TL;DR
You should always keep your crypto secure whether you’re purchasing, storing, or investing. Losing your coins and tokens is, in the vast majority of cases, permanent.
If you trade cryptocurrencies on centralized exchanges, use ones that are regulatory compliant with KYC and AML checks. Peer-to-peer trading and decentralized exchanges with audits have the best chance of security.
There are multiple options when it comes to storing your crypto securely. You can keep your crypto on a regulated exchange, which is practical for newcomers and traders. However, you don’t own the keys to the wallet.
A non-custodial wallet where you own the keys provides more security, and the more secure option is to keep it in a wallet not connected to the internet like a cold storage device. In both cases, keep your private keys safe in an offline, secure place.
Use audited DApps to improve your security and regularly check which DApps have permission to use your wallet. Remove these permissions as soon as you’re finished using the DApp.
Introduction
At the core of cryptocurrencies is the idea of self-sovereignty – the notion that a user can act as their own bank. Secure your funds properly, and they'll be harder to reach than even the most well-guarded of bank vaults. Fail to do so, and you run the risk of someone remotely emptying your digital wallet.
Learning to secure your digital coins properly is a vital step as you journey down the cryptocurrency rabbit hole. It's not just all about storage, either. Nowadays, many cryptocurrency holders interact with DApps in the DeFi world, so you should also learn how to use your coins securely.
Just like you wouldn't allow an untrustworthy business to handle your money, you also shouldn't trust your coins with any random DApp. The same goes for exchanges where you purchase and trade crypto. In this guide, we'll discuss some of the best techniques for keeping your crypto assets safe wherever they are.
Purchasing crypto securely
There are many places where you can purchase cryptocurrencies nowadays. The list includes centralized exchanges, decentralized exchanges (DEX), crypto-ATMs, peer-to-peer options, and more. Not every choice offers the same amount of security, and each has its advantages and disadvantages. For most users, using reputable, centralized exchanges provides the best mix of ease-of-use and security.
Picking a secure exchange
For a centralized exchange like Binance, increasing regulation, Anti-Money Laundering (AML) measures, and Know Your Customer (KYC) checks provide security. While exchanges in the early days of crypto had their issues, governments and exchange operators have since improved the situation significantly.
To use an exchange, you'll need to transfer your funds into its custodial wallet. Giving the exchange responsibility for your coins can provide some security depending on your outlook. If you aren’t familiar with wallets or are new to cryptocurrencies, you may be more secure using the exchange’s wallet. This saves you from accidentally locking yourself out of your wallet and losing your crypto.
However, some people prefer the security of controlling their funds directly. You may have already heard the phrase “not your keys, not your coins”. If you don’t actually own the wallet, then someone else can control your crypto. You can check our storage section later on for more information.
If you've decided on using a peer-to-peer service or a decentralized exchange, there are a few signs to look for to improve your security. With a DEX, check for an audit from a reputable source. We'll dive further into audits later on. Binance also offers a DEX leveraging the company's security and reputation.
If you need to use a peer-to-peer service, make sure it requires KYC for both buyers and sellers. Ideally, it should also offer an escrow service. While it doesn’t remove the risks completely, a third party holding your funds in escrow provides both the buyer and seller more protection from scams.
How to secure your account
If you signed up for your exchange or chosen trading method, follow standard good practices to keep your account safe. These tips are no different from those you would use for your online bank account or other sensitive information. Preventing people from getting access to your account and its funds is easy by:
1. Using a strong password you regularly change. The password shouldn't include identifiable personal information like your date of birth, for example. Make sure it's also long, is unique to that account, and contains symbols, numbers, and lowercase and uppercase letters.
2. Enabling Two-Factor Authentication (2FA). If your password is compromised, 2FA using your mobile device, authenticator app, or YubiKey acts as a second level of protection. You need to use both your password and the 2FA method together when logging in.
3. Watching out for phishing attacks and scams via email, social media, and private messages. Fraudsters frequently impersonate exchanges and trusted individuals to try and steal your funds. You also shouldn't download software from unknown sources as it may contain malware.
For more details on keeping your account secure, read our Secure Your Binance Account in 7 Simple Steps guide.
How to store your crypto securely
Once you've purchased or traded some crypto and secured your account, your next priority should be placing it somewhere safe. If you're not leaving it on the exchange to trade later, the only other option is a wallet. Wallets differ in the ownership of your private keys and their connection to the Internet. The choice between them depends on the level of security you're comfortable having.
What is a private key?
A private key, like a real key, unlocks your cryptocurrency for you to spend. Keeping your private key and access to it safe is the most important part of your overall security. The key is just a really long number – so large that it would be impossible for anyone to guess. If you flip a coin 256 times and write down "1" for heads, "0" for tails, you'll end up with a private key. Here's one we've just generated. It's encoded in hexadecimal (using numbers 0-9 and characters a-f) for a more compact representation:
8b9929a7636a0bff73f2a19b1196327d2b7e151656ab2f515a4e1849f8a8f9ba
If you look that number up on Google, you'll see the only occurrence is in this article (unless it's been subsequently copied elsewhere). That should give you an idea of how truly random the number is – the odds of anyone having ever seen it before are astronomically low.
That example still doesn't do it justice. The number of possible private keys is close to the number of atoms in the known universe. In a nutshell, this is a vital security principle in crypto networks like Bitcoin and Ethereum. Your coins are safe because they're hidden in a brain-meltingly large range.
If you've received funds before, you'll be familiar with public addresses, which are also strings of random-looking numbers. Those are obtained by doing some cryptographic magic on your private key to get a public key, which is hashed to get the public address.
We won't get into depth on how this is done in this article. All you need to know is that, while it's easy to generate a public address with the private key, doing the reverse is impossible today. That's why you can safely list your public address on blogs, social media, etc. No one can spend the funds sent to it without the corresponding private key.
If you lose your private key, you lose access to your funds. If someone else learns your key, they can spend those funds. As a result, keeping your private key away from prying eyes is of paramount importance.
Seed phrases
You should note that wallets today rarely have just one private key – they're hierarchical deterministic (HD) wallets, meaning they can hold billions of different keys. All you need to know is a seed phrase, a collection of human-readable words that can be used to generate those keys. It may resemble the following:
strike sadness boss daring voice connect holiday vintage quantum pony stable genuine
Unless you deliberately choose to use only one private key, you'll probably be asked to back up a seed phrase when you create a new wallet. When we discuss key storage later, the term keys will be used interchangeably to describe both private keys and seeds.
How to secure your seed phrase
Your 12, 18, or 24-word seed phrase is extremely important to keep secure and safe. Anyone who has access to the phrase can import your keys into their wallet and steal your funds. You may also have a JSON file or individual private keys that act the same as a seed phrase. Think extremely carefully about how you manage your keys by following our tips below.
1. Keeping your seed phrase saved on a device connected to the Internet isn't recommended. If you download a virus or your computer is hacked and controlled remotely, your phrase can be compromised.
2. Offline storage is much more secure. You could store the phrase physically or on an offline device. Even if you have a cold storage device that we'll discuss later, you should also backup the key if your device breaks.
3. If you decide to store your phrase physically, think about the material you'll use and where you'll keep it. Writing the words on a piece of paper that can be destroyed or easily lost at home isn't a good idea. You might want to use a safety deposit box in a secure location or store the phrase with your bank. Some people will even engrave their seed phrase onto metal as it can't be easily destroyed or use metal letters on a seed board.
Hot wallets vs. cold wallets
Wallets fall into two categories: hot wallets and cold wallets. Both differ in the security that they offer. The two types encompass a broad range of different solutions – check out Crypto Wallet Types Explained for some examples. Let's now explore the differences between the two.
Hot wallets
A hot wallet is any cryptocurrency wallet that connects to the Internet (e.g., smartphone and desktop wallets). Hot wallets tend to provide the most seamless user experience. They're convenient when it comes to sending, receiving, or trading cryptocurrencies and tokens. But this convenience often comes at the cost of security.
Hot wallets are inherently vulnerable because of their Internet connectivity. Though private keys aren't broadcast at any point, there's a possibility that your online device can be infected and remotely accessed by malicious actors.
This isn't to say that hot wallets are completely insecure – they're just less secure than cold wallets. Hot wallets are superior on the usability front and thus are the generally preferred option for holding smaller balances.
Cold wallets
To eliminate the significant online attack vector, many opt instead to keep their keys offline at all times. They do so with cold wallets. Unlike hot wallets, cold wallets don't connect to the Internet. Previously, some cryptocurrency holders would keep a paper wallet: a printed piece of paper containing the wallet's private key, usually in the form of a QR code. However, we now see this as an outdated, risky security method. Your best option for cold storage is definitely a hardware wallet.
Hardware wallets
Hardware wallets (such as the Trezor One or Ledger Nano S) aim to provide a better user experience while adopting a similar principle of keeping the private key offline. These are more portable, cheaper than a full PC, and custom-made for cryptocurrency storage.
The physical devices store your private keys securely and never need to connect to the Internet. A good hardware wallet ensures that private keys never leave the device. They're usually held in a special place in the device that doesn't allow them to be removed. See What is a Hardware Wallet (and Why You Should Use One) for a more detailed explainer.
The hardware wallet industry has grown considerably in recent years, bringing dozens of different offerings to the market. You can check out reviews of these devices on Binance Academy.
Custodial vs. non-custodial
Your wallet can also be custodial or non-custodial. This refers to whether you have access to and can control your private keys. If you use an online service like a cryptocurrency exchange, then, at the protocol level, you're not really in possession of your coins. Instead, the exchange holds your funds and keys in custody and manages them on your behalf (hence the term custodial wallet). In most cases, the exchange uses a combination of hot and cold wallets to keep your coins safe.
So, if you want to trade BNB for BTC, the exchange reduces your BNB balance and increases your BTC one in its database. But there is no blockchain transaction involved. When you decide to withdraw that BTC, you request that the exchange sign a transaction on your behalf. They will then broadcast a transaction that sends your coins to the Bitcoin address you provide.
Crypto exchanges provide a much more convenient experience for users that aren't concerned with third-party custody of their funds. One of the risks of being your own bank is that no one can come to your rescue if something goes wrong.
If you lose your private key, you'll never recover your funds. If you lose your account password, on the other hand, you just need to reset it. You're still at risk of having your credentials stolen, so you need to ensure that you're taking the suitable precautions we mentioned above to secure your account.
What's the most secure storage option?
Unfortunately, there's not a single answer to that question – this would be a much shorter article if there was. The answer largely depends on your risk profile and how you use your cryptocurrency.
For instance, an active swing trader will have different requirements from a long-term HODLer. Or, if you run an institution that handles large amounts, you'd probably want a multi-signature setup, where multiple users need to agree before funds can be transferred.
For regular users, it's a good idea to keep the funds you're not using in cold storage. Hardware wallets are the most straightforward options – but make sure you test them out with small amounts to get comfortable first. You'll also want to keep your keys backed up elsewhere as per our tips above in case the device itself is lost or fails.
Online wallets are great for small amounts that you're using to buy goods and services. If your cold storage is like a savings account, your mobile wallet is like the physical wallet you carry around. Ideally, it should be an amount that, if lost, would not cause you serious financial issues.
For lending, staking, and trading, custodial solutions are your best bet. Before putting your funds to use, though, you should come up with a plan for how much you're allocating (e.g., with a position sizing strategy). Remember that digital currency is highly volatile, so you should never invest more than you can afford to lose.
Using Decentralized Finance and DApps securely
If you want to stake your tokens, use them in blockchain games, or participate in decentralized finance (DeFi), you'll need to interact with DApps and smart contracts. Users must give DApps permission to use funds in their wallets. You can see an example below using SushiSwap.
For example, giving PancakeSwap permission allows it to automate transactions like adding multiple tokens to a liquidity pool. The DApp can complete different steps all in one go, saving you time. While this is useful, there are some risks associated with it.
Unless you've studied the smart contract yourself and understand exactly what it does, there's always a chance of a backdoor exploit. Typically, projects go through auditing to prove that their smart contracts are safe. Certik is a famous provider of audits, but this reputation still doesn't always guarantee safety.
A compromised project will ask for permission to move unlimited or large amounts of tokens. Less experienced users are more likely to accept these and become victims of fraud. Even if you remove your funds from the DeFi platform, the project may still have some control and be able to steal them. Hackers can also attempt to manipulate and abuse smart contracts. Once again, if you've given permission to a project, you could be at risk in this situation.
How to revoke wallet permissions
You should regularly check what permissions you have given out in your wallet. If you're using BNB Smart Chain (BSC), BscScan has a token approval checker tool that lets you inspect and remove any permissions.
First, copy and paste your public BSC BEP-20 address. Then, click the search icon on the right.
You'll now see a list of smart contracts that have permissions in your account and how much they are approved for. To revoke the permission, click the button circled in red below.
Use audited projects that offer more security
As we mentioned above, audited projects are more secure options to invest your tokens and coins with. If you're interacting with smart contracts, staking in pools, or providing liquidity, it's recommended you always look for projects with audits.
An audit analyses a DApp's smart contract code. The auditors will look for backdoors, exploitable scripts, and security issues. These are reported to the project founders, who then make changes to the code. Any changes are added to the final report to show users the complete, transparent process. The final report can then be made public.
While an audit cannot guarantee a project's safety, the chance of your funds being more secure does improve. It would be unwise to invest money in a project that has no audit available. Some smart contracts handle a massive amount of funds which makes them attractive to hackers. If auditors don't check the code, they become easy targets.
Certik regularly updates their list of audited projects, along with their rating out of 100 and other important information.
How to avoid scams
Cryptocurrencies, unfortunately, attract many scammers. People look to exploit other users and take their crypto, and once the funds are stolen, there is usually no way of getting them back. Scammers abuse the anonymous nature of cryptocurrencies and the fact that many users directly control large amounts of funds.
You should always be vigilant and never send money to users you don’t know. You should also always check the identity carefully of anyone you do send money to. Here are some of the most common scams to look out for:
1. Phishing - You may receive an email from an exchange or other service you use, asking you to log in or provide personal information. However, this may be a scammer looking to steal your information.
2. Fake exchanges - These are often mobile apps or websites which imitate the look of an exchange. Once you enter your details, a scammer will then use it to access your real account.
3. Blackmail - A scammer may send you malware that holds your files for ransom. To pay, you will most likely have to send Bitcoin or another currency to get them back. You may not even receive the files after payment.
4. Pyramid and Ponzi schemes - You may be offered to participate in a new project and purchase its coins or enter a special deal requiring you to make a crypto payment. However, a deal that’s too good to be true often is. Do your own research to make sure what you’re investing in is safe.
5. Impersonation - Someone may pretend to be an official, person of trust, or even friend. They will then ask you for crypto or information that you would not typically give out. In this case, always double-check someone is who they say they are.
For more information on these scams and what you can do to avoid them, read our 8 Common Bitcoin Scams and How to Avoid Them guide.
Closing thoughts
When it comes to keeping your cryptocurrencies secure, the blockchain industry today provides many security measures. From trading through to storing and using your crypto, simple tips are effective in keeping your funds safe. In terms of storage, each alternative has its benefits and drawbacks, so it's essential to understand the trade-offs. As always, make sure to do proper research into anywhere you’re putting your money or crypto.