3 mistakes to avoid when buying cryptocurrency

One of the biggest issues plaguing the cryptocurrency world is a wave of scams, with U.S. government figures showing that 46,000 Americans lost a combined $1 billion to criminals last year.

Between pump-and-dump schemes, romance rip-offs and “rug pulls,” crypto scams are getting more brazen and sophisticated. Perhaps even more worrying is the rash of major heists, in which hackers have been able to steal billions of dollars’ worth of crypto from people’s digital accounts.

But good cybersecurity habits can minimize the risks, experts say. Here are three mistakes to avoid when buying cryptocurrency.

Receiving your login credentials via text message

Some cryptocurrency exchanges use two-factor authentication for online accounts. That requires users to first enter their username and password, and then enter a numerical code typically sent to their cell phone via text message.

The problem? Hackers can use what is known as a “SIM swap” scam to intercept your incoming texts, blockchain scam investigator Joe McGill warned. He recommends using a third-party service like Google Authenticator or Okta Verify; better yet, buy a “YubiKey,” which must be plugged into your computer to unlock your account.

“A YubiKey is just a small thumb drive that you plug into a USB port,” McGill said.

Ignoring the allow list

One step in setting up a crypto account is something called an “allow list.” That’s where a user can enter a list of IP addresses and designate which computers someone can use to withdraw funds from the account.

Users often bypass the list because they’re in a hurry to set up their account and are focused on the other steps in the process. But it’s an easy way to implement an extra layer of security, said McGill, who runs crypto scam reporting website Chainabuse. Don’t skip the allow list.

“All of these major exchanges now have all the security measures, from simple to the most paranoid of options,” McGill said. So use them all.

Storing your “seed phrase” carelessly

For crypto buyers using a digital wallet, it’s vital to guard your “seed phrase.” A seed phrase is a random set of words generated once a digital wallet is created. It allows the user to retrieve their crypto assets in case anything goes wrong.

Too often, people store their seed phrase in their email, on a Google Drive or in an online note, said Paul Sibenik, lead case manager for blockchain investigation firm CipherBlade. That makes an easy target for hackers.

Instead, hide the seed phrase in a secure place that isn’t connected to the internet. If you jot it down somewhere, be sure not to lose it — that can be a major headache, too.

“If another party accesses the seed phrase, your funds are gone,” Sibenik said. “That requires some planning. You have to think about that meticulously.”

Khristopher J. Brooks

Khristopher J. Brooks is a reporter for CBS MoneyWatch covering business, consumer and financial stories that range from economic inequality and housing issues to bankruptcies and the business of sports.