When you add an XRP Ledger account to XUMM you have three options:
- Create a new XRP Ledger account,
- Use a XUMM+Tangem card,
- Import your existing XRP Ledger account using your secret key.
This blog will briefly explain the first two options, but focus on the last option (importing existing accounts).
Option 1: Create a new account
When you are new to the XRP Ledger, you will most likely create a new XRP Ledger account. XUMM will guide you through this process.
You will receive your secret key: 8 groups of 6 digits to keep really really safe.
If someone else has access to these numbers, they can steal all your funds.
On top of that, if you ever lose or change your phone and you no longer have access to these numbers, you will lock yourself out of ever touching your funds again.
Common secret key management risks are:
- (BAD) Storing your secret key on your computer while your computer is compromised (you may not be aware of this): an attacker checks your files and steals (copies) your secret key, then either steals your funds straight away or waits until there are a lot of funds in your XRP Ledger account to steal them (remotely, by re-creating the account in another app).
- (BAD) Storing your secret key in your cloud account: an attacker can gain access to your cloud account (e.g. Google Drive, Dropbox, etc.), check your files to steal (copy) your secret key, then either steal your funds straight away or wait until there are a lot of funds in your XRP Ledger account to steal them (remotely, by re-creating the account in another app).
- Writing down your secret key on a piece of paper, then forgetting where that piece of paper is located.
- Writing down your secret key on a piece of paper, then losing that piece of paper.
- Writing down your secret key on a piece of paper in one place, where it is destroyed (think fire, water).
- Writing down your secret key on a piece of paper in multiple places, where one of the locations is compromised and someone steals the secret key.
Option 2: XUMM + Tangem card
If you want more security (e.g. for on-ledger savings), you can consider getting yourself a XUMM Tangem card.
The advantage of a XUMM Tangem card is that the secret key is stored in a chip inside the card, where the secret key can never be extracted.
Using a XUMM Tangem card, most of the key management risks outlined above no longer apply.
There is still the risk of losing your XUMM Tangem card (but people are less likely to lose / accidentally throw away a plastic card). Also, there is still the risk of your XUMM Tangem card being stolen/destroyed, which is why you still need to keep it safe.
Option 3: Import an existing account
As many existing XRP Ledger ecosystem participants (users) are migrating to XUMM, the most common way for users to start managing their XRP Ledger account with XUMM is to import their existing account(s). XUMM supports importing the following secret key types:
- Secret numbers (8 groups of 6 digits)
- Mnemonics (12, 16 or 24 words), usually generated by multi-coin software wallets or hardware wallets
- Hexadecimal private keys (advanced, hidden feature)
- Family Seeds: an alphanumeric string starting with a lowercase s, that looks something like this:
Most XRP Ledger accounts generated by other (possibly legacy) XRP Ledger wallets have a secret key in the Family Seed format.
Most users obtained existing secret keys either from previously used software wallets, or by generating them online at a website using an "XRP account generator" or "Paper account generator".
As the same secret key always results in the ability to manage the same existing XRP Ledger account, often users use several software wallets over time to manage their funds. XRP Ledger accounts are portable, as most wallets (like XUMM) allow users to import their existing secret keys.
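How two of these formats relate, as an added example (not code from XUMM or XRPL Labs): secret numbers and a Family Seed are treated here as two encodings of the same 16 bytes of entropy, each with a checksum that catches many typing mistakes. The base58 alphabet, the 0x21 version byte and the row checksum rule are assumptions taken from the public XRPL seed encoding and the published secret-numbers scheme; the function names are hypothetical and the sample entropy is constructed.

```python
import hashlib

# XRP Ledger base58 alphabet (ordering differs from Bitcoin's).
ALPHABET = "rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz"
SEED_VERSION = b"\x21"  # assumed version byte of a secp256k1 Family Seed ("s...")

def _check(payload):
    """First 4 bytes of double SHA-256, the base58check checksum."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def encode_family_seed(entropy):
    """16 bytes of entropy -> Family Seed string."""
    data = SEED_VERSION + entropy
    num, out = int.from_bytes(data + _check(data), "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    return out

def decode_family_seed(seed):
    """Family Seed -> 16 bytes of entropy; ValueError on any defect."""
    num = 0
    for ch in seed:
        if ch not in ALPHABET:
            raise ValueError(f"{ch!r} is not in the XRPL alphabet")
        num = num * 58 + ALPHABET.index(ch)
    try:
        raw = num.to_bytes(21, "big")  # version + 16 entropy + 4 checksum
    except OverflowError:
        raise ValueError("too long for a Family Seed") from None
    if raw[:1] != SEED_VERSION or _check(raw[:17]) != raw[17:]:
        raise ValueError("bad version byte or checksum (typo?)")
    return raw[1:17]

def to_secret_numbers(entropy):
    """16 bytes -> 8 rows: 5-digit value (0..65535) + 1 checksum digit."""
    rows = []
    for pos in range(8):
        value = int.from_bytes(entropy[2 * pos:2 * pos + 2], "big")
        rows.append(f"{value:05d}{value * (pos * 2 + 1) % 9}")
    return rows

def bad_rows(rows):
    """Positions of rows that are malformed or fail their checksum."""
    return [pos for pos, r in enumerate(rows)
            if not (len(r) == 6 and r.isascii() and r.isdigit()
                    and int(r[:5]) <= 0xFFFF
                    and int(r[5]) == int(r[:5]) * (pos * 2 + 1) % 9)]

ENTROPY = bytes(range(16))  # constructed sample, never a real key
```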
While XUMM allows users to import existing accounts using the aforementioned secret key formats, there is a significant potential risk when importing secret keys! You may be importing a compromised secret key, without even knowing the secret key was compromised!
The XUMM support team gets reports on a weekly basis from users who imported their existing (unknowingly) compromised secret keys into XUMM, only to find their funds stolen. The usual ways secret keys are (unknowingly) compromised are:
- The keys have been generated by a website ("XRP account generator" / "Paper account generator"), sending a copy of the generated secret key to the scammers
- The keys have been generated by a website ("XRP account generator" / "Paper account generator") on a compromised computer (e.g. running a browser plugin that steals secret keys)
- The keys have been copy-pasted into XUMM (instead of manually typed) from a compromised device that sent the clipboard contents to a hacker/scammer
- The keys have been generated by a scam wallet, sending a copy of the generated secret key to the scammers
- The keys have been imported into a scam wallet, sending a copy of the imported secret key to the scammers
There are several SCAM WALLETS around, both in the Apple iOS App store and the Google Play store.
Those scam apps come with different names and often come and go (Apple / Google take them down, scammers re-launch their scam wallets under a different name). Common known scams are Toast Plus and Droplet Wallet.
The team working on XUMM, XRPL Labs, is spending a lot of time and effort on application security. We are fully transparent about who we are, our application source code is fully open (and open source) and can be audited by anyone, and we take extreme measures to keep our application and users safe. On top of that we offer fast and knowledgeable support.
It pains us to receive messages (on social media or through our support form) from users who see their savings get stolen by scammers. Every now and then, this involves XUMM users, as their keys are compromised in one of the ways outlined in this article.
If you have even the slightest amount of doubt or uncertainty about secret key security, we urgently advise you to either generate a new XRP Ledger account (with a new secret key) in XUMM and re-key your imported account, or generate a new account in XUMM / order a XUMM Tangem card and move all funds to the new account.
The procedure of generating a new XRP Ledger account (with a new secret key) and 'installing' that new secret key on your existing XRP Ledger account (preserving your public wallet r-... address) is called 're-keying'. On the XRP Ledger, a new XRP Ledger account (with a new secret key) configured on an existing XRP Ledger account is called a 'regular key'.
If you are scammed, please report this to XRPForensics. Neither the XUMM team nor the XRPForensics team can revert transactions (XRP Ledger transactions are permanent), but you may be able to prevent more users from being scammed.