Crypto security basics: Staying safe in Web3
We walk you through some best practices to protect your crypto assets and personal details while participating in the world of Web3.
By Marc de Miguel
Geoffrey Lyons also contributed to this article.
One of the reasons people can be reluctant to engage with crypto is a lack of basic education around how to keep their holdings and personal information secure.
Web3 is a new and fast-growing space. To the newbie, it can be very daunting indeed.
This hesitancy is partly well-founded: there is a level of personal responsibility required on the part of anyone who wishes to transact cryptocurrencies and NFTs. And as we all know, there are bad actors who seek to exploit the unwary.
The good news is there are many precautions you can take to minimize risks.
This article details some of the crypto security best practices recommended to help stay safe in the budding world of Web3.
Please note that risks are ever-evolving, so you should do your best to stay apprised of new best practices.
Secure your wallet
Your wallet is the most important component of your entire crypto journey. With a non-custodial wallet, your private keys give you access to your assets and your public keys allow you to interact with other wallets in the crypto ecosystem. Since losing access to your wallet is game over, safeguarding it should be your number one priority.
For introductory reading on choosing a crypto wallet, see our article How to choose a crypto wallet
Here are a few tips to help you secure your wallet:
1) Never EVER share your seed phrase
A seed phrase, or recovery phrase, is a string of 12-24 random words generated by your wallet that give you full access to all of your holdings. Because it provides complete access, there is absolutely no possible reason for you to ever be required to share it.
Pro tip: Always keep a physical copy of your seed phrase, and avoid storing it in online media and cloud services.
2) Invest in a hardware wallet
Hardware wallets, also known as “cold storage”, are secure hardware devices on which you can store your assets, thus adding an extra layer of security to your portfolio. Always execute transactions using a hardware wallet, as this will protect you from most online attacks.
Below are some of the most commonly used hardware wallets. Be sure to do your due diligence when finding a hardware wallet that works best for you!
3) Diversify your wallets
It’s important to always remember that lost private keys are unrecoverable. It’s therefore generally safe practice to avoid having all your eggs in one basket, since losing access to your only wallet would mean losing all your holdings.
Always diversify and use multiple hardware wallets to hold your most valuable assets.
4) Keep control of apps and smart contracts with access to your wallet
Use services like Etherscan's Token Approval to check which smart contracts have permissions over your wallets and remove any unnecessary or unknown applications.
To learn more about Etherscan, see our article What is Etherscan and how do you use it?
5) Avoid unknown tokens
You should never interact with airdrops of unknown tokens that appear in your wallet. Some scammers will use this tactic to get you to buy more in a scam that’s known as a “rug pull”, where the project’s developer disappears with all the money and you’re left with worthless cryptocurrency.
Tokens can also be used to lure you into shady websites that should be avoided at all costs–they’re designed to drain your wallet.
Do your own research
There’s a reason why “DYOR” is such a common refrain in crypto communities. Too many people have fallen victim to scams, rugpulls, and FOMO spread by influencers or big accounts.
Be sure to do thorough research before investing and only invest in projects that you truly believe in.
Guard your personal information
It’s one thing when your crypto assets are at risk but quite another when it’s your identity. Guarding your personal information is imperative to ensuring a single leak or breach doesn’t result in identity theft.
The best way to guard your personal information is to use common sense: never, under any circumstances, share personal details with strangers or on social networking sites. In general, you should also avoid transactions on public networks that might attract attention from bad actors.
Practice good password hygiene
Good password hygiene is one of the most important factors to ensuring your crypto assets and personal information remain secure. In these early days of Web3, bad actors are eagerly waiting in the wings for an opportunity to exploit easy-to-crack passwords.
There are a number of ways you can practice good password hygiene:
1) Use long and complex passwords
When possible, use long passwords. The longer and more complicated your passwords, the more difficult it is for bad actors to hack into your account. Google recommends making passwords at least 12 characters long.
2) Never reuse passwords
Reusing passwords is one of the most dangerous practices. If you do this, then a single leaked password can lead to multiple separate security incidents on different platforms.
Simply coming up with different passwords for each new account will save you a ton of headache in the future.
Pro tip: Besides ensuring that you don’t reuse any passwords, you should also check sites like www.haveibeenpwned.com to see if your email or phone have already been involved in a data breach.
3) Always enable two-factor authentication
Two-factor authentication (2FA) is a way to strengthen security by requiring two separate methods to verify a user’s identity. You should avoid using SMS-based 2FA as telecom companies are a well-known attack vector.
Instead, use Google Authenticator or other reputable 2FA apps to store your credentials.
4) Use a password manager
Avoid the hassle of remembering different passwords by storing them in a password manager. This will also incentivize you to create more complex, i.e. stronger, passwords.
Be cautious when browsing the web
Although we’re no longer in the wild west of the mid-90s when viruses were a bigger threat, you should always be careful when you’re on the web.
Here are some precautions that you should take each time you open your browser:
1) Never download files sent from strangers
While this may seem obvious, files and harmful links are commonly used in the sort of phishing scams that are prevalent in the budding Web3 space. You need to use the utmost caution here and avoid downloading files from people you don’t know.
2) Know what you’re clicking in Google
Always be mindful of Google search results: the first results are usually ads and might lead you to a fake site. After searching a keyword, make sure you thoroughly browse the results before clicking a link and being redirected to an external webpage.
3) Be wary of social media direct messages
This, again, is a popular method for phishing attacks. Always be mindful of DMs on social networking sites like Twitter and Instagram. If something seems too good to be true, it’s probably a scam.
Pro tip: Apply this same reasoning to texts, emails, and any other online communication systems.
4) Remove unnecessary chrome extensions
When it comes to Chrome extensions, you should only install those that are reliable and well known and remove all the others, as these browser add-ons can be yet another tool for scammers.
In March 2020, for example, a fake Chrome extension for Ledger asked users to enter their 24-word recover phrase, resulting in up to $2.5M in stolen XRP.
Watch out for fake NFT collections
When browsing NFT collections, always use verified or reputable links and never trust projects that look strikingly similar, or even identical to, trusted collections.
While NFT marketplace OpenSea is rolling out features that will help screen for fraudulent NFTs, you should still do your due diligence before purchasing an NFT.
Pro tip: Check out SolSea’s brief tutorial on how to spot a fake NFT.
Don’t respond to unsolicited DMs
Do not reply to unsolicited DMs and if they contain links, don’t click them.
Also, bear in mind that owners of crypto projects will never reach out to you via direct message, so if someone in your DMs claims to be running a project then it’s almost certainly a scam. These owners will typically only communicate through official channels.
Pro tip: Should you choose to engage in peer-to-peer trades, unsolicited or not, always use escrow services or private offers if the marketplace has this option.
Spotting and avoiding crypto scams
Crypto is revolutionizing the way that value is exchanged, but its rapid growth has also created opportunities for malicious actors.
Read our article How to spot and avoid crypto scams to learn all about the most common scams and how to spot them.