Security in Crypto, Hardware Wallets and Pseudonymity
This is a primer on all things security when it comes to 1. Holding, 2. Transacting and 3. Safeguarding crypto and NFTs. This is not meant to be a complete compendium, but it provides the information needed to get started.
First things first: crypto assets are digital, and they can be stolen digitally (which is a very smooth, silent and low-risk operation for a skilled scammer/hacker). The very first rule as a crypto/NFT holder is “Don’t talk about your net worth in crypto to anyone.”
There are myriad hacks and scams, and as a user who is not a cybersecurity expert you will most likely be unable to keep up with how fast they evolve. Revealing your crypto net worth puts a “number on your head” for a scammer/hacker to target. Given a sufficiently high value, this becomes the reward for which one or more hackers may then try to target you.
So rule number one is: never say out loud, or type in a Twitter thread or Discord channel, a $ value of your holdings. And as much as possible, keep your real name and address off all social media channels. The second part is important, because if a real-life name and address can be tied to your wallet addresses, the open nature of the blockchain puts you at risk of being targeted.
The following points will cover different aspects of wallets (hot wallets, hardware wallets, etc.) and private keys. We will cover a number of introductory topics before we move on to wallets and private keys. Having a thorough working knowledge of the introductory topics will make it a breeze to actually use the hardware wallet. This actual usage will be covered in a follow-up post.
Introduction: Take the case of passwords. It is commonly accepted that “easily guessable passwords” and password reuse across websites are the number one reason for a victim losing big when a single password of theirs is compromised. A secondary fail-safe is the use of 2-FA (2 Factor Authentication), such as Authy/Google Authenticator based 2-FA.
A quick side note: phone-number-based 2-FA has been seen to be easily hacked by scammers who exploit loopholes in mobile phone provider systems, such as reissuing a SIM card to an impostor without fully verifying that the person is the original customer.
Hence, the recommendation is to always use 2-FA, and always the Authy/Google Authenticator based 2-FA. Additionally, use hard passwords and don't reuse them across websites.
Asymmetric Encryption: Before we can discuss Wallets (Public Key) and Spending Passwords (Private Key) in crypto, we need to understand Public Key or Asymmetric Encryption. Since this topic is beyond the scope of this primer, I will refer you to the smart contributors on Wikipedia: https://en.wikipedia.org/wiki/Public-key_cryptography
Bitcoin and Crypto – An example of applied Asymmetric Encryption: If you understand all the salient points of Asymmetric Encryption, then Bitcoin (and most other blockchains) can be understood as simply a distributed form of public key/private key pairs. Once again for the practical implementation details, I will refer you to our friends who created the Bitcoin network architecture and consensus algorithm, and explained it in the Bitcoin Whitepaper: https://bitcoin.org/bitcoin.pdf
Note: If you are even remotely interested in working in Web 3, and/or investing in Crypto and NFTs, you need to do yourself a big favor and read and understand the Bitcoin whitepaper in whole. Read it a few times and understand it in full. This is seminal work, and will be remembered as such for ages to come. You need to know exactly what it says technically.
- Wallet (Public Keys) and Spending Password (Private Key)
Every wallet address on the Bitcoin network is a public key. Digitize the wallet address by saving it to a cloud backup service. Share it. Email it. Tweet it. It doesn’t matter, and the contents of the wallet cannot be compromised just because the address is shared or digitized.
The private key or spending key on the other hand is a totally different beast. The knowledge of the private key allows for the complete control of the assets within a wallet. A private key needs to be treated with the highest secrecy.
Note: To be technically specific, when creating any type of wallet, you will be shown a “seed phrase” that is 12 words (or 15 words, or 24 words) long. These words are selected from a known and fixed dictionary of 2048 English words, called the BIP-39 (Bitcoin Improvement Proposal - #39) word list. Knowledge of the seed phrase allows for the “private key or spending password” to be regenerated.
Important: The seed phrase should not be digitized, either as clear text or as a photograph. This means never saving it to cloud services like Google Docs, Microsoft OneDrive, Apple iCloud, or any other type of cloud service. If you save it in clear text (even if it is a digital image), you will 100% lose your wallet contents. It is not a matter of “if”, it is a matter of “when”. Even if you encrypt the seed phrase, the encryption will likely be poor and will be easily brute forced.
DO NOT DIGITIZE YOUR SEED PHRASE.
The one and only method to store a private key is to "write down" the seed phrase offline, e.g., physically in a notebook (using pen and paper), and additionally to use products like CryptoSteel (https://cryptosteel.com/), which lets you arrange alphabetical letters etched in stainless steel in a series to constitute the seed phrase. Cryptosteel ensures that a mishap like a fire or water damage will not destroy your seed phrase the way it would on paper. This is not a trivial point: there are thousands of people from the early days of crypto who have lost/forgotten/thrown away their Bitcoin wallet seed phrase, and are locked out of their assets.
- Crypto Self-custody empowers you to be your own bank
But with great power comes great responsibility…
A final meta theme I want to convey to those who might still not be aware of it is: By using a crypto wallet, you are opting for “Self-custody”. Now this saves you from all manner of frauds and mismanagement by a central party or a middle man. This includes banks, centralized exchanges, and so on. But in the same stroke, you are also responsible for your own actions – actions that cause you financial damage because you 1. lacked knowledge, 2. acted when you were stressed/sleepy/tired and entered a wrong address/made a sloppy mistake, 3. interacted with a scam contract with your wallet, or 4. GAVE AWAY YOUR SEED PHRASE in a confidence scam.
Another major threat is phishing. The security-conscious exchanges use some form of user-defined anti-phishing code word to uniquely identify their emails as legitimate. But there are newer threats, such as placing “real looking fake ads” for legitimate websites using Google Ads on important websites like etherscan.io. A distracted or lazy user will spot an ad from MetaMask, Binance, etc., quickly click on it and type their password on the webpage that opens, but it might not be the real deal. Instead, they have just given away their login id and password, or worse their seed phrase, because they believed they had to “verify” or “sync” their wallet.
ALL THESE ACTIONS ARE IRREVERSIBLE AND NOT INSURED BY ANY MEANS.
YOU ARE YOUR OWN BANK.
This is a very significant responsibility. Do not take it lightly. Do not make major financial decisions in crypto when you might be unsure about what you are doing, or tired/stressed/sleepy. Do not let greed make you drop your guard when you think you have to mint or stake or buy a token/NFT within the next 5 minutes. There is no financial instrument that has a 5-minute buy-in window. Even Bitcoin was below $100 for 4 years, and BAYC was below 1E for 3 months.
The number of long-term crypto investors I know who have given away their seed phrase willingly by trusting a “helpful” looking stranger on Discord and Telegram is mind-numbing. Many of them were in a rush to get a wallet connection working, and their tiredness/inattention cost them big.
There are several dozen variations of the seed phrase scam. Almost always, the victim knowingly shares it with someone who has gained their confidence OR the victim enters their seed phrase into a phishing website when in a hurry and pressured to “verify their wallet” or “sync their wallet” before they can receive some type of airdrop or some support. Almost universally, there is no such thing as "syncing your wallet": the wallet lives on the blockchain, and the blockchain is syncing and reaching consensus by itself with every block. Verifying wallet ownership is a real task, and mostly happens with the Collab Land bot. You must ensure that you are on the correct website and not interacting with a fake bot.
The more targeted scams involve hacking into your computer and taking control of your Hot wallet, such as MetaMask. This is a risk if you own significant amounts of crypto (read as anything above $2000), or if you happen to be the lucky dude/gal who owns a Blue Chip NFT such as Bored Ape Yacht Club (BAYC), or one of the newer Blue-Chip contender NFTs – Azuki, Doodles, MAYC, etc.
Once again, you need to obsessively protect your devices from viruses, malware and trojans. The only way to do it is by using good paid anti-virus software, such as McAfee or Avast, and anti-malware software such as MalwareBytes. Together, they should protect you from most types of keyloggers, trojans and web exploits. The capstone in self-protection software is using a VPN. Again, paid and branded VPNs are preferred, as compared to cheap, fly-by-night VPNs.
But even if you use anti-virus, anti-malware and VPNs, if you are keeping anything more than $2000 in a MetaMask Hot Wallet, you are still at risk. The only solution is a 2-FA type of Crypto Wallet – these are called Hardware Wallets.
If your crypto portfolio is anywhere above $2000, you need to invest in buying a Ledger Nano X and learning to use it. Procrastinating on this important step, taking an overconfident approach to your crypto, and thus continuing to hold it in a Hot Wallet exposes you to a significant ongoing risk of losing all your crypto. There are countless horror stories on Twitter, where people have lost 300-500 Ether worth of tokens, because they were using MetaMask and not a Hardware Wallet.
- Hot Wallets vs. Hardware Wallets
We discussed in section 6 how the seed phrase allows your wallet to regenerate your “private key” and allows you to spend the assets in your wallet. In a Hot Wallet, this private key is on an internet-connected device, such as a laptop or a mobile phone.
These are some examples of Hot Wallets on leading blockchains:
- Ethereum: MetaMask, Trust Wallet
- Cardano: Nami, Yoroi, Daedalus
- Solana: Phantom
Let us focus on Ethereum and MetaMask for now. MetaMask is a browser addon, and can be added to leading browsers such as Mozilla Firefox, Chrome, Brave, and Edge. It is a Hot Wallet because the seed phrase is entered into the UI of the browser addon, and the private key lives in memory on the laptop or desktop. The utility of the hot wallet is that it can be readily used to make transactions, which makes it very easy to use. The seed phrase only needs to be entered once, and it is encrypted on the device with a second password that needs to be entered each time the MetaMask addon is used/unlocked.
But this ready usability and ease of use comes at the cost of security. Modern operating systems have way too many moving parts, and a lot of security vulnerabilities arise from the added complexity. Most importantly, the user’s security habits have a significant bearing on the vulnerability of the device. A user who installs cracked or warez software, or uses jail-breaking techniques to circumvent limits of major software and hardware, or visits porn websites, has a significantly higher risk of having their device infected with a virus, trojan or keylogger.
Let us take an example of how a person using a simple jail-breaking technique can end up with keyloggers installed on their computer: YouTube expressly forbids downloading YT videos to devices as standalone files. Yet if you go to any browser addons page and search for YouTube downloaders, you will get dozens of results. You can now circumvent YT and Google’s usage policy and store standalone videos from YT uploads. But what cost have you paid? If you never read the fine print, you should know that these YT Downloader browser addons, and many other browser addons, ask your permission to “view data from all websites”. This is a very significant privilege and can basically beat all your security countermeasures, and snoop on your seed phrase and MetaMask password from right under you. The developers of these addons may even be legitimate, but they are probably doing it part time, and are most likely not compensated well enough for maintaining it to accurately assess all commits to their code base. A clever hacker can add malicious code to the YT Downloader GitHub, get it approved surreptitiously, and thereby get added privileges and snoop on all users of the addon.
Such vulnerabilities are rarely discussed and yet, large swathes of people are at risk from these types of attacks. Most are unaware of the risks of giving sweeping permissions to browser addons, using jail-breaking techniques, cracked software and the risk of malicious software from porn websites.
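One way to check installed addons for the “view data from all websites” privilege described above is to look for all-site match patterns in each addon's manifest.json. This is an added example, not code from the original post; the two manifests are constructed samples and the function names are hypothetical.

```python
import json

# Match patterns that grant an extension access to every website.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Manifest keys that can carry host match patterns. Manifest V2 mixes them
# into "permissions"; Manifest V3 moves them to "host_permissions".
PERMISSION_KEYS = (
    "permissions",
    "host_permissions",
    "optional_permissions",
    "optional_host_permissions",
)


def broad_host_access(manifest):
    """Return every place where a manifest asks for access to all sites."""
    findings = []
    for key in PERMISSION_KEYS:
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD_PATTERNS:
                findings.append(f"{key}: {entry}")
    # Content scripts are injected into every page their patterns match.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in BROAD_PATTERNS:
                findings.append(f"content_scripts[{i}].matches: {pattern}")
    return findings


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = {
    "video-downloader (constructed)": """{
        "manifest_version": 2,
        "name": "Video Downloader",
        "permissions": ["downloads", "<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
    }""",
    "tab-notes (constructed)": """{
        "manifest_version": 3,
        "name": "Tab Notes",
        "permissions": ["activeTab", "storage"],
        "host_permissions": ["https://notes.example/*"]
    }""",
}


def audit(manifests):
    """Map each extension name to its list of all-site access findings."""
    return {name: broad_host_access(json.loads(raw))
            for name, raw in manifests.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_MANIFESTS).items():
        status = "ALL-SITE ACCESS" if findings else "scoped"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

An addon flagged here can read and modify every page in the browser, including the pages where a wallet password or seed phrase is typed.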
The simplest solution is to use a clean device for all your crypto activities and airgap this device as much as possible from other devices. Do not install unnecessary applications and addons on this device, and keep its use limited to crypto.
If you have read this far, congratulations, and thank you. Hopefully this has shed some light on all the vulnerabilities and modes of attack one needs to safeguard their digital assets from.
You have arrived at the final and most important security step when using and storing crypto and NFTs: using a Hardware Wallet.
A hardware wallet ensures:
- Your seed phrase is only ever visible on the device itself when a new wallet is first created on the hardware wallet.
- You only have to enter the seed phrase again, if you have to reset/replace the device, and again you enter it directly into the device. Thus you never need to digitize it.
- The device will securely encrypt the private key, and the private key will never leave the device by means of remote actions from the internet or other applications being installed on the device.
- The encryption of the private key is achieved by using a 4-8 digit secret PIN that the user sets on the device. This PIN once again never leaves the device and neither should you digitize it anywhere else.
Now, if you can ensure the security of the seed phrase by backing it up in a secure offline location, for future use when you need to restore the wallet on a new hardware wallet, you basically have state-of-the-art encryption for your crypto and NFT assets.
- Choice of Hardware Wallets
I will stick to comparing and describing the two hardware wallets that are most popular and also that I have been able to purchase and test.
Before I go there, the “too long didn’t read” version is: Get a Ledger Nano X from the official website: https://www.ledger.com/ Don’t ever purchase a hardware wallet from a marketplace like Amazon or eBay. You don’t know who the seller is in this case, and many people have reported receiving tampered hardware wallets that arrive with a seed phrase already set up and written out on a card.
Finally, while ordering your wallet from Ledger’s official website, ensure that you purchase it under a pseudonym or the name of a friend/relative who doesn’t transact in crypto. Also, use a shipping address that is not your home address. Don’t reveal your phone number, and use a crypto-specific burner email address that can’t identify you while placing this order.
Now for the scenic route…
The most popular hardware wallets are Ledger Nano X and Trezor Model T. Ledger and Trezor also have other models that are a bit cheaper than their top-of-the-line models. Ledger Nano X stores the private key on an encrypted chip on the device, and this chip is custom built for doing this task. The firmware of this secure chip is not public, and is under NDA between Ledger and their manufacturer. But Ledger claims that the rest of the Nano X device design is public. It comes with companion software called Ledger Live, which must be installed on a desktop/laptop computer to update the firmware of your hardware wallet. Since this is an ultra-critical step, you must take care to go to the correct website and download the legitimate version of Ledger Live.
Ledger Live will allow you to install small utility apps corresponding to each blockchain for which you wish to create a wallet – think an app for Bitcoin, an app for Ethereum, Cardano, Solana, and so on. If you purchase the Ledger Nano S, which is about $60 cheaper than the Ledger Nano X, you will have very little space on your device, and it will only support 3-5 blockchain wallets at any one time. If you are a power user, it is better to pay the extra cost and purchase a Ledger Nano X. Ledger Nano X comes with both USB and Bluetooth connectivity. Apple devices like iPads and iPhones forbid the USB connection, and you must use Bluetooth to connect. Windows desktops and laptops will ask you to use the wired USB and cause problems with Bluetooth. Ledger Nano S only has USB support and no Bluetooth support – thus once again, if you need to use the Ledger with both Apple and Windows devices, this rules out the Ledger Nano S and you need to choose the Ledger Nano X.
Coming to Trezor Model T. Trezor does not use a specific encryption chip to store the private key/user PIN. It uses a general-purpose ST Microelectronics microcontroller, and a portion of that microcontroller's non-volatile memory (NVM) stores the user PIN. Though Trezor has several additional features like Shamir Key Splitting and Multi-sig, features that Ledger doesn’t have, I discovered a very disturbing fact.
The Kraken Security Lab was able to find a serious vulnerability in Trezor Model T. The chip used in Trezor Model T is not a chip specifically made to encrypt data. It is a general-purpose microcontroller with several dozen features, one of which is on-board NVM (also known to people as Flash memory, the same technology as pen drives). Now, due to the complexity of this microcontroller, Kraken Security Lab were able to override the normal boot sequence by doing something called Fault Injection, by applying very high voltages. This disrupted the NVM read, and made it possible to snoop into the NVM contents by repeated brute force fault injection attacks. They were able to read the user-defined PIN out of the device in as little as 15 minutes of physical contact with the device. Since this PIN is what encrypts the seed phrase of the wallets restored on the hardware wallet, once they had the PIN they were effectively able to access the wallets as well, thereby gaining full access to the wallets.
This is an unacceptable design flaw, and cannot be fixed unless Trezor does a complete redesign of the device. Trezor for their part claims that the solution to this problem is to have the customer set a 25th word, in addition to the 24-word seed phrase. This is called the passphrase. Since this 25th word is not stored on the Trezor Model T, the company claims that wallets created using this 25th word are safe: they cannot be brute forced out of the device, as the 25th word is not present on it in the first place.
Nonetheless, this was a major reason for me to stick to Ledger Nano X. You can read more about the Trezor Model T hack here: https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/
I encourage the reader to definitely do their own research, and to find their own acceptable trade-offs.
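The sketch below shows why knowledge of the seed phrase is enough to regenerate a wallet, and why the “25th word” yields a different wallet without being stored alongside the phrase: BIP-39 turns the words plus an optional passphrase into a 64-byte seed with PBKDF2-HMAC-SHA512. It is an added example, not code from the original post or from either vendor; it goes slightly beyond the text by covering all five BIP-39 phrase lengths, and the phrase used is the public BIP-39 test vector, which must never hold funds.

```python
import hashlib
import unicodedata

BITS_PER_WORD = 11  # the word list has 2048 = 2**11 entries

# Public BIP-39 test-vector phrase. Never use it for a real wallet.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def mnemonic_layout(word_count):
    """Return (entropy_bits, checksum_bits) encoded by a phrase length."""
    if word_count not in (12, 15, 18, 21, 24):
        raise ValueError("BIP-39 phrases have 12, 15, 18, 21 or 24 words")
    total_bits = word_count * BITS_PER_WORD
    checksum_bits = total_bits // 33  # checksum is 1 bit per 32 entropy bits
    return total_bits - checksum_bits, checksum_bits


def mnemonic_to_seed(mnemonic, passphrase=""):
    """Derive the 64-byte BIP-39 seed from a phrase and optional passphrase.

    The passphrase is only an input to this function; it is not part of
    the mnemonic. Collapsing whitespace is a convenience added here.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def compare_wallets(mnemonic, passphrase):
    """Return the seeds (hex) derived without and with the passphrase."""
    return (mnemonic_to_seed(mnemonic).hex(),
            mnemonic_to_seed(mnemonic, passphrase).hex())


if __name__ == "__main__":
    for count in (12, 15, 24):
        entropy, checksum = mnemonic_layout(count)
        print(f"{count} words: {entropy} bits entropy + {checksum} checksum")
    plain, protected = compare_wallets(TEST_MNEMONIC, "TREZOR")
    print("seed, no passphrase  :", plain[:32], "...")
    print("seed, with passphrase:", protected[:32], "...")
    print("same wallet?", plain == protected)
```

The same phrase always produces the same seed, so anyone holding the words holds the wallet, while a passphrase leads to an unrelated seed that cannot be recovered from the phrase alone.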
For Ledger’s part, while the Ledger Nano X device has not been hacked thus far, Ledger did suffer a data breach and customer data was stolen from their e-commerce partner Shopify. This is the official Ledger response on the data hack + data leak online: https://www.ledger.com/message-ledgers-ceo-data-leak
Customer data was used to target customers who had purchased Ledger devices, and we need to prepare for the case that this can happen again. Try as far as possible to remove personally identifying information while ordering your Ledger. This means:
- Use a burner email address with no real name and profile picture
- Use a delivery address that is not your residence. Maybe it could be a PO Box, or an office address, or a temporary address or a shop’s address.
- Don’t provide your mobile phone number.
We cannot guarantee this will be enough. But it should be mostly sufficient to avoid being targeted in the future.
Now that you know why you need a hardware wallet and how to choose and purchase one, we will discuss the steps on how to properly use it in the next discussion.
NB: The contents of this document have taken me over 8 months of research and interviewing people to gather. I have spent full time using protocols across blockchains and speaking to victims of scams to understand why and how they fell for it. If it has been useful to you, please leave a comment and share it with your friends.
If you would like to support my work (and only if you are able to do so), and would like me to continue to provide such content please consider making a donation to this Ethereum wallet: 0xB86D7ebc89affa8C1801079729Efd0a9c70e508c