Securing yourself in the world of Web3

Kruger
8 min read · Jan 6, 2022

Blockchain/DLT technologies have paved the way for true financial freedom in ways never thought possible: they allow people to truly “own” their assets, such that no legislative, legal or corporate body can hamper your ability to access your capital. However, this is not without its own unique set of problems. As YOU own those assets, YOU are also responsible for securing them.

Crypto scams, phishing attacks and smart contract exploits have become increasingly prevalent over the past few years, and learning how to secure your funds in a way that fits your use case is extremely important.

In this article we will explore how to secure your funds in two primary forms:

  1. Hardware Wallets
  2. Cold Storage

We will also cover best practices for storing funds in “hot wallets” such as MetaMask.

What on earth are PUBLIC & PRIVATE keys?

To start, it is important to understand a little about how the blockchain actually works in terms of WHERE your funds are stored and HOW they are accessed. This next part is very high level and will not go into the more technical details, but it should give you a brief overview. For this we will be discussing Ethereum-based blockchains, such as the Ethereum Mainnet, Polygon (MATIC), Fantom and Binance Smart Chain (BSC).

You may have heard the terms “public key” and “private key” quite a lot. These TWO values are, respectively, where your funds are located in the blockchain ledger and the “password” used to access them. You will often hear people ask for your address when performing transactions: your PUBLIC KEY IS YOUR ADDRESS.

Now, the private key is like your password (technically it is more than that, but functionally you can think of it as one).

The only difference is that if people have your PRIVATE KEY, they do NOT need your PUBLIC KEY (ADDRESS) to access your funds. The private key gives access to and control of everything held within the PUBLIC KEY (ADDRESS), including signing transactions and sending tokens, funds, NFTs etc.

Due to this, it is extremely important to protect, hide and securely store your PRIVATE KEY as much as possible, depending on your risk profile.

For those that want some more technical information on keypair cryptography, this is an excellent article:

https://www.bitpanda.com/academy/en/lessons/what-are-public-keys-private-keys-and-wallet-addresses/

Your Wallet

Your wallet is the interface that stores your PRIVATE KEY, and allows you to interact with the blockchain. It is often the primary thing hackers abuse to obtain your private key and therefore your funds.

A common example of a wallet is MetaMask, which sits in your browser and allows for easy access to Web3 applications.

MetaMask is often referred to as a “Hot Wallet”, which means it is always able to connect to the blockchain at any moment, and the only barrier to it doing so is your password. If the wallet is already unlocked, then malware on your PC may be able to interact with it directly and completely drain your wallet.

For this reason, it is incredibly important to spread your risk and to keep the funds you do not need immediate access to in things like MultiSig contracts or cold wallets.

What is a cold wallet / hardware wallet?

A cold wallet is any storage device that contains your private key but cannot access the blockchain without its contents being re-added to a system that can. Examples of a cold wallet include:

  • Ledger Nano S (this is a hardware wallet that provides extra functionality for ease of access compared to the other wallet options below, but is slightly less secure. I do not advise using the X for the very security conscious, but it is still technically a cold wallet)
  • Ledger Capsule / CryptoSteel (I advise writing your PUBLIC KEY on a small piece of paper and putting it inside these capsules for ease of reference)
  • A piece of paper with your private key written on it (when you want to make transactions, open a VM, install MetaMask and restore the wallet using MetaMask's restore wallet function, entering the key words you wrote down, then make your transactions. Once you close the VM, the MetaMask information is no longer stored, and your funds are once again secure)

These all provide a way for you to securely store your private key without being able to directly access the funds within, and therefore neither can a hacker.

These wallets can STILL RECEIVE FUNDS at their respective PUBLIC KEY (ADDRESS), even though they are not “connected” like a hot wallet. This gives you a secure place to receive funds while not being able to directly access them unless you re-add the private key to a wallet yourself.

Mobile Wallets

If you are on iOS, I highly recommend Rainbow Wallet. Due to the walled-garden nature of Apple products, your funds are often more secure in an iOS wallet than on a Windows computer, if cold wallets seem too difficult. Though I will ALWAYS recommend that any account with over $50,000 in assets store them in cold storage of some kind, or split your funds between cold, hot, mobile etc. The more splits you have, the more you can mitigate various attack vectors. But make sure you manage this appropriately.

Scams

Now, scams are becoming extremely common in our industry, and learning what is a scam and what isn't is a skill that is very easy to develop. Scammers will play on your emotions: they will have sob stories, they will be very friendly, they will ask questions about you. This is all part of their tactics.

Scams can range in complexity from incredibly stupid things such as directly asking you for your private key, to elaborate relationships that they will attempt to develop over several weeks in order to extract keys, funds, and INFORMATION.

Most hacking is less about technical literacy and more about social engineering. They will try to find out where you are from, your name, what your job is, your hobbies etc. This is where it gets rather difficult to determine whether an individual is friend or foe.

Common things to look out for (this is long, but please do read it):

  • If they send you files (.zip files, .rar files etc.), do not download them. If they say the files contain images, tell them to upload the images to Imgur and send you the Imgur link, then verify that the link is real and carefully check the domain name.
  • If someone contacts you, thoroughly vet them in any way you can. For instance, if someone appears to be impersonating another person, contact that person through the contact information publicly posted on their social media to ensure the account is real.
  • If “companies” contact you from an @gmail, @outlook or other public email provider, 95% of the time they will be scammers.
  • If you can't find anything on them publicly, it is advised not to engage with them.
  • Don't sign any random transaction you receive. If you receive a “free” NFT and your MetaMask pops up asking you to sign a transaction, DO NOT SIGN IT, and DO NOT ATTEMPT TO TRANSFER IT. The transfer function in that NFT contract will likely attempt to drain your entire wallet.
  • Look at their profile picture. If it is a picture of a person, use Yandex reverse image search to find any other places it may have been posted. Also, many of these are AI-generated people; see this link for some generated examples, study them and find the common traits in the AI-generated faces so you can evaluate them yourself.
  • If you receive emails asking you to resync your wallet with Foundation, OpenSea etc., never do it. Always use the OFFICIAL LINKS ONLY, and follow their social media to ensure you receive the correct news direct from the source.
  • If someone asks you to send THEM money in order to pay YOU, it is 100% a scam, every single time. Do not listen to their sob stories. Report and block.
  • If someone contacts you for a commission and you are able to see they have a public profile, thoroughly check their account: see when they posted, whether they have any human engagement on their posts etc. Scammers often have either brand new accounts, or an old account that stopped posting (or never posted in the first place) several years ago and recently began posting again.
  • If you do receive a file you think is legitimate, check that the filename ACTUALLY ends with the file type shown and is not really a .psd.exe or .psd.bat. The final extension is ALWAYS the type of file the computer will run it as. If everything seems OK from that point, it is always a good idea to upload it to VirusTotal. However, DO NOT OPEN THE FILE ON YOUR COMPUTER; you can download it in order to upload it, but DO NOT OPEN IT. VirusTotal is not infallible, but it provides a very good baseline, as it checks the same file against multiple antivirus engines. If VirusTotal comes back clear, then it is very likely that the file is legitimate.
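The extension check from the last point, written out as an added example (my own illustration, not code from the original post): it takes a filename and the type the sender claimed, decides using only the last extension, which is the one the operating system acts on, and flags executable and double extensions. It goes a little beyond the post by also flagging Unicode bidi control characters, which can make a displayed filename differ from the real one, and by hashing the file bytes so the file can be searched for on VirusTotal by hash instead of being opened; the list of executable extensions is an assumption and not exhaustive.

```python
import hashlib
import os
from typing import Dict, List

# Extensions Windows will run or script-execute directly (assumed list, not exhaustive).
EXECUTABLE_EXTS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi", ".hta", ".lnk",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1",
}
# Unicode bidi control characters; the right-to-left override (U+202E) can make
# "photo<U+202E>gpj.exe" display as "photoexe.jpg" while the OS still sees .exe.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def split_extensions(filename: str) -> List[str]:
    """All dot-suffixes of the basename, lowercased: 'a.psd.exe' -> ['.psd', '.exe']."""
    base = os.path.basename(filename.strip())
    return ["." + p.lower() for p in base.split(".")[1:] if p]


def check_attachment(filename: str, claimed_type: str) -> Dict[str, object]:
    """Compare an attachment's real extension with the type the sender claimed.
    Only the LAST extension counts: it is the one the operating system acts on."""
    claimed = "." + claimed_type.lower().lstrip(".")
    exts = split_extensions(filename)
    effective = exts[-1] if exts else ""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        reasons.append("filename contains bidi control characters; displayed name is not trustworthy")
    if effective in EXECUTABLE_EXTS:
        reasons.append("effective extension %s is executable" % effective)
    if len(exts) > 1 and claimed in exts[:-1]:
        reasons.append("double extension: looks like %s but runs as %s" % (claimed, effective))
    elif effective != claimed:
        reasons.append("extension %s does not match claimed %s" % (effective or "(none)", claimed))
    return {
        "effective_extension": effective,
        "executable": effective in EXECUTABLE_EXTS,
        "safe_to_proceed": not reasons,
        "reasons": reasons,
    }


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw file bytes; this hash can be searched on VirusTotal without opening the file."""
    return hashlib.sha256(data).hexdigest()
```

Calling `check_attachment("concept_art.psd.exe", "psd")` reports the effective extension as `.exe`, executable, with both the executable and double-extension reasons, while `check_attachment("concept_art.psd", "psd")` is clean.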

This list does not cover every scam vector out there, but it covers most of the common scams and hacking attempts. It is important to be vigilant and check suspicious files, even those sent by your friends: in some more advanced attacks, attackers may have compromised the Discord account of one of your friends in order to send you a malicious file.

This seems like a lot in text form, but in reality it is not. Just be vigilant, look out for the signs, and if you feel something is off, trust your gut and follow these steps, or feel free to contact me below and I will do my best to help.

Scammers are a blight on our entire industry, and if there's anything we can do to foil attempts by these utter reprobates, my team and I will do our utmost to help where we can.

Just remember, always stay vigilant!


Kruger

CTO @ CODETICS : https://codetics.co/ — Ex fintech/AI developer — Director of ACROPOLIS: https://discord.gg/acropolisgame/