Crypto Wallet Security 101: Essential Tips for Protecting Your Crypto Assets
In August 2022, the renowned password managing platform, LastPass (LP), where hundreds of thousands of crypto holders store their recovery phrase, suffered a data breach from an “unknown threat actor”. After this, many LP users scrambled to shift their recovery phrase out of their vault. Unfortunately, some users have claimed that their tokens have been stolen following the attack. One user claims that the LastPass breach drained $53k worth of Bitcoin from their wallet. Stories of such hacks and scams are rife in the current crypto landscape. So, what can you do about this to keep your funds safe?
Many hacks occur due to the theft of private keys, which is a secret numerical code that gives users access to their funds. When you create a Web3 wallet like Omni for example, you are given 12 words as your recovery phrase, which are the backups to your private keys. If anyone else gets access to your secret phrase, that person will be able to control the associated funds. Let’s explore how to secure your wallet and keep your private keys from getting in the hands of an unauthorized party.
Hardware for large amounts, software for small amounts
Hardware wallets are physical devices that securely store private keys offline via encryption. They are not vulnerable to cyberattacks. Protecting your private keys is crucial in ensuring the security of your crypto wallet. Although software wallets offer improved security compared to centralized exchanges, they are still vulnerable to malware and hacking attacks. With software wallet private keys being stored on the device, a hacker could gain access to the associated funds through phishing scams, malware, or social engineering tricks. To minimize the harm of such risks, store the bulk of your funds in a hardware wallet. Hardware wallets store your private key in an encrypted, offline environment, making it much more challenging for a hacker to access your funds. This is because assets stored in a hardware wallet cannot be transferred unless the device is physically connected to either a computer or mobile device, and the transaction is verified on both the hardware wallet and the connected device. For everyday transactions, you can maintain a smaller amount of funds in a software wallet to gain added convenience. This combination of hardware and software wallets provides a balance of security and ease of use.
Many software wallets (like Omni) also provide the service of integrating your hardware wallet to your software wallet. As such, you will be able to adventure Web3, including participating in DeFi activities like staking and lending, and buying NFTs with your hardware wallet.
Keep your recovery phrase safe
The method you use to store your recovery phrase matters. Going back to the Lastpass story, thousands of users stored their recovery phrases in an online vault. But, these vaults may not be full proof. So what are the best practices for storing your recovery phrase?
Never share your recovery phrase with anyone
Imposters can pose as reputable wallet providers and request your recovery phrase to gain control of your funds. They may even manipulate you through tactics like fake customer support requests. Always be cautious when sharing your recovery phrase. Remember, once you share it, you are giving the other person equal ownership of your funds.
Avoid saving your recovery phrase online, or if you must, encrypt it
Storing your recovery phrase in the cloud creates a potential vulnerability for hackers to access. Although many users are drawn to the convenience of cloud storage, it is not the most secure place to save your recovery phrase. Any gadget that is connected to the internet increases the risk of hacking. The best alternative is to keep your phrase entirely offline. Consider using a seed storage solution like the Safepal Cypher Seed Board or the Ledger Cryptosteel Capsule for added protection and peace of mind, as they offer protection from elements like fire, water, and corrosion. Some users might not think it's important to go to the extra trouble of keeping their recovery phrase offline if the quantity of money in their account isn't very large. If you do decide to keep your recovery phrase online, make careful to encrypt it first before saving it. By encrypting your recovery phrase, you may ensure that even if someone gains access to your online files without your permission, they won't be able to read the data.
Store split recovery phrase in three separate locations
You can also play some hide-and-seek with your recovery phrase to increase its security. Divide your phrase into three parts and hide each one in a different place. Make sure that you would need at least two out of the three parts to form your recovery phrase. With this method, even if one piece is lost or stolen, your full recovery phrase can still be reconstructed from the remaining parts. However, the stolen one alone will not be enough for the thief to get your full recovery phrase. The number of parts is up to you, but make sure to keep track of each one and divide the recovery phrase correctly.
Protect yourself from malicious dApps
Practice caution when connecting to dApps as the malicious ones may employ phishing scams or use malicious smart contracts and put your funds at risk. Scammers tend to impersonate popular dApps to trick unsuspecting victims, as evidenced by the $40M worth of assets that were stolen in an Instagram phishing attack targeting the Bored Ape Yacht Club NFTs.
In instances of such phishing attempts, scammers create a fake website or URL that looks similar to a popular dApp and convince users to enter their login details and private keys. To avoid this, always double check the URL of the dApp you want to use and only access it through trusted sources.
→ Omni users can use the Explore screen to directly access their favorite dApps so that they never enter the wrong website. Not only that, with the Explore screen, you also get access to the latest updates, recommendations of useful apps and tools, and native & liquid staking yields across all supported ecosystems!
Revoke smart contracts allowances
If you're a frequent user of decentralized applications (dApps), it's important to be mindful of the smart contract allowances you grant. Smart contract or token allowances give dApps access to move tokens in your wallet on your behalf. You can take steps to minimize the risk of giving dApps allowances by regularly revoking authorization to the smart contracts.
To revoke access, you can go to the 'Token approval checker' section of the block explorer for the network you're using and revoke access through the platforms.
There are also several websites that let you view and revoke smart contracts connected to your address:
Cointool (multiple networks)
Revoke (multiple networks)
Unrekt (multiple networks)
EverRevoke (multiple networks)
Stay alert and updated
Lastly, stay vigilant! Although the crypto industry is exciting and game-changing, it also evolves rapidly. At its current maturity stage, many scammers are on high alert to find a vulnerability. If you suspect a hack in your wallet, take these steps right away:
Quickly disconnect your wallet from the internet
Set up a new wallet on a completely different device
Transfer the seed phrase from the hacked wallet and move all assets to the new wallet
Ensure that you stay informed about the latest crypto news and updates. You can best do this by keeping up with large crypto media outlets like Coin Telegraph and The Block. You can also keep out an eye on the Omni Explore screen for latest news about in all supported ecosystems. If you hear about a hack on the platform you're using (think LastPass or the BAYC hack), act fast by moving your funds and following the steps above to secure them.