As more nontechnical people enter the NFT and cryptocurrency world, we’re going to see more and more wallets being compromised and thefts occurring. We are in the wild-west-1849-gold-rush phase of NFTs and unfortunately the scammers and swindlers are around every corner. But doing a few things can dramatically improve your odds of staying safe in this new world.
Here are the links if you’re returning to this post to find the URLs to purchase a Ledger hardware wallet or a Cryptotag titanium plate to record your seed phrase securely; please kindly note both are affiliate links and help support me and the time it took to write this blog. If you’re reading this for the first time, keep going to see why these things are important!
This post is designed to give the lay person and quasi technical person strategies and tips around NFT security and securing their crypto wallets. If you are technical and wish to provide more context or amendments, please DM me on Twitter at @niftypins. However, I believe that this post will help the average user instantly reduce their risk posture when it comes to storing cryptocurrency and NFTs.
I would consider myself a quasi-technical person—while I cannot code or administer servers, I have been in the high-tech world as a project manager and marketer for the better part of a decade. It was through this experience that I’ve learned a lot of these concepts and have created this guide.
This post is designed in a good, better, best format—depending where you are on your NFT/crypto journey, you may want to choose things kind of a la carte. Regardless, doing this should be able to help you gain a little more security.
The NFT Security Basics
If you’re new to this space, there are some basic commandments that you should always follow:
- Never store your wallet’s seed phrase digitally. This means not taking a digital photo of it and storing it on your hard drive, not recording it to a word file and saving to your desktop and not even storing it on a password keychain application. If someone gets your seed phrase, your wallet is completely compromised. Not storing your seed phrase digitally presents a host of challenges, which I will address later on in the post.
- Never ever, EVER give your seed phrase to anyone online. This is one of the most common hacks—a person goes to Twitter saying that they are having problems with their wallet. Suddenly, a “customer support representative” will reach out to you and either ask you for the seed phrase outright, or “troubleshoot” the issue for you where you invest a bunch of time before they request the seed phrase. Don’t ever give it to anyone.
- Always purchase hardware wallets from the original manufacturer’s site. Don’t ever buy a hardware wallet from a marketplace, like Amazon or Ebay, as the seed phrase could be compromised.
- Use “trustless” systems for trading. A common scam is for someone to propose a trade with you but request that you send your asset first. Avoid this if you don’t know the other party and use trustless systems like NFTtrader.io or sudoswap.xyz, which escrow the items and only release them once both people have submitted theirs.
- Never click or connect your wallet to a private DM attempting to give you something free. This is a super common scam where a person tries to impersonate a popular project (such as Crypto Punks) and offers a giveaway. They take you to a site that looks familiar, maybe swapping out a .com with a .io and after you connect they drain your wallet. This con has affected n00bs and OGs alike. This Twitter thread from @stazie is sobering to read through.
- Never download and open random zip files. This is just good practice in general, but it is even more dangerous if you use a wallet stored in your browser. A well written Trojan horse virus has the potential to wreak havoc on the crypto wallet stored there—this is the hack that happened to prominent NFT artist fvckrender.
- Do not connect to public wi-fi to do NFT/crypto transactions without a Virtual Private Network (VPN). You probably shouldn’t be doing this anyway, but especially if you are using a browser-based wallet (more on that later) because a malicious actor could compromise your system and drain your wallet.
These are some of the basic things that all NFT collectors should be aware of, especially if you are new to the game. Adhering to these basic tenets will most likely secure you starting out, but as you quickly grow your collection or begin investing real money, you are most likely going to want to put better measures in place.
Browser-based wallets are usually an extension to an Internet browser. One of the most popular wallets is MetaMask, and recently Rainbow has become a popular option for iOS devices. When setting up a browser-based wallet, you will be given a seed phrase for the wallet that will generate your private keys. At the time of writing, MetaMask used a 12 word seed phrase based on the BIP 39 word list. This seed phrase gives complete access to a user’s wallet (and the contents inside it); keeping this phrase secure is discussed further below.
After setting up the wallet, you will be able to create a password to access it inside your browser. This password is independent of your seed phrase—think of it like the password that is used to lock your computer when the screen saver comes up. That password only “wakes up” your computer, but doesn’t give you access to your email. The MetaMask password is akin to that, allowing you to easily connect to your wallet without having to type in a cumbersome seed phrase every time.
With browser-based wallets, such as MetaMask, your keys are stored inside your own browser. This provides a pretty lightweight experience for users to connect and purchase NFTs: simply connect a wallet and you are able to instantly buy NFTs and transfer tokens with a few clicks. However, it does put you at risk on public wi-fi, or even on a private network if your machine is compromised. If a bad actor gets access to your machine while you’re logged into your browser-based wallet, that individual can drain your account.
One interesting development beyond the plain browser-based wallet is the multisig wallet, such as Argent or Gnosis Safe. Essentially, you can delegate certain responsibilities to entities that they dub “guardians”, who have to countersign transactions. The countersigned actions can include authorizing transactions, recovering a wallet or even locking a wallet. A guardian can be a separate MetaMask or hardware wallet that you control, or even a wallet of a friend/family member. And the owner of the Argent wallet has the ability to designate or remove a guardian at any time. This has created a paradigm of “social recovery” and is something that Ethereum founder Vitalik Buterin supports and wrote about on his blog.
Full disclosure: I do not have any personal experience with this kind of wallet and only recently learned about it from @emrecolako and @0xyay. So I cannot provide a firsthand account. However, if the founder of Ethereum is bullish on it as a way to help protect your assets, I would be foolish not to include it in an article about security.
The next level of security then is a hardware wallet. Essentially, a hardware wallet is a form of two-factor authentication. Not only do you need to have access to the particular Ethereum wallet, all transactions have to be confirmed on a hardware device. The keys to your wallet are stored on a hardware device that must be connected to a computer and all transactions have to be authenticated by clicking buttons on that hardware device. This essentially makes it harder for someone online to compromise your wallet.
The leaders in this space are Trezor and Ledger; I am partial to Ledger and have both a Nano S and Nano X wallet (disclosure: the link on Ledger is actually an affiliate link and I get compensated if you make a purchase). And remember Basic Rule #3: only purchase your hardware wallet directly from the manufacturer.
As opposed to MetaMask, Ledger has a 24-word seed phrase to generate the private keys for the wallets stored there. Ledger also supports an array of cryptocurrencies beyond Ethereum, including Bitcoin, Doge and Tezos, so it is a way to secure a number of different cryptos.
But in order to use Ledger, you have to connect it to a gateway—MetaMask works well in this instance. You can easily connect the device by going through some prompts inside that browser extension. And because it is only facilitating a connection to the Ledger device, MetaMask doesn’t have persistent knowledge of that device—in other words, re-seeding a MetaMask wallet on another browser (i.e. typing in the seed phrase of your MetaMask wallet on a separate computer to bring in all your accounts there) will not automatically bring over your Ledger wallet.
Ledger tends to work best with the MetaMask/Firefox combo—on Google Chrome you now have to open up a socket in order to make Ledger work, which is just a little cumbersome. Because you have to approve every transaction/signature by clicking on your physical Ledger device, it can slow you down during an NFT mint that looks to sell out fast. That is the tradeoff with the hardware wallet: the security does cost a little bit of speed.
It is worth speaking about the one thing that a hardware wallet does not protect against: malicious contracts. This goes back to the fifth point in the Basics section: if you choose to connect to a contract that can exploit your wallet, a hardware wallet will provide little protection after you click to sign that transaction. That is where you must be wary of what you connect to.
Keeping Your Seed Phrase Secure
Whether you use a browser-based wallet or a hardware wallet, one thing that you have to keep secure is the seed phrase that generates your wallet’s keys. In the crypto world, there are no usernames and passwords; there are just wallets and keys. And there’s no magical “recover seed phrase” button! So you have to make sure that you keep your seed phrase safe and sound.
Now’s a good time to remind you of two of our basic rules:
- Never store your wallet’s seed phrase digitally.
- Never ever, EVER give your seed phrase to anyone online.
In today’s world where we take photos, use the notes app or a password storage system like LastPass, it becomes quite tricky to store your seed phrase in an analogue style! But it is imperative that you do so, because if any of those digital storage systems is compromised, even once, and a bad actor gets your seed phrase, they will have access to your wallet. In crypto, there is no option to “reset your seed phrase” like you can reset your password. The seed phrase is permanently tied to the keys of your wallet address, for better or worse.
So don’t ever do something like @kryptokixs jokingly did below:
So, what are you to do? Here are the options, from least secure to most secure—choose your own adventure depending on where you are:
Write your seed phrase down on a piece of paper and stuff it somewhere. This is where we all start out, and it is fine if you don’t have a ton of assets. But if that paper goes missing or gets caught in a fire, you’re totally hosed.
Write your seed phrase down on multiple pieces of paper. This helps provide some redundancy to issues of getting lost or destroyed, but having your seed phrase in multiple places means that if someone gets even one of those papers, they have access to your wallet (assuming they know your wallet address).
Use a RAID 0 technique and stripe your wallet’s seed phrase across three sheets of paper. RAID 0 is an IT data storage technique of striping information across three different hard drives. While this is primarily used for hard drive performance in the IT world, you can apply this striping technique to achieve security for your crypto wallet seed phrase. Striping allows you to spread your seed phrase out across multiple locations without having the complete phrase in any one location. If you stripe across three different pieces of paper, you’d have to have two of the three in order to reconstruct your seed phrase. Let’s look at an example of how you could stripe the phrase “I Do Not Like Green Eggs And Ham”:
| Paper 1 | Paper 2 | Paper 3 |
|---|---|---|
So, in this example none of the sheets of paper have that complete phrase. Instead, you have to have two sheets of paper together to construct that phrase. This provides two major benefits:
- A thief who acquires one of the sheets of paper does not learn your entire seed phrase.
- Disaster recovery in the event of theft/fire/misplacement of one of the sheets of paper.
In my opinion, this is where most newbies should start as it pertains to securing either their MetaMask and/or Ledger seed phrases. It is cheap (only paper) and you are able to gain a tremendous amount of security and peace of mind. You can create multiple cards and spread them out geographically to friends/family along with placing some in secure locations (like a safe or a safety deposit box at a bank). Just make sure that no two of the people holding cards know who else has one, otherwise they could combine cards and construct your seed phrase! And to make this easier for you, I have created a file that can let you easily “stripe” your seed phrase—click here to download it!
Getting away from paper and using Titanium! One of the biggest risks as it pertains to the aforementioned ways of recording your seed phrase is the medium. Paper is not very tolerant to fire or water and can degrade over time. The answer to that is TITANIUM! There are a number of options out there, but for my money I like CryptoTag.io (this is also an affiliate link by the way). They have a great starter kit that allows you to punch four-digit numbers that correspond to the BIP 39 numeric value for each word of your seed phrase.
While Titanium is more resistant to the elements, you still may want to have redundancy and disaster recovery. You can follow the same path I laid out with paper, but this time using these titanium plates: a single plate with all seed phrase words, multiple plates each with all seed phrase words, or multiple plates striped in a RAID 0 fashion. Again, that level of protection is up to you.
Test Your Recovery Plan
One of the best adages in IT is, “don’t wait for a disaster to test your disaster recovery plan.” As you embark on your crypto/NFT adventure, it’s imperative that you know how to recover/restore a wallet from a seed phrase. And the best time to do this is before you have a ton of assets inside your wallet!
I would advise doing this by putting a trace amount of Ethereum (like maybe 0.0001 ETH) in a wallet. Have your seed phrase recorded for your browser-based or hardware wallet (in any of the aforementioned ways), then delete your wallet from the browser or restore your hardware wallet from factory settings.
Then go through the process of reconstituting the wallet from that seed phrase and see if you can do it. This is particularly important if you have “striped” your seed phrase in that RAID 0 fashion. I would highly suggest restoring from the three different card combinations to make sure that all the information is marked correctly. There are three combos in total: Cards 1/2, Cards 1/3 and Cards 2/3.
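The striping scheme from the RAID 0 section and the three-combination restore test just described, as an added Python example (it is not the post’s downloadable file or any wallet’s code): each word is written on exactly two of three cards, so no single card holds the whole phrase and any pair rebuilds it, and `verify_all_pairs` runs the Cards 1/2, 1/3 and 2/3 check. The card layout and the helper names are my own assumptions; the sample phrase is the post’s “I Do Not Like Green Eggs And Ham”, not a real seed, and the same code handles a 12- or 24-word phrase.

```python
"""Added example (not the post's download file): 2-of-3 "striping" of a seed
phrase across three cards.  Every word is written on exactly two cards, so no
single card carries the whole phrase, yet any two cards rebuild it."""
from itertools import combinations

# The post's illustration phrase, NOT a real seed (real seeds have 12/24 words).
EXAMPLE = "I Do Not Like Green Eggs And Ham".split()

def stripe(words):
    """Word at 1-based position p is left off card (p mod 3) and written, with
    its position, on the other two.  Each card also records the word count."""
    n = len(words)
    cards = [{"total": n, "words": []} for _ in range(3)]
    for pos, word in enumerate(words, start=1):
        skip = pos % 3                       # the one card that does NOT get it
        for c in range(3):
            if c != skip:
                cards[c]["words"].append((pos, word))
    return cards

def reconstruct(card_a, card_b):
    """Merge any two cards into the ordered phrase; raise if a position is
    missing (same card used twice, or a word that was never copied)."""
    n = card_a["total"]
    merged = dict(card_a["words"])
    merged.update(card_b["words"])
    missing = [p for p in range(1, n + 1) if p not in merged]
    if missing:
        raise ValueError(f"cannot reconstruct: missing positions {missing}")
    return [merged[p] for p in range(1, n + 1)]

def holds_full_phrase(card):
    """True if one card alone already leaks the whole phrase (it must not)."""
    return len(card["words"]) == card["total"]

def verify_all_pairs(words):
    """The post's recovery test: cards 1/2, 1/3 and 2/3 must each restore the
    phrase exactly, and no single card may hold all of it."""
    cards = stripe(words)
    if any(holds_full_phrase(c) for c in cards):
        return False
    return all(reconstruct(cards[a], cards[b]) == list(words)
               for a, b in combinations(range(3), 2))

# Caveat: one card still reveals about two-thirds of the words (16 of 24), so
# this is a layout for redundancy, not encryption; keep the card holders apart.
if __name__ == "__main__":
    for i, card in enumerate(stripe(EXAMPLE), start=1):
        print(f"Paper {i}:", [w for _, w in card["words"]])
    print("all pairs restore:", verify_all_pairs(EXAMPLE))
```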
Scratching the Surface of Security
While I feel that this list is a good primer, there are always other things that can be discussed when it comes to online security. I have seen conversations about holding your most valuable assets in a wallet that is rarely connected to the internet at all, and about moving valuable assets to a completely separate wallet from the one that you use for day-to-day minting/transactions (this should help protect those assets from those Trojan horse kinds of contracts), and even about hiring Sly Stallone and Arnold to stand watch over your wallet (joking on the last one).
There are also most certainly security topics that I am not even aware of at the moment. Folks are always welcome to drop me a line on Twitter at @niftypins to let me know other things that I should include.
However, even though we have just scratched the surface on security, I’m hopeful that this post is helpful and can mitigate some of the more common wallet security issues. If you like it, I’d love it if you could give this article a retweet and me a follow @niftypins on Twitter!