wallet or a custodial wallet to store your funds. It’s a choice that’s dependent on your personal preferences, both with pros and cons.
What’s a non-custodial wallet?
With a non-custodial, or self-custody, wallet, you are in control of your private keys and you own your cryptocurrency holdings.
When using a non-custodial wallet service, you’re fully responsible for remembering your private keys and maintaining security measures to protect your funds. If you forget your private keys, which is common, you will be unable to access your cryptocurrency — no exceptions.
“You have the responsibility to make sure you don’t lose your keys, and you’re really the only person with that responsibility,” says Nick Neuman, CEO of bitcoin security and self-custody company Casa.
That means you’re responsible for making sure you employ back-up mechanisms like cold wallets, including hardware wallets, which are physical devices that store your keys offline, Neuman says. Many hardware wallets look similar to a USB stick.
Though hardware wallets are widely considered to be the safest option to store private keys, there are still risks. It’s important to use a trusted hardware provider and secure your hardware wallet in a safe place, since a physical device can still be stolen or destroyed.
“If my bitcoin keys are somehow connected to the internet, then, as I’m sleeping, there could be a hacker that’s trying to get access to my keys,” Lewis says. That’s why hot wallets, or those connected to the internet, are considered to be much more risky than cold wallets.
To physically secure their keys, some investors use a hardware wallet, while others write their private keys on paper and lock it in a vault. Some also prefer non-custodial wallets that offer multisig, or multi-signature, protection.
Most bitcoin wallets require one private key to gain access and move cryptocurrency, but with multisig, multiple keys are required. Each key is held on different device, typically a mix of your phone and offline hardware wallets, that are stored in different locations.
“The main point is, no matter how you are backing it up, you need to find some way to back-up your key in case you lose it so that you don’t lose all your crypto from a mistake,” Neuman says.
What’s a custodial wallet?
With a custodial wallet service, a third party, such as exchanges like Coinbase, Kraken or Gemini, is in control of your private keys.
This means that if you buy cryptocurrency through an exchange, you are given a sort of “IOU” for the cryptocurrency, while the exchange owns the private keys and holds the cryptocurrency in their wallet.
For example, if you buy bitcoin on Coinbase, then “Coinbase owes you bitcoin until you decide to withdraw it,” Neuman says.
Although some in the bitcoin community like to say “not your keys, not your bitcoin,” many prefer a custodial wallet since you don’t need to worry about storing or forgetting your private keys and permanently losing funds.
If you decide to use an exchange, “spend the time to do the research, understand which exchanges have stood the test of time and have some sort of a regulatory framework around it,” says Philip Martin, chief security officer at Coinbase.
You should also understand the potential risks. With a custodial wallet, a hacker wouldn’t need your private keys to move funds from your account, since the exchange owns the keys, not you. That eliminates one wall of protection to your funds, Neuman says.
However, many exchanges invest heavily in security, and there are other ways to protect your account from being hacked individually, such as two-factor authentication.
How to protect your wallet
Regardless of where you decide to store your cryptocurrency and private keys, be aware of bad actors in the space. Though there are many different scams, a common one is sim swapping.
Here’s how a sim swap scam typically happens.
When you sign up with an exchange, you set a username and password and can add two-factor authentication, or two FA, to protect your account. If a hacker is able to get your login information, they’d also need to pass the two FA to gain access to your account. To do this, they’ll call your phone company and convince them to transfer your phone number to theirs.
“It’s pretty unfortunate, but it’s not very difficult for them to convince your telecom company to transfer your number, which is why we flat-out say never use SMS text message for two FA if you can avoid it,” Neuman says.
However, for some exchanges, the SMS two FA is the only option. If you can’t avoid it, call your carrier and ask to add a password or other barrier to your account, Martin says.
If the exchange offers it, Martin also recommends using a YubiKey, which he calls “the gold standard for two-factor authentication.” The YubiKey, created by security company Yubico, is a USB hardware authentication key that can be plugged into a device.
Martin also recommends using password managers and warns to not use the same password across your accounts.
Once you pick a wallet service, its software will also often generate a unique seed phrase, or a collection of 12 to 24 random words, which could be used to recover your crypto wallet. Your seed phrase should also be kept completely private and in a secure location offline.
Along with security measures, you should also remain skeptical when receiving outside messages regarding your crypto wallet.
“If it’s too good to be true, it definitely is,” Martin says. “No one on Twitter is going to send you back double what you send to them.”
Lastly, “be very skeptical if someone offers to install remote screen viewing software on your laptop. I can tell you for sure Coinbase will never do that.”