Crypto Security UK: A Practical Checklist for Non-Custodial Holders

A clear, step-by-step security checklist for UK crypto holders: accounts, devices, wallets, backups, and scam defences — without giving anyone your keys.

Reducing single points of failure

Crypto security is mostly about reducing single points of failure. The goal is simple: protect your keys, protect the accounts around your keys (email, cloud, SIM), and build a recovery path that works when you're stressed. This checklist is designed for UK holders using a non-custodial setup — you control keys; no one else holds them. For a structured approach to crypto security, start with the fundamentals below.

1. Secure the accounts that can reset everything

If an attacker controls your email, they can often reset exchange logins, drain accounts, or intercept recovery steps. Turn on 2-step verification (2SV) for your email and any exchange accounts. Use a password manager (or browser password manager) and unique passwords. Remove old recovery emails or phone numbers you no longer control. The UK National Cyber Security Centre (NCSC) recommends 2SV and password managers as foundational steps.

2. Treat your phone number as a target (SIM-swap risk)

Many crypto losses start with a stolen phone number. In a SIM swap, an attacker persuades your mobile provider (or a dishonest employee) to move your number to a SIM they control, after which your SMS codes and verification calls go to them. Ask your provider what extra protections it offers (account PIN, port-out freeze, in-store ID requirements). Prefer app-based 2SV or a hardware security key where possible, not SMS, and where a service lets you, remove the phone number as a recovery or fallback sign-in option: an attacker who holds the number can often use it even if you never use SMS codes yourself. Keep your most important security controls tied to an email account protected with strong 2SV.

3. Separate spending from savings

Most people only need a small hot balance. Keep a spending wallet on your phone with only what you expect to use in the short term, and keep savings in a hardware wallet (cold storage) with stronger backup controls. If your phone is lost or compromised, the loss is then capped at the spending balance rather than everything you hold.

4. Hardware wallet basics (cold storage)

A hardware wallet helps, but only if you handle setup and backups correctly. Buy direct from the manufacturer or a trusted retailer, never second-hand, and reject any device that arrives already set up or with a recovery phrase printed in the box: the device should generate a fresh phrase on its own screen when you initialise it. Verify addresses and transaction details on the device's screen, not only in the companion app on your computer, because the computer may be compromised. Never type your recovery phrase into a website, app, or 'support' form; the device itself, during a restore, is the only place it should ever be entered. If anyone asks for your recovery phrase, it is almost certainly a scam. Ledger's guidance is explicit: never share the recovery phrase, and beware phishing attempts pretending to be support.

5. Recovery phrase and backups (avoid single points of failure)

Your recovery phrase is the master key: anyone who has it has your funds, and without it a lost or broken device cannot be restored. Plan for fire, flood, and theft. Keep a primary backup in a secure home location and a second complete copy in a separate secure location (not 'both in the same drawer'). Store full copies, not halves: splitting one phrase across two places means losing either half loses everything, which adds a single point of failure instead of removing one. Do not photograph the phrase or store it in email, cloud notes, or a password manager; that turns an offline secret into an online one. Check each copy word by word against the device before relying on it. Create clear instructions for whoever may need to recover the wallet that do not reveal the phrase itself.

6. Anti-phishing habits that actually work

Most phishing succeeds because it manufactures urgency. Use bookmarks for key services (exchanges, wallet downloads) and reach them from the bookmark, not from a link in a message or a search result. Check the full domain before you sign in: 'example-exchange.com.verify-login.net' is not example-exchange.com, and a page's logo proves nothing. Slow down when you're asked to 'verify' or 'restore' anything. Treat 'we detected suspicious activity' messages as untrusted until verified through official channels, meaning the app or the bookmarked site, not the contact details in the message.
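The domain check described above, written out as an added example (this is not code from the original page or from Bitzo). The allowlist TRUSTED_HOSTS and every sample link are constructed for illustration; replace the allowlist with the exact hostnames you have actually bookmarked. The point it shows is that only an exact hostname match counts, and that the usual tricks (the real name embedded in a longer hostname, credentials before an '@', plain http, punycode or mixed-script lookalikes) each fail for a stated reason.

```python
"""Added example (not from the original page): a bookmark-style allowlist check
for links before you act on them.

TRUSTED_HOSTS and every sample link are constructed for illustration; replace
the allowlist with the exact hostnames you have bookmarked.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Hypothetical allowlist: the exact hostnames of the services you bookmarked.
TRUSTED_HOSTS = frozenset({"exchange.example", "wallet-vendor.example"})


def check_link(url: str, trusted: frozenset[str] = TRUSTED_HOSTS) -> tuple[bool, str]:
    """Return (trusted, reason) for one URL.

    Only an https link whose hostname is exactly a bookmarked host passes.
    Everything else is rejected with a reason that names the trick used.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL ({exc})"
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    if parts.scheme != "https":
        return False, f"not https (scheme {parts.scheme or 'missing'})"
    if parts.username is not None:
        # https://exchange.example@evil.example/ -> the browser goes to evil.example
        return False, f"credentials before '@'; real host is {host}"
    if not host:
        return False, "no hostname"
    if not host.isascii():
        # e.g. Cyrillic 'a' in place of Latin 'a' (homoglyph domain)
        return False, f"non-ASCII hostname {host!r}; possible lookalike"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"punycode hostname {host}; possible lookalike"
    if host in trusted:
        return True, f"exact match for bookmarked host {host}"
    for good in trusted:
        if host.endswith("." + good):
            # login.exchange.example belongs to the same registrant, but it is
            # not the bookmark itself, so it still needs a conscious decision.
            return False, f"subdomain of {good}, not the bookmarked host"
        if host.startswith(good + ".") or ("." + good + ".") in host:
            # exchange.example.verify-login.net: the registered domain is the
            # rightmost part, and it is not exchange.example.
            return False, f"'{good}' embedded in {host}; registered domain differs"
    return False, f"{host} is not a bookmarked host"


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing messages.
    for link in [
        "https://exchange.example/login",
        "https://exchange.example.verify-login.net/restore",
        "https://exchange.example@evil.example/",
        "http://exchange.example/",
        "https://xn--exchnge-1ya.example/",
        "https://login.exchange.example/",
    ]:
        ok, why = check_link(link)
        print("OK  " if ok else "STOP", link, "-", why)
```

Subdomains are deliberately reported as not trusted rather than silently accepted: a real subdomain of your exchange may be fine, but the decision should be yours, made while you are not under pressure.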

7. Build a recovery plan that doesn't require you to be alive tomorrow

Security without recovery is fragile. Decide who should be able to help (partner, executor, professional adviser). Create a documented process so recovery doesn't depend on memory. Keep the recovery plan separate from the keys. Bitzo's approach is to coordinate a documented, verified recovery process while you remain non-custodial. See our crypto security page, inheritance planning, or how it works.

Quick checklist

Email protected with 2SV.
Password manager in use with unique passwords.
SIM swap protections enabled with provider.
Spending vs savings separated.
Hardware wallet initialised safely.
Recovery phrase stored offline with a complete duplicate in a second location.
Bookmark critical sites and slow down on urgent prompts.
Written recovery process created.

Frequently Asked Questions

Is a hardware wallet enough?

A hardware wallet is a strong foundation, but it's only as secure as your backup strategy and the accounts around it. If your email is compromised, an attacker may still intercept recovery processes or phish you.

Is SMS 2FA safe?

SMS 2FA is better than nothing, but it is vulnerable to SIM-swap attacks, because the code is delivered through the phone network to whoever currently holds your number. App-based 2FA (such as Google Authenticator or Authy) is more resistant: the app computes each code on your device from a secret shared at enrolment and the current time, so nothing is sent over the network for an attacker to intercept. One caveat: a phishing page can still relay a freshly typed app code to the real site in real time, so app-based codes do not replace the bookmark and domain checks above; where a service supports hardware security keys (FIDO2/WebAuthn), those resist that relay as well, because the key only answers for the genuine domain.

What's the biggest single point of failure?

Often it's your primary email account. If someone controls your email, they can reset passwords, intercept recovery codes, and gain access to exchanges and other services.

How do I protect against phishing?

Use bookmarks for critical sites, never click links in unsolicited messages, and always slow down when asked to take urgent action. Verify through official channels, not through the message itself.

How should families approach recovery?

Create a documented process that doesn't require technical knowledge. Define who should be contacted, what steps to follow, and where to find (but not expose) backup information. Consider a professional coordination service.

Can Bitzo access my crypto?

No. Bitzo never holds keys, never requests seed phrases, and never has custody of your assets. We coordinate verification and documentation processes while you remain in full control.

Ready to plan your crypto inheritance?

Speak to our UK-based team about your situation. No obligation, no pressure.
