The vast majority of attacks in Web3 are of the phishing/social engineering variety, not a rootkit worm getting full access to the contents of your hard disk & memory.
Here are a few instances of real-world attacks:
In the following case, the victim (the author of the tweet) enters his seed phrase into a form claiming to be an airdrop for Olympus DAO, after seeing a notification pop up on Discord:
Engaging in a screen sharing session with a scammer:
Signing a malicious API message:
A scammer claims an NFT trading contract doesn’t work and sends the victim to a phishing site that looks similar:
A scammer reaches out in a private direct message on Discord, pretending to be an admin:
Spend a few minutes on any of these threads, and you will inevitably find a well-intentioned reply of the sort: “Next time, use a hardware wallet.”
The problem is that hardware wallets provide a false sense of security. Let us take each case one-by-one:
In all of these cases & many more, a hardware wallet is just a stumbling block for a scammer. We can anticipate more scammers becoming familiar with hardware wallets like Ledger & Trezor, and coaching victims into revealing their seed phrases or into pressing ‘approve’ on the device for a transaction they don’t understand.
Hardware wallets may be able to protect you from malware & side-channel attacks, but it’s important to note: these attacks are extremely sophisticated and rare in 2021. Malware nowadays is often of the ‘cryptolocker’ variety, encrypting your disk and requesting a ransom to decrypt it, not scraping MetaMask’s memory while it is unlocked (where decades of operating-system process isolation work in your favour, at least against malware that has not already gained your user’s privileges) or reading the encrypted MetaMask vault on disk (which is useless without the password). At the time of this writing, it is not clear to me that there has ever been an operating-system root-level attack in the wild to which an ordinary in-browser MetaMask wallet would be vulnerable and a hardware wallet would not. Side-channel and fault-injection attacks require physical possession of the device and specialist equipment, not resources your average Discord/Telegram scammer has.
On the other hand, we have at least one case of customer mailing addresses being leaked, in the Ledger data breach of 2020. Although this doesn’t affect the device itself, scammers now have over 200K potentially very lucrative would-be victims in their Rolodex, each of them known to own a hardware wallet.
To make an analogy: malware & side-channel attacks are like the sound of a mouse underneath your floorboards, while social engineering & phishing attacks are like a city-wide air-raid siren going off in your room.
Just as you should be more worried about dying in a car crash on the way to the airport than on the plane, start paying attention to how smooth-talking social-engineering scammers exploit your emotions & psychology to persuade you into making a critical error.
Don’t be “quick to please” when you’ve been asked to sign a transaction or message. In one of the Bored Ape thefts above, the scammer allegedly replied: “hey your link isn’t working.” The scammer uses your sense of politeness against you, the implication being: you have messed up in some way and provided the wrong link (in this case, to nfttrader.io), and that you’ve wasted valuable minutes of your counterparty’s time. Therefore, stop being rude and click on the scammer’s link instead! Understandable, but deadly. Always slow down & stall for time. If the counterparty is impatient, that’s a dead giveaway you are being scammed. “Urgent” is code for: “please move quickly, so you can make a mistake.”
https://twitter.com/SnarkMaster3000/status/1469186142465519621
Do research the contract address on Etherscan. Does the transaction history of this contract look like what you expect? Is it a popular contract with a steady stream of transactions from many distinct users, or does it seem underwhelming? Does the contract have the type & magnitude of assets you would expect under its control, be it Ether or ERC-20 tokens? Unless you are directly sending assets into your counterparty’s wallet, whatever personal address they provide to establish a ‘valid’ identity is meaningless: in the Twitter thread above, the scammer supplied someone else’s legitimate address.
Don’t be lulled into a sense of safety by using a hardware wallet. You’ve only added security to your signature pen; nothing about the device prevents you from signing your assets away, because it signs whatever transaction or message the computer hands it and you approve.
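To make the ‘signature pen’ point concrete, here is an added example (not code from the original post, MetaMask, Ledger or Trezor) of the inspection a user or wallet should do on an eth_sendTransaction request before any signing device sees it. It decodes the standard ERC-20/ERC-721 approval and transfer calls by their function selectors and compares the request against what the user independently verified. All addresses and the sample requests are constructed placeholders; the `verified` object with its `trustedOperators` and `intendedRecipient` fields is an assumption of this example, not a wallet API.

```javascript
// Added example (not code from the original post, MetaMask, Ledger or Trezor).
// Inspect an eth_sendTransaction request before any signing device sees it:
// a hardware wallet signs whatever calldata the host hands it, so the check
// has to happen here. Addresses and sample requests are constructed placeholders.

// First 4 bytes of keccak256 over the ABI signature (standard ERC-20/ERC-721).
// Note: ERC-721's approve(address,uint256) shares the ERC-20 selector; its
// second word is a token id, not an amount, so read it with the contract type in mind.
const SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0xa9059cbb': 'transfer(address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
  '0x42842e0e': 'safeTransferFrom(address,address,uint256)',
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Minimal ABI helpers: arguments are 32-byte words after '0x' + selector.
const pad64 = (hex) => hex.replace(/^0x/, '').padStart(64, '0');
const encodeCall = (selector, ...words) => selector + words.map(pad64).join('');
function word(data, i) {
  const hex = data.slice(10 + i * 64, 10 + (i + 1) * 64);
  if (hex.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return hex;
}
const asAddress = (w) => '0x' + w.slice(24);
const asUint = (w) => BigInt('0x' + w);

// `verified` is what the user established independently of the web page:
// the contract address copied from Etherscan, the operators/spenders they
// knowingly trust and (for transfers) the counterparty they mean to pay.
// Returns { to, method, args, warnings }; an empty `warnings` means the
// request matches what the user believes they are doing.
function inspectTransaction(tx, verified) {
  const to = (tx.to || '').toLowerCase();
  const data = (tx.data || '0x').toLowerCase();
  const trusted = new Set(verified.trustedOperators.map((a) => a.toLowerCase()));
  const intended = (verified.intendedRecipient || '').toLowerCase();
  const warnings = [];
  const out = { to, method: null, args: {}, warnings };

  if (to !== verified.contract.toLowerCase()) {
    warnings.push(`"to" ${to} is not the contract you verified (${verified.contract.toLowerCase()})`);
  }
  if (data.length < 10) {
    out.method = BigInt(tx.value || '0x0') > 0n ? 'plain ETH transfer' : 'empty call';
    return out;
  }
  const selector = data.slice(0, 10);
  out.method = SELECTORS[selector] || null;
  if (!out.method) {
    warnings.push(`unrecognised function selector ${selector}: do not sign what you cannot read`);
    return out;
  }
  switch (selector) {
    case '0x095ea7b3': {
      const spender = asAddress(word(data, 0));
      const amount = asUint(word(data, 1));
      out.args = { spender, amount: amount.toString() };
      if (!trusted.has(spender)) warnings.push(`approve() grants ${spender} the right to spend your tokens`);
      if (amount === MAX_UINT256) warnings.push('allowance is unlimited (2^256-1)');
      break;
    }
    case '0xa22cb465': {
      const operator = asAddress(word(data, 0));
      const approved = asUint(word(data, 1)) !== 0n;
      out.args = { operator, approved };
      if (approved && !trusted.has(operator)) {
        warnings.push(`setApprovalForAll(true) lets ${operator} move every token you own in this collection`);
      }
      break;
    }
    default: {
      // transfer(to, ...) has the recipient in word 0; the *From variants in word 1
      const recipient = asAddress(word(data, selector === '0xa9059cbb' ? 0 : 1));
      out.args = { recipient };
      if (recipient !== intended) warnings.push(`tokens leave your wallet to ${recipient}, not the counterparty you named`);
    }
  }
  return out;
}

// Constructed sample: the "your link isn't working, use mine" scenario.
const COLLECTION = '0x1111111111111111111111111111111111111111'; // NFT contract you hold tokens in (placeholder)
const TRADER     = '0x2222222222222222222222222222222222222222'; // trading contract you verified on Etherscan (placeholder)
const SCAMMER    = '0x3333333333333333333333333333333333333333'; // operator the look-alike site slips in (placeholder)
const verified = { contract: COLLECTION, trustedOperators: [TRADER] };

// Both requests are well-formed setApprovalForAll(true) calls on the genuine
// collection; only the operator differs, and that is the whole theft.
const phishingTx = { to: COLLECTION, data: encodeCall('0xa22cb465', SCAMMER, '0x1') };
const legitTx    = { to: COLLECTION, data: encodeCall('0xa22cb465', TRADER, '0x1') };

console.log(inspectTransaction(phishingTx, verified).warnings); // one warning naming the scammer
console.log(inspectTransaction(legitTx, verified).warnings);    // []
```

The phishing request is the instructive one: the `to` address is the genuine collection, the calldata is perfectly well-formed, and a hardware wallet will display and sign it without complaint. Only the operator address gives it away, and the device has no way of knowing which operator you meant, so the comparison has to be made against an address you verified yourself.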
Do use a hardware wallet as part of a holistic security methodology, where you are triple-checking which contract you are interacting with. The frontend website is just a pretty facade over the backend smart contract: copy & paste the contract address into Etherscan and verify it before proceeding.
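An added example of the Etherscan research described above (not code from the original post or from Etherscan): it reduces the JSON that Etherscan’s public API returns for an address (module=account with action=txlist and action=balance, the same data the web page renders) to the age, activity and balance figures you would eyeball, and compares them against what the genuine contract should look like. The two responses below are constructed samples so the script runs offline; the addresses, transaction hashes and thresholds are placeholders, and the thresholds in particular are illustrative, to be taken from the real contract’s page.

```javascript
// Added example, not code from the original post or from Etherscan.
// Input shape follows Etherscan's public API:
//   https://api.etherscan.io/api?module=account&action=txlist&address=<addr>&sort=asc&apikey=<key>
//   https://api.etherscan.io/api?module=account&action=balance&address=<addr>&apikey=<key>
// Everything below is a constructed sample so the script runs offline.
const DAY = 86400;
const NOW = 1640000000; // fixed "now" (Dec 2021) so the sample is deterministic

// Reduce a txlist response plus balance (wei, as Etherscan returns it) to the
// figures a person would eyeball on the contract's Etherscan page.
// Note: txlist only lists transactions sent by externally owned accounts; a
// contract created by a factory has no creation row here (it appears under
// txlistinternal), so age then falls back to the first transaction that touched it.
function summariseContract(address, txlist, balanceWei, now) {
  if (txlist.status !== '1') return null; // Etherscan answers status "0" / "No transactions found"
  const addr = address.toLowerCase();
  const rows = txlist.result.filter((r) => r.isError === '0');
  const creation = rows.find((r) => (r.contractAddress || '').toLowerCase() === addr);
  const first = creation || rows[0];
  const lastWeek = rows.filter((r) => now - Number(r.timeStamp) <= 7 * DAY);
  return {
    ageDays: first ? (now - Number(first.timeStamp)) / DAY : 0,
    txCount: rows.length,
    txLastWeek: lastWeek.length,
    uniqueSendersLastWeek: new Set(lastWeek.map((r) => r.from.toLowerCase())).size,
    ethBalance: Number(BigInt(balanceWei) / 10n ** 12n) / 1e6, // wei -> ETH, 6 decimals
  };
}

// Compare against what the genuine contract is known to look like. The
// thresholds are illustrative placeholders; take them from the real contract's page.
function redFlags(summary, expected) {
  if (!summary) return ['address has no transaction history at all'];
  const flags = [];
  if (summary.ageDays < expected.minAgeDays) flags.push(`only ${summary.ageDays.toFixed(1)} days old`);
  if (summary.uniqueSendersLastWeek < expected.minUniqueSendersLastWeek) {
    flags.push(`only ${summary.uniqueSendersLastWeek} distinct users in the last 7 days (${summary.txLastWeek} txs)`);
  }
  if (summary.ethBalance < expected.minEthBalance) {
    flags.push(`holds ${summary.ethBalance} ETH, far below the expected ${expected.minEthBalance}`);
  }
  return flags;
}

// --- constructed sample data (placeholder addresses and hashes) -------------
function sampleTxlist(address, deployer, createdAt, senders, count, spanSeconds, now) {
  const row = (ts, from, i) => ({
    timeStamp: String(ts), from, to: address, contractAddress: '', isError: '0',
    hash: '0x' + String(i).padStart(64, '0'),
  });
  const rows = [{ ...row(createdAt, deployer, 0), to: '', contractAddress: address }]; // creation tx
  const step = Math.floor(spanSeconds / count);
  for (let i = 0; i < count; i++) rows.push(row(now - i * step, senders[i % senders.length], i + 1));
  return { status: '1', message: 'OK', result: rows };
}
const GENUINE   = '0x1111111111111111111111111111111111111111'; // the trading contract the frontend should use (placeholder)
const LOOKALIKE = '0x2222222222222222222222222222222222222222'; // the phishing site's own contract (placeholder)
const USERS = Array.from({ length: 60 }, (_, i) => '0x' + String(i + 1).padStart(40, '0'));
const DEPLOYER_B = '0x' + 'b'.repeat(40);

// 180 days old, 200 transactions this week from 60 different users, 1500 ETH under control.
const genuineTxlist = sampleTxlist(GENUINE, '0x' + 'a'.repeat(40), NOW - 180 * DAY, USERS, 200, 6 * DAY, NOW);
const genuineBalance = '1500' + '0'.repeat(18);
// Created two days ago, three transactions, all from its own deployer, 0.05 ETH.
const lookalikeTxlist = sampleTxlist(LOOKALIKE, DEPLOYER_B, NOW - 2 * DAY, [DEPLOYER_B], 3, DAY, NOW);
const lookalikeBalance = '50000000000000000';

const EXPECTED = { minAgeDays: 30, minUniqueSendersLastWeek: 25, minEthBalance: 10 };

console.log(redFlags(summariseContract(GENUINE, genuineTxlist, genuineBalance, NOW), EXPECTED));     // []
console.log(redFlags(summariseContract(LOOKALIKE, lookalikeTxlist, lookalikeBalance, NOW), EXPECTED)); // three flags
```

The point of scripting it is not automation so much as discipline: the three questions (how old, how many distinct users, how much under control) get asked of the address the frontend actually submits transactions to, and never of whatever ‘personal’ address the counterparty pastes into chat.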
Don’t reply to direct messages on Discord/Telegram/Twitter that purport to come from an admin trying to help; the overwhelming majority of the time they have copied a legitimate moderator’s profile picture & likeness. Ask yourself: why can’t this interaction be done in the main chatroom? Go back to the main chatroom and ask the moderators directly whether they would ever DM you (they will probably reply: “No, it’s a scam”).