How can you avoid having your private keys hacked? A practical guide (2024)

Millions of dollars are being stolen daily due to private key mismanagement. How do private keys work? What measures should you take to avoid getting hacked and having your wallet drained?

As you may already know, the security of the most used wallets nowadays relies on private keys. A private key is a string of alphanumeric characters that protects the assets in your wallet. If you lose it or it gets stolen, your coins are gone.

When we configure a wallet for the first time, we are usually given 12 or 24 words to store safely; this is called a seed phrase. This list of words, which should be saved securely and in order, lets your wallet recreate the private key. It's easier to back up than a private key.

It's very important to store this seed phrase securely: never send it by email, WhatsApp or Telegram, do NOT take a photograph of it, and do not save it on a computer, mobile device or password manager. Just copy it onto 2 pieces of paper and store them in different secure places.

So, we have a seed phrase, which is used to generate the master private key, and with that master private key we can create N pairs of private and public keys. Each public key is then converted to an address. That's why we can have many accounts under the same seed.
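Added example (not part of the original article): the first two steps of this chain in Python, assuming the wallet follows the BIP-39 and BIP-32 standards, which the article does not name. It shows that the words alone, in their exact order, determine the master private key; `fingerprint` is a helper introduced here for comparison.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: the public BIP-39 test-vector mnemonic.
# Never paste a real seed phrase into a script.
SAMPLE_WORDS = ("abandon " * 11 + "about").split()


def mnemonic_to_seed(words, passphrase=""):
    """BIP-39: stretch the space-joined words into a 64-byte seed."""
    sentence = unicodedata.normalize("NFKD", " ".join(words))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", sentence.encode(), salt.encode(), 2048)


def master_key(seed):
    """BIP-32: HMAC-SHA512 keyed with "Bitcoin seed" -> (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def fingerprint(words, passphrase=""):
    """Short hash of the master private key, so inputs can be compared
    without printing the key itself."""
    key, _chain_code = master_key(mnemonic_to_seed(words, passphrase))
    return hashlib.sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    # Same words, last two swapped: a different master key, hence a different wallet.
    swapped = SAMPLE_WORDS[:-2] + [SAMPLE_WORDS[-1], SAMPLE_WORDS[-2]]
    print("original order   :", fingerprint(SAMPLE_WORDS))
    print("last two swapped :", fingerprint(swapped))
    print("with a passphrase:", fingerprint(SAMPLE_WORDS, "example"))
```

No device, account or server takes part in the derivation, which is why anyone who obtains the written words controls every account under that seed.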

To be able to sign transactions, hot wallets like MetaMask or Rabby need to save your private key on your device (computer or mobile). It is usually stored in the keystore file, encrypted with the password you configured in the wallet. Use a long and complex password.

So, having said that: cybercriminals are after your private keys, with which they will be able to steal your funds. They have many techniques to achieve this: we are going to understand them and explain how to protect yourself.

The most common technique nowadays is malware, which arrives when you install cracked software from torrent or pirate sites or download fake software from phishing websites. This software usually carries malware.

This malware will search your computer for installed wallets, will extract the keystore file from them, log your password with a keylogger and send that information to the attacker. It will also search for files with names or contents related to crypto, passwords and seed phrases.

How do we avoid this? NEVER download cracked software and install as few applications as possible: only the ones that you really use and that come from a trusted source.

The next attack is social engineering: it comes in many forms, the most common being someone pretending to be your wallet's support and asking you for your seed phrase. This is basic for most of us, but let's say it again: only a robber will ask you for your seed phrase. NEVER share it.

Browser extensions: there are a lot of harmful Chrome extensions that can steal information from other extensions (like private keys) and from the websites you visit, and can even make you think you are browsing an official website when you are not.

What should we do? Uninstall all the extensions you don't use and the ones whose source you don't trust. Having millions of downloads is not enough: there are many cases of malware in widely adopted extensions. Keep them updated: Settings > Extensions > Developer mode > Update

It's also recommended to compartmentalize: create different Chrome profiles, one for crypto, one for work, and another one for personal stuff. This way, if an infected extension is installed in your personal profile, it won't affect your professional and crypto profiles.
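Added example (not from the original article): a Python sketch that lists the extensions installed in each Chrome profile and flags those requesting access to every site, as a starting point for the pruning and profile separation described above. It assumes Chrome's on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`; the sample tree and extension names are constructed.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read or change every page you open.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect the site patterns an extension asks for."""
    found = set(manifest.get("host_permissions", []))  # Manifest V3
    for perm in manifest.get("permissions", []):  # Manifest V2 lists hosts here
        if isinstance(perm, str) and ("://" in perm or perm == "<all_urls>"):
            found.add(perm)
    for script in manifest.get("content_scripts", []):  # injected page scripts
        found.update(script.get("matches", []))
    return found


def audit_user_data(user_data_dir):
    """Map each profile name to [(extension_id, name, broad_access), ...]."""
    report = {}
    for path in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        broad = bool(host_patterns(manifest) & BROAD_HOSTS)
        entry = (path.parents[1].name, manifest.get("name", "?"), broad)
        report.setdefault(path.parents[3].name, []).append(entry)
    return report


def build_sample(root):
    """Write a constructed tree: two profiles, three made-up extensions."""
    samples = [
        ("Default", "aaaa", {"name": "Coupon Finder", "host_permissions": ["<all_urls>"]}),
        ("Default", "bbbb", {"name": "Theme Switcher", "permissions": ["storage", "*://*/*"]}),
        ("Profile 1", "cccc", {"name": "Price Ticker", "permissions": ["storage"]}),
    ]
    for profile, ext_id, manifest in samples:
        folder = Path(root) / profile / "Extensions" / ext_id / "1.0_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_user_data(build_sample(tmp)))
```

On a real machine, point `audit_user_data` at Chrome's user data directory (for example `~/.config/google-chrome` on Linux). A broad-access flag is a prompt to review the extension, not a verdict, and localized extensions show a `__MSG_...__` placeholder as their name.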

Next: phishing. Phishing is the art of tricking victims into revealing private information or installing malware, by masquerading as a trustworthy entity. Most phishing in crypto comes from Twitter, Discord, Telegram, email and Google ads.

If you are being targeted, phishing attempts will be far more sophisticated: they will come from people and entities you know, with information that is not public. Eventually, you will be distracted and will click on a phishing link.

How do we protect ourselves? Bookmark the important websites you use and never google them or click on links from social media, emails, Discord, etc. Use a tool to detect phishing and scam websites, like Blockfence. It will also check the safety of the smart contracts and addresses you interact with. Check both the Chrome extension and the snap.

Last but not least: exploits. Exploits are tools designed to break into systems with security vulnerabilities. If the vulnerability is not public yet, its exploit is called a 0day; these are especially dangerous because they are very difficult to protect against.

How do we avoid exploits? Update all your software regularly: operating system, software, apps, extensions, and especially your internet browser. If you are being targeted, you should be especially careful: don't even click suspicious links or open PDFs on your laptop or mobile.

As we have seen, attackers have many ways and resources to try to steal our private keys and funds. But if we apply the security measures we talked about and behave carefully, we will probably be safe.

Keep up to date on security; these are some of the Twitter accounts we follow and recommend: @officer_cia, @zachxbt, @Mudit__Gupta, @lopp, @Jon_HQ and @blockthreat.

Before closing this article: remember that hot wallets should only be used to store small amounts of cryptocurrency, for daily use. If you wanna store large amounts, you will need to use a hardware wallet like Ledger or Trezor, or a multisig like Safe, but we will talk about those kinds of wallets soon in another article.

We hope you liked this thread; if so, share it with your friends! And let us know if you have any doubts or ideas! We are here to help and to make the ecosystem a more secure place. Follow us > Blockfence

Article information

Author: Dan Stracke