Course: Crypto Wallets

Video lesson

MetaMask Security: NEVER Get Hacked Again

Practical Security Tips for MetaMask Users


Why MetaMask Security Matters: Building the Foundation of a Safe Crypto Journey

In a world where digital assets are transforming the financial landscape, the importance of secure wallets cannot be overstated. With over 30 million active users, MetaMask has become a leading gateway for engaging with decentralized finance (DeFi), NFTs, and other blockchain applications. But with popularity comes risk. Hackers and scammers have zeroed in on MetaMask as a prime target, making it crucial for users to understand the security measures that can protect their assets. This lesson is your essential guide to staying safe in the crypto world. You’ll uncover practical, easy-to-implement steps to secure your MetaMask wallet, safeguard your seed phrase, and prevent common attacks. Let’s dig in and turn cautious security practices into a powerful defense strategy—because in the crypto universe, your vigilance is as valuable as your assets.
Breaking Down the Security Essentials

MetaMask security is more than a technical precaution; it’s a foundational aspect of participating in the crypto economy. This lesson covers a series of practical tips to secure your wallet, starting with strong passwords and moving to advanced practices like token approval management. The main message is clear: while blockchain technology is inherently secure, human error and social engineering can open doors for hackers. By following simple but effective steps—like avoiding public Wi-Fi and regularly cleaning browser data—you can fortify your wallet against common threats.

A striking point made here is that the biggest vulnerabilities aren’t necessarily in MetaMask itself but in the user’s practices. Phishing attacks, compromised passwords, and unsafe networks are primary gateways for theft. By developing safe habits and understanding the key security features MetaMask provides, you not only protect yourself but also become part of a secure crypto ecosystem, furthering the goals of the CFIRE training program.


Critical Analysis

Strengths of MetaMask Security Practices

MetaMask security practices are well-designed for a user-focused approach, emphasizing accessible yet impactful actions that anyone can take. Here’s a closer look at why these practices are essential:

  1. Password Strength and Management: Passwords are the front-line defense against unauthorized access. Using strong, unique passwords minimizes the risk of unauthorized wallet access and deters hackers who often target easy-to-crack credentials. A password manager provides an added layer of security, enabling users to store complex passwords without the risk of forgetting them. This is especially relevant in crypto, where a compromised wallet can mean irreversible loss.

  2. Offline Seed Phrase Storage: The seed phrase is the master key to a wallet. MetaMask emphasizes keeping this phrase offline, either written on paper or stored in a durable metal wallet, protected from both digital and physical threats. This approach mirrors best practices in traditional finance, where high-value assets are safeguarded with extra security measures.

  3. Hardware Wallet Integration: MetaMask supports hardware wallets, allowing users to secure their assets offline. While slightly less convenient, this is an invaluable tool for those holding large crypto portfolios, providing a physical barrier that online-only wallets can’t match.

  4. Token Approval Management: MetaMask users can limit how much access a dApp (decentralized application) has to their funds, preventing malicious contracts from draining their assets. This level of user control isn’t just a security feature—it’s an empowerment tool, giving users oversight of where and how their funds are used.

These security features are powerful reminders of MetaMask’s focus on user empowerment, giving individuals more control over their digital assets.


Limitations and Potential Weaknesses

However, there are areas where MetaMask’s approach to security could be expanded:

  1. Dependence on User Vigilance: While MetaMask provides robust tools, it ultimately depends on users recognizing phishing scams and taking proactive security measures. For less tech-savvy individuals, the complexities of managing passwords, avoiding phishing links, and understanding token approvals can be daunting.

  2. Public Wi-Fi Caution: Avoiding public Wi-Fi for crypto transactions is prudent, but users may lack alternatives, especially when traveling or accessing MetaMask in public settings. While VPNs offer a solution, many users are unfamiliar with how to use them effectively.

  3. Limited Built-in Education: MetaMask could benefit from incorporating educational prompts directly in the app. For example, pop-up reminders on token approvals or phishing alerts could bridge the gap between user knowledge and practical action, enhancing the platform’s safety without relying solely on the user’s pre-existing knowledge.

By addressing these gaps, MetaMask could expand its impact on wallet security, especially as the crypto space attracts more mainstream users who may be less aware of these digital threats.


Connections to Cryptocurrency and Blockchain

In traditional finance, risk management is essential, and crypto security is no different. The same principles that guide banking security are applicable in the decentralized world—protecting access points, understanding permission settings, and being vigilant against social engineering.

  • Crypto Connection: Hardware Wallets as a Safety Vault: In the crypto ecosystem, a hardware wallet acts as a personal “safety deposit box,” allowing users to store assets offline and significantly reduce vulnerability to online attacks. This concept is particularly relevant to those holding valuable digital assets, akin to how high-net-worth individuals use vaults or custodial services.

  • Phishing in Decentralized Finance (DeFi): DeFi has opened new avenues for financial independence, but phishing remains a significant threat. Unlike traditional finance, where banks have mechanisms to detect and potentially reverse fraud, crypto users are solely responsible for their security. Projects like MetaMask provide tools, but awareness and caution are the user’s best defense.

  • Token Approvals and User Control: Unlike bank transactions, crypto transactions rely on smart contracts. MetaMask’s token approval process allows users to set boundaries, ensuring their funds are not over-exposed to third-party dApps. This system parallels spending limits on credit cards but goes further, enabling granular control over each contract interaction.

These parallels highlight the unique position of crypto users as both custodians and guardians of their assets, a role that underscores the importance of the CFIRE training program’s focus on secure, informed participation in the crypto ecosystem.


Broader Implications and Future Outlook

MetaMask security best practices extend beyond individual wallets; they’re part of the larger evolution of digital finance:

  1. Strengthening User Education: With the growth of DeFi and crypto adoption, educating users on security is paramount. As crypto goes mainstream, platforms like MetaMask may need to invest more in user education, potentially developing in-app prompts or interactive guides that reinforce safe practices.

  2. Enhanced Decentralized Security Solutions: As DeFi matures, decentralized security tools could become the next big innovation. Protocols are beginning to explore decentralized identity verification systems and contract-based insurance solutions, offering protection against unauthorized access or fraudulent interactions without compromising decentralization.

  3. The Role of Decentralized Finance (DeFi): DeFi’s popularity increases the need for robust security measures. Newer solutions, such as multi-signature wallets and decentralized insurance, promise additional layers of protection. These tools, which allow for greater safety without centralized oversight, could evolve into foundational elements of decentralized finance.

Emerging technologies, like blockchain-based ID verification and decentralized insurance models, may well redefine the standards of security in the future. As more people join the crypto space, the focus will likely shift towards seamless, built-in security features—making robust wallet security an integral part of the experience.


Personal Commentary and Insights

From an educational standpoint, it’s encouraging to see the crypto community emphasizing wallet security. For many, this lesson in MetaMask security may serve as their first encounter with decentralized finance, setting the stage for a lifetime of cautious, responsible engagement with digital assets.

As someone who has watched the space evolve, it’s clear that security can’t be treated as an afterthought. Just as traditional finance enforces standards and protections, so too must the crypto world. Security is foundational to DeFi’s future success—if users don’t feel their assets are safe, they won’t stay. MetaMask’s emphasis on user empowerment and control is a positive step, but I’d encourage users to take every piece of advice seriously and continue to learn about security measures as new threats and tools emerge.


Conclusion

MetaMask security tips provide a blueprint for anyone looking to protect their digital assets in a dynamic, decentralized landscape. From password strength and seed phrase protection to managing token approvals, these steps empower users to maintain a high level of security. The takeaway is simple: while blockchain technology offers unprecedented security, the user’s vigilance is the final safeguard.

As crypto adoption grows, so too must our awareness and proactive approach to securing assets. By adopting these security best practices, users aren’t just protecting their own assets—they’re contributing to the broader stability of the crypto ecosystem. Continue your journey in the Crypto Is FIRE (CFIRE) training program with the confidence that comes from understanding and applying these crucial security principles.

Quotes

  1. “In the crypto universe, your vigilance is as valuable as your assets.”
  2. “While blockchain technology offers unprecedented security, the user’s vigilance is the final safeguard.”
  3. “MetaMask’s token approval process gives you the power to control how your funds interact with the decentralized world.”

Up Next

Now that you’ve mastered the fundamentals of wallet security, you’re ready for the next step. Dive deeper into the CFIRE training program to build on this knowledge and become a more confident, secure participant in the crypto ecosystem.
Protecting Your MetaMask: Essential Security Tips to Safeguard Your Crypto Assets

MetaMask, with its vast popularity of over 30 million users, has become a prime target for hackers and scammers. In traditional finance, managing risk is key, and crypto is no different. This lesson dives into the vital steps you can take to secure your MetaMask wallet and keep your assets safe from potential threats. Through practical strategies and best practices, you’ll gain confidence in navigating the crypto space securely. Protecting your digital assets isn’t just about caution—it’s about empowerment, making sure you’re well-equipped to thrive in the Crypto Is FIRE (CFIRE) training program.


Core Concepts

  1. Password Security: Just as banks require secure access, a strong, unique password is crucial for your MetaMask wallet. This minimizes the risk of unauthorized access.

  2. Seed Phrase: Analogous to a PIN for bank cards, the seed phrase grants full access to your wallet. It’s your “crypto key”—keep it safe and offline.

  3. Phishing Scams: Similar to email phishing in traditional finance, crypto phishing can trick you into revealing sensitive info. Awareness and vigilance are essential.

  4. Hardware Wallets: Comparable to a safety deposit box, hardware wallets add a physical layer of protection by keeping your assets offline.

  5. Token Approval Management: Like setting limits on credit card transactions, this allows you to control the level of access dApps have to your funds, helping prevent unauthorized asset use.

  6. Browser Profile Security: Parallel to using private banking sessions, a dedicated browser profile isolates your wallet, reducing exposure to malicious extensions.

  7. Avoid Public Wi-Fi: In finance, public Wi-Fi increases hacking risks; the same goes for crypto. Always use a secure connection for wallet activity.


Key Sections

1. Password Strength: Your First Line of Defense

  • Key Points:

    • Use a strong, unique password for MetaMask.
    • Reuse of passwords is risky, especially with frequent data breaches.
  • Explanation: Password security might feel redundant, but it’s essential. Many crypto breaches occur because users share passwords across platforms, making them vulnerable. Instead, opt for a password manager, which helps store complex passwords safely.

  • Crypto Connection: In crypto, your wallet’s password is akin to locking the front door to your digital assets. Given the irreversible nature of blockchain transactions, one password compromise could mean permanent asset loss.


2. Guarding Your Seed Phrase Like a Safe Deposit Box Key

  • Key Points:

    • Write your seed phrase down on paper; store it offline.
    • Consider metal wallets for physical durability (fire, water resistance).
  • Explanation: The seed phrase is the ultimate key to your wallet—losing it or exposing it could result in irrevocable loss. Physical storage ensures it remains out of hackers’ digital reach, while durable storage solutions (metal wallets) offer extra peace of mind.

  • Crypto Connection: This is your unique recovery method, like having a backup key to a vault. Just as bank vaults aren’t easily duplicated, keeping your seed phrase offline and protected guarantees a stronghold on your assets.


3. Staying Vigilant Against Phishing Scams

  • Key Points:

    • Beware of phishing sites and emails.
    • Verify MetaMask URLs and avoid unsolicited emails.
  • Explanation: Phishing scams mimic legitimate sites to capture sensitive data, like your seed phrase. Cybercriminals have mastered realistic emails and website replicas that fool even the savviest users. Always verify URLs directly through the official MetaMask website.

  • Crypto Connection: Just as phishing scams target bank customers in traditional finance, the crypto world is rife with fake MetaMask extensions and phishing links. With crypto transactions, one misstep is irreversible, so vigilance here is vital.


4. Using a Hardware Wallet for Extra Protection

  • Key Points:

    • Store the majority of assets offline in a hardware wallet.
    • Hardware wallets offer added security, although less convenient.
  • Explanation: Hot wallets like MetaMask are ideal for active transactions but remain exposed online, increasing vulnerability. A hardware wallet provides offline storage, safeguarding assets from online threats.

  • Crypto Connection: This is the closest crypto gets to a “safety deposit box.” By moving long-term holdings offline, you drastically reduce risk while staying ready to trade with assets in your hot wallet.


5. Token Approvals: Manage Permissions Wisely

  • Key Points:

    • Control how much access dApps have to your tokens.
    • Regularly review and revoke unnecessary permissions.
  • Explanation: Certain decentralized applications (dApps) request unlimited spending permissions. Limiting these permissions and checking them regularly prevents malicious dApps from unauthorized asset withdrawals.

  • Crypto Connection: Token approvals in crypto mirror credit card authorization settings. By managing these permissions, you protect your assets from misuse—just as you would set spending limits or review credit transactions in traditional finance.
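The permission check described in the Explanation above (and the Edit Permissions / unlimited-allowance discussion in the video transcript further down) can be made concrete. The following is an added example, not MetaMask’s own code: it decodes the calldata of a pending ERC-20 `approve` or ERC-721 `setApprovalForAll` request, flags an effectively unlimited allowance or an unknown spender, and rewrites an unlimited `approve` down to a capped amount. The spender and token addresses and the allow-list are constructed placeholders; the two function selectors are the standard ones from the ERC-20 and ERC-721 ABIs.

```javascript
// Added example (not MetaMask's own code): inspect an ERC-20 / ERC-721 approval
// request before it is signed, and cap an unlimited ERC-20 allowance the way the
// "Edit Permissions" step does. Pure Node.js (>= 16, for BigInt), no dependencies.

// Standard 4-byte selectors: first four bytes of keccak256 of the function signature.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20: allow `spender` to move up to `amount`
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721/1155: allow `operator` to move every token
};

const MAX_UINT256 = (1n << 256n) - 1n;
// dApps asking for "unlimited" usually pass MAX_UINT256, but any allowance at or above
// 2^128 base units exceeds every real token supply and is treated as unlimited here.
const EFFECTIVELY_UNLIMITED = 1n << 128n;

const strip0x = (h) => (h.startsWith("0x") ? h.slice(2) : h).toLowerCase();
const pad32 = (hex) => hex.padStart(64, "0");
// i-th 32-byte ABI word (64 hex chars) following the 8-hex-char selector.
const word = (data, i) => data.slice(8 + 64 * i, 8 + 64 * (i + 1));

// Build approve(spender, amount) calldata; `amount` is a BigInt in token base units.
function encodeApprove(spender, amount) {
  if (amount < 0n || amount > MAX_UINT256) throw new RangeError("amount outside uint256");
  return "0x095ea7b3" + pad32(strip0x(spender)) + pad32(amount.toString(16));
}

// Decode approval calldata into { fn, spender, amount | approved, unlimited },
// or return null when the transaction is not an approval at all.
function decodeApproval(calldata) {
  const data = strip0x(calldata);
  const fn = SELECTORS[data.slice(0, 8)];
  if (!fn || data.length < 8 + 2 * 64) return null;
  const spender = "0x" + word(data, 0).slice(24); // address sits in the low 20 bytes of its word
  const value = BigInt("0x" + word(data, 1));
  if (fn.startsWith("approve")) {
    return { fn, spender, amount: value, unlimited: value >= EFFECTIVELY_UNLIMITED };
  }
  // setApprovalForAll(true) hands over every token id the wallet holds in that collection.
  return { fn, spender, approved: value === 1n, unlimited: value === 1n };
}

// Pre-signing verdict for a pending transaction. `knownSpenders` is a constructed
// allow-list of contract addresses the user has chosen to trust.
function assessApproval(tx, knownSpenders = []) {
  const approval = decodeApproval(tx.data || "0x");
  if (!approval) return { verdict: "not-an-approval", reasons: [] };
  const reasons = [];
  if (approval.unlimited) reasons.push(`unlimited ${approval.fn} granted to ${approval.spender}`);
  if (!knownSpenders.map((a) => a.toLowerCase()).includes(approval.spender)) {
    reasons.push("spender is not in the allow-list");
  }
  const verdict = approval.unlimited ? "block" : reasons.length ? "warn" : "ok";
  return { verdict, reasons, approval };
}

// Rewrite an ERC-20 approve so the allowance never exceeds `cap` (the Edit Permissions fix).
function capApproval(calldata, cap) {
  const approval = decodeApproval(calldata);
  if (!approval || !approval.fn.startsWith("approve")) {
    throw new Error("only ERC-20 approve(address,uint256) can be capped");
  }
  return encodeApprove(approval.spender, approval.amount > cap ? cap : approval.amount);
}

// Constructed sample: a dApp at a placeholder address asks for an unlimited allowance
// on an 18-decimal token; the user only intends to spend 100 tokens.
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111"; // placeholder, not a real contract
const SAMPLE_TOKEN = "0x2222222222222222222222222222222222222222";   // placeholder, not a real contract
const ONE_TOKEN = 10n ** 18n;

function demo() {
  const requested = { to: SAMPLE_TOKEN, data: encodeApprove(SAMPLE_SPENDER, MAX_UINT256) };
  const before = assessApproval(requested, [SAMPLE_SPENDER]);
  const capped = { to: SAMPLE_TOKEN, data: capApproval(requested.data, 100n * ONE_TOKEN) };
  const after = assessApproval(capped, [SAMPLE_SPENDER]);
  return { before: before.verdict, after: after.verdict, cappedAmount: after.approval.amount };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log(`unlimited request: ${r.before}; capped to ${r.cappedAmount / ONE_TOKEN} tokens: ${r.after}`);
}
```

Revoking an existing allowance is the same call with an amount of zero, which is what a block explorer’s revoke button submits on your behalf.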


Real-World Applications

  • Historical Example: The rise in phishing scams has escalated since MetaMask’s popularity boom, similar to how online banking fraud rose with digital banking adoption. Crypto users need heightened awareness, much like early online bankers.
  • Crypto Ecosystem Impact: A secure MetaMask wallet is foundational. Without it, interactions with DeFi platforms, NFTs, and dApps risk asset loss, affecting the overall health and growth of the crypto ecosystem.

Cause and Effect Relationships

  • Weak Passwords Lead to Breaches: Weak passwords have led to countless crypto hacks, often resulting in lost funds.
  • Unsecured Seed Phrases Expose Assets: Users who store seed phrases online risk hacker access, resulting in asset drain.
  • Unchecked Token Permissions Enable Theft: Unlimited permissions to malicious dApps allow unauthorized withdrawals, leading to asset loss.

Challenges and Solutions

  • Challenge: Exposure to phishing attacks.

    • Solution: Consistently verify URLs, avoid public Wi-Fi, and never share your seed phrase online.
  • Challenge: Managing permissions with dApps.

    • Solution: Regularly review token permissions on platforms like Etherscan.
  • Challenge: Security misconceptions.

    • Solution: Learn the basics of wallet security, including hardware wallet options for long-term storage.

Key Takeaways

  1. Passwords Matter: Use strong, unique passwords for every account, especially your MetaMask wallet.
  2. Seed Phrases Stay Offline: Keep seed phrases offline to protect against digital breaches.
  3. Phishing Awareness: Always verify links and URLs—phishing scams are a common attack vector.
  4. Hardware Wallets for Large Holdings: Minimize online exposure by keeping most assets in hardware wallets.
  5. Manage Token Approvals: Check and revoke token permissions to prevent unauthorized access.
  6. Browser Hygiene: Keep your wallet in a separate browser profile to avoid malicious extensions.
  7. Avoid Public Networks: Use private Wi-Fi connections to reduce hacking risk.

Discussion Questions and Scenarios

  1. What are the potential consequences of reusing passwords across crypto accounts?
  2. How would you securely store a seed phrase? Describe your ideal method.
  3. Imagine you’re targeted by a phishing email. What steps would you take to verify its authenticity?
  4. Compare a hardware wallet’s security features with those of MetaMask.
  5. In what ways do token approvals differ from traditional financial authorizations?
  6. How might public Wi-Fi expose your wallet to risks, and how could you avoid it?
  7. Why is it important to keep MetaMask updated?

For a deeper dive into wallet security and DeFi best practices, explore these resources:

Next steps:
In the CFIRE training program, we’ll explore DeFi principles, helping you leverage crypto securely. With these foundational security practices, you’re well-prepared to dive into more advanced topics and strengthen your wallet’s defenses.


Glossary

  • Seed Phrase: A unique set of words that provides full access to your crypto wallet; must be stored offline.
  • Phishing Scam: A fraudulent attempt to obtain sensitive information, commonly seen in both banking and crypto.
  • Hardware Wallet: A physical device storing crypto offline for enhanced security.
  • Token Approval: Permissions granted to dApps to access or use tokens in your wallet.
  • Hot Wallet: A wallet that remains online, suitable for active trading but vulnerable to hacks.

Remember: each step you take to secure your wallet brings you closer to a stronger, more resilient crypto journey. Let’s move on to the next lesson in the CFIRE training program, and continue building on these essential skills!
MetaMask Security: 10 Tips to NEVER Get Hacked – YouTube

Transcript:

MetaMask has over 30 million monthly active users. This number is nothing short of impressive. However, the wallet’s popularity means that it’s in the crosshairs of hackers and scammers. Watch this video till the end to find out some of the best tips to protect your MetaMask wallet from hacks. Alright, tip number one.

Use a strong password. Yes, you’ve been told that a million times over, but that just shows how important it is to have a strong and unique password. We’ve all been guilty of reusing passwords for easy memorization, but this is highly risky, especially with data breaches happening left and right.

If you’re still skeptical, go to haveibeenpwned.com and enter your email address. Chances are you have had at least one instance of your personal information being exposed in a data breach. A great solution is to use a password manager, which stores your passwords securely so that you don’t have to worry about remembering them, allowing you to use strong and unique passwords for all your important accounts.

Even in the case of unfortunate events like the recent LastPass security breach, password managers are still overall a better solution than the alternative. Number two: protect your seed phrase like an elephant protects its calf. This means that you should consider storing your MetaMask seed phrase completely offline, preferably writing it down on one or multiple pieces of paper and hiding them well. Just don’t hide it so well that you forget how to find it.

You could also go a step further and store your seed phrase in metal crypto wallets. They are usually designed to withstand extreme physical conditions like fire and floods. Moving on, stay vigilant of phishing scams, as this is probably one of the most common ways users lose their assets. Scam artists are getting creative, and sometimes they’ll fool unsuspecting users into giving out their seed phrases or other personal information.

They may typically redirect you to their phishing websites through emails that may be customized to look like they were sent by MetaMask. Once you’re redirected to their website, they’ll trick you into inputting your seed phrase, which is something you should never do unless restoring your wallet. To make sure that you’re protected, stay alert when receiving emails, and don’t simply download files and click into random links before properly validating the sender’s authenticity, as they may download malware onto your device.
Tip number four: use a hardware wallet. It should go without saying that it’s highly risky to have the majority of your crypto wealth stored in your MetaMask wallet. Remember that hot wallets are always online, so they are more prone to vulnerabilities. Hardware wallets, on the other hand, are less convenient but reduce the risks of getting hacked.

So, consider storing the majority of your crypto on hardware wallets unless you plan to actively trade it. Though, even if you have a hardware wallet, don’t be complacent, as you are still just as vulnerable to phishing attacks. Next up we have a tip that may be often overlooked: keeping your MetaMask software up to date. MetaMask regularly releases updates, so keep an eye out for them to make sure that you’re getting the most out of their new security features.

Usually MetaMask’s software will auto-update, but just to be sure, right-click on its extension in your browser and select Manage Extension, then check for any updates. On mobile, check the App Store or Google Store for any updates. Note that phishing attempts can come in the form of fake MetaMask extensions.

To stay safe, head to the official MetaMask website, which will direct you to the legitimate extension page. Next tip: lock your MetaMask wallet when not in use. Doing this significantly reduces hacking risks compared to when it’s unlocked, for instance, cleverly timed phishing attacks pulled off by getting a hold of your wallet addresses.
This is mainly because it’s possible for websites to view your wallet address when your MetaMask wallet is unlocked. Tip number seven: don’t leave a trail of breadcrumbs for hackers to follow. Habitually do a clean-up of your browser’s cache, cookies, and history. This is a simple yet effective way of stopping hackers from getting a hold of your personal information that can be used to impersonate you.

Form a habit of cleaning your browser data at least once a week. Speaking of browsers, use a separate browser profile for your MetaMask extension. We mentioned how scam artists are getting creative, so you should be wary of malicious extensions that might have excessive permissions to read your data.

The safest route to take would be uninstalling all your Chrome extensions. However, if you must have them installed, do so in a separate browser profile. Tip number nine: don’t use public Wi-Fi. While using free public Wi-Fi is not a guarantee that you’ll be hacked, there have been multiple cases of people getting hacked using public Wi-Fi.

Usually because you don’t know who set it up or who else is connecting to it. Just to be safe, avoid any financial activity while using public networks. Now, last but not least, review and revoke token approvals regularly. To interact with smart contracts, you’ll typically be required to allow them to utilize either a specified amount or an unlimited amount of your assets.
Malicious developers take advantage of the latter to drain your wallet. Next time your MetaMask wallet requests a transaction approval, click on Edit Permissions and enter your desired spending limit so that the dApp cannot transact above the specified amount. On top of that, use a block explorer like Etherscan to see the smart contracts that have the approval to either access tokens or submit transactions on your behalf.

You can then select the specific approval that you want to cancel. Just keep in mind that you’ll have to pay a gas fee. As you can already tell, crypto scams and hacks are not going to go away anytime soon, especially with the crypto user base growing fast. Also, in most cases, scams are not outright targeting technical vulnerabilities in wallets like MetaMask.

Rather, they are targeting users like you, counting on a security slip-up. So stay vigilant by applying these tips to your MetaMask and other hot wallets in general, because ultimately, the safety of your crypto is up to you. Drop any other safety tips below and click here to find out how to avoid scam projects in crypto.

MetaMask Security – 9 Attacks and How to Stop Them 

Transcript:

The next 20 minutes could potentially be the most profitable minutes of your life in terms of dollars an hour saved. While talking about these attacks and vulnerabilities, I am in no way trying to promote fear or paranoia. I just want to get real about what you need to do to protect your money. At the end of this video, you will know every single way someone could attack your MetaMask or any other crypto wallet to try and steal your money.

You’ll understand how the attack works and what you need to do to protect yourself against it. Also, if I’m wrong on any of this, challenge me on it. If you have the knowledge and understanding the rest of us don’t, please share it with us. I’ll aggregate the new knowledge into a thread under the pinned comment, or if need be I’ll scrap this video altogether and make a new one.

Let’s get to it. There are three categories of attacks that someone could use to steal your crypto. The three categories are: first, private key vulnerabilities; second, machine vulnerabilities; and third, smart contract vulnerabilities. Now, some of you might be thinking, I use a hardware wallet connected to MetaMask, so I’m protected from all of this, right? Of the following nine attacks, using a hardware wallet only protects you from two of them, attack number three and number six.

Hardware wallets are great, but I worry they give people a false sense of security. So if you use a hardware wallet, you’ll still want to continue watching so you can understand what attacks a hardware wallet does and does not protect you from. Now let’s talk about each specific attack and defense. First up is private key vulnerabilities.

Someone with your private key can steal all your money from anywhere in the world. This results in a complete loss of funds. To understand this category, it’s important to understand that your crypto wallet is not actually a wallet. Most people think that their crypto or tokens are inside their wallet.

This is false. Crypto wallets don’t actually hold anything. What your crypto wallet is, is proof of ownership. It’s keys. And whoever holds the keys gets to use the money. Your wallet is a pair of two keys: a public key, which is related to your public wallet address, and a private key, the thing you use to sign transactions.

Your private key proves you own that money. However, if someone else gets your private key, then they also own that money because now they can sign transactions for it as well. So if someone steals your private key, they become a joint owner of your money and can steal all your tokens by sending them to a different address.

Because private keys are just long strings of random letters and numbers, wallet providers like MetaMask don’t want you to make a mistake while writing it down. Human error would be huge, and people would lose all their money just by recording their key wrong. So instead, you are given a secret recovery phrase, which is basically a human-readable version of your private key. The point I’m making is that it doesn’t matter whether they steal your secret recovery phrase or your private key; with either one they can access the ownership of your wallet. So what are the ways someone can steal your secret recovery phrase or private key? The first attack is the simplest yet most effective: you give up your secret recovery phrase willingly. Who in their right mind would do this? A lot of people. And it normally starts by going to a phishing website.

Typically, you’ll end up at this website after clicking a helpful link a scammer sends in an online forum. Or perhaps you get a private message about how you won a free giveaway or airdrop. Or perhaps, like me, you’re researching a new DeFi project and you click the link on Google rather than going straight to the source.

When you click on this link, it will take you to a website that looks exactly like the website you thought you were going to, but the URL will be wrong. This is called a phishing site. When you try to interact with the site, eventually it will show you something like this, asking you to enter your secret recovery phrase to restore your MetaMask, claim your prize money, or log into your MetaMask. Please don’t do this. So what’s your defense? Never reveal your secret phrase.

Ever. Make your secret phrase so hard to get to that by the time you have it in your hand, you’ll remember that you’re about to get scammed out of all your money. Another strategy scammers use for this attack is to get you to reveal it during a screen sharing session. This gets a lot of people because they don’t know their unlocked MetaMask contains their secret recovery phrase.

If you press Profile, Security, Privacy, then Reveal Secret Recovery Phrase. Or similarly, if you click Account Details and Export Private Key. So your defense is the same. Don’t do this. Never reveal your secret phrase or private key.

 If you’ve made an awful mistake and you think you may have revealed your private key or secret  recovery phrase, then it’s very likely that all your funds are gone. But if by some miracle,  your wallet hasn’t been completely drained yet, you have one last line of defense.  You can immediately set up a new wallet with a new private key and address and manually  transfer all your funds over to your new wallet.

There is only one situation in which you should ever mess with your private key. This is if you are setting up MetaMask on a new device or you lost your password to log into your MetaMask and you need to set up your account again. And if you find yourself in this situation, you better be typing www.metamask.io directly into the browser so you don’t end up on a fake phishing website and end up giving the keys to your wallet directly to a scammer. MetaMask will never ask you for your secret recovery phrase or private keys. So if a person or website ever asks you for your secret recovery phrase, this should immediately set off a million red flags in your head.

 The next attack is to steal your secret recovery phrase from an unsecure digital  location. I love computers, but files on your computer are inherently unsecure. Malware and  computer viruses are far too common these days, and scammers are getting better about how to trick  you into downloading them.  So what is your defense?  Don’t store your recovery phrase digitally.  Don’t put it on your computer and please don’t take a picture of it on your phone.

 Think about this.  MetaMask goes through a ton of effort to store your private key in an encrypted format to  protect you if your computer ever does get hacked.  Additionally, if you use a hardware wallet, then that company went through an even greater  effort to store your private key in an encrypted, safe way.

 Why would you undo all that effort and store an unencrypted, easy-to-steal version of your  secret recovery phrase on your computer?  Your defense is to keep two or more copies of your recovery phrase in… secure locations.  I’d recommend writing them down on a piece of paper, laminating that paper to keep it  waterproof, then storing one copy outside your home in a secure location like a bank vault.

 With self-custodial wallets, which is a fancy name for what MetaMask is,  you are the owner.  In a way, it’s the purest form of money ownership,  but it’s also the riskiest in that you assume full responsibility.  If you lose the money, then no one, including the police, can get it back for you.  Attack number three is stealing your private keys  by accessing your encrypted private key  through malware.

 Malware is malicious software you accidentally download onto your computer.  Some types of malware allow someone to download files stored locally on your computer.  Since your MetaMask encrypted private key is stored locally on your computer or phone,  if your device becomes infected with this malware, it could allow that file containing  your encrypted private keys to be stolen.

 But here’s the catch.  Even with that file, they don’t have your private keys yet.  The file containing your private keys is encrypted with your MetaMask password.  So they still need your password to decrypt and read the file.  So how does a hacker get your password?  If you use a lame password, then the hacker doesn’t even need to steal your password.

 They can just use something called a brute force attack to randomly generate your password in minutes or seconds. They can do this by running a program  that runs thousands to billions of password attempts a second against your encrypted file.  Weak passwords don’t stand a chance.

 The next way to get your password is to use a keylogger,  another form of malware that logs and records everything you type into your keyboard. Then,  stealing your password is only a matter of sifting through keyboard history.  So what are your defenses?  To protect against losing your encrypted private key, you need to protect against malware.  We’ll talk more about that in the next section.

 To protect against a brute force attack, you need a darn good password.  Short passwords and passwords with words are not going to survive brute force attacks.  Current Google wisdom says that with a strong 12-character password, you’ll be well protected  from a brute force attack.  And by strong, I mean that it doesn’t contain any words, but instead contains random digits, symbols,  and upper and lowercase characters.

In case I’ve lost you already, the reason you want a strong password is so that it will be hard to unlock your encrypted private key if someone is able to download it. Even with a strong password, you are still vulnerable to keyloggers that can just record your password while you type it in.
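To make the brute-force argument concrete, here is an added estimator (example code written for this lesson, not MetaMask’s own code) that computes how many candidates a character-by-character brute force has to cover for a given password and how long that takes at the guess rates the lesson mentions. It also models the other attacker strategy the lesson warns about: guessing whole dictionary words, which is why a password built from words falls quickly even when it is long. The sample passwords, the tiny wordlist and the 94-character printable-ASCII pool are constructed assumptions of the example.

```python
"""Brute-force cost estimator for wallet passwords.

Constructed example for this lesson, not MetaMask code. It models the two
attacker strategies described in the lesson: character-by-character brute
force at "thousands to billions" of guesses per second, and guessing whole
dictionary words when a password is built from words.
"""
import string

SECONDS_PER_YEAR = 365 * 24 * 3600
# Guess rates from the lesson: "thousands to billions of password attempts a second".
RATE_SLOW = 1e3
RATE_FAST = 1e9

# Tiny constructed wordlist standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "crypto", "wallet", "money", "secret", "horse", "correct"}


def charset_size(password: str) -> int:
    """Size of the smallest standard pool (lower, upper, digits, symbols) covering every character."""
    pools = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable ASCII symbols
    ]
    return sum(n for pool, n in pools if any(c in pool for c in password))


def brute_force_keyspace(password: str) -> int:
    """Number of candidates a character-level brute force must cover."""
    return charset_size(password) ** len(password)


def dictionary_keyspace(num_words: int, wordlist_size: int) -> int:
    """Candidates for an attacker who combines whole words instead of characters."""
    return wordlist_size ** num_words


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    return keyspace / guesses_per_second


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(keyspace, guesses_per_second) / SECONDS_PER_YEAR


def contains_common_word(password: str, words=COMMON_WORDS, min_len: int = 4) -> bool:
    """True if any (constructed) dictionary word of at least min_len letters appears in the password."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_len)


def is_strong(password: str, min_len: int = 12) -> bool:
    """The lesson's rule of thumb: 12+ random characters from all four classes, and no words."""
    return (len(password) >= min_len
            and charset_size(password) == 94
            and not contains_common_word(password))


def report(password: str) -> dict:
    """Summarise how long a full character-level brute force would take at both rates."""
    space = brute_force_keyspace(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "years_at_thousands_per_s": years_to_exhaust(space, RATE_SLOW),
        "years_at_billions_per_s": years_to_exhaust(space, RATE_FAST),
        "strong": is_strong(password),
    }


if __name__ == "__main__":
    for pw in ["password", "correcthorse", "Xq7$wL2!pR9v"]:  # constructed sample passwords
        print(pw, report(pw))
    # "correcthorse" looks like 12 lowercase letters (26**12 candidates), but an attacker
    # who tries pairs of words from a 10,000-word list needs only 10**8 guesses.
    print("two words from a 10k list at 1e9/s:",
          seconds_to_exhaust(dictionary_keyspace(2, 10_000), RATE_FAST), "seconds")
```

Run it and compare the three rows: the 8-letter word is exhausted in minutes at a billion guesses a second, the 12-character random string takes millions of years, and the 12-letter word pair is only protected by its length until the attacker switches from characters to words.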

The best defense against attack number three is to not store your encrypted private keys on your computer or phone in the first place. But that is exactly what MetaMask does by default. So the best of both worlds would be to still use MetaMask as your front end, but bypass its default key storage mechanism. To do this, you’ll need a special tool called a hardware wallet, essentially a sophisticated USB stick that keeps your private key separate from your computer or phone.

 They’re pretty nifty in the way they handle your private key so that your key never leaves  the device even when signing transactions.  Here’s a brief rundown on how hardware wallets work.  First, your private key is generated on the physical device itself, which means your private  key has never been exposed to a vulnerable computer or network.

 That’s good.  Next, when you need to sign transactions on MetaMask, an API request is sent from MetaMask to your  hardware wallet. Before proceeding, your hardware wallet will require you to physically press  a button on your device to confirm that transaction.

 Once confirmed, your hardware wallet will  create its own transaction, sign it using the private key, then return the signed transaction  to the API request. In this way, MetaMask is no longer involved in the handling of any private keys.  And the great news is that you can still use MetaMask with full functionality as your front-end  user interface, just like you would normally, but not have to worry about the unsecure way  MetaMask stores your private key.

 If you’ve ever heard the terms hot wallet and cold wallet before,  this is exactly the principle they’re talking about. Hot wallets have keys stored on devices connected to the internet and therefore vulnerable to  malware and cold wallets have private keys generated and stored on devices that are not  connected to the internet.  While hardware wallets are the safest option for protecting against attack number three,  here’s where you shouldn’t trust hardware wallets and it’s called the supply chain attack,  attack number four.

 If someone can get their hands on your hardware wallet before you buy it, then you could receive  a fake product or a real product with bad software.  Or it could come with scam instructions that lead you to use an old account with a private  key someone else already owns.  Anyway, if you get a compromised device, your funds are as good as gone.

 Luckily, the defense here is pretty simple.  Buy a hardware wallet directly from a company you trust, and never buy a used hardware wallet.  Unfortunately, many people set up their hardware wallet wrong when linking it to MetaMask and  end up still having a hot wallet that can be downloaded with malware.

 If you’re interested in learning how to connect your hardware wallet to MetaMask correctly,  or you’ve already linked one up and you just want instructions to verify that you have  set it up correctly, you can follow the links in the description.  That brings us to the end of private key vulnerabilities.

 The theme of this section is Gandalf.  Keep it secret.  Keep it safe.  Up next is machine vulnerabilities.  We’ve already discussed a lot of the principles in this section when we talked about attack  number three.  There is malware that can download files and the danger that poses if you use a hot wallet.

 There is also malware called keyloggers that can record your keyboard history to steal passwords. But there is another malware  we should probably talk about, and that is clipboard hijacking. Even a hardware wallet  can’t protect you from this one.

 Clipboard hijacking is a malware that changes the contents  of your copy and paste clipboard. It will leave the copy and pasting of ordinary text  alone so that you think everything is okay. But when you copy a wallet address, it will  change your clipboard contents to a different address, aka the scammer’s address.  So you’ll end up sending money straight to them.

 Luckily, your defense is simple.  To defend against clipboard hijacking, always verify your transaction details before confirming.  Check the address you are sending to and make sure that it also matches the address you  were intending to send to.  Another defense is to always do a test transaction.  And trust me, doing a test transaction will save you from far more than just clipboard hijacking.

 User error is the biggest reason people lose money in crypto, and test transactions are  the most beautifully simple way to avoid that. I always send $1 worth of money as a test  to make sure my money ends up going where I expect it to, and so I can confirm it was  received before sending a larger amount.

 Now let’s talk about malware in general. The truth is that malware will probably evolve faster  than most of us can keep up. I’ve gone ahead and listed this as its own attack because we have no  idea what we may face next. So what can you do about avoiding malware in general? Most people  know to use common sense and that you shouldn’t go to sketchy internet sites, click on suspicious  links, or download pirated software.

 But it’s difficult to be vigilant 100% of the time.  So a good defense is to use common sense and just be safe with your internet usage.  A better defense is to use a hardware wallet as it should protect you from all malware.  But the best defense against malware is to use a hardware wallet AND to separate your  crypto use from your work and personal computing by using a dedicated device for crypto use only.

 No software downloads, no sketchy internet browsing, no email, nothing  besides your crypto and DeFi use. You may be laughing and rolling your eyes at this  point because to avoid all risks just means we have to become hermits, right? To use crypto  and DeFi, especially when using a self-custodial wallet like MetaMask, there are risks we have  to be willing to accept. However, this next attack, infinite token approvals, is a risk you do not have to accept.

 You may not even know you’re accepting it though, because the default action is also  the riskiest action.  Let’s talk about it.  This brings us to section number three, smart contract vulnerabilities.  Every time you interact with a smart contract, you have to approve the use of your tokens.  For example, if you want to lend five tokens to a smart contract, you need to let that  contract take those tokens from your account.

The reason is because smart contracts don’t know and can’t know if you’ve sent them money. Instead, you approve the contract to take those 5 tokens from you. It’s weird, but it’s just the way smart contracts work. If you want to lend 5 tokens, you’ll approve 5 tokens. Then, as long as you actually end up using those 5 tokens in the next step by lending, staking, trading, you know, doing the thing you came to do, your token approval will be reduced by 5 and your approval will now be at zero again.

This is where we as DeFi users have made a problem for ourselves. We get whiny and complain and say, “I don’t want to spend gas to approve my tokens every single time; that costs a lot of gas fees.” So DeFi protocols listened and implemented infinite token approvals as the default action by approving an infinite number of tokens.

You no longer have to spend gas to approve your tokens every time you go to use that protocol. Thumbs up. However, this is a huge risk. Your tokens will forever remain exposed to a hack on that contract in the future. The difference between a limited approval (one where you approve and immediately use) and an infinite approval is like the difference between saying “I trust you right now” versus “I trust you forever.”

 As an example, let’s say you do the  default approval action, which is the infinite one before lending some USDC. This is safe because  currently the smart contract hasn’t been hacked and any action requiring your tokens can only be initiated by you.  However if in a month or if in five years that contract is hacked then the contract  or contract administrator can steal all your USDC.

 And here’s the real kicker.  The transaction to take your USDC doesn’t need to be approved by you because you already  approved it.  So even if you use a hardware wallet where you normally would have had to physically press buttons to do that transaction, in this case you are not  protected and the transaction can occur without any physical interaction with the device.

 The scope of this hack is limited though. The bad smart contract with which you approved  your unlimited tokens can’t steal your whole wallet, only the tokens that you’ve done  the infinite approval for. So what is your defense? Don’t do infinite token approvals.  Instead, approve only what you need at the moment.

 Approve 5, use 5, and your approval will be reset to 0.  If you approve 10, then only end up using 5, you’ll still have a remaining balance  of 5 on your approval.  So perhaps you could save gas by approving what you think you’ll need for the next  week.  This still reduces your risk exposure while also saving on gas fees.

To change the default unlimited approval, click View Full Transaction Details, then click Edit. Notice how the current proposed approval limit has an “E+59” in it. That means 1.15 times 10 raised to the 59th power, basically infinite. To change this, click Custom Spend Limit, enter the number of tokens you want to approve, and click Save.

I trust the smart contracts I use, but I wouldn’t go as far as to say I trust them forever by giving them unlimited approval. But what if you’ve already exposed your assets by giving infinite token approvals because you didn’t know about this yet? You can use a tool called DeBank to see your approvals and decline them.

What’s happening behind the scenes is you’re just doing another approval with that contract, but with a value of zero rather than infinite. If you don’t trust DeBank, many modern blockchain explorers like PolygonScan, BscScan, and Etherscan also have an approval section where you can do the same action as you would on DeBank.
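Here is an added Python model (example code written for this lesson, not MetaMask’s or any protocol’s code) of the approval mechanics described in the last few paragraphs: approve 5 and use 5 leaves an allowance of 0, an unlimited approval stays open after use, the spender moves tokens with transferFrom without any signature from the owner, and revoking is just another approve() with a value of zero. It also decodes the approve() calldata behind MetaMask’s “View Full Transaction Details” so you can read the spender and amount yourself and recognise the uint256 maximum (the 1.15E+59 figure on an 18-decimal token). The Token class, the placeholder addresses and the 2**128 “effectively unlimited” threshold are assumptions of the example; the approve() selector 0x095ea7b3 is the standard ERC-20 one.

```python
"""ERC-20 allowance model and approve() calldata inspector.

Constructed example for this lesson, not MetaMask's or any protocol's code.
It shows (1) why a limited approval goes back to zero after use while an
unlimited one stays open, (2) that the spender moves tokens with transferFrom
and the owner signs nothing at that point, and (3) how to read the amount out
of the approve() call MetaMask asks you to confirm, and what a revoke looks like.
"""

UINT256_MAX = 2**256 - 1  # the "infinite" approval; about 1.16e59 whole tokens on an 18-decimal token
# First 4 bytes of keccak256("approve(address,uint256)"), the standard ERC-20 selector.
APPROVE_SELECTOR = "095ea7b3"
# Assumption for this example: anything this large is treated as "effectively unlimited",
# since some dapps use other huge constants rather than the exact uint256 maximum.
UNLIMITED_THRESHOLD = 2**128


class Token:
    """Minimal ERC-20 balance/allowance model (constructed, not a real contract)."""

    def __init__(self):
        self.balances = {}
        self.allowances = {}  # (owner, spender) -> amount

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def approve(self, owner, spender, amount):
        # Called by the owner; approve(spender, 0) is the "revoke" the lesson describes.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """Called by the spender (the contract). The owner does not sign this."""
        allowed = self.allowance(owner, spender)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        # Common implementation convention (e.g. OpenZeppelin's ERC20): an unlimited
        # allowance is never decremented, so it stays open until revoked.
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount) the way a wallet submits it."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata: str):
    """Return (spender, amount) from approve() calldata, or raise if it is something else."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    if data[:8].lower() != APPROVE_SELECTOR or len(data) != 8 + 64 + 64:
        raise ValueError("not an ERC-20 approve() call")
    return "0x" + data[8:72][-40:], int(data[72:136], 16)


def is_unlimited(amount: int) -> bool:
    return amount >= UNLIMITED_THRESHOLD


def human_amount(amount: int, decimals: int = 18) -> str:
    """Whole-token view, matching the 'E+59' figure the lesson points at for the uint256 maximum."""
    return f"{amount / 10**decimals:.2e}"


def demo():
    """Walk through limited vs. unlimited approval; returns values a test can check."""
    token = Token()
    alice, protocol, attacker = "alice", "protocol", "attacker"  # constructed labels
    token.mint(alice, 100 * 10**18)

    # Limited approval: approve 5, the protocol pulls 5, allowance is back to 0.
    token.approve(alice, protocol, 5 * 10**18)
    token.transfer_from(protocol, alice, protocol, 5 * 10**18)
    limited_left = token.allowance(alice, protocol)

    # Unlimited approval: the protocol pulls 5, but the allowance is still unlimited.
    token.approve(alice, protocol, UINT256_MAX)
    token.transfer_from(protocol, alice, protocol, 5 * 10**18)
    unlimited_left = token.allowance(alice, protocol)

    # Later compromise: whoever controls the spender moves the rest with no signature from alice.
    token.transfer_from(protocol, alice, attacker, token.balances[alice])
    alice_balance_after = token.balances[alice]

    # Revoke = approve(0); from here on transfer_from fails.
    token.approve(alice, protocol, 0)
    return limited_left, unlimited_left, alice_balance_after, token.allowance(alice, protocol)


if __name__ == "__main__":
    spender = "0x" + "ab" * 20  # constructed placeholder contract address
    call = encode_approve(spender, UINT256_MAX)
    who, amt = decode_approve(call)
    print("approve to", who, "amount", human_amount(amt), "unlimited" if is_unlimited(amt) else "limited")
    print("revoke calldata:", encode_approve(spender, 0))
    print(demo())
```

The decode step is the practical check: the spender it prints must be the contract you meant to use, and an amount that trips `is_unlimited` is the default the lesson tells you to edit down with Custom Spend Limit.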

 The next attack is attack number eight, smart contract hacks.  Smart contracts are beautiful and they are what make DeFi, DeFi.  They open up amazing possibilities but put a lot of  pressure on the security of that code. A bad contract can steal all the funds that you currently  have staked inside that contract. When I say bad, I mean one of two things.

 A bad smart contract  could either be a malicious smart contract written with the intent to steal or a good smart contract  that has a bug in it. So how can you defend against the risks of using smart contracts?  The easiest option is insurance.  In the future, I believe this will be the best option, but currently it just isn’t  widely available.

 The DeFi insurance market is so new, I’ve seen relatively few options and the options  I have seen don’t cover the protocols I’m using.  But it’s something to look into as DeFi continues to grow.  The hard answer is that we have to decide the risks for ourselves.  Which is pretty impossible because even if you knew how to code smart contracts, you  could still miss a bug or security flaw.

 And how do normal people who don’t know how to code decide the risk?  The answer to this is pretty subjective.  This is my personal opinion.  For large percentages of my portfolio, I stick to battle-tested, well-known protocols that  have been audited many times and have a long track record.

 But if you’re new, how in the world do you even know who  that is? This is a shortcut and will offer you a place to begin your research.  To find who the established decentralized exchanges are in each network, I use a tool  called DexScreener. DexScreener also happens to be where I do all my price charting for  tokens only available on DeFi.

 But what if you want to use a newer protocol? How do you  decide if they’re safe or not? Once again, subjective, but I like to see projects  that have been audited and have resolved all major issues identified in the audit.  That means you have to actually read the audit. If you don’t know anything about  audits, this is where I would start.

 After you open it up, scroll down for a little  bit and there’s usually a page that shows a table of issues found. It will  also rate the severity of the issues and their status. If there are risks labeled as major or medium  and they have been acknowledged but not resolved, I wouldn’t use that protocol. This means  that auditors found issues that pose significant risks, but the team decided not to change  the code.

 Often, minor issues will be acknowledged and not resolved and I’m generally okay  with this as long as I read why the team decided not to change the code.  Often the minor issues are more about usability and less about security.  The example I’m using here is actually kind of interesting because I believe this protocol  paid for this audit to look legitimate and just hoped investors wouldn’t read it.

Scammy protocols might advertise the fact that they have an audit even if their code contains serious security flaws. Another tool I use for security research is RugDoc. RugDoc is great and terrible all at the same time. Great because they’re good at identifying high-risk smart contracts, but terrible because once you start browsing through the protocols, you’ll be exposed to a lot of extremely new and untested protocols. Protocols that might quickly die out within weeks.

RugDoc is not an auditing service, but they are great at giving you a first initial reaction to the security of the code. If you want to learn more about smart contract exploits, Rekt.News is an amazing resource for learning about large-scale exploits that have happened in the past. Now let’s talk about a non-attack, a security misconception that does absolutely nothing to protect you.

 I’ve seen many YouTubers recommending that you disconnect your MetaMask from a DApp after using it.  The only thing that connecting your MetaMask wallet does  is it exposes your public wallet address.  Let me say that again.  It exposes your public address.  Since your wallet is already public,  connecting is not a security threat  and disconnecting does not add any additional security.

 In fact, if you’ve already used the DApp,  then your address is  already listed under their transactions with the smart contract in the blockchain explorer.  Disconnecting your MetaMask is just removing your address from an arbitrary list when they already  have it on the blockchain.

 The only thing someone with your public wallet address can do is send you  stuff. Sometimes you could get a legitimate airdrop worth real money, but airdrops are becoming less  popular so 99% of the time that just means they will send you worthless scam tokens as another  phishing attempt.  That brings us to attack number 9, scam tokens.  They’ll use your excitement or curiosity over the fact that you think you got free  money to encourage you to go to their website.

 Their website will probably be an attempt to get you to interact with their scammy smart  contracts, attack number 8.  Or a way to phish your secret recovery phrase out of you, attack number 1. Your defense is to not touch the  tokens. They can’t hurt you if you leave them alone. That wraps it up.

 If I missed anything,  please let us know in the comments to protect our DeFi community. I put a lot of time and effort  into these videos and I hope you’ll take a risk on me by subscribing to this channel.  My promise to you is that I’ll never waste your time.

 

MetaMask Community Call: Security Essentials – YouTube

Transcript:

All right. He’s joining. Um, I guess, whatever, that will... don’t worry. Oh, you gotta, you gotta, you gotta accept them. Okay. All right, we’re live now. All right. Yeah, so Adam. All right. Hey, hey, everybody. Are we live? Yeah, we’re live now. Hey, hey, hey, hey. What’s up, everybody? Welcome to the MetaMask Security 101 call.

This is very different than our other calls. Other calls are onboarding calls. This call, though, is going to focus on how to stay safe. With us today is Francesco and Jolie. Hi guys. Myself, Crypto Hamilton, I’ll be answering your questions, Anthony, and Manbir. So the purpose of this call is to help you stay safe.

Web3 is amazing, Web3 is beautiful. Web3 is a new place, it’s a new frontier, but in a new frontier sometimes there can be things that jump out at you, right? So, like, you know, there could be animals that jump at you, there’s rocks, there’s ravines, there’s all this stuff. So with adventure there’s also a little bit of danger, but that’s okay. Danger is not bad as long as you know what you’re doing. Um, you’re great, man, you’re gonna be awesome. So let’s start off with the call. Manbir is gonna go

through this call, he’s gonna run the show. Francesco and I are gonna answer questions and provide some commentary, and hopefully by the end of this you guys are gonna feel safer, more empowered, and know some best practices so that you, um, you know, can navigate Web3 with greater ease and less worries. Let’s get started. All right, well, hello everyone, I hope you all are doing well and welcome to this MetaMask security essentials call where we talk about all things MetaMask security. Security is in fact becoming an essential topic

 in crypto and Web3 and insanely essential, I would say,  because it’s one of the most important topics  to be aware of and to be very deep into  if you want to sustain in this domain long term.  So without  further ado, these are your hosts for today. It’s me  Francesco and crypto Hamilton.

So I’m working as a community manager with MetaMask. And Francesco and Anthony are working as developer relations manager and head of development security respectively. So here’s the session outline. As we are done with the introduction, we’ll be going ahead with: Web3 scams are on the rise, what to do with that; phishing and spoofing, what, why and how; how to avoid becoming a victim; some non-common attacks; how to help in identifying the scam; best way to connect with MetaMask support; what to do if you lose your

 funds, wallet best practices, community updates, FAQs and Q&A.  So without further ado, let’s get started.  So Web3 scams are on the rise.  And just to touch upon that on a deeper level, I would say the crypto space has become particularly attractive to phishers because it’s a low effort and high reward activity and  social media and automation has made it very easy to cast a wide net.

 It also  takes advantage of the weakest link in the ecosystem that’s the human element.  According to a cybersecurity strategist at Proofpoint,  cybercriminals continue the trend of targeting people more so than infrastructure  using spoofing and social engineering.

And there’s no indication that these attacks are going to be slowing down at all. In 2021 itself, scammers stole over $14 billion worth of cryptocurrency, and over 50 percent of attacks that take away the cryptocurrency of people are done either by spoofing or impersonation schemes of some sort. So, just to reiterate on what kind of numbers we’re looking at: 15,000-plus entries added to MetaMask/eth-phishing-detect since January 2018. So we have a fuzzy match of edit distance two, so we don’t need to add everything. Over 12.7k domains are targeting MetaMask, caught by PhishFort since August 2018. So PhishFort is a company that we have partnered with to identify scammers and phishers and to basically take them down so that the community stays safe from them. Action Fraud UK reported over 140 million pounds in crypto was stolen to fraud at the start of 2021, 30 percent more than the whole of 2020 itself.

Proofpoint reported successful phishing cases on an average up to 64%. So that’s way more than 50% since 2021 itself. And email-based phishing, bulk phishing, BEC attacks, spear phishing attacks, these are some of the most common ones. Now, phishing: what it is and how it works and what’s the Web3 context around it.

So there are many, many forms of phishing, but the most common in crypto and Web3 is spear phishing. Spear phishing targets people who are public in the crypto space or work for high-profile crypto companies. The bad actors usually pose as someone trusted in order to induce you into getting scammed.

 So, for example, there’s a Webster.  Consider there’s a Webster.  The practice of tricking Internet users, that’s what they do.  And that’s done by using deceptive email messages or websites or direct messaging you on any social platforms into revealing personal or confidential information, which can then be used illicitly.

So, for example, if you are using MetaMask, say, for example, you have your secret recovery phrase and all your funds depend on your secret recovery phrase, right? If you lose access to your secret recovery phrase, or if someone else gets access to that, they get access to all your funds, right? All your cryptocurrency, all your NFTs, and so on. So spoofing is when someone or something pretends to be something else in order to attempt to gain a victim’s confidence, get access to a system, or steal data. In this case, in the case of a self-custodial wallet, that would be a secret recovery phrase. So spear phishing targets people who are public in the crypto space or work for high-profile crypto companies. And even worse than these attacks are those by the groups that are known as APTs or advanced persistent threats.

 And these are the professional scammers  who are playing the long games.  And they’re often backed by the governments  who are not so friendly with the people  that they’re attacking.  Probably the most famous that some of you might have heard of is the Lazarus Group and they are run by the North Korean state.

And they really love going after cryptocurrency. People working in crypto, especially in DevOps or system admin roles, are the ones that have been heavily targeted by the Lazarus Group. But that does not mean that you are completely safe, so stay cautious, especially if you are into crypto for the long term and as builders in this space. If you are a community manager, if you’re a community builder, if you are an NFT artist, innovator, founder, or if you work in any of the crypto roles, right?

 We must be hyper vigilant about our own personal security,  but also as builders in this space who are working on goals  such as mass adoption.  So even if you’re not working full-time in crypto,  but engaged often in terms of getting people  onboarded to the Web3 and crypto space.  We must keep the user’s identity safe, user’s safety in mind as well,  as we build and interact with Web3 products.

All right. So, types of phishing, some of the most common types. So this is one of the most common phishing attacks: phishing domains. Basically, you might have seen some ads or some links that pretend to be an official link, right, an official channel. So on the screen currently you see an ad that’s being run on Google itself, but this is clearly a phishing attempt, right? This is not an official link.

The official link is right below that, that is metamask.io. So, for example, links like this, metamask.2mmconstruction.com/login, this is clearly a phishing attempt, right? So you should not go ahead and visit any other link apart from metamask.io and try to download MetaMask, because that would be a phishing attempt, and if you download any of the third-party software, they could take away probably your secret recovery phrase or they could take away your crypto in some way, right? All right, why does phishing happen? What are they after? What are the phishers after?

 They’re after assets, tokens, NFTs, and anything of value, including signing keys for multisig or  DAO tokens. It could be any form of asset as a whole. What are common ways to get access to your  crypto? So it could be private keys.  It could be secret recovery phrase.  It could be through signing and transaction approvals as well.

So these are three of the most common types of attacks. But you should keep in mind that you should never click unsolicited links in emails. You should never click unsolicited links anywhere at all. How to avoid becoming a victim? Know your wallet.

 Wallet key management types.  So these are two of the key management types,  custodial and non-custodial.  And just to reiterate on how these works,  custodial wallets are basically wallets or accounts that are held by a third party, such as an exchange or a server.  And those third parties do the whole custody of your assets.

So you don’t have 100% control over your assets, be it any form of cryptocurrency, be it NFT, etc. But with non-custodial or self-custodial wallets like MetaMask, a user is in 100% control of their assets, be it cryptocurrency like ETH, for example, or NFTs, be it any asset as a whole, right? So with that kind of responsibility, with that kind of self-sovereignty, comes a great responsibility, I would say, so that you are the only person who is responsible for your assets, and no one, not even the MetaMask team, is responsible for securing your assets, because we don’t get access to your secret recovery phrase. We don’t get access to your assets at all, at any time. And there are two wallet types that I would like to touch upon: software and hardware. Software wallets are, again, MetaMask, for example, but those are non-custodial; but it could also be custodial.

Like, for example, as I mentioned, wallets on exchanges and third-party servers, right? And then the second type is hardware wallets, like Ledger, Trezor, KeepKey, et cetera. Get a hardware wallet if you are having a significant amount of funds, or even if those are significant for you, might not be for others, you should definitely get a hardware wallet. And if you’re in this domain for the long term, get a hardware wallet. Again, wallet strategy: again, do a fund distribution, be it if you’re using a hot wallet or a cold wallet, distribute your funds accordingly. Make different accounts within your MetaMask wallet, so you can add Account 1 (you will see Account 1 when you set up your MetaMask wallet), but you can add Account 2, Account 3, and so on as you go, so that you could probably store long-term funds in one account, your regular rotating funds in another account, your NFTs in some other account, and so on.

So choose your own wallet. These are some of the wallet providers that we have partnered with: Ledger, Keystone, Trezor, and GridPlus. So hardware wallets provide an added layer of security so that you have peace of mind, so that you could take your secret recovery phrase offline, your private keys offline, so that no one could basically get access to that. All right, known common attacks: smart contract allowances, squatting domains, social media outlets (Twitter, Telegram). So smart contract allowances first. So whenever you approve a transaction, or whenever you interact with a smart contract, whenever you approve a transaction, for example, you are allowing a website to basically keep interacting with your wallet, and what happens is that could result in that website constantly running that smart contract, constantly running that program in the background, that could drain your wallet. So be constantly in check with what kind of allowances are there, and make sure to disconnect those allowances. Make sure to not connect with any of the dapps that are not reliable, that are not secure. For example, only connect with wallets and dapps that are well established in the industry, right? Squatting domains: looking malicious domains to Google ads, as I’ve shown you before. So be mindful of those ads. As we always say, the ad-based internet or Web2 is broken. And that’s because anyone can pay these Web2 companies, not taking any name necessarily, but most of the Web2 companies can be paid and ads can be done on those platforms, right? So that they could basically deceive users

 into sharing their secret recovery phrase or losing their assets in some way.  Social media outlets again, Twitter,  Telegram, Discord, we’ll discuss this in the next few slides.  All right, smart contract allowances, now how to stay safe with that giving a contract a permission to move your token balance.

So, the three most important points to keep in mind: always make sure you know what you're setting your allowance to, never grant an infinite allowance, and revoke all allowances when you no longer have a need for them. So always keep these three points in mind, and do scan this QR code to read the MetaMask support tutorial on how to revoke smart contract allowances or token approvals. This is an excellent article that I would recommend to everyone out there. Now, another type of very common attack these days is "verify your wallet."

So this kind of scam has been running for quite some time now. And you might see this kind of message or email, or say a DM on Twitter as well, saying: "Dear customer, our system has shown that your MetaMask wallet has not been verified yet. This verification can be done easily via the button below." Right? "Unverified accounts will be suspended on" a particular date; they can mention anything. "Please make sure to verify your wallet as soon as possible. We are sorry for any inconvenience we cause doing this." But please keep in mind, all of that is a scam.

Just keep that in mind. This is a scam. You never need to verify your wallet. You never need to do any form of KYC simply to use your wallet. There are some on-ramp providers that we have partnered with, like for example MoonPay or Coinbase Wallet, to purchase crypto, but that kind of KYC would be on their end. We never get access to any form of data in that KYC, and you're doing that KYC on their platform, not on MetaMask. So you never need to verify your wallet, you never need to do any form of KYC simply to use your wallet. Such emails or communications are scams, so stay away from them.

All right, domain squatting. So as I mentioned, this is basically a phishing attempt. Stay away from this. The domain that you see right below that, metamask.io, is the original MetaMask website that you should download the wallet from. And how can you help identify scammers? All right, so here's an interesting product. MobyMask is an initiative to eliminate phishers. MobyMask is the first demonstration of a new crypto primitive and the kinds of interactions it makes possible: Delegatable.

So it's Delegatable; it's not like any company or any person owns this, which allows any contract to easily enjoy webs of off-chain invitations and invocations with on-chain redemption and revocation for enforcement. So you can scan this QR code to know more about MobyMask and how you can help in identifying the scams, help in identifying phishers, et cetera. So definitely go ahead and contribute towards making this space safer for everyone.

All right, fake social media accounts. So you might have seen on Twitter, or even if you haven't seen that yet, there are a lot of accounts on Twitter that impersonate people, especially high-profile crypto influencers, like for example Vitalik. It could be anyone: any crypto founder, any engineer, it could be DevOps or a sysadmin, et cetera. So you might have seen this: "Anyone who replies to this tweet asking for or offering ETH is a scammer. Please like this tweet so that it gets above the scammers, and report the scammers." But right below that, you might see an impersonator of Vitalik Buterin, right? "Hey guys, I want to give away another 1,500 ETH to my followers." Again, scam. So you should never DM such people, you should never follow these "easy rules" to send this much amount of crypto to their address. Once you send it out, you're never getting that amount back, ever. Keep that in mind. Now, in case anything happens to your wallet, make sure that you go to the appropriate place to go for help.

Twitter, Discord, and Telegram are full of impersonators that could be posing as people who are in support roles. So anyone could also reach out to you as "MetaMask support," say, for example. If you are having a problem, you might tag MetaMask on Twitter, for example, but people would then reach out to you, and that's in no way going to help you, right? The only official support channel to get in touch with MetaMask support, or to check out support-related articles, is this one that you can directly access through your MetaMask wallet, through this link that is denoted by a big red arrow right now.

All right, so if you lose funds. Now, what to do if you lose funds? Asset Reality comes into the picture. MetaMask has partnered with Asset Reality to enhance customer support by providing direct access to a third party who can investigate, track, trace and potentially attempt to recover funds. Even if the amount you have lost is relatively small, Asset Reality can still help in recovering that amount. It can still run investigations. It can still incorporate your case data into a wider investigation that can result in a positive outcome over time and bring the individuals that stole from you to justice. Asset Reality can provide users who have been victimized with the assistance they need to navigate a very difficult and stressful situation.

So if you have lost funds, or if anyone in your network has lost funds, direct them to, or you can also visit, this website using this QR code. Just scan this QR code, and you need to file a report over there, and once you do that the team will be in touch.

All right, some security best practices. Never share your secret recovery phrase. Never share your private keys. Never enter your secret recovery phrase or private keys into any website online. MetaMask support will never DM you to offer help. Never DM someone offering to help you; you should never do that either. And some key takeaways: beware of fake websites. The official one is this one that you see on the screen right now, metamask.io. The official help channel is support.metamask.io, and the official community channel is community.metamask.io. Do not share your secret recovery phrase with people who ask for it; they are scammers, no matter how sincere they sound. And securing your secret recovery phrase is only your responsibility. How to do that, and how the secret recovery phrase works: we hold monthly MetaMask 101 calls for that, so make sure to join those. Do not DM or respond to anyone that claims to be MetaMask support. Never send your information via email. Do not contact emails sent to you that attempt to contact you. Never send tokens to anyone who says that they can 2x or 10x them; that never happens.

That being said, we'll go ahead with some of the updates for the community. So these are some of the community updates that I have. We have partnered with AirGap Vault recently, and AirGap Vault now supports MetaMask on mobile. These are some of the updates that you can also check out on reddit.com/r/MetaMask; this is pinned under the pinned post, basically, so you can check that out. And this is the article that you can also have a look at. MetaMask Dev, this is a channel for developers, now has an official Twitter account for the developer community. So in case you come across announcements from this channel, from this Twitter account, this is not an impersonator; this is an official channel. So there you go, that's an official announcement over a community call.

Post the Ethereum Merge, do you need to do anything with your ETH or your MetaMask wallet after the Merge? No, you should not do any of that, and do check out this tweet: "The Merge is upon us, and some of you might be wondering about the fate of your ETH after the Merge. Will you have to move them off exchanges, upgrade them, convert them?" You should never do that. And the too-long-didn't-read part of that would be: you should never do that. But make sure to read this whole thread as well, which is live on our ConsenSys page. And "Understanding and avoiding crypto honeypot scams."

This is an excellent article that you should read. "This is the temptation of a crypto honeypot." What's that? What does that mean? Make sure to read this article to understand this in depth.

All right, MetaMask Snaps now has a home page. So MetaMask Snaps is essentially a way to extend the functionality of MetaMask. MetaMask, being the most popular wallet, now offers the power for the community to build on top of MetaMask. So for example, you can add support for various APIs, various chains. You can add support for Avalanche, Solana, non-EVM-compatible chains, and so on, and you can add more such unlimited possibilities to the MetaMask wallet.

All right, MetaMask Zendesk is now available in 16 languages, 16 new languages. Learn about MetaMask wallet fundamentals, security, token essentials and best practices in your own language.

So make sure to check out metamask.zendesk.com. And this is, again, officially the only support channel that we offer. "Learn how to avoid scammers and phishers." So this is again an article that you should definitely check out. Here's how to avoid scammers and phishers. This is again something that we're iterating on again and again.

This community call has been on this topic itself, but this article also offers some deeper insights that you might want to check out: how to avoid scammers and phishers. "Hardware wallets and MetaMask: the best security combo." So this is an article that walks you through various hardware wallets and how you can use a hardware wallet in conjunction with your MetaMask wallet.

So make sure to check out this article. Why would you need a hardware wallet? Why is self-custody necessary? All these topics are explained in great detail in this article itself.

All right, MetaMask launches a beta Portfolio dapp for users to view all their assets across chains. So basically, what we have done is we have introduced a beta Portfolio dapp for users to view all their assets across multiple chains. So you can connect your MetaMask wallet and check out all your assets across chains in one place. Cool.

That being said, I would like to invite Anthony and Francesco back to the stage to see if they have anything to add.

Yeah, go ahead.

I just want to say, amazing presentation. I was literally hearing different privacy and security panels, and I remember when we launched our, I think it was a security report, this year compared to last year, we saw, for fund loss incidents, that 50% were always SRP leaks. That means people were literally sharing their secret recovery phrase. And check out also the earlier sessions and recordings that we did before. Just to return to that: so 50% was SRP exposure, and then the other 50% was malicious contracts. So I think that's a very interesting part to see, because, you know, the SRP exposure is definitely through all the social engineering tactics that were also explained, and the only way to get through this is literally to see what those tactics are, like maybe you explained, and get educated on how to respond to those hackers. So never respond; you know, we never contact you on that side of the business. And on the malicious contracts, we are literally, as was said, also on the Snaps side, they were hacking, so you also need to revoke snaps, literally revoking a specific connection with your wallet. Use specific tools for that. Also make sure you double, triple check the emails that you get from others. And yeah, very interesting presentation, and I think we can go on to the questions, if Anthony has something to say.

Yeah, I agree. Excellent presentation, excellent comments, guys. So yeah, just read these things. If you had only one thing, it's: assume the person on the other side is trying to trick you, all the time. That's it. Just pretend that you're holding a bag of gold and people show up with mustaches and they're like, "Hey, can I hold this real quick? I just want to check it out," right? Or, "Hey, lend me your bicycle, I'm just going to ride it around the block." You probably won't see your bicycle again if you don't know this person. So just assume that. Just treat your digital assets like you would your physical assets, and keep that in mind, and treat your digital assets like they were your time or something that you hold most dear. Because, you know, just like email scams with people pretending to be princes from different countries, you're going to see that wherever there's a new opportunity, there's a new scam. So just stay safe, use common sense, never share your secret recovery phrase, and if you can, get a hardware wallet and follow these. And then don't give unlimited permissions, ever, to a smart contract, because unlimited permissions means that unlimited things could happen. And also, if you see kind of like a meme coin, yeah, it's probably a rug. Stay away from them, stay away from meme coins, look for fundamentals. That's not investment advice, I'm just saying, if a coin appeared out of nowhere and it's kind of a meme, it's probably an indicator that you might experience an experience that may keep you up at night. So avoid those things. Not investment advice; that's what I do, this is my personal opinion, but this is not investment advice. None of this should be construed as investment advice.

Yeah, cool. So basically, what happens is, whenever a rug pull happens, the way people fall for them is they want their money to be 10x or 20x or 50x or 100x within a couple of days. That might happen, that might not happen, who knows, but you should stay away from such projects. Again, not investment advice, but you should just know that it's your responsibility to stay safe in this space, and no one else's responsibility. Cool. That being said, let's quickly walk through some of those questions that have been asked in the question section. Francesco, you might also take some if you'd like. But I'll quickly go ahead with one: "Add two-factor authentication." So 2FA is a false sense of security, as answered by hero protagonist, that cannot adequately protect blockchain accounts. So 2FA is essentially for centralized systems, not exactly for decentralized systems. For decentralized systems, the best kind of security that is being provided currently is using MetaMask in conjunction with a hardware wallet, probably. So you could take your private keys offline and store them offline so that they're never connected to the internet. So definitely get a hardware wallet: Ledger, Trezor, KeepKey, GridPlus, any of those. Those are some of the leading ones, so get a hardware wallet. Cool. Francesco, would you like to take any of these questions?

I think it looks like our colleagues already responded to a lot of those.

I'm just checking; there are quite a lot of questions. "Please enable aware of our shoe contracts": I'm not sure what's really the question, but yeah, I think also we're doing a lot on the security side of MetaMask on blacklisting specific smart contracts, where I think we have a specific library of a certain number of blacklisted contracts, and if you interact you get a notification so you're not interacting with that smart contract. That's probably something that I could add to the answer.

And one question is, "Please add token approval option." Again, we don't completely understand what exactly you meant by this, but if you have any suggestion, any feature request, you can directly go ahead in your MetaMask wallet and raise a feature request from there. So the link is community.metamask.io; you can directly go ahead and visit that page to add a new feature request.

Also, like, yeah, go for it.

No, I just want to say the token detection feature is also quite interesting, because it's not just doing token detection but it's also delisting scam tokens. So I think this is also quite an important part, and I think right now all the tokens in the token detection list are on ETH, but it's definitely useful, because sometimes you see two or three token symbols that are all the same; you never know which one is the malicious one.

Yeah. Anthony, you wanted to add something?

ANTHONY KUNIBURY: Yeah, I see one says, "Please explain more about phishing." What is phishing? Is it going out to a lake and getting fish? No, it's not. Phishing is: you are the fish.

You're not the one phishing. What does that mean? You're on some sort of Telegram group, or you got some sort of email, and it says, "Hey, hey, urgent." And then, "Oh my God, it's a little worm. Oh, this is amazing." And then you bite the worm and then they pull you up. And how do they pull you up? They trick you into sharing your secret recovery phrase or your private key. Phishing is, very simply, people impersonating some sort of authority to gain information. Then MetaMask: the most sensitive information, the number one sensitive information, if there's anything you're going to get from this call, is, drum roll, don't share your secret recovery phrase, also called the seed phrase. That's the most sensitive thing. We don't have it. Only you have it.

It's only on your computer or on your hardware wallet. Do not fall for the bait. Don't share your secret recovery phrase. Phishing is people impersonating others, usually MetaMask, to try to trick you into sharing this stuff. They put on a mustache. They have a really nice website.

The website can pop up on Google search terms they give you. You get a random email in your inbox. It could be a Discord message; that's why we don't host these calls on Discord. It's a place where you can get phished very easily. Or Telegram; we don't have a Telegram, right? We're not going to reach out to you in Discord. We're not going to reach out to you unless you sign up for an email list or something, right? So let's just assume that if "MetaMask" is reaching out to you, it's probably not MetaMask, okay? And another question here is, "Where's the promised decentralization? Where's the MASK token?" The MASK token is not coming out, sorry guys. Decentralization for wallets means choice. Just because you have a token doesn't mean your project is decentralized. I mean, somebody can own the majority of tokens and that's it. And then, I mean, come on, that's it. It's not decentralized, guys. Decentralization does not only happen on a software level.

It happens on a financial level as well: how many tokens people are holding. Yeah, so this is financially essential. So what we want to do is we want to offer, first of all, security, usability, accessibility, but then also decentralization. How do we offer decentralization? MetaMask Snaps, right? Our code is open source, so you can audit it, right? You can see what's up. And then MetaMask Snaps allows people to build upon MetaMask.

And it's coming soon, a stable version. It's on Flask. Check it out. Google "MetaMask Snaps." But MetaMask Snaps allows people to basically, how do you say, give MetaMask new superpowers, right? So the decentralization comes in the ability to customize MetaMask to your needs, right? So, you know, all needs for all the folks, versus just the token, which is like, okay, I mean, but that doesn't really solve the user needs. And we really focus on solving user pain points first and foremost. We care about our users, we love our users, we want to be able to do as much as we can for our users, and the community of developers and people who are interested can help them. So check out MetaMask Snaps. The website's nice and spiffy. Give it a look.

If you're coming to a hackathon, consider one of our bounties. We're really excited to talk to you.

Yeah, also to add on that, on the Snaps topic, I see also people are asking, "Please add layer 2 staking, swaps," and specific multi-chain strategies. A part of the answer is from our hero protagonist, and yeah, he's a great team member, shout out to him. I also want to say, for example, this is exactly why you should build Snaps, because especially for pushing non-EVM-compatible layers, we already have, not in production but on Flask, specific libraries on Snaps like the BTC snap. There are different snaps being built that are not EVM compatible. You also should check out the StarkNet snap; basically you can interact with StarkNet on top of MetaMask. That's super valuable. And yes, so basically that's also the goal of Snaps, and also the community owning what they can build and extending the functionality of MetaMask. Right now, check it out, they're directly on Flask, but it's definitely also good. Yeah, as Anthony said, if you're a developer, come back to those hackathons. I think the next one will also be in Lisbon, and yeah, super excited to share this news also with all the community.

Awesome. Cool.

We are dwelling on Snaps a bit. So why do we do this? Human potential is immense. It tends to infinity, right? Now, humans build MetaMask. MetaMask's potential is also immense. How do you extend that? Snaps is the way to go. Humans have made their way to the Moon, to other planets as well, right? We are researching how to move to other planets, how to discover other planets as well, right? So potential in terms of life is immense; it tends to infinity. Again, if humans are building on MetaMask, the potential becomes immense. Just think of it that way. What happens in 5, 10, 20 years? That depends on you, on what you build on MetaMask. So be mindful of that, and we would definitely encourage you to build on Snaps. Check it out. Check out that website, metamask.io. And that being said, if you have any other points to add, Francesco, Anthony, please definitely go ahead.

I'm good. I think you summarized everything, right? Never share your secret phrase. Also check out the previous Essentials and Web3 onboarding videos that the presenter did, and stay close to where the ecosystem is, you know, because a good way to interact is checking out the ConsenSys Discord. We also have a channel called report-scammers; it's also a good way to show if you find something suspicious and be part of flagging those scammers, not just, you know, blocking Twitter accounts. And do make sure to join the MetaMask community, and we'll be back with more such community calls, with more such informative calls, with more such content, and make sure to join them. But until then, see you. Yeah, guys, I'll see you, and remember: if aliens come down and they ask you for a secret recovery phrase, never say, "Here, leader, have my secret recovery phrase." What do you say, guys? No, you don't have to give your secret recovery phrase, okay? That's the number one thing you should know.

 

🔒 ALL ABOUT METAMASK SECURITY (Secure Your Wallet) 

Transcript:

So in today's video, let's talk about the security of your MetaMask wallet. So if you have a MetaMask wallet, I can give you a few tips, and you need to understand a few things about the security here of MetaMask. So first of all, what you guys need to understand is that this wallet is a hot crypto wallet, and by hot crypto wallet I mean that in order to sign in and import your account here, you need to have a recovery phrase of 12 to 24 words, and you can import it in here. But you need to understand, guys, if I create another account, let's say I have here my savings, I don't know, and I create it, let's say I have a few tokens inside this account. So if anyone hacked my device here, my MetaMask, all my cryptos that are in different accounts are inside, they are merged in the same MetaMask account. So that means that all the tokens that are in here and in here, they both are hacked, just in case someone enters my account. So let's say you want to improve your security here in MetaMask, and one way that you can improve your MetaMask is by clicking in here, which is my account, going into your settings, and you can go into the Advanced section.

You want to scroll a little bit down and change the auto-lock timer (minutes): "Set the idle time in minutes before MetaMask will become locked." That means if this one is an auto-lock timer of 5 minutes, I want to decrease this to 3, let's say 2 minutes. This might be a little annoying, to put in your password every time you want to use MetaMask, but this is going to be improving a little bit more our MetaMask security.

When MetaMask asks you to import your wallet by using your recovery phrase, do not copy-paste your recovery phrase into your clipboard, because if you copy that into your clipboard, all the information is going to be attached inside the internet, the network, so you're going to be sharing your information. So I strongly recommend you guys to not copy-paste into the clipboard, but to sign in by manually putting in word by word. And the last thing that I can do is, let's say I'm on coinbase.com and I want to go into my MetaMask here. So as you can see, here's MetaMask, and it says "Connected: you have one connected account to this site," and if I click on Permissions it says "You have authorized the following permissions: see address, account balance, activity and suggest transactions to approve." So this means that all the connected sites have the power to see all my assets that are available in here. So if I have maybe a lot, a bunch of tokens, it's going to be exposed to this site. So if you're going to be using MetaMask inside Coinbase, your assets and all that might be exposed. You may want to fix that; you may want to disconnect all the sites manually here from MetaMask, so you don't have to expose yourself for a long time. So go into these three dots, go into Connected sites, and just select the option that says Disconnect. So once this one is already disconnected: "Are you sure you want to disconnect? You may lose site functionality." I'm going to go into Disconnect. So this one is no longer connected, so I'm not going to be exposed a lot here in MetaMask. And yes, having a cold wallet is going to be much safer, but just in case you signed into a bad contract inside of the crypto world, into another exchange, you're going to give permissions to a wallet, whether that would be cold or hot, to see your information. So you have to be really, really careful with the contracts in the cryptocurrency world. So this is just a recommendation, guys: if you want to make your cryptos more secure, I strongly recommend you guys to have this Ledger, purchase it right now here in the product section, like the Ledger Nano X or the Nano S Plus. As a matter of fact, I do have this Ledger Nano X here, my own. So if you want to acquire any of these, or let's say you want to buy this other one, I can leave you a link down below in the description so you can get a great discount, if you want to make your cryptos safer, guys. And here in the shop of ledger.com you can see all the features and the security of this amazing device, how this is working, and how you can even earn rewards, I mean, grow your assets, while you have your device with you.