MetaMask x Wallet Guard: State of Security Recap - Q3 2023
The official quarterly state of security discussion with MetaMask and Wallet Guard took place on 9/20/23.
Listen to the full recording on X https://twitter.com/i/spaces/1BRJjZgjddeJw and get all the security alpha shared in the recap below. It's time to break down the latest security alerts and the best practices to keep your assets safe, along with a discussion on the newly released MetaMask Snaps platform!
Over 3,000 users joined during the hour-long session. Guest speakers from MetaMask and Wallet Guard included:
The discussion kicks off with a review of device security and best practices, essentially focusing on getting your web2 security in check before you operate in web3.
Your first layer of defense is your password. Using a password manager helps with having strong, unique, randomly generated passwords for all of your accounts.
"...it's practically impossible to remember passwords to begin with, so a password manager is the solution to this." - Michael
Bitwarden and KeePassXC are two great options for free, open-source password managers. Both are available on multiple operating systems, browsers and devices, and being open-source adds to the transparency and trust that we inevitably look for in the software we choose to use.
After you have a secure password, your next layer of defense is two-factor authentication (2FA). Enabling 2FA on your accounts adds the requirement to enter a one-time code, generated by an app or hardware key that you hold, in addition to your password. Using software or hardware based 2FA instead of text (SMS) based 2FA is essential due to the risk of being SIM swapped, which we will review later in the discussion. Microsoft Authenticator and Authy are great options for free software based 2FA.
Remember to save your backup codes when enabling 2FA on your accounts; backup codes will get you back into your account if you ever lose access to your 2FA software or hardware. Cloud sync or backup of your authenticator secrets, for example Google Authenticator syncing to your Google account, should also be disabled so that your 2FA secrets and backup codes are managed by you directly and stored nowhere else! Whoever holds the secret can generate every future code for that account.
Having an antivirus is an essential step in your device security. Malwarebytes, specifically the premium version (this is not an ad, this is our professional opinion), provides proactive detection and automatic file scanning. Users generally assume that a new device comes with adequate security or antivirus already built in; do not rely on that assumption. Having a dedicated antivirus like Malwarebytes is crucial when you self-custody, given the nature of the space.
An adblocker also goes a long way. When you perform a Google or Bing search, the top results are very often sponsored ads, and scammers buy those slots to put links to fake versions of real sites in front of you. uBlock Origin, a free open-source adblocker, removes those ads so you cannot accidentally click on a fake result.
"It's all about what your risk tolerance is; if you're keen on safeguarding your assets it makes sense to employ device segregation, or for example not putting your entire seed phrase on a single piece of paper or keeping all your assets in one wallet - it's convenience over security." - Ohm
Device and account segregation is an easy win. It's the concept of not keeping all your eggs in one basket. For example, having hot wallets for your occasional mints while keeping a completely separate cold wallet for assets you don't plan on selling or interacting with. This way, if you interact with a bad contract or signature, or if you leak your seed phrase or private key, you are not compromising all your assets in one go. The same concept can apply for browser profiles which is a way to segregate your daily browsing activities from one another, for example having a browser profile dedicated to social networks/shopping, while you have a completely separate one for your crypto related activities.
Social engineering is the practice of using your emotions against you. There are several red flags to look out for, especially when you are not the one initiating the interaction: you receive a text message, email, phone call or other communication telling you to perform an action, like clicking on a link, going to a website, or installing or opening a file; you are told that it is time sensitive and must be done now; or you are told not to tell anyone else about what is happening.
Sometimes scammers perform what is called pig butchering, or romance scams, where the social engineering takes place over days, weeks or even months. In these scenarios people are socially engineered into thinking the scammer they are talking with is actually someone attempting to help them, provide a job opportunity, be their friend... until the scammer has gained their trust and hits them with a link or attachment that may compromise their device or assets.
"Up until several years ago software (viruses, hacking, etc.) was a big attack vector, now it's shifting to social engineering since it's easier to scam people which is why it's very important to be able to recognize when you are being socially engineered." - Marco
98% of compromises start with some level of phishing, whether it's an email, a text or a phone call. Very few hacks are truly technical exploits. Many corporations and businesses have begun running internal pentests and phishing campaigns to ensure their employees are aware of these types of threats. These practices should not be limited to web2 companies; web3 companies and anyone who chooses to self-custody should adopt them as well.
When you are using software there is a level of trust you put into the provider, especially if the product is not open-source and you don't know what the internal operation of the software truly is.
LastPass is a major example of a company that is supposed to provide security via a password manager yet has had its customer data compromised multiple times. This results not only in credentials like usernames and passwords being leaked, but also compromises those who chose to use the software to store their 2FA backup codes, private keys or seed phrase.
Regardless, you should never store your 2FA backup codes, private keys or seed phrase digitally (this includes taking a picture of it, texting it, emailing it, saving it as a file on your computer, keeping it in a notes app, etc.).
The importance of a personal audit of your own data is at an all-time high. Think of all the apps and extensions you have installed over time on your devices and forgotten about, or the accounts you created over time and left your data in. These third-party services and apps sit on your device, run in the background, and are potentially exploitable, among many other risks. Doing this same digital audit with your family, to ensure they are not actively being socially engineered or having their data mined, and agreeing on a safe word in case of an emergency, is essential.
"...make sure you don't have extra copies of your data in multiple different places - reduce your data scatter." - Michael
Popular accounts being compromised and used to distribute scam links is becoming more and more common, like what just happened to the founder of Ethereum, Vitalik. SMS (text based) 2FA was disabled on his account, but his phone number was still tied to the account as a recovery method, so once the attacker performed a SIM swap they were able to gain access to his account.
Remove your phone number as a recovery method from your accounts immediately! This includes your email addresses (ex. GMail), social networks (ex. X) or any other accounts where you are using it as a recovery or 2FA method. A phone number is the weakest form of security for your account. In a SIM swap the attacker socially engineers your phone provider into believing they are you and transferring your number to their SIM; this is completely out of your control, therefore eliminating it as an attack vector on your accounts is crucial.
For example, to remove your phone number from your X account:
· Settings > Your Account > Account Information > Remove phone (ensure you have your email as a sign-in method before doing so)
· Settings > Security > 2 Factor Authentication > Turn off text message authentication and use a software/hardware method instead
"SMS (text based) 2FA can be weaker than having a strong password." - Ohm
There has been an influx of scam ads on search engines as well as social networks. Staying vigilant is important to determine whether what you are about to interact with is an ad or not.
We are in a bear market and there are already a lot of scam ads, so imagine how much more aggressive scammers will be about getting their links in front of you when the bull market comes. This is an important reference back to our mention of using an adblocker like uBlock Origin, which stops many of these scam ads on search engines in the first place.
"The concept of focusing on education first, how can we expect the masses to onboard if they can't differentiate a scam from a real source." - Michael
If you need help be sure to ask your questions in public forums in order to have the responses vetted publicly. Once someone messages you privately they may give you completely different answers as opposed to what they would have said in a public scenario.
"If something doesn't feel right, stop what you are doing; re-evaluate the situation you are in." - Montoya
MetaMask Snaps launched this month and we have the privilege of speaking with Montoya from the MetaMask Snaps team.
MetaMask has been working on Snaps for a few years. Giving users the ability to access new features inside of MetaMask from other chains, tools and dApps greatly opens the door for interoperability. You are in complete control of how you can use Snaps to customize your wallet!
"...for example, transaction insight Snaps (like Wallet Guard) let users see insights on their transaction before confirmation, showing you a simulation of the outcome of a transaction... so that you can avoid getting phished or scammed." - Montoya
Snaps are isolated by default, leaving the user in complete control. All Snaps in the open beta launch are fully audited, open-source and directly reviewed by the MetaMask team. Multiple measures have been taken to make sure the integration of Snaps is as safe to use as possible.