SFM Labs - Wallet Security: Risks and Safety Precautions. Took place live on a Twitter Space on the 31st January 2022 - 2 PM EST / 7 PM GMT / 8 PM CEST
Disclaimer: All information given in this presentation is researched and intended to be educational and illustrative to the specific topic as always.
Every owner has to do their due diligence, as the decision and responsibility about any investment lie with the owner.
What is a Seed phrase?
A seed phrase is a series of words generated to give you access to the crypto associated with your wallet. It is a key to the blockchain where your cryptocurrencies are stored. By entering the seed phrase into a wallet, you can look at, store, or send your cryptocurrency. Never screenshot, upload, or share your seed phrase with anyone, as anyone who has the series of words can gain full access to your cryptocurrencies.
What types of wallets are there?
There are two types of wallets: cold wallets and hot wallets.
Cold wallets are wallets where the information is stored offline. That means that a cold wallet stores the user's address and private key and works in conjunction with compatible software, e.g. on a computer.
There is a saying, "not your keys, not your coins", which points exactly at the cold wallet: storage of your wealth to which you have total access. That minimizes the chances for hackers and malicious attacks to get access to your tokens. To use a cold wallet, you can either use a device specially produced for this purpose, e.g. Ledger, ElliPal, or Trezor, or you can create your own cold wallet by using a device (most likely a mobile phone or a tablet) without any SIM card or active internet connection, so that it is fully disconnected from the internet. You can read more about that in a recent article of our Senior Scholar CatsRUs on SafeMoon.Education. Cold wallets are more beneficial for Holders with long-term investments.
Hot wallets are wallets that are always online and connected to the internet. The most typical hot wallets are wallets on mobile phones and wallets on exchanges. They give access to quick transactions and are perfect for everyday cryptocurrency users. They are easy to use, quick to set up, and can be connected to nearly every crypto service out there. Exchanges, as hot wallet providers, hold your cryptocurrency in hot wallets: you do not have a seed phrase and only gain access through an application to see your cryptocurrencies stored at the designated wallet.
While exchanges are constantly trying to increase their security, it should be noted that additional mechanisms such as two-factor authentication, biometric scan, or anti-phishing phrases are mandatory to increase the security to a certain level. Storing a large number of digital assets in a hot wallet is not advisable as it leaves your funds exposed to potential security threats such as theft. It is advised to only hold smaller amounts on a hot wallet, such as currency for day trading, short-term trades, and quick swaps. Long-term investments should be held in cold wallets.
For every transaction, whether you are using your phone or using a hard wallet on your computer, it is advised to think of using and establishing a VPN to put that extra layer of security into your actions.
Make sure that you always check the address you want to send your transaction to twice or more, and make small test transactions, especially when you plan to transfer bigger amounts. This ensures that your transactions arrive where they are supposed to arrive and gives your actions additional security to avoid careless mistakes.
Why do people lose their cryptocurrencies?
Security is the most important thing while being a Holder. You are the biggest threat to your holdings; your actions determine what happens to your investments. Some holders carelessly screenshot or pass on their seed phrase, which gives others complete access to the cryptocurrencies within a few seconds and without warning. Never share your seed phrase, as you will lose your investments if someone enters it into their wallet.
The handling of data, the handling of security mechanisms in cold and hot wallets, and the precautions that a holder can take must all be considered. However, there are also external threats through which a single reckless act can quickly cost you your investment.
What are the risks from outside?
People who try to access your cryptocurrencies use many methods, simple or even complex, to get information disclosed. One of them, and probably the most common method to gain information, is the "dusting attack".
In this method, the attacker tries to send small amounts of tokens, which you did not buy, to your wallet address. These tokens can be worth nothing or have astronomical numbers, which should be taken with a grain of salt. If you didn't purchase something, then you shouldn't assume that you accidentally got tokens that someone else was supposed to get. This also happens, but in this case, it is very, very unlikely.
The tokens from a dusting attack should not be sold, traded, or sent. The attacker wants to learn information about your wallet by linking it to other wallets or exchanges, which he can then use to elicit information in other ways and gain access to your investments with scam emails, links, or similar.
The next risk is the purchase of tokens that are advertised in a presale. A ton of people offer the possibility to increase your basic, small investment by 10-1000x overnight, but the reality is mostly different.
Platforms like DXSale and Unicrypt offer the possibility to participate in a presale. Here, a lot of caution is required, because you should only invest if you have dealt extensively with the contract and the project, meaning that you have read the contract and reviewed the project itself. While not everyone can read a contract, it is important to educate yourself on aspects such as renounced contracts, liquidity locks, or unknown developers presenting a project. Short-term profits are the intention of many holders with this investment possibility, but you may also meet contracts that do not have long-term intentions and are riddled with traps or risks, such as a rug pull (theft of all liquidity by the creator of the contract at a certain point) or honeypots (contracts in which you invest money but cannot sell, so you are trapped). Therefore, even with the feeling of "FOMO" (fear of missing out), common sense is always more important, because it is better to invest the 50 dollars in a meaningful, already established project with named targets than in a short-term, profit-driven adventure, which can end badly.
While there are contracts that will try to recruit everyone in the presale, there are also already launched projects that will later offer lucrative trading opportunities with self-provided dApps. These are applications where you can directly connect your wallet to their platform to buy or trade their or other tokens and coins. It is important to connect your wallet only to a dApp that you are convinced of and know to be a secure project, so that the authorization granted during a connection does not cause your wallet to be emptied. Therefore, it is also important to disconnect manually after each connection and, if you want to be sure, to clear the cache of the browser or the cell phone.
The last aspect of risks (though it is the smallest risk) is allowances. Allowances are authorizations that arise when a token is bought, exchanged, or sold. They are limited or unlimited and give rights to the contract from which the allowance originates.
These rights are usually the buying and selling of the token or coin and the associated exchange that one initiates. However, some allowances grant further rights such as free access to certain amounts of tokens in the wallet of the holder (e.g. if reflections for other tokens are transferred automatically). This is the lowest risk level because no malicious intent has taken place so far and this risk is more of a new type of danger. Allowances can be revoked on BSCScan for a very small fee (usually 10 cents) which does not affect the ability of the token or coin. Specific websites like Beefy or Unrekt are also known and have worked well for some users on Android and iOS devices.
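The allowance check described above, as an added example that is not part of the original presentation: on BEP-20/ERC-20 tokens each allowance is recorded as an `Approval` event, and a revocation is simply an approval of 0, so replaying a wallet's approval logs in order shows which allowances are still open and which are unlimited. The log entries follow the shape returned by the standard `eth_getLogs` JSON-RPC call; all addresses and logs below are constructed placeholders.

```python
# Added example: list a wallet's outstanding token allowances from Approval logs.
# keccak256("Approval(address,address,uint256)"): standard ERC-20/BEP-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the maximum value, commonly shown as an "unlimited" allowance

def topic_to_address(topic):
    """An indexed address is a 32-byte topic; the address is its low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Return {(token, spender): amount} for allowances of `owner` still non-zero."""
    latest = {}
    # A later Approval replaces an earlier one, so replay the logs in chain order.
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not a token allowance (NFT approvals carry a fourth topic)
        if topic_to_address(topics[1]) != owner.lower():
            continue  # approval granted by a different wallet
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}  # 0 means revoked

def describe(amount):
    return "UNLIMITED" if amount == UNLIMITED else str(amount)

# --- constructed sample data (placeholder addresses, not real contracts) ---
WALLET, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
ROUTER, UNKNOWN_DAPP = "0x" + "c1" * 20, "0x" + "c2" * 20

def pad(addr):
    return "0x" + addr[2:].rjust(64, "0")

def make_log(token, owner, spender, amount, block, index):
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

SAMPLE_LOGS = [
    make_log(TOKEN_B, WALLET, UNKNOWN_DAPP, 0, 105, 0),          # later revocation
    make_log(TOKEN_A, WALLET, ROUTER, UNLIMITED, 100, 3),        # unlimited, never revoked
    make_log(TOKEN_B, WALLET, UNKNOWN_DAPP, UNLIMITED, 101, 1),  # granted, then revoked
    make_log(TOKEN_A, OTHER, ROUTER, 500, 102, 0),               # someone else's approval
    make_log(TOKEN_B, WALLET, ROUTER, 250, 110, 2),              # limited allowance
]

if __name__ == "__main__":
    for (token, spender), amount in outstanding_allowances(SAMPLE_LOGS, WALLET).items():
        print(f"token {token} -> spender {spender}: {describe(amount)}")
```

Any entry that remains in the result, especially one reported as UNLIMITED for a spender you no longer use, is a candidate for revocation.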
I have not followed some of the security measures so far. Am I in danger? Should I transfer my funds to a new wallet to secure them?
If you have not followed some safety instructions so far, it is strongly recommended to correct this. Missing security features like two-factor authentication and biometric scan can easily be enabled and directly increase security. Security risks in the form of untrusted contracts should be reconsidered. There is the possibility to send the tokens you want to keep to a new, freshly created wallet, so you can eliminate the risk of connections or backdoors. DApps and active connections can be disabled manually. With all of these safeguards in place, there is nothing to worry about.