Introduction
MetaMask is a browser extension rather than a stand alone app, so extra precautions are advised to ensure good security practices to protect your assets.
These are some of the main points to consider whilst using MetaMask:
Installation
- Always use the correct webpage link for installing MetaMask.
- There are many phishing scams that look and feel exactly the same as MetaMask and can gain access to your seed phrase by a complex hack that copies your seed phrase and the hackers can empty your wallet at their own leisure.
- These scams can be run on search engines and paid google ads, tricking the unsuspecting user into thinking they are on the original site.
- The correct website is https://metamask.io
MetaMask Security Advice
- When it comes to keeping your MetaMask wallet secure, nothing is more important than protecting your password and secret recovery phrase.
- The latter will grant complete access to your MetaMask wallet, including all the funds stored within it.
Here are some important facts to keep in mind:
General Advice
- Don’t use your wallet on a shared computer.
- Preferably use your MetaMask on a laptop/desktop and not a mobile device.
- Mobile devices are much more easily compromised/stolen and are more easily vulnerable to hacks due to their physical movements, connections and accessibility as users go about their day to day life.
- Consider setting up and using multiple accounts inside MetaMask for different protocols that you may not use frequently, this ensures that your main account is less likely to be compromised if you inadvertently interact with a platform that is malicious.
- Deactivate/turn off the MetaMask extension when not in use.
- Regularly clear your browser cookies and cache.
- Never trust anybody asking you to “authenticate your wallet”, disengage from the conversation immediately.
- MetaMask will never ask you to complete KYC for your wallet.
- Due to the nature of hacks and exploits this is not all that needs to be considered and is often good practice to keep abreast of information in this space at https://twitter.com/MetaMaskSupport
Passwords
- Use a unique password that you haven’t used anywhere else or for anything else.
- You can also use a password generator and password manager for your password and have a set timeframe to rotate your password for your account.
Secret Recovery Phrase
- Store the secret recovery phrase completely offline.
- Don’t take photos of it with your phone or store it in a password manager, or any other form of digital storage no matter how secure.
- Find a way or multiple ways that work best for you to ensure your secret recovery phrase never ends up in the wrong hands.
- Nobody from MetaMask will ever ask for your seed phrase, no matter the situation.
- Don’t share it with anybody, no matter the circumstances.
MetaMask Security for the Web Browser Extension
- MetaMask automatically gives permission to any site you click on as its a browser extension.
- If you open a malicious site there is a chance it could connect to your wallet and empty out your funds.
- To disable this feature, right click on the MetaMask logo and you will see an option for “this site can read and change site data”.
- Click that and then click “when you click the extension”.
- This will disable the automatic connection to your wallet when you click on any page.
- This mean an extra step every time you want to connect your wallet.
- Every time you visit a new page, you will have to enable the extension for that webpage, by clicking on the MetaMask logo.
Settings for MetaMask Security
Generally these settings should be on by default but it is advantageous to check to see if these functions are turned on for peace of mind.
The following are recommended settings for using the MetaMask browser extension and mobile app securely:
MetaMask Wallet Browser Extension
- Settings → Advanced → set Auto-Lock Timer to < 5 minutes.
- Settings → Advanced → turn off any experimental features.
- Settings → Advanced → select preferred ledger connection type if using a hardware wallet.
- Settings → Security & Privacy → turn on show incoming transactions.
- Settings → Security & Privacy → turn on Use Phishing Detection.
- Settings → Security & Privacy → turn OFF Participate in MetaMetrics.
- Settings → Alerts → turn on all alerts.
- Settings → Experimental → turn off any experimental features.
MetaMask Wallet Mobile App
- Mobile app → Settings → Security & Privacy → recommend to use password/passcode instead of face ID but if your password is weak then face ID is preferable.
- Mobile app → Settings → Security & Privacy → turn on Privacy mode.
- Mobile app → Settings → Security & Privacy →clear privacy data, browser history and cookies at regular intervals.
- Mobile app → Settings → Security & Privacy → turn OFF Participate in MetaMetrics.
- Mobile app → Settings → Security & Privacy →Mobile app → change password specific to mobile.
MetaMask Security for Airdrops
- Airdrops are trending right now, some people make consistent gains being on top of airdrops but it also takes a lot of time and effort to keep on top of the airdrop cycle.
- Malicious actors also have found many ways to gain access to users wallets through random tokens being airdropped with smart contracts enabled on the backend to empty out the funds in an unsuspecting wallet.
- Don’t interact with them, that means don’t try to transfer them, sell them or do anything with these “random” tokens.
- If you are legitimately waiting for an airdrop from a reputable source, then do your own diligence on these before interacting with the airdropped tokens in your wallet.
Internet Connection
- Don’t ever access your wallet through a Public WiFi network ever!
- Public WiFi networks are one of the biggest security risks, just don’t do it.
- Use your mobile hotspot if needed.
Security Software
- Purchase some decent antivirus/malware software for your devices.
- Crypto is about being our own bank, and as such we as users are responsible for our own security.
Custom Tokens
- There is often a need to add custom tokens into MetaMask, to do so the user will need to add the contract address into Metamask for the token balance to show.
- Use only reliable sources such as coinmarketcap, coingecko, or the verified original token address from the project itself.
- Double check these contract addresses and do not use addresses provided in social media or private messages from unknown sources.
Hardware Wallets
- For a deeper layer of security, connect the MetaMask app to a hardware wallet.
- The hardware wallet signs the transaction or Tx through the private keys on the physical device.
- Supported wallets are Trezor, Ledger, Lattice and Keystone.
- If a person or a hack were able to gain access to your MetaMask app, they would not be able to move any assets out of your wallet as physical access to the device is also needed.
Technical Support
- This is an area where a lot of scammers target unsuspecting users through various communication channels such as discord, twitter or telegram.
- Often scammers reach out to users in response to their queries or questions and offer assistance. They will imitate the language of technical support personnel and give assurance that they can provide you help for your issue at hand at the same time utilizing a user’s emotional vulnerability and distress to their advantage.
- They might offer you a link or eventually ask you for your seed phrase.
- The best thing you can do is block them and/or ignore them and most certainly don’t click on any links they provide as they will most certainly be malicious.
- If you have genuine issues about a project and need help for a certain project then the best course of action is to find out who the moderators are in the project channel and directly message them.
- Don’t post your question in the main chat channel and never give out your seed phrase to anyone.
- Use an official channel to communicate through the projects website, they generally all have links on their homepages for this.
- The Official channel for metamask is https://metamask.zendesk.com/hc/en-us/
Transaction Addresses
- As much as this is a tedious task, if you are sending funds out, double check the transaction address to ensure it matches the intended address.
- There is a hack called clipboard hacking where malware can affect your device and swap out a “copy and paste” address, doing so before you would even register that it has been swapped over.
- Again this is why it pays to have good antivirus/malware installed on your device to prevent these sorts of hacks.
Conclusion
It is an unfortunate fact, that more than often, hackers and scammers gain access to user’s funds simply because they never took the precautionary steps to protect their assets.
We hope that this article has shed some light on how to ensure that your cryptocurrency assets remain safely in your own hands.