Wallet hygiene is the top priority when getting into cryptocurrency and NFTs. This is important because there are many bad actors out there who are looking to hack or steal your digital assets away from you.
The main thing to note is that wallet apps such as MetaMask and Rainbow do not hold your assets themselves; they only connect to your wallet using the seed phrase or the private key. MetaMask is therefore not your wallet: your seed phrase is, and you should never, under any circumstances, share that phrase with anyone.
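To make the point concrete, here is an added example (mine, not code from the post or from MetaMask/Rainbow) showing what a wallet app actually does with the words you type in: BIP39 turns the phrase into a 64-byte seed with PBKDF2-HMAC-SHA512, and BIP32 turns that seed into the master private key from which every address is derived. Any app, or anyone, given the same phrase arrives at byte-identical keys, which is why the phrase is the wallet. The sample phrase is the all-"abandon" test vector published in the BIP39 spec for testing only; the function names are my own.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: the all-"abandon" phrase is the first BIP39 test vector,
# published in the spec purely for testing. Never hold assets on it.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: the 64-byte wallet seed is PBKDF2-HMAC-SHA512 over the NFKD-normalised
    words, 2048 rounds, salted with the string "mnemonic" plus the optional passphrase.
    Nothing here talks to a server: the words alone are the key material."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple:
    """BIP32: HMAC-SHA512 keyed with the literal "Bitcoin seed". The left 32 bytes are
    the master private key, the right 32 bytes the chain code that all child keys
    (and therefore all your addresses) are derived from. BIP32 also rejects a left
    half that is zero or not below the secp256k1 order; that check is omitted here
    because it is astronomically unlikely to trigger."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def master_key_hex(mnemonic: str, passphrase: str = "") -> str:
    """What any wallet app ends up holding after you type the phrase into it.
    The same phrase gives the same key in every app; an added passphrase
    (the so-called 25th word) gives a completely different wallet."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    master_priv, _chain_code = seed_to_master_key(seed)
    return master_priv.hex()


if __name__ == "__main__":
    print("seed (TREZOR passphrase):", mnemonic_to_seed(SAMPLE_MNEMONIC, "TREZOR").hex())
    print("master private key:", master_key_hex(SAMPLE_MNEMONIC))
    print("same phrase, passphrase 'x':", master_key_hex(SAMPLE_MNEMONIC, "x"))
```

Run it and note that the seed printed for the "TREZOR" passphrase matches the value in the BIP39 specification's test vectors; that is the whole trust model in one line: whoever has the words can reproduce this computation, so the words must never leave physical storage.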
Here are some tips, tricks, and general habits to take your wallet security protocol to a whole new level and provide the best possible protection to your digital assets residing on your digital wallet.
Getting started
When creating a wallet for the first time, write your seed phrase down in physical form, and never store it in a digital format. Protect this seed phrase: it is the access code that grants complete control over everything you have.
Make sure you wrote your seed phrase down correctly, and perform a wallet recovery exercise just to be sure you have the right words: reset the wallet and try importing it again.
Now that you're sure, make extra copies and store them in secure locations only you know about. You can go as far as splitting the seed in two and storing each part in a different place (e.g. safety deposit boxes at two different banks), so that if one location burns down and is destroyed, you'll still be able to recover your assets.
There are three ways someone can externally access your wallet and gain full control of it: the seed phrase, the private key, and the private key QR code. All three are found in your MetaMask settings, and you should never share them with anyone, not even if Garyvee sends you a DM asking for them so he can send you something.
The most common mistakes people make when storing their seed phrase include taking a screenshot, saving it in a notes app, keeping it in a text file on the desktop, or putting it in a password manager.
See Rule #1: never store your seed in digital form, and assume your wallet can and will be compromised at any point.
You will eventually have multiple wallets, and it is worth considering a wallet you use exclusively with the MetaMask extension. The MetaMask extension is the least safe of all the options, not due to the extension itself, but because of how exposed it is to attacks from hackers and scammers.
Second, you should have a main wallet, such as Rainbow, that's not connected to the extension at all. This is the wallet you use on a daily basis and where you store most of your assets. (You can import your MetaMask wallet here as well, but don't import your Rainbow wallet into the extension.)
Finally, you should have a vault: your hardware wallet(s), completely off the grid, offline, and never fully imported or synced into any app or extension, or it defeats the purpose.
This wallet, ideally, will only be used to receive and not to send, and you can import it into Rainbow in watch mode. Enable 2FA on all accounts that support it, using something like Google Authenticator or Authy.
For added security, you can incorporate a second hardware wallet to sync with MetaMask and require every transaction to be approved on the physical device.
I know that's a lot of wallets, but trust me, the more scattered your assets, the safer they are online. It's worth the effort if you're looking to get into the space seriously.
Hardware Wallets
If you’re getting serious about crypto and NFTs, you should definitely invest in a Hardware wallet to store your most valuable assets and keep them offline.
Think of it as keeping your eggs in different baskets: if one of your wallets were compromised, the attacker would not have access to all your funds. Hardware wallets also have seed phrases, and these too should be written down and stored in physical form.
Make sure you get your Ledger wallet from its official site. Never buy on Amazon or secondary markets just for a 5-10% discount.
Attackers have been known to list compromised wallets on Amazon or secondary markets and wait for them to be resold to customers, whose assets are later stolen. Always use the official website and bookmark it.
Staying away from scammers
All these security measures ultimately depend on the human brain, and humans are prone to error. So it's really important to learn the techniques scammers and hackers use: read up on other people's scam stories and learn from them. The more prepared you are, the harder it is to make you fall for them.
There are two main platforms where scammers find their targets: Twitter and Discord. They will often pose as customer support and talk you into sharing your seed phrase. Some scammers might even talk you into going to your settings and exposing your private key QR code.
It is also common for scammers to pretend to be a captcha bot that requires some input to "verify" your identity, to lure you into clicking random links.
Sometimes, scammers pose as MetaMask support and tell victims that they have not verified their wallets. These scammers then send a link (or a Google Form) that looks very similar to the original, and victims are asked to "verify" their wallets, which ends with them revealing their seed phrase.
Remember, Discord and Twitter scammers can and will impersonate anybody, including NFT influencers, project founders, project moderators, celebrities and developers. Always make sure you are interacting with the real, official account.
A key tip here: customer support will never DM you. Always make sure you are in the right Discord, and always double-check that you're talking to the real person. If you need help, contact the Discord's admins directly, and do not click on random links sent to you.
Other tips
1. Never share your seed phrase or private key with anyone. Paper can get wet or burn; if you want an extra layer of security, try a metal solution like Cryptosteel or Blockplate. These things are fire, rust, water and probably nuclear resistant. You might want to research a bit.
2. OpenSea, Uniswap, Ledger or any other accounts will never ask for your seed phrase. Make sure you are interacting with the official sites/apps and bookmark them. Many people have been scammed by connecting their wallet to a fake OpenSea site and giving their seed phrase to "connect".
3. Never click on random links. This one is easy: someone sends you a link? Don't click it. You'll end up on a site that's going to ask for your seed, and your wallet will be compromised.
4. Never download and/or open strange files. Hackers will send a file (usually an .exe) that you'll have to download and open. After that, they'll have access to all the files on your computer, including that seed phrase on your desktop.
5. Get in the habit of performing a wallet security audit. Basically, just practice the steps of recovering your wallet so you don't forget how it's done and, more importantly, to make sure your system is working. I sometimes delete my wallet, download Rainbow again, go looking for my seed and import the wallet again, just making sure everything is working smoothly, like the fire drills we did back in school.
I'm sure there are more useful tips, tricks and hacks that I'm forgetting or am just not aware of, but by following the advice above you'll be more secure than most folks in the crypto world and, more importantly, it will be harder to hack or scam you, because you're prepared and educated.
But this is not all: I suggest you keep learning about security and wallet hygiene, ask others in the community how they handle their security, learn from other scam stories and keep developing your knowledge.
Featured Image Credit: Hacker Noon