I've spent a good deal of time trading crypto coins in the past couple years. I got heavily into it just before the fall of Mt. Gox (Feb 2014) and have been hooked ever since. Recently I've had an especially great time riding the Ethereum waves. Combined with my 'professional' security experience, I felt like it might be helpful for me to share the details of my trading setup.
I'm going to keep it pretty high level for now but if you have specific questions or would like more details please find me on twitter (@nopslip) or comment below.
1. Set up a Virtual Machine to trade from
The full details of how to do this are beyond the scope of this post, but I'll highlight a couple reasons why I chose to go this route. By isolating your trading to a dedicated VM you don't have to worry (as much) about possible security issues from daily internet usage. The benefit only holds if the VM stays dedicated, so don't use your trading VM for anything else.
I'm currently running a Debian 8 VM through VirtualBox. Whatever OS you choose, just make sure to run updates frequently and keep an eye on security advisories. Another route that really is more secure is to boot into a read-only or live OS. Between you, me and the internet, I don't take it to that level for trading crypto coins though. If you're interested, here is a nice link with more info on these topics: https://www.deepdotweb.com/2015/03/02/tutorial-high-security-virtual-machines/
A couple other points of interest for your VM: if you travel frequently and don't already have your host drive encrypted, it would be a good idea to encrypt your VM. Probably unnecessary to mention, but don't reuse account names or passwords for your login on your VM, and use a password manager to help generate complex, lengthy passwords! Also, I don't run crypto wallets on the same VM that I trade from.
I'm going to leave networking out for now but hope to update the post with info on how to best network your VM as well. Using the standard NAT settings is not the best idea.
Here is also a good place to mention VPNs. For the sake of keeping this concise (VPNs are worth a whole post of their own) I'll just throw out a couple top-level points of interest. VPNs are great to encrypt your traffic from your machine to the VPN's exit server, but that's it. After that it's back to whatever the application protocol itself provides, which for anything not using TLS means clear text. Perhaps I'm paranoid, but I'm wary of those sitting outside known VPN providers' servers watching the traffic.
Also, while any reputable exchange will have HTTPS (HTTP over TLS/SSL) set up and configured properly, which encrypts your traffic at the application layer, it's still good to understand what traffic from your machine is being encrypted, by what protocols and where. I don't usually use a VPN when trading, but there are times when it might make sense. If you're trying to use SatoshiDice or something, run the VPN from your VM so that traffic is isolated.
2. Connecting to your trading site
I've traded on a number of different sites and have recently ended up on Poloniex. Besides the presence of ETH (for bitcoin I used to love btc-e), I really like the layout, usability, feature set and the mods in the trollbox. More on site selection in a bit though. For now, here are a couple things to keep in mind with respect to browser choice and how you connect.
Some generic points:
- Make sure your browser is fully updated!
- Don't click links in the trollbox and don't open any other tabs in your browser. If you absolutely must browse other sites in your VM, use a completely separate browser (i.e., trade in Chrome and open other tabs in Firefox). Really, you should surf and check links on your host or another VM.
- Run your browser in Private/Incognito mode. In line with the point above, let's say you click a link from the trollbox or open a new tab in the same browser to some other random site. We're pretty confident Polo isn't hacked, but if that other site is malicious (by design or flaw) it could be possible for it to dump your login session information from your trading exchange and authenticate as you. While incognito mode doesn't protect you 100% from si
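How much another tab or site can do with your exchange session also depends on the attributes the exchange sets on its session cookie. As an added example (not code from the original post, and run against a constructed response rather than anything captured from Poloniex), here is a small check for the cookie attributes that limit cross-site and script access to a session cookie:

```python
"""Audit Set-Cookie headers for session-protection attributes.

Added example, not code from the original post. The headers below are a
constructed sample, not a capture from any real exchange.
"""

# Constructed sample: two Set-Cookie headers as an exchange might send them.
SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: remember_me=xyz789; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]


def parse_set_cookie(header):
    """Return (cookie name, attributes) for one Set-Cookie header line.

    Attribute names are lower-cased; bare flags (Secure, HttpOnly) map to True.
    """
    _, _, value = header.partition(":")
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit_cookie(header):
    """List the hardening attributes a single cookie is missing."""
    name, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by script running in the page")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: sent on cross-site requests")
    return name, problems


def audit_headers(headers):
    """Map cookie name -> list of problems for every Set-Cookie header."""
    return dict(audit_cookie(h) for h in headers if h.lower().startswith("set-cookie:"))


if __name__ == "__main__":
    for cookie, issues in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not issues else "; ".join(issues))
```

You can feed it the Set-Cookie lines from your browser's developer tools after logging in; a session cookie with all three attributes present is what you want to see.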
3. Exchange/site specific considerations
Do some research before you select a site to trade on. Pull up your favorite search engine and try things like "poloniex hacked", "btc-e security", "who owns Kraken".
Do they have a bug bounty? How do they handle security vulnerabilities? Can they prove that they have the coins they say they have? Do they have two-factor authentication?
Most exchanges offer different security settings (Bitfinex is doing some really cool stuff right now), but one thing you really need to make sure you enable is two-factor authentication (2FA). Yes, it is a pain in the ass to have to pull up your phone and type in a 2FA code every time you login, but if you're going to be trading an amount of bitcoin that you don't want to have stolen it's a must.
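To show why the code on your phone is a real second factor, here is an added example (not from the original post, and not any exchange's implementation) of the standard TOTP scheme those 2FA apps use, RFC 4226 HOTP under RFC 6238 time windows, together with the server-side verify step that tolerates a little clock drift. The secret is the RFC test-vector key, not a real one.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP as used for exchange 2FA codes.

Added example, not the original post's code and not any exchange's
implementation. The secret below is the RFC test-vector key, not a real one.
"""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, unix_time, step=30, digits=6):
    """Time-based code: HOTP over the current 30-second window."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, window=1, step=30, digits=6):
    """Server-side check that accepts +/- `window` steps of clock drift.

    Uses a constant-time comparison so response timing does not leak
    which digits of the submitted code were right.
    """
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET, now)
    print("current code:", code)
    print("verifies:", verify_totp(TEST_SECRET, code, now))
```

The phone and the exchange both hold the secret and both know the time, so a stolen password alone produces no valid code, and a captured code is useless after its 30-second window.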
Okay, that's it for now. If you found this post helpful feel free to send me some BTC or ETH!