Guide #2.3: Updated Security & Wallet Safety

Lex Luther
6 min read · Jun 28, 2021


StrongBlock 101

Things you need to know before you start…. and more

NEW! How to use a PASSPHRASE to increase your security with a Trezor and MetaMask. Watch the video. (Can NOT be used when moving a MetaMask, or other existing seed, onto a hardware wallet. Must be created with a fresh seed.)

Guide #2: Security & Wallet Safety…. Newly updated

The number one thing that everyone new to crypto needs to take seriously is understanding how to best protect yourself and your hard-earned funds. In this section we will cover some of the ways you can help protect yourself against scammers and the tricks they use to rob you of your assets.

Even with a hardware wallet, if a thief gets your ‘seed words’ your assets are now THEIRS!

If you haven’t started creating nodes yet, start right away with a hardware wallet so that you don’t need to import a MetaMask seed, and consider using the PASSPHRASE option. A fresh seed is much safer than importing a MetaMask seed to a hardware wallet.

If you already have nodes created in MetaMask, or another HOT wallet, there are links at the end of this article on how to transfer your existing MetaMask seeds onto a Ledger or Trezor wallet, but read through this first!!

Do NOT ever share your ‘secret phrase’ or ‘seed phrase.’ Ever Ever Ever…Ever!

Do NOT ever share your QR code either… That IS your seed also!

Do NOT save your seed words anywhere digital. Not even as a photo!

Admins will NOT message you first… YOU must message us, and make sure you see the “ADMIN” badge before doing so!

There is NO “SUPPORT” on Telegram. They are SCAMMERS!!!

People will give you FAKE StrongBlock website links, and tell you to submit a ‘SUPPORT’ ticket.

If you remember only one thing from this section, make it those statements.

StrongBlock admins will NOT send you DM messages first! Why? Because the only way you can tell you are speaking to an admin is if YOU first check for the “Admin” badge, and then initiate the message. Scammers can choose almost any name, logo and username they want. So check, then you initiate it…

Click on the admin’s photo, then ‘SEND MESSAGE’

Always check for the “Admin” badge

Scammers will go to incredible lengths to make you feel comfortable with them, possibly impersonating an admin or project owner. Other times they will make you feel rushed, that if you do not do something ‘immediately’, you will lose all your assets. If you are in doubt, reach out and get a few opinions from people you have known for some time and trust. And remember that any assets you have safely stored in your wallet are almost certainly safe, until you let someone else have control of them. Other people NEVER, EVER, EVER need you to give them your seed phrase or QR code for ANY reason. Ever…. Got it?

But I didn’t tell anyone my ‘secret seed phrase’! I just needed to enter/confirm it in MetaMask or WalletConnect…. (Said the person that just lost ALL their stuff)

One way that scammers continue to have success in obtaining ‘seed’ phrases is by using tools you are already familiar with. One of the most common is the ‘WalletConnect’ scam. With this scam they have an identical-looking copy of the WalletConnect website, except that instead of walletconnect.org the scammer’s site might be located at walletconnect.io or walletconect.org, both of which are NOT the official site.

Whenever you are going to be connecting your wallet to a Dapp (decentralized app) or website, be sure to check that you are connecting to the official site, and not a fake one. Simply Googling the name and clicking the link is NOT how you do this. Scammers pay good money to have their scam site listed on top in the AD section there…
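The check described above can be made mechanical. The following is an added example, not part of the original article: it compares a link against a list of official domains you have verified yourself and flags the two tricks named above (same name under a different ending, and a near-miss spelling). The allowlist, the function names and the distance threshold of 2 are assumptions; walletconnect.org is the address the article gives as official.

```python
from urllib.parse import urlsplit

# Assumption: your own list of verified official sites. walletconnect.org is
# the address the article names; add others only after checking them yourself.
OFFICIAL_DOMAINS = {"walletconnect.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_link(url: str, official=OFFICIAL_DOMAINS) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a link someone gave you."""
    if "://" not in url:
        url = "//" + url                  # let urlsplit see a bare domain as a host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for good in official:
        # Exact match, or a subdomain of the official domain.
        if host == good or host.endswith("." + good):
            return "official"
    for good in official:
        name = good.rpartition(".")[0]    # "walletconnect"
        for label in host.split("."):
            # Distance 0: the real name under another ending (walletconnect.io)
            # or used as a prefix of someone else's domain.
            # Distance 1-2: a near-miss spelling (walletconect.org).
            if edit_distance(label, name) <= 2:
                return "lookalike"
    return "unknown"                      # not on your list: treat as unverified
```
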

Scammers will often wait in Telegram and Discord groups for a person to ask a simple question. Then all they need to do is respond or DM you with the correct answer to your question, but then they also post the link to their bogus scam site. Best practice… Don’t click on links others give you; find the site yourself and double check it is legit.

If you ask a question in a chat, and someone DMs you to “help”…. RUN!!

Since your ‘hot’ wallet (MetaMask, Trust Wallet, etc.) is connected to the internet, usually through your PC, tablet or phone, you need to be extra vigilant about what you might unknowingly be allowing access to your computer. The most common threats are keyloggers and screen scrapers. A keylogger virus is a program that sits in the background of your computer recording every keystroke and mouse click. These may also record what websites or programs were being used while the keystrokes were being entered. A screen scraper program also sits in the background and either takes pictures of your screen periodically, or ‘scrapes’ the data off the screen and sends it for the scammer to analyze. Obviously, if either of these happens to capture your ‘seed phrase’ or wallet password, there is a good chance of having your wallet compromised.

Did you know that MetaMask and other common wallets save your ‘secret seed phrase’ right on your PC, tablet or phone?

Another area to be mindful of is ‘token allowances’. Token allowances are created when you proactively give a contract or Dapp permission to interact with assets in your wallet on your behalf. These allowances can be set for a specific number of tokens, or even an unlimited amount. Care should be taken with these, as bad actors, malicious code, or simply unintended mistakes could put some or all of your tokens at risk. It is recommended to use a token allowance research tool to periodically review the allowances on each of your wallets. While there are many tools available, Etherscan offers one that you can feel confident in using. You can find a link to that tool below.

Etherscan ‘token allowance’ tool.
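To see what an allowance looks like before you confirm it, the following added example (not from the original article) decodes the data field of a standard ERC-20 `approve(address,uint256)` transaction and reports whether it grants a specific amount, an unlimited amount, or revokes a previous allowance. The function name, the `intended_units` parameter and the sample spender address are constructed for illustration.

```python
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1        # largest possible amount, used for "unlimited" approvals


def describe_approval(calldata_hex, intended_units=None):
    """Decode ERC-20 approve() calldata into spender, amount and allowance kind.

    intended_units (hypothetical parameter) is the amount you actually mean to
    let the Dapp spend, in the token's smallest units.
    """
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    # Layout: 4-byte selector, 32-byte spender word, 32-byte amount word.
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve(address,uint256) call")
    spender_word, amount_word = data[8:72], data[72:]
    if spender_word[:24] != "0" * 24:
        raise ValueError("spender is not a left-padded 20-byte address")
    int(spender_word, 16)               # raises ValueError on non-hex input
    amount = int(amount_word, 16)
    if amount == 0:
        kind = "revoke"                 # sets the allowance back to zero
    elif amount == MAX_UINT256:
        kind = "unlimited"
    else:
        kind = "limited"
    return {
        "spender": "0x" + spender_word[24:],
        "amount": amount,
        "kind": kind,
        "more_than_intended": intended_units is not None and amount > intended_units,
    }


# Constructed sample data: the spender address is a placeholder, not a real contract.
SPENDER = "11" * 20
UNLIMITED_CALL = "0x" + APPROVE_SELECTOR + "0" * 24 + SPENDER + "f" * 64
LIMITED_CALL = "0x" + APPROVE_SELECTOR + "0" * 24 + SPENDER + format(50 * 10**18, "064x")
REVOKE_CALL = "0x" + APPROVE_SELECTOR + "0" * 24 + SPENDER + "0" * 64
```
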

So, when WILL you need to use your seed phrase?

There are really only two times I can think of that you will need to use your ‘secret seed phrase.’

  1. The first will happen if you somehow lose access to your wallet. Possibly your PC or phone broke, or you needed to format it. In that case you will need to enter your phrase in order to recover the assets associated with that wallet. But, once again, you will be the only one to see this phrase as you do it, and you should go to every length to ensure your equipment is free of any keylogger or virus software beforehand. NEVER give it to another individual to help you do this process. I personally recommend running your anti-virus scan first, and then disconnecting your internet connection while entering the seed words.
  2. The second time you may need your ‘secret seed phrase’ is if you want to transfer your assets from a ‘hot’ wallet (connected to the internet, like MetaMask etc.) to a ‘cold’ hardware wallet (has NEVER touched the internet, like Trezor or Ledger). In this case you will need to “recover seed phrase” into the hardware wallet so that it is accessible from the hardware wallet. Most hardware wallets let you enter the seed words into the physical hardware device directly, instead of on the PC, so the PC safety is less important here. Just remember, once you have recovered your ‘seed’ into the hardware wallet, the wallet is STILL accessible and subject to exploitation from internet hacks through the original hot wallet (MetaMask etc.). So, you will need to remove all traces of the seed there.

Interested in transferring your unsafe hot wallet to a much safer Trezor or Ledger hardware wallet?

Visit the TREZOR GUIDE or LEDGER GUIDE.
