
Topic: Getting a hardware wallet doesn't mean your funds are completely safe - page 2. (Read 509 times)

hero member
Activity: 2758
Merit: 675
I don't request loans~
It's just increased security, not guaranteed. Just like there's no perfect system out there, there's also no perfect defense mechanism out there. It's just that online wallets are more prone to stuff happening that you actually don't know about. Heck, some people don't even know how hacks happen or how your pc gets invaded by a third party. Hardware wallets on the other hand, need physical contact, so people would have to go to your house and rob you, at the very least, you know what they would try to do, plus, robberies are easily discovered with surveillance cams which may prevent such situations from occurring repeatedly. Add that to you not really revealing any info when buying Bitcoin and when moving funds, you're pretty much safe from being robbed by someone who discovered you on the internet.

Even a hardware wallet is not considered secure if you connect it frequently to your device.
Hardware wallets are pretty much used for just hodling imo. If I were to frequently have the need to connect it to a device, I'd rather configure a laptop or a pc with my specifications, making it my wallet which I can connect to exchanges now and then and only that, nothing else would probably be done there to prevent myself from being swept up by possible malware/virus.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
~snip~

When I bought the Nano X last year I have to admit I was pleasantly surprised with everything that was in the package compared to 2 years ago when I bought the Nano S. Namely, it is about the fact that Ledger obviously listened to the advice of some users who advised that the warning should be put in several languages, not just English. This resulted in 3 sheet recovery papers with a warning in more or less all important world languages. However, I agree that more could be done on this issue - not only should there be a warning about how important seed is, but also that there are phishing sites and fake wallet extensions.

But sometimes it's all in vain if we can't get people to read and to understand what they have been advised.
sr. member
Activity: 1414
Merit: 271
bitonator.tangled.com/join
Hardware wallet already offers increased security, but does not mean that all your tokens are safe forever. There have been several cases with hardware wallets where security gaps were discovered. Therefore only you can guarantee the best security.
legendary
Activity: 2268
Merit: 18775
I understand the picture but to the point not using a Google search is too much.
I would avoid Google search even if I wasn't in to crypto. It is a privacy nightmare, and everything that you search for and click on is logged against your identity and used to build a profile of you which is then sold to third parties. Couple that with the fact that Google regularly accepts money from scammers to push their pages to the top of results, and it is an all round terrible search engine to use. DuckDuckGo or Qwant are easy to use alternatives. If you absolutely must use Google for some reason, the best way to do it is to use Searx search engine and configure it to search Google on your behalf and return the results to you anonymously.

I can’t recall seeing any big sheet warning of these practices along with the product
The piece of card provided with Ledger devices for writing down your seed phrase on to simply says "Confidential" across the top. Trezor's is a bit better with the words "Do not disclose the seed to anybody" across the front.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
Ledger’s website is full of alerts in this sense, such as this one:
Quote
There are several phishing attempts out there in the world of cryptocurrencies – so much so that we’ve written a dedicated article on it to help arm our users against them. A common phishing scam that we see is a fake Ledger Live app, most notably a fake Chrome extension or fake app for Android. We urge everyone to never interact with these apps – and definitely never enter your 24-word recovery phrase into any application. This should only be entered into a legitimate hardware wallet if needed. We also strongly recommend to only get Ledger Live through our website: www.ledger.com
(see https://www.ledger.com/academy/how-to-make-sure-that-my-crypto-stays-safe-with-ledger)

Although it is pretty much common sense, this common sense is less common with those that are not already used to reading about these types of things. I can’t recall seeing any big sheet warning of these practices along with the product, but even so, boxes get set aside and instructions are often not revisited. Perhaps the devices themselves could engrave an "only visit [url]" on the device itself to mitigate people erroneously ending up using a fake site, although the search engine culture we’re in will still not make this foolproof.
sr. member
Activity: 1554
Merit: 413
.... I think people who invest in hardware wallets should already have basic knowledge of those things like that.
We assume people who bought hardware wallets have the basic knowledge and know what to do but the victim in that reddit post proves otherwise. That's exactly the main point of my post.

Avoid using Google search as much as possible. It's infested with phishing sites since Google doesn't filter them and only takes them down if reported.

I understand the picture but to the point not using a Google search is too much. A kind of safety measure, yes, but that's not necessary as a whole. 
There have been too many victims of fake wallets that were downloaded from Google. I don't think suggesting to avoid them as much as possible is too much. On any given day, if you search for Trezor, the first to show up will most likely be an ad. There are other browsers available that are far less used by scammers like DuckDuckGo for example.

Quote
I mean, even for a newbie, their common sense should know that why on earth they will input their wallet's seed at any website. What's the purpose?
Similar to my response above, our assumption is they have common sense. The reality is people will always have lapses and commit "basic" mistakes.
legendary
Activity: 3122
Merit: 1398
For support ➡️ help.bc.game
Avoid using Google search as much as possible. It's infested with phishing sites since Google doesn't filter them and only takes them down if reported.

I understand the picture but to the point not using a Google search is too much. A kind of safety measure, yes, but that's not necessary as a whole. I mean, even for a newbie, their common sense should know that why on earth they will input their wallet's seed at any website. What's the purpose?

And in my own view, people that buy hardware wallets, in most cases, won't buy one without a purpose, so beforehand they have already researched what this stuff does and encountered, at least, the safety measures they should take. But the post above is right, unfortunately, some people don't follow it.
legendary
Activity: 2268
Merit: 18775
The victim in op's narration failed to understand this simple policy by submitting seed phrase without checking the exact and correct site.
There is no exact or correct site to enter your seed phrase in to. You should never enter your seed phrase in to any website, under any circumstances.

Which is huge problem for hardware wallets that one purpose is to be safe for common folk without technical knowledge.
They are safe for common folk without technical knowledge. You do not need technical knowledge to follow the very simple instructions of "Don't enter your seed phrase in to any website". You only need to actually read and follow the instructions, which unfortunately most people do not do.

This is same as desktop wallet, ur funds are safe but keep ur seed safe.
Desktop software wallets are significantly more at risk than hardware wallets. A simple pull on GitHub of some malicious code inserted in to a dependency or an automatic update is enough to completely empty a software wallet. At least with a hardware wallet that can't happen without the user being shown the transaction and having an opportunity to decline it.
legendary
Activity: 2296
Merit: 1014
There is no wallet in existence which is immune to user error or human stupidity. If you type your seed phrase in to a website or store it online, then your funds will be stolen,
Which is huge problem for hardware wallets that one purpose is to be safe for common folk without technical knowledge.
They cost quite much money and should be immune to human errors. I know it's impossible to protect someone from every scam out there but hardware wallet should be more secure than ok keep ur money on hardware device but write your seed and store it somewhere safe :).
This is same as desktop wallet, ur funds are safe but keep ur seed safe.
sr. member
Activity: 1232
Merit: 379
There is nothing that's completely safe, neither hardware wallet nor hot wallet, but understanding the basic security and privacy policy helps users minimise the risk of attacks on the wallets or rather the risk of getting scammed. The victim in op's narration failed to understand this simple policy by submitting seed phrase without checking the exact and correct site. The possibility of maintaining human security standard is not 100%, so the exact solution to avoid such trap is operating with the best wallet by observing Standard Operating Procedure (SOP) of that particular wallet for easy usage.
legendary
Activity: 2268
Merit: 18775
Even a hardware wallet is not considered secure if you connect it frequently to your device.
I'm not sure what you mean by this? The whole point of a hardware wallet is that you can connect it to any device, even ones infected with malware, and your private keys will remain secure and safe inside the device. The most that malware can do is create a malicious transaction and push it to the device, but as long as you are vigilant and double check everything before you approve it, then such a transaction will never be signed.

I think the probability that you'd get wrecked is approximately the same whether you use hot wallets or HWs if you have no clue what you're doing or do not properly check tx details beforehand.
Exactly. Hardware wallets protect against malware and attacks on your computer. They do not and can not protect against human error, which is how 90% of people lose their coins.
legendary
Activity: 1134
Merit: 1599
For example, when we compare a hot wallet with hardware wallets, the probability that you lose your money in the hardware wallet is less, and so on.
I think the probability that you'd get wrecked is approximately the same whether you use hot wallets or HWs if you have no clue what you're doing or do not properly check tx details beforehand. Most of these scams happen because newbies either aren't reminded enough times (or skip the warning) that you should never expose your privkeys/seed or they don't verify if addresses match before broadcasting a transaction.

So the HWs are indeed way safer imo, but your seed doesn't have much to do with their safety. You'd have to never get access to the seed in order to "be completely safe" - and that leaves you with no backup, so it gets actually worse. All I'm hoping for is that there'll never be some freaky exploit that lets a bad actor change the address on a HW display. That'd do a ton of harm to whoever'd have both their HW and PC infected.
legendary
Activity: 2758
Merit: 4074
I think that the word "completely safe" is used in advertising campaigns, but nothing is completely safe, but relatively safe compared to something else. For example, when we compare a hot wallet with hardware wallets, the probability that you lose your money in the hardware wallet is less, and so on.
So if you don't know how to do things, you will not be safe. It's like having an impenetrable bulwark and not being good at using it.

Even a hardware wallet is not considered secure if you connect it frequently to your device.
legendary
Activity: 2618
Merit: 1181
I don't have a hardware wallet at the moment because I am not a multi-asset trader or crypto investor. I don't even think that anyone with a hardware wallet is completely error safe, especially owner negligence or human error. A hardware wallet will only increase the security of valuable assets like bitcoin and hundreds of other valuable altcoins.

-snip-
Most people fall for these scams cause they usually expect a warning or a red flag to be shown when they are dealing with such scammers, the internet however is not censored and scam websites can easily seep through the filters of "reliable" search engines like Google, this gives people a feeling of faux security and they let down their guard.
-snip-
Cryptocurrency is a valuable digital asset and scammers are constantly looking for loopholes to get it for free from crypto users. Many cases of fraud occur because of negligence or lack of experience and knowledge. Google is not a safe platform from online fraud cases and therefore we must always be vigilant.
legendary
Activity: 2254
Merit: 2406
Playgram - The Telegram Casino
Signing a signature would be a challenge for them if they got victimized by inputting seed words.  
Giving over the seed phrase would give the hacker the ability to sign transactions and spend the coins on the wallet, but the original owner still owns the phrase and can recover the wallet (although empty) and sign a message on it to prove ownership.

Most people fall for these scams cause they usually expect a warning or a red flag to be shown when they are dealing with such scammers, the internet however is not censored and scam websites can easily seep through the filters of "reliable" search engines like Google, this gives people a feeling of faux security and they let down their guard.
Treat every offer as a scam until proven otherwise, doubly so when it is related to your assets. Taking a pause and asking yourself if this action is safe could be the difference between people who are scammed and those who aren't.
copper member
Activity: 2940
Merit: 1280
https://linktr.ee/crwthopia
I think most people who get hardware wallets won't quickly get victimized by inputting your seed phrase. That's just nuts. I think people who invest in hardware wallets should already have basic knowledge of those things like that. I never thought of sharing my seed phrases to anyone because they can have access to it. That's just if.

I hope those complaints would be useful and get the funds of the victims back. I hope they manage to get the right ones. Signing a signature would be a challenge for them if they got victimized by inputting seed words.   
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
It's just a form of social engineering attack. No hardware can ever prevent the exploitation of human nature. With the leakage of Ledger's customer information, phishing attempts are just going to be more deliberate and it's just a matter of time before even the more cautious ppl fall for it.
sr. member
Activity: 1554
Merit: 413
There is no wallet in existence which is immune to user error or human stupidity. If you type your seed phrase in to a website or store it online, then your funds will be stolen, and there is nothing any wallet can do to stop that from happening. Hardware wallets are good for a number of reasons, but they are not infallible, not immune to bugs or vulnerabilities, and can't stop a user doing something stupid like sharing their seed phrase with a random website or confirming transactions without double checking them.
You definitely said it better than me. I was trying not to use the word stupid to avoid offending newbies but it's the hard truth. Most errors committed are plain stupid.

Quote
Far more important for newbies than simply buying a hardware wallet and assuming that all their keys are now safe forever is spending some time learning about basic security practices. Here are some good places to start:

https://bitcoin.org/en/secure-your-wallet
https://en.bitcoin.it/wiki/Storing_bitcoins
Thanks for these. Allow me to add them on my post.
legendary
Activity: 2268
Merit: 18775
There is no wallet in existence which is immune to user error or human stupidity. If you type your seed phrase in to a website or store it online, then your funds will be stolen, and there is nothing any wallet can do to stop that from happening. Hardware wallets are good for a number of reasons, but they are not infallible, not immune to bugs or vulnerabilities, and can't stop a user doing something stupid like sharing their seed phrase with a random website or confirming transactions without double checking them.

Far more important for newbies than simply buying a hardware wallet and assuming that all their keys are now safe forever is spending some time learning about basic security practices. Here are some good places to start:

https://bitcoin.org/en/secure-your-wallet
https://en.bitcoin.it/wiki/Storing_bitcoins
sr. member
Activity: 1554
Merit: 413
If this is your first time learning about hardware wallets and you want to know more, you can check this topic https://bitcointalksearch.org/topic/general-bitcoin-wallets-which-what-why-1631151 and follow discussions on this board https://bitcointalk.org/index.php?board=261.0 This post is not to discourage you to buy and use hardware wallets but to remind you to always be extra careful in taking care of your funds.

It's safe to assume that more than 90% of people in crypto would suggest using hardware wallet for storing crypto assets. It is one of the more superior wallets when it comes to security that's currently available in the market. Buying is actually a good investment in itself but don't be careless just because you have one.

Technically, your funds are safe if you just keep them there and nobody else can take them away from your wallet unless you commit a serious newbie error of giving out your seed phrase to someone else both offline and online. There are many fake websites already reported here and more will come out in the future. You may think that you are good enough not to fall for these phishing attempts but you never know.

If you haven't seen one, read this reddit post https://www.reddit.com/r/Bitcoin/comments/ib2ze8/fake_trezor_website_all_crypto_syphoned_from_my/
Quote
I did google Trezor Bridge to find the latest update, that's when I clicked into the fake Trezor website. Everything looks the same as the legit Trezor.io website, except the popup saying there is a need to recover the wallet and I did put in my seed words.

I did contact Chainalysis and the FBI and they found out that I visited a phishing site from Google.

It turns out that the hacker took more than $1 million dollars in total from various users.

The BTC address that stole the funds is:

1DmsY3tkHTAtgzZaNAKu6ZTJJAJXfEnPB

The Ethereum wallet of the hacker is:

0x46901272adea02036e7433265acc1ebdfe8b8a9a

The LTC of the hacker is:

0x46901272adea02036e7433265acc1ebdfe8b8a9a

It seems that the hacker is using an Exodus wallet.

The FBI is looking into it but they need all the victims to contact them and to file a complaint.

Please send me a message if you have been a victim of a hack.

Also report it to google and fill out this FBI form:

https://complaint.ic3.gov/default.aspx

If we all band together and make a complaint, the FBI will hunt him/her or them down.


If you happened to be in the same situation where you need to update, please don't do what the guy did.
- Avoid using Google search as much as possible. It's infested with phishing sites since Google doesn't filter them and only takes them down if reported.
- Don't enter your wallet's seed phrase online. You bought a hardware wallet so you can access your funds offline in the first place.

If you are still planning to buy one, make sure you buy from the official websites.
- https://www.buytrezor.com/
- https://www.ledgerwallet.com/products/1-ledger-nano

Bookmark the above links so you don't have to search for them again.

More stuff to read for basic security practices as suggested by o_e_l_e_o:
- https://bitcoin.org/en/secure-your-wallet
- https://en.bitcoin.it/wiki/Storing_bitcoins
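
A defensive check in the spirit of the advice above (an added example, not part of the original thread): classify a URL before trusting it, using an allowlist of the two vendor domains the thread names as legitimate, `ledger.com` and `trezor.io`. The function names, the allowlist contents and the sample hosts under the reserved `.example` TLD are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the two domains the thread names as legitimate. Confirm them
# against the vendor's packaging before relying on this list.
OFFICIAL = {"ledger.com", "trezor.io"}
BRANDS = {d.split(".")[0] for d in OFFICIAL}  # {"ledger", "trezor"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'official', 'insecure', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    labels = host.split(".")
    # Naive registrable domain: the last two labels (no public-suffix list).
    base = ".".join(labels[-2:])
    if base in OFFICIAL:
        # Plain http can be rewritten in transit, so only https is trusted.
        return "official" if parts.scheme == "https" else "insecure"
    # Punycode labels can render as look-alike Unicode characters.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    # Vendor name embedded in a host the vendor does not own.
    if any(brand in host for brand in BRANDS):
        return "lookalike"
    # A label that is one typo away from a vendor name.
    if any(edit_distance(label, brand) <= 1 for label in labels for brand in BRANDS):
        return "lookalike"
    return "unknown"


# Constructed sample URLs; the hosts under .example are not real sites.
SAMPLES = [
    "https://trezor.io/start",
    "https://www.ledger.com/academy",
    "http://trezor.io/",
    "https://trezor-bridge.example/",
    "https://ledger.com.wallet-update.example/",
    "https://trezar.example/",
    "https://xn--constructed-label.example/",
    "https://duckduckgo.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```

No verdict from this check makes it safe to type a seed phrase into a page; it only helps confirm a download or shop link is the vendor's own.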