Even if you buy a hardware device from an authorised reseller, you need to check

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: Bitsaurus on October 27, 2020, 10:39:24 PM

I can only assume the inventory was mixed by accident, but at this point I doubt Amazon cares as it's just riding on it's bulk.

Have a read of the Reddit post I linked to higher up in this thread, particularly the sources it provides. It seems that it is absolutely not accidental - Amazon mix legitimate products with cheap/knock off/fake/returned products routinely, with zero due diligence.

Quote from: erikoy on October 28, 2020, 08:44:20 AM

Since this is not regulated and protection is not quite high like no authorities has been tasked to monitor the events and happenings of cryptocurrency because we wanted as much as possible without the interference of the government that could also defeat of its purpose being a decentralized.

You can't be your own bank if you are relying on third party regulators or your government to police your devices and ensure they are safe. Financial freedom comes with responsibility.

Quote from: Harlot on October 28, 2020, 10:50:45 AM

There is also an attack called the Evil Maid attack where someone can put a malware onto a device which is something that can be done on hardware wallets especially Ledger since they don't have a tamper proof stick of some kind in their boxes so you would really have to rely on their security features if it can really outsmart any malware being tried to install on these devices.

Ledger explain why they do not use tamper proof stickers here:

Quote from: https://support.ledger.com/hc/en-us/articles/360002481534

Ledger deliberately chooses not to use anti tamper seals on its packaging. These seals are easy to counterfeit and can therefore be misleading. Rather, genuine Ledger devices contain a secure chip that prevents physical tampering: this provides stronger security than any sticker possibly could.

I can go on Amazon right now and buy 500 tamper proof stickers for less than $10. They are a meaningless gesture, and do not add to the security of the device in any way. The security comes from the cryptographic verification when you connect the device to Ledger Live for the first time.

Harlot

hero member

Activity: 1806

Merit: 671

There is also an attack called the Evil Maid attack where someone can put a malware onto a device which is something that can be done on hardware wallets especially Ledger since they don't have a tamper proof stick of some kind in their boxes so you would really have to rely on their security features if it can really outsmart any malware being tried to install on these devices. So its really a gamble when buying these devices online maybe buying it directly to their website is a smart choice if you really want it to be directly coming from the manufacturers itself.

Kong Hey Pakboy

member

Activity: 1120

Merit: 68

Quote from: erikoy on October 28, 2020, 08:44:20 AM

Probably this is another way of doing scam. There are many scammers in cryptocurrency because they take advantage on it. Since this is not regulated and protection is not quite high like no authorities has been tasked to monitor the events and happenings of cryptocurrency because we wanted as much as possible without the interference of the government that could also defeat of its purpose being a decentralized. Anyway, I do believe that one day cryptocurrency will go strong and that include the strengthening of security system.

Many people wish that someday security could not be a problem, so we would not bother or think about our protecting our sensitive data and funds stored in our wallets. But I think it is impossible because no technology is safe from hackers and scammers capable of stealing someone's data and funds. It is why we should always be careful about the things we buy online; even they are an authorized reseller of hardware devices.

yazher

hero member

Activity: 2184

Merit: 585

You own the pen

If this is the case, I would not buy some hard wallet from them. I rather buy from its original sources from the original store.

Anyway, If we buy a hard wallet from its original source do we have to do those steps you told us or no need to?

and also, how can we know the device if it has tampered with?

erikoy

full member

Activity: 686

Merit: 125

Probably this is another way of doing scam. There are many scammers in cryptocurrency because they take advantage on it. Since this is not regulated and protection is not quite high like no authorities has been tasked to monitor the events and happenings of cryptocurrency because we wanted as much as possible without the interference of the government that could also defeat of its purpose being a decentralized. Anyway, I do believe that one day cryptocurrency will go strong and that include the strengthening of security system.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: jossiel on October 26, 2020, 05:26:17 PM

In my experience, I forgot my PIN 3 times and after that, it asked me to enter the recovery phrases that I have saved. Fortunately, I have them of course. I just forgot the PIN of the device.

This is just proof that such things should not be kept in mind, because people tend to forget such combinations, especially if it is an 8-digit PIN that is not used often. In your case, it's good that you had the right seed on hand, but what if it was a PIN that was the only way to access the wallet?

With all possible precautions, what I would recommend to anyone who buys a new HW is not to send all the coins he has to that device instantly, but to send a small part and leave them like that for a few days. In case something is wrong, it is better to lose 5% or something similar than everything you have.

Bitsaurus

hero member

Activity: 873

Merit: 1007

Amazon's inventory is not pristine. They routiney mix 3rd party sellers with their own manufacturer sourced stuff. Some reviewers are idiots because they think just because they bought the product from Amazon that it went through the proper channels and didn't pay attention the Buy Box when clicking add to cart. I have received counterfeit items from flash memory to batteries that was sold directly by Amazon. I can only assume the inventory was mixed by accident, but at this point I doubt Amazon cares as it's just riding on it's bulk.

While it's not guaranteed every 3rd party hardware wallet will contain malicious code, you can be certain there's definitely a motive to have somebody want to steal your passphrase. If there's a way, there's a will.

jossiel

hero member

Activity: 2842

Merit: 625

Quote from: Fortify on October 26, 2020, 04:00:26 PM

Can these ledgers even be reset, or are you stuck if the original owner already set everything up?

As said by o_e_l_e_o.

In my experience, I forgot my PIN 3 times and after that, it asked me to enter the recovery phrases that I have saved. Fortunately, I have them of course. I just forgot the PIN of the device.

I barely remember if that's the exact process that I went through when I've forgotten the pin.

If I'll purchase a new ledger wallet in the future, I'll just go directly to Ledger's website and order.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: Fortify on October 26, 2020, 04:00:26 PM

Can these ledgers even be reset, or are you stuck if the original owner already set everything up?

Very easily.

With either a Nano S or a Nano X, either navigate to Settings -> Security -> Reset all, or simply enter an incorrect PIN three times in a row after turning on the device. This will reset to factory settings, wiping the seed phrase and private key that the attacker already set up and leaving a blank device, which you can then set up as you would a brand new device. See here for more info: https://support.ledger.com/hc/en-us/articles/360017582434-Reset-to-factory-settings

Once you've done that, you should then follow the link I shared above to verify the device is genuine before proceeding to the next page of their support to set up as a new device.

Fortify

legendary

Activity: 2646

Merit: 1176

That is a pretty devious way to take someone elses Bitcoin and really stresses the importance of understanding what you are buying. Especially with new technology that is effectively acting like a bank account, it seems very foolish to send it to a wallet that was provided to you. Knowing how weak the return policies are with Amazon, it seems like it would be a common but risky tactic for the returner. Can these ledgers even be reset, or are you stuck if the original owner already set everything up?

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: aioc on October 26, 2020, 09:07:21 AM

I thin even if it coming from the manufacturer you never know.

Every one of these "hacks" has been due to a device being pre-initialized and the user in question not following the basic set up guide, which would protect them against such an attack. There have been no known cases of coins being lost due to a Ledger device being physically tampered with, having the hardware altered, or having custom firmware installed on it. Provided you follow the basic set up guide Ledger provide (https://support.ledger.com/hc/en-us/articles/360002481534), then by setting it up you both ensure no one has previous initialized it and you also connect it to Ledger Live to verify it is a genuine device.

Having said all that, if you are genuinely concerned regarding supply chain attacks, then hardware wallets are probably not for you. In such a case, I would suggest to instead generate your own entropy using coin flips, rolling dice, or something similar, and use that to generate a wallet using open source code you have reviewed yourself on permanently airgapped device.

aioc

hero member

Activity: 2898

Merit: 567

This is a big warning to anyone who wants to purchase not only to Amazon but to resellers and first owner of the device, imagine if the guy has a huge amount of coins and he put all of it there, I have read getting scam by exchange but this is the first time getting scam by a ledger, we should be properly educated and configure it correctly before storing our coins to the ledger, I thin even if it coming from the manufacturer you never know.

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

Is the person mentioned in the op still using a ledger or that ledger by amazon?

If what you've thought of is an attack vector, there's A LOT worse they could do. If this is the case with a lot of resellers ONLY buy from the official website. Don't trust anyone, amazon&ebay won't care they might not even use the verified seller as it's probably easy to fake anyway.

gentlemand

legendary

Activity: 2590

Merit: 3008

Welt Am Draht

Quote from: NeuroticFish on October 26, 2020, 08:38:27 AM

Wow. I didn't think of this. If this indeed happens then it's indeed a very big problem at Amazon, not only with Ledger products...

The thing is almost all of the time this doesn't matter. If you get a junk micro SD card then you simply send it back. Amazon aren't going to change squat to protect a few people stung by this.

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: o_e_l_e_o on October 26, 2020, 07:50:47 AM

"commingled inventory."

Wow. I didn't think of this. If this indeed happens then it's indeed a very big problem at Amazon, not only with Ledger products...

Quote from: o_e_l_e_o on October 26, 2020, 07:50:47 AM

Quote from: NeuroticFish on October 26, 2020, 07:27:33 AM

One week is unexpectedly long time. I'd expect such theft happen at or right after the first confirmation.

Why? If the wallet has been loaded, then the thief/attacker knows that the customer is unsuspecting. Makes sense to wait a while to see if they deposit any more funds before stealing the initial deposit.

I was expecting the thieves have scripts attached to the wallets they are watching and as soon as funds are in, they get them without delay.
But maybe I just don't have thief material (no biggie) Cheesy

The Cryptovator

legendary

Activity: 2240

Merit: 2174

Need PR/CMC & CG? TG @The_Cryptovator

The problem will happen if anyone has less knowledge about bitcoin technical knowledge. I bought a Ledger wallet from Amazon as well. It was on solid packed when arrived at me. Before open this, I search as much as possible how Ledger works. I set my own password and mnemonic words, I don't have doubts about that, of course, the seller was Ledger official.

If someone wondering to enter something new, then he should research as much as possible to learn. So when anyone learns then there would be doubts when received a Ledger with a pre-generated password and seed. It's always suggested if you have doubts then reset your device by entering the wrong password on the device. So there will be new mnemonic words and passwords as well.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

I recently read a post on Reddit which is relevant here. I cannot vouch for how accurate or not it is, but it certainly makes for interesting reading: YSK that Amazon has a serious problem with counterfeit products, and it's all because of something called "commingled inventory."

Essentially it goes like this:

Ledger send Amazon a bunch of Nano S wallets to be sold from their "Official Amazon Web Store", and so Amazon records that inventory and stick them on a shelf labeled "Nano S wallets".
Some third party reseller also sends Amazon a bunch of Nano S wallets to sold from their "Random Third Party" page, and Amazon records that inventory and sticks them on the same shelf labeled "Nano S wallets".
Whenever someone buys a Nano S wallet, regardless of whether through Ledger or through some random third party, if the order is "Fulfilled by Amazon" then they simply get a random wallet picked from that shelf, which could have come directly from Ledger, or could have passed through any number of third parties.

Quote from: NeuroticFish on October 26, 2020, 07:27:33 AM

One week is unexpectedly long time. I'd expect such theft happen at or right after the first confirmation.

Why? If the wallet has been loaded, then the thief/attacker knows that the customer is unsuspecting. Makes sense to wait a while to see if they deposit any more funds before stealing the initial deposit.

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: DdmrDdmr on October 26, 2020, 06:28:27 AM

only to find that the device had come with a default pin, and a prefilled 24 word mnemonic.

Such case should be returned and reported to Ledger imho (of course poor newbie didn't know, unfortunately). They should be aware about such cases and take the responsibility (!) if they are the Seller at Amazon.
Without such actions (and of course, writing them all over media) nothing would change. I think that Ledger has its part of responsibility in this.

Quote from: DdmrDdmr on October 26, 2020, 06:28:27 AM

The friend, unaware that this is not how it should be, moved some BTC onto one of the device’s addresses, only to see it vanish a week later.

One week is unexpectedly long time. I'd expect such theft happen at or right after the first confirmation.

Sad story. I think that this kind of devices should not be returnable. Period. (Although I the idea that an employee actually did this also makes plenty of sense and I have no solution for that.)

gentlemand

legendary

Activity: 2590

Merit: 3008

Welt Am Draht

Quote from: DdmrDdmr on October 26, 2020, 06:28:27 AM

Corollary to the moral of the tale: Resellers should install a protocol that sends these returned devices back to the manufacturer, always (and, in turn, the manufacturer should review the product properly before even considering placing it back for sale).

To Amazon and every retailer other than the manufacturer it's just another bit of tech that flies out the door. They should be doing things like this, they certainly won't as it's not their problem.

Mixing stuff like this with standard retail policies is a dangerous combination but I can't see them ever taking special measures.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

No comment again, the best to do by resellers (amazon) is to take back the hardware wallet only to the company they bought it from which is ledger company in this case. Normally, if truly this is the case, the victim supposed to file a law suit against Amazon and demand for the coin lost, so that it will be a lesson for Amazon. Normally, they do not have to think about this two times to return the hardware wallet for any malicious activity, because humans are wicked and malacious in nature.

But, let us check another way around, people are so malacious, it is possible returning the hardware wallet after such event could be the norm of Amazon (although, I am only saying) but one of the workers in Amazon may know about this malacious events, and be the one that took it back from the malicious person or even replace the good one to malacious one in order to resell/sell it to another person, so that the person can be a victim. With this, I think we should not trust any other party than the company selling the hardware wallet. The safest way will be to buy directly from hardware companies like ledger nano, trezor and the likes.

Topic: Even if you buy a hardware device from an authorised reseller, you need to check (Read 274 times)