0xNerdery

Personal security foundations for web3 and beyond

Top tips for protecting your self-sovereign assets and identity

iSpeakNerd

Cybercrime is an ever-present threat in the digital world. Wallet scams are often the most common and damaging, leaving victims financially and emotionally vulnerable. Fortunately, there are steps you can take to protect yourself from becoming a victim of cybercrime. By understanding the actions you can take ahead of time, you can better shield yourself from potential losses and preserve your peace of mind. Here are my top eight tips for securing your digital life in web3.

Basic Security

1. Use a quality password manager

Securing online accounts with strong and unique passwords is number one. Passwords leak online through data breaches, and weak or reused ones are easily guessed by hackers.

Unfortunately, keeping track of all these passwords can be a challenge. That is where a quality password manager comes in. A password manager can help you create strong and unique passwords for each account and store them in one place, secured by your single master password. This way, you only need to remember one password and never have to worry about forgetting passwords or using the same password for multiple accounts again.

Use a quality password manager.

2. Use 2FA everywhere possible

Two-factor authentication (2FA) adds a second security layer to your digital life and, with hackers running rampant, it is a must. SMS-based (text message) 2FA is still a popular method, but it is vulnerable to SIM swap attacks. App-based 2FA (an authenticator app) is a more secure option. Finally, a physical security key used for 2FA offers the strongest protection.

[post image by @iSpeakNerd]

Avoid copycat sites + addresses

3. Bookmark sites

In recent years, scammers have found an easy way to target unsuspecting victims through sponsored Google search ads. Using these ads, they trick people looking for legitimate websites, directing them instead to fake versions of those sites to steal their wallet contents. Protect yourself by bookmarking the legitimate version; then navigate to the site via the bookmark rather than using search.

4. Use the Address Book

The wallet Address Book is the web3 equivalent of a bookmark: it lets you save approved addresses under a human-readable name. Later, when sending a transaction, you can re-check the address before proceeding. Copycat sites with fake contracts show up in the wallet as a bare 0x.... address rather than the named entry you saved earlier. This way you only interact with addresses and contracts you already know, which protects you from malicious smart contracts. Don't trust, verify!


web3 security

5. Install wallet warning browser extensions

One of the best things you can do to keep your cryptocurrency safe is to use a browser extension such as Pocket Universe, Revoke.Cash, Fire, and/or Stelo. These extensions decode a transaction before you sign it and give you a real-time, plain-English warning about what it is about to do. With their help, you can have peace of mind knowing that your wallet is secure and that you are fully aware of its activity at all times. Know before you FOMO.

6. Revoke infinite approvals

I know what you're thinking now, "Well, I just won't sign any transactions then!" You can do that, but you won't get much done in web3 and it won't protect you from all scams either.

Even gasless message signatures can result in your wallet being drained if you have infinite approvals on ERC-20 tokens or have already given OpenSea approval to sell your NFTs. Little-known fact: OpenSea uses the setApprovalForAll method, which means that when you allow OpenSea to list one item for sale on your behalf, it gets that permission for ALL assets from that collection (contract).

This is how the recent Kevin Rose hack happened: he had already approved those assets for sale; one gasless signature later, oops! OpenSea accepted the hacker's 0 ETH offers for his NFTs.

Revoke infinite approvals using revoke.cash or etherscan.io/tokenapprovalchecker to protect yourself from this exploit.
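As an added example (not code from the original post, nor from any of the tools it names), here is a small classifier for the approval events behind tips 4 and 6: it reads ERC-20 `Approval` and ERC-721/1155 `ApprovalForAll` logs in the `eth_getLogs` shape, checks the spender against a saved address book, and flags unlimited allowances and whole-collection operator approvals as the ones worth revoking. The event signature hashes are the standard ones; every address, the "infinite" threshold, and the sample logs are constructed assumptions.

```javascript
// Added example (not from the original post); sample addresses and logs are constructed.
// keccak256 of the canonical event signatures (standard ERC-20 / ERC-721 values).
const TOPIC_APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"; // Approval(address,address,uint256)
const TOPIC_APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"; // ApprovalForAll(address,address,bool)
// Heuristic chosen for this example: an allowance at or above 2^255 counts as "infinite".
const UNLIMITED_FLOOR = 1n << 255n;

// Indexed address arguments arrive as 32-byte topics, left-padded with zeros.
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

// Classify one log. `addressBook` is the set of spenders/operators the user saved
// deliberately (tip 4); an approval to an address outside it deserves a second look.
function classifyApproval(log, addressBook = new Set()) {
  const [sig, ownerTopic, spenderTopic] = log.topics;
  const spender = topicToAddress(spenderTopic);
  const value = BigInt(log.data); // uint256 allowance, or 0/1 for the bool
  const base = { owner: topicToAddress(ownerTopic), spender, contract: log.address,
                 inAddressBook: addressBook.has(spender), value };
  if (sig === TOPIC_APPROVAL) {
    if (value === 0n) return { ...base, kind: "erc20-allowance", risk: "none", reason: "allowance revoked" };
    if (value >= UNLIMITED_FLOOR) return { ...base, kind: "erc20-allowance", risk: "high", reason: "unlimited allowance" };
    return { ...base, kind: "erc20-allowance", risk: "low", reason: "bounded allowance" };
  }
  if (sig === TOPIC_APPROVAL_FOR_ALL) {
    if (value === 0n) return { ...base, kind: "nft-operator", risk: "none", reason: "operator revoked" };
    // setApprovalForAll lets the operator move every token of the collection, so a later gasless signature can drain all of them.
    return { ...base, kind: "nft-operator", risk: "high", reason: "operator approved for whole collection" };
  }
  return null; // not an approval event
}

// Everything the owner should consider revoking via revoke.cash or Etherscan.
function auditApprovals(logs, addressBook) {
  return logs.map((l) => classifyApproval(l, addressBook)).filter((f) => f && f.risk === "high");
}

// Constructed sample: one owner, a DEX router allowance and a marketplace operator.
const OWNER = "0x1111111111111111111111111111111111111111";
const DEX = "0x2222222222222222222222222222222222222222";
const MARKET = "0x3333333333333333333333333333333333333333";
const TOKEN = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const NFT = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const pad = (addr) => "0x" + addr.slice(2).padStart(64, "0"); // address -> 32-byte topic
const SAMPLE_LOGS = [
  { address: TOKEN, topics: [TOPIC_APPROVAL, pad(OWNER), pad(DEX)], data: "0x" + "f".repeat(64) }, // 2^256-1
  { address: TOKEN, topics: [TOPIC_APPROVAL, pad(OWNER), pad(DEX)], data: "0x" + "3635c9adc5dea00000".padStart(64, "0") }, // 1000e18
  { address: NFT, topics: [TOPIC_APPROVAL_FOR_ALL, pad(OWNER), pad(MARKET)], data: "0x" + "1".padStart(64, "0") }, // true
  { address: NFT, topics: [TOPIC_APPROVAL_FOR_ALL, pad(OWNER), pad(MARKET)], data: "0x" + "0".repeat(64) }, // false
];
console.log(auditApprovals(SAMPLE_LOGS, new Set([DEX])));
```

Note that the DEX allowance is flagged even though the DEX is in the address book: a trusted spender with an unlimited allowance is exactly the setup tip 6 describes.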

7. Maintain assets in "wallet silos"

The single best practice is to separate your assets by purpose into different wallets. Basically, the more money is stored in a single wallet, the more cautious you should be and the more you should restrict what you use that address for.

[post image by @BowTiedPickle]

High-value assets ("blue chips") and large amounts of crypto should be kept in a hardware wallet: a VAULT account that is not directly connected to the internet. This is the least-accessed account; think of it as your safety-deposit box at the bank.

Your day-to-day funds can be kept in an operational wallet: a separate, internet-connected account that you use to interact with trusted entities, be they dapps, exchanges, or people.

Finally, you want a third, risky "degen" wallet. This is the condom for all your other assets, preventing those untested NFT minting contracts, those unsafe airdrops, etc. from putting the rest of your money at risk. If you interact with the wrong contract and lose ALL the funds in this account, it shouldn't hurt too badly because your funds are elsewhere.... they are elsewhere, right? :|

8. Delegate provable ownership

Tools like Delegate.cash and Warm.xyz let you prove ownership of vault-stored NFTs from a different, registered wallet. This means you can safely link your vault and degen wallets via a read-only connection, which is essential when you need to meet conditions to claim airdrops or mint NFTs. Scammers use those carrots to get people to connect their wallets and then drain them. With delegated ownership, you prove you meet the requirements indirectly and mint from a degen hot wallet while your high-value NFTs stay in a separate wallet.


Extra

Take the Bankless Academy security lesson to earn a non-transferable NFT proving your understanding.


Notes

iSpeakNerd is an educator, wordsmith, and DAO techie at Collab.Land. He does community education, documentation, UX, IT, security research, and helps with Operations and tooling for multiple DAOs. His background is in physical science and education.

This article was originally published on iSpeakNerd's Mirror.


Sage
Commented 11 months ago

As a rookie, some topics I find it hard to get started with:
1. How to bridge (especially to degen L3, but also DEX recommendations for other stuff)
2. How to store crypto (hot wallet or hardware wallet, which one?)
3. Storing keys and seed phrases
4. As a FC new user, load eth on OP / Base?
Help appreciated!

Sage
Commented 11 months ago

Have been reading online but what do the veterans of FBI do? Would love to know.

Kunal 👑🎩
Commented 11 months ago

Great questions! I am writing a detailed thread on this here today.

iSpeakNerd 🧙‍♂️
Commented 10 months ago

great qs 333 $DEGEN
1 - info is on degen.tips
4 - don't understand what you're asking
2,3 - check out my security article Top Tips for Securing your Digital Life 🔐 https://paragraph.xyz/@ispeaknerd.eth/personal-security-for-web3-and-beyond?referrer=0x3eEFAa9d6e2ab7972C1001D41C82BB4881389257

Sumedha 🎩
Commented 11 months ago

honestly, how to bridge has been my biggest problem. Debridge is reliable, but if you have most of your crypto on chains like Solana, there is no direct route to bridge to Base. Bridging from Polygon to Base is easy on Debridge though.

Sage
Commented 11 months ago

What I did for Solana to Base: Swapped to USDC on Solana, bridged using wormhole to ETH, then bungee exchange to Base. Not easy at all.

Sumedha 🎩
Commented 11 months ago

Omg yes I tried this and instantly was sick of it haha

Sumedha 🎩
Commented 11 months ago

Hardware wallets are useful once you've crossed a certain small milestone (like for me personally it's like $1500/2000$). Storing key phrases in a trusty password manager (like Proton Pass). And I usually load ETH on Base.

iSpeakNerd 🧙‍♂️
Commented 11 months ago

Keep your stuff secure, folks. I've been moving to 1password OTP progressively for a while; don't leave yourself vuln to sim swaps

Jordan 🦊
Commented 1 year ago

Do you use the same SRP on your phone as you do on desktop? I'm thinking my personal optimal wallet setup might be to have three separate SRPs:
- Mobile hot wallet
- Desktop hot wallet
- Cold storage
Though I imagine many people combine mobile/desktop hot wallet into one SRP.

iSpeakNerd 🧙‍♂️
Commented 1 year ago

SRP?

iSpeakNerd 🧙‍♂️
Commented 1 year ago

- Degen wallet
- Daily driver - shared bw mobile/desktop
- Cold storage

Jordan 🦊
Commented 1 year ago

is your degen wallet also mobile/desktop?

iSpeakNerd 🧙‍♂️
Commented 1 year ago

Tbh, bad opsec left over from my early days: daily driver and degen are the same SRP, and desktop/mobile shared

Jordan 🦊
Commented 1 year ago

resolve that before you regret it! At a very minimum, make sure you're not keeping too many valuable funds/NFTs on that SRP. At best, sit down for a day and start fresh with new SRPs/wallets/backups.

KP
Commented 1 year ago

I have 4.
- desktop (for development) (flask)
- laptop (personal)
- mobile
- cold

fredwilson
Commented 1 year ago

Hi Casters. I got scammed and lost a bunch of NFTs a few weeks ago. I posted about the experience and the valuable lessons I learned from it https://avc.mirror.xyz/VUu7-BOTlH2J-qF9SctXr17CLBFx9Xu5xr6sACXehr8

timdaub
Commented 1 year ago

omg nooo, did they also remove your Kiwi News NFT?

fredwilson
Commented 1 year ago

Don't think so

timdaub
Commented 1 year ago

justin.ahn.eth
Commented 1 year ago

asking the real questions 🥝

df
Commented 1 year ago

lol no they burned that one 😂

timdaub
Commented 1 year ago

@fredwilson.eth liked that, ok 😂😭

timdaub
Commented 1 year ago

Anyways, I'll have you know that the posting rights on Kiwi go to the minter of the NFT, and it stays that way wherever you send the NFT 😇

Mac Budkowski ᵏ
Commented 1 year ago

Sad to hear that, thanks for sharing your lessons learned. For minting via hot wallet I highly recommend delegate.cash

dustmrtn
Commented 1 year ago

scammers must be banned! sorry to hear that 🥹

petar.xyz
Commented 1 year ago

Oh dear… I guess you’re one of us now. I got scammed last November and lost all my crypto and NFTs. Hard lessons learned.

Connor McCormick ☀️
Commented 1 year ago

what was the scam?

petar.xyz
Commented 1 year ago

I got socially engineered to download a file on my laptop which granted the scammer access to it without me noticing anything. Then, I guess the scammer exported my private keys from MetaMask and drained all my wallets.

itai (building dynamic.xyz)
Commented 1 year ago

Really sorry to hear that. Probably not helpful at this point, but I found Zengo's pro offering (https://zengo.com/pro/) pretty compelling for added security.

sonso.eth
Commented 1 year ago

Thank you for sharing, this is a very good reminder about best practices, and I am happy to hear that many NFTs are now back in your possession

bennet
Commented 1 year ago

sorry this happened - appreciate you sharing lessons learned

tian7
Commented 1 year ago

Be careful, and sorry to hear your story. I hope your suffering can lead to a bull market

czar
Commented 1 year ago

So it was Coinbase Wallet. Any CB folks here can comment on whether changes are coming? As it is, messages are unusable. Ability to whitelist addresses, and keep everything else in Other, could be a good start. https://warpcast.com/czar/0xec9e5f

WNX
Commented 1 year ago

Sorry to hear that 🙏🏼

mk
Commented 1 year ago

I’m really sorry to hear that, Fred. Thank you for sharing. In the not too distant future, imo devices should have a local LLM that can analyze and warn you of potential scams in all apps.

Jorge
Commented 1 year ago

There are good tools already available. For example, all @safe transactions are scanned by Redefine for potential threats. https://safe.mirror.xyz/rInLWZwD_sf7enjoFerj6FIzCYmVMGrrV8Nhg4THdwI

memes4airdrop
Commented 1 year ago

Solid write up, thanks for sharing. Sorry you had to go through any of it. But yeah... Everyone with significant holdings should vault them up, pronto. These scams won't get any less convincing, prevalent, or pernicious with the help of AI. Vault. Your. Shit. Folks.

Ryan Lackey
Commented 1 year ago

Ouch. We are trying to solve some of these problems (Evertas, insurance); I got scammed for one NFT once and it was somewhat embarrassing too on top of the $30 loss.

Ryan Lackey
Commented 1 year ago

Kind of timely to post this here since right now there is a compromise of @dwr.eth twitter account running a similar scam against innocent victims. I tried contacting him and can’t get to him.

emma
Commented 1 year ago

oh no! so sorry that happened to you

sisk
Commented 1 year ago

Very nice of you to thank the thief at the end.

Renjith Nair
Commented 1 year ago

So sorry to hear that. Thank you for sharing

db
Commented 1 year ago

Oh that sucks…

CBobRobison
Commented 1 year ago

I fell for the same attack, almost the same day. They stole my most valuable NFTs as well, including my CryptoPunk. I was able to buy it back. I'm currently putting together an analysis that I'll be presenting at https://cryptoconsortium.org/ Honestly, the mechanisms they used were extremely clever. It was impressive