Originally published on The Voyage newsletter on January 26, 2022.
Secure Yourself in Web3
I remember the first time I heard about cryptocurrency. It was 2013 and a coworker was buying some bitcoin. He had a crazed excitement about him. The wide-eyed look of a man possessed. He went on and on about bitcoin being the future of money. He was doubling and tripling his money month to month.
I thought to myself, “What a fucking Ponzi scheme!”
Four years later, I was doing the same. I had that same deranged spark in my eyes. I was spending every moment I could scrolling through Reddit and Telegram chats, reading about the technology, soaking in the conspiracies, and engaging in passionate discussions with others who were into it.
As the saying goes, every generation rejects the previous generations' Ponzi scheme.
In the 1970s, the US dollar was decoupled from gold — a rejection of the previous scheme.
Before that, central banks and government-issued currencies were formed in rejection of the financial structures before.
We’re in accelerated times and we’re just seeing it happen more frequently.
Let’s say you buy my spiel or you’re already getting involved with the space. I’m going to save you some headaches by sharing what I’ve learned about security in the web3/ crypto space.
You are your own security
The first thing you need to understand about Web3 is that you are your own security.
In Web3, you are your own security
If you lose your account access, there’s no place to turn. If you are scammed by a fraudster, there’s little to be done about it.
But security isn’t only password security or some type of unbreakable cyber-security system, it also requires exercising some judgment. There’s a popular meme in the crypto space called the $5 wrench attack illustrated below.
In Web3 your data is open and exposed for anyone to see. Today there are hundreds of companies emerging onto the scene that mining the public data on blockchains.
Transactions can be traced easily from account to account. When you start getting involved in the Web3 community, you’ll be asked provide some details on who you are. Usually your name, email, and social media accounts. In some cases, the information is then linked to your public address and openly accessible. Once you share those details anyone can trace your personal identity and link it to your crypto holdings and activities.
I expect, at some point, we will see better solutions that balance public exposure with privacy, but for now, this is what the community offers.
For most of us today, that’s a manageable risk, but not for everyone.
As you scale and grow influence and accumulate financial value in the space it becomes a greater concern since the assets in your account are fully transparent.
Here are some considerations to secure your participation.
When getting into Web3, many of the best security practices in the current internet world still apply. Remember, when you start to get active, you are also increasing the size of the target on your back from scammers and fraudsters. If they can’t get your crypto keys, they’ll go for other things like email.
A password manager is a great way to create hard-to-hack unique passwords for each account without having to remember each one. My go-to password manager is 1Password. It syncs with all of your devices and web-browsers. You can use biometric authentication on your cell phone or laptop as well to login to websites through 1Password.
LastPass is another often recommended password manager.
I recommend setting up multi-factor authentication on all of your essential accounts to create another layer of protection. It might seem inconvenient at times, but it could save you a lot of trouble down the line.
Virtual Private Networks are also essential. They encrypt data across the network while disguising your IP address and location. They are absolutely necessary if you are logging into any public wifi. Your devices are especially vulnerable in those situations.
I’ve heard stories of people instantly losing all of their cryptocurrency through a one-time transaction executed on a public network. I’ve been using NordVPN for over three years and I’m happy with it. ExpressVPN is another I’ve heard recommended from trusted sources.
Don’t get one of those free VPNs, who knows what they are doing with your data.
Another thing to keep in mind with VPNs is that they don’t protect you from malicious links. When you go to a website, you are opening a direct connection with them. The VPN disguises you, but the VPN has no impact on the information passed through that connection.
That’s where the web browser can help. A good web browser will detect suspicious websites and warn you if they break standard security protocols. But this is not dependable, bad judgment will still be costly.
I’ve recently switched to Brave and I’m happy with it. Everything that works on Google Chrome works on Brave, so the transition is a low lift for many. Brave doesn’t allow websites to track your activity from site to site. It also blocks ads and is faster than any browser I’ve used before.
Firefox is another solid browser. Mozilla has always stood strong in its mission for privacy. They don’t block ads or limit tracking to the same extent Brave does, but there are plug-ins for ad-blocking.
Safari is probably okay since Apple has always stood in their same mission of keeping your data within the Apple ecosystem, but it wouldn’t be at the top of my list.
Don’t click suspicious links!
This should go without saying, but scammers are much savvier now and will continue becoming more sophisticated. I recently heard an artist share how he regrettably clicked a link that ended in .lo instead of .io. That’s easy to miss!
You’ll eventually start getting emails or messages on Discord for ‘life-changing’ opportunities. Approach with caution.
Secondary email address
As I mentioned, in Web3 you’ll find yourself publicly revealing your email address. It’s hard to fully grasp the implications of that exposure. Use a secondary email address for your Web3 participation. It’s simple to create and could save you from a whole world of hurt down the road.
Wallets, keys, and accounts
Typically, when you get into web3 there are three critical accounts where cryptocurrency is stored. Each account type serves its own purpose.
Let’s start with the cryptocurrency exchange. This is your entry point.
The exchange is where cash is exchanged for crypto. Some of the standard exchanges are Coinbase, Gemini, and Binance. There are many more with new ones launching all the time.
Protecting your exchange account is just the same as any Web2 account — strong secure password, multi-factor authentication (MFA), etc.
The next type of account you’ll have is a wallet. Securing a wallet is much different than securing your Web2 accounts. No one will have the key to your wallet except you and the people you tell.
If you lose your key, there is no recovery. A wallet typically provides you with a set of words, usually between 12-24 words. Your job is to secure the words in the exact order and spelling you receive them.
Many people recommend writing down the seed, securing the paper copy, and never storing it digitally. Others are comfortable saving it in their password manager or some form of digital security vault.
There are pros and cons to each, I’ve included links to some different perspectives at the bottom so you can weigh in different trade-offs.
The Cold Wallet
The next thing I strongly recommend is getting a hardware cold wallet. I use the Ledger Nano that I’ve had for years now. They now have multiple products and more options. Ledger is still one of the most trusted cold wallet makers.
Your cold wallet should be used sparingly. I would recommend storing the majority of your crypto there and never using it to log in to websites.
If you decide to buy a Ledger, do it directly from their website and not a second-hand source. If the device has been tampered with, your whole security is already compromised.
The Hot Wallet
A hot wallet is the best way to access Web3 resources like the NFT exchanges, websites, or DAOs. They usually have a website, a browser extension, and an app to allow use on multiple devices. Hot wallets are often specific to the cryptocurrency you’re connecting with, but some store multiple cryptos.
Some popular ones include Metamask for Ethereum, Phantom for Solana, and Kukai for Tezos.
I recommend not holding too much of your assets in the hot wallet. Send NFTs to the cold wallet if they all of sudden explode in value. But if you want to sell, do it through your hot wallet.
General Web3 security
Complete guide on cryptocurrency security
Crypto security can be a pain, but a few safeguards will go a long way
4 Key Cryptocurrency Security Measures: Are You Following Them?
Best practices to storing your seed phrase
The best way to store your seed phrase
Best ways to keep your recovery phase secure
7 secrete places to securely store your recovery seed phrase
Ways to store your seed phrase securely