NFT, DeFi and crypto hacks abound — Here’s how to double up on wallet security


The explosive growth and high dollar value of non-fungible tokens (NFTs) seem to distract investors from improving their operational security to prevent attacks, while hackers simply follow the money and use increasingly complex strategies to drain collectors’ wallets.

At least that was the case for me a long time ago, when I fell for a classic message I was sending via Discord that made me slowly but very quickly lose my most valuable assets.

Most scams on Discord happen in a very similar way: a hacker scrapes the member list of a server and then sends each member a direct message in the hope that someone will take the bait.

“It happens to the best of us” are not the words you want to hear in relation to a hack. Here are the top three things I learned from my experience about doubling up on security, starting with minimizing the use of a hot wallet and simply ignoring DM links.

A crash course in hardware wallets

After the hack, I was immediately reminded, and I can’t repeat it enough: never share your seed phrase. No one should be asking for it. I also learned that I could no longer trade security for the privilege of convenience.

Yes, hot wallets are much smoother and faster for swapping, but they don’t have the added security of a PIN and a passphrase the way a hardware or cold wallet does.

Hot wallets like MetaMask and Coinbase Wallet are connected to the Internet, which makes them more exposed and more susceptible to hacking.

Unlike hot wallets, cold wallets are applications or devices that keep the user’s private keys offline and never connect to the Internet. Because the keys never leave the device, hardware wallets are protected from the remote access, malware and software vulnerabilities that an always-online wallet is exposed to.

In addition, hardware wallets allow users to set a personal PIN to unlock the device and to create a secret passphrase as an additional layer of security. A hacker then not only needs to know the recovery phrase and the PIN, but also the passphrase in order to reach the funds and confirm a transaction.

Passphrases are not talked about as much as seed phrases, since most users may not use a hardware wallet or may not be familiar with the somewhat obscure passphrase feature.

Anyone who obtains a seed phrase can unlock the set of wallets that belong to it, but a passphrase unlocks a further, separate set of wallets that the seed phrase alone does not reveal.

How do passphrases work?

Passphrases are, in many ways, an extension of the seed phrase: they combine the randomness of the given seed phrase with the user’s personal input to compute a completely different set of addresses.

Think of passphrases as the ability to unlock an entire set of hidden wallets in addition to the ones your device already generates. There is no such thing as an incorrect passphrase, and an infinite number of them can be created. This way, users can go the extra mile and create decoy wallets for plausible deniability, deflecting any attack that targets a main wallet.

Seed phrase / recovery passphrase diagram. Source: Trezor

This feature is useful for separating your own digital assets between accounts, but it is terrible if you forget the passphrase. The only way for a user to reach a hidden wallet again is by entering the exact passphrase, character by character.
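To make the mechanism concrete, here is an added example (not from the original article or from Trezor’s own code) that reproduces the BIP39 seed derivation a hardware wallet performs: the same mnemonic with different passphrases yields unrelated seeds, every passphrase is “valid”, and a single changed character opens a completely different wallet. The mnemonic is the well-known all-“abandon” BIP39 test mnemonic, used purely as constructed demo input.

```python
import hashlib
import unicodedata

# Constructed demo input: the standard BIP39 test mnemonic. Never paste a real
# seed phrase into any program running on an online computer.
DEMO_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic plus optional passphrase.

    BIP39 stretches the mnemonic with PBKDF2-HMAC-SHA512 (2048 rounds) using
    "mnemonic" + passphrase as the salt. Every derived key and address descends
    from this seed, so any change to the passphrase changes the whole wallet.
    An empty passphrase gives the device's standard (non-hidden) wallet.
    """
    mnemonic_bytes = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_bytes, salt, 2048, dklen=64)


def wallet_fingerprint(mnemonic: str, passphrase: str = "") -> str:
    """Short stand-in for a wallet identity: hash of the seed, first 16 hex chars."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:16]


def hidden_wallets(mnemonic: str, passphrases) -> dict:
    """Map each passphrase to the fingerprint of the wallet it unlocks."""
    return {p: wallet_fingerprint(mnemonic, p) for p in passphrases}


def all_distinct(mnemonic: str, passphrases) -> bool:
    """True if every passphrase in the list unlocks a different wallet (full seeds compared)."""
    seeds = [bip39_seed(mnemonic, p) for p in passphrases]
    return len(set(seeds)) == len(seeds)


if __name__ == "__main__":
    # "" is the standard wallet; the others are hidden wallets. Note how a
    # capitalisation or trailing-space typo lands in an entirely different wallet.
    for p, fp in hidden_wallets(DEMO_MNEMONIC, ["", "decoy", "Decoy", "decoy "]).items():
        print(f"passphrase {p!r:10} -> wallet {fp}")
```

The check against the published BIP39 test vector (passphrase “TREZOR”) confirms the derivation matches what a real device computes.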

Like the seed phrase, a passphrase should never touch a mobile device or any online device. Instead, it should be written on paper and kept in a safe place.

How to set up a passphrase in Trezor

Once a hardware wallet is set up, connected and unlocked, users who want to enable the feature can do so in two ways. In the Trezor wallet web interface, open the “Advanced Settings” tab, where you’ll find a checkbox to enable the passphrase feature.

Trezor wallet landing page. Source: Trezor

Similarly, users can activate the feature from Trezor Suite, where they can also check that their firmware is up to date and that a PIN is set.

Trezor wallet landing page. Source: Trezor

There are two different Trezor models, the Trezor One and the Trezor Model T, and they let users enter a passphrase in different ways.

The Trezor Model One only lets users type the passphrase into the web browser on the host computer, which is not ideal if that computer is infected, since malware on the host can capture anything typed there. The Trezor Model T, however, gives users the option of typing the passphrase on the device’s own touchscreen or in the web browser.

Trezor Model T / Trezor wallet interface. Source: Trezor

With both models, after the passphrase has been entered, it is shown on the device screen and waits for the user’s confirmation.

The other side of security

There are risks here too, counterintuitive as that may seem. What makes the passphrase as strong as a second authentication factor for the seed phrase is exactly what makes it dangerous: if it is forgotten or lost, the assets behind it are as good as gone.

Of course, these additional layers of security take extra time and care and may seem a bit much, but my experience has been a hard lesson in taking responsibility for ensuring that every asset is safe and secure.

The views and opinions expressed herein are solely those of the author and do not necessarily reflect the views of Cointelegraph.com. Every investment and trading move involves risk; you must conduct your own research when making a decision.