Reddit user identified a security flaw that any scammer can now exploit
A helpful Reddit user from Germany has identified and highlighted a possible security flaw that could enable a seed phrase scam. Fortunately, the honest crypto enthusiast has informed the community about the loophole which gives all of us the chance to avoid it before it’s too late.
- Predictive texting on smartphones can accurately predict a 12-24 word seed phrase.
- There are ways to minimize the risk: clearing predictive caches, turning off autocorrect and being aware of the problem are just three of them.
- A blockchain security firm reported that DeFi hacks in 2022 alone stand at $1.57 billion, already surpassing 2021’s total of $1.5 billion stolen.
With so many scams hitting the NFT world and metaverse recently, it’s good to know how to keep your assets safe and your wallet secure. One Reddit user has highlighted a potential scam that any NFT enthusiast and cryptocurrency holder should be aware of.
Andre, an IT professional from Germany, who goes by the handle u/Divinux, realized the security flaw when he was typing in his seed phrase on his smartphone. After he’d typed the first word, his phone suggested the second word. Once he clicked on the second word, it suggested the third, and so on until it had predicted the entire thing.
He immediately saw the problem: all a dishonest scammer would need to do is steal a person’s phone and type in one of the words from the Bitcoin Improvement Proposal (BIP) 39 list of 2,048 words. With a bit of time, the scammer will find the first word. If your phone does what u/Divinux’s does, and predicts the entire phrase from this single word, all of your crypto and NFT holdings will be free for someone to steal.
1. Check to see if your phone can already predict your seed phrase
Conduct a quick test to see if your phone is a potential liability in the fight against scammers. Open up any chat app and type in the first word from your seed phrase. Does the second word come up as an option straight away? If it does, then your phone is open to an easy hack.
It’s important to note that u/Divinux does not use English as the primary language on his phone. This means that when he types the English words of his seed phrase, his phone treats them as unusual words and automatically stores them for future use.
So if the language set on your phone differs from the language your seed phrase is written in, be extra cautious!
2. Clear your predictive cache and empty your personal dictionary
Modern phones have excellent predictive capacity that can be really helpful when you’re texting friends or sending emails. Unfortunately, that helpfulness comes with a downside.
If you’re comfortable living with this security flaw, and would rather have the convenience of your phone learning what you say and predicting your future intentions, leave your predictive cache as it is.
If you think the risk is too big, go to your settings and clear your predictive cache. This means your phone has no words on which to base its predictions about what you will type next. Emptying your personal dictionary will do the same thing.
3. Turn off “auto replace” and “suggest text corrections” in your phone’s settings
While you’re in your settings, turn off the “auto replace” and “suggest text corrections” functionality. Along with clearing your predictive cache, turning off both of these functions will give you double protection against your phone predicting what you will type next.
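To make the mechanism behind steps 1 and 2 concrete, here is a small simulation, added to this article and not part of u/Divinux’s post: a toy bigram model stands in for a phone keyboard’s learned dictionary, a phrase is typed once, and the step-1 self-test (type the first word, keep accepting the top suggestion) recovers the whole phrase until the cache is cleared. The keyboard model, the chat lines, the short BIP39 subset and the demo phrase (the first 12 words of the public BIP39 list, not a real wallet phrase) are all constructed for this example.

```python
"""Simulate how a smartphone keyboard's learned dictionary can memorise a seed
phrase typed once, and how clearing that dictionary (step 2) removes the leak.

Added example, not code from the Reddit post or the article. The keyboard
model, word lists and chat lines below are constructed for the demo."""
from collections import Counter, defaultdict
from typing import Optional

# Constructed subset of the 2,048-word BIP39 English list, just enough for the
# demo. Assumption: a real audit would load the full published list.
BIP39_SUBSET = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "accuse",
}

# Constructed demo phrase: simply the first 12 words of the BIP39 list,
# NOT a real wallet phrase.
DEMO_PHRASE = ("abandon ability able about above absent absorb abstract "
               "absurd abuse access accident").split()

# Constructed everyday chat text the keyboard has also learned from.
CHAT_LINES = [
    "see you at eight tonight",
    "running late sorry",
    "can you send the file",
]


class LearnedKeyboard:
    """Minimal bigram model standing in for a phone's predictive-text cache."""

    def __init__(self) -> None:
        self.next_words = defaultdict(Counter)  # prev word -> Counter(next)

    def learn(self, text: str) -> None:
        """Record every adjacent word pair the user typed."""
        words = text.lower().split()
        for prev, nxt in zip(words, words[1:]):
            self.next_words[prev][nxt] += 1

    def suggest(self, prev: str) -> Optional[str]:
        """Top suggestion for the word that usually follows `prev`."""
        counts = self.next_words.get(prev.lower())
        if not counts:
            return None
        return counts.most_common(1)[0][0]

    def clear_cache(self) -> None:
        """Step 2 of the article: wipe the learned personal dictionary."""
        self.next_words.clear()


def self_test_chain(keyboard: LearnedKeyboard, first_word: str,
                    max_len: int = 24) -> list:
    """Step 1 of the article, automated: type the first word and keep
    accepting the top suggestion. Returns the chain the keyboard produces."""
    chain = [first_word]
    while len(chain) < max_len:
        nxt = keyboard.suggest(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def audit_learned_words(keyboard: LearnedKeyboard,
                        wordlist=BIP39_SUBSET) -> list:
    """List learned words that are BIP39 words: a quick way to tell whether a
    seed phrase has been absorbed into the personal dictionary."""
    vocab = set(keyboard.next_words)
    for counts in keyboard.next_words.values():
        vocab.update(counts)
    return sorted(vocab & wordlist)


def demo() -> tuple:
    """Returns (chain before clearing the cache, chain after clearing it)."""
    kb = LearnedKeyboard()
    for line in CHAT_LINES:
        kb.learn(line)
    kb.learn(" ".join(DEMO_PHRASE))  # the phrase typed once, as in the post
    leaked = self_test_chain(kb, DEMO_PHRASE[0])
    kb.clear_cache()
    after = self_test_chain(kb, DEMO_PHRASE[0])
    return leaked, after


if __name__ == "__main__":
    before, after = demo()
    print("before clearing:", " ".join(before))
    print("after clearing: ", " ".join(after))
```

Running the script shows the full 12-word demo phrase coming back from the first word alone, and only the first word once `clear_cache()` has run. `audit_learned_words()` is the defensive check: if it returns a run of BIP39 words, the dictionary has absorbed a phrase and should be cleared.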
4. Double-check the wallet address you are sending cryptocurrency or an NFT to
This one is obvious, but when you’re in a rush, mistakes can happen. People will generally copy and paste a wallet address when they’re sending some currency, tokens or NFTs to it. This cuts down on the risks of entering the wrong numbers and letters.
For added protection, if you’re sending a large amount of cryptocurrency or an NFT, try sending a small amount of crypto first, just to check it goes to the right place. It may cost you a bit of money in gas fees, but it might save you lots of money and pain in the long run.
Remember, no one can get your money back for you if you send it to the wrong place. There is no insurance or a complaints department to fix your mistake if you make one. So be precise and double-check that you’re definitely sending your money to the right place.
DeFi scams have hit 2022 hard
2022 has already been a tough year for DeFi hacks. According to security firm PeckShield, hackers have stolen $1.57 billion, easily surpassing the $1.5 billion stolen in 2021. This equates to £13 million stolen per day and if this trend continues, it will add up to $4.7 billion stolen by hackers by the end of the year.
The Ronin bridge hack was the worst, by far. Hackers stole more than $600 million which made this scam the biggest one on record. The majority of users are yet to get their money back.
The Wormhole bridge hack was the second biggest hack of the year. Back in February, digital robbers stole $321 million by exploiting a bridge between the Solana and Ethereum blockchains.
The third biggest exploit was the Beanstalk hack, which saw $182 million pilfered by nefarious actors.
To make sure your security is as tight as possible, read this article on The 8 Ways to Check if it’s a Token Scam. Also follow our blog and Twitter feed to keep up to date with the latest in blockchain hacks and security.