
Topic: Safe Hardware Wallet Deliveries Via Amazon Lockers (Read 443 times)

legendary
Activity: 2534
Merit: 1713
On a scale of 1 to 100, how trustworthy do you think the business actually is? It is a hypothetical question but I am asking on first impressions. The OP stopped posting here not long after he created the thread.

Up if someone is interested.

I found the website on Twitter and they have a link on the footer redirecting to this topic. So...

Nowadays, it's not only for Americans, they do international orders (amazon.fr, .de, .uk, etc.)
But I don't get their "Estimated Taxes (~8%)". What tax is it about? Not the VAT, not the service fee.

And the website's name changed to https://anonshop.app/ by the way
(previous name in the original post was https://anonymouslocker.app/)

copper member
Activity: 2940
Merit: 4101
Up if someone is interested.

I found the website on Twitter and they have a link on the footer redirecting to this topic. So...

Nowadays, it's not only for Americans, they do international orders (amazon.fr, .de, .uk, etc.)
But I don't get their "Estimated Taxes (~8%)". What tax is it about? Not the VAT, not the service fee.

And the website's name changed to https://anonshop.app/ by the way
(previous name in the original post was https://anonymouslocker.app/)
legendary
Activity: 2212
Merit: 7064
Thanks for the suggestion. Yeah, posting to the bitcoin reddit wasn't the best idea. I will definitely get around to posting to r/PrivacyGuides, and I already posted to r/CryptoCurrency.
Don't give up so easily and don't get discouraged.
I think you received much better constructive replies from Monero community, and r/CryptoCurrency are known for deleting posts if you don't have enough of their "karma" or whatever it is called.
r/Bitcoin can be pretty strict and focused only on Bitcoin and development around it, mining, and maybe with few added news but that's about it.
jr. member
Activity: 36
Merit: 35
Thanks for the suggestion. Yeah, posting to the bitcoin reddit wasn't the best idea. I will definitely get around to posting to r/PrivacyGuides, and I already posted to r/CryptoCurrency.
legendary
Activity: 2212
Merit: 7064
Also thanks for all the great feedback and discourse, I enjoy talking here much more than I do on reddit.
Reddit is much worse for conversation and I don't like their format at all, but it's better if you want to read latest news for topics you are following.
I think that creating a post about Amazon Lockers in r/Bitcoin, was not a good idea, there are probably much better groups that are dedicated to hardware wallets and privacy.
Maybe r/PrivacyGuides would also be a good place to post this or you would get a better response in r/CryptoCurrency.
jr. member
Activity: 36
Merit: 35
I can only speak for amazon lockers in the united states but I think all of them load from the front. They could probably be opened with a crowbar, but they are usually inside stores where an attendant would probably call the cops. I have also pivoted my marketing away from hardware wallet deliveries since something about the hardware wallet use case makes people very uncomfortable and it leads to unproductive discussions. I haven't had that happen here, but on places like reddit, https://www.reddit.com/r/Bitcoin/comments/z1w0uw/comment/ixf076d/?utm_source=share&utm_medium=web2x&context=3. I think it's just easier to discredit the amazon locker portion of the supply chain instead of people admitting that the entire supply chain from the hw maker to your front door has hundreds of opportunities to be exploited and offers no real protections from tampering. It maybe goes back to the advice about trust I was given earlier in the thread. I am not sure but I have had much better success going after just general privacy deliveries with amazon lockers. I am currently working on a private loyalty program. Also thanks for all the great feedback and discourse, I enjoy talking here much more than I do on reddit.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Was this a hack or Amazon system gone crazy mode?
I'm not even sure if these are Amazon lockers.

The thing is: my assumption was they would be filled from the back, like post office boxes. But this video makes it look like it's filled from the public side, which to me looks much less secure.
legendary
Activity: 2212
Merit: 7064
Suddenly it feels much less secure after seeing this.
Was this a hack or Amazon system gone crazy mode?
This works with individual codes for each locker to be opened, but there must be a way to override this setting, in service mode maybe.
Just look at that guy who is genuinely looking for his package, and he is opening and closing them until he finds the stuff he ordered.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
This video reminded me of this topic:
Suddenly it feels much less secure after seeing this.
legendary
Activity: 2534
Merit: 1713
Regarding the trust, I think even if there was a Legendary account with green many positive trust promoting the idea, it would be very difficult to manage mass sales. I have to agree that buying directly would not ensure security as many people and/or companies could have the name and address of the person purchasing the hardware wallet.

With hardware wallets becoming more and more common it stands to reason a business such as yours should have a niche market but lack of trust is the thing probably holding it back. It is good to see business ideas leaping from paper to the real world in a functioning entity. I wish you success and hope the business grows.

What you're saying about trust makes sense, thanks a lot for asking about the amazon locker attack vector. I was thinking more about it, and I think the amazon locker portion of the service is the most secure part of the hardware wallet supply chain. The locker has cameras, and one time use codes with a tracked record of access. No other portion of the supply chain has any security features. There is little to no security along the supply chain even if you buy direct. But trust is very hard to build, so you're so right about that part.
jr. member
Activity: 36
Merit: 35
What you're saying about trust makes sense, thanks a lot for asking about the amazon locker attack vector. I was thinking more about it, and I think the amazon locker portion of the service is the most secure part of the hardware wallet supply chain. The locker has cameras, and one time use codes with a tracked record of access. No other portion of the supply chain has any security features. There is little to no security along the supply chain even if you buy direct. But trust is very hard to build, so you're so right about that part.
legendary
Activity: 3668
Merit: 6382
I never thought of that attack vector. In the usa you can not open amazon lockers twice, but I could in theory still perform this attack. It would require me telling amazon customer service to give me a new locker code.

Maybe I've overthought it. Maybe it's not possible. Maybe it leads to you (and jail), maybe others find another crack/flaw.
The point was that an honest business would ... try to be honest (and there are still risks, as said, not necessarily from you, but may affect you), while a dishonest business could already have the recipe for scam, I don't know. A theoretical chance, no matter how small, probably exists. And.. we're back to the trust issue.
However, good luck!
jr. member
Activity: 36
Merit: 35

Yes, that's the one, thanks for finding it. The things are:
* I don't know exactly how such a locker works and whether OP cannot pick up the item, tamper it and then "post it" to another locker for the user (in my country the lockers belong to the shipping company and multiple sellers can use it). In the worst case OP can have a shop at Amazon and maybe he can get to use the locker. Of course, it's a big hassle with small chances to catch somebody and steal his money.
* If the same problems like in that (Amazon UK) topic will happen, OP trust (which he may gain meanwhile) may vanish, even if it's not his doing

I see it a risky endeavor for both sides (yeah, trust is a bitch), but if OP gets customers for it, ... very nice and good luck.

I never thought of that attack vector. In the usa you can not open amazon lockers twice, but I could in theory still perform this attack. It would require me telling amazon customer service to give me a new locker code. This is possible and would leave a paper trail leading back to me. The lockers also have cameras on them. So if I drive to the locker you chose, tamper with the wallet and get amazon customer service to let me place it back in, I could in theory give you a tampered wallet. That sounds like a lot of work to just go to jail though, since this entire process can and would be traced back to me with amazon message logs and camera footage from the locker and business the locker is in. So although this attack is possible, I think it's not a reasonable fear to have. But what other people see as reasonable varies.

As far as tampering in general goes the only solution is multi-signature with different wallets. There is no other solution to prevent tampering when buying a premade hardware wallet. If you buy from ledger directly, amazon, or in person with cash at best buy, you face tampering issues. No supply chain fix solves the tampering issue, and the only way to fix that is to go to the wallet manufacturer assembly line and build the hardware wallet yourself.

I have been a long time advocate of hardware wallets but hardware wallet manufacturers have shown a general disregard for their users' safety by mishandling their name, phone number and email, in my opinion. So I made a service that lets you get a hardware wallet delivered near you without giving up any personal information.
However, at some point the customer will have to send you personal data for delivery, but how can you guarantee that all personal information on your app will remain hidden and forever locked from the public? I mean, instead of trusting the HW manufacturer, why would they trust your discretion?
Also, can you guarantee that your app is 100% hack safe?

I do not need any personal information from the customer for them to use my service. No app is 100% hack proof so I just don't collect information that could compromise your privacy. The only information needed for my service is: payment, what items you want, and the locker you want to pick up from. No name, no address info, email, phone number or any other information is used or collected by my service. So you can think of my service as a guaranteed way to protect your privacy when you get a hardware wallet, something neither trezor nor ledger can offer you if you buy from them directly.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
* I don't know exactly how such a locker works and whether OP cannot pick up the item, tamper it and then "post it" to another locker for the user (in my country the lockers belong to the shipping company and multiple sellers can use it).
I've never used those lockers, but I assume Amazon designed it so that you can pick up your item, after which it's locked for the next customer. So you can't open it again, and I don't think consumers can send packages to those lockers either (that would enable drug dealers to use them). An anonymous one-time use "post office box" would be really cool for anonymous deliveries though!

tamper-proof selling to potential customers (to convince them in order to buy) is something you will probably struggle with.
Ledger doesn't even offer tamper proof packaging:
Quote
Ledger deliberately chooses not to use anti-tamper seals on its packaging. These seals are easy to counterfeit and can, therefore, be misleading.
legendary
Activity: 3472
Merit: 3507
I have been a long time advocate of hardware wallets but hardware wallet manufacturers have shown a general disregard for their users' safety by mishandling their name, phone number and email, in my opinion. So I made a service that lets you get a hardware wallet delivered near you without giving up any personal information.

I agree with this claim about the negligence of user data on the part of hardware wallet manufacturers, especially the most famous one.

However, at some point the customer will have to send you personal data for delivery, but how can you guarantee that all personal information on your app will remain hidden and forever locked from the public? I mean, instead of trusting the HW manufacturer, why would they trust your discretion?
Also, can you guarantee that your app is 100% hack safe?
legendary
Activity: 2534
Merit: 1713
I like the concept behind what you are trying to do when it comes to the safety and security of the purchaser but since you do not have any history in the forum it will be difficult to convince others to come onboard. Even if you had excellent reputation here it would be difficult for people to put their trust in the service you provide because of fear of tampering.

If you are simply providing a man in the middle service where you cannot gain access to the hardware wallets then it means the chances of them being tampered are still not reduced to zero because Amazon or other employees have the potential or possibility to tamper with the devices. In my opinion passing a promise of tamper-proof selling to potential customers (to convince them in order to buy) is something you will probably struggle with.

Hi,
I just started a service that uses amazon lockers to enable anonymous delivery of hardware wallets, https://anonymouslocker.app/hw . I have been a long time advocate of hardware wallets but hardware wallet manufacturers have shown a general disregard for their users' safety by mishandling their name, phone number and email, in my opinion. So I made a service that lets you get a hardware wallet delivered near you without giving up any personal information. I am sure a lot of people here already have a hardware wallet, but I would love to hear any feedback y'all might have. Thanks and have a great day!
legendary
Activity: 3668
Merit: 6382
Maybe you are talking about this incident that involved a Ledger Nano S that was purchased from Amazon in the UK. The person who bought it, got a paper card already filled up with a 24-word seed. Not sure if the seed was also entered in the hardware wallet, but I am guessing it was.

Yes, that's the one, thanks for finding it. The things are:
* I don't know exactly how such a locker works and whether OP cannot pick up the item, tamper it and then "post it" to another locker for the user (in my country the lockers belong to the shipping company and multiple sellers can use it). In the worst case OP can have a shop at Amazon and maybe he can get to use the locker. Of course, it's a big hassle with small chances to catch somebody and steal his money.
* If the same problems like in that (Amazon UK) topic will happen, OP trust (which he may gain meanwhile) may vanish, even if it's not his doing

I see it a risky endeavor for both sides (yeah, trust is a bitch), but if OP gets customers for it, ... very nice and good luck.
jr. member
Activity: 36
Merit: 35
Wow thanks for all the great feedback guys. The question of buy directly from them and give up your info vs use some private 3rd party is definitely a tough one, but after I studied more about how trezor and ledger use customer info and give it to third parties I would use the third party option every time. It's cool that ledger has partnered with best buy but people have also had issues with using that method. The trust issue makes sense but I have to start somewhere. I already got one positive review on reddit, so I just have to give great customer service to build up trust. My service accepts ltc, btc, eth, and monero. The original idea was a more general service, but the only customers I found who made it worth it were the hardware wallet people so I made a special landing page for that market segment. The general landing page can be found at https://anonymouslocker.app/.
legendary
Activity: 2212
Merit: 7064
So I made a service that lets you get a hardware wallet delivered near you without giving up any personal information. I am sure a lot of people here already have a hardware wallet, but I would love to hear any feedback y'all might have. Thanks and have a great day!
Is this service working for all countries with Amazon lockers or it's only available in United States?
I think this can be a good idea but maybe you can expand this beyond hardware wallets for other small items.
It's cool to accept Monero (like you say in your FAQ page) but I would like to pay also with Bitcoin and Lightning Network if possible.

Good thing is that this service is open source, and code can be inspected on github page:
https://github.com/DecentralizeJustice/anonymousLocker
 
EDIT: I found out that this service is only available in US, so I would like to see this working in Europe also.
 
legendary
Activity: 2730
Merit: 7065
People were advised all the time to avoid third party and order directly from the factory shop where possible (since even from Amazon it seems to have happened to receive HW with seed already in, I will look for link, but I don't promise results) and this may be a problem for your business.
Maybe you are talking about this incident that involved a Ledger Nano S that was purchased from Amazon in the UK. The person who bought it, got a paper card already filled up with a 24-word seed. Not sure if the seed was also entered in the hardware wallet, but I am guessing it was.

I agree with what DdmrDdmr said in the OP. This can be a device that was tampered with by someone at Amazon, or it could be a hardware wallet that was bought by a different person altogether. It was that other person that set it up, wrote down the seed words, and then returned the device back to Amazon for whatever reason. The personnel who received it had no idea what they were doing, they just checked the contents quickly, noticed that everything seemed to be OK, and placed the package among the other ones waiting to be sold.