10 Rules to Securely Use Your Cryptocurrency Hardware Wallets - Coindoo

10 Rules to Securely Use Your Cryptocurrency Hardware Wallets

Editorial Team Avatar
Jun 8, 2019
5 min reading time

Hardware wallets are deemed the most secure storage option for cryptocurrencies. But you can’t just
put your funds on the wallet and you’re done. There are still some risks that appear if the device is
not properly initialized or there are issues with the firmware’s updates. In order to increase the
security of your hardware wallet, there are some security precautions that need to be applied.

1. Buy the wallet only from its official supplier or a trusted third-party

Purchase the wallet only from its official vendor instead of a reseller to reduce the probability of it
being counterfeited or tampered with. There was a case in which an eBay reseller managed to access
buyer’s even if he sold them legitimate and unopened products.

2. Stay away from pre-initialized hardware wallets

A pre-initialized hardware wallet could just carry a wallet that is a copy of a wallet which could have
been installed by a scammer. Make sure that you are the only person to initialize your hardware
wallet before you use it. Go through the initialization setup for your hardware wallet provided on its
official website.

3. Only use device-generated recovery words

Never use recovery words that have been pre-selected. Always make sure the wallet has been
initialized from zero and use only new random on-device generated recovery words. The person that
has the recovery words is able to access the wallet and steal its coins.

4. Look for a device that has attestation

Before you purchase your hardware wallet, make sure that you will receive a document or some sort
of proof that shows the origin, authenticity, or integrity of the product. Try to find the software
developed by the device manufacturer which can interrogate a Secure Element embedded on the
device and prove the device’s integrity.

Go through the verification instructions given by your wallet provider (Ledger has available
instructions for verifying attestation through its secure element attestation).

5. Test Your Backup

A very important rule that sometimes overlooked is verifying the backup. Your wallet backup
represents a set of recovery words. You can test the recovery words to see if they work on a different
hardware wallet device.

If the wallet has been completely and successfully recovered, then you can be certain that the
backup works. After this, you have to erase or reset the test hardware. It is not recommended to use
your usual computer or software wallet to check if the backup works.

The instructions for performing a recovery test for your backup seed should be provided by your

6. Write down and store your recovery words separately

Do not type the recovery words into a computer or take photos of them or print them. The only safe
way to store your recovery words is by writing them down on paper. You could later on laminate the
paper so it can stay safe against environmental factors that might degrade it.

Store it in a place that only you have access to. Keep in mind that the wallet’s PIN code does not
guarantee fund protection if an attacker gets a hold of the wallet physically and finds the recovery
words next to the device. Under no circumstance do you store the wallet alongside the paper which
contains the recovery words.

7. Verify the software that communicates with your hardware wallet

A desktop software that is backdoored can be a threat to your funds. Hardware wallets make use of
desktop software for transaction initialization, firmware updates for the device, as well as other
important operations.

In order to prevent an attacker from tampering with the device software after it has been installed,
there should be reproducible builds and code-signed executables available. By using code-signed
executables, the operating system automatically verifies the code signatures each time the
application is launched, as opposed to manual verification, which is usually only done once.

8. Consider using only one dedicated computer for your wallet

If just one computer is used to access and operate your hardware wallet, it can provide even more
safety as it is not used for daily tasks, thus reducing its exposure to other online threats that might
compromise it, and by association your wallet.

By option to use your hardware wallet only from a PC that has immutable configuration, you increase
the security of your private keys. This computer would have to be disconnected from the Internet,
and dedicated exclusively to initiating and signing transactions via the hardware wallet.

First, you will have to disable all of its firmware configuration (for instance, restrict boot devices,
disable network boot, etc.) to make sure that nothing connects to it during its booting process.

9. Look for a wallet that has multi-sign functionality

“Multi-signature” is the process which involves more than one key when authorizing a transaction.
This feature offers protection against a single point-of-failure. A multi-signature wallet will generate
multiple keys which can be kept in separate hardware wallets.

10. Manually check when a new multi-signature address is generated

Multi-signature wallets are formed by merging a number of private key-owners into one address
which is stated in a script. This type of address is called P2SH or “pay-to-script hash”.

This process of creating the address is performed in the user interface of the desktop software via
the use of public keys, not the hardware wallet. If you use a compromised PC when the script
generates the new P2SH address, then the hacker may be able to modify the script terms and attach
itself to the multi-sig wallet.

This means that he could secretly insert himself as an additional owner to the address and thus gain
access to said joint wallet.

Final Thoughts

With this, we conclude our article regarding how you can increase the security of your hardware wallet. It may seem a little too much (or paranoid, by some accounts) to implement all these rules,
but as recent reports have shown us, greedy malevolent actors stop at nothing to get the digital
funds of others.

* The information in this article and the links provided are for general information purposes only and should not constitute any financial or investment advice. We advise you to do your own research or consult a professional before making financial decisions. Please acknowledge that we are not responsible for any loss caused by any information present on this website.
Press Releases