making fake HW wallets(will we see this scam next)?? - page 2.

tenant48

full member

Activity: 336

Merit: 161

Quote from: o_e_l_e_o on August 16, 2021, 04:26:25 AM

Quote from: tenant48 on August 16, 2021, 01:21:10 AM

passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed

It is far from ideal, though. A 24 word seed phrase provides 256 bits of security. 10 random lowercase characters provides only 47 bits. You shouldn't be relying on only a passphrase for all your security, and definitely not one so short.

When you iterate over a seed of 24 words (256 bit), you have the opportunity to find millions of other wallets, since most wallets use the bip39 standard, in this case there should be sufficient redundancy. When you iterate over the passphrase, you have the opportunity to find only one single wallet, so such protection (10 -12 characters) will be enough. Read again the article https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af?gi=a11722e479d8 there is a table with examples of password phrases and the approximate cost of attacks

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: tenant48 on August 16, 2021, 01:21:10 AM

The question was asked about a pre-installed BTC address by an attacker and I answered it.

Sure, your method protects against that specific attack, but it does not guarantee your wallet is "normal" as you suggested.

Quote from: tenant48 on August 16, 2021, 01:21:10 AM

passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed

It is far from ideal, though. A 24 word seed phrase provides 256 bits of security. 10 random lowercase characters provides only 47 bits. You shouldn't be relying on only a passphrase for all your security, and definitely not one so short.

tenant48

full member

Activity: 336

Merit: 161

Quote from: o_e_l_e_o on August 15, 2021, 03:50:48 PM

Quote from: tenant48 on August 15, 2021, 11:49:39 AM

To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use.

But how do you know your wallet is not generating seed phrases from a bank of several thousand or so which were pre-generated by an attacker? Just because the address did indeed come from the seed phrase you were displayed, does not mean your wallet is "normal" or safe.

You need to have some way of verifying the firmware which is installed on your hardware wallet, or verifying the updates you are applying to it, and verifying that the firmware is truly generating a random seed phrase. You could also mitigate this by using a long and complex passphrase (and then verifying that the addresses you are being displayed are indeed generated from seed phrase + passphrase), so even if an attacker knew your seed phrase they still could not access your coins.

The question was asked about a pre-installed BTC address by an attacker and I answered it. If you have doubts about the work of the built-in random seed generator, then you have two options: create your own seed manually or additionally protect the seed with a passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af?gi=a11722e479d8

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: tenant48 on August 15, 2021, 11:49:39 AM

To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use.

But how do you know your wallet is not generating seed phrases from a bank of several thousand or so which were pre-generated by an attacker? Just because the address did indeed come from the seed phrase you were displayed, does not mean your wallet is "normal" or safe.

You need to have some way of verifying the firmware which is installed on your hardware wallet, or verifying the updates you are applying to it, and verifying that the firmware is truly generating a random seed phrase. You could also mitigate this by using a long and complex passphrase (and then verifying that the addresses you are being displayed are indeed generated from seed phrase + passphrase), so even if an attacker knew your seed phrase they still could not access your coins.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: sheenshane on August 15, 2021, 11:25:37 AM

If there is, that's a noob or innocent one that is new to the crypto world or considerable as a lazy one because it doesn't even have their own research regarding the no-brand wallet use.

Those are exactly the victims that scammers target. What you explained is not different from any other scheme that is created for newbies, those who are greedy, careless, and don't take the required amount of time to consider the consequences of their actions.

Quote from: sheenshane on August 15, 2021, 11:25:37 AM

Let say if they(scammer) modify the HW wallets and you bought it from the unofficial distributor store, I think the reset button is enough in the first place to secure your wallet and the hacker has nothing to do because it will generate another seed phrase and address.

It wouldn't be enough if someone managed to create what I explained in my previous post in this thread. Besides, the scammers could use the leaked Shopify/Ledger databases to send out their fake products. We have already seen something like that not so long ago.

tenant48

full member

Activity: 336

Merit: 161

Quote from: ben19850 on August 12, 2021, 04:36:38 PM

lets say you make a fake HW wallet

people add a passphrase for extra secuirty and keep seed safe

could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would give to the new user a there new seed linked wallet?

no need for the scammer to get seed ect... just give them a wallet that scammer has access to already

This situation is theoretically possible. To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use.

sheenshane

legendary

Activity: 2366

Merit: 1206

I don't see that there's a scam next if someone making their own fake HW wallets. If there is, that's a noob or innocent one that is new to the crypto world or considerable as a lazy one because it doesn't even have their own research regarding the no-brand wallet use.

Let say if they(scammer) modify the HW wallets and you bought it from the unofficial distributor store, I think the reset button is enough in the first place to secure your wallet and the hacker has nothing to do because it will generate another seed phrase and address.

All I see on this matter, it's unrealistic to happen. No one will risk their crypto assets from an unknown source of HW wallets.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

If I understand the OP correctly, he is asking if it would be possible to create a wallet that always displays one or more receiving addresses of the hacker independent of what seed + seed extension the victim is using. The software of such a device would have no role at all, and would work as a regular hardware wallet where you are shown a seed to write down. But no matter what seed or passphrase you use, the device ends up displaying the same receiving addresses that ultimately leads to the victim making transactions to addresses that belong to the hacker. Is that it?

I don't think this is impossible.

NeuroticFish

legendary

Activity: 3500

Merit: 6205

Looking for campaign manager? Contact icopress!

Quote from: ben19850 on August 12, 2021, 04:36:38 PM

could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would give to the new user a there new seed linked wallet?

no need for the scammer to get seed ect... just give them a wallet that scammer has access to already

As I see this, the so-called pre-programmed extra address will not be part of the seed based HD wallet. So whenever one uses this... device... will have a HD wallet+1 address. This means that the scammer will probably have to make his own wallet software too to import the extra address somehow.

While some very new n00bs can be caught with this, I don't think that many can be so stupid to use both counterfeit HW and bad wallet software too, especially as legit wallet software comes free.

Lucius

legendary

Activity: 3220

Merit: 5634

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: ben19850 on August 12, 2021, 06:02:06 PM

what i mean is it wouldnt matter if a new seed was generated
if it was a pre programmed BTC address the new user wouldnt know

If you buy a used HW that is basically original, and someone has already intentionally or accidentally set it up (generated seed), then it is generally considered that resetting such a device to factory settings is quite enough to use it safely later by generating a new seed. However, the question is whether such a device may have been modified in some way (hardware modification), and can allow the original owner to try to hack you.

On the other hand, if someone were to make an effort to modify the HW in such a way that it always generates identical seed or perhaps to generate several sets of seed known to the hacker, in that case, no reset of the device would help.

Even when someone buys an original HW directly from the manufacturer, you don't need to make a big deposit right away - because there is always the possibility of a new vulnerability that no one knew about before - test with small amounts, wait a few days and if everything is fine continue to use HW normally.

dkbit98

legendary

Activity: 2212

Merit: 7064

Cashback 15%

Quote from: ben19850 on August 12, 2021, 04:36:38 PM

lets say you make a fake HW wallet

I don't understand what do you mean make a fake hardware wallet? You mean ordered or DIY made device? Explain it better.

You can add multiple passphrases to your wallet as extra protection that is working only in combination with your seed words, but keep them in different locations.
For accessing any funds on that wallet, you also need to have pin code, and you need to know correct passphrase.
You can also reset the device, and generate new random decoy wallet.

ben19850

newbie

Activity: 19

Merit: 3

Quote from: LeGaulois on August 12, 2021, 05:55:52 PM

If a day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.

One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.

In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. Rarely people would open the device to check if everything is "legit", isn't? I did it once just for curiosity but I didn't do it with all my devices.

Quote from: LeGaulois on August 12, 2021, 05:55:52 PM

If a day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.

One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.

In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. Rarely people would open the device to check if everything is "legit", isn't? I did it once just for curiosity but I didn't do it with all my devices.

what i mean is it wouldnt matter if a new seed was generated

if it was a pre programmed BTC address the new user wouldnt know

bitmover

legendary

Activity: 2212

Merit: 5622

Non-custodial BTC Wallet

Quote from: ben19850 on August 12, 2021, 04:36:38 PM

lets say you make a fake HW wallet

people add a passphrase for extra secuirty and keep seed safe

could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would give to the new user a there new seed linked wallet?

no need for the scammer to get seed ect... just give them a wallet that scammer has access to already

This is why you should only buy a hardware wallet official retailer or from the manufacturer . You shouldn't be buying one on eBay .

There are even some attacks on official devices which become compromised with a physical attack, if the attacker has access to the device.

LeGaulois

copper member

Activity: 2828

Merit: 4065

Top Crypto Casino

If a day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.

One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.

In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. Rarely people would open the device to check if everything is "legit", isn't? I did it once just for curiosity but I didn't do it with all my devices.

ben19850

newbie

Activity: 19

Merit: 3

lets say you make a fake HW wallet

people add a passphrase for extra secuirty and keep seed safe

could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would SHOW to the new user as there newly setup seed linked wallet?)

no need for the scammer to get seed ect... just give them a wallet that scammer has access to already

Topic: making fake HW wallets(will we see this scam next)?? - page 2. (Read 311 times)