Topic: Do Hardware wallet Manufacturers Ship to PO Boxes or Not? (Read 587 times)

Sorry, but I don't know anything about your product. I have seen your posts in the last couple of days advertising your wallet in various discussion threads all over the Hardware Wallet section. This thread has information on a a few selected brands that most people have heard about. There are many others that are missing, and I have no plans to add them. At least not for now.

Can you please add Cypherock wallet?

We ship to PO boxes and we accept BTC through Coinbase Commerce.

Thanks for your feedback. Everything that I wrote in the table was correct at the time of writing. Maybe there were changes in the meantime or the information you see in your location is different from what I see on my end. I will go through the suggestions you made, double-check myself, and correct if needed.

I have a website (https://thebitcoinhole.com/) where I compare 37 different hardware wallets. It displays all the payment methods supported by each official store. I verified them myself by going checkout by checkout.

Some corrections to the list in this post:
- Bitbox also supports BTCPay Server
- Keepkey is not supporting pay with crypto
- Keystone also supports Open Node
- Ledger is supporting BitPay or Crypto.com Pay, but not in all the countries they ship.
- OneKey also supports MixPay
- Satochip is integrated with Coinbase Commerce, not CoinGate.

So since I had the spiffy 35% off coupon [ https://bitcointalksearch.org/topic/35-off-keystone-hardware-wallets-code-5421345 ] for a keystone I ordered one.
Was correct in my assumption that at least in the US they use Amazon for fulfillment. So at least here, you can probably get it delivered anyplace.



As always YMMV and based on what country you are in it will probably vary a lot.

-Dave

I remember reading that reply some time ago. 60 days is certainly better than 1 year or 10 years. It would be interesting to learn more about their offline solution and how they deal with security. Who has access to the data, and decryption keys for example? If I was a pissed off Foundation employee and a scumbag looking to profit anyway possible, could I easily gain access to the offline system and copy what I need from it? 

You can live the dream today!


There will always be legal limitations, but companies can definitely do a lot to improve customer data security.

It would be great if it worked that way. But due to regulations and local laws, businesses are required to keep records of their customers for X period of time. Unfortunately, the X seems to be different from company to company and depending on the territory. Some businesses anonymize private data after a while. Even that's better than storing it in their computers for 10 years. I think Ledger stores them that long. Would be even better if that anonymized data was taken offline and stored on paper in a company office space somewhere and then simply destroyed once the law allows it. I guess I am dreaming now...   

There is one more nuance to this.
Sure; an individual business hosting everything themselves, may not notice a data breach quickly, may not communicate it to customers or if they do, customers may not read about it. These are the downsides. And I'd argue that it's more likely for a small business to fuck up some server configuration or have less tight security training of employees in non-technical fields like accounting and customer support (social engineering vector).

But hear me out: The most secure way to store data is not to store it. Or to store it for a very limited amount of time.
With all the shortcomings of self-hosting mentioned above, it is also much easier (and verifiable) to completely delete customer data when you host it yourself.

Unless that information is clearly mentioned somewhere, I am not sure where I could get it. This is surely not something that a regular support rep could help with. To be honest, I don't know which shopping cart software brands are self-hosted and which ones are operated by a 3rd-party myself. I will have to take your word for it and trust you gave me the correct info.

I can't help but to think of Ledger in this situation. All it takes is one unknowledgeable or malicious employee to destroy your reputation forever. Ledger wasn't just affected by the Shopify breach. Their employees caused a similar incident themselves. Self-hosted or not, your data is still sitting on a server somewhere that could get hacked with enough motive and incentive. I agree that it's surely more rewarding attacking and breeching the defenses of a 3rd-party company, which handles such data by millions of customers than to attack one individual business.   

Places that use shopping cart software that is hosted / run by someone else.

A store can run WooCommerce or PrestaShop or Open Cart or Zen Cart or many others and the cart information never leaves their server. Name / address and what I bought stays local to them. Picking on Keystone since they are the ones we have been talking about they send all that info to a 3rd party to handle the cart.

Coinbase Commerce is a payment processor. Some want more info then others. But keeping it internal by running something like BTCPay is still better.

Just thinking that since this is about privacy and data leaks it is worth a mention.


The counterpoint is that if Shopify does get hacked (again) it makes the news, due to the size and nature of who they are and what they do. If some business is hosting it themselves and there is a data breach, if they don't find out about it or tell people about it we may never know that our info is out there.

-Dave

I tried with a PO Box address in Germany (also known as Postfach) and the site didn't report any errors. But who knows what would actually happen if you ordered a parcel, it arrived at the designated address, and it was time to pick it up. Would it even be delivered or would the courier call you and ask for an alternative?     

What do you consider 3rd-party checkouts? Ordering through Coinbase Commerce would be a 3rd-party checkout, for example, right? Paying the company directly from my wallet to theirs isn't in that case. Most HW do the former. 

Their store. The issue is, that Amazon does, or at least did give you the option of blind shipping. The return address will be a generic facility that 1000s of shippers use. Sometimes it's easy to spot since it's a known local Amazon warehouse. But, I have gotten packages from addresses that are just massive USPS facilities that I KNOW came from an Amazon warehouse.

 
If you order from there will it let you ship to a PO box?

---

Still I think there should be a discussion about 3rd party checkouts


If like Keystone they are using a 3rd party cart. If they are doing enough with cookies and browser fingerprints they can easily know that DaveF who ordered the hardware wallet and paid with crypto and shipped to a PO box is the same DaveF that ordered the replacement battery for his motorcycle paid with Visa and shipped it to his house. At that point it does not matter if Keystone got hacked, you are now worrying about the 3rd party cart provider and when they get hacked.


-Dave

That previous picture you posted, which shows delivery information to a PO BOX, is that an image taken from their official online store or from the Amazon link below?
 
Yeah, it works. I can see different Keystone products on the page.

It went through with no issues. Since they do sell through Amazon here in the US I wonder if they are just using them for fulfillment here. Would cut down on a lot of work for them in terms of logistics.

Does this link work for you? https://www.amazon.com/stores/page/0360EBE5-E20C-45DC-836C-59573EAE62F5
 


Lightning or onchain.
When I go to pay this is what I see, you have one option for Coinbase Commerce and one for BTC:




When I click through the BTC option it takes me to an opennode link, to pay a shopify cart.




So it could be they are using different providers depending on where the customer is coming from, could be they changed the day after you spoke to them. Or, it could be their customer service person who you were dealing with was wrong.

Shipping to a PO Box is drobably not that big a deal in terms of security / privacy now since they are using a 3rd party cart we don't know what else is being captured. So assume that they know what you purchased, what IP you came from for geo location and a ton of other stuff. What information is shopify getting and keeping? We may never know.

That should probably be another column in the chart, self hosted cart or 3rd party.

-Dave

The data in the OP is based on what info I got from the customer support of all those companies. Does their online shop allow you to complete the purchase after selecting a PO box or is there an error or other type of notification that hinders it? Do you know what carrier they work with in the US? The information I got off the Ledger support team was that their packages in the USA are shipped via DHL, and they don't deliver to PO boxes. So it's a restriction set by the carrier company and not the device manufacturer. 

I got redirected to Coinbase Commerce when I imitated a fake purchase just to see where it would take me. It's the first time I hear payments are also processed by opennode.com. Are those Lightning payments maybe or is it a geographical thing that determines which payment processor a customer is redirected to?

At least in the US Keystone does allow shipping to PO Boxes:



If you are paying by credit card you will probably have to have the PO box listed as a shipping possibility.
And they are still at Amazon ($10 more) but you can have it shipped to an Amazon locker if there is one that you can get to.

Also, they use opennode.com for BTC payments and Coinbase Commerce for altcoins and also BTC.


-Dave

Using a PO Box would make you anonymous to hardware wallet manufacturer, but the post office or the service you use will have information on file about you. If that data is stored digitally, we are back to the same problem. But this time it's not a hardware wallet manufacturer that stores your data, but the US Post Office or any other post office of the world. Can they be hacked or suffer a leak? Of course.

PO Boxes aren't available worldwide, many curriers require that you sign for the package upon delivery, and some couriers don't ship electronic devices to PO boxes. So there are different problems with using them. If you are not worried about supply chain attacks, you can always buy a HW by physically going into one of the shops they are sold at and purchase it there with cash.   

It would be great if someone has experience in buying a hardware wallet and delivering it to the  PO Boxes, and is also willing to share information about the nuances of this. This could be useful (not only for me personally, because I have an interest in this), because the delivery of parcels to the  PO Boxes may differ due to the specifics of each country. I don'tt think that for the sake of this it is necessary to create a separate topic, because, in principle, the discussion of this fits into the concept of this topic. Are there people here who ordered hardware wallet for a PO Boxes?

Crypto payment processor information was missing for a few brands, so I did another check and added the ones I left out.

- Blockstream uses BTCPay Server.
- Coldcard doesn't seem to be using a payment processor judging by their store.
- Foundation Devices uses BTCPay Server.
- There is an issue with KeepKey when it comes to crypto payments. The system is currently not functional. I think they are using Coinbase Commerce.
- Trezor uses Confirmo.net.

I look at it more as OP-Sec then paranoia. Going with the assumption (yeah I know assumption) that a trusted user here is a low risk source for supply chain attacks then it is IMO somewhat easy to be invisible.
Disposable email -> new account -> contact shipper-> give info -> send BTC -> wait for delivery.

It could be you contacting the shipper, it could be theymos, it could be anyone, does not matter they would just need a name and address to ship to.

Taking about edge cases here, but still interesting to throw ideas around.

-Dave

They are, but it should have been possible to do preorders through resellers, in my opinion.
Not sure how they handled it in batch 1, but that was a preorder, too. I believe that resellers just bought / preordered a fixed amount and - well - resold it in their stores.

We usually need to pay VAT and import tax if it's above some threshold (like around 100 bucks). Yes, the PO box shipping is a problem when importing stuff.
Therefore I made sure to order in a different way.

It is the 90s! The Perl code is actually from adam3us.

I am not sure if the customs fee is included in that estimate. Since the package comes from the USA (a non EU country), customs fees and VAT will surely be added on top of the price of the product. There might be additional charges as well. I don't have more information about what the total fees are for electronic devices such as hardware wallets. It's surely different from country to country. Maybe Buying goods online coming from a non-European Union country can help.

Ooft. That's an extra $100 on top of what is already not a cheap device. And how does it work in the EU with imports? Will there be a customs fee or import charge on top of that as well? Or is that what they mean by the tax and duty fee they've already included?

Still, looking at the EU reseller, they are charging $335 at current conversion rates for the original Passport, while the official site is charging $260 for the new model. Guess you'll need to wait and see what price the resellers charge for the new model to see which is the better option for you.

The official shop doesn't show clear information about the tax fees during checkout. But shipping it to the EU from the USA would cost you from $24 to $45 depending on the speed of delivery. There is also an estimation about taxes that says:

https://foundationdevices.com/checkout/#cfw-shipping-method
Depending on the shipping method, the tax & duty amount changes to $56.95 and $57.93.

I made a similar inquiry just to see how much it would cost to have a Foundation device delivered to a South American country. Shipping fees are $25 to $53 for Argentina. The tax and duty fees are estimated at $59 to $65 depending on shipping method.

Yeah, that's a fair point. I guess you would then need to weigh up the pros and cons of not having your details shared with a hardware wallet manufacturer and all their third party buddies on one hand, versus inserting a third party in to the delivery chain and the theoretical risk of supply chain attacks. And even if you trust the third party not to attack your hardware wallet, do you also trust them to be as honest as they claim with your personal details and have a rock solid security set up?

But I guess if you are like me, and are getting to that level of paranoia, then the best option is probably going to be to ignore hardware wallets altogether and use an airgapped computer instead.

I look it at closer to the fact that a single trusted user doing it as a side hustle that only deals with hardware wallets is more likely to get away with the 'I don't keep records' thing if something happens then a full service company. I know a lot of the mail forwarding places do keep records and have handed them over to the authorities if requested. The o_e_l_e_o re-ship service could get away with a lot more, and if you are ordering the device yourself you have 0 concern about someone shipping you a pound of meth that you then forwarded on...

Taking it a step past that you could always keep a few of the more popular ones sitting around and then just ship from stock, but when the next model comes out you might be stuck with the old one.

You would never get rich doing this, but beer money is good :-)

-Dave

Are they not still at the pre-order phase? I wouldn't expect re-sellers to offer them for sale until they had confirmation from Foundation Devices that their shipment was complete and ready to go.

What kind of delivery fees or customs/import fees would you be looking at to import to the EU from the US? And I presume a PO Box would be out of the question in such a case.

A bar code rather than a QR code? What is this, the 90s!? Did you find that picture on Geocities?

I'd advice to always order 'locally' (this usually includes whole EU if you're in the EU) exactly because of this. However, I'm not sure why Passport batch2 is not yet available from European resellers. Luckily, I can receive online orders in the US at the moment, but if all EU-based customers need to import, that would really suck.

Never forget!

Wouldn't surprise me. We know from things like AOPP and FATF documents that in the US the government want to move to a system where every address is KYC linked, and that they want all centralized exchanges, platforms, or services which allow withdrawals to personal wallets to ensure every withdrawal address is KYC linked. It's not a huge step from there to imagine them wanting a system where every wallet, software or hardware, requires KYC linking first. Of course such a proposal is crazy and could never work in practice, but these are the same people who are trying to ban encryption, so I wouldn't put something equally stupid like this past them for a second.

Maybe they would do that if they understood how important the privacy and security of their clients is. The way they tried to minimize the damage they caused to their clients when the database was hacked perhaps best shows that such things are not very important to them. Although, considering that some EU politicians and bureaucrats have visions of even stricter regulation when it comes to cryptocurrencies, I would not be surprised if Ledger and similar companies start demanding strict KYC for every customer.

A few days ago, I read that an online casino is asking for verification in such a way that the user has to take a selfie with a newspaper in his hands, in front of a sign with the name of his street and house number...

Yet another option is to use general delivery or poste restante, where your package is simply delivered to a post office and you later go pick it up. You will still have to reveal your name, but not your address, and you can always use a post office in a completely different city/county/state to obfuscate things further.

This, and the mail carrier they use. Note the disclaimer given on the BitBox link that Pmalek has included in his first post:

Ledger's support told me that they only work with DHL in the United States, and according to them, DHL doesn't deliver packages to PO Boxes. Their suggestion is using regular mail if you are a US customer.

Adding one or two more columns with reseller information is certainly doable. Contacting each individual reseller to ask them about PO boxes is quite the task though. I know that Ledger and Trezor have dozens of them worldwide. Since you mentioned Foundation Passport, I know they have 3 official resellers in the EU. The one you mentioned is for the UK, but there is also Cryptomaan and Bitcoin Brabant for Belgium and The Netherlands. There is also a company in Slovenia called Eventus sistemi, but they are not mentioned in the EU list. They are in a "Distributors" category at the end of the page. 

Great list, very valuable information! Unfortunately, it doesn't include information about export / import.
I'm not 100% sure about it, but I believe it depends more on the individual country's laws than on what the wallet manufacturer.

So therefore it would be useful to also add official (overseas, with respect to manufacturer location) resellers to the list.
For example, US-based Foundation Devices sells in EU through https://shop.btcdirect.eu/, so it would be helpful to know whether they sell through PO boxes (though they apparently don't yet sell batch 2) for EU-based customers.

It's strange that Keystone wallet is not supporting PO Boxes when they recently opened dedicated Amazon shop in Europe.
For other hardware wallets I think that UPS mailboxes are better option than PO boxes in US, or simply use any alternative  delivery address.
If I could choose I would always try to buy them locally in official shops.

They are widely known for their ''famous'' security practices, especially when you combine BitPay kyc with millions of leaked private information  

There already exist several companies which you can use to receive mail or packages and then forward to another address without opening, such as iPostal1, Traveling Mailbox, or Anytime Mailbox. It would be preferable to use a general company which forwards any package as opposed to one which only forwards hardware wallets, for the exact reason that if the forwarding company leaks user data, then if they only deal with hardware wallets then you are back at square one.

BitPay are the worst possible payment provider in existence. While I'm not crazy about any custodial payment process, I just tried to place some test orders via Crypto.com and Coinbase Commerce out of interest. Crypto.com just ask for an email address, which can obviously be a burner, and Coinbase Commerce don't ask for anything at all. BitPay, on the other hand, require a fully KYCed account in order to place an order. which is just ridiculous, especially for a hardware wallet manufacturer.

I think all of them accept crypto through one or the other service provider. I didn't check the online shops for all brands if the support agents told me exactly which crypto assets are accepted. But I think I should do that for those that are missing to ensure the info is 100% correct. Do you think BitPay is different from Coinbase Commerce Crypto.com Pay, for example? I assume that the same type of verification would be required by most of them.

Excellent. Thanks for finding that. I will update the info in the table.

I have my doubts about the knowledge of these support representatives. They might not have the full picture, who knows. I am sure you can't ship to PO boxes in all countries, and I can swear I heard that electronic devices can't be delivered to PO boxes.

If you start the ordering process in their online shop and select to pay with crypto, you will eventually be redirected to BitPay. 

Makes you wonder if there is a business model here of re-shipping crypto wallets.
[Using I / me but could be anyone]

You pay me crypto for the wallet + a fee, I order however I want and get it shipped to me I then ship it to you while never opening the original shipping package.
Yes you would have to trust me, but since I would really not care or check you could have me ship it to someone else who would then ship / give it to you.

Probably a very small market, but would help some people feel more secure that there is no real way to trace hardware wallet 'xxx' to them.

-Dave

This is certainly the first I've heard of Ledger using BitPay, but it could have been that way for years and I would have never known.

Agreed. If the only way of buying a Ledger online is either through a KYCed fiat method or a KYC enforcing bitcoin processor such as BitPay, then you should simply never buy a Ledger online. With all the time Ledger can spend integrating debit cards and instant exchangers and other privacy invading trash in to Ledger Live, you would think they could just set up their own instance of BTCPay or similar.

I don't remember it being necessary before and I haven't really used that processor for a long time - but if every customer has to do KYC just to make a payment in Bitcoin then that's just another added risk in potentially compromising the privacy of anyone buying HW.

In a way, this makes every purchase that would be made through a PO box somewhat pointless, because even though Ledger does not know our data, the payment processor can always be hacked, and then the only question is which data will leak. The only safe way of shopping left is to find a physical store, put on a cap and a protective mask and pay with cash, preferably outside the place of residence.

I can tell you that as of when *I* ordered both ColdCard keystone both DO deliver to PO boxes. OR at lest DID.

BUT, keep the following in mind.

1) I am US based so this might not apply to the rest of the world.
1a) That is probably a fair assumption in general that there may be different requirements for different places. Specifically if something is going though customs / requires a signature for delivery.

2) With keystone you either have to pay with BTC or have the PO box address on file with PayPal. A PO box is my default PP address and when I bought mine that is where it went.

3) ColdCard accepted whatever address I put in. Since we are the default office for un-deliverable things in my office building I often make up office numbers. i.e. STE 507 which is very impressive since the building only has 2 floors.... But, the point is that they do not do address verification like other places that will not let me make up office numbers.
3a) Which did turn into a disaster when the old building owner sub-divided some spaces and added 10 offices on the 2nd floor and it took a while for the post office / address verification databases to catch up.

4) Keystone is available through Amazon and they will deliver to Amazon lockers here in the US.

https://bitcointalksearch.org/topic/m.57962757

-Dave

I couldn't find anything for KeepKey, but here's a "tweet from Coldcard" that mentions they support shipping to P.O. Boxes on their Coinkite store.

---

For what it's worth, I'm glad Trezor finally partnered with a new shipping company to make this possible ^{[it wasn't possible a few months back]}.

Ledger use BitPay? Ugh. Imagine completing BitPay's KYC requirements to buy a hardware wallet. What a ridiculous security risk.

It doesn't just support it; the company which manufactures BitBox - Shift Crypto - created AOPP. I definitely don't want my hardware wallet manufacturer creating protocols which make it easier for the government to stick their noses in to my hardware wallet.

This is not a recommendation to purchase any of the wallets in the table or any hardware wallet in general if you don't want to. It's just a list of some of the most-mentioned names in the space. Most people who will see this thread will surely have heard of SafePal even if it's in a negative context. Their quality, features, and reasons for existence are not the objective of this discussion.  

Many companies introduced the infamous AOPP. They only changed their mind because the community reacted negatively.  

I think we should not omit the fact that some hardware wallets are not totally recommendable. Example is the Ledger Nano that does not much care about their customer's privacy, anyone that wants privacy may not still want go for such kind of wallet.

Another is SafePal. I am not surprised that SafePal is making use of SafePal Pay, just like Binance wants BUSD to be the dominant stable coin. But that is not the matter, the matter is that SafePal is the worst wallet among them, not recommendable nor advisable to be used. The wallet is completely close source, using close source mobile app, not support open source wallet like Electrum, but stuck with their app with little to almost no feature than to send and receive cryptocurrency.

BitBox02 is one of the best hardware wallet, but not just partially recommendable because it supports Address Ownership Proof Protocol (AOPP).

Several hardware wallet manufacturers have suffered hacks and data leaks in the past. This trend might not stop, and I think we will also read similar stories in the future.

That’s why I decided to check with the most popular hardware wallet creators if they support shipping to PO boxes and payments with cryptocurrencies. I sent emails to their support to ensure I got the correct information.

You can check out the results in the table below:

|	Brand	|	Shipping to PO Boxes?	|	Payments via Crypto?	|
|	BitBox	|	Yes, depends on country and courier.	|	Yes, BTC and LBTC via Crpyto.com Pay and BTCPay Server.	|
|	Blockstream Jade	|	Yes	|	Yes, BTC, LBTC, and USDt via BTCPay Server.	|
|	Coldcard	|	Yes	|	Yes, BTC.	|
|	Foundation Passport	|	Yes	|	Yes, BTC via BTCPay Server.	|
|	KeepKey	|	*Unknown	|	No	|
|	Keystone	|	No	|	Yes, via Coinbase Commerce and OpenNode.	|
|	Ledger	|	Yes, via regular mail. Not supported in USA.	|	Yes, via BitPay and Crypto.com Pay.	|
|	OneKey	|	Yes	|	Yes, via Coinbase Commerce and MixPay.	|
|	SafePal	|	No	|	Yes, via SafePal Pay.	|
|	Satochip	|	Yes	|	Yes, via Coinbase Commerce.	|
|	Trezor	|	Yes	|	Yes, BTC and LTC via Confirmo.net.	|

* Support agents are unsure, don't have precise information, or info is not available on official sources.


11 hardware wallet manufacturers were contacted, and all of them replied back.

When it comes to shipping to PO boxes, these are the results:
-   7 companies support sending shipments to PO boxes. It’s important to mention that not all carriers will ship packages to PO boxes in all countries.
-   2 companies don’t ship to PO boxes.
-   The support personnel of Coldcard and KeepKey weren’t sure exactly and couldn’t provide me with the correct information.  

In terms of paying via crypto, all popular brands support crypto payments. It would be weird if they didn’t, but that wasn't the case a few years ago for some of them. KeepKey support told me they accept crypto payments, but I couldn’t find an option to pay with cryptocurrencies in their shop. Once I get more info, I will update the table and thread.


More brands can be added to OP. For now, I decided to focus on the most popular ones. If you want to see a particular wallet in the table, feel free to request it below, and I will try to add it.