Cybercrime is an ever-present threat in the digital world. Wallet scams are often the most common and damaging, leaving victims financially and emotionally vulnerable. Fortunately, there are steps you can take to protect yourself from becoming a victim of cybercrime. By understanding the actions you can take ahead of time, you can better shield yourself from potential losses and preserve your peace of mind. Here are my top eight tips for securing your digital life in web3.
Securing online accounts with strong and unique passwords is number one. Passwords leak online through data breaches, and weak ones are easily guessed by hackers.
Unfortunately, keeping track of all these passwords can be a challenge. That is where a quality password manager comes in. A password manager can help you create strong and unique passwords for each account and store them in one place, secured by your single master password. This way, you only need to remember one password and never have to worry about forgetting passwords or using the same password for multiple accounts again.
Use a quality password manager.
Two-factor authentication (2FA) adds an additional security layer to your digital life. With hackers running rampant, 2FA is a must. SMS-based (text message) 2FA is still a popular method of authentication, but it is vulnerable to SIM swap attacks. App-based 2FA is a more secure solution. Finally, using a physical security key for 2FA offers the strongest protection.
In recent years, scammers have found an easy way to target unsuspecting victims through sponsored Google search ads. Using these ads, they trick people looking for legitimate websites, directing them instead to fake versions of those sites to steal their wallet contents. Protect yourself by bookmarking the legitimate version; then navigate to the site via the bookmark rather than using search.
The wallet Address Book is the web3 equivalent of a bookmark: it lets you save approved addresses under a human-readable name. Later, when sending a transaction, you can (re)check the address before proceeding. Copycat sites with fake contracts will appear in the wallet as a bare 0x.... address and not as the named address you saved earlier. This way, you can ensure that you only interact with addresses and contracts you know about and protect yourself from malicious smart contracts. Don't trust, verify!
One of the best things you can do to keep your cryptocurrency safe is to use a browser extension like Pocket Universe, Revoke.Cash, Fire, and/or Stelo. These extensions are designed to help protect users from malicious activity by decoding transactions ahead of time to provide real-time warnings about what the transaction is about to do in plain English. With the help of these extensions, you can have peace of mind knowing that your wallet is secure and that you're fully aware of its activity at all times. Know before you FOMO.
I know what you're thinking now, "Well, I just won't sign any transactions then!" You can do that, but you won't get much done in web3 and it won't protect you from all scams either.
Even gasless message signatures can result in your wallet getting drained if you have infinite approvals on ERC-20 tokens or have already given OpenSea approval to sell your NFTs. Little-known fact: OpenSea uses the setApprovalForAll method, which means that when you allow OpenSea to list an item for sale on your behalf, it can do that for ALL assets from that collection (contract).
This is how the recent Kevin Rose hack happened: he had already approved those assets for sale; one gasless signature later, oops! OpenSea accepted the hacker's 0 ETH offers for his NFTs.
Revoke infinite approvals using revoke.cash or etherscan.io/tokenapprovalchecker to protect yourself from this exploit.
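To make the mechanics above concrete, here is a simplified Python model of ERC-721 operator approvals, added for this essay and not code from OpenSea or any real contract. It shows why a single setApprovalForAll lets a marketplace move every token in a collection once a signed order reaches it, and why revoking that approval stops later gasless signatures from settling; all addresses are constructed placeholders.

```python
# Simplified model of ERC-721 operator approvals, written for this article, not
# code from OpenSea or any real contract. All addresses are constructed labels.
MARKETPLACE, OWNER, ATTACKER = "0xMARKET", "0xOWNER", "0xATTACKER"


class Erc721Collection:
    def __init__(self, tokens, owner):
        self.owner_of = {t: owner for t in tokens}   # token_id -> owner
        self.operators = {}                          # (owner, operator) -> bool

    def set_approval_for_all(self, owner, operator, approved):
        # One call covers EVERY token the owner holds in this collection.
        self.operators[(owner, operator)] = approved

    def is_approved_for_all(self, owner, operator):
        return self.operators.get((owner, operator), False)

    def transfer_from(self, caller, src, dst, token_id):
        if self.owner_of.get(token_id) != src:
            raise PermissionError("src does not own token")
        if caller != src and not self.is_approved_for_all(src, caller):
            raise PermissionError("caller is not owner or approved operator")
        self.owner_of[token_id] = dst


def fulfill_offer(collection, seller, token_id, buyer):
    # A gasless order is only an off-chain signature; the marketplace contract
    # settles it on-chain by calling transferFrom as the seller's operator.
    collection.transfer_from(MARKETPLACE, seller, buyer, token_id)
    return collection.owner_of[token_id]


def demo_drain_then_revoke():
    nft = Erc721Collection(tokens=[1, 2, 3], owner=OWNER)
    nft.set_approval_for_all(OWNER, MARKETPLACE, True)   # needed to list token 1
    # A phished signature accepting a 0 ETH bid can now settle an unlisted token.
    fulfill_offer(nft, OWNER, 3, ATTACKER)
    lost = nft.owner_of[3] == ATTACKER
    nft.set_approval_for_all(OWNER, MARKETPLACE, False)  # the revoke.cash step
    try:  # with approval gone, a second phished signature cannot settle
        fulfill_offer(nft, OWNER, 2, ATTACKER)
        blocked = False
    except PermissionError:
        blocked = True
    return lost, blocked
```

The same pattern applies to ERC-20 infinite allowances: the approval, not the later signature, is what grants the spending power.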
The single best practice a user can do is to maintain the separation of their assets by purpose into different wallets. Basically, as more money gets stored in a single wallet, you should be extra cautious and restrict what you use that address for.
High-value assets ("blue-chips") and large amounts of crypto should be kept in a hardware wallet, a VAULT account that is not directly connected to the internet. This is the least-accessed account, think of it as your safety-deposit box at the bank.
Your day-to-day funds can be kept in an operational wallet, a separate internet-connected account that you use to interact with trusted entities, be they dapps, exchanges, or people.
Finally, you want to have a third, risky "degen" wallet. This is the condom for all your other assets, preventing those untested NFT minting contracts, those unsafe airdrops, etc. from putting the rest of your money at risk. If you interact with the wrong contract and lose ALL the funds in this account, it shouldn't hurt too badly because your funds are elsewhere.... they are elsewhere, right? :|
Tools like Delegate.cash and Warm.xyz allow proving ownership of vault-stored NFTs at a different registered wallet. This means you can safely connect your vault and degen wallets via a read-only connection. This is essential when meeting conditions to claim airdrops and mint NFTs. Scammers use those carrots to get people to connect their wallets and then drain them. With delegated ownership, you can prove you meet requirements indirectly and use a degen hot wallet to mint while keeping your high-value NFTs in a separate wallet.
Take the Bankless Academy security lesson to earn a non-transferrable NFT proving you understand.
iSpeakNerd is an educator, wordsmith, and DAO techie at Collab.Land. He does community education, documentation, UX, IT, security research, and helps with Operations and tooling for multiple DAOs. His background is in physical science and education.
This is essay 1 of 4 for the Bankless Academy Writers Cohort.