
Topic: Ledger Card Honeypot (Read 579 times)

hero member
Activity: 714
Merit: 1298
August 14, 2022, 12:28:26 PM
#59
Has anyone got Ledger Live installed who can tell us exactly who they are? (I'm definitely not installing it to find out!) According to the menu on the left of this page (https://support.ledger.com/hc/en-us/articles/4413768794257-Managing-NFT-in-Ledger-Live) they will be sharing your data with Coinify, Wyre, Changelly, Paraswap, and Lido (I've not even heard of some of these). And as we discussed earlier there is now a Coinbase integration as well. Who else are they sharing your info and data with?




https://ledger.baanx.co.uk/CL_Platform_Terms_of_Use.pdf

legendary
Activity: 1722
Merit: 5937
December 21, 2021, 03:21:23 PM
#58
More information about new Ledger card released today:

Quote
How does the CL Card, powered by Ledger, interact with #LedgerLive & your Nano?

Well, you can use Ledger Live to top up your card by sending #crypto to your card account. You'll need your Ledger Nano S/X to confirm the transaction securely.
https://twitter.com/Ledger/status/1472892039545110532
So, pretty much the same thing like sending your money from Ledger to Binance/Coinbase and then using debit card. With maybe one (or more in case of Coinbase-Revolut combo) step less as you won't have to send money to card (I guess) and from what I read among those replies, transactions from Ledger to card will be free. Then again, they won't have any cashback system, at least for now and that's a big drawback for anyone who uses crypto debit card on the daily basis.

Gonna skip that one in the end.
legendary
Activity: 2268
Merit: 18711
December 20, 2021, 03:00:55 PM
#57
Knowing your exact location and your exact balance, while having a history of leaking customer data, is just plain scary.
Not only that, but sharing that data with all the third parties which are integrated in to Ledger Live. Has anyone got Ledger Live installed who can tell us exactly who they are? (I'm definitely not installing it to find out!) According to the menu on the left of this page (https://support.ledger.com/hc/en-us/articles/4413768794257-Managing-NFT-in-Ledger-Live) they will be sharing your data with Coinify, Wyre, Changelly, Paraswap, and Lido (I've not even heard of some of these). And as we discussed earlier there is now a Coinbase integration as well. Who else are they sharing your info and data with?

It's possible that other devices are doing something similar, but I know that Trezor Suite have built in Tor privacy option.
I'm becoming more and more skeptical of all hardware wallets as time goes on, given the constant issues with privacy and security which keep arising. I still use a couple of brands for smaller amounts of coins, but the bulk of my holdings are either on paper wallets or encrypted airgapped wallets.

More information about new Ledger card released today:
And the official Ledger account replies to all the people singing its praises with meaningless hype, and ignores the people who question the privacy or KYC implications. Roll Eyes
legendary
Activity: 2212
Merit: 7064
December 20, 2021, 12:18:31 PM
#56
Out of curiosity, I went and had a look at the Ledger Privacy Policy, since I've not paid it any attention in some time. It's worse than I remember, or perhaps it has become worse since I last looked at it.
Exposing IP location to manufacturer like ledger is one thing, but using this data and sharing it with bunch of their partners is big red flag for me, especially if wallet address can be connected with that.
It's possible that other devices are doing something similar, but I know that Trezor Suite have built in Tor privacy option.

As I posted above, the issue is not us, it's them and everyone else that uses & promotes them.
That is true, ledger have big list of affiliates, youtubers, influencers and they all earn money whenever someone purchases ledger device with their link.
Nothing bad in doing affiliate marketing if you are honest about specific product and you don't hide stuff like this, and I never heard anyone talking about this issue.

I spent wayyyyy too much time the other day pointing out why someone I know should stop using his ledger, I might as well have been talking to my cat for all the progress I made with him. But I tried. This is just another thing we will have to talk people out of.
I probably spent more time creating bunch of ledger related topics in bitcointalk forum, not because I hate them but because I want to show the full picture.
For example, when you look at their website reviews is all roses but if you check Trustpilot ledger reviews you will see something different.

Bitcoin, an open source protocol should only be managed with open source wallets (in case of holders), if not what is even the point then on trying to be one's own bank while trusting there is not a hidden back-door?  Sad
Exactly, and I don't know what's the problem for ledger to open source everything, so that we could all contribute making a better product and stop with speculations about backdoors.

Knowing your exact location and your exact balance, while having a history of leaking customer data, is just plain scary.
It's as if they have an interest in selling $5 wrenches!
Combine that with previously leaked customer information, maybe some hidden NDA with government agencies, and you have a big horror story just waiting to be revealed.



More information about new Ledger card released today:

Quote
How does the CL Card, powered by Ledger, interact with #LedgerLive & your Nano?

Well, you can use Ledger Live to top up your card by sending #crypto to your card account. You'll need your Ledger Nano S/X to confirm the transaction securely.

https://twitter.com/Ledger/status/1472892039545110532



legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 20, 2021, 05:23:08 AM
#55
I note that the mobile apps also collect information such as your device ID and GPS location data. What about which coins you are holding, or even your balances or addresses?
Knowing your exact location and your exact balance, while having a history of leaking customer data, is just plain scary.
It's as if they have an interest in selling $5 wrenches!
legendary
Activity: 2268
Merit: 18711
December 20, 2021, 05:16:04 AM
#54
A VPN will get around that, but I guess it gets back to what has been being said about them for a while that they should not be trusted.
The IP sharing, yes, but what other data are they sharing with their third party partners? I note that the mobile apps also collect information such as your device ID and GPS location data. What about which coins you are holding, or even your balances or addresses? And then once you share your KYC to access this Baanx card, is that going to be shared too? Far too risky.

This is just another thing we will have to talk people out of.
I think it mostly goes back to the root issue, which is most people do not care about their privacy until it is too late. If people are happy to send their KYC off without a second thought to any centralized exchange, or even worse to some complete stranger who can copy and paste an existing token and launch some scam bounty campaign, then good luck convincing them that Ledger sharing their identity with a debit card provider is a concern for them. If you care about your privacy then this behavior from Ledger is unforgivable, but if your KYC documents are already for sale on dark net markets, then this is pretty much irrelevant.

The fact that Ledger have survived seemingly unscathed after literally putting many of their customers in physical danger by leaking their full names and addresses, means I suspect that most people simply won't care about their loss of privacy here either. I had a look through their subreddit and could only find a single user express privacy concerns about this, and he was being downvoted for doing so. Roll Eyes
legendary
Activity: 1162
Merit: 2025
December 19, 2021, 08:00:56 PM
#53
To anyone who is considering this Ledger implementation to be a good idea, I would like them to (re)visit this topic started by dkbit98 about how the big brother wants to be able to crack your HW in the future.
I wouldn't trust them with this new ledger-Baanx debit card either.

I wouldn't either.
Bitcoin, an open source protocol should only be managed with open source wallets (in case of holders), if not what is even the point then on trying to be one's own bank while trusting there is not a hidden back-door?  Sad

legendary
Activity: 3500
Merit: 6320
December 19, 2021, 04:42:52 PM
#52
In order to gain access to third-party services through Ledger Live, you understand and acknowledge that your location information, including your IP address, may be collected on behalf of and checked by selected partners in order to meet their own AML/KYC requirements.

With no way to update the firmware or the apps on your Ledger device without going through this piece of software, then it is essentially impossible to use a Ledger device privately.

A VPN will get around that, but I guess it gets back to what has been being said about them for a while that they should not be trusted.
As I posted above, the issue is not us, it's them and everyone else that uses & promotes them.
Bitching about what they do amongst ourselves is fine, but we have to spend time educating others about what they do.
...quoting myself from another post:

Serious thought, Ledger has already made it 100% clear that they don't care about their customers. They are not even trying to hide it. But they are selling a ton of devices. So, the question is WHAT are they doing that other manufacturers are not? And if the other manufacturers do the same will they pull sales from Ledger? And if not why not? This is something we should be discussing. I have my own thoughts, but I am interested in what other people think.

I spent wayyyyy too much time the other day pointing out why someone I know should stop using his ledger, I might as well have been talking to my cat for all the progress I made with him. But I tried. This is just another thing we will have to talk people out of.

4% cashback in XLM, and if you use USDC to fund it, since it's a 'stablecoin', there are no tax implications.
Are you paying those crazy high ethereum transaction fees for every transaction you make with your card?


Sorry missed this the other day, just 1 transfer to Coinbase with the 1 fee and it just pulls from my USDC balance.
They also pay some small amount of interest on USDC.
But if you are going to spend crypto on stuff instead of holding it, I'll take 4% back.
As I have posted in other places here, my privacy & anonymity are already gone since I am a long time Coinbase user, so I might as well make the best of it.


-Dave
legendary
Activity: 2268
Merit: 18711
December 19, 2021, 02:42:11 PM
#51
If they lie about this, the real question is what else do they lie about that is less obvious to see?
"We keep your information safe." Tongue

It's possible that everything will be connected with ledger live app, and anyone using this application will have their IP recorded, along with wallet address and now with this new card.
If you use Ledger Live, then I fully suspect that this is already happening.

Out of curiosity, I went and had a look at the Ledger Privacy Policy, since I've not paid it any attention in some time. It's worse than I remember, or perhaps it has become worse since I last looked at it. Examples include:

In order to gain access to third-party services through Ledger Live, you understand and acknowledge that your location information, including your IP address, may be collected on behalf of and checked by selected partners in order to meet their own AML/KYC requirements.

With no way to update the firmware or the apps on your Ledger device without going through this piece of software, then it is essentially impossible to use a Ledger device privately.
legendary
Activity: 2212
Merit: 7064
December 19, 2021, 12:13:56 PM
#50
The whole partnership thing here simply appears to be that there will now be a tab/button/advert/whatever in Ledger Live that will let you link your card and generate a deposit address from within Ledger Live itself, as opposed to having to go to Baanx's own website. Baanx will obviously pay Ledger a cut of the fees and profits for this, and I'm absolutely certain that both companies will share data to increase ad revenue and the like. I can't see anything at all which is new or revolutionary compared to already existing bitcoin cards, with the significant downside being that you will have directly linked a KYCed account with your hardware wallet.
It's possible that everything will be connected with ledger live app, and anyone using this application will have their IP recorded, along with wallet address and now with this new card.
I guess people could still use VPN or Tor connection when using this app, but I wonder why it's not built in option within app, same like we have in Trezor Suite.

I've only staked a worthless altcoin, where staking worked straight from the Bitcoin Core clone, without exchange. I assume the same would work on ethereum, but the minimum is about half a Lambo worth of that coin. So staking leads to further centralization, who would have thought.
Maybe it's time for you to release LoyceV coin with staking option and support for ledger wallet... I am waiting for my airdrop sir  Cheesy

To anyone who is considering this Ledger implementation to be a good idea, I would like them to (re)visit this topic started by dkbit98 about how the big brother wants to be able to crack your HW in the future.
Ledger is perfect honeypot company for government agencies to infiltrate their agents, being closed source, leaking customer information multiple times, and receiving millions of dollar investment information just increases my suspicion even more.
I wouldn't trust them with this new ledger-Baanx debit card either.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
December 18, 2021, 04:01:17 PM
#49
I've only staked a worthless altcoin, where staking worked straight from the Bitcoin Core clone, without exchange. I assume the same would work on ethereum, but the minimum is about half a Lambo worth of that coin. So staking leads to further centralization, who would have thought.

It's a bit different with Ethereum in that (a) you have to send the coins to the beacon chain (AKA ETH2) and while you can hold the keys, you can't really withdraw the coins until some future hardfork and (b) there are uptime requirements - you can get penalized if your validator node goes down. Looks like this Ledger service is trying to solve these two issues (not sure about the first part though but presumably you can sell the staking tokens, perhaps at a slight loss), as well as allow staking less than 32 ETH. Nothing particularly wrong with that, there are other similar services, but it's definitely perpendicular to the purpose of a hardware wallet.
legendary
Activity: 1162
Merit: 2025
December 18, 2021, 03:30:34 PM
#48
To anyone who is considering this Ledger implementation to be a good idea, I would like them to (re)visit this topic started by dkbit98 about how the big brother wants to be able to crack your HW in the future.

Ledger not being fully open source and still being one of the most important HW providers would fit like a glove to those who seek to undermine the purpose of the HWs themselves. Be careful, the devil won't come to us with horns and in red, but dressed in white and offering "wonderful things".
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 18, 2021, 02:02:31 PM
#47
But isn't that exactly how staking works all over the place? You have to lock the coins for X amount of time, send them to an exchange, and you can't get them back until your staking period expires. The safety of the keys has nothing to do with it.
I've only staked a worthless altcoin, where staking worked straight from the Bitcoin Core clone, without exchange. I assume the same would work on ethereum, but the minimum is about half a Lambo worth of that coin. So staking leads to further centralization, who would have thought.
legendary
Activity: 2730
Merit: 7065
December 18, 2021, 01:11:46 PM
#46
Since Baanx group don't know addresses from ledger customers (I hope) this means that I can send coins even from hot wallet or exchange to that card, totally unrelated with ledger.
It would be terrible if they need some proof and connection that coins are really coming from ledger device address.
I don't think you will. Most probably you will only be able to get a deposit address from Ledger Live. But once you see that address, it might be possible to deposit crypto from let's say an exchange or some other wallet that isn't Ledger Live. Or maybe they have a way to whitelist only your addresses that have been funded in the past in LL.

I don't use Ethereum so I had no idea about this, but wow. How can they possibly call it a hack-proof experience when you have to send your ETH off to some random smart contract. The number of token contracts and smart contracts which have had critical bugs and vulnerabilities in them is uncountable.
They provide false claims. The fact that your private keys never leave your device isn't important because your coins do. But isn't that exactly how staking works all over the place? You have to lock the coins for X amount of time, send them to an exchange, and you can't get them back until your staking period expires. The safety of the keys has nothing to do with it.   
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 18, 2021, 09:53:11 AM
#45
How can they possibly call it a hack-proof experience when you have to send your ETH off to some random smart contract.
If they lie about this, the real question is what else do they lie about that is less obvious to see?
legendary
Activity: 2268
Merit: 18711
December 18, 2021, 08:41:45 AM
#44
They use the exact same strategy when it comes to staking ethereum:
I don't use Ethereum so I had no idea about this, but wow. How can they possibly call it a hack-proof experience when you have to send your ETH off to some random smart contract. The number of token contracts and smart contracts which have had critical bugs and vulnerabilities in them is uncountable.

Since Baanx group don't know addresses from ledger customers (I hope) this means that I can send coins even from hot wallet or exchange to that card, totally unrelated with ledger.
The whole partnership thing here simply appears to be that there will now be a tab/button/advert/whatever in Ledger Live that will let you link your card and generate a deposit address from within Ledger Live itself, as opposed to having to go to Baanx's own website. Baanx will obviously pay Ledger a cut of the fees and profits for this, and I'm absolutely certain that both companies will share data to increase ad revenue and the like. I can't see anything at all which is new or revolutionary compared to already existing bitcoin cards, with the significant downside being that you will have directly linked a KYCed account with your hardware wallet.

Ledger consider bitcoin to be boring old tech so I speculate they are going to be used as main metaverse tool in future Cheesy
I can't think of anything worse in a hardware wallet. It's crap like this that makes me happy to use airgapped cold storage. At least I know some random company isn't going to start trying to turn my airgapped computer in to something I have never and will never want.
legendary
Activity: 2212
Merit: 7064
December 18, 2021, 08:28:24 AM
#43
They confirmed our speculations that you won't be able to spend the coins directly from your hardware wallet and the Ledger Live app with the card. You will be required to top up the card by manually sending funds from your LL app to the card's account address. Those coins will then become spendable with the debit card.
I don't have fakebook account so I can't read that link, but this is exactly the same thing we see with all other crypto debit cards, just in this case card has ledger label on it.
Since Baanx group don't know addresses from ledger customers (I hope) this means that I can send coins even from hot wallet or exchange to that card, totally unrelated with ledger.
It would be terrible if they need some proof and connection that coins are really coming from ledger device address.

It sounds like Ledger got paid to advertise this, or they'll get paid per user or per transaction later on. Just like they offer several services from within Ledger Live.
Some people maybe remember several months ago when ledger received bunch of money ($380 Million) from various companies for their last fundraising campaign.
Well, now it's payback time  Cheesy

The link works fine without Facebook account on Tor
Not working in my case... and I tried with several new identities.
You must have some special early access for Torbook metaverse.

I find the whole thing very disingenuous if I'm honest.
This is just a beginning, wait until we see new deals coming up, Ledger is very interested in becoming smartphone storage for nft mumbo jumbo art.
Ledger consider bitcoin to be boring old tech so I speculate they are going to be used as main metaverse tool in future Cheesy




legendary
Activity: 2730
Merit: 7065
December 18, 2021, 08:12:26 AM
#42
All that information seems to be inexplicably missing from all the explanations they are giving as to how this works.
Maybe that's something that will be released later down the line.

It's almost like they don't want people to realize they are losing all security and privacy by using this.
All companies like their customers to be smart and educated enough to purchase their products or services, but at the same time ignorant enough not to question their policies and methods of how things are done. You are being a naughty boy o_e_l_e_o asking such things. Tongue

Not surprising, spending directly from your hardware sounds too good to be true and it means you need to bring your HW wallet along with the Ledger card.
Too good or too scary. If you can spend the coins from a hardware wallet without physically confirming each transaction, who has your private keys, master private keys, or the seed phrase. That would mean Ledger has a copy of them.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 18, 2021, 07:38:49 AM
#41
"You're safe and sound when you do so, as you need your Ledger Nano S/X to confirm the transaction." I mean, technically that's correct
They use the exact same strategy when it comes to staking ethereum:
Quote
Ledger is the safest way to stake ETH. Your private keys remain tightly secured within your Nano hardware wallet, guaranteeing a hack-proof experience. All transactions are confirmed from the security of your hardware wallet.
~
You can now verify your transaction details on your Nano hardware wallet using the LIDO app. Once confirmed, your wallet now contains the amount of ETH you staked – stETH – visible in your wallet.
They literally tell people to exchange their (shit)coins for (shit)tokens, as if holding the keys to the (shit)tokens is enough to get back your (shit)coins when the shit hits the fan.
legendary
Activity: 2268
Merit: 18711
December 18, 2021, 05:41:37 AM
#40
The link works fine without Facebook account on Tor:
It didn't work for me, despite a circuit change. A third circuit change just now and it did work. Guess I was just unlucky. Thanks for sharing the image anyway!

I find the whole thing very disingenuous if I'm honest. "You're safe and sound when you do so, as you need your Ledger Nano S/X to confirm the transaction." I mean, technically that's correct, but as soon as you confirm the transaction you are no longer safe and sound in any way since your coins are no longer protected by your hardware wallet, are no longer in your control, are in the possession of a third party (and not even Ledger themselves), and you have no idea how good their security is. All that information seems to be inexplicably missing from all the explanations they are giving as to how this works. It's almost like they don't want people to realize they are losing all security and privacy by using this.