Free Guide:
10 Simple Steps To Keep Your
Crypto Super Safe
Including Wallet Security (2024)

DISCLAIMER:

This guide offers no guarantees and was not written by a “crypto or cybersecurity expert.” It collects what I have learned over the years from many sources and from personal experience.

I can confidently say that I have never once been scammed through wallet drainers (explained later) or other very clever hacks in the seven years I have been in the crypto and blockchain industry.

I’m going to make an expert out of you too, and most of it is super easy to do.

Let’s go.

I start with a distinction. There are only two ways you can get scammed in crypto: either it was a user error (a failure by you) or it was a hack using tooling built by attackers.

In the vast majority of cases it was one of two things: you granted “approvals” in your wallet that let a contract move certain tokens out of it, or you downloaded and ran malware on your machine. That malware then steals your seed phrase or private key, which is the access to your wallet, i.e. to your cryptocurrency.

Here are the 10 most “human-related” security failures in cryptocurrency:

(Please read through all of them. That is super important, because in the end it’s YOUR MONEY on the line, which you worked hard for!)

1. Poor Password Management:
• Weak Passwords: Using simple or easily guessable passwords for crypto wallets or exchange accounts, such as your birthday with your last name or anything people could research about you on the internet or on social networks such as Meta’s platforms or X.
• Reusing Passwords: Using the same password across multiple platforms, increasing the risk if one gets compromised.
• Failure to Use Two-Factor Authentication (2FA): Not enabling 2FA on exchange and other online accounts that offer it, which adds an extra layer of security on top of the password.

2. Phishing Attacks:
• Email Scams: Falling victim to phishing emails that appear to be from legitimate sources but aim to steal login credentials.
• Fake Websites: Entering sensitive information on websites that look like legitimate exchanges or wallet services but are fraudulent.

To prevent both of the above, hover over links before you click them and read the full address, not just the visible link text. That has personally saved me many times, because every so often you need to do things fast and forget. Make it a habit to read every link you click, and you are in a much better position.

3. Social Engineering:
• Impersonation: Trusting and giving out sensitive information to individuals who pretend to be trusted entities or support personnel.
• Manipulation: Being tricked into performing actions, such as sending cryptocurrency to an address under false pretenses.

4. Insecure Storage of Private Keys:
• Digital Storage: Storing private keys in plain text on computers or mobile devices that can be hacked.
• Physical Storage: Writing down private keys on paper and not storing them securely, leading to loss, theft, or damage.

MrBeast once kept the seed phrase of his Bitcoin wallet on a sticky note stuck directly to his laptop. Then his house was raided and a large amount of Bitcoin was lost. Later I show you how best to store those keys and seed phrases, in combination with hardware wallets.

5. Use of Untrusted Software:
• Fake Wallets: Installing and using wallet software from unverified or untrusted sources, which may contain malware.
• Outdated Software: Using outdated wallet software that may have known vulnerabilities.

6. Failure to Verify Transactions:
• Blind Signing: Signing transactions without verifying the details, potentially sending funds to unintended recipients.
• Ignoring Alerts: Overlooking security alerts or notifications from wallet services or exchanges.

We’ll also get to the above later, using Rabby Wallet instead of MetaMask: it shows you in plain language what a transaction will do before you sign it, so you can actually read what your transaction is about.

7. Lack of Backup:
• No Backup of Private Keys: Not backing up private keys or recovery phrases, leading to irreversible loss of access if the original keys are lost.
• Improper Backup Storage: Storing backups in insecure locations, making them vulnerable to theft or damage. I personally keep my private keys and seed phrases in a safe, and that safe is not even in my house.

8. Overlooking Security Updates:
• Software Updates: Failing to regularly update wallet software or other cryptocurrency-related applications, missing critical security patches. Running unpatched software leaves you exposed to bugs that are already public and already being exploited.
• Firmware Updates: Ignoring updates for hardware wallets, which could close known vulnerabilities.

9. Improper Use of Public Wi-Fi:
• Unsecured Networks: Accessing crypto accounts or signing transactions over public Wi-Fi exposes you to rogue access points and captive-portal phishing pages. A VPN encrypts your traffic as far as the VPN provider, but it does nothing against a phishing site, a malicious approval, or malware already on your machine. My rule: never do crypto over public Wi-Fi, and I’d go further and avoid public Wi-Fi for anything personal.

10. Trusting Centralized Exchanges:
• Exchange Hacks: Keeping large amounts of cryptocurrency on exchanges, which are frequent targets for hackers.
• Regulatory Risks: Risking funds due to regulatory actions against exchanges, which can result in frozen or lost assets.

Different Wallet Types and Their Pros and Cons


Hot Wallets (Rabby, MetaMask, Phantom)

Hot wallets are digital wallets connected to the internet. They are usually apps on your smartphone or computer.

• Pros:
Convenient: Easy to access and use for daily transactions.
User-Friendly: Often come with intuitive interfaces.

• Cons:
Less Secure: Because they run on an internet-connected device, a phishing site, a malicious approval prompt, or malware on that device can reach them and the keys they hold.


Hardware Wallets (Tangem, Keystone, Trezor, Grid+)

Hardware wallets are physical devices, often the size of a USB stick or a card, that keep your private keys offline and sign transactions inside the device.

• Pros:
Very Secure: The keys never leave the device; your computer only sees the unsigned transaction going in and the signature coming out.
Protected from Malware: Since the private keys never touch an online device, malware on your computer cannot read them. It can still present you a malicious transaction to sign, so always verify the recipient and amount on the device’s own screen.

• Cons:
Cost: They can be relatively expensive compared to other types of wallets.
Physical Security: The device itself needs to be protected from loss or theft, and its PIN must not be written next to it.


How to secure your Wallets

Strong Passwords and 2FA

Creating Strong Passwords:
• Use a password manager to generate and store a long random password (16 or more characters) or a multi-word passphrase. A mix of upper and lower-case letters, numbers, and special characters is fine, but length matters more.
• Avoid easily guessable information like birthdays or common words, and never reuse a crypto password anywhere else.
• Example: Instead of “password123,” use something a password manager generates, like “G7#bR9!jK2” but longer.

• Two-Factor Authentication (2FA):
Adds an extra layer of security by requiring two forms of identification: something you know (password) and something you have (a code from an authenticator app or a hardware security key). Avoid SMS codes where you can; a SIM swap lets an attacker receive them.
• How to Enable: 2FA applies to accounts with a login, i.e. exchanges and other custodial services. Open the account’s security settings and scan the QR code with an authenticator app like Google Authenticator. Self-custody wallets such as MetaMask, Rabby or Phantom have no 2FA: the wallet password only encrypts the keys on that device, and whoever holds the seed phrase holds the funds.


Backing Up Recovery Phrase

A recovery phrase is a series of 12 to 24 words generated by your wallet. It’s used to restore your wallet if you lose access to your device. Yes, you heard correctly: even if you lose your hardware wallet, you can still recover your funds with your recovery phrase (seed phrase). This is the most important phrase in crypto. If you lose it, or suspect someone else has seen it, I highly advise (if you can) moving your funds to a new hardware wallet with a fresh seed phrase immediately.

Steps to Back Up:
• Write It Down: Physically stamp or engrave the phrase on a tungsten (Wolfram) or steel plate. Yes, metal. You can buy those on Amazon. Why metal?
It survives even if your house burns down, so your funds stay recoverable.
• Store Securely: Keep the plate in a safe place, like a safe, and don’t put it in a bank safe deposit box: the bank is entitled to lock you out of it. Do not store it digitally (e.g., as a photo, on your phone or computer, or in cloud notes), as these can be hacked.


Phantom Wallet Security (Enabling Security Features)

How to Enable:
• Open the Phantom Wallet App: Go to the settings menu.
• Security Options: Set a strong wallet password, turn on biometric unlock (fingerprint or Face ID) where your device supports it, and set an auto-lock timeout if offered. Phantom has no 2FA: the password and biometrics protect the app on that one device, while the seed phrase is what protects the funds.

Recognizing And Avoiding Scams


Phishing

Phishing is a scam where attackers try to trick you into giving them your personal information, like your private keys or passwords, by pretending to be someone you trust.

• How it Works: You might receive an email or a message that looks like it’s from your wallet provider or a crypto exchange, asking you to log in or provide your private keys or seed phrase. This is where reading and hovering over every link you click comes back in.
• Example: An email that looks like it’s from Phantom Wallet, saying there’s an urgent issue with your account and asking you to click a link to log in. The link takes you to a fake website that looks real, but when you enter your seed phrase, the scammers import it into their own wallet and send your funds to theirs.


Ponzi Schemes

A Ponzi scheme is a fraudulent investment scam promising high returns with little risk. It pays returns to earlier investors, using the money from new investors.

• How it Works: Scammers lure you with promises of high returns. Early investors do get paid, which convinces more people to invest. Eventually, the scheme collapses, and most investors lose their money.
• Example: A new crypto project promises 10% returns every month. They use money from new investors to pay returns to earlier investors. When new investments dry up, the scheme collapses, and most people lose their money.


Fake Initial Coin Offerings (ICOs)

An ICO is a way for new crypto projects to raise money. Fake ICOs are scams where fraudsters create a fake project and disappear with investors’ money.
• How it Works: Scammers create a convincing website and whitepaper for a fake project, promising huge returns. People invest in the ICO, but the project is fake, and the scammers disappear with the money.
• Example: A website promoting a new cryptocurrency with a professional-looking whitepaper and promises of revolutionary technology. After raising a lot of money, the website disappears, and the founders are nowhere to be found.


Examples of Phishing Emails and Fake Websites

• Phishing Email: You get an email that looks like it’s from your crypto wallet provider. It says there’s a security issue and you need to log in immediately. The email includes a link to a website that looks almost identical to the real one.
• Fake Website: You visit a website that looks like a well-known wallet or exchange, but the URL is slightly different (e.g., “ph4ntomwallet.com” instead of “phantom.app”). Check the address bar itself, not the link text or the logo. When you log in or type your seed phrase, your details are stolen.
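The “read the full link” habit from steps 2 and 6 can be turned into a small check. The following is an added example, not code from the original guide: it parses a link the way a browser will, and flags the tricks behind the fake-website examples above (digit-for-letter lookalikes such as “ph4ntom”, a trusted name used as a subdomain of an attacker’s host, “user@host” URLs where the part before the “@” is not the host, punycode hostnames, and plain http). The trusted-host list is an assumption for the example; you would keep your own.

```javascript
// Added example (not from the original guide): decide whether a link really
// points at a wallet/exchange host you trust. Plain Node.js, no dependencies.

// Assumption for this example: the hosts the reader actually uses.
const TRUSTED_HOSTS = ["phantom.app", "rabby.io", "metamask.io"];

// Digits and symbols attackers substitute for letters ("ph4ntom", "rabb1").
const LOOKALIKES = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b" };

function normaliseHost(host) {
  return host.toLowerCase().split("").map(c => LOOKALIKES[c] ?? c).join("");
}

// Returns { verdict: "allow" | "warn" | "block", host, reasons }.
function checkLink(href, trusted = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(href); // same parser the browser uses for the address bar
  } catch {
    return { verdict: "block", host: null, reasons: ["not a valid absolute URL"] };
  }
  const host = url.hostname.toLowerCase();
  const reasons = [];

  if (url.protocol !== "https:") reasons.push(`scheme is ${url.protocol}, not https:`);
  // "https://phantom.app@evil.com/": everything before "@" is userinfo, the host is evil.com
  const hasUserinfo = Boolean(url.username || url.password);
  if (hasUserinfo) reasons.push(`userinfo before "@"; the real host is ${host}`);
  // xn-- labels are punycode and may render as lookalike Unicode letters
  if (host.split(".").some(l => l.startsWith("xn--"))) reasons.push("punycode (xn--) hostname");

  // Exact match or a real subdomain of a trusted host (app.phantom.app)
  const isTrusted = trusted.some(t => host === t || host.endsWith("." + t));
  if (isTrusted) return { verdict: reasons.length ? "warn" : "allow", host, reasons };

  // A trusted brand appearing inside an untrusted host is the classic lookalike:
  // ph4ntomwallet.com, phantom.app.evil.com, phantom-support.io ...
  const brands = trusted.map(t => t.split(".")[0]);
  const imitated = brands.find(b => normaliseHost(host).includes(b));
  if (imitated) reasons.push(`host "${host}" imitates "${imitated}" but is not that domain`);

  if (imitated || hasUserinfo) return { verdict: "block", host, reasons };
  reasons.push(`host "${host}" is not in the trusted list`);
  return { verdict: "warn", host, reasons };
}

// Constructed sample links, including the guide's own fake-website example.
const SAMPLE_LINKS = [
  "https://phantom.app/",
  "https://app.phantom.app/",
  "https://ph4ntomwallet.com/login",
  "https://phantom.app@evil.com/",
  "https://phantom.app.evil.com/",
  "http://phantom.app/",
];

for (const link of SAMPLE_LINKS) {
  const r = checkLink(link);
  console.log(`${r.verdict.padEnd(5)} ${link}  ${r.reasons.join("; ")}`);
}
```

Anything other than “allow” means you stop and compare the hostname letter by letter against a bookmark you made yourself; the check is a filter for your attention, not a replacement for it, and it knows nothing about hosts outside your list.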

The easiest way to avoid scams in crypto is, honestly, to use your brain while moving through the industry. Again, I have never been scammed, because I have a nose for phishing links, I know how the tokenomics of scam projects work, and the computer I use is kept super clean. I always browse with a VPN on, so make sure you also get one for yourself.


Understanding Token Approvals

Token approvals are permissions granted to a smart contract, allowing it to access and transfer a specific type or amount of a token from your wallet.

Examples include:

1. Granting an NFT marketplace permission to move your NFT, i.e. enabling you to sell it.
2. Allowing a DEX (Uniswap, PancakeSwap, 1inch) access to your tokens, so you can swap them for other tokens.

Almost every token on the Ethereum network, except ETH itself, is an ERC-20 token. One key feature of ERC-20 tokens is the ability to grant approval permissions (allowances) to other smart contracts.

These approvals are necessary if you want to engage in core DeFi activities like swapping or bridging tokens.

NFTs, which are ERC-721 and ERC-1155 tokens, have approval mechanisms similar to ERC-20s, but they are used in NFT marketplaces.

When you first receive a token approval prompt from MetaMask (MM) or Rabby, it provides several crucial pieces of information, including:

• The token you are granting approval for.
• The website you are interacting with.
• The smart contract you are interacting with.
• The option to edit the token permission amount.

Detailed Token Approval Information

In the full-details dropdown, an additional key piece of information is revealed: the approve function, i.e. the exact contract call you are signing.

All ERC-20 tokens share the characteristics and properties defined by the ERC-20 standard. One of these is that a smart contract may move tokens out of your wallet up to the amount you have approved for it, for as long as that approval stands.

The risk associated with these approvals is that if you grant token permissions to a malicious smart contract, your assets could be stolen or drained. Therefore, it’s crucial to review and understand the permissions you are granting to ensure the safety of your assets.


NFT Approvals

“setApprovalForAll” for NFTs

This is a commonly used but dangerous approval, generally granted to trusted NFT marketplaces when you want to sell an NFT.

This approval allows the NFT to be transferred by a marketplace’s smart contract. So, when you sell an NFT to a buyer, the marketplace’s smart contract can automatically transfer the NFT to the buyer.

This type of approval grants access to all NFTs from a specific collection or contract address, not just the one you are selling. That is exactly what makes it attractive to malicious websites or contracts.

If an NFT ever shows up in your wallet that you did not buy or claim, it is most likely bait: the contract behind it is malicious, and it usually links to a site that promises a reward for “selling” or “claiming” it. If you follow that link and try to sell or transfer the unknown NFT there, the prompt you are asked to sign is a setApprovalForAll (or a disguised transfer) for your real collections, and your wallet gets drained. Leave such NFTs alone, hide them in the wallet if you like, and never sign anything connected to them.

Why do I teach you this?

Allowing an approval for an unlimited amount of tokens can put your funds at risk.

By manually setting the token approval to a specific amount, you limit the maximum number of tokens the approved dApp can move until you provide another approval for a larger amount.

This reduces your exposure if the smart contract is compromised. If an exploit occurs in a dApp to which you have granted unlimited approvals, you can lose every approved token in your wallet.

If you want a contract to be able to use at most $1000 of your funds in a given coin, set the approval to exactly that amount. Then no more than that is at risk from that dApp. If instead you grant unlimited approval and hold $4 million in USDC in that wallet, a compromised contract can drain all of it rather than only $1000.

Keep this in mind, this is super helpful if later on a smart contract seems compromised.

I recommend Rabby Wallet to everyone because inside the wallet itself, or in its desktop app, you can list your token and NFT approvals and revoke them, which reverses those permissions. Otherwise you can also use the website revoke.cash, connect your wallet there and revoke your approvals. Keep in mind that a revoke is itself a transaction (it sets the allowance to zero, so it costs gas) and only protects tokens still in your wallet; anything already moved out is gone.
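To make the approval prompt discussed above concrete (the approve function shown in the details dropdown, the unlimited versus capped amount, and the setApprovalForAll case from the NFT section), here is an added example that is not part of the original guide. It decodes the raw calldata of a transaction the way a wallet does before showing you the prompt, and flags the patterns this guide warns about. It uses only the standard ERC-20/ERC-721/ERC-1155 function selectors; the spender address and the trusted-spender list are constructed placeholders, not real contracts.

```javascript
// Added example (not from the original guide): decode an approval transaction's
// calldata and classify the risk. Plain Node.js with BigInt, no web3 library.

// 4-byte selectors = first 4 bytes of keccak256(signature) for the standard functions.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",            // ERC-20 allowance (ERC-721 uses the same selector with a tokenId)
  "0x39509351": "increaseAllowance(address,uint256)",  // common OpenZeppelin extension
  "0xa22cb465": "setApprovalForAll(address,bool)",      // ERC-721 / ERC-1155 operator approval
};
const UINT256_MAX = (1n << 256n) - 1n; // what "unlimited" approval actually is

// Each ABI argument is one 32-byte word (64 hex chars) after the 8-char selector.
const word = (data, i) => data.slice(8 + i * 64, 8 + (i + 1) * 64);
const wordAddress = (w) => "0x" + w.slice(24);
const wordUint = (w) => BigInt("0x" + w);

// opts.trustedSpenders: contracts you knowingly use; opts.maxAmount: your cap in base units.
function classifyCalldata(calldata, opts = {}) {
  const data = calldata.toLowerCase().replace(/^0x/, "");
  const selector = "0x" + data.slice(0, 8);
  const sig = SELECTORS[selector];
  if (!sig) return { kind: "other", selector, risk: "review", notes: ["not a known approval call"] };
  if (data.length < 8 + 2 * 64) return { kind: sig, selector, risk: "block", notes: ["calldata too short"] };

  const spender = wordAddress(word(data, 0));
  const trusted = (opts.trustedSpenders ?? []).map(a => a.toLowerCase());
  const notes = [];
  let risk = "ok";
  if (!trusted.includes(spender)) { notes.push(`spender ${spender} is not on your trusted list`); risk = "review"; }

  if (sig.startsWith("setApprovalForAll")) {
    const approved = wordUint(word(data, 1)) !== 0n;
    if (approved) {
      notes.push("operator gains control of EVERY token in this collection");
      risk = trusted.includes(spender) ? "review" : "block";
    } else {
      notes.push("revokes operator access (safe)");
    }
    return { kind: sig, selector, spender, approved, risk, notes };
  }

  const amount = wordUint(word(data, 1));
  const unlimited = amount === UINT256_MAX;
  if (unlimited) {
    notes.push("unlimited allowance (2^256-1): every unit of this token you ever hold is exposed");
    risk = "block";
  } else if (opts.maxAmount != null && amount > opts.maxAmount) {
    notes.push(`amount ${amount} exceeds your cap of ${opts.maxAmount}`);
    risk = "review";
  } else {
    notes.push(`limited allowance of ${amount} base units`);
  }
  return { kind: sig, selector, spender, amount, unlimited, risk, notes };
}

// The guide's "$1000 cap" needs base units: USDC has 6 decimals, so 1000 USDC = 1_000_000_000.
function toBaseUnits(amountStr, decimals) {
  const [whole, frac = ""] = amountStr.split(".");
  if (frac.length > decimals) throw new Error("too many decimal places for this token");
  return BigInt(whole + frac.padEnd(decimals, "0"));
}

// Encode approve(spender, amount) so we can build sample prompts and capped approvals.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x095ea7b3" + addr + amount.toString(16).padStart(64, "0");
}

// Constructed samples: the spender is a placeholder address, not a real contract.
const SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_UNLIMITED = encodeApprove(SPENDER, UINT256_MAX);
const SAMPLE_CAPPED = encodeApprove(SPENDER, toBaseUnits("1000", 6));
const SAMPLE_SET_ALL = "0xa22cb465" + SPENDER.slice(2).padStart(64, "0") + "1".padStart(64, "0");

for (const [label, data] of [["unlimited", SAMPLE_UNLIMITED], ["capped", SAMPLE_CAPPED], ["setApprovalForAll", SAMPLE_SET_ALL]]) {
  const r = classifyCalldata(data, { trustedSpenders: [SPENDER], maxAmount: toBaseUnits("1000", 6) });
  console.log(label.padEnd(18), r.risk.padEnd(6), r.notes.join("; "));
}
```

When the wallet prompt shows an amount of 115792089237316195423570985008687907853269984665640564039457584007913129639935, that is UINT256_MAX: edit it down to what the swap actually needs. Remember that for an ERC-721 contract the same 0x095ea7b3 selector carries a tokenId rather than an amount, so the contract type decides how the second word is read.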

Final Words


Make sure that the contract and the website you’re interacting with are 100% legit. In the Web3 space we go by the saying “trust, but verify.”
Check your wallets regularly and revoke access for NFT collections and smart contracts you are no longer using.
Start using Rabby Wallet, even with multiple wallets inside it, instead of MetaMask: it shows you what you are signing.
Even more secure is keeping the keys on a hardware (cold) wallet like Tangem, Keystone, Grid+, or Trezor, and using Rabby only as the interface to it.
