Using a Hardware Wallet: Part III – Best Practices for Safe Transactions

July 5, 2018

In Part I – Introduction we covered the four risk categories you want to be aware of when using any Bitcoin or other cryptocurrency wallet. By using a hardware wallet you protect yourself against custodial risk (#1). By setting up your Trezor, Ledger, or other hardware wallet properly and keeping your backups safe, you protect against loss or corruption of the hardware device itself (#2). This article covers risk #3: Incorrect or malicious addresses and phishing in general. This risk applies to any type of crypto wallet, hardware or otherwise, so the best practices below are important for anyone to learn. Don’t worry, though, as these are pretty easy habits to establish!

Part III in a nutshell…

Double-check that every address you scan or paste is actually the address given to you by your source.

This may seem obvious, but the irreversibility of Bitcoin and other crypto transactions leaves no room for error. Although rare, you may at some point be the unfortunate victim of clipboard-hijacking malware that silently swaps the address you copied for one the attacker controls. Because the swap happens inside the clipboard, the only way to catch it is to visually compare the address after pasting with the address your source actually gave you. More common, and just as costly, is simply thinking you copied something when you actually didn’t: when you go to paste, you get whatever was copied earlier, which may be a completely different address.

Essentially, take nothing for granted. Double-checking an address doesn’t have to be time consuming: compare the first and last few characters with your source for that address, and glance across the middle as well. Bear in mind that clipboard malware can choose a replacement address that shares the leading characters of the one you copied, so the more characters you compare, the better; an address that merely “looks about right” is not good enough. Before long it will become old habit!
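The following is an added example, not code from this article, Ledger or Trezor. It shows in working Python why a partial glance at an address is weaker than it looks: a Base58Check (legacy “1…”) Bitcoin address carries a checksum that catches typos, but an attacker can cheaply generate a different, perfectly valid address that shares the first few characters, which is exactly what a clipboard hijacker would substitute. The expected address is the real Bitcoin genesis coinbase address, used here only as “the address your source gave you”; the lookalike search and the `partial_match`/`full_match` helpers are constructed for this demonstration. Bech32 and Ethereum addresses use other encodings, but the point is the same.

```python
"""
Lookalike-address demo: checksum validity and a partial character match do
not prove an address is the one your source gave you. Constructed example
for this article; not code from Ledger, Trezor or the article's author.
Covers legacy Base58Check (P2PKH) Bitcoin addresses only.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Real, well-known address (Bitcoin genesis block coinbase), used here only as
# the address "your source" gave you.
EXPECTED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    """Base58 encode; every leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, r = divmod(n, 58)
        digits.append(B58_ALPHABET[r])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def make_p2pkh_address(hash160: bytes, version: int = 0x00) -> str:
    """Base58Check address from a 20-byte payload (version 0x00 = mainnet P2PKH)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + _double_sha256(payload)[:4])


def checksum_valid(address: str) -> bool:
    """True if the address decodes to 25 bytes whose last 4 are a correct checksum.
    This catches typos and corruption, NOT substitution by another valid address."""
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    return _double_sha256(raw[:21])[:4] == raw[21:]


def partial_match(expected: str, pasted: str, head: int = 4, tail: int = 0) -> bool:
    """The quick 'first few / last few characters' glance many people rely on."""
    same_head = expected[:head] == pasted[:head]
    same_tail = tail == 0 or expected[-tail:] == pasted[-tail:]
    return same_head and same_tail


def full_match(expected: str, pasted: str) -> bool:
    """The check that actually defeats a chosen lookalike: compare everything."""
    return expected.strip() == pasted.strip()


def find_lookalike(target: str, prefix_len: int = 3) -> str:
    """Brute-force a *different*, checksum-valid address that shares the target's
    first prefix_len characters, as an attacker with a vanity generator would.
    Payloads are derived from a counter, so the search is deterministic."""
    counter = 0
    while True:
        fake_hash160 = hashlib.sha256(b"lookalike:%d" % counter).digest()[:20]
        candidate = make_p2pkh_address(fake_hash160)
        if candidate != target and candidate[:prefix_len] == target[:prefix_len]:
            return candidate
        counter += 1


if __name__ == "__main__":
    fake = find_lookalike(EXPECTED, prefix_len=4)   # roughly 10^5 tries, ~1 s
    print("expected :", EXPECTED)
    print("lookalike:", fake)
    print("lookalike checksum valid?   ", checksum_valid(fake))           # True
    print("first 4 characters match?   ", partial_match(EXPECTED, fake))  # True
    print("full address match?         ", full_match(EXPECTED, fake))     # False
    print("typo'd address checksum ok? ", checksum_valid(EXPECTED[:-1] + "b"))  # False
```

Run it and you will see that the generated address passes both the checksum and a four-character glance, yet sends funds somewhere else entirely; only the full comparison rejects it. Extending the search to match the last characters too is just more compute for the attacker, which is why the device screen, not a quick look at the PC, is the reference you should compare against.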

Specific instructions for the Ledger Nano S and Trezor:

Ledger Nano S

When receiving coins/tokens: Your PC-side wallet should prompt you to verify your current receive address on the Nano's own screen. Don't skip this step: the device screen is the only display that malware on the PC cannot alter. Check that the address on the device matches what the PC-side wallet shows, comparing the first several characters, the last several, and as much of the middle as you can. Confirm a match with the right button (checkmark) or reject it with the left (x). If the addresses ever fail to match, stop here and contact Ledger for support, and don't use your Nano S again on the same computer. If they do match, you can copy the address on the PC side and paste it into a website or message, or scan the QR code with another wallet. Again, follow the best practice above and make sure that the scanned or pasted address matches what was shown on the device screen, not merely what the PC displayed.

When sending coins/tokens: You will be copying an address from your destination and pasting it into the Ledger wallet. Follow the best practice above and visually check the pasted address against your source for that address before clicking Send. The wallet will then prompt you to verify the destination address and amount on the Nano's screen; this is the check that matters, because the device signs only what it displays. If everything looks good, press the right button (checkmark) to approve the transaction or, if not, the left button (x) to cancel.

See also: Ledger's Send and Receive instructions page

Trezor One (Model T is similar)

When receiving coins/tokens: Pressing "Show full address" will bring up your current address both on the PC side and on the Trezor screen itself. Compare the two, checking the first and last characters and as much of the middle as you can, before pressing Continue (right button); the Trezor screen is the trusted copy. You may also scan the address directly from the Trezor's screen by pressing the left button. If you need a larger QR image, just press Continue and it will appear in the PC wallet. If the addresses ever don't match, stop here and do not continue using your Trezor on this PC. Remember that this is just half of the process: also double-check that the receive address you paste into another website or message matches what was shown on your Trezor's screen.

When sending coins/tokens: Follow the best practice above and visually check the address you paste from your destination. After you fill in the amount and press Send, the Trezor displays that address and amount on its own screen; this is the check that counts, since anything shown on the PC side could have been tampered with. If everything looks good, confirm with the right button to sign and send the transaction. If it doesn't look right, press the left button to cancel and try again.

See also: Trezor's guide to receiving & sending payments

One Final Note

Some assets you may want to use on your hardware wallet require an external website to interact with. Ethereum, for example, is typically used through websites such as MyCrypto.com & MyEtherWallet.com. These websites connect directly to your Ledger or Trezor via the bridge interface you installed when you set up your hardware wallet. There are two things to keep in mind about external sites:

  1. These websites can read your public keys and addresses from the hardware wallet and propose transactions, but nothing is signed until you confirm it on the device. This does not give those sites the ability to take any funds, even if they were compromised (you’d have to either confirm a send on your hardware device or give them your recovery phrase). A compromised site can, however, see your addresses and therefore your balances, so treat it as a privacy exposure. Needless to say: never type your recovery phrase into a computer.
  2. Because these websites can be hacked or “phished” (an attacker tricks you into visiting a lookalike site), it’s very important to follow the advice in this article about double-checking addresses at all times while using an external site. Basically, if the external website is compromised, the only way you would know is by noticing that the address shown on your device screen differs from the one you intended to use. In that case stop, go back to your hardware wallet’s official website, and find the correct link for the website you were trying to use. Then try again, watching the addresses very closely.

There has already been at least one incident in which MyEtherWallet users were sent to a malicious copy of the site, and there are numerous copycat websites out there. The good news is that the on-device confirmation of your hardware wallet is your best protection while visiting these sites, and you can install tools which help prevent phishing. Read through the pop-up guide that appears on those sites for more info.

The ultimate line of defense is yourself, however. Your hardware wallet will not send to an address you don’t approve, so check each address on the device screen, every time, and compare as much of it as you can rather than just the first and last characters. Don’t just assume that it is correct.