Fake Security Vulnerability: Ledger Nano X and Ledger Nano S?

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: jerry0 on February 15, 2020, 04:30:36 PM

im confused here. So they want you to download something but isn't the nano ledger x and s not hackable?

Please stop bumping old topic with stupid questions, don't you know how to read? How can you be confused by something that is explained in a way that a child of 10 years can understand? Maybe you should stick to traditional banking, though I believe you have a problem with that as well, because you are not adopting the information you are getting. I have a feeling that at some point you will do something stupid and lose everything you have in crypto...

Quote from: HCP on February 17, 2020, 02:20:27 AM

I'm not actually aware of anyone who fell for this phishing attempt (at least I didn't see anyone posting about having used the "Ledger SE Checker" and then losing all their coins Tongue

)

There is warning about this on Reddit some 6 months old, and when it started I remember few users who were naive enough to share their seed with hackers. One is lost 600 ZEC (some $16k at that time), other $30k worth of BTC...

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: jerry0 on February 15, 2020, 04:30:36 PM

im confused here. So they want you to download something but isn't the nano ledger x and s not hackable?

Phishing and hacking are two different things. Your device wouldnt get hacked. The tool wants you to enter your seed words and send them to the hacker. It has been said many times before that the seed should never be entered into a software. It is only meant to be looked at on the hardware wallet.

HCP

legendary

Activity: 2086

Merit: 4361

It's an old warning about an old phishing email that some users received. It attempted to get the user to download something and I believe input their 24 word seed mnemonic.

I'm not actually aware of anyone who fell for this phishing attempt (at least I didn't see anyone posting about having used the "Ledger SE Checker" and then losing all their coins Tongue

)

jerry0

full member

Activity: 1750

Merit: 186

im confused here. So they want you to download something but isn't the nano ledger x and s not hackable?

malevolent

legendary

Activity: 3472

Merit: 1722

Quote from: vapourminer on November 01, 2019, 08:39:35 AM

for fun, try to break into your main emails accounts on a fresh computer (ie one thats never logged into that email account before) by clicking "forgot password" link and seeing how far you get. you may be surprised.

Coinbase (? - probably them, IIRC) had a long guide somewhere instructing users how they can setup their gmail account to make it practically impossible for anyone* ever to recover access should a stranger try to hijack someone's account or should the original owner forget the password. Smaller or lesser known email providers might be more susceptible to social engineering attacks. Same goes for registrars and hosting providers if someone's using an email with their own domain name.

*realistically speaking, google may change their policies, their employee(s) can go rogue, etc.

big_daddy

hero member

Activity: 1680

Merit: 583

xUSD - The PRIVATE stable coin - Haven Protocol

Ledger is, from my poin of view and experince, a great crypto company

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

The Pharmacist, there is another thread with same topic and it was concluded that there was no hacking on Ledger's email database. The person who received the email in question says the following :

Quote from: big_daddy on October 26, 2019, 07:39:53 AM

Yeah, I was using this mail in some bounties and airdrops years ago, not a lot of them, but one wrong is enough, usually I use a telegram bot (TempMail) that is generating an unique email box for bounties and airdrops
It’s good to know that other Ledger users didn’t recieve this mail cause that can be a proof that nothing inside the Ledger system has been hacked or list leaked

I think Ledger is too serious company to allow itself to sell its databases like some others (Facebook), and that they make decent money from the sales of their devices. However, all that is needed is a corrupt or perhaps careless employee, because most hacking shows that people are the weakest link when it comes to security.

The Sceptical Chymist

legendary

Activity: 3500

Merit: 6981

Top Crypto Casino

Quote from: bL4nkcode on October 27, 2019, 05:05:34 PM

I wonder how you and/or anyone received that email? I'm a subscriber of ledger and never received such kind of email.

I didn't get the e-mail either, but now that I think about it I don't know if I ever gave them my primary e-mail address or not. How would scammers get access to Ledger's database of e-mail addresses anyway? Did they get hacked, did Ledger sell them? Just thinking out loud there.

Quote from: o_e_l_e_o on October 29, 2019, 04:18:55 AM

You should absolutely be using different email addresses for different things.

I'll keep protonmail in mind--I'd never heard of them before. But boy, I hate using multiple e-mail addresses--I have a couple of different ones, but I don't even use e-mail much anymore so it's a pain in the ass to keep checking several of them. Fortunately spam filters are so much better than they used to be in the early days of the internet. I always hated getting adverts for sex toys and Viagra and the like, not to mention all the scam attempts.

vapourminer

legendary

Activity: 4354

Merit: 3614

what is this "brake pedal" you speak of?

Quote from: malevolent on October 29, 2019, 08:05:07 AM

Quote from: o_e_l_e_o on October 29, 2019, 04:18:55 AM

You should absolutely be using different email addresses for different things. As well as helping to prevent this kind of thing from happening, it also increases your security as an attacker gaining access to one email account can't try to reset passwords on every online account you own, and it also increases your privacy by not linking your crypto activities to the rest of your details.

Just be careful when choosing email addresses as recovery email addresses on each email account so that one compromised account doesn't result in other accounts getting hacked.

also try to use 2FA on any important emails accounts. not a text message to a phone number that can be taken over, something OTP based like google 2fa (or its open source equivalents).

for fun, try to break into your main emails accounts on a fresh computer (ie one thats never logged into that email account before) by clicking "forgot password" link and seeing how far you get. you may be surprised.

malevolent

legendary

Activity: 3472

Merit: 1722

Quote from: o_e_l_e_o on October 29, 2019, 04:18:55 AM

You should absolutely be using different email addresses for different things. As well as helping to prevent this kind of thing from happening, it also increases your security as an attacker gaining access to one email account can't try to reset passwords on every online account you own, and it also increases your privacy by not linking your crypto activities to the rest of your details.

Just be careful when choosing email addresses as recovery email addresses on each email account so that one compromised account doesn't result in other accounts getting hacked.

big_daddy

hero member

Activity: 1680

Merit: 583

xUSD - The PRIVATE stable coin - Haven Protocol

Tnx for the link and for the suggestion
I will consider your advice and take an action asap

Best regards

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: big_daddy on October 28, 2019, 05:41:21 AM

I have to make a new private email

You should absolutely be using different email addresses for different things. As well as helping to prevent this kind of thing from happening, it also increases your security as an attacker gaining access to one email account can't try to reset passwords on every online account you own, and it also increases your privacy by not linking your crypto activities to the rest of your details.

Have one email for work/university/school, have one for fiat finances like online banking, bills, credit cards, online shopping, have one for personal things like friends, social media, and have one for financial crypto sites such as exchanges. For everything else, particularly ICOs or bounty campaigns, make a completely new throwaway address or use one of the many temporary email address generators to sign up.

For your main email addresses, you should also be looking to use a privacy respecting provider. Protonmail is widely recommended, but you can find other good providers here: https://www.privacytools.io/providers/email/

big_daddy

hero member

Activity: 1680

Merit: 583

xUSD - The PRIVATE stable coin - Haven Protocol

Quote from: Pmalek on October 28, 2019, 04:54:27 AM

Quote from: bL4nkcode on October 27, 2019, 05:05:34 PM

I wonder how you and/or anyone received that email?

He used the email in connection with a bounty or airdrop most probably. Just like big_daddy in a different thread.

Quote from: big_daddy on October 26, 2019, 07:39:53 AM

Yeah, I was using this mail in some bounties and airdrops years ago, not a lot of them, but one wrong is enough, usually I use a telegram bot (TempMail) that is generating an unique email box for bounties and airdrops

All that data is posted freely in the google sheets for bounty campaigns so it is easy for scammers to compile it in a database and do what they want with them.

Yup
That’s true
I checked my address here https://haveibeenpwned.com/
And it’s not good Sad

I have to make a new private email...
Shit.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: bL4nkcode on October 27, 2019, 05:05:34 PM

I wonder how you and/or anyone received that email?

He used the email in connection with a bounty or airdrop most probably. Just like big_daddy in a different thread.

Quote from: big_daddy on October 26, 2019, 07:39:53 AM

Yeah, I was using this mail in some bounties and airdrops years ago, not a lot of them, but one wrong is enough, usually I use a telegram bot (TempMail) that is generating an unique email box for bounties and airdrops

All that data is posted freely in the google sheets for bounty campaigns so it is easy for scammers to compile it in a database and do what they want with them.

vlom

legendary

Activity: 1498

Merit: 1117

i did not receive the message in the inbox of the account i used to communicate with ledger. just in a "spam-account".

LTU_btc

legendary

Activity: 3220

Merit: 1374

Slava Ukraini!

Quote from: bL4nkcode on October 27, 2019, 05:05:34 PM

I wonder how you and/or anyone received that email? I'm a subscriber of ledger and never received such kind of email. Most probably your/their email was used on some cloud minings, bounty campaigns, ico, etc. and was sold to these scammers, that's why people keep receiving emails from scammers.

I also didn't received this email. You and me subscribe emails from Ledger, so it probably means that they received email of OP and some other people from somewhere else. Internet is full of offers to buy databases of emails from ICO's, bounties or hacked websites. Also, it's possible that OP posted his email somewhere in public.

bL4nkcode

copper member

Activity: 2142

Merit: 1305

Limited in number. Limitless in potential.

I wonder how you and/or anyone received that email? I'm a subscriber of ledger and never received such kind of email. Most probably your/their email was used on some cloud minings, bounty campaigns, ico, etc. and was sold to these scammers, that's why people keep receiving emails from scammers.

Pmalek

legendary

Activity: 2730

Merit: 7065

Could an admin maybe merge this thread and its posts with this one? https://bitcointalksearch.org/topic/security-vulnerability-ledger-nano-x-and-ledger-nano-s-5196022
I just think that all the posts of those two threads should be in one place as they are discussing the same issue.

hugeblack

legendary

Activity: 2646

Merit: 3911

The degree of success of this type of fraud depends on the extent of users' anxiety.
people behave irrationally when deciding in a hasty, so the warning is always strongly worded and recommends fast downloading.
Besides, the user does not verify the official website but follows the link sent to him.

Always check out decentralize sites such as forums, the official site can be hacked.

bitmover

legendary

Activity: 2352

Merit: 6089

bitcoindata.science

You did correct. Check official website before doing anything
Personally, I never plug in my hardware wallet, just when I need to do transactions (few times a year).
Never plug it just to install something, you don't need. Your coins are safer away from the computer

Topic: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? (Read 358 times)