Understanding Web3 Security
One of the best parts about being on a web3 platform is that you have total control of your wallet. Because of this, it's extremely important for you to be on guard as you're exploring the ecosystem of the wild, wild web3. Just like in the traditional world of finance, there are sometimes bad actors and scammers looking to steal your stuff.
To get an understanding of the web3 ecosystem, we present to you:
A guide to avoiding scams and keeping your wallet safe.
“The Actors/Villains: Types of Users in Web3”
In every emerging technology, there are 3 actors: 1. The Good Actors 2. The Bad Actors 3. The Victim.
- The Good Actors are the ones with good intentions. They build projects with real-life use cases, educate people, and provide a safe working environment.
- The Bad Actors are the ones with bad intent. They trick and take advantage of people.
- The Victims: Anyone can be a victim of both bad and good actors. A good project doesn’t guarantee a good return. A good project can fail due to encapsulated and systemic complexity.
“The Set: Common Scams”
There are several security threats in the web3 environment, the most ubiquitous of which are social engineering scams. The list below covers a few common attack vectors.
- Phishing Emails/Text Messages: This is the most common of all attacks. A bad actor sends you an email or text message that appears to come from a legitimate website, e.g. foundation.app. They may send you a URL that looks legitimate but will redirect you to a FAKE URL, and from there they steal your information. These can also be disguised as free airdrops, contests, and people claiming to help you do something with your wallet. Always check website URLs more than once, and NEVER share your wallet information or seed/secret recovery phrase. If something seems too good to be true, IT IS.
- Commission Scams: If you are an artist or a creator, you may have been contacted by someone who is looking to collaborate with you. Be mindful of the types of engagement you have with these people. Foundation will never contact you directly to collaborate. We strongly recommend that you research the person who is messaging you; check out their social profiles and confirm that they are who they say they are.
- 2-Factor Authentication with SMS or Text: Never set up 2FA with SMS or text. A hacker may be able to steal your phone number by contacting your phone company with as little as your name, surname and phone number. Use dedicated authentication apps instead, or switch to biometric authentication. It is safest to store your crypto passwords somewhere non-digital.
- Copy & Paste, aka “Clipboard Hijackers”: Some programs can replace a wallet address you copied with another address. You must always double and triple check the address to which you are sending. Be careful what you download and never give out your seed/secret recovery phrase or private key.
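What "check the URL" means in practice for the phishing item above, as an added example (not Foundation's code): only the hostname the browser actually connects to matters, not where the familiar name appears in the link. The expected host is taken from the page's own example; the sample links and the `checkLink` helper are constructed for illustration.

```javascript
// Added example: does a link really point at the site it claims to be?
// EXPECTED_HOST is the page's example site; everything else is hypothetical.
const EXPECTED_HOST = "foundation.app";

function checkLink(rawUrl, expectedHost = EXPECTED_HOST) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules a browser applies
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not-https" };
  }
  // In "https://name@host/", the text before "@" is a username;
  // the real destination is the host that follows it.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo-in-url" };
  }
  // The parser lowercases the host; drop an optional trailing dot.
  const host = url.hostname.replace(/\.$/, "");
  // Look-alike non-ASCII letters are converted to "xn--" labels by the parser.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode-lookalike" };
  }
  // Match on the END of the hostname: the registered domain is on the right.
  if (host === expectedHost || host.endsWith("." + expectedHost)) {
    return { ok: true, reason: "host-matches" };
  }
  return { ok: false, reason: "host-mismatch" };
}

// Constructed sample links (the .example hosts are placeholders).
const samples = [
  "https://foundation.app/feed",
  "https://FOUNDATION.APP./feed",
  "https://foundation.app.login-verify.example/claim",
  "https://foundation.app@wallet-check.example/airdrop",
  "https://foundati\u043En.app/", // Cyrillic "o" in place of the Latin one
  "http://foundation.app/",
];
for (const s of samples) {
  console.log(checkLink(s).reason.padEnd(20), s);
}
```
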
“The Stage Crew: Foundation Support + Trust & Safety”
Foundation is committed to helping, but in a web3 ecosystem we do not have access to your wallet. Below are steps we can take if you have lost your seed/secret recovery phrase, but can still access your wallet.
- For MetaMask, you can reveal your secret recovery phrase by following the instructions in this link. Please be sure to save this in a safe place offline and do not share it with anyone.
- If you have lost your secret recovery phrase and are also locked out of your account, unfortunately, there is no way to regain access to your wallet.
- If your wallet gets hacked and you need help deleting your profile, send an email to email@example.com and our support staff will be able to help.
“The Hero: Your Security”
You are the hero of your security: only you can protect yourself from being scammed or hacked. Below are helpful tips to keep you safe in the web3 ecosystem.
- Use offline (“cold”) wallets, especially if you only transact every once in a while.
- Create a safe backup. If you lose your information it will be gone forever. It’s best to keep all your passwords somewhere safe offline.
- Create strong passwords — something that is not easy to remember. It’s best to think in terms of pass phrases.
- Try not to use the same email for multiple accounts/wallets. Always create separate emails when taking part in Airdrops, Faucets and Bounties.
- Make a second wallet for taking part in Airdrops, Faucets and Bounties. It's easy to collect a drop in a different wallet and send it to yourself on a later date. By doing this, if it is a scam, the hacker can’t take anything from you.
- Practice good internet hygiene! Never download or open files from an untrusted source.
- Never share your private key. It’s a private key for a reason. It’s best to write it down somewhere and store it offline.
- As the old saying goes, “if it seems too good to be true, it probably is.” Make sure to follow the above steps and always do your research!
Will Foundation ask a customer to send ETH to verify a transaction?
No, Foundation will never ask you to send ETH to verify a transaction and/or facilitate a sale. All transactions on Foundation are handled on the blockchain through smart contracts. This means there is no need for Foundation to verify the validity of a Foundation profile or NFT sale. Remember that if someone ever asks you over email or through DMs to send ETH to conduct an AML screening or scan a QR code that connects your wallet to an unknown site, it is likely to be a scammer. If you are ever unsure about a correspondence, feel free to reach out to us by emailing firstname.lastname@example.org.
“The Credits: One more thing...”
Be smart: Watch for signs of fraud, look at the details, and always keep in mind that if it doesn’t seem right, it’s not. If it's too good to be true, then it is. Go with your gut and welcome to WEB3.