Guide to Staying Safe with Plug 🔒

Some tips for keeping your assets safe with your wallet in Plug!

Plug
7 min read · Apr 6, 2022


It doesn’t matter if you’ve used Plug for a long time or if you’re just getting started, or if you’re using the mobile app or the browser extension: keeping your assets secure should be at the top of your mind. Scams, tricks, and theft are rampant in crypto, and they target people who never learned safe practices.

Don’t have the extension or mobile app yet? Download it here!

All right, here are some tips to keep your ICP, NFTs, and the rest of your tokens safe with your wallet in Plug.

Your Secret Recovery Phrase 🤫

The secret recovery phrase is the master key to a Plug user’s wallet. This is a list of 12 randomly generated words that give access to your account. It’s used to import your wallet onto another device or recover your wallet!

Keep this phrase secret. Anyone with the secret recovery phrase to your wallet can access it, and that includes malicious actors. Write this phrase down, and keep it in a safe place. The notes app on your computer is not a safe place.

Always backup your phrase offline, and keep it somewhere secure.

If you give this phrase to someone, they now have full access to your wallet. And if you lose your secret recovery phrase and then delete your wallet or forget your password, you will not be able to regain access to your assets.

Bad actors are getting creative in their methods of acquiring secret recovery phrases. But what do these attacks and methods look like?

Phishing Attacks 🎣

The most common of these methods are phishing attacks. Malicious actors masquerade as legitimate organizations and try to gain sensitive info from their target. These attacks take a variety of forms:

  • A copycat Discord server sends you a link (i.e. surprise airdrop or NFT release). The site tries to drain wallets that connect to it, or trick users into revealing their seed phrases. These sites will have domains that look very similar to the official one.
  • A malicious actor disguises themself as a support rep on social media or messaging apps. They convince their target that they are a part of the team, and persuade the target to hand over their seed phrase. They then drain the target’s accounts before they even know what hit them.
  • A person offers to buy your wallet, but first needs you to hand over the secret recovery phrase. The malicious actor drains the wallet and blocks you before the sale ever happens.
  • Someone might also try to “sell you” a wallet with valuable assets. Never attempt to purchase a wallet, as anyone who already has its recovery phrase will be able to access it in the future, even post-sale.

Avoiding Phishing — Common Red Flags 🚩

On one hand, there are certain “safety” checklists you must follow to avoid falling for social engineering scams and phishing attempts. Here are a few tips and maxims you can follow when protecting a wallet:

  • Make sure your secret recovery phrase is what it should be. Secret. Never share this with anyone, especially those that ask for it.
  • Official accounts also do not message users first or ask for your secret recovery phrases. If you receive a suspicious message from what, at first glance, appears to be an official source, be skeptical.
  • Cross-check links with official sources; go to the project’s official pages to verify the link. Connecting your wallet to a site never requires giving your seed phrase to anyone, so a site that asks for it is a red flag.
  • Also, always be skeptical of links sent to you from outside sources! Don’t open URLs from people you don’t trust.

How Plug Protects You When Using dApps ⚡

On the other hand, Plug also has some security countermeasures to prevent apps from gaining excessive power when connecting to your wallet. As a maxim, always be conscious about the dApps you’re connecting your wallet to. After you’ve signed a malicious transaction, it’s often far too late to go back, so make sure you review your transactions.

Canister Whitelist on Connection 🗒️

The first barrier of security between Plug and any dApp you connect to happens when you first connect and approve a dApp to interact with your wallet.

Most wallets simply approve the dApp and allow it to sign transactions on your behalf without limits. This could mean that, when you connect to a malicious dApp with these wallets, the dApp could easily drain your wallet without asking for permission.

Plug, however, doesn’t allow dApps to make calls or request signatures arbitrarily to any canister. If a dApp wants to interact with a contract/canister (for example, to transfer ICP or to talk to the dApp’s own backend), it must pass a whitelist of the canisters it will interact with when it connects. This means it will only be able to sign calls to those canisters, and cannot use your keys arbitrarily.

Approval of Asset-Oriented Calls 🚨

The second barrier of security in Plug is the confirmation pop-up screen, where users can see, verify, and approve or reject any type of action a dApp wants to sign with their wallet that affects their assets.

There are two types of transactions that we see on the IC when users interact with dApps or canisters. Query calls are transactions that read information from a contract. This could be a token balance, proof of NFT ownership, or other forms of basic user information. These calls cannot change or update information, but instead, simply read a contract/canister’s information.

On the other hand, update calls are the transactions that pose risk. Update calls are requests that can affect, change or manage data on a contract, like transferring an NFT/token you own in your wallet! Anything from token transfers, to listing/delisting actions, requires an update call to be signed with your identity.

These are also the calls a dApp makes when communicating with your wallet, for example, to display your balances & NFTs, or to trigger a marketplace listing for an NFT! While query calls need little trust, update calls require the very opposite. It’s hard to trust sites you aren’t familiar with to arbitrarily sign & approve these calls with your wallet.

That’s why we’ve added a couple of security features to Plug surrounding transactions like these:

Whenever a dApp tries to make an update call to manage NFTs or tokens you own in Plug, a pop-up will appear in Plug for you to approve the action. This pop-up shows you the specific token(s) the dApp wants to interact with, and what it plans to do with them. You’ll need to approve the action before the app can do anything sensitive, like transfer funds or lock an NFT for sale.

This is achieved thanks to Plug’s integration with DAB, which lets us detect all supported assets in your wallet and check whether the dApp is trying to call them for any sensitive action (e.g. transfer, list, mint, etc.).

There is also an unsafe call pop-up in Plug. dApps must follow specific guidelines when integrating Plug, to ensure users can properly see the details of each action the dApp wants to take with their assets.

If a dApp integrates Plug poorly and doesn’t send the appropriate information when trying to manage NFTs or tokens in the user’s wallet, an “unsafe” pop-up will appear instead, with fewer details and a warning.

How do we determine what’s safe? You can read our guidelines for a detailed explanation. But, in a nutshell, a dApp can try to sign a call to, for example, the ICP ledger to transfer funds in two ways:

  • The safe way: going through Plug entirely, displaying all parameters.
  • The unsafe way: partially bypassing Plug, not displaying the call’s parameters.

The difference? When a dApp triggers calls properly via Plug’s APIs, the wallet can read all the parameters and details of the call, and show them to the user (e.g. dApp A wants to transfer 10 ICP to John!).

If the dApp doesn’t do that and instead sends Plug an arbitrary call to sign, Plug knows few details about the call (dApp A wants to make an update call, for ??? ICP, but to whom?). Hence Plug will show the warning above, and tell you that you trust the action at your own risk. This does not mean a dApp is malicious per se, but it is not being transparent about its actions.
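As an added illustration of the two barriers described above (the canister whitelist and the asset-call approval pop-up), here is a small wallet-side policy model. This is not Plug’s own code: the registry entries, canister ids, method names and the dApp name are all constructed for the example.

```javascript
// Added illustration, not Plug's code: a wallet-side policy modelled on the two
// barriers this post describes. Registry entries, ids and the dApp name are constructed.

// Stand-in for a DAB-style registry of asset canisters the wallet recognises.
const ASSET_REGISTRY = {
  "constructed-ledger-id": { kind: "token", name: "ICP" },
  "constructed-nft-id": { kind: "nft", name: "Example Collection" },
};
// Update methods on asset canisters that move, lock or create a user's assets.
const SENSITIVE_METHODS = new Set(["transfer", "list", "delist", "mint"]);

// Barrier 1: the whitelist a dApp passes on connect is fixed for the session.
function connect(dappName, whitelist) {
  return { dappName, whitelist: new Set(whitelist) };
}

// Human-readable summary of a decoded asset call, e.g. "transfer 10 ICP to John".
function describe(asset, call) {
  const what = asset.kind === "token"
    ? `${call.args.amount} ${asset.name}`
    : `${asset.name} #${call.args.tokenId}`;
  return `${call.method} ${what}` + (call.args.to ? ` to ${call.args.to}` : "");
}

// Barrier 2: decide what the wallet does with a call a dApp asks it to sign.
// call = { canisterId, method, kind: "query" | "update", args: object | null };
// args === null models a raw call whose parameters the wallet cannot decode.
function evaluateCall(session, call) {
  if (!session.whitelist.has(call.canisterId)) {
    return { decision: "reject", reason: "canister not in the connection whitelist" };
  }
  if (call.kind === "query") {
    return { decision: "allow", reason: "query calls only read canister state" };
  }
  const asset = ASSET_REGISTRY[call.canisterId];
  if (!asset || !SENSITIVE_METHODS.has(call.method)) {
    return { decision: "allow", reason: "update call that does not touch a known asset" };
  }
  if (call.args === null) {
    // The "unsafe" pop-up: the user sees a warning, not the parameters.
    return {
      decision: "prompt-unsafe",
      detail: `${session.dappName} wants to ${call.method} on ${asset.name} (parameters not shown)`,
    };
  }
  // The regular approval pop-up, with every parameter visible to the user.
  return { decision: "prompt", detail: `${session.dappName} wants to ${describe(asset, call)}` };
}
```

A call to a canister outside the whitelist is rejected before any pop-up; a decoded transfer produces the readable prompt, while the same transfer sent without decodable parameters produces the "unsafe" variant.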

Plug into the Internet Computer 🔌

That’s all! With this guide, you now should be fully aware of what you need to do to keep your assets safe with Plug in the extension, and mobile app. Keep an eye out for more updates coming soon!


Plug is an Internet Computer browser crypto wallet & authentication provider.