Crypto/NFT: How to protect existing accounts with a new hardware wallet? (without ‘moving’ tokens)

By MonikasArt.eth/.tez 🌍🕊️ #PeaceFirst
Published in MojoAcademy · 10 min read · Mar 8, 2022

or: “How to turn your hot wallet into a cold wallet?”

NFA, DYOR, etc… you know the drill. Also, this is not a product endorsement nor a paid article.

I am starting with some background information, as always, but if you are just here for the links, please scroll down to the second chapter…

Intro

Customer support of hardware wallets will always advise you to set up your account with -and ‘on’- a hardware wallet right from the start. If you never had your so-called seed phrase on an electronic device besides your hardware wallet, it is obviously highly protected. That is very logical.

But does life really work that way? Who wants to look into Crypto or NFTs or yield farming on the blockchain and thinks “uh, before I even transfer $5 on this blockchain thing just to try it out, I better get a hardware wallet for a larger sum”? — That’s right… I am sure the majority of us tried this weird new thing out, got hooked, and the next thing you know, it is 2 weeks later (which feels like a whole year), and you have used your first wallet to sign up everywhere.

If you gave the whole NFT topic a chance because you are an artist, it is even more complex: all NFTs you might have sold (congratulations!) will always be associated with your old account, while the newly minted pieces will be on your new account, and that is unpleasant and a whole mess. (Customer support will tell you that it is possible to ask all collectors to please send the NFTs back to your old accounts, internally transfer them to the new one, and from there you could do a private sale for $0 back to your collectors; oh yes, because that is how life works — not.)

So what now: you decided to stay in Crypto, but you want to add another layer of protection to your existing accounts, so what can you do?

How does a hardware wallet actually work?

When I use the word “Ledger” here, I am using it synonymously with the word “hardware wallet”. It is what I use, but still: this is not a product endorsement.

A common misconception is that you can move coins, tokens or even NFTs “onto” a Ledger. No, you don’t. The Ledger basically is just a very tiny USB stick that keeps your private keys to your wallet (your “seed phrase”) secured and handles all requests if funds are moved out of this account.

The “seed phrase” aka “private keys” that you got when you set up the wallet initially (it is normally a set of 12 to 24 random words) holds the power to grant access to the associated wallets. This access cannot be revoked. This access cannot be limited. And what at first looks like “only a wallet” is actually your digital identity on the blockchain: you log into sites and services with your wallet. You are holding NFTs that grant access to events or airdrops or whatever in your wallet. If your university diploma comes with an NFT version, it is in your wallet. For most services, you do not even have a username or a password anymore: just connect with your wallet.

For every transaction and sign-up etc., your private keys need to be present. They will never actually be shared with the services, but the entity that holds the private keys also has the power to make decisions.

If you do not use a hardware wallet, these keys will be stored in your “hot wallet” like MetaMask, TrustWallet etc. Whenever you are making a transaction, the hot wallet identifies itself as the entity that can approve the transaction, and the transaction will go through with a few clicks.

This is very easy, but it also has a significant downside: if your device that holds the hot wallet (and you could have set up multiple ones) gets targeted by a hacker, the very same hacker now has your private keys — and with it, unlimited access to your digital identity, and this access can never be taken away from the hacker.

However, if your seed phrase (your private keys) is only stored on a Ledger, and your hot wallet is linked to that “cold wallet” (i.e. your hardware wallet), then this hot wallet does not hold the keys anymore — the keys that are needed to approve these transactions.
So it has to “ask”, and it will turn to the entity that actually holds your private key: the hardware wallet. On it, you will have to sign off on the transaction.
If the hardware wallet is not connected and the transaction cannot be confirmed, it will not go through. So nobody can transfer something out of your wallet without approving it via the Ledger.

You convinced me. — What do I have to do now?

As we learned in the previous chapters, no coins or tokens or NFTs are stored “on” a Ledger. So if we do it wisely, we do NOT have to transfer anything from A to B to protect it!!
The trick is to make MetaMask (or any other hot wallet) “forget” our seed phrase and make our new Ledger the only device that “knows” it.

So how do we do that? I assume you already have a MetaMask account that is not yet protected by a Ledger (or Trezor).

1. When setting up the new Ledger, enter the “old” seed phrase from your pre-existing MetaMask account.

2. Connect the “old” MetaMask account with the new Ledger, and use the official software Ledger Live to import all “old” MetaMask accounts
(hint: if an account is not found, make a small transaction on Ethereum, because Ledger Live does not import “empty” accounts and won’t be able to find other accounts “behind” an empty one either)

Now we have two devices that “know” your seed phrase: your “old” MetaMask account and your “new” Ledger.
You can check that all balances are the same, and you can keep it “parallel” for a few days if you want to make sure.
But you will notice that the Ledger still is NOT needed to confirm transactions on your MetaMask. Why is that? Well, the “old” MetaMask account still knows your seed phrase and therefore does not “need to ask the Ledger” for it.
This, we must change!

3. Once you have all accounts imported into the software Ledger Live, completely uninstall the MetaMask extension in your browser (on all devices!).
(make sure to save your address book if you need it, write down your account names and imported tokens; basically everything that you might have customized for your convenience in the MetaMask, because your old MetaMask account will soon be gone.)
If you can, also clear the Google Chrome browser history to make sure all old information is gone!

4. Reinstall MetaMask and choose a completely new account with a new seed phrase. Write down that seed phrase too, of course, but keep in mind that these are the private keys to the “hot wallet” only — which ideally, you will not use for much.

5. Connect the “new” MetaMask with the Ledger and import all “old MetaMask” accounts

All “old” MetaMask accounts are now imported into a new MetaMask account; the private keys of the “old” accounts are safely stored on the Ledger only. For any transaction that needs to happen on your “old” MetaMask accounts, the “new” MetaMask account now has to ask the Ledger to confirm it first, because your new account does not know the seed phrase that is needed for that.

Wohoooo!!! Congratulations!!!
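Why the old and the new MetaMask behave so differently, as an added example (not part of the original article, and not Ledger or MetaMask code): it follows the BIP-39 and BIP-32 standards that both wallets use to turn the words into a master key, and compares what each device can derive. The two phrases are public BIP-39 test vectors, and the helper names `fingerprint` and `holds_keys_for` are made up for this illustration.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test-vector phrases, used only as sample input.
# Never type a real seed phrase into a script or any file.
OLD_PHRASE = ("abandon abandon abandon abandon abandon abandon "
              "abandon abandon abandon abandon abandon about")
NEW_PHRASE = ("legal winner thank year wave sausage "
              "worth useful legal winner thank yellow")


def bip39_seed(phrase, passphrase=""):
    """BIP-39: stretch the words into a 64-byte seed (PBKDF2-HMAC-SHA512)."""
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048)


def bip32_master(seed):
    """BIP-32: HMAC-SHA512 keyed with "Bitcoin seed" gives master key + chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def fingerprint(phrase):
    """Short tag for the master key a phrase produces (hypothetical helper)."""
    key, chain = bip32_master(bip39_seed(phrase))
    return hashlib.sha256(key + chain).hexdigest()[:16]


def holds_keys_for(device_phrase, account_phrase):
    """True if a device that stores device_phrase can sign for the accounts
    created from account_phrase without asking any other device."""
    return hmac.compare_digest(fingerprint(device_phrase),
                               fingerprint(account_phrase))


if __name__ == "__main__":
    devices = {
        "old MetaMask (before step 3)": OLD_PHRASE,
        "Ledger (after step 1)": OLD_PHRASE,
        "new MetaMask (after step 4)": NEW_PHRASE,
    }
    for name, phrase in devices.items():
        print(f"{name:30} master key tag {fingerprint(phrase)}  "
              f"signs alone for old accounts: {holds_keys_for(phrase, OLD_PHRASE)}")
```

The old MetaMask and the Ledger show the same tag because the same words always produce the same keys, while the new MetaMask shows a different one and therefore has to hand every transaction on the old accounts to the Ledger.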

FAQs

1. Am I now 100% protected and can never be hacked?

No. If you do not protect your seed phrase aka your private keys, and other people get their hands on it, then no hardware wallet in the world can help you.

2. Does all this really keep me 100% secure?

Well, the highest level of security would surely be to follow the official vendors’ advice and set a wallet up via a hardware wallet only and never have the seed phrase / private key touch another electronic device except the hardware wallet, but if that were possible, you would not be reading this article and would simply go back to square 1 of your crypto journey — but you can’t, because you too quickly went down that rabbit hole (as we all did).
So yeah, your seed phrase could theoretically already be compromised because you had it in your browser extension for a while, so entering a compromised seed phrase into a Ledger does not really help (see question 4).
But the good news is that hackers and scammers normally are greedy: if they have your seed phrase, they will use it soon. So if all your tokens are still there, you are most likely not compromised.
So adding a hardware wallet for that account is advised even though there is this very, very slim chance that your seed phrase already is in the wrong hands.
Just look back at your life when you were 15 years old: did you then get all the insurance that you will ever need in your whole life (because back then it was cheaper, you were young and healthy, and you got the best premiums)? Or might there have been a point later in life where you decided to add or amend an insurance because your life changed, and you need extra insurance that you simply could not anticipate? Well, here we are: better late than never.

3. Whom can I call when I lose / don’t remember my seed phrase?

“The bad thing about DeFi is: you have to do everything yourself. —
The good thing about DeFi is: you can do everything yourself.”
(I am self-quoting here.)
So no: you cannot call anybody. It will all be lost.

4. If I have been hacked, can I protect this account with a Ledger?

No. When you have been hacked, the hackers have your seed phrase and, as written before, unlimited and irrevocable access to your wallet and your digital identity go with it.

5. How do I have to modify this guide if I use the wallet on multiple devices?

I would advise to modify how you approach the security of your digital identity that will become more and more important in the upcoming years, first of all.
Sure, you can have multiple wallets and move the more valuable assets to a wallet that has extra protection while you roam more freely on “burner” wallets on multiple devices. Otherwise, keep your funds on a computer that you ideally do not use for social media, where you do not receive mails (or at least do not click in emails) and all that. A separate device is advised — but often, surely, not practical.
So basically: put some thought and effort into your security, and if you have a wallet that you want to protect on multiple devices, make sure to follow the steps 3 to 5 on all of them (in step 3, you do not have to set up a new hot wallet every time; you could also reuse the first one you create on all other devices).

6. Where do I best store my seed phrase?

If I come to your home, and I see a sheet of paper around with 12 or 24 random English words, you can be sure I will snap a picture. ;-)
Which, by the way, is something you yourself should never do: do not save it on the computer in a text format, do not take pictures (good photo software can still ‘read’ the written words), do not dictate it into your phone, do not print it on T-Shirts, … and do not give it to anyone unless you want them to have full control over your digital assets and your own digital entity — forever.
Some people engrave their seed phrases into metal plates and hide these in vaults. This is pretty secure: the metal is more resistant than paper, and a vault definitely is a safe option.
But for many, this might be impractical for various reasons. Still, make sure that nobody can accidentally find the seed phrase. Also, maybe think of hiding it in two places just in case one of the two becomes inaccessible.
Also, maybe don’t talk about your security measures, so maybe now you will understand why I am a bit tight-lipped about what I did myself, but let’s say it this way: I chose more than one location to hide away my seed phrases, and none of them are even in the same city as I am.
This also ensures I cannot even fall for a quick scam where I quickly enter the seed phrase because I am in a stressful situation, and someone coerces me to do it. If I needed it, I would have to go on a longer drive. And I believe that half way to one of the secure locations, I will have a lightbulb moment: “Wait a minute, why exactly am I supposed to enter the seed phrase here? Might this be a scam?”
Note: some scammers will not ask for your “seed phrase” or “private keys” directly, but they might call it “recovery phrase” or “your 12 words”, etc.

7. Should I post my questions about getting a hardware wallet on Twitter and/or ask about it on Twitter Spaces?

While I love all the Twitter Spaces that are held about security, I personally have mixed feelings about hopping on stage and asking questions that reveal that you might not have secured your assets with a hardware wallet.
If you reveal your assets are vulnerable, some scammers might just hear that and target you next.
Also, when you use the words “Ledger” and “MetaMask” on Twitter, you will get a lot of automated replies from fake accounts that recommend that you click a link because they claim that this will help solve your problem — believe me, it will make it worse!

8. What do I do when the hardware wallet breaks? Is it all gone?

Nope. Just a minor inconvenience. Get a new Ledger (from their official site only!), retrieve your seed phrase aka private keys aka recovery phrase from one of your secure locations, enter it into the Ledger, and just carry on with your happy Crypto life!
