Security in Crypto, Hardware Wallets and Pseudonymity - Part 7


In Part 7 we will discuss how to correctly set up and use a new hardware wallet.

MetaversityOne
·Jul 22, 2022·


Receiving the hardware wallet shipment & initial sanity check

When you receive the package, inspect it for any signs of tampering. The plastic wrap should be unaltered and well packed. On the Trezor device, you should look for an untampered holographic security seal on the device after opening the box. For both Ledger and Trezor, the package should not have shipped with a preset seed phrase or PIN under any circumstances. The devices should be uninitialized [1,2].

(Figure: A brief overview of the salient points covered in this article)

Ledger Live/Trezor Suite download and setup

As detailed in Part 6 of this series, carefully install the genuine version of Ledger Live [3,4] or Trezor Suite on the appropriate device [5,6].

As a reminder, Ledger Live is available for Windows, macOS, and Linux computers; iOS and Android phones [3]. You must ensure your Ledger Live is legitimate by following the instructions here [4].

Trezor Suite is available only for macOS, Windows 10, and Linux [5]. You must ensure your Trezor Suite is legitimate by following the instructions here [6]. Beware of fake Trezor apps on the Apple App Store [7] and Google Play Store [8]; people have lost substantial sums of money to them.

New wallet setup on a new hardware wallet and seed phrase offline backup

Review the details in Part 5 of this series: the seed phrase generated by a new wallet initialized on a hardware wallet is never shown or entered anywhere apart from the hardware wallet itself. If this is the first time you are using a hardware wallet, you must create a new wallet from scratch: first you set a PIN on the device, then the hardware wallet gives you a 24-word seed phrase that you must write down offline and back up with a Cryptosteel (refer to Part 2).

(Figure: Screenshots from the Ledger Live mobile app detailing the steps for setting up a new Ledger device)

N.B. 1: As you can see above, creating a new wallet on a new Ledger hardware wallet does not need any interaction with an external device (PC or mobile phone). The Ledger Live software merely guides you through what to do on the device. Data exchange with the PC or phone only begins in the next step, when you are required to install or update the device firmware and blockchain apps.

N.B. 2: As noted in the last sub-image above, you must never enter your hardware wallet-generated seed phrase into any other PC, mobile phone, or Metamask wallet.

N.B. 3: Contrary to some YouTube videos, you must not attempt to restore the 12-word seed phrase from a Metamask software (hot) wallet into a Ledger device. This is a very naive and uninformed approach. Always set up a hardware wallet with a new seed phrase that the device generates randomly. Don't attempt to invent your own seed phrase either, since humans are not on par with machines at creating randomness.

Device genuineness check and firmware update

The Ledger device arrives with functional firmware (which may need a version update through the desktop version of Ledger Live).

Trezor devices arrive with no firmware and need the Trezor Suite to install and get it functional [9].

For the Ledger device, both Ledger Live on a computer and Ledger Live on a mobile phone perform a device genuineness check - the user ensures their Ledger Live is legitimate, and Ledger Live ensures the device is legitimate [10].

On the other hand, for the Trezor device, the user needs to ensure the holographic seal on the USB port of the Trezor device is genuine and untampered with. The user also ensures their Trezor Suite is legitimate, and the Trezor Suite will help confirm that the newly shipped Trezor device has arrived without firmware.

Install apps to support wallets of different blockchains

Next, install apps for all the blockchains you wish to use on the hardware wallet via Ledger Live/Trezor Suite - e.g., Bitcoin, Ethereum, Cardano, etc.


Importing Hardware Wallet's Public key to Metamask

You must still use interfacing software such as Metamask to use the Ledger/Trezor device with Ethereum DApps like Uniswap and marketplaces like Opensea, etc. [11]. This is because Ledger Live allows no direct interaction of the hardware wallet with Uniswap and only allows limited interaction with Opensea (only Ethereum, no Polygon, etc.) [12]. Trezor Suite allows no interaction of the hardware wallet with Uniswap, Opensea, etc. [11].


N.B.: Please note how Metamask only serves as an interface between the DApps and the hardware wallet. Also, note how you never need to enter your hardware wallet's seed phrase into Metamask. The private keys stay on the hardware wallet; transactions are passed via Metamask to the hardware wallet for signing, and you - the user - must physically approve each signature on the device before the transaction can be sent to the network and mined on the blockchain.

Importing additional wallets into Metamask

A 24-word BIP-39 seed phrase initially presents only a single wallet address, but it can derive many more independent hierarchically deterministic (HD) wallet addresses (usually 25 are accessible). Thus you can import multiple independent Ethereum wallets into Metamask as separate accounts [12]. They are all independent in terms of the signatures and token approvals performed on them; this protects assets distributed across wallets against one signature from a single wallet going awry (approving a wallet-draining contract, etc.).
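To make the "one seed, many independent accounts" relationship concrete, here is an added example (not the author's code, and not Ledger's or Metamask's) that turns a BIP-39 mnemonic into its seed and derives the Ethereum accounts a wallet enumerates along the default path m/44'/60'/0'/0/i. It stops at the private keys: the BIP-39 wordlist checksum and the Keccak step that turns a public key into an address are left out, and the secp256k1 constants are the standard ones.

```python
import hashlib, hmac, unicodedata

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator
HARDENED = 0x80000000  # BIP-32: index >= 2^31 is hardened (the ' in a path)

def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, 64)

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def compressed_pub(k):
    """k*G by double-and-add, returned in 33-byte SEC1 compressed form."""
    r, pt = None, G
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")

def ckd_priv(k, c, index):
    """One BIP-32 child step: hardened hashes the private key, normal the public key."""
    data = b"\x00" + k.to_bytes(32, "big") if index >= HARDENED else compressed_pub(k)
    i = hmac.new(c, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k) % N, i[32:]

def derive(seed, path):
    """Walk a path such as m/44'/60'/0'/0/3; returns (private key int, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()  # BIP-32 master node
    k, c = int.from_bytes(i[:32], "big"), i[32:]
    for step in path.split("/")[1:]:
        index = int(step.rstrip("'")) + (HARDENED if step.endswith("'") else 0)
        k, c = ckd_priv(k, c, index)
    return k, c

def eth_accounts(seed, count=25):
    """Private keys of the accounts a wallet enumerates at m/44'/60'/0'/0/i."""
    return [derive(seed, f"m/44'/60'/0'/0/{i}")[0] for i in range(count)]
```

Each of the 25 keys is unrelated to the others for signing and approval purposes, which is exactly the compartmentalization the text relies on, yet all of them are recomputed from the single seed, which is why the seed phrase itself must never leave the device.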

Multi-device + multi wallet setup for minting, compartmentalized storage, Discord interaction & staking

It is critical to separate the holding of assets like cryptocurrency and NFTs into independent wallets. I strongly advise using a wallet exclusively for minting - it is okay to use a software wallet for this purpose. It might be helpful to further divide this between two minting wallets, one for high-risk/low-confidence contracts and a second for medium- to low-risk contracts. Remember to quickly transfer valuable NFT mints to a hardware wallet after minting [13].

Next, for your cryptocurrency that has no need for staking (e.g., Bitcoin), and NFTs that do not need staking or Discord interaction, it is preferable to use one hardware wallet device (HW-D1) exclusively as cold storage ('cold' meaning there is no blockchain/internet interaction for 99.99% of the time) [14].

For your cryptocurrency and NFTs that need staking, use designated wallets from your non-cold hardware wallet device (HW-D2). Split up assets so that no single sub-wallet holds more than 10% of your portfolio. Reserve a specific sub-wallet of the non-cold hardware wallet device to only trade coins on Uniswap/DeFi (HW-D2-W1), a second sub-wallet to only stake coins (HW-D2-W2), a third sub-wallet to only trade NFTs on Opensea (HW-D2-W3), and a fourth sub-wallet only for staking and storage of NFTs (HW-D2-W4), and so on. Don't interact with new platforms and unknown contracts from HW-D2-W4; do that solely from HW-D2-W3. Remember to move any valuable NFT purchased via Opensea on HW-D2-W3 to HW-D2-W4; similarly, to sell an NFT held on HW-D2-W4, move it to HW-D2-W3 first and then proceed to sign the token approvals and list it for sale. Use websites like revoke.cash [15] to periodically review and revoke unnecessary token approvals and smart contract permissions on the wallets that have on-chain interaction.

Avoid wallet interaction with low-confidence Discord servers and their verification bots. If you absolutely must verify wallet ownership for a Discord server, then carefully follow the steps mentioned in Part 3 of this series. A final recommendation is to avoid trading/negotiating NFTs in Private/Direct Messages (PMs/DMs) on Discord/Twitter/Telegram - trading in DMs is the root of most of the unfortunate events that happen to NFT holders.

Thank you for your time and attention in reading this series of articles on crypto security. I hope this content has been educational for you. If so, share it with your friends and Discord community. It took a year of research to gather all this data and write it up; if you use this series to onboard your friends and family to crypto, it will have been worth my time.

Acknowledgments: The author thanks K. from the Developer DAO Writer's Guild for valuable feedback and for editing all the articles in this series. His help is greatly appreciated.

References:

  1. Ledger Support (2022). Is my Ledger device genuine? [online] Ledger Support. Available at: support.ledger.com/hc/en-us/articles/440438.. [Accessed 4 Jul. 2022].
  2. Satoshi Labs (Trezor.io) (2018). [PSA] Non-genuine Trezor One devices spotted. [online] Trezor.io. Available at: blog.trezor.io/psa-non-genuine-trezor-devic.. [Accessed 4 Jul. 2022].
  3. Ledger Support (2022). Download And Install Ledger Live. [online] support.ledger.com. Available at: support.ledger.com/hc/en-us/articles/440438.. [Accessed 3 Jul. 2022].
  4. Ledger Support (2022). How To Verify The Authenticity Of Ledger Live? [online] Ledger Support. Available at: support.ledger.com/hc/en-us/articles/440480.. [Accessed 4 Jul. 2022].
  5. Satoshi Labs (Trezor.io) (2022). Trezor Suite - Managing crypto just got safer and easier. [online] Trezor.io. Available at: suite.trezor.io [Accessed 4 Jul. 2022].
  6. Satoshi Labs (Trezor.io) (n.d.). Apps:Trezor Suite. [online] Trezor.io Wiki. Available at: wiki.trezor.io/Apps:Trezor_Suite#How_to_ver.. [Accessed 4 Jul. 2022].
  7. Albergotti, R. (2021). He believed Apple's App Store was safe. Then a fake app stole his life savings in bitcoin. Washington Post. [online] 30 Mar. Available at: washingtonpost.com/technology/2021/03/30/tr.. [Accessed 4 Jul. 2022].
  8. Partz, H. (2021). Trezor crypto wallet warns users of doppelgänger scam app on Google Play. [online] Cointelegraph. Available at: cointelegraph.com/news/trezor-crypto-wallet.. [Accessed 4 Jul. 2022].
  9. Satoshi Labs (Trezor.io) (n.d.). Initialization process for Trezor Model T in Trezor Suite. [online] Trezor Wiki. Available at: wiki.trezor.io/Initialization_process_for_T.. [Accessed 4 Jul. 2022].
  10. Ledger Support (2022). Is my Ledger Device Genuine? [online] Ledger Support. Available at: support.ledger.com/hc/en-us/articles/440438.. [Accessed 6 Jul. 2022].
  11. Satoshi Labs (Trezor.io) (2022). How to use NFTs with a hardware wallet. [online] Trezor.io. Available at: blog.trezor.io/how-to-use-nfts-with-a-hardw.. [Accessed 4 Jul. 2022].
  12. Ledger Support (2022). Managing Your NFT Collection With OpenSea. [online] Ledger Support. Available at: support.ledger.com/hc/en-us/articles/440811.. [Accessed 4 Jul. 2022].
  13. TeaSea1 (2021). How to transfer your NFT's to a Hardware Wallet. [online] TeaSea1 on Medium. Available at: medium.com/@TeaSea1/how-to-transfer-your-nf.. [Accessed 5 Jul. 2022].
  14. 4lteredBeast (2022). twitter.com/4lteredbeast/status/15293625827... [online] Twitter. Available at: twitter.com/4lteredBeast/status/15293625827.. [Accessed 5 Jul. 2022].
  15. Revoke.cash (n.d.). Revoke.cash - Revoke your Ethereum token allowances. [online] Revoke.cash. Available at: revoke.cash [Accessed 4 Jul. 2022].

The author holds an M.S. in Engineering from Columbia University and has a decade of research and industry experience in software and hardware design. He has been researching crypto security since early 2021. You can follow him on Twitter: @MetaversityOne and also on his Hashnode Blog: https://cryptosecurity.hashnode.dev/
