With the recent news of Kevin Rose falling victim to a phishing attack, losing over 685 ETH ($1.1 million) of assets in the process, there's no better time than the present to look at some basic security practices that will help keep your crypto and NFTs safe.
Scammers are relentless, using everything from malware to social engineering to get their hands on other people's assets. And, as the FTX collapse showed, the threat is not always a scammer at all: in the end no one can protect your funds but you.
Let’s dive in to how you can avoid becoming a victim:
1. Use Centralized Exchanges as an on/off ramp only
Centralized Exchanges (CEXs) such as Coinbase, Binance and crypto.com all have their uses. Certainly, they’re the most convenient form of custody, but with that convenience comes a cost. “Not your keys, not your crypto” is the saying that was repeated endlessly during November 2022, as FTX imploded – taking billions of dollars of customer funds with it.
As the news spread that FTX was in trouble, more and more FTX users logged on to try and withdraw their crypto away from the platform. Most of these withdrawals were never executed, leaving users high and dry.
Coinbase and Binance, although looking stable, are not impervious to such an event. No exchange is, and so the simple solution is to use CEXs as on and off ramps only. This means using their platforms as a means to purchase/sell coins from/to fiat, and then shifting the assets away from the platform to your own self-custody wallet immediately.
Ideally, you should never have a large portion of your portfolio on a CEX for an extended period of time.
2. Use Cold Storage
Self-custody of your assets is a great responsibility that requires the highest level of care and attention. One of the most effective ways to reinforce it is to hold your keys on a cold storage device.
A cold storage device, or hardware wallet, keeps your private key on a separate piece of hardware that never hands the key to your computer. Every transaction has to be reviewed on the device's own screen and physically confirmed with a button press on the device. With a software wallet such as the MetaMask extension, by contrast, the key lives on your computer and a single click in the extension signs the transaction, so malware or a malicious extension on that machine can sign away the contents of your entire wallet. An attacker without physical access to the hardware device cannot do that.
With this said, a hardware wallet will not make you invincible. The seed phrase restores the key on any device, so anyone who obtains it controls your funds regardless of the hardware: keep it offline in a safe location. If you split it for safekeeping, be aware that simply writing the first half of the words in one place and the second half in another weakens each half (six known words leave far less to guess) and loses the wallet if either half goes missing; a proper secret-sharing split, such as SLIP-0039 shares, gives you pieces that reveal nothing on their own and tolerate the loss of one. And if you review and approve a malicious transaction on the device yourself, there is no protection from that.
3. Scams and Social Engineering
All day, every day, scammers are trying their luck with crypto and NFT holders to trick them into signing their assets away. It’s not a pleasant outlook to take, but the best thing you can do while navigating this space is to be paranoid that every unsolicited DM is an attempt to scam you. Speaking from experience, most are! So it’s not an unreasonable stance.
A popular method involves approaching you to trade for an asset you have advertised for sale. The scammer will always insist on setting up the trade themselves, because they want it to happen on a lookalike version of the trading site that they built. There, what you are asked to sign is not a swap at all but a signature or approval that lets the attacker transfer a large number of your tokens. Incidentally, this is how Kevin Rose got stung.
Scammers will also DM you on Discord claiming to be part of a project's team, or pose as the project itself advertising a flash mint or token sale. Again, these lead to wallet drainer contracts, and as a general rule project teams and moderators will almost never DM you first.
Just exercise some healthy paranoia, and you’ll be fine!
4. Use official links only
To follow on from the last point, only use the official links found in a project's social media bio and/or its Discord server.
Needless to say, clicking on unknown links from strangers in DMs is a recipe for disaster, but even Googling a project or a Web3 website can be dangerous. Scammers have been known to buy ads on Google and Twitter to promote fake versions of popular websites. The site's title and description look identical at first glance, but the domain will contain a subtle typo, an extra word, or a different top-level domain that gives away that it is not the official version.
Scammers use ads so that their site appears at the top of the results page, which lends it a false sense of trust. The best defence is to cross-reference the URL you are about to click against the official one from a trusted source, comparing the domain name itself rather than the page title.
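The cross-reference described above can be automated for the links you paste into a wallet or browser. The following is an added example, not code from the original post: it classifies a URL as official, a lookalike of an official domain, or unknown, using a constructed allowlist (in practice copy the official domains from the project's own bio or Discord) and constructed sample URLs. It catches subdomain tricks, brand names embedded in an unrelated domain, single-character typosquats and punycode (homoglyph) hosts.

```python
# Added example (not part of the original post): classify a link against an
# allowlist of official domains. OFFICIAL_DOMAINS and all sample URLs are constructed.
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"opensea.io", "etherscan.io", "uniswap.org"}  # constructed allowlist


def hostname(url: str) -> str:
    """Extract the lower-cased host. urlparse discards user-info, so
    'https://opensea.io@evil.com' correctly yields 'evil.com'."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, official=OFFICIAL_DOMAINS) -> str:
    host = hostname(url)
    # Exact match or a real subdomain of an official domain (app.uniswap.org).
    for dom in official:
        if host == dom or host.endswith("." + dom):
            return "official"
    # Punycode labels (xn--) are how homoglyph domains are encoded; treat as suspect.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # Registrable part: last two labels (fine for .io/.org/.com, not for co.uk-style TLDs).
    registrable = ".".join(host.split(".")[-2:])
    for dom in official:
        brand = dom.split(".")[0]
        # Brand embedded elsewhere in the host: opensea-io.com, opensea.io.verify-wallet.com
        if brand in host:
            return "lookalike"
        # One or two characters off: 0pensea.io, opensae.io, opensea.co
        if edit_distance(registrable, dom) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ["https://opensea.io/collection/x", "https://0pensea.io/claim",
                 "https://opensea.io.verify-wallet.com/", "https://example.com/"]:
        print(f"{classify_link(link):9s} {link}")
```

Treat "lookalike" as a hard stop and "unknown" as a prompt to go back to the project's bio and check; the only green light is "official".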
5. Use Protection Software
Malwarebytes is widely regarded as one of the best and most affordable antivirus products for your devices. There are others out there, but I've personally used this one for a year and it's done the job nicely. The $30 per year price tag is a small price to pay as well.
If you're an active trader or minter in the crypto and NFT space, there are a couple of options to give you extra peace of mind too. MintDefense, although not yet available to the public, has been protecting its users from malicious websites by flagging them as soon as you click through to them. The team is still working behind the scenes on improving the product for release, but this is certainly one to keep an eye on.
Another is Stelo, who reverse-engineered the signature that Kevin Rose signed before losing his assets. A big issue with signing requests is that, to the untrained eye, it is not immediately clear what is about to be executed. Stelo replaces the confusing, often complicated content that MetaMask shows with a bold visual representation of what you are about to sign.
“11/ We reverse-engineered the signature that @kevinrose signed and passed it through Stelo.” — Stelo – Keep your crypto safe (@stelolabs), January 26, 2023
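The "what am I actually about to sign?" problem in the Stelo paragraph, and the wallet drainer prompts from the social engineering section, come down to reading the raw calldata a site puts in front of you. Here is an added example (not Stelo's or MetaMask's code) that decodes the calldata of a pending transaction for the ERC-20/ERC-721 approval and transfer functions and turns it into a plain-language severity and warning. The function selectors are the well-known ones (first four bytes of keccak256 of the signature), hard-coded because the standard library has no keccak-256; the drainer and collection addresses and the sample calldata are constructed. Off-chain signature requests such as the typed-data order in the Kevin Rose case need the same scrutiny but are not decoded here.

```python
# Added example (not Stelo's or MetaMask's code): decode ERC-20/ERC-721 calldata
# into a warning. Selectors are the standard ones; addresses and sample data are constructed.

SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "42842e0e": ("safeTransferFrom", ["address", "address", "uint256"]),
}
UNLIMITED = (1 << 256) - 1  # uint256 max, the usual "infinite approval"


def decode_word(kind: str, word: str):
    """Decode one 32-byte ABI word (64 hex chars) of a static type."""
    if kind == "address":
        return "0x" + word[-40:]          # 20 bytes, right-aligned in the word
    if kind == "uint256":
        return int(word, 16)
    if kind == "bool":
        return int(word, 16) != 0
    raise ValueError(f"unsupported type {kind}")


def decode_calldata(data: str):
    """Return (function name, [args]) for a known selector, or None for anything else."""
    data = data.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, body = data[:8], data[8:]
    if selector not in SELECTORS:
        return None
    name, kinds = SELECTORS[selector]
    if len(body) < 64 * len(kinds):
        raise ValueError("calldata shorter than the ABI requires")
    args = [decode_word(k, body[i * 64:(i + 1) * 64]) for i, k in enumerate(kinds)]
    return name, args


def assess(tx: dict, trusted_operators=frozenset()):
    """tx = {'to': contract address, 'data': calldata}. Returns (severity, explanation)."""
    decoded = decode_calldata(tx["data"])
    if decoded is None:
        return "INFO", f"call to {tx['to']} with unrecognised selector {tx['data'][:10]}"
    name, args = decoded
    if name == "setApprovalForAll":
        if not args[1]:
            return "INFO", f"revokes operator rights of {args[0]} on {tx['to']}"
        sev = "LOW" if args[0] in trusted_operators else "HIGH"
        return sev, f"grants {args[0]} the right to move EVERY token you hold in {tx['to']}"
    if name == "approve":
        # For ERC-20 the uint256 is an amount; for ERC-721 it is a single token id.
        if args[1] == UNLIMITED:
            sev = "LOW" if args[0] in trusted_operators else "HIGH"
            return sev, f"lets {args[0]} spend an UNLIMITED amount of {tx['to']} on your behalf"
        return "MEDIUM", f"lets {args[0]} spend {args[1]} (amount or token id) of {tx['to']}"
    # transferFrom / safeTransferFrom: the asset moves as soon as the transaction is mined
    return "HIGH", f"{name} moves token/amount {args[2]} of {tx['to']} from {args[0]} to {args[1]}"


# --- constructed sample: the classic "flash mint" drainer prompt ---
def abi_address(addr: str) -> str:
    return addr[2:].lower().rjust(64, "0")


def abi_uint(n: int) -> str:
    return f"{n:064x}"


DRAINER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"     # constructed attacker address
COLLECTION = "0x1111111111111111111111111111111111111111"  # constructed NFT contract
SAMPLE_DRAIN_TX = {
    "to": COLLECTION,
    "data": "0xa22cb465" + abi_address(DRAINER) + abi_uint(1),  # setApprovalForAll(drainer, true)
}

if __name__ == "__main__":
    print(assess(SAMPLE_DRAIN_TX))
```

A "mint" button that produces a `setApprovalForAll(..., true)` or an unlimited `approve` to an address you have never heard of is the drainer pattern the text warns about: a genuine mint calls the project's own mint function and pays in ETH, it does not ask for operator rights over the tokens you already own.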
Those were five very simple ways to protect your digital assets.
Ultimately, erring on the side of caution beats rushing through due diligence, and the relatively small cost of a hardware wallet and protection software is insignificant compared with the potential cost of losing your prized assets.
This is a Contributor Post. Opinions expressed here are those of the Contributor. Influencive does not endorse or review brands mentioned; it does not and cannot investigate relationships with brands, products, and people mentioned, and it is up to the Contributor to disclose them. Contributors, amongst other accounts and articles, may be professional fee-based.