Topic: Getting a hardware wallet doesn't mean your funds are completely safe (Read 503 times)

I think a cheap new ledger nano S is indeed very likely to be a preconfigured one. Some scammers are ready to invest real money, if the potential gain is huge. You can generate a new seed and it will probably be safe to use, but why take the risk ? The ledger is quite cheap bought from the manufacturer... On the same line of thinking, I can see no good reason to sell it used either.

Hardware wallet does perfectly well what is meant to. Keep your private keys safe from any possible malware on your computer or phone.  But that is it. It is not a magic box that can kill all dangers your coins can get into. It can never prevent your stupidity. You need to learn what are dangers and avoid them.

There are a lot of people think that if they have already a hardware wallet is there is no chance that their funds cannot be hacked anymore which is a misconception but still we must need to take aware and keep all the things safety there are a lot of people getting confident because of this kind of hardware wallet it's useless if the user of the account or computer is always activity clicking suspicious links, download unreliable sources and using a lot of third-party software.

First of all, there's no such system or hardware that is immune to any kind of scheme. It is true that having a hardware wallet gives more security than a software wallet can provide. But this is not necessarily mean your money is in 100% percent because these hardware wallets can only be managed through a computer that can potentially be hacked or get malware upon download random software. Consequently, we must must beware of downloading stuff online, get your software in the official website if possible and secure your phrases, keys, and more away from online, make sure that you'll be only one know where it is stored.

That's true provided you keep your hardware wallet physically secure, but the fact that such an exploit exists is very concerning. Trezor One was launched in January 2014. This bug was first published in July 2019. That means that the bug was not publicly known about for over 5 and a half years, and all Trezor devices could have had their seed phrases extracted and coins stolen in that time. It is almost certain that all hardware wallets currently have bugs of various significance which have not yet been discovered or publicly disclosed. I still use hardware wallets, but just be cautious with assuming they are impenetrable and make sure you still take standard security precautions when using them.

This is not true. The whole point of a hardware wallet is that it can be connected to an internet enabled computer without any additional risk to your coins. Even if you plug it in to the most unsecured and malware ridden computer in existence, the most the computer can do is push a malicious transaction to the device to be signed. As long as you read what is on the screen of the hardware wallet and don't just blindly accept everything, then the transaction cannot be signed and your coins cannot be stolen.

No system or technology is perfect when it comes to security features. It is why we should avoid using our hardware wallet connected on the internet for a long time because hackers could easily have accessed in our hardware wallet if we are online or connected on the internet. We should also avoid downloading unsafe apps in our computers or laptop for our hardware wallet not to be traced.

Everything related to the technology maybe not perfect, there will be always kind of error. Moreover, if it still relates tot he human, the error will still exist. Like here in the choice of the wallet. hardware wallet may still have any weakness, moreover when the owner makes some mistakes about it. However, at least, it is better than the software or online wallet. At least, it has a smaller chance to lose our funds here rather than the online or software one. This is the truth. You may not be able to get 100% security, but at least, you get it better.

Thanks o_e_l_e_o for the info. I didn't know about these vulnerabilities.
I know that there is no 100% secure device but didn't expect there were a vulnerability which allows the attacker to steal funds remotely... this is a bit concerning!

AFAIK, vulnerabilties that require physical access to the device aren't that easy to exploit.

Trezor devices have an unpatchable vulnerability where an attacker with access to the device can extract the seed phrase.
Ledger devices were recently found to have a (now patched) vulnerability which allowed an attacker to make the device send bitcoin when the user was interacting with their altcoin wallets, which would have allowed bitcoin to be stolen.
There are undoubtedly bugs which we do not know about yet.
Hardware wallets are better than software wallets, but do not make the mistake of thinking they are infallible.

Since there is no known vulnerability or a bug affecting the most popular hardware wallets that can result in your funds being stolen, I don't see how paper wallets can be more secure than hardware wallets!
By using a hw you can sign transactions without having to disclose your private keys. However, when using a paper wallet, you will have to import the private key into a third party software and you will have to take extra precautions to ensure your private key doesn't get leaked.

I have been scammed many times and learnt every time that nothing can save us from cyber crime except ourselves and our decisions. I don't trust hardware as they are also vulnerable to many attacks online (heard many cases these days), I only trust paper wallets because they can be saved at our secure places and are not prone to online attacks as all they will have is our private keys.

I agree with you, but the problem with many members is that they do the opposite and do things that put them at risk, and I know a lot of people who store their passwords on the Internet and on mobile phones. Anyone can hack their accounts or their mobile devices I tried to give a lot of advice to them but they They ignore my words. Hope I convince them that what they're doing is totally wrong and untrue.
We must think rationally and intelligently so that we can guarantee and protect our money
As you said, my friend, all kinds of hot and cold wallets are at risk of being stolen and hacked at any time

Of course, there is no perfect hot/cold storage method. All you have to do is take maximum care whenever you use your wallet and make sure that you're keeping your seeds and private keys away from any visible/vulnerable spot, and that includes the Internet. Avoid custodial stuff as well, whenever possible.

It'd not that hard once you get the hang of it. Just spare a few more seconds making sure what you're doing is right, it usually solves and helps prevent a lot of issues and possible mistakes.

I see that all wallets, regardless of their types and shapes, are vulnerable to hacking and theft, and that wallet hacks are often due to the wallet owner making many mistakes that may be unintentionally, such as putting passwords in places inside it. Everyone's access or words are placed and stored inside the internet or mobile phone
I won a Trezor Wallet a while ago, and I hope I can use it correctly and without making any mistakes in it.

For which you'll be basically making your computer a less secure "hardware wallet" for being configured specifically for cryptos.

Hardware wallets are hardly designed to be used for hodling only. It's more suited for users who want security but doesn't want to take a super cautious approach to secure their computers beyond the basics. There's absolutely no problem with connecting the hardware wallet to a computer frequently; there isn't any known exploit that could compromise your device over USB and it is likely quite hard to do so. If you really want to have a wallet specifically for long term hodling, you won't have to spend large sums of money for a hardware wallet and it's fairly easy to spin up a LiveCD for a wallet seed.

I don't think it pays for anyone to modify hardware wallets and then sell them somewhere as originals, because apart from such modifications requiring expertise - you can never know in whose hands such a device will fall, maybe to someone who will save a BTC worth $100 on it. What I think poses a greater danger is a targeted attempt to deliver such a modified device to a person who is already known to possess a significant amount of crypto - and the ideal targets for this are those who keep their crypto online.

Of course, I'm not referring to pregenerated seed here, but to modifying the hardware that could potentially allow an attacker to take possession of the seed - yet this is still an unexplored area where hackers are certainly working.

What made me think Ledger Nano replicas exist is when i saw them on eBay for 20 usd each and they had lots of sales. It was also New in Box.  I just checked and they are no longer selling them that cheap, it was few months ago when I saw them.  Or they could have bought original ones and did the custom scratch card with their own personal seed like this and sold them cheap to attract buyers:

https://news.bitcoin.com/wp-content/uploads/2018/01/ledger-ebay-scam-628x1024.jpg

Either way we should all be careful. I personally own a Ledger Blue myself and that's where i keep my crypto but i got it directly on Ledger website.  

When you buy a Ledger device you get 3 recovery sheets and a a Getting Started sheet. This sheet instructs you to visit the official site to configure your new device. At least that was the case in the past.

To configure your wallet, you should visit start.ledgerwallet.com
This is the old site, it now redirects to https://www.ledger.com/start/ when you visit it.
The site shows 4 steps you need to follow to set up your wallet and Ledger Live. They even posted videos of the entire setup process.

If users would just read about 10 sentences they would understand that Ledger says:
"Write down your recovery phrase".
"Never share it with anyone".
"Store it in a secure place".

For those who have used Ledger even once must have noticed that the seed words never appear on the computer screen. They are only visible on the small screen of your device. It's the same when creating a new wallet or recovering an old one from seed.

Point of the story: Ledger will not ask you to enter your seed anywhere and will never display your seed on your computer screen. Period.

I can’t recall there being fake replicas of Ledger Nanos S (I do recall a 2018 article on Fake Trezor Ones): https://blog.trezor.io/psa-non-genuine-trezor-devices-979b64e359a7). That does not mean it can’t happen, especially if the market on a bull run, and that is why it is essential, as you say, to purchase the devices on the official seller’s site (they will list official resellers if need be).

What we have seen are sites that allegedly sell Ledgers in bulk for a very low price (you’ll probably receive nothing at all there) and people that sell a preconfigured Ledger (as is described in the 34K$ case).

Also buy hardware wallets directly from the source. Don't trust eBay as resellers can be scammers trying to steal your hard earned cryptocurrencies. Also plenty of replica Ledger wallets from China and they most likely have a backdoor to steal your funds. Check out this article on how someone lost life savings of $34,000 because of this:

https://news.bitcoin.com/mans-life-savings-stolen-from-hardware-wallet-supplied-by-a-reseller/

It's just increased security, not guaranteed. Just like there's no perfect system out there, there's also no perfect defense mechanism out there. It's just that online wallets are more prone to stuff happening that you actually don't know about. Heck, some people don't even know how hacks happen or how your pc gets invaded by a third party. Hardware wallets on the other hand, need physical contact, so people would have to go to your house and rob you, at the very least, you know what they would try to do, plus, robberies are easily discovered with surveillance cams which may prevent such situations from occurring repeatedly. Add that to you not really revealing any info when buying Bitcoin and when moving funds, you're pretty much safe from being robbed by someone who discovered you on the internet.

Hardware wallets are pretty much used for just hodling imo. If I were to frequently have the need to connect it to a device, I'd rather configure a laptop or a pc with my specifications, making it my wallet which I can connect to exchanges now and then and only that, nothing else would probably be done there to prevent myself from being swept up by possible malware/virus.

When I bought the Nano X last year I have to admit I was pleasantly surprised with everything that was in the package compared to 2 years ago when I bought the Nano S. Namely, it is about the fact that Ledger obviously listened to the advice of some users who advised that the warning should be put in several languages, not just English. This resulted in 3 sheet recovery papers with a warning in more or less all important world languages. However, I agree that more could be done on this issue - not only should there be a warning about how important seed is, but also that there are phishing sites and fake wallet extensions.

But sometimes it's all in vain if we can't get people to read and to understand what they have been advised.

Hardware wallet already offers increased security, but does not mean that all your tokens are safe forever. There have been several cases with hardware wallets where security gaps were discovered. therefore only you can guarantee the best security

I would avoid Google search even if I wasn't in to crypto. It is a privacy nightmare, and everything that you search for and click on is logged against your identity and used to build a profile of you which is then sold to third parties. Couple that with the fact that Google regularly accepts money from scammers to push their pages to the top of results, and it is an all round terrible search engine to use. DuckDuckGo or Qwant are easy to use alternatives. If you absolutely must use Google for some reason, the best way to do is it to use Searx search engine and configure it to search Google on your behalf and return the results to you anonymously.

The piece of card provided with Ledger devices for writing down your seed phrase on to simply says "Confidential" across the top. Trezor's is a bit better with the words "Do not disclose the seed to anybody" across the front.

Ledger’s website is full of alerts in this sense, such as this one:
(see https://www.ledger.com/academy/how-to-make-sure-that-my-crypto-stays-safe-with-ledger)

Although it is pretty much common sense, this common sense is less common with those that are not already used to reading about these type of things. I can’t recall seeing any big sheet warning of these practices along with the product, but even so, boxes get set aside and instructions are often not revisited. Perhaps the devices themselves could engrave an "only visit [url]" on the device itself to mitigate people erroneously ending-up using a fake site, although the search engine culture we’re in will still not make this fool proof.

We assume people who bought hardware wallets have the basic knowledge and knows what to do but the victim in that reddit post proves otherwise. That's exactly the main point of my post.

There's been too many victims of fake wallets that were downloaded from Google. I don't think suggesting to avoid them as much as possible is too much. On any given day, if you search for Trezor, the first to show up will most likely be an ad. There are other browsers available that are far less used by scammers like DuckDuckGo for example.

Similar to my response above, our assumption is they have common sense. The reality is people will always have lapses and commit "basic" mistakes.

I understand the picture but to the point not using a Google search is too much. A kind of safety measure, yes, but that's not necessary as a whole. I mean, even for a newbie, their common sense should know that why on earth they will input their wallet's seed at any website. What's the purpose?

And in my own view, for people that buy hardware wallets, at most of the cases, they won't buy it without a purpose so beforehand, they already research what this stuff does and encountered, at least, the safety measures should they do. But the post above is right, unfortunately, some people don't follow it.

There is no exact or correct site to enter your seed phrase in to. You should never enter your seed phrase in to any website, under any circumstances.

They are safe for common folk without technical knowledge. You do not need technical knowledge to follow the very simple instructions of "Don't enter your seed phrase in to any website". You only need to actually read and follow the instructions, which unfortunately most people do not do.

Desktop software wallets are significantly more at risk than hardware wallets. A simple pull on GitHub of some malicious code inserted in to a dependency or an automatic update is enough to completely empty a software wallet. At least with a hardware wallet that can't happen without the user being shown the transaction and having an opportunity to decline it.

Which is huge problem for hardware wallets that one purpose is to be safe for common folk without technical knowledge.
They cost quite much money and should be immune to human errors. I know its impossible to protect someone from every scam out there but hardware wallet should be more secure than ok keep ur money on hardware device but write your seed and store it somewhere safe ).
This is same as desktop wallet, ur funds are safe but keep ur seed safe.

There is nothing that's completely safe neither hardware wallet nor hot wallet but understanding the basis security and privacy policy helps user minimises the risk of attacks on the wallets or rather risk of getting scammed. The victim in op's narration failed to understand this simple policy by submitting seed phrase without checking the exact and correct site. The possibility of maintaining human security standard is not 100%, so the exact solution to avoid such trap is operating with the best wallet by observing Standard Operating Procedure(SOP) of that particular wallet for easy usage.

I'm not sure what you mean by this? The whole point of a hardware wallet is that you can connect it to any device, even ones infected with malware, and your private keys will remain secure and safe inside the device. The most that malware can do is create a malicious transaction and push it to the device, but as long as you are vigilante and double check everything before you approve it, then such a transaction will never be signed.

Exactly. Hardware wallets protect against malware and attacks on your computer. They do not and can not protect against human error, which is how 90% of people lose their coins.

I think the probability that you'd get wrecked is approximately the same whether you use hot wallets or HWs if you have no clue what you're doing or do not properly check tx details beforehand. Most of these scams happen because newbies either aren't reminded enough times (or skip the warning) that you should never expose your privkeys/seed or they don't verify if addresses match before broadcasting a transaction.

So the HWs are indeed way safer imo, but your seed doesn't have much to do with their safety. You'd have to never get access to the seed in order to "be completely safe" - and that leaves you with no backup, so it gets actually worse. All I'm hoping for is that there'll never be some freaky exploit that lets a bad actor change the address on a HW display. That'd do a ton of harm to whoever'd have both their HW and PC infected.

I think that the word "completely safe" is used in advertising campaigns, but nothing is completely safe, but relatively safe compared to something else. For example, when we compare a hot wallet with hardware wallets, the probability that you lose your money in the hardware wallet is less, and so on.
So if you don't know how to do things, you will not be safe. It's like having an impenetrable bulwark and not being good at using it.

Even a hardware wallet is not considered secure if you connect it frequently to your device.

I dont have a hardware wallet at the moment because I am not a multi-asset trader or crypto investor. I dont even think that anyone with a hardware wallet is completely error safe, especially owner negligence or human error. A hardware wallet will only increase the security of valuable asset like bitcoin and hundred of other valuable altcoin.

Cryptocurrency is a valuable digital asset and scammer are constantly looking for loopholes to get it for free from crypto user. Many case of fraud occur because of negligence or lack of experience and knowledge. Google is not a safe platform from online fraud case and therefore we must always be vigilant.

The seed phrase giving over would give the hacker the ability to sign transactions and spend the coins on the wallet, but the original owner still owns the phrase and can recover the wallet (although empty) and sign a message on it to prove ownership.

Most people fall for these scams cause they usually expect a warning or a red flag to be shown when they are dealing with such scammers, the internet however is not censored and scam websites can easily seep through the filters of "reliable" search engines like Google, this gives people a feeling of faux security and they let down their guard.
Treat everything offer as a scam until proven otherwise, doubly so when it is related to your assets. Taking a pause and asking yourself if this action is safe, could be the difference between people who are scammed and those who aren't m

I think most people who get hardware wallets won't quickly get victimized by inputting your seed phrase. That's just nuts. I think people who invest in hardware wallets should already have basic knowledge of those things like that. I never thought of sharing my seed phrases to anyone because they can have access to it. That's just if.

I hope those complaints would be useful and get the funds of the victims back. I hope they manage to get the right ones. Signing a signature would be a challenge for them if they got victimized by inputting seed words.   

It's just a form of social engineering attack. No hardware can ever prevent the exploitation of human nature. With the leakage of Ledger's customer information, phishing attempts are just going to be more deliberate and its just a matter of time before even the more cautious ppl falls for it.

You definitely said it better than me. I was trying not to use the word stupid to avoid offending newbies but it's the hard truth. Most errors committed are plain stupid.

Thanks for these. Allow me to add them on my post.

There is no wallet in existence which is immune to user error or human stupidity. If you type your seed phrase in to a website or store it online, then your funds will be stolen, and there is nothing any wallet can do to stop that from happening. Hardware wallets are good for a number of reasons, but they are not infallible, not immune to bugs or vulnerabilities, and can't stop a user doing something stupid like sharing their seed phrase with a random website or confirming transactions without double checking them.

Far more important for newbies than simply buying a hardware wallet and assuming that all their keys are now safe forever is spending some time learning about basic security practices. Here are some good places to start:

https://bitcoin.org/en/secure-your-wallet
https://en.bitcoin.it/wiki/Storing_bitcoins

If this is your first time learning about hardware wallets and you want to know more, you can check this topic https://bitcointalksearch.org/topic/general-bitcoin-wallets-which-what-why-1631151 and follow discussions on this board https://bitcointalk.org/index.php?board=261.0 This post is not to discourage you to buy and use hardware wallets but to remind you to always be extra careful in taking care of your funds.

It's safe to assume that more than 90% of people in crypto would suggest using hardware wallet for storing crypto assets. It is one of the more superior wallets when it comes to security that's currently available in the market. Buying is actually a good investment in itself but don't be careless just because you have one.

Technically, your funds are safe if you just keep them there and nobody else can take them away from your wallet unless you commit a serious newbie error of giving out your seed phrase to someone else both offline and online. There are many fake websites already reported here and more will come out in the future. You may think that you are good enough not to fall for these phishing attempts but you never know.

If you haven't seen one, read this reddit post https://www.reddit.com/r/Bitcoin/comments/ib2ze8/fake_trezor_website_all_crypto_syphoned_from_my/


If you happened to be in the same situation where you need to update, please don't do what the guy did.
- Avoid using Google search as much as possible. It's infested with phishing sites since Google doesn't filter them and only take them down if reported.
- Don't enter your wallet's seed phrase online. You bought a hardware wallet so you can access your funds offline in the first place.

If you are still planning to buy one, make sure you buy from the official websites.
- https://www.buytrezor.com/
- https://www.ledgerwallet.com/products/1-ledger-nano

Bookmark the above links so you have to search for it again.

More stuffs to read for basic security practices as suggested by o_e_l_e_o:
- https://bitcoin.org/en/secure-your-wallet
- https://en.bitcoin.it/wiki/Storing_bitcoins