NFT, DeFi and crypto hacks abound — Here’s how to double up on wallet security


The explosiveness and high dollar value of non-fungible tokens (NFTs) either distract investors from strengthening their operational security to avoid exploitation, or hackers are simply following the money and using complex strategies to exploit collectors’ wallets.

At least, that was the case for me long ago, when I fell for a classic message sent to me on Discord that caused me to slowly but all but lose my most valuable asset.

Most scams on Discord occur in a similar manner: a hacker takes the roster of members on a server and then sends them direct messages in the hope that they will take the bait.

“It happens to the best of us” aren’t the words you want to hear in relation to a hack. Here are the top three things I learned from my experience on how to double up on security, starting with minimizing hot wallet usage and simply ignoring DM’d links.

A Quick Crash Course in Hardware Wallets

After my hack, I was immediately reminded, and I can’t repeat it enough, to never share your seed phrase. No one should ask for it. I also learned that I can no longer leave security at the privilege of the facility.

Yes, hot wallets are more intuitive and faster to trade with, but they don’t have the added security of a PIN and passphrase that hardware, or cold, wallets do.

Hot wallets like MetaMask and Coinbase are plugged into the internet, which makes them more vulnerable and susceptible to hacks.

Unlike hot wallets, cold wallets are applications or devices in which the user’s private key is stored offline and is not connected to the internet. Since they work offline, hardware wallets guard against unauthorized access, hacks and the vulnerabilities that systems are susceptible to when online.

Moreover, hardware wallets allow users to set a personal PIN to unlock the device and to create a secret passphrase as a bonus layer of security. Now, a hacker needs to know not only one’s recovery phrase and PIN, but also the passphrase to confirm a transaction.

Passphrases are not talked about as much as seed phrases because most users may not be using a hardware wallet or may not be familiar with the mysterious passphrase.

Access to a seed phrase will unlock the set of wallets that corresponds to it, but a passphrase also has the power to do the same.


How do passphrases work?

The passphrase is in many ways an extension of one’s seed phrase because it mixes the randomness of the given seed phrase with the user’s individual input to calculate a complete set of addresses.

Think of the passphrase as the ability to unlock an entire set of hidden wallets on top of the wallets already generated by the device. There is no such thing as a wrong passphrase, and an infinite number can be made up. In this way, users can go the extra mile and create decoy wallets for plausible deniability, to deflect any potential hack targeting a main wallet.

Recovery seed/passphrase diagram. Source: Trezor

This feature is beneficial when separating one’s digital assets between accounts but terrifying when forgotten. The only way for the user to repeatedly access the hidden wallet is to input the exact passphrase, character by character.

Similar to one’s seed phrase, the passphrase should not be exposed to any mobile or online device. Instead, it should be put on paper and kept somewhere safe.

How to Set a Passphrase on Trezor

Once the hardware wallet is installed, connected and unlocked, users who wish to enable this feature can do so in two ways. If the user is in their Trezor Wallet, they will hit the “Advanced Settings” tab, where they will find a box to check to enable the passphrase feature.

Trezor Wallet landing page. Source: Trezor

Similarly, users can enable the feature if they are in the Trezor Suite, where they can also check that their firmware is up to date and that their PIN is set.

Trezor Wallet landing page. Source: Trezor

There are two different Trezor models, the Trezor One and the Trezor Model T, both of which enable users to activate the passphrase in different ways.

The Trezor Model One only offers users the option of typing their passphrase in a web browser, which isn’t ideal in case the computer is infected. However, the Trezor Model T gives users the option of typing the passphrase on the device’s touchscreen or in a web browser.

Trezor Model T / Trezor Wallet Interface. Source: Trezor

On both models, after the passphrase is entered, it appears on the device’s screen, awaiting confirmation.

The Other Side of Security

There are risks to security, although this seems counterintuitive. What makes the passphrase so strong as a second authentication step on top of the seed phrase is also what makes it a weakness. If it is forgotten or lost, the assets are as good as gone.

Sure, these extra layers of security take time and extra precautions and can seem like a bit of overhead, but my experience was a hard lesson in making sure every asset is safe and secure.
