
Topic: Square is considering making a hardware wallet for Bitcoin - page 12. (Read 4002 times)

legendary
Activity: 2450
Merit: 4415
So your funds are stored on the mobile wallet, you set a limit that the wallet is allowed to spend, and any transactions over that limit you have to connect the "hardware wallet" and use it to scan your fingerprint. The hardware wallet will not have a screen, meaning it cannot generate or display a seed phrase, cannot show transaction details for double checking, and cannot show a receiving address for verification. That's not a hardware wallet; that's a 2FA device.
The funny thing about all that is that you don't even need Block's 2FA device to approve spending above a certain limit because all cheap smartphones nowadays already have an in-built fingerprint scanner. You can just create a software wallet in which it would be required to touch the scanner to send a transaction. In fact, there are tons of mobile software wallets that already have such a feature implemented. Why would I even buy additional hardware to achieve exactly the same security that I can achieve with only one device? I don't understand this VC thinking: they put their money into a project, but it seems they don't care if it really serves the purpose. The only thing they seem to care about is how to multiply their initial investments selling outright garbage to naive users.


Traditionally, the question about security and privacy... Can Jack Dorsey or someone else get the information about fingerprints from these devices, collect it, and link to the addresses? Imagine having a database where all the addresses on the blockchain have a corresponding fingerprint of real users. Isn't it a good approach to prevent crimes and money laundering?


legendary
Activity: 2212
Merit: 7064
I've just seen that Block's hardware wallet will also have a fingerprint sensor. There is a bitcointalk topic too about this.
I saw this news posted a few days ago but I forgot to post something about that.
It looks like Block developers want to replace everything in their hardware wallet including seed words, passwords and seed phrases with a single fingerprint.
This has disaster label written all over it, and from what I read most of the people don't like this idea, including me.
Fingerprint is one of the easiest things you can copy, it can be taken from anything you touch and it's easy to duplicate it with cheap silicone.
There is no "peace of mind" in that, like Block Wallet team is saying in their document, so it's better to evaluate alternative options for people who don't want to be fingerprinted.

Honestly, I'm quite disappointed at how this so-called hardware wallet is shaping up... Based on the @o_e_l_e_o's post, it seems that there are no preventive measures for anything that's below the chosen limit, and considering that there are various ways of cloning the fingerprints [and other ways of acquiring it (e.g. by force)], this just introduces a lot of other risks to the equation.
I never expected anything revolutionary to come from this project, but things are sure going in the wrong direction.
What's next on the line? Iris scanner, maybe DNA from blood or urine sample for using Block wallet?
legendary
Activity: 2968
Merit: 3406
I've just seen that Block's hardware wallet will also have a fingerprint sensor.
We’re building a wallet that will be easy to use for everyone.
Honestly, I'm quite disappointed at how this so-called hardware wallet is shaping up... Based on the @o_e_l_e_o's post, it seems that there are no preventive measures for anything that's below the chosen limit, and considering that there are various ways of cloning the fingerprints [and other ways of acquiring it (e.g. by force)], this just introduces a lot of other risks to the equation.
legendary
Activity: 2268
Merit: 18711
I fear that this HW is designed more for hype than security...
If you look at the actual blog post from Block, it doesn't even sound like a hardware wallet at all anymore, but more like a YubiKey or other hardware 2FA device. See here: https://wallet.build/march-update/. Interesting quotes below.

Quote
Customers will primarily manage their money by interacting with the mobile application we’re building, and will only need to interact with the hardware in combination with the mobile app to authorize larger, less frequent transactions above an amount of their choosing.
Quote
As part of this approach, we plan to build the hardware without a display.

So your funds are stored on the mobile wallet, you set a limit that the wallet is allowed to spend, and any transactions over that limit you have to connect the "hardware wallet" and use it to scan your fingerprint. The hardware wallet will not have a screen, meaning it cannot generate or display a seed phrase, cannot show transaction details for double checking, and cannot show a receiving address for verification. That's not a hardware wallet; that's a 2FA device.
legendary
Activity: 3668
Merit: 6382
I've just seen that Block's hardware wallet will also have a fingerprint sensor. There is a bitcointalk topic too about this.
The talk on Twitter is: https://twitter.com/jack/status/1502358737981521925


A funny answer, but actually very thoughtful was this:

Fingerprint to be used as username, or as password?


I fear that this HW is designed more for hype than security...
legendary
Activity: 2268
Merit: 18711
I can hear @o_e_l_e_o crying about the lack of privacy with all of this.
I'm going to need you to start trigger warning posts like this!

But yeah, it's no real surprise. Companies which own many subsidiaries almost always share data fully and completely between their subsidiaries. It'll be in the terms of service which no one reads. For example, both Square and CashApp say the same thing about who they share your data with:
With our group companies and corporate affiliates, for the reasons outlined above.
With our group companies and corporate affiliates, for the reasons outlined above.

If you are going to buy a hardware wallet from a company which also runs CashApp and Square, then your data will be shared across all their subsidiaries.
legendary
Activity: 3500
Merit: 6320
So, for those who do not know, Square (now Block) is big into credit card processing and they also own CashApp
I use CashApp. I also have their debit card.

I was at a local restaurant the other day ( https://www.buffalogrilleli.com/ ) and they are using Square for CC processing.
I put in my card to pay (Citibank Sears MC running a 15% bonus cash back on restaurants more on this in another post https://bitcointalksearch.org/topic/using-btc-vs-using-credit-debit-cards-and-purchase-tracking-and-privacy-5386484 ) and the terminal popped up with an enter your phone # for rewards at this restaurant.

OK, I put in a Google Voice number I use for stuff like this.

Got a text message on my phone about the points being added to my account, and poof the CashApp app saw the text and added it to its list of bonuses and points with no interaction from me. The app wants to read text messages; since there is nothing relevant on that phone, I let it.

So with all this going on, if you are really concerned with privacy would you want a hardware wallet from a company like this?

Now I am saying the following, I don't give a shit at this point for me. *IF* I could go back in time I would have changed my habits about BTC & privacy and a bunch of other things 10 years ago. But I didn't, I'm known, and I am far too lazy to spend the time to put my privacy and anonymity back. I am on the old side of 50 and really have better things to do with my time.

But, if you are using one of their hardware wallets and they can get that 1st breadcrumb of tracking data from something you did, they can probably track a lot more than you think.

I can hear @o_e_l_e_o crying about the lack of privacy with all of this.

-Dave
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Yeah, that's about right. All the close-range mumbo jumbo is not implemented as a security measure; you can circumvent it with a tunneling attack, stronger antennas and similar.
I found a relatively old thread on Stack Exchange about a guy who wanted to track customers entering his dentist office via NFC technology. He wanted to extend the range to read NFC tags of his customers at a distance of 30-60 cm.

This is the answer of a person who claims that range can be extended and he wrote how to do it.

Quote
You want a magnetic loop antenna. A wire loop around the doorframe with a tuning capacitor on the left and cellphone on the right. Borrow a grid dip meter from your local ham radio club and adjust the capacitor to resonate at 13.56 MHz. The cellphone must be slightly within the loop. This will boost your signal to a range of a few meters if set up correctly. Again a ham radio expert can set this up in half hour including coffee. You can make a similar booster for the tag. Use the biggest loop you can and tune it with a capacitor. Aluminium duct tape works well and carefully overlap the ends just the right amount to form the tuned capacitor.
   
Source: https://electronics.stackexchange.com/questions/107811/diy-nfc-boosting-antenna-for-a-mobile-device
This one sounds good; what I saw so far in experimental setups was a bit different, but there seem to be multiple solutions to extending NFC range. Anything that can be used to extend any other RF-device's range should work on NFC just as well.
What is interesting though is that it starts making financial sense to develop and improve these further, the more financial transactions are made through NFC, while it has been a more academic and theoretical subject until now.
legendary
Activity: 2730
Merit: 7065
Yeah, that's about right. All the close-range mumbo jumbo is not implemented as a security measure; you can circumvent it with a tunneling attack, stronger antennas and similar.
I found a relatively old thread on Stack Exchange about a guy who wanted to track customers entering his dentist office via NFC technology. He wanted to extend the range to read NFC tags of his customers at a distance of 30-60 cm.

This is the answer of a person who claims that range can be extended and he wrote how to do it.

Quote
You want a magnetic loop antenna. A wire loop around the doorframe with a tuning capacitor on the left and cellphone on the right. Borrow a grid dip meter from your local ham radio club and adjust the capacitor to resonate at 13.56 MHz. The cellphone must be slightly within the loop. This will boost your signal to a range of a few meters if set up correctly. Again a ham radio expert can set this up in half hour including coffee. You can make a similar booster for the tag. Use the biggest loop you can and tune it with a capacitor. Aluminium duct tape works well and carefully overlap the ends just the right amount to form the tuned capacitor.
   
Source: https://electronics.stackexchange.com/questions/107811/diy-nfc-boosting-antenna-for-a-mobile-device
legendary
Activity: 2212
Merit: 7064
Yeah, that's about right. All the close-range mumbo jumbo is not implemented as a security measure; you can circumvent it with a tunneling attack, stronger antennas and similar. On hardware level, it is not protected against that.
To paint a better picture, everyone should imagine that NFC is just a small antenna.
It's my opinion that having an antenna in a hardware wallet is not secure, but that is just my opinion, what do I know.

I have limited knowledge about its security but in regards to the simplicity of its approach, it means little to nothing if it's going to work occasionally.

In theory some kind of universal NFC reader could be used for all devices including desktop computers, but question is if this will be compatible with one used in Square wallet.
I was reading that Apple had worse support for NFC from all other smartphones, but maybe something changed in last few models.

I found some interesting articles about alleged "secure" NFC technology that everyone is trying to push down our throats recently.
One of them says that malware can be planted using NFC beaming, but the bug was Android related:
https://www.zdnet.com/article/android-bug-lets-hackers-plant-malware-via-nfc-beaming/

This one is from last year, NFC Flaws Let Researchers Hack ATMs by Waving a Phone!
https://www.wired.com/story/atm-hack-nfc-bugs-point-of-sale/

After reading all this I am really having trouble to believe how they say that adding NFC in hardware wallets is more secure than other methods.
If an ATM can get hacked with NFC then I rest my case, or maybe we should buy these new hardware wallets and use them for hacking.
legendary
Activity: 3668
Merit: 6382
if data from gsmarena is true.

While I don't expect gsmarena has info about really all makers and models, I'd expect that the even cheaper ones (ie those that may be missing) will just increase the numbers of models without NFC.

You are free to click onto the bottom-right button and see the results = the actual phones for which you'll see the specs if clicked.
Unfortunately you may have to fiddle more with the settings and get subsets, since not all are shown if the number of results is that big.
And unfortunately they don't have search for "no NFC" (either All, either with NFC).

Even more, there are results with the specs telling "NFC    Yes (market/region dependent)"
These are included in the list with NFC, hence giving a certain extra advantage to "that side".


TL;DR; I was actually "nice" to tell 50%, and the real percent of no-NFC phones for 2021 may be even bigger.
legendary
Activity: 2968
Merit: 3406
I think that Keystone wallet is the only one that offers some kind of hybrid battery solution in their Keystone pro version.
They have standard lithium slim battery and in the same package everyone receives fat empty container for regular AAA batteries that can work in emergency cases.
I never really dived that deep into it, until you mentioned it and I immediately fell in love with how they designed those batteries.
- Block should follow that design, as opposed to integrating both of them at the same time.

but some people are claiming that NFC is relatively safer and more simple option.
I have limited knowledge about its security but in regards to the simplicity of its approach, it means little to nothing if it's going to work occasionally.
- My previous phone had fewer connection issues with NFC-enabled devices than the one I'm currently using [not sure why].
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
~
I really hope they ditch the NFC and that they only go for Alkaline if they know they have to keep the current draw very very low. Otherwise it will eat through them like Passport v1.

I remember reading an article some time ago on NFCs where it said that the protocol can't be considered secure because it was created to be a convenient and fast solution, not one that is security-oriented.
Yeah, that's about right. All the close-range mumbo jumbo is not implemented as a security measure; you can circumvent it with a tunneling attack, stronger antennas and similar. On hardware level, it is not protected against that. You can 'patch up the holes' by adding time of flight checks in higher layers or additional confirmation for larger amounts (like in credit cards) but it's not very confidence-inspiring that you'll constantly need to fix the holes of your underlying technology.
legendary
Activity: 2212
Merit: 7064
On the latter part of the PDF link, they also mentioned the possibility of having "hybrid solutions"... Does anybody know if currently, we have a hardware wallet with such configuration?
I think that Keystone wallet is the only one that offers some kind of hybrid battery solution in their Keystone pro version.
They have standard lithium slim battery and in the same package everyone receives fat empty container for regular AAA batteries that can work in emergency cases.
Most hardware wallets are using cable connection for power, and others are using only one type of battery.

On another article that was linked in the one that you posted yesterday, they mentioned there'll be QR code support in their mobile app:
I would like to see QR codes more than NFC, but some people are claiming that NFC is relatively safer and more simple option.
Simple is not always better, and NFC means that there is one more chip that could be exploited, and there is one source for most NFC chips.

So about half of them don't have it. And I took only the phones made last year! I find it more relevant than that wiki, sorry.
I don't follow anything about smartphones so I can't confirm anything from wiki or any other websites.
Some guys from our local forum say that all phones now have NFC, and they are obviously wrong if data from gsmarena is true.
legendary
Activity: 2730
Merit: 7065
NFC (Near field communication) works only very near. I don't know if attack vectors are so scary in this. Keep in mind that millions pay on a daily basis with NFC cards, phones, bracelets..
Sure, but if I steal your NFC supported credit card, I can make contactless payments up to a certain amount (I think it's not more than €20-€50) without entering any PIN. I can do that multiple times in various stores without anyone suspecting anything. Surely Square will have countermeasures in place, but I am still not delighted about their choice.   
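
The gap raised in several posts here (nothing stops repeated spends that each stay under the chosen limit, as with the contactless-card case just above) can be narrowed on the app side with a rolling cumulative limit next to the per-transaction one. This is an added example, not Block's code and not part of any post; `SpendPolicy`, its field names and all amounts and timestamps are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

DAY = 24 * 60 * 60  # seconds


@dataclass
class SpendPolicy:
    """Hypothetical step-up policy for a phone wallet paired with an approval device."""
    per_tx_limit: int            # sats; a single spend above this needs the hardware
    window_limit: Optional[int]  # sats spendable app-only per window; None = no check
    window_seconds: int = DAY
    _recent: deque = field(default_factory=deque, init=False, repr=False)

    def _window_total(self, now: int) -> int:
        # Drop app-only spends that have aged out of the rolling window.
        while self._recent and now - self._recent[0][0] >= self.window_seconds:
            self._recent.popleft()
        return sum(amount for _, amount in self._recent)

    def requires_hardware(self, amount: int, now: int) -> bool:
        if amount > self.per_tx_limit:
            return True
        if self.window_limit is None:
            return False  # per-transaction check only: the weak configuration
        return self._window_total(now) + amount > self.window_limit

    def record_app_only_spend(self, amount: int, now: int) -> None:
        # Fail closed: never record a spend that should have been stepped up.
        if self.requires_hardware(amount, now):
            raise PermissionError("hardware approval required")
        self._recent.append((now, amount))


def drain_without_hardware(policy: SpendPolicy, spends):
    """Return (sats that left with no hardware approval, number of spends held back)."""
    spent, blocked = 0, 0
    for now, amount in spends:
        if policy.requires_hardware(amount, now):
            blocked += 1
        else:
            policy.record_app_only_spend(amount, now)
            spent += amount
    return spent, blocked


# Constructed input: ten spends of 90,000 sats, ten minutes apart, each one
# just under a 100,000 sat per-transaction limit.
CONSTRUCTED_SPENDS = [(i * 600, 90_000) for i in range(10)]

if __name__ == "__main__":
    per_tx_only = SpendPolicy(per_tx_limit=100_000, window_limit=None)
    rolling = SpendPolicy(per_tx_limit=100_000, window_limit=250_000)
    print("per-tx limit only:", drain_without_hardware(per_tx_only, CONSTRUCTED_SPENDS))
    print("with rolling limit:", drain_without_hardware(rolling, CONSTRUCTED_SPENDS))
```

The rolling limit only caps how much can leave before the device is asked for; it does nothing about the missing display, so the amount and address being approved still cannot be checked on the device itself.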
legendary
Activity: 2968
Merit: 3406
- they want to add power source, replaceable or rechargeable battery (Coin Cell, Rechargeable LiPo or Alkaline AAA).
On the latter part of the PDF link, they also mentioned the possibility of having "hybrid solutions"... Does anybody know if currently, we have a hardware wallet with such configuration?
- I do know it has its own risks, but I think it'd be cool to finally have a hardware wallet with multiple battery options.

- device will be reliable and able to survive shocks, stresses, drops, etc.
Hopefully, they could back it up by "showing" the results from various tests!

- device will have to last for years.
That's easier said than done [unfortunately, but I hope I'm wrong].

Will it be the only way to communicate?
This will probably be the only way of communicating judging by document they released, the reason is because they are focusing only on mobile and not desktop users.
I much more prefer QR codes and camera, but industry is apparently going in this direction.
On another article that was linked in the one that you posted yesterday, they mentioned there'll be QR code support in their mobile app:

legendary
Activity: 3668
Merit: 6382
the reason is because they are focusing only on mobile and not desktop users.

Yeah, quite sad.

I much more prefer QR codes and camera, but industry is apparently going in this direction.

It would have been probably better than NFC.

I don't know exactly what phones support NFC but I am sure that all phones in future will have that option, or Jack wouldn't go planning something so big.

Not everybody is buying expensive phones.
I went to gsmarena and:
1. I've done a search with all phones released last year. 602 results. https://www.gsmarena.com/search.php3?nYearMin=2021
2. I've done a search with all phones released last year having NFC. 297 results. https://www.gsmarena.com/search.php3?nYearMin=2021&chkNFC=selected

So about half of them don't have it. And I took only the phones made last year! I find it more relevant than that wiki, sorry.

Can you also turn off NFC on your credit and debit cards or in your passport and id cards?

No, but I can turn it off in my phone [1]. I expect the wallet to be a tad smarter than an un-powered plastic card, really. Hence (while I understand your point) I think that the comparison doesn't stand.

NFC only works if two devices are in close proximity one to the other, but maybe there are certain gadgets that can widen this grid!? In that case, it becomes a new attack vector. I remember reading an article some time ago on NFCs where it said that the protocol can't be considered secure because it was created to be a convenient and fast solution, not one that is security-oriented. NFC connections also don't require a password or pin. I am not sure if and how one can abuse the system to access someone's data, but if there is a way, someone somewhere will probably find it.

NFC (Near field communication) works only very near. I don't know if attack vectors are so scary in this. Keep in mind that millions pay on a daily basis with NFC cards, phones, bracelets..


----
[1] Actually I could (and did) in my previous phone which had NFC. My current one doesn't have it.
legendary
Activity: 2212
Merit: 7064
Will it be the only way to communicate?
This will probably be the only way of communicating judging by document they released, the reason is because they are focusing only on mobile and not desktop users.
I much more prefer QR codes and camera, but industry is apparently going in this direction.

Because if so, they'll lose quite a big segment of potential buyers, just because many smartphones don't have NFC (yes, even today).
I don't know exactly what phones support NFC but I am sure that all phones in future will have that option, or Jack wouldn't go planning something so big.
They want to sell these hardware wallets to 100 million users and more.
Here is one recently updated list of most NFC enabled mobile devices:
https://en.wikipedia.org/wiki/List_of_NFC-enabled_mobile_devices

And if there's also another way, I certainly hope that NFC can also be turned off, just in case.
Can you also turn off NFC on your credit and debit cards or in your passport and id cards?
legendary
Activity: 2730
Merit: 7065
Will it be the only way to communicate?
Hopefully, it won't be there at all. Not sure why people prefer Bluetooth or NFC in this case instead of a cable.
 
NFC only works if two devices are in close proximity one to the other, but maybe there are certain gadgets that can widen this grid!? In that case, it  becomes a new attack vector. I remember reading an article some time ago on NFCs where it said that the protocol can't be considered secure because it was created to be a convenient and fast solution, not one that is security-oriented. NFC connections also don't require a password or pin. I am not sure if and how one can abuse the system to access someone's data, but if there is a way, someone somewhere will probably find it.   
legendary
Activity: 3668
Merit: 6382
- they decided to add wireless NFC feature for communication with smartphones.

Will it be the only way to communicate?
Because if so, they'll lose quite a big segment of potential buyers, just because many smartphones don't have NFC (yes, even today).
And if there's also another way, I certainly hope that NFC can also be turned off, just in case.
(And yeah, I would have been preferring wired communication, like my Nano S does.)
