NeoWalt — Wallet Security

Key principles

  • The recovery phrase (12/24 words) is the master key. Never type it into a computer or phone.
  • The PIN protects access to the device; the passphrase protects the seed.
  • Check the receiving address on the device screen before every send.
  • Keep offline backups in two separate locations and test restoring them regularly.
  • Update firmware and apps from official sources only.

Objective: to reduce your physical, software and social attack surfaces.

Physical security: EAL (Evaluation Assurance Level)

EAL = assurance level from 1 to 7 (least to most rigorous); "+" = augmented requirements beyond the base level.

  • EAL1: Minimal verification of product functionality. Objective: show that there are no obvious flaws.
  • EAL2: Further review of the design plus independent testing. Objective: moderate assurance for existing products.
  • EAL3: Systematic verification of security functions and of the development environment. Objective: ensure the product follows secure practices.
  • EAL4: Comprehensive design review, extensive testing and independent review. Objective: a good balance between security and cost.
  • EAL5: Semi-formal design with partial models and proofs. Objective: high confidence in high-risk environments.
  • EAL6: In-depth mathematical analysis of the security mechanisms. Objective: very high assurance (defense, critical infrastructure).
  • EAL7: Complete mathematical proof of the design and of its secure behavior. Objective: maximum trust (critical military or cryptographic systems).

Many wallets use a Secure Element certified EAL5+ or EAL6+. A higher EAL means more assurance for the chip, but actual security also depends on the firmware, the overall design and your own usage practices.


Common threats

  • Phishing / address poisoning: cloned sites or applications, look-alike addresses, malicious QR codes.
  • SIM swap and social engineering: takeover of SMS-based 2FA, manipulation of support staff or of you.
  • Malware / keyloggers: blind signing of transactions, infected browser extensions.
  • Supply chain: device tampered with before receipt, "pre-printed" seed card.
  • Evil maid: stealthy physical access to the device (office, hotel room).

⚠️ Red flags

A seller who provides you with a seed or asks for your 24 words.
Installation links sent via private messages or social networks.
Urgent requests to sign a transaction "for verification".
Wallet received without a seal or with suspicious stickers.
An application that refuses to show the address on the device for verification.

Essential good practices

  • Initialize the wallet yourself, using software from official sources.
  • Use a PIN of 6+ digits; disable auto-unlock on your mobile phone.
  • Passphrase: enable it to compartmentalize your funds.
  • Seed engraved on steel, in 2 separate locations, never photographed.
  • Verify addresses on the device screen. Avoid public Wi-Fi.
  • Apply firmware and application updates regularly. Back up before any update.
  • For large amounts: use multisig (2-of-3) or Shamir sharing.

Receiving: Supply chain control

1) On opening the package
  • Seal intact, official packaging, no pre-filled "seed card".
  • Serial numbers visible, accessories as described.
2) Installation
  • Download the official application (Ledger Live / Trezor Suite / the vendor's dedicated app).
  • Check the download's fingerprint or signature when one is published.
3) Initialization
  • Generate a new seed on the device itself.
  • Enable the passphrase if you know how to manage it.
  • Write your words down on a durable medium (steel recommended), in private.

Backups and inheritance

  • 2 separate locations for the seed; the passphrase stored elsewhere.
  • Shamir: M-of-N sharing (e.g., 2-of-3) to distribute trust.
  • Multisig: several devices/keys required to spend (e.g., 2-of-3).
  • Inheritance: sealed file (inventory, instructions, contacts) and a designated executor.

Choose between Shamir and Multisig depending on your operational capacity.

Personal Policy Generator

Tip: print your policy and keep a sealed copy separate from your backups.

Emergency plan (incident)

Loss/theft of the device
  • Restore on a new device in a safe location (seed + passphrase).
  • Transfer the funds to new keys immediately.
Potentially exposed seed
  • Immediately move all funds to a new seed/passphrase.
  • Consider multisig/Shamir.
Suspected malware/phishing
  • Disconnect, isolate the machine, change passwords offline.
  • Reinstall cleanly or use a dedicated, clean machine.

Quick Glossary

Recovery phrase (seed)

A 12- or 24-word BIP39 sequence from which all your keys are regenerated. Keep it offline.

Passphrase

An additional word or phrase that creates different wallets from the same seed. Never forget it.
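
The derivation the two entries above refer to, as an added example (not NeoWalt's code): BIP39 stretches the words plus the passphrase into the 512-bit seed with PBKDF2, so every distinct passphrase, including one with a typo or trailing space, silently opens a different wallet. The mnemonic used is the public BIP39 reference vector, not anyone's real wallet.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    # NFKD normalization is part of the spec: accented or composed characters
    # in a passphrase must map to the same bytes on every device.
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


# Public BIP39 reference vector (all-zero entropy), not a real wallet.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def wallets_by_passphrase(mnemonic: str, passphrases: list) -> dict:
    """Hex seed per passphrase: each distinct string is a distinct wallet."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def opens_same_wallet(mnemonic: str, typed: str, expected: str) -> bool:
    """True only if the typed passphrase regenerates the expected wallet.
    A wrong passphrase never errors: it opens a different, empty wallet."""
    return bip39_seed(mnemonic, typed) == bip39_seed(mnemonic, expected)


if __name__ == "__main__":
    variants = ["", "TREZOR", "trezor", "TREZOR "]
    for p, seed in wallets_by_passphrase(TEST_MNEMONIC, variants).items():
        print(repr(p).ljust(10), seed[:16], "...")
```

Restoring on a new device and seeing an empty balance is therefore the classic symptom of a passphrase typed differently from the original, not of lost funds.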

Air gap

Transferring data to and from the device without a direct connection (e.g., via QR codes). Reduces USB/Bluetooth risks.

Multisignature

Several keys needed for spending (e.g., 2/3). Ideal for large amounts.

Shamir

Splitting the seed into fragments (M-of-N) so that trust is distributed; any M fragments rebuild it, fewer reveal nothing.

Educational information. Do your own research. Never divulge your seed.
© NeoWalt — Security Information Page. This page does not replace your internal policies or regulatory obligations.