Topic: How (un)safe is Ledger nano x? (Read 212 times)

See how your attitude changes a bit? Change it a bit more. It's completely fine to be a beginner and not be tech savvy and come and ask for help by saying I don't understand this or that, or can someone help me figure all this out. But that's not how you did it. Your approach was criticizing a service for something they are not responsible for, and claiming they somehow allowed this disastrous scam to drain millions of dollars from innocent users.

Ledger is guilty for a lot of bad and negative events that you may or may not know about, but this isn't one of those. So if you are ready to learn, you can do that here, and many will help you. If you want to throw around baseless accusations about something you don't know anything about, then don't be surprised if you get negative comments that you might not like.

This thread should have been about you having bought a Ledger and asking help how to use it.
I have heard about address poisoning scams, are they dangerous, are the funds/keys on my Ledger in jeopardy?
How do I properly protect myself, etc., etc.   

Perhaps it is best to leave it in the box, at least for some time until you understand what you have actually bought - otherwise you will be in for some possibly unpleasant surprises. Buying such a device is only the beginning in the effort to get additional security for outgoing and incoming transactions, because every action on the device needs to be confirmed by pressing a physical button, and no malware/virus has yet managed to appear in physical form and do it instead of you.


It is not a question of how technically aware someone is, but whether or not he adopts the knowledge provided to him. After everything that many members wrote to you in the previous thread, you still try to portray the weak points of people as the weak points of some device. Any similar device can be technically almost perfect, but in the wrong hands and with the wrong understanding, it is actually worth nothing.


A classic example of a person who does something without being aware of how to use the device correctly, which would mean that he should only read the basic instructions, which boils down to always checking the coin address to which you send or receive a transaction. Being a "crypto millionaire" does not necessarily mean being smart, as this example clearly shows.

That quote came from an online user. I checked again and the spam would lead him to a malicious transaction, aiming to drain his account. But like you mention, only when he physically signs it.

I get that Ledger is not responsible for mistakes of users. But there is always a learning curve.
I have an unboxed nano x device. It will take some experience and education not to fall into any traps, as is the case with any other form of online payment.
Not all traps are obvious. There seem to be some forum members who like to label the less tech savvy users stupid for not having experience with ledger.

The gullible and and unaware are and will always be easy targets. It's got nothing to do with any product or service in particular, but the level of understanding of the people using them.

I haven't looked at the video and don't need to. The address poisoning scam is a trick you fall for due to the incorrect use of bitcoin and other crypto wallets. It's not a hack. It's a social engineering scheme that fools those who don't know better.     

Bitcoin uses a public ledger. The same is true for the networks that were the primary targets of address poisoning schemes, like Tron, BSC, Ethereum, etc. All transaction history is public and anyone can see the transactions that got confirmed on the networks. That's not a mystery, it's the way public blockchains work. 

That's not true. It doesn't replace your history. The history is there and recorded on the blockchain. It adds a new entry which will logically land on the top. If I send you a PM, my PM will appear above the ones you received yesterday and last month, wouldn't it? It would be the most recent entry in your PM folder. But my PM doesn't replace the other ones. If you make a mistake and send me some sensitive information that were meant for someone else, that's your fault and nobody else's. When I post this message, it will be the newest post in your thread, but it doesn't replace the older posts. 

It should scare the hell out of you because you don't know how to send and receive crypto properly. You need to question your own capabilities of owning and holding bitcoin. Ledger gave you the proper tools, your lack of understanding and knowledge about how to use them is not their fault.

Bullshit. That's not how hardware wallets work. Hardware wallets require PHYSICAL CONFIRMATIONS for transactions. You create the transaction in the app, check the details, doublecheck the details on the hardware device, and physically approve the broadcast yourself. Wrong amounts, wrong fee rates, wrong addresses are the sender's fault.

So what? Scammers contact you for all sorts of reasons. They will tell you about the funds your great grandfather left you, Saddam's lost gold, foolproof investment opportunities, million-dollar lottery wins, etc. If you can't recognize that, you are just a ticking timebomb.

Like any technology, it has its vulnerabilities and risks, but generally, it is considered a safe device. It features robust security measures like a secure chip, PIN codes, and a passphrase option, making it difficult for hackers to access funds. However, there have been some reported incidents of phishing attacks where hackers trick users into revealing their PIN or seed phrase, which can compromise the security of the device.

It is important to follow best security practices like keeping the device and seed phrase secure, double-checking addresses before sending funds, and keeping the firmware updated. Overall, the Ledger Nano X is a reliable hardware wallet, but it is essential to remain vigilant and take precautions to ensure maximum security.

Between any wallet and hardware wallet, the most insecure is the gasket between these (human factor). This is where the biggest vulnerability lies, which will never be fixed and no HW device manufacturer will be able to do it.

What spam are you talking about?
The root of all the horror stories you describe is the user. As I said above: this is the weakest link.
Afraid to use Ledger Live - there is an alternative in the form of Electrum (Electrum+Ledger hardware wallet).

Binance is able to protect itself from hackers? Really? But what about the case in October 2022? If we compare it this way, then at least the Ledger has not yet been hacked and not a single coin has been stolen from their hardware wallets (theft from user accounts using social engineering is not taken into account, because this is completely different).

It is not safe to leave funds on any exchange, including the Binance. Have you forgotten how often they get hacked?

If you don't want to fall into a common scam within the cryptocurrency universe, I would highly advise you to follow o_e_l_e_o opinion regarding finding a "experienced trader". By default you shouldn't trust strangers on the Internet, let alone having them "supervising" such operations. The process that you fear to do alone since it is your first time is nothing too complex that you can't understand or even do by your own. I've tried searching YouTube for a video - max duration 5 minutes - that could explain you the steps you need to recreate in order to make the first transactions and I've found this one[1].

The video is simply to understand and reflects o_e_l_e_o summarized steps. If you are still unsure you can always come back here and ask whatever questions trouble you and surely someone will help you out.

---

[1]https://youtu.be/9skbU7ICKjY?t=98

I already answered you about this in another thread: https://bitcointalksearch.org/topic/m.62109874

The whole point of any hardware wallet is so that you cannot lose everything simply from having malware on your computer or clicking on a malicious link. Every transaction which is made sending coins out of your device needs to reviewed and confirmed on the device itself. If you authorize a malicious transaction because you didn't bother to check it properly, then there is nothing that any hardware device can do to stop that.

I don't see what this would achieve, or how you would do it. To send coins from an exchange to your hardware wallet, all you have to do is copy an address from your Ledger Live software and give it to the exchange, and then double/triple check the address is correct. There is nothing that a third party could to do help without showing up to your house and looking at your screen or you remotely sharing your screen with them, both of which would be a huge risk to your security and privacy. Anyone offering to help you do this via private messaging, Telegram, etc., is almost certainly going to try to scam you.

As TryNinja has already explained, it has nothing to do with Ledger or the device itself, even if the nano x with the bluetooth connection is not the best in security.  In any case, I advise you not to use live ledgers but electrum or sparrow to manage your wallet.

I don't want to be lazy. But do you think it is a good idea to have an experienced trader who I can trust, review my first transactions?
Of course I will not show him my seed phrase. But I think this is something I have to get experience with

I know, nothing changes what I said.

You can't have your Ledger drained because you received or clicked on a spam transaction.

Exactly. A malware or a fake Ledger Live can prompt you to accept a transaction that has been altered, but if you do not accept it physically on the device, the transaction will NOT be made and your coins will be safe.

The hardware holds the private-keys for your wallets and is responsible for signing your transaction. This is literally the purpose of having a hardware wallets and what makes it different from a regular web/desktop-based wallet.

This is why verifying your transactions ON THE DEVICE'S SCREEN is so important. Do not confirm any transaction before checking the address and amount. And actually verify it! Many people only look at the first and last 2 characters of the address, which aren't enough (generating addresses similar to yours is a trivial task). DO NOT BE LAZY. Check what you're confirming.

I was referring to 9:48 in this video https://www.youtube.com/watch?v=nVOlO_24BCo&t=685s

The user mentions spam in his ledger live app (claiming he receives free tokens) It was sent to him because his crypto address was displayed in public, on a blockchain like Polygon if I recall it correctly.
I assume it is the official app and not a downloaded version of a dodgy website full of malware. Are you saying that nothing I click on in the ledger live app can result in draining my account? Unless I approve of a malicious transaction.

I just bought a separate laptop that I only use for browsing to the exchange I use. I made a new, protected email address (protonmail).
My first deposit to the exchange is made, and it is a significant one. But before I buy crypto and transfer it to ledger, I have to know all scams.

Surely I will download the app from the official website.

I know that it is not an exchange. But in order for you to manage different tokens with ease, it seems that you need their Ledger Live app. And this is very prone to attacks from hackers. Ot not? I also wonder if updating the app (the official one) can ever go wrong if Ledger gets hacked.


I believe that the scams (spam, fake ledger support, address poisoning) all happened on the Ledger Live app downloaded from the official website. There are experienced traders falling for this. I plan to hold BTC for the next 25 years. There will not be many transactions. On the other hand this is my very first crypto experience and therefore I am likely to make mistakes.


I know that. I don't intend to every type it on any laptop.


From the official website, linked under the Coin Bureau channel which in my opinion is the leading channel for crypto advice.
It is still unopened, but I plan to use it soon. Therefore I am educating myself about common traps and scams

This has nothing to do with Ledger, their company or their device.

This is a social engineering attack. Something you fall for if you don't know what you're doing and isn't careful enough. To fall for it, you need to copy an address from the block explorer thinking it's your friends' (why would you do that?), send coins there AND manually physically accept the transaction on your device. If you do this = your OWN fault.

Also, this is the same if you're using Ledger, Trezor, Electrum, Metamask, whatever... name a wallet, social engineering attacks are possible with literally every single one of them.

Very easy not to fall for this: just copy the address directly from your friend and verify it. No issues at all.

What you're scared about is someone not checking the address they're sending to. Just do not do this and check the address (besides not copying the address from a random transaction on a block explorer).

Also have nothing to do with Ledger or their device.

The user physically confirms the transaction with missmatching data on their device - missmatching because their PC is infected with malware. This is also their own fault.

If you go to the bank and say: "hey, I want to transfer $100 to my friend at account number 123"
And then the cashier prompts you: "ok, so what you're telling me is that you want to transfer $10k to your friend account number 987?"

If you confirm this, it's YOUR FAULT.

Ledger is clear: verify and confirm.

This is false. You can't have your [Ledger] account "drained" because "you clicked on spam [transaction]".

If your PC is infected, of course a malware can intercept the transaction request and change it. If you sign it, though, it's your fault. That's why hardware wallets exist...


TLDR: Ledger is pretty safe.

The way that you're referring to Ledger makes me think that you see it as some kind of exchange like Binance is, which is wrong. Ledger is only a company that sells you a device - their hardware wallet - which makes you able to receive/sent cryptocurrency. The hardware wallet generates a seed for you - that will never leave the device - which will then be responsible to generate all your addresses. Ledger will never hold any of your funds and you'll be in total control over them since you will be the one holding the private keys (they are generated inside the wallet and never leave it).

The best compass that you can have to dodge any kind of scamming attempt is using your brain. Be always skeptical when you receive a random e-mail from Ledger in your inbox and always double check the sender and the e-mail origin. Download and verify Ledger Live- if you wish to access to your wallet by using their program - to avoid typing the website in Google and eventually fall into a lookalike website that will surely drain your wallet by having a tampered executable within.

The best advice that anyone can give you is the most frequent one that you'll see - Never share your seed phrases. Not even if the Pope have asked you to do so as they hold the keys to any fund that you possess. If anyone catches them they'll be able to have complete control of your cryptocurrency.

May I ask, where have you brought the Ledger device from?

---

[1]https://www.ledger.com/ledger-live

I have purchased a Ledger device and the tutorial video seems simple.
However when I dug a little deeper, I found loads of videos of users who lost all of their coins to scammers on Ledger.

They seem to get more creative.
This video here is about a crypto millionaire who lost a significant amount of coins because of address poisoning, recently. https://www.youtube.com/watch?v=gNhzOQGyvfY&t=549s Apparently scammers can get a hold of the latest addresses you have sent funds to.

They are able to poison your transfer history, which means that they copy the first 5 and the last 5 digits of the address you recently sent crypto to.
But they change everything in the middle and they make their own address this way. Their new address is listed in your transfer history, replacing your genuine history (How can Ledger let this happen??) So you copy paste the address, thinking you are transfering to your friend but you transfer directly to the scammer. The fact that this is possible, scares the hell out of me and really makes me question the capability of ledger as a company.

This one here lets you enter all the details of a transaction in the live app. And then when you check the ledger, the amount displays your full account of that token. You think it is just displaying your full balance, but if you confirm the transaction it sends your full account to a different address (of the hacker) https://www.youtube.com/watch?v=gwLyvZR1KCI

You can also receive spam in Ledger Live (app), which looks totally innocent. But if you click on it, your entire account is drained.
Or they can make transactions appear in Ledger live, that never happened. Or contact you as being Ledger Live support when they are not.
If you have any other experience with hacks, please let me know.

Isn't a company like Binance more financially capable of protecting themselves against professional hackers? I think they just have more funds than Ledger.
I am not convinced that it is safe to leave my funds there.