Prevention Policies for Individuals
Below is a list of prevention policies for individual cryptocurrency users. Each of these policies is a standard template which can be included in the applicable case studies. We also have Prevention Policies for Platforms and Prevention Policies for Regulators.
To add a template to an article's Prevention section, select Insert > Template and type "Prevention:Individuals:<title>", where <title> is one of the titles below. You can also use "Prevention:Individuals:No Individual Funds Lost" if no individual funds were lost, and "Prevention:Individuals:Placeholder" if no policy can be identified to mitigate the particular case.
Avoid Third Party Custodians
When using any third party custodial platform (such as for trading), it is important to verify that the platform holds full reserves backing all customer assets, and that those assets are secured in a proper multi-signature wallet whose keys are held by several trusted and trained individuals. If this cannot be validated, users should avoid the platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation that would be necessary to confirm that assets are kept secure and fully backed. Therefore, the most effective strategy at present remains to learn proper self-custody practices and to avoid third party custodial platforms whenever possible.
Protect Personal Information
Set up a separate email address for each service, and avoid providing your phone number whenever possible. Treat any received email or phone call with scrutiny, especially if unsolicited. Interact with companies only through their official websites, and confirm anything with the company directly via multiple official channels, especially if it promises a significant incentive for taking an action or threatens your access to funds if an action is not taken. It is also recommended to establish a network of several trusted individuals who use the same services and have a strong level of security knowledge.
Store Funds Offline
Store the majority of funds offline. "Offline" means that the private key and/or seed phrase is held exclusively by you and is never present on a networked device. Examples of offline storage include paper wallets (the seed phrase or key written down and then deleted from all electronic media), hardware wallets, steel seed-storage devices, etc.
Keep Multiple Backups
Ensure that more than one copy of your seed phrase is kept, and that each copy is in a distinct location. For example, you may keep a backup copy in a bank vault. A common scheme is to split the 24-word seed phrase across 3 cards of 16 words each (words 1-16, 9-24, and 1-8 plus 17-24), such that any two of the cards are needed to reconstruct the wallet. Note that each card in this scheme still reveals 16 of the 24 words on its own; a proper secret-sharing scheme such as SLIP-39 (Shamir's secret sharing) reveals nothing from a single share and should be preferred where the wallet supports it.
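The following is an added example, not code from the original page or from any wallet project. It implements the two 2-of-3 backup schemes mentioned above: the overlapping-card split of the mnemonic itself, and a simplified Shamir split of the seed's raw entropy over GF(2^8) (the same field SLIP-39 uses, but without SLIP-39's word encoding and checksums). The 24-word mnemonic and the 32-byte secret below are constructed filler, not a real wallet seed.

```python
"""Added example: a 2-of-3 seed backup done two ways.

Scheme 1 is the overlapping-card split described in the text: any two of
three 16-word cards rebuild the 24 words, but each card leaks 16 words.
Scheme 2 is Shamir secret sharing over GF(2^8) of the raw seed entropy:
any `threshold` shares rebuild it, and fewer reveal nothing.
"""
import secrets
from itertools import combinations

# Constructed sample mnemonic (NOT a real seed): "w01" .. "w24".
MNEMONIC = [f"w{i:02d}" for i in range(1, 25)]

# --- Scheme 1: overlapping word cards --------------------------------------
def card_split(words):
    """Each card maps word index -> word so recovery can restore the order."""
    assert len(words) == 24
    card_a = {i: words[i] for i in range(0, 16)}                       # words 1-16
    card_b = {i: words[i] for i in range(8, 24)}                       # words 9-24
    card_c = {i: words[i] for i in (*range(0, 8), *range(16, 24))}     # 1-8, 17-24
    return [card_a, card_b, card_c]

def card_recover(card1, card2):
    merged = {**card1, **card2}
    assert len(merged) == 24, "these two cards do not cover every word"
    return [merged[i] for i in range(24)]

# --- Scheme 2: Shamir secret sharing over GF(2^8), polynomial 0x11b --------
def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES/SLIP-39 reduction polynomial."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    """a^254 == a^-1 in GF(2^8) (Fermat); 0 has no inverse."""
    assert a != 0
    r, n = 1, 254
    while n:
        if n & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        n >>= 1
    return r

def shamir_split(secret, threshold, shares):
    """Return [(x, y_bytes)] for x = 1..shares; each byte gets its own polynomial."""
    assert 1 < threshold <= shares < 256
    out = [bytearray() for _ in range(shares)]
    for s in secret:
        # f(x) = s + c1*x + ... + c_{t-1}*x^{t-1}, coefficients uniformly random
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x in range(1, shares + 1):
            y = 0
            for c in reversed(coeffs):      # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            out[x - 1].append(y)
    return [(x, bytes(out[x - 1])) for x in range(1, shares + 1)]

def shamir_recover(shares):
    """Lagrange interpolation at x = 0; subtraction is XOR in characteristic 2."""
    result = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xm ^ xj)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        result.append(acc)
    return bytes(result)

def every_subset_recovers(secret, shares, k):
    """True if every k-subset of shares rebuilds the secret (used by the check below)."""
    return all(shamir_recover(list(sub)) == secret for sub in combinations(shares, k))

if __name__ == "__main__":
    cards = card_split(MNEMONIC)
    print("card A alone reveals", len(cards[0]), "of 24 words")
    print("cards A+C rebuild mnemonic:", card_recover(cards[0], cards[2]) == MNEMONIC)
    entropy = bytes(range(32))               # constructed stand-in for 256-bit seed entropy
    shares = shamir_split(entropy, 2, 3)
    print("any 2 of 3 Shamir shares rebuild entropy:", every_subset_recovers(entropy, shares, 2))
    print("one share alone rebuilds entropy:", shamir_recover(shares[:1]) == entropy)
```

The card scheme is convenient but a single stolen card leaves an attacker only 8 words (88 bits minus checksum) to guess, which is far weaker than the full 256-bit seed; the Shamir split keeps every share information-theoretically useless on its own.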
Private keys can be exposed through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc. Never send any of these to anyone you would not trust to take all of your money. Attackers use a wide variety of tactics to convince you, such as pretending to be your wallet software, pretending to work for the wallet vendor, or asking you to share your screen. Do not fall for them.
Question Unrealistic Profit
Any time you are promised a profit or benefit in exchange for an initial payment, smart contract approval, or deposit, take special care to determine whether the entity making the offer is trustworthy, is actually who they claim to be, and has the means to deliver what is promised. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average loses money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects rarely announce a surprise mint in only a single location. Are you fully prepared for the event that your money is kept and nothing is delivered in return?
Double Check Transactions
Every approval or signature you grant on Web3 is an opportunity to lose the funds it covers; an unlimited ERC-20 approval or an NFT setApprovalForAll gives the approved contract the ability to move every such asset in your wallet. Take the time to review the transaction in full. Check the balance, the permissions being granted, and the entire address you are interacting with, not just its first and last characters. Do not trust that your clipboard or any website front-end provides an accurate address or transaction status. Always perform a small test transaction before the first high-value transaction in any session.
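As an added example (not part of the original page, and not any wallet's own code), the script below decodes the raw calldata a wallet would be asked to sign and surfaces the fields the text says to check: which function is being called, which spender or recipient it names, and whether an approval is unlimited. The 4-byte selectors are the standard ERC-20/ERC-721 ones; the addresses and calldata are constructed for the example, and the "poisoned" address shows why comparing only a prefix and suffix is not enough.

```python
"""Added example: decode transaction calldata before signing it."""

# Standard ABI selectors: first 4 bytes of keccak256 of the signature.
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),            # ERC-20
    "a9059cbb": ("transfer", ["address", "uint256"]),           # ERC-20
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),     # ERC-721/1155
}
MAX_UINT256 = 2**256 - 1

def encode_calldata(selector_hex, *args):
    """Build ABI calldata for the constructed samples (static types only)."""
    data = bytes.fromhex(selector_hex)
    for arg in args:
        if isinstance(arg, bool):
            data += int(arg).to_bytes(32, "big")
        elif isinstance(arg, int):
            data += arg.to_bytes(32, "big")
        else:                                   # hex address string
            data += bytes(12) + bytes.fromhex(arg[2:])
    return "0x" + data.hex()

def decode_calldata(hexdata):
    """Return a dict describing the call; unknown selectors are reported, not guessed."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"method": None, "selector": selector}
    name, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError("argument block has unexpected length")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i: 32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):                  # padding must be zero for a clean address
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif typ == "bool":
            args.append(word[-1] == 1)
    info = {"method": name, "args": args, "selector": selector}
    if name == "approve":
        info["unlimited"] = args[1] == MAX_UINT256
    elif name == "setApprovalForAll":
        info["unlimited"] = args[1]             # true == every token in the collection
    return info

def same_address(a, b):
    """Full, case-insensitive comparison of both addresses."""
    return a.lower() == b.lower()

def is_lookalike(a, b, edge=4):
    """True when only the visible ends match: the signature of address poisoning."""
    a, b = a.lower(), b.lower()
    return a != b and a[:2 + edge] == b[:2 + edge] and a[-edge:] == b[-edge:]

# Constructed sample addresses (not real accounts).
INTENDED = "0x" + "ab" * 20
POISONED = "0xabab" + "00" * 16 + "abab"

if __name__ == "__main__":
    call = encode_calldata("095ea7b3", POISONED, MAX_UINT256)
    info = decode_calldata(call)
    print(info["method"], "spender:", info["args"][0], "unlimited:", info["unlimited"])
    print("spender is intended address:", same_address(info["args"][0], INTENDED))
    print("spender is a lookalike:", is_lookalike(info["args"][0], INTENDED))
```

A wallet that shows only "0xabab...abab" would display the intended and poisoned addresses identically; the full comparison in same_address is the check the text is asking for.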
Always Verify Executables
Any time untrusted software is run, there is an opportunity for abuse. It is recommended to always interact with cryptocurrency from a fully controlled environment, meaning one where you understand every piece of software running on it. Using a hardware wallet, a spare computer wiped of all other software, and/or a virtual machine containing only the needed software greatly reduces your attack surface. Take the time to verify that downloaded files come from the correct and expected source and that they match the published hashes, if any are provided. Whenever you encounter a new file, check whether it can contain executable code before opening it.
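The script below is an added example, not from the original page or any particular project. It performs the two checks described above on a downloaded file: comparing its SHA-256 digest against a published value in constant time, and inspecting the file's leading bytes so that a file which claims to be a document but carries an executable header is flagged. The sample files it writes are constructed in a temporary directory; the magic-byte table covers the common native formats and script/archive containers.

```python
"""Added example: verify a download's hash and check whether it can run code."""
import hashlib
import hmac
import os
import tempfile

# Leading bytes of formats that can carry executable code. Constructed list;
# extend it for your platform.
MAGIC = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "Windows PE executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit executable"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal binary / Java class"),
    (b"#!", "script with shebang"),
    (b"PK\x03\x04", "zip container (may hold executables, macros or an app bundle)"),
]
PASSIVE_EXTENSIONS = {".pdf", ".txt", ".png", ".jpg", ".csv"}

def sha256_file(path):
    """Stream the file so large downloads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_hash(path, expected_hex):
    """Constant-time comparison against the published digest."""
    return hmac.compare_digest(sha256_file(path).lower(), expected_hex.strip().lower())

def classify(path):
    """Return the executable-format name matched by the header, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, name in MAGIC:
        if head.startswith(magic):
            return name
    return None

def check_download(path, expected_hex):
    """Combine both checks; a mismatch between extension and header is a red flag."""
    kind = classify(path)
    ext = os.path.splitext(path)[1].lower()
    return {
        "hash_ok": verify_hash(path, expected_hex),
        "executable_format": kind,
        "extension_mismatch": kind is not None and ext in PASSIVE_EXTENSIONS,
    }

# Constructed fixtures: a text file with a known digest and a "PDF" that is a PE.
HELLO_SHA256 = "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"

def build_fixtures():
    d = tempfile.mkdtemp()
    notes = os.path.join(d, "notes.txt")
    with open(notes, "wb") as f:
        f.write(b"hello world")
    fake_pdf = os.path.join(d, "statement.pdf")
    with open(fake_pdf, "wb") as f:
        f.write(b"MZ" + b"\x90" * 62)          # PE header stub, not a document
    return notes, fake_pdf

if __name__ == "__main__":
    notes, fake_pdf = build_fixtures()
    print("notes.txt:", check_download(notes, HELLO_SHA256))
    print("statement.pdf:", check_download(fake_pdf, "00" * 32))
```

A published hash only proves the file you have is the file the publisher intended to ship; it says nothing about whether that publisher was compromised, which is why the source itself must also be verified.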
Safe Smart Contract Usage
Avoid the use of smart contracts unless necessary. Minimize exposure by withdrawing assets from contracts whenever they are not in active use. Prefer smart contracts that have obtained third party security audits, ideally from at least three separate reputable firms. Read the audit reports, confirm which contracts and versions they cover, and check whether the contract has been upgraded or modified since the report was issued. Ensure that any administrative function able to remove funds from the contract is under the authority of a multi-signature wallet controlled by at least three separate and reputable entities.
Handling In-Person Transactions
When performing an in-person exchange, the risk can be reduced by transferring a smaller amount at one time, meeting in a more secure location, conducting the transaction with more individuals present, and retaining more identifying information about the counterparty. Having a large amount of cash in one place and improperly secured invites theft. Be sure that you have physical sight of any cash to be received before authorizing an irreversible payment. Alternatives with a lower risk of physical theft, such as debit or eTransfer, should also be considered.