Pages:
Author

Topic: Ledger Card Honeypot (Read 590 times)

hero member
Activity: 714
Merit: 1298
August 14, 2022, 12:28:26 PM
#59
Has anyone got Ledger Live installed who can tell us exactly who they are? (I'm definitely not installing it to find out!) According to the menu on the left of this page (https://support.ledger.com/hc/en-us/articles/4413768794257-Managing-NFT-in-Ledger-Live) they will be sharing your data with Coinify, Wyre, Changelly, Paraswap, and Lido (I've not even heard of some of these). And as we discussed earlier there is now a Coinbase integration as well. Who else are they sharing your info and data with?




https://ledger.baanx.co.uk/CL_Platform_Terms_of_Use.pdf

legendary
Activity: 1722
Merit: 5937
December 21, 2021, 03:21:23 PM
#58
More information about new Ledger card released today:

Quote
How does the CL Card, powered by Ledger, interact with #LedgerLive & your Nano?

Well, you can use Ledger Live to top up your card by sending #crypto to your card account. You'll need your Ledger Nano S/X to confirm the transaction securely.
https://twitter.com/Ledger/status/1472892039545110532
So, pretty much the same thing like sending your money from Ledger to Binance/Coinbase and then using debit card. With maybe one (or more in case of Coinbase-Revolut combo) step less as you won't have to dend money to card (I guess) and from what I read among those replies, transactions from Ledger to card will be free. Then again, they won't have any cashback system, at least for now and that's a big drawback for anyone who uses crypto debit card on the daily basis.

Gonna skip that one in the end.
legendary
Activity: 2268
Merit: 18771
December 20, 2021, 03:00:55 PM
#57
Knowing your exact location and your exact balance, while having a history of leaking customer data, is just plain scary.
Not only that, but sharing that data with all the third parties which are integrated in to Ledger Live. Has anyone got Ledger Live installed who can tell us exactly who they are? (I'm definitely not installing it to find out!) According to the menu on the left of this page (https://support.ledger.com/hc/en-us/articles/4413768794257-Managing-NFT-in-Ledger-Live) they will be sharing your data with Coinify, Wyre, Changelly, Paraswap, and Lido (I've not even heard of some of these). And as we discussed earlier there is now a Coinbase integration as well. Who else are they sharing your info and data with?

It's possible that other devices are doing something similar, but I know that Trezor Suite have built in Tor privacy option.
I'm becoming more and more skeptical of all hardware wallets as time goes on, given the constant issues with privacy and security which keep arising. I still use a couple of brands for smaller amounts of coins, but the bulk of my holdings are either on paper wallets or encrypted airgapped wallets.

More information about new Ledger card released today:
And the official Ledger account replies to all the people singing its praises with meaningless hype, and ignores the people who question the privacy or KYC implications. Roll Eyes
legendary
Activity: 2212
Merit: 7064
December 20, 2021, 12:18:31 PM
#56
Out of curiosity, I went and had a look at the Ledger Privacy Policy, since I've not paid it any attention in some time. It's worse than I remember, or perhaps it has become worse since I last looked at it.
Exposing IP location to manufacturer like ledger is one thing, but using this data and sharing it with bunch of their partners is big red flag for me, especially if wallet address can be connected with that.
It's possible that other devices are doing something similar, but I know that Trezor Suite have built in Tor privacy option.

As I posted above, the issue is not us, it's them and everyone else that uses & promotes them.
That is true, ledger have big list of affiliates, youtubers, influencers and they all earn money whenever someone purchase ledger device with their link.
Nothing bad in doing affiliate marketing if you are honest about specific product and you don't hide stuff like this, and I never heard anyone talking about this issue.

I spent wayyyyy to much time the other day pointing out why someone I know should stop using his ledger, I might as well been talking to my cat for all the progress I made with him. But I tried. This is just another thing we will have to talk people out of.
I probably spent more time creating bunch of ledger related topics in bitcointalk forum, not because I hate them but because I want to show the full picture.
For example, when you look at their website reviews is all roses but if you check Trustpilot ledger reviews you will see something different.

Bitcoin, an open source protocol should only be managed with open source wallets (in case of holders), if not what is even the point then on trying to be one's own bank while trusting there is not a hidden back-door?  Sad
Exactly, and I don't know what's the problem for ledger to open source everything, so that we could all contribute making a better product and stop with speculations about backdoors.

Knowing your exact location and your exact balance, while having a history of leaking customer data, is just plain scary.
It's as if they have an interest in selling $5 wrenches!
Combine that with previously leaked customer information, maybe some hidden NDA with government agencies, and you have a big horror story just waiting to be revealed.



More information about new Ledger card released today:

Quote
How does the CL Card, powered by Ledger, interact with #LedgerLive & your Nano?

Well, you can use Ledger Live to top up your card by sending #crypto to your card account. You'll need your Ledger Nano S/X to confirm the transaction securely.

https://twitter.com/Ledger/status/1472892039545110532



legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 20, 2021, 05:23:08 AM
#55
I note that the mobile apps also collect information such as your device ID and GPS location data. What about which coins you are holding, or even your balances or addresses?
Knowing your exact location and your exact balance, while having a history of leaking customer data, is just plain scary.
It's as if they have an interest in selling $5 wrenches!
legendary
Activity: 2268
Merit: 18771
December 20, 2021, 05:16:04 AM
#54
A VPN will get around that, but I guess it get's back to what has been being said about them for a while that they should not be trusted.
The IP sharing, yes, but what other data are they sharing with their third party partners? I note that the mobile apps also collect information such as your device ID and GPS location data. What about which coins you are holding, or even your balances or addresses? And then once you share your KYC to access this Baanx card, is that going to be shared too? Far too risky.

This is just another thing we will have to talk people out of.
I think it mostly goes back to the root issue, which is most people do not care about their privacy until it is too late. If people are happy to send their KYC off without a second thought to any centralized exchange, or even worse to some complete stranger who can copy and paste an existing token and launch some scam bounty campaign, then good luck convincing them that Ledger sharing their identity with a debit card provider is a concern for them. If you care about your privacy then this behavior from Ledger is unforgivable, but if your KYC documents are already for sale on dark net markets, then this is pretty much irrelevant.

The fact that Ledger have survived seemingly unscathed after literally putting many of their customers in physical danger by leaking their full names and addresses, means I suspect that most people simply won't care about their loss of privacy here either. I had a look through their subreddit and could only find a single user express privacy concerns about this, and he was being downvoted for doing so. Roll Eyes
legendary
Activity: 1162
Merit: 2025
Leading Crypto Sports Betting & Casino Platform
December 19, 2021, 08:00:56 PM
#53
To anyone who is considering this Ledger implementation to be a good idea, I would like them to (re)visit this topic started by dkbit98 about how the big brother wants to be able to crack your HW in the future.
I wouldn't trust them with this new ledger-Baanx debit card either.

I wouldn't either.
Bitcoin, an open source protocol should only be managed with open source wallets (in case of holders), if not what is even the point then on trying to be one's own bank while trusting there is not a hidden back-door?  Sad

legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
December 19, 2021, 04:42:52 PM
#52
In order to gain access to third-party services through Ledger Live, you understand and acknowledge that your location information, including your IP address, may be collected on behalf of and checked by selected partners in order to meet their own AML/KYC requirements.

With no way to update the firmware or the apps on your Ledger device without going through this piece of software, then it is essentially impossible to use a Ledger device privately.

A VPN will get around that, but I guess it get's back to what has been being said about them for a while that they should not be trusted.
As I posted above, the issue is not us, it's them and everyone else that uses & promotes them.
Bitching about what they do amongst ourselves is fine, but we have to spend time educating others about what they do.
...quoting myself from another post:

Serious thought, Ledger has already made it 100% clear that they don't care about their customers. They are not even trying to hide it. But they are selling a ton of devices. So, the question is WHAT are they doing that other manufacturers are not? And if the other manufacturers do the same will they pull sales from Ledger? And if not why not? This is something we should be discussing. I have my own thoughts, but I am interested in what other people think.

I spent wayyyyy to much time the other day pointing out why someone I know should stop using his ledger, I might as well been talking to my cat for all the progress I made with him. But I tried. This is just another thing we will have to talk people out of.

4% cashback in XLM, and if you use USDC to fund it, since it's a 'stablecoin', there are no tax implications.
Are you paying those crazy high ethereum transaction fees for every transaction you make with your card?


Sorry missed this the other day, just 1 transfer to Coinbase with the 1 fee and it just pulls from my USDC balance.
They also pay some small amount of interest on USDC.
But if you are going to spend crypto on stuff instead of holding it, I'll take 4% back.
As I have posted in other places here, my privacy & anonimity are already gone since I am a long time Coinbase user, so I might as well make the best of it.


-Dave
legendary
Activity: 2268
Merit: 18771
December 19, 2021, 02:42:11 PM
#51
If they lie about this, the real question is what else do they lie about that is less obvious to see?
"We keep your information safe." Tongue

It's possible that everything will be connected with ledger live app, and anyone using this application will have their IP recorded, along with wallet address and now with this new card.
If you use Ledger Live, then I fully suspect that this is already happening.

Out of curiosity, I went and had a look at the Ledger Privacy Policy, since I've not paid it any attention in some time. It's worse than I remember, or perhaps it has become worse since I last looked at it. Examples include:

In order to gain access to third-party services through Ledger Live, you understand and acknowledge that your location information, including your IP address, may be collected on behalf of and checked by selected partners in order to meet their own AML/KYC requirements.

With no way to update the firmware or the apps on your Ledger device without going through this piece of software, then it is essentially impossible to use a Ledger device privately.
legendary
Activity: 2212
Merit: 7064
December 19, 2021, 12:13:56 PM
#50
The whole partnership thing here simply appears to be that there will now be a tab/button/advert/whatever in Ledger Live that will let you link your card and generate a deposit address from within Ledger Live itself, as opposed to having to go to Baanx's own website. Baanx will obviously pay Ledger a cut of the fees and profits for this, and I'm absolutely certain that both companies will share data to increase ad revenue and the like. I can't see anything at all which is new or revolutionary compared to already existing bitcoin cards, with the significant downside being that you will have directly linked a KYCed account with your hardware wallet.
It's possible that everything will be connected with ledger live app, and anyone using this application will have their IP recorded, along with wallet address and now with this new card.
I guess people could still use VPN or Tor connection when using this app, but I wonder why it's not built in option within app, same like we have in Trezor Suite.

I've only staked a worthless altcoin, where staking worked straight from the Bitcoin Core clone, without exchange. I assume the same would work on ethereum, but the minimum is about half a Lambo worth of that coin. So staking leads to further centralization, who would have thought.
Maybe it's time for you to release LoyceV coin with staking option and support for ledger wallet... I am waiting for my airdrop sir  Cheesy

To anyone who is considering this Ledger implementation to be a good idea, I would like them to (re)visit this topic started by dkbit98 about how the big brother wants to be able to crack your HW in the future.
Ledger is perfect honeypot company for government agencies to infiltrate their agents, being closed source, leaking customer information multiple times, and receiving millions of dollar investment information just increases my suspicion even more.
I wouldn't trust them with this new ledger-Baanx debit card either.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
December 18, 2021, 04:01:17 PM
#49
I've only staked a worthless altcoin, where staking worked straight from the Bitcoin Core clone, without exchange. I assume the same would work on ethereum, but the minimum is about half a Lambo worth of that coin. So staking leads to further centralization, who would have thought.

It's a bit different with Ethereum in that (a) you have to send the coins the the beacon chain (AKA ETH2) and while you can hold the keys, you can't really withdraw the coins until some future hardfork and (b) there are uptime requirements - you can get penalized if your validator node goes down. Looks like this Ledger service is trying to solve these two issues (not sure about the first part though but presumably you can sell the staking tokens, perhaps at a slight loss), as well as allow staking less than 32 ETH. Nothing particularly wrong with that, there are other similar services, but it's definitely perpendicular to the purpose of a hardware wallet.
legendary
Activity: 1162
Merit: 2025
Leading Crypto Sports Betting & Casino Platform
December 18, 2021, 03:30:34 PM
#48
To anyone who is considering this Ledger implementation to be a good idea, I would like them to (re)visit this topic started by dkbit98 about how the big brother wants to be able to crack your HW in the future.

Ledger not being fully open source and still being one of the most important HW providers would fit like a glove to those who seek to undermine the purpose of the HWs themselves. Be careful, the devil won't come to us with horns and in red, but dressed in white and offering "wonderful things".
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 18, 2021, 02:02:31 PM
#47
But isn't that exactly how staking works all over the place? You have to lock the coins for X amount of time, send them to an exchange, and you can't get them back until your staking period expires. The safety of the keys has nothing to do with it.
I've only staked a worthless altcoin, where staking worked straight from the Bitcoin Core clone, without exchange. I assume the same would work on ethereum, but the minimum is about half a Lambo worth of that coin. So staking leads to further centralization, who would have thought.
legendary
Activity: 2730
Merit: 7065
December 18, 2021, 01:11:46 PM
#46
Since Baanx group don't know addresses from ledger customers (I hope) this means that I can send coins even from hot wallet or exchange to that card, totally unrelated with ledger.
It would be terrible f they need some proof and connection that coins are really coming from ledger device address.
I don't think you will. Most probably you will only be able to get a deposit address from Ledger Live. But once you see that address, it might be possible to deposit crypto from let's say an exchange or some other wallet that isn't Ledger Live. Or maybe they have a way to whitelist only your addresses that have been funded in the past in LL.

I don't use Ethereum so I had no idea about this, but wow. How can they possible call it a hack-proof experience when you have to send your ETH off to some random smart contract. The number of token contracts and smart contracts which have had critical bugs and vulnerabilities in them is uncountable.
They provide false claims. The fact that your private keys never leave your device isn't important because your coins do. But isn't that exactly how staking works all over the place? You have to lock the coins for X amount of time, send them to an exchange, and you can't get them back until your staking period expires. The safety of the keys has nothing to do with it.   
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 18, 2021, 09:53:11 AM
#45
How can they possible call it a hack-proof experience when you have to send your ETH off to some random smart contract.
If they lie about this, the real question is what else do they lie about that is less obvious to see?
legendary
Activity: 2268
Merit: 18771
December 18, 2021, 08:41:45 AM
#44
They use the exact same strategy when it comes to staking ethereum:
I don't use Ethereum so I had no idea about this, but wow. How can they possible call it a hack-proof experience when you have to send your ETH off to some random smart contract. The number of token contracts and smart contracts which have had critical bugs and vulnerabilities in them is uncountable.

Since Baanx group don't know addresses from ledger customers (I hope) this means that I can send coins even from hot wallet or exchange to that card, totally unrelated with ledger.
The whole partnership thing here simply appears to be that there will now be a tab/button/advert/whatever in Ledger Live that will let you link your card and generate a deposit address from within Ledger Live itself, as opposed to having to go to Baanx's own website. Baanx will obviously pay Ledger a cut of the fees and profits for this, and I'm absolutely certain that both companies will share data to increase ad revenue and the like. I can't see anything at all which is new or revolutionary compared to already existing bitcoin cards, with the significant downside being that you will have directly linked a KYCed account with your hardware wallet.

Ledger consider bitcoin to be boring old tech so I speculate they are going to be used as main metaverse tool in future Cheesy
I can't think of anything worse in a hardware wallet. It's crap like this that makes me happy to use airgapped cold storage. At least I know some random company isn't going to start trying to turn my airgapped computer in to something I have never and will never want.
legendary
Activity: 2212
Merit: 7064
December 18, 2021, 08:28:24 AM
#43
They confirmed our speculations that you won't be able to spend the coins directly from your hardware wallet and the Ledger Live app with the card. You will be required to top up the card by manually sending funds from your LL app to the card's account address. Those coins will then become spendable with the debit card.
I don't have fakebook account so I can't read that link, but this is exactly the same thing we see with all other crypto debit cards, just in this case card has ledger label on it.
Since Baanx group don't know addresses from ledger customers (I hope) this means that I can send coins even from hot wallet or exchange to that card, totally unrelated with ledger.
It would be terrible f they need some proof and connection that coins are really coming from ledger device address.

It sounds like Ledger got paid to advertise this, or they'll get paid per user or per transaction later on. Just like they offer several services from within Ledger Live.
Some people maybe remember several months ago when ledger received bunch of money ($380 Million) from various companies for their last fundraising campaign.
Well know it's payback time  Cheesy

The link works fine without Facebook account on Tor
Not working in my case... and I tried with several new identities.
You must have some special early accees for Torbook metaverse.

I find the whole thing very disingenuous if I'm honest.
This is just a beginning, wait until we see new deals coming up, Ledger is very interested in becoming smatphone storage for nft mambo jumbo art.
Ledger consider bitcoin to be boring old tech so I speculate they are going to be used as main metaverse tool in future Cheesy




legendary
Activity: 2730
Merit: 7065
December 18, 2021, 08:12:26 AM
#42
All that information seems to be inexplicably missing from all the explanations they are giving as to how this works.
Maybe that's something that will be released later down the line.

It's almost like they don't want people to realize they are losing all security and privacy by using this.
All companies like their customers to be smart and educated enough to purchase their products or services, but at the same time ignorant enough not to question their policies and methods of how things are done. You are being a naughty boy o_e_l_e_o asking such things. Tongue

Not surprising, spending directly from your hardware sounds too good to be true and it means you need to bring your HW wallet along with the Ledger card.
Too good or to scary. If you can spend the coins from a hardware wallet without physically confirming each transaction, who has your private keys, master private keys, or the seed phrase. That would mean Ledger has a copy of them.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
December 18, 2021, 07:38:49 AM
#41
"You're safe and sound when you do so, as you need your Ledger Nano S/X to confirm the transaction." I mean, technically that's correct
They use the exact same strategy when it comes to staking ethereum:
Quote
Ledger is the safest way to stake ETH. Your private keys remain tightly secured within your Nano hardware wallet, guaranteeing a hack-proof experience. All transactions are confirmed from the security of your hardware wallet.
~
You can now verify your transaction details on your Nano hardware wallet using the LIDO app. Once confirmed, your wallet now contains the amount of ETH you staked – stETH – visible in your wallet.
They literally tell people to exchange their (shit)coins for (shit)tokens, as if holding the keys to the (shit)tokens is enough to get back your (shit)coins when the shit hits the fan.
legendary
Activity: 2268
Merit: 18771
December 18, 2021, 05:41:37 AM
#40
The link works fine without Facebook account on Tor:
It didn't work for me, despite a circuit change. A third circuit change just now and it did work. Guess I was just unlucky. Thanks for sharing the image anyway!

I find the whole thing very disingenuous if I'm honest. "You're safe and sound when you do so, as you need your Ledger Nano S/X to confirm the transaction." I mean, technically that's correct, but as soon as you confirm the transaction you are no longer safe and sound in any way since your coins are no longer protected by your hardware wallet, are no longer in your control, are in the possession of a third party (and not even Ledger themselves), and you have no idea how good their security is. All that information seems to be inexplicably missing from all the explanations they are giving as to how this works. It's almost like they don't want people to realize they are losing all security and privacy by using this.
Pages:
Jump to: