By Kirsty Moreland
May 10, 2022 | Updated Oct 24, 2022
Read 5 min
Beginner
| Key Takeaways: |
| — There are some threats even a hardware wallet can’t protect you from – so understanding threat vectors is key to knowing how to protect your crypto yourself — Cyber attacks are online and hackers will use the internet to get access to your keys. — Social engineering attacks are done by scammers who will get you to relinquish control of your keys by gaining your trust. — Hardware wallet theft and sophisticated physical attacks like power glitching and side-channel attacks rely on (1) the ability to physically compromise your device. |
Crypto offers a powerful way for people to gain control of their own money, but that power comes with great responsibility. There are a number of different ways clever scammers can steal your crypto, here we do a full audit on every angle, so you know exactly how to protect yourself.
We all know the drill: the security of your crypto depends on your wallet. But listen, there are still some threats even a wallet cannot protect you from – not even your Ledger.
The only way to really be sure you’ve properly secured your precious crypto is to understand the different types of threat that exist, and what type of defense – your wallet, or your own knowledge – needs to be deployed in order to avoid it.
So here, we’ve broken down different crypto threat vectors into three distinct categories,with an explanation of what’s needed to protect yourself against it. Ready for the ultimate crypto security glossary? Let’s dive in!
Cyber threats (hacking, malware): The vulnerability of the internet
Your internet connection is the biggest threat to your private keys. Anything connected to the internet – including your crypto wallet – is vulnerable to cyber threats. It’s that simple.
There are a couple of ways this can happen:
- Let’s say you’re using a hot wallet or holding your crypto using an exchange. If the platform is hacked, your keys are at risk of being stolen through the internet.
- Clicking on a malicious link could provide the hacker with remote access to your device and extract things such as your private key or your seed phrase.
How to protect yourself From Online Threats
Since crypto wallets can be subject to hacks, the only way of really keeping your keys safe is by using a wallet that’s not connected to the internet.
The whole premise of a hardware wallet like the Ledger Nano is to keep both your private keys and your seed phrase offline and away from cyber threats.
Never Expose your Private Keys, Even When You Transact
And what about when you’re interacting with online applications? Even here, your Nano also acts as a venue for transactions to be signed offline, meaning your data lives safely in your device even while the important information is communicated online to make the transaction happen. Here’s how that works.
Generate your Recovery Phrase Offline – and Keep It There
Securing your crypto is not just about moving your existing private keys offline – it’s about making sure they are never online to start with.
A Ledger device generates your recovery phrase (the shorthand for all of the private keys in your wallet) offline from the very beginning, communicating it to you in a completely offline environment, via the screen of the device. This gives you complete control over your wallet, while still ensuring that none of your sensitive data is ever exposed to an online environment.
But ultimately, how you store that seed phrase is down to you – storing it on a connected device will defeat the whole purpose of using a Ledger.
Online Threats = Offline Wallet
So in short, your crypto is vulnerable to this category of threats any time your private keys are online – but don’t worry, that can easily be solved by using a Ledger to secure your private keys. As long as you use the device properly and secure your seed phrase safely, these threats can be completely overcome, leaving you free to forget your worries and explore the ecosystem.
Physical threats: theft or attack of your hardware device
Using a hardware device to keep your private keys offline is a great move. But it does mean you need to be mindful of a new threat vector – theft or probing of the device itself.
Say your hardware wallet is taken from you; how can you be sure your precious crypto will remain safe, even if the device is in strange hands? Let’s check it out.
A PIN Code Set By You
A hardware wallet is only as secure as its PIN code. It’s the front line of defense against intruders and it’s the only part of security that you set for yourself.
This is why Ledger allows you to set your own code and even determine its length, up to eight digits. This ensures that no matter who has your Nano, only you can access it. And if the wrong PIN code is entered three times, the device automatically bricks (performs a factory reset), meaning your device keeps out even the most opportunistic thief.
Advanced Passphrase
Most devices have a 24-word recovery phrase as a backup. Ledger has a 25th word passphrase on top of that too. It’s an advanced security feature that adds an extra layer of security to keep your funds secret even if you’re under duress. This 25th word allows you to access a secondary, “secret” wallet from your regular device, allowing you to leave the bulk of your crypto in this secret wallet and protect it in any situation.
Physical Hacks to the Hardware
If your device falls into the wrong hands, you may face a more sophisticated threat – a physical hack of the device. With sophisticated attacks from expert hackers such as power glitching, side-channel attacks, and software hacks like attacking a Hardware Security Module, hardware wallets can be vulnerable if they don’t have the right fortification.
Ledger’s hardware wallets are designed to protect your sensitive data against online AND physical attacks, with features in place to offer the very highest level of security. There are a couple of important factors that set Ledger devices apart in their layers of protection against physical attacks:
Secure Element: The Impenetrable Chip
Ledger uses a Secure Element chip, which is found in things like passports and credit cards where high-end security is needed. Ledger hardware wallets are the only wallets in the industry that uses a Secure Element chip, protecting you and your private keys against attacks like laser attacks, electromagnetic tampering, and power glitches.
BOLOS Operating System: Isolating Each Application
The problem with some hardware wallets is that they use a monolithic system, managing all of the applications they contain as one. Ledger’s custom operating system, BOLOS, ensures that all of the apps and crypto accounts within your Ledger device are managed separately. For you, this means that even if an application was ever compromised via an attack, the damage would be isolated to that application, and would not impact the rest of your wallet.
The Donjon: Constantly Checking Your Security
To make sure your wallets are always safe from hacking, we have a team of internal good-guy hackers to test and find any potential chinks in our armour. The Ledger Donjon is our internal security evaluation team made up of security experts to conduct constant, extensive hacks to the hardware, establishing any possible point of failure that might impact your security. The Donjon work hand-in-hand with Ledger’s Firmware development and hardware team to scrutinize the security of the devices, make sure only state-of-the-art security measures are in place that can withstand any attempts to attack, and constantly upgrade our system accordingly.
Physical Threats Require The Safest Hardware Device
Using a hardware device to secure your private keys protects you from online threats but could potentially leave you open to physical attacks on the device. That’s why it’s so crucial to choose a device that not only uses the safest components but continually seeks to improve its systems to ensure absolutely nothing can permeate the device.
By choosing a Ledger, you can secure your private keys and forget about them – the components and system keep your wallet airtight from physical attacks.
Social engineering threats – YOU are the weak link
Some hackers don’t play the internet or the code, they play the people. In social engineering attacks, scammers will create a fake situation to gain your trust, getting you to open the door and let them access your data under false pretenses. We see this approach in attacks like phishing and pharming (site addresses that look the same as a legit site but aren’t).
Blind Signing: Scammers’ Paradise
Smart contracts enabled the whole ecosystem of Dapps we now enjoy, but they came with a bit of a caveat.
Some smart contracts can’t be properly read by certain crypto wallets, meaning you can’t be 100% sure what you’re actually signing. It becomes a blind spot and you have to trust the other person behind the smart contract. Scammers use this blind spot by creating scenarios that will convince you to approve a transaction that’s not legitimate. You might think that you’re minting an NFT, but instead the smart contract is drawn to take a precious NFT of yours.
Clear Signing with Ledger’s Ecosystem
Ledger is more than just a crypto wallet – it’s a safe gateway to Web3. Ledger Live is Ledger’s platform of integrated applications; for each integration, users are able to clear sign transactions using their Ledger Nano and see exactly what they’re agreeing to each time. This gives you more transparency than ever when you interact through the Ledger ecosystem, and adds a huge layer of protection from social engineering scams.
BUT no matter how secure and transparent our wallets are, Ledger won’t be able to prevent a scammer accessing your private keys if you’re the one giving them access. This is why it is so important to understand how crypto works and how to assess a transaction for yourself – and we’re here to help you do that.
The One Thing Ledger Can’t Protect you From
Even Ledger can’t completely protect you from social engineering scams – here, only YOU can defend your crypto, and this means understanding it deeply for yourself. Learning how to read a smart contract, avoiding blind signing and taking a cautious approach to anything suspicious is a fantastic start to securing yourself against social attacks.
To that end, Ledger’s Academy is a treasure trove of information on crypto security, taking a deep dive into how to keep your keys safe sets you up nicely to identify anything that comes your way. So although Ledger can’t offer you complete protection from clever scammers, by bringing you clear signing and a raft of educational materials, Ledger gives you the tools you need to be the ultimate gatekeeper for your crypto.
You Are the Gatekeeper
Congratulations! You just complete a full audit of how crypto gets stolen and you’re in a perfect position to explore Web3. Understanding the crypto ecosystem – and your role in your own cryptocurrency’s security – is crucial to the safety of your coins and tokens.
Ledger wallets are the safest option for anyone using crypto, but even a Nano cannot protect you from every threat. That’s why we’re here to make sure you understand exactly how you can protect yourself. So get free and KEEP ON LEARNING, in crypto you are the master of your own destiny.
LFG!
Knowledge is power.
Blind signing is one of the biggest threats you face as a crypto holder – here, we explain in detail, so you can protect yourself. Thanks School of Block.
