Before I start this article I want to make it very clear - you should be using a hardware wallet if you care about your NFTs and want to keep them safe. While you might think that you're the most careful person on the planet, the reality is scammers are getting more crafty and the complexity of scams is only going to continue to increase over time.
A hardware wallet is without a doubt the best way to keep your NFTs safe, but there's also an often overlooked security risk that I don't see mentioned enough, which I thought I'd talk about here.
First - let's talk about how a hardware wallet works when it comes to NFTs since I know this is a confusing topic for a lot of people, especially those of you who are just dipping your toes into the NFT waters.
A hardware wallet is a way to store your NFTs, which in almost all cases will be ERC-721 tokens in an Ethereum wallet. The most popular Ethereum wallet for NFTs these days is MetaMask and you'll be happy to know that MetaMask works with both Ledger and Trezor, the two most popular hardware wallets out there.
The first confusion I see with hardware wallets is people thinking that their NFTs are actually stored on the physical device itself. This is not the case. Instead, your hardware wallet stores your private key and requires you to authenticate transactions on a separate device. The huge advantage here is that if you performed an action that would, say, transfer all the NFTs from your wallet to a scammer's wallet, you'd need to approve it on this physical device while it's attached to your computer.
Hot wallets, which are what most people are using right now, can be hacked, and scammers can perform actions that could cause you to lose your NFTs, often without you having the slightest clue you're doing something wrong.
Okay, so now that we're all on the same page, I want to talk about the one security risk people don't talk about enough when it comes to hardware wallets and how to mitigate or really completely eliminate this risk.
Most people who get a Ledger or Trezor take all their valuable NFTs and move them onto the hardware wallet. At this point they breathe a sigh of relief and say, "phew - all my NFTs are finally safe." And they're right for the most part, but there's one thing people don't think about.
When you go to a website and click the mint button, you're running a function in a smart contract and the reality is, unless you've looked at the smart contract yourself (and know what you're looking at) - you don't know what that mint button is doing. In some cases, scammers will put in code that, rather than minting a new NFT, takes all the NFTs in your wallet and moves them to their wallet, and poof, your NFTs are gone.
While you might think a hardware wallet would protect you in this situation, it won't, and here's why. Suppose you go to a website for a new project you're excited about, you click the mint button and sign using your Ledger with your primary wallet connected. You've now given approval for that smart contract to do whatever it's going to do, whether that's minting an NFT or transferring away all your NFTs.
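One way to see what a "mint" button is really asking you to sign is to look at the transaction's calldata before approving it on the device. This is an added example, not code from the original article: `inspectCalldata` and the sample values are constructed for illustration, and it flags the standard ERC-721 functions that move tokens or hand control of them to another address.

```javascript
// Added example: flag ERC-721 calls that move tokens or delegate control of them.
// Selectors are the first 4 bytes of calldata, fixed by the ERC-721 standard.
const RISKY_SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)",
  "095ea7b3": "approve(address,uint256)",
  "23b872dd": "transferFrom(address,address,uint256)",
  "42842e0e": "safeTransferFrom(address,address,uint256)",
  "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
};
const ZERO = "0x" + "0".repeat(40);

// An ABI-encoded address is the low 20 bytes of a 32-byte word.
const asAddress = (word) => "0x" + word.slice(24);

// inspectCalldata is a hypothetical helper name; myAddress is the signing wallet.
function inspectCalldata(calldata, myAddress) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || /[^0-9a-f]/.test(hex)) {
    return { risk: "unknown", detail: "no valid function selector" };
  }
  const name = RISKY_SELECTORS[hex.slice(0, 8)];
  if (!name) {
    return { risk: "unknown", detail: "not a standard transfer or approval; read the contract" };
  }
  const w = hex.slice(8).match(/.{64}/g) || []; // 32-byte argument words
  const needed = name.startsWith("setApprovalForAll") || name.startsWith("approve") ? 2 : 3;
  if (w.length < needed) return { risk: "high", name, detail: "truncated arguments" };

  if (name.startsWith("setApprovalForAll")) {
    const granted = BigInt("0x" + w[1]) !== 0n;
    return granted
      ? { risk: "high", name, detail: `gives ${asAddress(w[0])} control of every token in this collection` }
      : { risk: "low", name, detail: `revokes operator ${asAddress(w[0])}` };
  }
  if (name.startsWith("approve")) {
    const spender = asAddress(w[0]);
    return spender === ZERO
      ? { risk: "low", name, detail: "clears the approval on one token" }
      : { risk: "high", name, detail: `lets ${spender} move token ${BigInt("0x" + w[1])}` };
  }
  // transferFrom / safeTransferFrom: (from, to, tokenId, ...)
  const [from, to] = [asAddress(w[0]), asAddress(w[1])];
  const leaving = from === myAddress.toLowerCase() && to !== from;
  return { risk: leaving ? "high" : "unknown", name,
           detail: `moves token ${BigInt("0x" + w[2])} from ${from} to ${to}` };
}

// Constructed sample: a "mint" button that actually requests setApprovalForAll(operator, true).
const SAMPLE = "0xa22cb465" + "0".repeat(24) + "11".repeat(20) + "0".repeat(63) + "1";
```

An `unknown` result is not a clean bill of health; it only means the call is not one of the standard ERC-721 transfer or approval functions.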
So how can you stay safe?
It's actually easier than you think. Create two hardware wallets, and yes - you can create multiple hardware wallets using one Ledger or Trezor. One hardware wallet you can use for your NFTs, the second you can use for minting. The minting hardware wallet will never be used to store NFTs; it will just be used for minting. Once you're done minting, you can move your NFTs from the minting wallet into the hardware wallet that's just used for storage.
What this means is that if you decide to ape into a new project and that project ends up being just a scammer trying to steal your NFTs, they can't steal anything, because there are no NFTs in the wallet you're minting with.
I hope this is helpful, stay safe out there everyone!