As the popularity of cryptocurrencies grows, so does the activity of cybercriminals who seek to steal cryptocurrency in any way possible: by launching phishing attacks, finding vulnerabilities in source code, or impersonating company employees to obtain confidential user information such as private keys, passwords, seed phrases, and more. This makes the security of crypto wallets an especially pressing problem today.
Outright hacks are rare; the most common ways to steal cryptocurrency are phishing and fraud. Often, users hand over private information themselves, not realising that they are dealing with an attacker. Let us illustrate how to protect your wallet and avoid becoming a victim of crypto scammers.
Part 1. Creating and protecting a crypto wallet
First, you need to create a cryptocurrency wallet - this will be your personal safe, which only you can access. Therefore, the responsibility for the safety of funds lies entirely with its owner: non-custodial wallets store private keys only on the user's device, and neither the developers nor the company will help restore access if you lose your private keys and seed phrase.
Note: The creation process may differ depending on the client used. Some wallets require you to save your seed phrase immediately and set up additional protection: 2FA (two-factor authentication), a PIN, or a password. Other clients let you do this later to simplify and speed up wallet creation.
Often the process of setting up a wallet happens in several stages:
- Generation of a new wallet;
- Saving and confirming the seed phrase (optional);
- Creating a password or PIN that will be used to open the wallet. In this case, the wallet file remains encrypted and can be decrypted only after the password/PIN is entered. Otherwise, you will have to restore the wallet using the recovery phrase.
After that, the crypto wallet is created and ready to use, but this is only the first step. Now you need to protect it by every available means. First of all, back up the wallet by writing down its seed phrase, if this was not done when the wallet was created.
What is a seed phrase
A seed phrase is a sequence of 12 or 24 pseudo-random words generated by the wallet. It is also called a recovery phrase, a secret phrase, a mnemonic password, or simply a seed. Other lengths exist as well, and some wallets let you customize the sequence yourself. The seed phrase holds the information needed to restore the wallet if you forget your password or lose access to the device on which the wallet is installed.
More modern clients and devices, such as the Trezor T hardware wallet, let you extend the mnemonic with a passphrase. This is an extra word chosen by the user. It lets you create an unlimited number of hidden wallets and so store cryptocurrency more securely. This method suits those who plan to hold cryptocurrency for one or several years.
The main thing every crypto holder needs to remember is that if your seed phrase is compromised, the funds will most likely be stolen soon. A mnemonic password gives access to your funds in any wallet and on any device. That is why the way you store your recovery phrase matters just as much.
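How a passphrase extends a mnemonic, as an added example (not code from the article, nor from Trezor): BIP39 feeds the mnemonic and the passphrase into PBKDF2 to produce the wallet seed, so every distinct passphrase yields an unrelated wallet. The flip side is that a mistyped passphrase is not rejected; it silently opens a different, empty wallet. The mnemonic below is BIP39's own example phrase; the passphrases are constructed.

```python
import hashlib
import unicodedata

# BIP39's own example mnemonic (12 words, valid checksum); any valid mnemonic works.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte binary seed as BIP39 specifies.

    PBKDF2-HMAC-SHA512, 2048 rounds, password = NFKD(mnemonic),
    salt = NFKD("mnemonic" + passphrase). The passphrase is never stored
    or verified anywhere: every string is "valid" and selects its own wallet.
    (Checksum validation of the mnemonic itself is out of scope here.)
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048)


def hidden_wallets(mnemonic: str, passphrases):
    """Map each passphrase to the seed it unlocks: one mnemonic, many wallets."""
    return {p: bip39_seed(mnemonic, p) for p in passphrases}


if __name__ == "__main__":
    # Constructed passphrases: the empty one is the "standard" wallet;
    # "trezor" is a typo of "Trezor" and opens a different, empty wallet.
    for p, seed in hidden_wallets(MNEMONIC, ["", "Trezor", "trezor"]).items():
        print(f"passphrase={p!r:10} seed={seed.hex()[:16]}...")
```

Write the passphrase down with the same care as the seed phrase: without it, the seed phrase alone restores only the standard (passphrase-less) wallet.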
Part 2. How to store a seed phrase and other confidential information
The first rule is: do not store the mnemonic password in digital form, for example as a screenshot or a text file on a device or in the cloud. The same goes for flash drives. Attackers can intercept traffic or gain access to your device or account. The safest storage is offline. Anything on which you can write or print words will do:
- Paper;
- Laminated card;
- Special device for storing seeds.
And one more key rule that every crypto holder must memorize like a mantra: never give a seed phrase to anyone! No matter how fervently you are asked to. Fraudsters introduce themselves as technical support employees or use other methods of manipulation. For example, they can manipulate you using fear, saying that your client has been hacked, and you urgently need to restore the wallet by entering a secret phrase on the site using the link they conveniently provided. Of course, this will be fake, and your funds will be irretrievably lost. The same applies to any other personal information: secret keys, PIN codes, logins and passwords, and so on.
A similar situation happened with owners of Trezor and Ledger, who inadvertently entered a seed phrase on a fake site, not noticing that the domain was different from the original domain of the manufacturers.
Please note that the domain is different from Trezor.io: the actual registered domain is io-restoretrezor.com. This means you have a phishing site in front of you. If you connect a wallet to it and enter private information, your funds will be stolen immediately. Another important rule follows from this:
Always check the domain of the site on which you use or download the wallet.
It is best to save the wallet's official website in your bookmarks and open it only from that link. And one more thing: beware of advertising links in Google Ads. Fake sites are most often found there, because it is difficult for attackers to outrank the genuine site in organic search results.
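Checking a link against a bookmarked official domain, as an added example (not code from the article or from any wallet vendor): the test is exact host equality or a true subdomain, never substring containment, because look-alikes such as io-restoretrezor.com contain the genuine name. The official domain set holds only Trezor.io from the article; the sample links are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Official site the user has bookmarked (the article's example is Trezor.io).
OFFICIAL_DOMAINS = {"trezor.io"}


def extract_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if it has none.

    urlsplit() handles the tricks phishing links rely on: userinfo
    (https://trezor.io@evil.example/ really points at evil.example),
    ports, paths and query strings are all stripped from the host.
    """
    if "://" not in url:
        url = "https://" + url          # bare "wallet.trezor.io/start"
    host = urlsplit(url).hostname
    return host.rstrip(".").lower() if host else None


def is_official(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if the host is an official domain or one of its subdomains.

    Substring matching is deliberately NOT used: "io-restoretrezor.com" and
    "trezor.io.evil.example" both contain "trezor.io" yet are not it.
    """
    host = extract_host(url)
    if host is None:
        return False
    # Punycode labels (xn--...) may hide homograph look-alikes; treat as suspicious.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return any(host == d or host.endswith("." + d) for d in official)


if __name__ == "__main__":
    # Constructed sample links, modelled on the phishing domain from the article.
    samples = [
        "https://trezor.io/start",
        "https://wallet.trezor.io/",
        "https://io-restoretrezor.com/recover",
        "https://trezor.io.io-restoretrezor.com/",
        "https://trezor.io@io-restoretrezor.com/",
        "trezor.io/start",
    ]
    for link in samples:
        print(f"{'OK      ' if is_official(link) else 'SUSPECT '} {link}")
```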
This also applies to Android apps. Google Play is moderated much less strictly than the iPhone App Store, so scammers can publish a fake app. That happened with Trezor (again). Moreover, the attackers managed to publish the application in the name of the manufacturer, SatoshiLabs. Download applications only via links on official sites.
Tip: You can avoid losing funds by using a decoy wallet holding a small amount, with which you can check whether a real site is in front of you. This wallet acts as a canary and saves the bulk of your funds. But the best approach is simply to be careful and not enter personal information on any site.
Here are more useful tips for storing your seed:
- Put your secret phrase in a safe place that only you know about: a safe or a safe deposit box. This is the safest way;
- Make several copies in case one gets damaged or lost;
- Do not use the seed phrase in public places: in the office, waiting room or cafe;
- Do not take screenshots while recording the mnemonic password and do not copy it to the clipboard;
- When recording a seed, there should be no unauthorized persons nearby.
If you suspect that your wallet may have been hacked or compromised in some way, transfer the money to your backup wallet immediately. If you do not have one, create one now.
Nobody should know the mnemonic password but you! As a last resort, you can pass it on to close people you trust.
Protect your wallet in all available ways: set a PIN, password, Touch ID or Face ID, and set up two-factor authentication. It is preferable to use an app like Google Authenticator instead of a phone number or email. This will make it difficult for attackers to gain access, even if they manage to take over your electronic device. Some wallets even provide biometric security.
Public and private keys
When you open a crypto wallet, it displays a long sequence of numbers and letters. It is called a public key. It represents only the address of your wallet, to which other users (or you yourself) send coins. It can be disclosed and passed to strangers, since this address contains no confidential information that gives access to your funds. Using your public key, other users can verify your signature to make sure that the address belongs to you. Here is an example of a public key for bitcoin:
17RXw2h4LuhqbTKM93GVsv3DkzUTVH2Ag9
Note: advanced wallets allow you to create and use multiple addresses. If you are concerned about privacy, it is best to generate a new address for each transaction. This will help obfuscate the trail and make it difficult to track transactions.
The private key is hidden, so only the owner of the wallet can get it. Private keys allow you to spend cryptocurrency, so in no case should they be transferred to anyone.
Don't confuse a private key with a mnemonic password. The private key looks like a public key, but most often holders use a seed phrase and open wallets using a PIN, password, Touch ID, or Face ID (when using mobile wallets). In fact, public and private keys differ only in length and only slightly in format. Bitcoin legacy addresses start with the number "1", and private keys with the letter "L". An example of a private key for bitcoin:
L4FyYRU6pRj4xoFw6pJhRAcDxdrdvoZzhB7ftFaLypnUBpa3Ko2U
Conclusion
Be careful and do not trust anyone in the crypto environment if someone writes to you in private messages with a request to provide them with a seed phrase or any other available private information that your wallet provides. Only scammers do this. Support will never write to you directly. If you need any help, write only to the general chat. Admins and moderators will come to your aid.
We repeat: never give your seed phrase, private key, and passwords from your wallet to unknown persons!
Subscribe to Everstake's social media channels, read the latest information from the blockchain world and always be extremely vigilant! First of all, the security of your cryptocurrencies depends only on you!