Pages:
Author

Topic: Square is considering making a hardware wallet for Bitcoin - page 12. (Read 4017 times)

legendary
Activity: 2464
Merit: 4415
🔐BitcoinMessage.Tools🔑
So your funds are stored on the mobile wallet, you set a limit that the wallet is allowed to spend, and any transactions over that limit you have to connect the "hardware wallet" and use it to scan your fingerprint. The hardware wallet will not have a screen, meaning it cannot generate or display a seed phrase, cannot show transaction details for double checking, and cannot show a receiving address for verification. That's not a hardware wallet; that's a 2FA device.
The funny thing about all that is that you don't even need Block's 2FA device to approve spending above a certain limit because all cheap smartphones nowadays already have an in-built fingerprint scanner. You can just create a software wallet in which it would be required to touch the scanner to send a transaction. In fact, there are tons of mobile software wallets that already have such a feature implemented. Why would I even buy additional hardware to achieve exactly the same security that I can achieve with only one device? I don't understand this VC thinking: they put their money into a project, but it seems they don't care if it really serves the purpose. The only thing they seem to care about is how to multiply their initial investments selling outright garbage to naive users.


Traditionally, the question about security and privacy... Can Jack Dorsey or someone else get the information about fingerprints from these devices, collect it, and link to the addresses? Imagine having a database where all the addresses on the blockchain have a corresponding fingerprint of real users. Isn't it a good approach to prevent crimes and money laundering?


legendary
Activity: 2212
Merit: 7064
I've just seen that Block's hardware wallet will also have fingerprint sensor. There is a bitcointalk topic too about this.
I saw this news posted few days ago but I forget to post something about that.
If looks like Block developers want's to replace everything in their hardware wallet including seed words, passwords and seed phrases with a single fingerprint  Roll Eyes
This have disaster label written all over it, and from what I read most of the people don't like this idea, including me.
Fingerprint is one of the easiest thing you can copy, it can be taken from anything you touch and it's easy to duplicate it with cheap silicone.
There is no ''peace of mind'' in that, like Block Wallet team is saying in their document, so it's better to evaluate alternative options for people who don't want to be fingerprinted.

Honestly, I'm quite disappointed at how this so-called hardware wallet is shaping up... Based on the @o_e_l_e_o's post, it seems that there are no preventive measures for anything that's below the chosen limit, and considering that there are various ways of cloning the fingerprints [and other ways of acquiring it (e.g. by force)], this just introduces a lot of other risks to the equation.
I never expected anything revolutionary to come from this project, but things are sure getting in wrong direction.
Whats next on the line? Iris scanner, maybe dna from blood or urine sample for using Block wallet Tongue
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
I've just seen that Block's hardware wallet will also have fingerprint sensor.
We’re building a wallet that will be easy to use for everyone.
Honestly, I'm quite disappointed at how this so-called hardware wallet is shaping up... Based on the @o_e_l_e_o's post, it seems that there are no preventive measures for anything that's below the chosen limit, and considering that there are various ways of cloning the fingerprints [and other ways of acquiring it (e.g. by force)], this just introduces a lot of other risks to the equation.
legendary
Activity: 2268
Merit: 18771
I fear that this HW is designed more for hype than security...
If you look at the actual blog post from Block, it doesn't even sound like a hardware wallet at all anymore, but more like a YubiKey or other hardware 2FA device. See here: https://wallet.build/march-update/. Interesting quotes below.

Quote
Customers will primarily manage their money by interacting with the mobile application we’re building, and will only need to interact with the hardware in combination with the mobile app to authorize larger, less frequent transactions above an amount of their choosing.
Quote
As part of this approach, we plan to build the hardware without a display.

So your funds are stored on the mobile wallet, you set a limit that the wallet is allowed to spend, and any transactions over that limit you have to connect the "hardware wallet" and use it to scan your fingerprint. The hardware wallet will not have a screen, meaning it cannot generate or display a seed phrase, cannot show transaction details for double checking, and cannot show a receiving address for verification. That's not a hardware wallet; that's a 2FA device.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
I've just seen that Block's hardware wallet will also have fingerprint sensor. There is a bitcointalk topic too about this.
The talk on Twitter is: https://twitter.com/jack/status/1502358737981521925


A funny answer, but actually very thoughtful was this:

Fingerprint to be users as username, or as password?


I fear that this HW is designed more for hype than security...
legendary
Activity: 2268
Merit: 18771
I can hear @o_e_l_e_o crying about the lack of privacy with all of this.
I'm going to need you to start trigger warning posts like this! Tongue

But yeah, it's no real surprise. Companies which own many subsidiaries almost always share data fully and completely between their subsidiaries. It'll be in the terms of service which no one reads. For example, both Square and CashApp say the same thing about your who they share you data with:
With our group companies and corporate affiliates, for the reasons outlined above.
With our group companies and corporate affiliates, for the reasons outlined above.

If you are going to buy a hardware wallet from a company which also runs CashApp and Square, then your data will be shared across all their subsidiaries.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
So, for those who do not know, Square (now block) is big into credit card processing and they also own CashApp
I use cashapp. I also have their debit card.

I was at a local restaurant the other day ( https://www.buffalogrilleli.com/ ) and they are using square for CC processing.
I put in my card to pay (Citibank Sears MC running a 15% bonus cash back on restaurants more on this in another post https://bitcointalksearch.org/topic/using-btc-vs-using-credit-debit-cards-and-purchase-tracking-and-privacy-5386484 ) and the terminal popped up with an enter your phone # for rewards at this restaurant.

OK, I put in a Google Voice number I use for stuff like this.

Got a text message on my phone about the points being added to my account, and poof the CashApp app saw the text and added it to it's list of bonuses and points with no interaction from me. The app wants to read text messages since there is nothing relevant on that phone I let it.

So with all this going on, if you are really concerned with privacy would you want a hardware wallet from a company like this?

Now I am saying the following, I don't give a shit at this point for me. *IF* I could go back in time I would have changed my habits about BTC & privacy and a bunch of other things 10 years ago. But I didn't, I'm known, and I am far to lazy to spend the time to put my privacy and anonymity back. I am on the old side of 50 and really have better things to do with my time.

But, if you are using one of their hardware wallets and they can get that 1st breadcrumb of tracking data from something you did, they can probably track a lot more then you think.

I can hear @o_e_l_e_o crying about the lack of privacy with all of this.

-Dave
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
Yeah, that's about right. All the close-range mumbo jumbo is not implemented as a security measure; you can circumvent it with a tunneling attack, stronger antennas and similar.
I found a relatively old thread on Stack Exchange about a guy who wanted to track customers entering his dentist office via NFC technology. He wanted to extend the range to read NFC tags of his customers at a distance of 30-60 cm.

This is the answer of a person who claims that range can be extended and he wrote how to do it.

Quote
You want a magnetic loop antenna. A wire loop around the doorframe with a tuning capacitor on the left and cellphone on the right. Borrow a grid dip meter from your local ham radio club and adjust the capacitor to resonate at 13.56 MHz. The cellphone must be slightly within the loop. This will boost your signal to a range of a few meters if set up correctly. Again a ham radio expert can set this up in half hour including coffee. You can make a similar booster for the tag. Use the biggest loop you can and tune it with a capacitor. Aluminium duct tape works well and carefully overlap the ends just the right amount to form the tuned capacitor.
   
Source: https://electronics.stackexchange.com/questions/107811/diy-nfc-boosting-antenna-for-a-mobile-device
This one sounds good; what I saw so far in experimental setups was a bit different, but there seem to be multiple solutions to extending NFC range. Anything that can be used to extend any other RF-device's range should work on NFC just as well.
What is interesting though is that it starts making financial sense to develop and improve these further, the more financial transactions are made through NFC, while it has been a more academic and theoretical subject until now.
legendary
Activity: 2730
Merit: 7065
Yeah, that's about right. All the close-range mumbo jumbo is not implemented as a security measure; you can circumvent it with a tunneling attack, stronger antennas and similar.
I found a relatively old thread on Stack Exchange about a guy who wanted to track customers entering his dentist office via NFC technology. He wanted to extend the range to read NFC tags of his customers at a distance of 30-60 cm.

This is the answer of a person who claims that range can be extended and he wrote how to do it.

Quote
You want a magnetic loop antenna. A wire loop around the doorframe with a tuning capacitor on the left and cellphone on the right. Borrow a grid dip meter from your local ham radio club and adjust the capacitor to resonate at 13.56 MHz. The cellphone must be slightly within the loop. This will boost your signal to a range of a few meters if set up correctly. Again a ham radio expert can set this up in half hour including coffee. You can make a similar booster for the tag. Use the biggest loop you can and tune it with a capacitor. Aluminium duct tape works well and carefully overlap the ends just the right amount to form the tuned capacitor.
   
Source: https://electronics.stackexchange.com/questions/107811/diy-nfc-boosting-antenna-for-a-mobile-device
legendary
Activity: 2212
Merit: 7064
Yeah, that's about right. All the close-range mumbo jumbo is not implemented as a security measure; you can circumvent it with a tunneling attack, stronger antennas and similar. On hardware level, it is not protected against that.
To paint a better picture, everyone should imagine that NFC is just a small antenna.
It's my opinion that having antenna in hardware wallet is not secure, but that is just my opinion, what do I know Smiley

I have limited knowledge about its security but in regards to the simplicity of its approach, it means little to nothing if it's going to work occasionally.

In theory some kind of universal NFC reader could be used for all devices including desktop computers, but question is if this will be compatible with one used in Square wallet.
I was reading that Apple had worse support for NFC from all other smartphones, but maybe something changed in last few models.

I found some interesting articles about alleged ''secure'' NFC techology that everyone is trying to push down out throat recently.
One of them say that malware can be planted using NFC beaming, but bug was android related:
https://www.zdnet.com/article/android-bug-lets-hackers-plant-malware-via-nfc-beaming/

This one is from last year, NFC Flaws Let Researchers Hack ATMs by Waving a Phone!
https://www.wired.com/story/atm-hack-nfc-bugs-point-of-sale/

After reading all this I am really having trouble to believe how they say that adding NFC in hardware wallets in more secure than other methods.
If ATM can get hacked with NFC than I rest my case, or maybe we should buy this new hardware wallets and use them for hacking  Cheesy
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
if data from gsmarena is true.

While I don't expect gsmarena have info about really all makers and models, I'd expect that the even cheaper ones (ie those that may be missing) will just increase the numbers of models without NFC.

You are free to click onto the bottom-right button and see the results = the actual phones for which you'll see the specs if clicked.
Unfortunately you may have to fiddle more with the settings and get subsets, since not all are shown if the number of results is that big.
And unfortunately they don't have search for "no NFC" (either All, either with NFC).

Even more, there are results with the specs telling "NFC    Yes (market/region dependent)"
These are included in the list with NFC, hence giving a certain extra advantage to "that side".


TL;DR; I was actually "nice" to tell 50%, and the real percent of no-NFC phones for 2021 may be even bigger.
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
I think that Keystone wallet is the only one that offers some kind of hybrid battery solution in their Keystone pro version.
They have standard lithium slim battery and in the same package everyone receives fat empty container for regular AAA batteries that can work in emergency cases.
I never really dived that deep into it, until you mentioned it and I immediately fell in love with how they designed those batteries.
- Block should follow that design, as opposed to integrating both of them at the same time.

but some people are claiming that NFC is relatively safer and more simple option.
I have limited knowledge about its security but in regards to the simplicity of its approach, it means little to nothing if it's going to work occasionally.
- My previous phone had fewer connection issues with NFC-enabled devices than the one I'm currently using [not sure why].
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
~
I really hope they ditch the NFC and that they only go for Alkaline if they know they have to keep the current draw very very low. Otherwise it will eat through them like Passport v1.

I remember reading an article some time ago on NFCs where it said that the protocol can't be considered secure because it was created to be a convenient and fast solution, not one that is security-oriented.
Yeah, that's about right. All the close-range mumbo jumbo is not implemented as a security measure; you can circumvent it with a tunneling attack, stronger antennas and similar. On hardware level, it is not protected against that. You can 'patch up the holes' by adding time of flight checks in higher layers or additional confirmation for larger amounts (like in credit cards) but it's not very confidence-inspiring that you'll constantly need to fix the holes of your underlying technology.
legendary
Activity: 2212
Merit: 7064
On the latter part of the PDF link, they also mentioned the possibility of having "hybrid solutions"... Does anybody know if currently, we have a hardware wallet with such configuration?
I think that Keystone wallet is the only one that offers some kind of hybrid battery solution in their Keystone pro version.
They have standard lithium slim battery and in the same package everyone receives fat empty container for regular AAA batteries that can work in emergency cases.
Most hardware wallets are using cable connection for power, and others are using only one type of battery.

On another article that was linked in the one that you posted yesterday, they mentioned there'll be QR code support in their mobile app:
I would like to see QR codes more than NFC, but some people are claiming that NFC is relatively safer and more simple option.
Simple is not always better, and NFC means that there is one more chip that could be exploited, and there is one source for most NFC chips.

So about half of them don't have it. And I took only the phones made last year! I find it more relevant than that wiki, sorry.
I don't follow anything about smartphones so I can't confirm anything from wiki or any other websites.
Some guys from our local forum say that all phones now have NFC, and they are obviously wrong if data from gsmarena is true.
legendary
Activity: 2730
Merit: 7065
NFC (Near field communication) works only very near. I don't know if attack vectors are so scary in this. Keep in mind that millions pay on a daily basis with NFC cards, phones, bracelets..
Sure, but if I steal your NFC supported credit card, I can make contactless payments up to a certain amount (I think it's not more than €20-€50) without entering any PIN. I can do that multiple times in various stores without anyone suspecting anything. Surely Square will have countermeasures in place, but I am still not delighted about their choice.   
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
- they want to add power source, replaceable or rechargeable battery (Coin Cell, Rechargeable LiPo or Alkaline AAA).
On the latter part of the PDF link, they also mentioned the possibility of having "hybrid solutions"... Does anybody know if currently, we have a hardware wallet with such configuration?
- I do know it has its own risks, but I think it'd be cool to finally have a hardware wallet with multiple battery options.

- device will be reliable and able to survive shocks, stresses, drops, etc.
Hopefully, they could back it up by "showing" the results from various tests!

- device will have to last for years.
That's easier said than done [unfortunately, but I hope I'm wrong].

Will it be the only way to communicate?
This will probably be the only way of communicating judging by document they released, the reason is because they are focusing only on mobile and not desktop users.
I much more prefer QR codes and camera, but industry is apparently going in this direction.
On another article that was linked in the one that you posted yesterday, they mentioned there'll be QR code support in their mobile app:

legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
the reason is because they are focusing only on mobile and not desktop users.

Yeah, quite sad.

I much more prefer QR codes and camera, but industry is apparently going in this direction.

It would have been probably better than NFC.

I don't know exactly what phones support NFC but I am sure that all phones in future will have that options, or Jack wouldn't go planning something so big.

Not everybody is buying expensive phones.
I went to gsmarena and:
1. I've done a search with all phones released last year. 602 results. https://www.gsmarena.com/search.php3?nYearMin=2021
2. I've done a search with all phones released last year having NFC. 297 results. https://www.gsmarena.com/search.php3?nYearMin=2021&chkNFC=selected

So about half of them don't have it. And I took only the phones made last year! I find it more relevant than that wiki, sorry.

Can you also turn off NFC on your credit an debit cards or in your passport and id cards?  Smiley

No, but I can turn it off in my phone1. I expect the wallet be a tad smarter than an un-powered plastic card, really. Hence (while I understand your point) I think that the comparison doesn't stand.

NFC only works if two devices are in close proximity one to the other, but maybe there are certain gadgets that can widen this grid!? In that case, it  becomes a new attack vector. I remember reading an article some time ago on NFCs where it said that the protocol can't be considered secure because it was created to be a convenient and fast solution, not one that is security-oriented. NFC connections also don't require a password or pin. I am not sure if and how one can abuse the system to access someone's data, but if there is a way, someone somewhere will probably find it.   

NFC (Near field communication) works only very near. I don't know if attack vectors are so scary in this. Keep in mind that millions pay on a daily basis with NFC cards, phones, bracelets..


----
1 Actually I could (and did) in my previous phone which had NFC. My current one doesn't have it.
legendary
Activity: 2212
Merit: 7064
Will it be the only way to communicate?
This will probably be the only way of communicating judging by document they released, the reason is because they are focusing only on mobile and not desktop users.
I much more prefer QR codes and camera, but industry is apparently going in this direction.

Because if so, they'll lose quite a big segment of potential buyers, just because many smartphones don't have NFC (yes, even today).
I don't know exactly what phones support NFC but I am sure that all phones in future will have that options, or Jack wouldn't go planning something so big.
They want to sell this hardware wallets to 100 million users and more.
Here is one recently updated list of most NFC enabled mobile devices:
https://en.wikipedia.org/wiki/List_of_NFC-enabled_mobile_devices

And if there's also another way, I certainly hope that NFC can also be turned off, just in case.
Can you also turn off NFC on your credit an debit cards or in your passport and id cards?  Smiley
legendary
Activity: 2730
Merit: 7065
Will it be the only way to communicate?
Hopefully, it wont be there at all. Not sure why people prefer Bluetooth or NFC in this case instead of a cable.
 
NFC only works if two devices are in close proximity one to the other, but maybe there are certain gadgets that can widen this grid!? In that case, it  becomes a new attack vector. I remember reading an article some time ago on NFCs where it said that the protocol can't be considered secure because it was created to be a convenient and fast solution, not one that is security-oriented. NFC connections also don't require a password or pin. I am not sure if and how one can abuse the system to access someone's data, but if there is a way, someone somewhere will probably find it.   
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
- they decided to add wireless NFC feature for communication with smartphones.

Will it be the only way to communicate?
Because if so, they'll lose quite a big segment of potential buyers, just because many smartphones don't have NFC (yes, even today).
And if there's also another way, I certainly hope that NFC can also be turned off, just in case.
(And yeah, I would have been preferring wired communication, like my Nano S does.)

Pages:
Jump to: