Cybercrime is an ever-present threat in the digital world. Wallet scams are often the most common and damaging, leaving victims financially and emotionally vulnerable. Fortunately, there are steps you can take to protect yourself from becoming a victim of cybercrime. By understanding the actions you can take ahead of time, you can better shield yourself from potential losses and preserve your peace of mind. Here are my top eight tips for securing your digital life in web3.
Securing online accounts with strong and unique passwords is number one. Passwords leak online via data breaches or can usually be easily guessed by hackers.
Unfortunately, keeping track of all these passwords can be a challenge. That is where a quality password manager comes in. A password manager can help you create strong and unique passwords for each account and store them in one place, secured by your single master password. This way, you only need to remember one password and never have to worry about forgetting passwords or using the same password for multiple accounts again.
Use a quality password manager.
Two-factor authentication (2FA) adds an additional security layer to your digital life. With hackers running rampant, two-factor authentication (2FA) is a must. SMS-based (text message) 2FA is still a popular method of authentication, but it is vulnerable to SIM swap attacks. App-based 2FA is a more secure solution. Finally, using a physical security key for 2FA offers the ultimate protection.
In recent years, scammers have found an easy way to target unsuspecting victims through sponsored Google search ads. Using these ads, they trick people looking for legitimate websites, directing them instead to fake versions of those sites to steal their wallet contents. Protect yourself by bookmarking the legitimate version; then navigate to the site via the bookmark rather than using search.
The wallet Address Book is the web3 equivalent of a bookmark, it allows people to save approved addresses with a human-readable name. Later, when sending a transaction, they can (re)check the address before proceeding. Copycat sites with fake contracts will appear in the wallet as a 0x.... address and not as the named address that got saved earlier. This way, you can ensure that you only interact with addresses and contracts you know about and protect yourself from malicious smart contracts. Don't trust, verify!
One of the best things you can do to keep your cryptocurrency safe is to use a browser extension like Pocket Universe, Revoke.Cash, Fire, and/or Stelo. These extensions are designed to help protect users from malicious activity by decoding transactions ahead of time to provide real-time warnings about what the transaction is about to do in plain English. With the help of these extensions, you can have peace of mind knowing that your wallet is secure and that you're fully aware of its activity at all times. Know before you FOMO.
I know what you're thinking now, "Well, I just won't sign any transactions then!" You can do that, but you won't get much done in web3 and it won't protect you from all scams either.
Even gasless message signatures can result in your wallet getting drained if you have infinite approvals on erc20s or have already given OpenSea approval to sell your NFTs. Little known fact, OpenSea uses the setApprovalForAll method, which means that when you allow OpenSea to list an item for sale on your behalf, it can do that for ALL assets from that collection (contract).
This is how the recent Kevin Rose hack happened, he already had approved those assets for sale; one gasless signature later, oops! OpenSea accepted the hacker’s 0 ETH offers for his NFTs.
Revoke infinite approvals using revoke.cash or etherscan.io/tokenapprovalchecker to protect yourself from this exploit.
The single best practice a user can do is to maintain the separation of their assets by purpose into different wallets. Basically, as more money gets stored in a single wallet, you should be extra cautious and restrict what you use that address for.
High-value assets ("blue-chips") and large amounts of crypto should be kept in a hardware wallet, a VAULT account that is not directly connected to the internet. This is the least-accessed account, think of it as your safety-deposit box at the bank.
Your day-to-day funds can be kept in an operational wallet, a separate internet-connected account that you use to interact with trusted entities, be they dapps, exchanges, or people.
Finally, you want to have a third, risky "degen" wallet. This is the condom for all your other assets, preventing those untested NFT minting contracts, those unsafe airdrops, etc. from putting the rest of your money at risk. If you interact with the wrong contract and lose ALL the funds in this account, it shouldn't hurt too bad because your funds are elsewhere.... they are elsewhere, right? :|
Tools like Delegate.cash and Warm.xyz allow proving ownership of vault-stored NFTs at a different registered wallet. This means you can safely connect your vault and degen wallets via a read-only connection. This is essential when meeting conditions to claim airdrops and mint NFTs. Scammers use those carrots to get people to connect their wallets and then drain them. With delegated ownership, you can prove you meet requirements indirectly and use a degen hot wallet to mint while keeping your high-value NFTs in a separate wallet.
Take the Bankless Academy security lesson to earn a non-transferrable NFT proving your understanding.
iSpeakNerd is an educator, wordsmith, and DAO techie at Collab.Land. He does community education, documentation, UX, IT, security research, and helps with Operations and tooling for multiple DAOs. His background is in physical science and education.
This article was originally published on iSpeakNerd's Mirror.
Over 400 subscribers
As a rookie, some topics I find it hard to get started with: 1. How to bridge (especially to degen L3, but also DEX recommendations for other stuff) 2. How to store crypto (hot wallet or hardware wallet, which one?) 3. Storing keys and seed phrases 4. As a FC new user, load eth on OP / Base? Help appreciated!
Have been reading online but what do the veterans of FBI do? Would love to know.
Great questions! I am writing a detailed thread on this here today.
great qs 333 $DEGEN 1 - info is on degen.tips 4 - dont understand what you're asking 2,3 - check out my security article Top Tips for Securing your Digital Life 🔐 https://paragraph.xyz/@ispeaknerd.eth/personal-security-for-web3-and-beyond?referrer=0x3eEFAa9d6e2ab7972C1001D41C82BB4881389257
honestly, how to bridge has been my biggest problem. Debridge is reliable but if you have most of your crypto on chains like solana - there is no direct route to bridge to base. Bridging from polygon to base is easy on debridge though.
What I did for Solana to Base: Swapped to USDC on Solana, bridged using wormhole to ETH, then bungee exchange to Base. Not easy at all.
Omg yes I tried this and instantly was sick of it haha
Hardware wallets are useful once you’ve crossed a certain small milestone (like for me personally it’s like $1500/2000$). Storing key phrases in a trusty password manager (like proton pass) And I usually load ETH on base.
Keep your stuff secure folks I've been moving to 1password OTP progressively for a while, don't leave yourself vuln to sim swaps
Shameless self-plug, check tip 8 https://paragraph.xyz/@ispeaknerd.eth/personal-security-for-web3-and-beyond
Sorry, frame not working, here's the relevant section