Protect Your Crypto Wallets With InfoSec - The Three-Tier Wallet System and Crypto-Hygiene

"Crypto-heists" are all over the news. In March, Arthur_0x, the founder of DeFiance Capital, had many NFTs and cryptocurrencies in his wallet to be stolen by mistakenly hitting phishing documents.

One month after, a Bored Ape holder lost NFTs worth $567,000 to a scammer after they were conned into trading valuable pieces for worthless PNGs in a fake swap transaction.  They were the latest in a series of high-profile cyber heists to hit the digital asset sector in recent years. Thus, securing your wallets is essential when protecting your digital assets against cyberattacks.

Let's combine them by using cybersecurity knowledge to strengthen your crypto-security! 🦾

Crypto Wallet & Public and Private Key 🔐 Pairs

Crypto wallets are fundamentally application software intended for holding and recovering crypto assets. Essentially, the crypto wallet acts as machine-readable proof of ownership of your crypto assets. Cryptocurrencies are never kept in a specific location or have a physical form. All we can find are the records of the transactions documented on the blockchain.

Public and private keys act as the basis of crypto wallets:

• 🔑 The public key is primarily your wallet address. You could share the public key so that others can make payments to your wallet. The public key can also allow others to withdraw funds from your account when authorized. The wallet address is, in fact, more like a compressed or hashed version of the public key. People could then view the public keys in the form of a wallet address.
• 🗝 The private key in a crypto wallet is the same as the password for your online banking account or the PIN for your ATM card. The private keys provide access to cryptocurrencies that belongs. Moreover, this private key is your digital identity to the cryptocurrency market, and anyone who gets hold of this can perform fraudulent transactions or steal your crypto coins.

Two Types of Wallets - Hot and Cold

Using hot and cold to describe a wallet is similar to what we call a hot site and a "cold site" with security. In short, "Hot" means online; "Cold" means offline.

1. Multi-Tier Wallet System

Cold Wallet is a great choice to store your private key, but it is not good enough. Although most people use the cold wallet as the main wallet, it is not as convenient as the hot wallet. Also, putting all your assets in one wallet creates a single point of failure. If someone gets access to the private key, they own you.

In cybersecurity, we have defense-in-depth (DiD). If we apply the same concept to the crypto world, the first thing is to make "segments" among their timeliness and risk. As a result, I will introduce a three-tier wallet system:

• Tier 1: Hot Wallet(s) (e.g. MetaMask, Brave Wallet)
• Tier 2: Warm Hardware Wallet(s) (Optional for collectors)
• Tier 3: Cold Hardware Wallet (Vault)

Tier 1: Hot Wallet MetaMask 🦊

Although I use MetaMask, you can have your own software wallet. The only rule is that you can execute most of your online activities with it. If you have multi-chain activities, you may own several hot wallets as your first-tier wallets. But remember, it is a wallet for all your day-to-day activities, including interacting with websites: buying, selling, and minting.

Despite all activities, ensure that the total value (USD, NFT) in MetaMask never exceeds what you can afford. Don't forget to move US dollars (or other stable coins) and NFTs when you have time. This is a wallet that assumes that you may lose everything.

Tier 3: Hardware Wallet (Vault)

Like the vault in a house to store all valuables, a third-tier wallet is a digital vault to keep your private key offline. The first-tier wallet is where you can afford to lose all, but a safe is where you keep all your crypto assets.

Tie to the first tier, and the third-tier wallet is where users:

• hold stable coins or USD,
• hold high-priced NFTs, and
• do nothing but receive/send assets from trusted wallets (i.e., your hot wallets)

For a higher level of security, it is recommended not to use the third-tier wallet to interact with public addresses. Instead, a hardware wallet Ledger would be a perfect choice. You may consider a 2-tier wallet system sufficient for beginners, assuming you do not have high-value crypto assets.

Tier 2: Hardware Wallets Between Hot & Cold

Some projects/websites require users to hold specific NFTs for minting, waiting for snapshots. For example, if you are an NFT collector, you do not want to keep high-priced NFTs in the first-tier hot wallet but also do not want to connect the third-layer vault wallet to the address, hence this second-tier wallet.

A warm wallet is a temporary vault with limited connectivity to the online platform. The rule of thumb limits access to trusted websites/projects only, and NFTs are still transferred to the vault wallet when idle.

Someone may argue a three-tier wallet system cannot protect you from signing a malicious contract authorization. I agree, but the point of a cold wallet is to protect you from the malware running on your devices, no matter it is your laptop or your mobile phone. 2.

2. Contract Interaction Needs To Be Cautious ✍️

Apart from a three-tier wallet system, the next thing you need to pay attention to is the smart contract. When using the first and second-tier wallets, it will interact with the project's smart contract, and authorization must be signed so that the platform can operate the tokens on its behalf.

For example, when OpenSea bids with WETH, the signed contract authorizes the platform to transfer the tokens. OpenSea is trustworthy, but investors should not trust all other sites innately; or, even better, distrust all the new platforms by default.

Fraudsters, scammers, and hackers know this very well. A seemingly ordinary contract may give hackers the right to move all crypto assets. The most common attack methods are malicious links shared in phishing, private messages, and emails.

Crypto-specific Phishing Attacks 🎣

The biggest threat of "crypto hack" is phishing. According to the Federal Trade Commission (FTC) Consumer Sentinel, from October 2020 through March 31, 2021, crypto-related scams skyrocketed to about 7,000 people reporting over $80 million in losses.

For most of us, if you have a crypto wallet, I am sure you see at least one phishing email/ message about freezing your wallet like the one below:

Zero Trust- Distrust and Verify

Like cybersecurity, reducing the attack surface is a continuous process; we can also adopt the Zero Trust mindset to interact with all crypto assets in the crypto era.

Scammers often apply high-pressure tactics to trick you into investing your assets quickly. For example, by promising bonuses or discounts if you participate in a limited time window. Take your time and do your own research before trading any NFTs or swapping your assets.

Moreover, crypto-scammers often use social media to boost their fraudulent schemes. For example, they may use unauthorized images of celebrities or high-profile business people (e.g., Elon Musk) to fake a sense of legitimacy or promise giveaways or free tokens. Thus, please maintain disbelief when seeing crypto opportunities promoted on social media and do your due diligence.

3. Security Tips For The Crypto Market - "Crypto Hygiene" 

We have something called "Cyber Hygiene" in cybersecurity, a collection of best practices that recommend users make habits to improve their security posture. Below are some "Crypto Hygiene" that should be kept in mind.

# Do Not Keep Your Mnemonic On Your Computer

Instead of dealing with a long string of characters, the wallet seed phrase, also known as a mnemonic phrase, comprises 12, 18, or 24 words that the wallet initially relies on to generate your private key. A user can then write down or memorize these words to quickly import or recover a wallet. On the contrary, if someone obtains the mnemonic of your wallet, they get complete control of your crypto assets in that wallet.

No matter typing or taking photos, malware lurking on an internet-connected device is digging for the passphrase. So, for example, if your computer is compromised, the malware will start looking for a mnemonic phrase in your device. Also, please don't keep the mnemonic of the hardware cold wallet on the computer; otherwise, it will only turn the cold wallet into a hot wallet.

# Use One Mnemonic Phrase For Each Wallet

Applying the three-tire wallet system, if, unfortunately, the second-tier wallet signs a malicious contract one day, only the second-tier wallet will be stolen. However, if you have a Ledger using the same mnemonic to create the second and third-tier wallets, hackers can simultaneously access the second and third-tier wallets.

Don't sign contracts with unknown sites found on Discord or other social media platforms to avoid mistakes. If you must sign, use a wallet that doesn't hold many crypto assets (i.e., only sign a contract with your hot wallets).

# Don't Use the Mobile Version of MetaMask

Your phone is usually connected to many random public WiFi, websites, and files; the attack surface is more extensive than your laptop or desktop. As a result, it will lead to wallet hacking.

Another reason is that the security controls on mobile devices are comparatively less effective, and thus, malware has a higher chance of success when targeting mobile wallets.

But if you think a mobile wallet is a must, I would suggest keeping your asset value in your mobile hot wallet as minimal as possible and, again, assuming that you may lose everything in the hot wallet.

# Use Revoke Authorization (Revoke) If Required

By the nature of blockchain, all transactions, including the malicious contracts, are still recorded on the blockchain. As a result, the user can check the once authorized agreement and revoke it.

Below are two sites that can revoke authorizations:

• https://revoke.cash/
• https://etherscan.io/tokenapprovalchecker

Once your wallet is connected to the platform, navigate to the Ethereum token standards tabs (including ERC-20, ERC721, and ERC-115) until you locate the token approval that wishes to revoke.

For each token on your wallet, you will be able to see the smart contracts that are approved to either access or submit transactions on your behalf. Finally, you can select the intended approval you want to cancel here.

# Avoid Airdrops If You Are Not Sure

All MintPass, snapshots, and airdrops are unsafe practices and may lose all your investment. According to Binance:

Some airdrop scams include asking you to send crypto to an unknown wallet address to unlock your free tokens in return. Legitimate airdrops will never ask for your funds or seed phrase. Be careful with airdrop emails or direct messages.

As most airdrops are from new tokens, it can be challenging to distinguish if it is legit or a scam. Thus, if you have doubt, avoid it. For extra security, you may consider setting up a new wallet and new email address reserved for receiving airdrops only.

Final Words - DYOR 🧐

If you are a frequent trader or NFT collector who owns high-value crypto assets, some rules mentioned in this article should become habits. As you all know, all crypto transactions are transparent in a blockchain - meaning that everyone can spot high-value wallets, including malicious adversaries.

Knowing different types of crypto wallets is essential for investing in cryptocurrencies. In addition, security is also occurring as a necessary concern for cryptocurrency investment after all the crypto heists in recent years.

The common variants of crypto wallets, hot wallets, and cold wallets, have their benefits and setbacks. Therefore, you need to find a suitable combination for dealing with crypto assets. Although it seemed useless, I would like to end my article with:

Do your own research before making any significant financial decision.

Reference:

NFT investor ycxc shared his precautions for investors who want to improve their security level.

Well-known NFTs Collector 6529 also gave several suggestions on Twitter.

---

Thank you for reading. May InfoSec be with you🖖.