If you're like me and frequently interact with several blockchains, then you probably have several browser extensions or desktop wallets for this purpose, including Steem Keychain, Hive Keychain, Metamask, Scatter, TronLink etc. for the different blockchains.
We make a lot of different transactions with the help of these extensions; esp. if you play games on dapps, the number of transactions made can be huge.
How many times do you closely monitor the details of the message you sign through these wallets? Do you even click the "Click to show data" link on your Steem or Hive Keychains before you sign the transaction?
Well, if you're an average user like me, you just click the Confirm button and wait for the transaction to complete. If it's some big transfer, you may double check the amount and destination address, but not with all the other transactions.
So is there anything risky with this behavior?
Do you always make sure to sign out from your wallet extensions after you complete the transaction?
At least, I don't sign out when my session is on and I'm likely to make more transactions. E.g., while I'm writing this post, my Keychain is in the signed-in state. And I believe that when my Keychain is logged in, my private keys are not in encrypted form in my browser.
And if you're like me, you keep several tabs open in your browser. Typically, I have somewhere between 70 - 100 tabs open. And all those tabs can read my public key or account name if I'm signed in to my wallet extension. But I don't consider that very risky for me. However, some malicious websites can possibly trick you through fake notifications and dummy interfaces that imitate your wallet extension.
I really don't know how it can be done but somehow believe that there is some possibility. There were some similar attack vectors exposed for Metamask on Ethereum chain a few years back but I guess they should have been corrected by now.
But for some days, these thoughts have been crossing my mind. Especially after I heard about some malicious incidents last week on the EOS chain. I heard that some websites are offering Voice tokens as an airdrop or something to lure people interested in this new blockchain based social network. But when you visit their website with Scatter, they make you sign a transaction which unstakes all your EOS CPU & REX and transfers those to their address. I don't know how it can happen in one transaction when there is an unstaking period of 3 days, but that's what I heard!
Recently, I've started using another Keychain extension called WhaleVault. WhaleVault is a fork of Steem Keychain. Its interface may not look as clean or beautiful as Hive Keychain's, but it's very useful. WhaleVault is a cross-chain Keychain extension which supports most of the graphene chains:
Steem, WhaleShares, Smoke, Golos, Scorum, Vice, Hive, Blurt, BitShares, Peerplays, EOS, Telos, Worbli and maybe more.
Although not all dapps and websites support it yet, to me it feels easier to conduct all transactions with one extension. It also displays the transaction details: you can view the complete transaction details before signing by hovering the mouse over "1 OPERATION". It also shows a transaction log for recent transactions in the Accounts section. Here too you can check the complete transaction detail by hovering over the transaction given after "reason:":
Sorry, I couldn't screenshot another popup window over this one, that showed complete transaction detail.
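What the "Click to show data" link and the "1 OPERATION" hover actually show you is the list of operations the website is asking you to sign, and that list is where a fake "airdrop claim" hides a transfer or a delegation. The following is an added example, written for this post and not code from WhaleVault, Keychain or any dapp: a small JavaScript reviewer that reads a Steem/Hive-style operation list (an array of `[operation_name, payload]` pairs, using the public Hive/Steem operation names) and rates each operation by what it can do to your balance or keys. The sample transaction, the account names and the `trustedAccounts` set are constructed for the example.

```javascript
// Added example (not from the original post, WhaleVault or Keychain):
// a pre-signing reviewer for a Steem/Hive-style operation list. It does by
// code what a careful user does by hand under "Click to show data".

// Operations that move balances or vesting out of (or around) the account.
const FUND_MOVING_OPS = new Set([
  "transfer", "transfer_to_vesting", "withdraw_vesting",
  "delegate_vesting_shares", "transfer_to_savings", "transfer_from_savings",
]);
// Operations that change who controls the account.
const AUTHORITY_OPS = new Set(["account_update", "account_update2", "change_recovery_account"]);
// Social/posting operations that a game or airdrop page can legitimately ask for.
const LOW_RISK_OPS = new Set(["vote", "comment", "custom_json", "claim_reward_balance"]);

const SEVERITY_RANK = { low: 0, medium: 1, high: 2 };

// Rate one operation. `trusted` is the set of accounts you expect to pay.
function reviewOperation(name, payload, trusted) {
  if (AUTHORITY_OPS.has(name)) {
    return { op: name, severity: "high", reason: "changes account keys or recovery settings" };
  }
  if (FUND_MOVING_OPS.has(name)) {
    // transfer-like ops carry `to`; delegations carry `delegatee`; a power
    // down (withdraw_vesting) has no counterparty at all.
    const counterparty = payload.to ?? payload.delegatee ?? null;
    const amount = payload.amount ?? payload.vesting_shares ?? "";
    if (counterparty === null) {
      return { op: name, severity: "medium", reason: `moves ${amount} within your own account` };
    }
    const known = trusted.has(counterparty);
    return {
      op: name,
      severity: known ? "medium" : "high",
      reason: `sends ${amount} to ${known ? "known" : "UNKNOWN"} account "${counterparty}"`,
    };
  }
  if (LOW_RISK_OPS.has(name)) {
    return { op: name, severity: "low", reason: "posting-level operation, no balance change" };
  }
  // Anything we do not recognise still deserves a look before signing.
  return { op: name, severity: "medium", reason: "operation not in review list; inspect manually" };
}

// Review a whole transaction and decide whether it is safe to click Confirm.
function reviewOperations(ops, trustedAccounts = new Set()) {
  const findings = ops.map(([name, payload]) => reviewOperation(name, payload, trustedAccounts));
  const highestSeverity = findings.reduce(
    (acc, f) => (SEVERITY_RANK[f.severity] > SEVERITY_RANK[acc] ? f.severity : acc),
    "low",
  );
  return { findings, highestSeverity, safeToSign: highestSeverity !== "high" };
}

// Constructed sample: a page advertising a free "airdrop claim" that asks the
// user to sign a custom_json plus a transfer and a delegation to an account
// the user has never dealt with. Names and amounts are made up.
const SAMPLE_OPS = [
  ["custom_json", { required_posting_auths: ["alice"], id: "airdrop", json: "{\"claim\":true}" }],
  ["transfer", { from: "alice", to: "airdrop-claims", amount: "250.000 HIVE", memo: "claim fee" }],
  ["delegate_vesting_shares", { delegator: "alice", delegatee: "airdrop-claims", vesting_shares: "1000000.000000 VESTS" }],
];

// Run stand-alone: print the review the way a wallet popup could show it.
if (typeof require !== "undefined" && require.main === module) {
  const review = reviewOperations(SAMPLE_OPS, new Set(["alice"]));
  for (const f of review.findings) console.log(`[${f.severity.toUpperCase()}] ${f.op}: ${f.reason}`);
  console.log(`safe to sign: ${review.safeToSign}`);
}

module.exports = { reviewOperation, reviewOperations, SAMPLE_OPS };
```

The point of the example is the shape of the check, not the exact lists: a transaction advertised as "claim an airdrop" should contain only posting-level operations, so any `transfer`, delegation or key change in the list is the signal to stop and read the payload, regardless of what the page says.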
But the point is, can we do it all the time? Will it be of any help? I dunno.
The best thing we can do is to log out of these extensions when not in use. And most importantly, triple check the website's credentials before you sign up or make any transaction with your key store extensions. Even if it's a new game website or dapp, first check its credentials and authenticity; only then sign up or log in to it. I think these precautions we all can take!
Do you have anything to add? What precautions do you take to secure your wallet credentials? What is the most important suggestion you offer to noobs regarding the security of their wallets?
Thanks in advance!