A recent post on the ledger receiving address attack initiated this research:
Here are the countermeasures I can think of:
(Please do add more, especially if you are aware of the software engineering process of the hardware wallet vendors. )
1. Hardware wallet vendors to adopt the ‘subresource integrity’
I also would like to know whether the ‘subresource integrity’ is sufficient. Please do comment on this.
2. Use the compiled version instead of the chrome extension version
There are different versions of wallet applications on offer even from the same vendor. The compiled version for Windows, Mac or Linux shall be less prone to malicious modification.
The good news is Ledger is phasing out the chrome apps by June 2018: Ledger timeline on trello
3. Use myetherwallet.com (This is only a transfer of responsibility in reality.)
Since myetherwallet is a website, they would have to adopt the same ‘subresource integrity’ recommendation in their coding practice to avoid the same receiving address attack.
If anyone knows the myetherwallet coding convention, please do comment.
4. Cross check with the past transfers.
Many exchange deposit/withdraw addresses do not change for a given account. And the receiving address of many cyrpto currencies in a hardware wallet do not change, either. Verify the history can reduce the risk significantly.
5. Keep minimum Chrome extension app installation
Deleting any dormant or rarely used chrome apps reduces the address attack risk. Google is ending the chrome apps for good reasons.
6. Use a dedicated trading environment.
Disciplined practices are the simplest way to avoid risk. A dedicated Linux based PC (or a Linux installation in the Virtualbox) reduces the risk significantly. Linux performs well on the slowest hardware you can find in a household.
7. Antivirus and Anti-malware
Keep them up to date. Pay for a good malware detection software is still worth it.