
Topic: Arculus Hardware Wallet Review / Warning (Read 245 times)

legendary
Activity: 2268
Merit: 18509
September 29, 2022, 04:43:24 AM
#19
Ugh.  I guess there's an argument to be made that knowing if you crossed a political border doesn't give away your ID and hence it's anonymous
If they are tracking your IP and/or location then it absolutely isn't anonymous. It doesn't matter whether or not you cross borders. If I can see from your location data that you spend 10 hours each night at the same address, then it becomes trivial to identify that as your house and therefore identify you. If I can see from your IP data (assuming you are not using Tor) that the same IP accessed this Facebook page or that Instagram page, then again, it becomes trivial to link that to an identity.

The manufacturers very well may not have the intention of scamming via the scheme you described, but there's just no way for any of us to know.
And there is no way to know what they are doing with that data. Blockchain analysis companies would pay top dollar for a list of names, locations, and IPs of individuals who are known to own bitcoin, doubly so when those names, locations, and IPs can be easily linked via Arculus' servers to all the wallets, addresses, and coins that those individuals own.
legendary
Activity: 3234
Merit: 6706
Cashback 15%
September 29, 2022, 12:51:08 AM
#18
They claim to be completely anonymous but the app won't work outside the US, meaning that at a minimum they are tracking your IP, your location, or both. That doesn't sound very anonymous to me, not to mention the fact they are clearly lying when they claim to be anonymous.
Ugh.  I guess there's an argument to be made that knowing if you crossed a political border doesn't give away your ID and hence it's anonymous (but the definition of that word would have to be agreed upon, which it seems silly to do)....but that doesn't excuse the fact that only being able to use the Arculus in the US is just a really bad "feature".

I think there are people/companies who know there's going to be a big market for slick wallets with abhorrent security features--much like the Ballet wallet.  The manufacturers very well may not have the intention of scamming via the scheme you described, but there's just no way for any of us to know.

I'm the Head of Product at Arculus - let me give you the facts.
I'm sorry, this is going to sound very negative but the Arculus deserves to fail as it stands.  If you addressed the security concerns instead of all the "trust us" stuff, you might have a decent product to sell.  I have a couple of them, and they're attractive.  But as I said before, there's just no way I'd ever use one to store any crypto on.
hero member
Activity: 714
Merit: 1298
Cashback 15%
September 28, 2022, 06:11:01 AM
#17
Assumption is that their card incorporates a PRNG that shares a random number with the Android app, which responds with the SEED and keeps the relevant master private key. This guess and the closed source app would draw the red line for me if I ever wanted to buy and use Arculus.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
September 27, 2022, 05:46:13 PM
#16
~


I'm late to this thread; the problems regarding privacy claims while you know where users are located (geo-blocking), as well as regarding closed-source hardware and software, have sufficiently been pointed out.

What I'm wondering though is: how do you envision this product even being an upgrade over a software wallet e.g. when considering clipboard malware?
Clipboard malware is easier to build and distribute than anything taking over a system completely (e.g. to attack a software wallet, creating and sending transactions without user input). Without a screen, there is no protection against it; no way to check that the card is about to sign a good transaction without altered amounts or addresses, right?



Regarding price: there is Satochip going for €25....
https://bitcointalksearch.org/topic/satochip-hardware-wallet-on-smart-card-usbnfc-5181719

100 does seem excessive, especially if you make these in the millions (by your own words). So you'll have even lower costs on them than the Satochip guys, probably.
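
The check a signing device with its own screen makes possible for the clipboard-malware case raised in post #16, shown as an added example that is not part of the thread and not Arculus or Satochip code: decode the outputs from the exact bytes about to be signed and compare them with what the user meant to pay. The transactions, scripts and amounts are constructed sample data, and only the legacy (non-segwit) serialization is handled.

```python
import struct

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_outputs(raw):
    """Return [(value_sat, scriptPubKey)] from a legacy-serialized transaction."""
    if len(raw) < 10 or raw[4] == 0:
        raise ValueError("not a legacy serialization (segwit marker or no inputs)")
    pos = 4                                   # skip version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                             # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                 # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        script_len, pos = read_varint(raw, pos + 8)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    if pos + 4 != len(raw):                   # only the locktime may remain
        raise ValueError("truncated or trailing data")
    return outputs

def review(raw, intended_script, intended_sats, change_scripts):
    """List every way the transaction differs from what the user intended."""
    problems, paid = [], 0
    for value, script in parse_outputs(raw):
        if script == intended_script:
            paid += value
        elif script not in change_scripts:
            problems.append(f"unexpected output: {value} sat to {script.hex()}")
    if paid != intended_sats:
        problems.append(f"recipient receives {paid} sat, expected {intended_sats}")
    return problems

# --- constructed sample data (not real keys, addresses or transactions) ---
def p2pkh_script(h160):
    return b"\x76\xa9\x14" + h160 + b"\x88\xac"

def build_tx(outputs):
    """Serialize an unsigned one-input legacy transaction for the demo."""
    tx = struct.pack("<I", 2) + b"\x01" + bytes(32) + struct.pack("<I", 0)
    tx += b"\x00" + struct.pack("<I", 0xFFFFFFFF)   # empty scriptSig, sequence
    tx += bytes([len(outputs)])
    for value, script in outputs:
        tx += struct.pack("<Q", value) + bytes([len(script)]) + script
    return tx + struct.pack("<I", 0)                # locktime

RECIPIENT = p2pkh_script(bytes([0x11]) * 20)    # what the user meant to pay
CHANGE = p2pkh_script(bytes([0x22]) * 20)       # the wallet's own change script
SUBSTITUTED = p2pkh_script(bytes([0x33]) * 20)  # address swapped in on the host

GOOD_TX = build_tx([(50_000, RECIPIENT), (149_000, CHANGE)])
SWAPPED_TX = build_tx([(50_000, SUBSTITUTED), (149_000, CHANGE)])
ALTERED_TX = build_tx([(90_000, RECIPIENT), (109_000, CHANGE)])

if __name__ == "__main__":
    for name, tx in [("good", GOOD_TX), ("swapped", SWAPPED_TX), ("altered", ALTERED_TX)]:
        print(name, review(tx, RECIPIENT, 50_000, {CHANGE}) or "matches intent")
```

The check is only worth something when it runs, and its result is shown, on hardware the host cannot influence; run inside the phone app it inherits the same compromise it is meant to catch.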
legendary
Activity: 2212
Merit: 7064
Cashback 15%
September 27, 2022, 01:57:22 PM
#15
Whoa, whoa, whoa. There are a lot of assumptions and falsehoods here.
What exactly were the wrong assumptions and false information posted about Arculus?
All information posted by me was based on your website, and feedback on the internet is not very good, to say the least.

International expansion is coming soon.
I guess people from the rest of the world should just wait and pray you don't cancel access in the future.
This is obviously centralized control and I would never use any hardware wallet like that.

The wallet is completely anonymous.
You obviously know who orders the wallet, and I don't know what you are doing with customer data.
Nobody can use this wallet unless they are in the US, so that means you also know the IP address and location of users at all times.
legendary
Activity: 2828
Merit: 6108
Jambler.io
September 27, 2022, 05:40:04 AM
#14
Now, I'm not saying this is what is happening, but if I was wanting to pull off a widespread hardware wallet scam, this is what I might do:

  • Make this device seem far more expensive than it is (such as by stamping "Retail Value $99.00" on the box - I mean who does this? And seriously?
    ~
  • Hand out as many of the devices as possible for free

When reading this I had the same thought, make something that in an advert will look expensive as hell, claim it's some new type of wallet like a Balenciaga handbag trashbag, put an out-of-your-mind price tag on it, and then have a turn of heart and make a lottery where 1000 lucky customers will get this for free or nearly for free. So you will get both some "lucky" users and you will get a lot of people who would spend thousands to brag about it, it takes one of those to not be careful and you might hit the jackpot with a few tens of BTC.

Hopefully, this is not the case.

"they are selling all your other information" - No, we are not. Privacy is central. We have no way of connecting a wallet to a person's identity. The wallet is completely anonymous.

Heard that from Ledger, next thing was going through hundreds of pages checking if my address and name were leaked, and finding that two of my friends are living in the same neighborhood as they were back in high school.
You might be totally legit, you might not want to scam a single client, you could also be very confident that your security is better than the others but put yourself in the client's shoes for one moment, this is not a credit card that you can lock with a phone call, this is a wallet where, if hacked, all your funds are forever gone.

So when I read this, I'm a bit confused.
Quote
WHAT HAPPENS IF MY ARCULUS KEY CARD GETS LOCKED?
SEPTEMBER 25, 2022 POSTED BY ADMINISTRATOR
This should not happen. If you think your Arculus Key™ Card is locked, please contact customer service here.

If this should not happen, why do you have a special help page about it happening? ;)
legendary
Activity: 3500
Merit: 6205
Looking for campaign manager? Contact icopress!
September 26, 2022, 11:42:48 AM
#13
They do provide a seed phrase, but it is displayed via your phone, making it only as secure as any closed source mobile app (i.e. not secure in the slightest).

OK, I (somewhat) stand corrected, still if only displayed on the phone, that's a bad joke, not security.


This would be funny, but it's actually sad; it means that the one(s) who implemented the wallet most probably don't have the knowledge on blockchain/bitcoin/transactions they should have (and the wallet is built on wrong assumptions).
legendary
Activity: 2268
Merit: 18509
September 26, 2022, 11:25:29 AM
#12
They claim to be completely anonymous but the app won't work outside the US, meaning that at a minimum they are tracking your IP, your location, or both. That doesn't sound very anonymous to me, not to mention the fact they are clearly lying when they claim to be anonymous.

From what I know you don't offer backup of the seed, hence if your company dies, the user funds go with it. That's not how security should work.
They do provide a seed phrase, but it is displayed via your phone, making it only as secure as any closed source mobile app (i.e. not secure in the slightest).

Also, just lol at how wrong this answer on their support pages is: https://support.arculus.co/hc/en-us/articles/6218984488087-I-tried-to-send-multiple-transactions-of-BTC-and-only-one-succeeded-the-others-are-pending-and-I-do-not-see-them-on-the-blockchain
legendary
Activity: 2212
Merit: 7064
Cashback 15%
September 26, 2022, 10:55:11 AM
#11
I also made this write up because I’ve seen this company doing a ton of advertising and lying about how “traditional” hardware wallets are less safe. This is a very shady marketing tactic, and one they didn’t have to use to become a successful product.
Arculus is probably one of the worst hardware wallets I heard about, and I don't know if this is still the case, but you can only use it inside the United States.
The moment you cross the border or go to some other country, the Arculus app won't work anymore and that is the only way you can use this wallet.
If we add that everything is closed source then I would never recommend using this wallet for anything serious, other than testing.

Quote
No, the Arculus Wallet app will only work within the US.
https://support.arculus.co/hc/en-us/articles/4408161149463-May-I-use-the-Arculus-Wallet-app-outside-the-US-
Quote
No, the Arculus Key card is only available for shipment within the US.
https://support.arculus.co/hc/en-us/articles/4408171741079-Can-the-Arculus-Key-card-be-shipped-outside-the-US-
legendary
Activity: 3500
Merit: 6205
Looking for campaign manager? Contact icopress!
September 26, 2022, 05:05:06 AM
#10
We believe in getting strong, hardware-based security to the mainstream.

From what I know you don't offer backup of the seed, hence if your company dies, the user funds go with it. That's not how security should work.
From what I know your wallet doesn't let the user see what he's doing, leaving the door open for mistakes. Again, that's not how security should work.
The fact we have to trust your word instead of looking into sources, is a topic already discussed.

"they are selling all your other information" - No, we are not. Privacy is central. We have no way of connecting a wallet to a person's identity. The wallet is completely anonymous.

Yet one cannot use this from outside of the US, hence you most probably do connect a wallet to user IP(s).
Sorry, but these claims coming in a technical area are... weak...
legendary
Activity: 2268
Merit: 18509
September 25, 2022, 03:39:42 PM
#9
The facts are that neither your app nor your hardware is open source. It is impossible for the end user to verify anything that is going on and they must have complete trust in you and your product. They cannot verify their seed phrase or keys were created securely, and they cannot verify they are signing what they think they are signing. Having the seed phrase displayed on the phone is a huge security risk and makes the product barely any better than a free closed source mobile wallet. Users have no idea what the app is doing in the background, how much data it is collecting about what is going on, or how much data you are collecting through your servers which your app is connecting to.

The price is ridiculous when you can get a proper open source hardware wallet with a screen like a Trezor for 20 bucks less.

I got a server error on your landing page, but it seems a new Tor circuit has solved this.

The whitepaper is not a whitepaper at all - it is an advertising brochure. It explains nothing about the inner workings of the app or the hardware.
newbie
Activity: 1
Merit: 0
September 25, 2022, 02:58:30 PM
#8
Whoa, whoa, whoa. There are a lot of assumptions and falsehoods here.

I'm the Head of Product at Arculus - let me give you the facts.

First off, the wallets that were part of Bitcoin 2022 weren't "free" they were part of the entry fee to the conference.

Arculus is part of a public company called CompoSecure that has been making metal payment cards (and has numerous patents on NFC communication with metal cards) for more than 20 years. We make about 2 million cards a month at our factory in New Jersey.

We do not, to my knowledge, "attack" other wallets in our marketing. We believe in getting strong, hardware-based security to the mainstream. Without getting into calling out specific competitors, other hardware wallets are (for the most part) secure and good at keeping attackers away from your crypto. They're also pretty good at keeping you away from it as well because they are often difficult to use and inconvenient.

If you see a server error on our website, please tell me where and we'll investigate.

International expansion is coming soon.

"they are selling all your other information" - No, we are not. Privacy is central. We have no way of connecting a wallet to a person's identity. The wallet is completely anonymous.

If you want to read more about how the wallet works, you can read our whitepaper: https://cdn11.bigcommerce.com/s-eew4m8g4im/content/documents/arculus-whitepaper.pdf
legendary
Activity: 2268
Merit: 18509
September 25, 2022, 11:19:33 AM
#7
Now, I'm not saying this is what is happening, but if I was wanting to pull off a widespread hardware wallet scam, this is what I might do:

  • Create a closed source device which can be mass produced very cheaply, like a simple bank card
  • Make this device seem far more expensive than it is (such as by stamping "Retail Value $99.00" on the box - I mean who does this? And seriously? A 100 bucks for a card with a chip in it? The kind that banks and stores give away for free to all their customers?)
  • Make the device generate a seed phrase from a predetermined list which I secretly have access to
  • Hand out as many of the devices as possible for free

The whole thing seems very suspect to me. I tried to poke around their website for some more info, but it returns a server error. If the device truly does cost 100 bucks, where did they get the funding to be able to hand out thousands of the device for free? And why would they do that? No other hardware wallet manufacturer has needed to do that to get their product established.
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
September 25, 2022, 10:59:17 AM
#6
Could also be 100% legit in security, but they are selling all your other information. Think about it, a decent HW wallet setup, that is now telling anyone who will pay for the information what coins came in and from what addresses and where they went.
Considering that it was a concentrated campaign toward the ones who live in the US [e.g. "the key card only ships to the US" and "users can only use their app in the US" (regardless of the workarounds)], I think what you said in the above line might actually be the case here [some kind of decoy].
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
September 25, 2022, 09:17:10 AM
#5
On the website it states the seed is generated from the wallet itself, is that even possible with NFC chips?

Some NFC chips have a microcontroller which is used as additional security (usually cryptographic challenge). But I'm not sure whether the small power received by the chip is enough to run an additional microcontroller to generate a seed securely.

Probably not and I can see it also being a support nightmare. There are so many variables to the amount of power a phone puts out through NFC. Add in different phone cases along with any other metal for attaching to magnetic holders and you have to assume that you are lucky to get tap to pay to work on a regular basis.

I am not so much about open source as verifiable source with hardware / software wallet but without either why would you even want to use one that does not have it since there are so many that do give you that option.

As always, for full disclosure, I use a closed source multi-coin wallet on my phone but I know and understand the risks and don't keep a lot of funds there.

-Dave

legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
September 25, 2022, 08:01:07 AM
#4
A long quote from myself about a different product, but yes why would anyone store funds / even use a product that was given away from an unknown manufacturer.

Looks like there's a new reason to keep an extra PC/laptop to interact with crypto. Of course, with USB type A, even then no adapters are required. This means that the threat described in this topic will be excluded.

USB A can easily handle exploits for PC/laptops, see the link from my other post here.
So by making the wrong assumptions, instead of protecting one, you can end up getting malware on the other.

More and more manufacturers are refusing to use USB A in their devices, and over time this will lead to a shortage of such devices. The market for used devices will not be endless either.

This doesn't really make sense. USB A is still widely used for PCs, I don't think they'll get no-longer-produced too soon. And, if you want to, you can easily buy cheap and straightforward adapters from USB A to micro USB or USB-C like this one:



MacBooks and any of the ultra portable PC ones (Microsoft Surface, etc.) are all USB A only.

Having one of those small adapters is nice. But people are people, and people forget things.
If I drop a few of those cables around a show like BlackHat or Defcon probably nobody is going to plug them into anything.
Leave a few around Bitcoin Miami and you could probably get someone to plug them in.

Buy a few dozen (yes it's expensive) but then put a logo on for something that looks like a giveaway and you know people are going to use it....

-Dave



It's a bit different in the fact that it's a hardware wallet but still, you are 'giving' me a $100 item. Like the saying goes, if you don't pay for it you are the product.

[o_e_l_e_o  trigger warning]....
Could also be 100% legit in security, but they are selling all your other information. Think about it, a decent HW wallet setup, that is now telling anyone who will pay for the information what coins came in and from what addresses and where they went.

Or they could just be a team of incompetent nimrods who got funding and are trying to get a product out there, or a bunch of scammers who got funding who stole 90% of it and then just put out whatever to get more money from their backers.

Going to have to find out a lot more, but for now yeah...run away.


Thanks for making this thread, OP.  I'm all out of sMerits, so I'll have to owe you some.

I sent him 4: 2 from me and 2 from you :-)

-Dave
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
September 25, 2022, 04:43:25 AM
#3
I also made this write up because I’ve seen this company doing a ton of advertising and lying about how “traditional” hardware wallets are less safe. This is a very shady marketing tactic, and one they didn’t have to use to become a successful product.
Any company that spends more time attacking and talking bad about the competition rather than properly explaining the workings of their own product should be avoided in my opinion. Focus on presenting what it is that your device brings to the table. If that isn't the case and you aren't doing that, it might be because you don't have anything to offer.

Since these HWs were given away for free, the saying "if something is free, you are the product" is suitable. 
legendary
Activity: 3234
Merit: 6706
Cashback 15%
September 24, 2022, 11:13:31 PM
#2
Thanks for making this thread, OP.  I'm all out of sMerits, so I'll have to owe you some.

Anyone who knows me on the forum knows I'm no expert in the workings of these things, but I made a trade with a member a while back for a couple of these wallets (which he also got from the Miami conference).  That led me to look into them a bit further, and I'm pretty sure I came across the video you linked to and I came away with the impression that the Arculus is not a trustworthy wallet. 

The packaging and the wallet are great, and it's a neat collectible in my eyes, but there's no way in hell I'd ever use it.  And I'd also love to hear others' thoughts on it, though I'm pretty sure I know what I'm going to read.
legendary
Activity: 2240
Merit: 3002
September 24, 2022, 06:48:35 PM
#1
A buddy gifted me a couple of these wallets that Arculus was giving away at the Miami bitcoin conference this year.  I finally decided to look into this wallet out of curiosity and came across exactly what I expected to find, reasons why this wallet is not safe and secure.

I also made this write up because I’ve seen this company doing a ton of advertising and lying about how “traditional” hardware wallets are less safe. This is a very shady marketing tactic, and one they didn’t have to use to become a successful product.



https://www.getarculus.com/

Here’s a pretty good YouTube video of a guy who explains some of the main reasons why this wallet isn’t secure.

https://youtu.be/q09he4RPg_A

—Some of the main issues—

*Thousands have been given away for free at the Miami Conference alone. This in and of itself should make you question the wallet’s legitimacy right off the bat. I understand this helps get the word out, but a truly revolutionary wallet (that retails for $99), as they claim to be, would garner enough attention where this likely wouldn’t be necessary.

*Not Open Source

*This wallet has to rely on its application/software alone for trust. You have to use a phone to use it which opens it up to potential issues such as malware.

*They do not explain how the keys are stored, other than it’s “encrypted”. (The guy in the video reached out to Arculus for key storage explanation and said all he got back was basically “you should just trust us”.)

*No screen display. Without a screen display you can’t verify on the hardware wallet itself that the key on the wallet matches the key on your phone.

*Seed phrase is displayed on your phone and not the device itself. This opens it up to an attack, what if someone sim swapped you, they’ll be able to see the seed and steal your coins.

On the website it states the seed is generated from the wallet itself, is that even possible with NFC chips?




I am not an expert in this area, but I know enough to understand why this wallet's flaws render it not smart to use. Would love to hear from others/experts with any experience with these wallets, other security issues I may not have mentioned, or just any thoughts in general on this wallet and the company behind it.

