Crypto Security
Education about wallets, storage and general security for your crypto
Investor Education Notice
Devices, Numbers, Passwords, Accounts & Cold Storage
In crypto, you are the bank, and that makes you the target. Attackers do not need to break the blockchain. They go after the weak points around it: your phone, your number, your passwords, your email, and the apps you trust. This guide hardens every layer, from the device in your hand to the cold wallet in your drawer, so that no single failure can cost you everything.
Public Education Advisory · Defend Every Layer
The mindset: defense in layers
Good security is not one strong lock. It is many layers, each one assuming the one before it might fail. A determined attacker who gets your password should still hit a second factor; one who clones your SIM should still find no SMS codes worth stealing; one who reaches your hot wallet should still find your savings sitting in cold storage they cannot touch.
Assume you are already a target. Build so that no single failure is fatal.
The goal is simple: remove single points of failure. Spread your defenses so that any one mistake, breach, or stolen device is survivable. The sections below take each layer in turn, from the most exposed to the most protected.
None of this requires expertise. It requires a few deliberate choices made once, calmly, before anything goes wrong. That is always cheaper than the alternative.
Your devices: phone and computer
Every key you touch passes through a device. A compromised phone or laptop can read your screen, your clipboard, and your keystrokes. Keep the device clean and the rest gets far easier.
Install operating-system and app updates promptly. Most real attacks use known holes that a patch already closed.
Use a strong passcode plus biometrics, and a short auto-lock. A device that locks itself protects you when it is lost or stolen.
Install wallets and tools only from official stores or the maker's verified link. Never sideload, and never jailbreak or root a device that touches crypto.
For meaningful sums, keep a clean phone or computer used only for crypto, with no random apps, no browsing, no email.
Avoid public Wi-Fi for anything sensitive. Use your own connection, and a reputable VPN when you must use someone else's.
Address-swapping malware silently replaces a copied wallet address with the attacker's. Always check the full address after pasting.
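The full-address check described above, written out as an added example (not part of the original guide). It shows why comparing only the first and last few characters is not a full check. The addresses are constructed placeholders, and the address book and function names are hypothetical.

```python
# Constructed placeholder strings shaped like addresses; not real wallets.
SAVED = "bc1q" + "a" * 10 + "b" * 10 + "c" * 10 + "9k2mzz"
LOOKALIKE = "bc1qaa" + "x" * 8 + "y" * 10 + "z" * 10 + "9k2mzz"  # same ends
OTHER = "bc1q" + "z" * 10 + "b" * 10 + "c" * 10 + "111111"
ADDRESS_BOOK = {"cold-savings": SAVED}  # hypothetical personal whitelist


def normalize(addr):
    """Drop whitespace and invisible characters a copy-paste can pick up.
    Case is left alone because some address formats are case-sensitive."""
    return "".join(c for c in addr if c.isprintable() and not c.isspace())


def compare(expected, pasted, edge=6):
    """Return (verdict, index of the first differing character or None)."""
    e, p = normalize(expected), normalize(pasted)
    if e == p:
        return "match", None
    diff = next((i for i, (a, b) in enumerate(zip(e, p)) if a != b),
                min(len(e), len(p)))
    # Same head and tail but a different middle: passes a quick glance,
    # fails a full comparison.
    if len(e) == len(p) and e[:edge] == p[:edge] and e[-edge:] == p[-edge:]:
        return "lookalike", diff
    return "mismatch", diff


def audit_paste(pasted, book, edge=6):
    """Check a pasted address against every saved entry.
    Returns (verdict, label of the entry matched or imitated)."""
    verdicts = {label: compare(addr, pasted, edge)[0]
                for label, addr in book.items()}
    for wanted in ("match", "lookalike"):
        for label, verdict in verdicts.items():
            if verdict == wanted:
                return wanted, label
    return "unknown", None


if __name__ == "__main__":
    for sample in (SAVED + "\n", LOOKALIKE, OTHER):
        print(audit_paste(sample, ADDRESS_BOOK))
```

A "lookalike" verdict is the one to treat as an alarm: the pasted value imitates a saved address without being it.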
Your phone number: the SIM-swap weak point
Your phone number was never built to guard money. It is one of the easiest things for an attacker to steal, and one of the most damaging.
An attacker convinces your carrier to move your number to their SIM, often with stolen personal details. Every SMS code then arrives on their phone, not yours.
Ask your carrier for a port-out or transfer PIN, and to add a note on the account requiring in-person or password verification. This is the single best defense against a swap.
Take your phone number off your accounts as a login, recovery, or 2FA method wherever you can. If it cannot unlock anything, stealing it achieves little.
Do not publish or hand out the number tied to your financial accounts. Consider a separate number that is never linked to crypto.
Passwords: long, unique, and managed
Reused passwords are the most common way accounts fall. One leaked site hands attackers the key to all the others.
Use a different long passphrase for every account. Length beats complexity; a string of random words is both strong and survivable.
A reputable password manager generates and remembers unique passwords for you, behind one strong master password you never reuse.
Reusing a password anywhere undermines everything. Never type a password into a page you reached through a link someone sent you.
Use a breach-notification service. If a password is exposed, change it everywhere it was used, immediately.
Two-factor authentication done right
A second factor stops a stolen password on its own. But not all second factors are equal, and the most common one is the weakest.
Use an authenticator app that generates time-based codes. SMS codes can be intercepted by a SIM swap, so avoid SMS 2FA wherever a better option exists.
A physical security key (FIDO2) is the strongest second factor. It cannot be phished or copied, because it only answers to the real site; a look-alike page gets nothing it can use.
Keep your 2FA recovery codes on paper, offline, so a lost phone never locks you out. Never store them in the same place as a password.
Accounts and email: the master key
Your email controls every account that can reset through it. Whoever owns your inbox can often reset the rest. Guard it harder than any single account.
Most password resets flow through email. If an attacker holds your inbox, exchange and account logins fall one by one.
Use a separate email only for crypto and finance, never shared publicly, locked with a unique password and a hardware key.
On exchanges, set a withdrawal address whitelist and an anti-phishing code, and check active sessions, linked devices, and API keys regularly.
Hot wallets vs cold wallets
The single most important storage decision is how much sits online. The rule of thumb: small amounts and spending money hot, savings cold.
Hot wallet
Connected to the internet: a mobile, desktop, or browser wallet. Convenient and quick, but always exposed to the device and the network around it.
Use for: small everyday amounts, active trading, on-chain activity. Never your life savings.
Cold wallet
Kept offline: a hardware device or an air-gapped setup. The private keys never touch an internet-connected machine, so remote attacks cannot reach them.
Use for: savings and any meaningful holding you intend to keep. This is where the bulk should live.
Hardware wallets (Trezor, Ledger, and the like)
A hardware wallet is a small dedicated device that holds your keys and signs transactions inside itself, so the keys never reach your computer. Used correctly, it is the strongest practical protection an individual has.
The private keys are generated and kept on the device. When you send funds, the device signs the transaction internally; the secret never leaves it, even when plugged into an infected computer.
Purchase only from the maker or an authorised seller. Never buy a used or pre-set-up device, and never one whose seal or packaging looks tampered with.
Set it up from scratch so the device generates a fresh seed in front of you. If it arrives with a seed already written, it is a trap; never use it.
The PIN protects the device if it is lost or stolen. After a few wrong tries a good device wipes itself, leaving the thief nothing.
An optional passphrase (a 25th word) creates a hidden wallet on top of the seed. It adds strong protection if you fully understand and back it up.
Always confirm the receiving address and amount on the device's own screen before approving. Update firmware only through the maker's official app.
Threats and the defense for each
These are the attacks that actually empty wallets. Each has a defense already covered above. Know the move, and you can block it.
Security is not a product you buy once. It is a set of habits that make you a harder target than the next person. Layer your defenses, remove the single points of failure, and the attacker moves on.
EWC INVESTMENTS · INVESTOR EDUCATION
This guide is general educational information about cryptocurrency and account security. It is not financial, investment, legal, or security advice, and EWC Investments is not a financial adviser or a law firm. Security tools and threats change over time. You alone are responsible for your devices, keys, and security decisions. Verify every wallet, app, and address independently, and never share your recovery phrase with anyone.