Title: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: vlom on October 25, 2019, 08:20:16 PM E-Mail from Ledger: noreply@supportledger.com
Quote IMPORTANT: Ledger Nano S and Ledger Nano X SECURE RNG CHIP CRITICAL VULNERABILITY Inside Ledger hardware wallet, we use the Secure Element chip to generate and store the private keys for your crypto assets. Unfortunately, some chips, a limited number, were found to be defective by the external company commissioned by Ledger for the production. The problem identified concerns the lack of a correct source of entropy for use by the random number generator may lead to the generation of predictable sequences of numbers and therefore of private keys by malicious users. Ledger is actively working on the problem to replace all defective devices. Please check now if your device is defective with the Ledger SE tool. We apologize for the inconvenience. This mail was sent to you because your Ledger device could be faulty. Please download the Ledger SE Cecker tool below and check right now! With a Link in the E-Mail. But nothing on the website https://www.ledger.com And support uses this e-mail: support@ledger.zendesk.com Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: malevolent on October 25, 2019, 08:55:27 PM It's a scam. Ledger CTO (/u/btchip) confirmed it on reddit:
https://old.reddit.com/r/ledgerwallet/comments/dn389a/received_email_security_vulnerability_ledger_nano/f57fhf6/ https://old.reddit.com/r/ledgerwallet/comments/dn3ef1/just_got_this_email_and_having_a_hard_time/f57io22/ Not like the last line isn't a dead giveaway anyway. Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: bitmover on October 26, 2019, 01:22:45 AM You did correct. Check official website before doing anything
Personally, I never plug in my hardware wallet, just when I need to do transactions (few times a year). Never plug it just to install something, you don't need. Your coins are safer away from the computer Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: hugeblack on October 26, 2019, 03:34:28 PM The degree of success of this type of fraud depends on the extent of users' anxiety.
people behave irrationally when deciding in a hasty, so the warning is always strongly worded and recommends fast downloading. Besides, the user does not verify the official website but follows the link sent to him. Always check out decentralize sites such as forums, the official site can be hacked. Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: Pmalek on October 27, 2019, 08:06:52 AM Could an admin maybe merge this thread and its posts with this one? https://bitcointalk.org/index.php?topic=5196022.0
I just think that all the posts of those two threads should be in one place as they are discussing the same issue. Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: bL4nkcode on October 27, 2019, 10:05:34 PM I wonder how you and/or anyone received that email? I'm a subscriber of ledger and never received such kind of email. Most probably your/their email was used on some cloud minings, bounty campaigns, ico, etc. and was sold to these scammers, that's why people keep receiving emails from scammers.
Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: LTU_btc on October 27, 2019, 10:57:27 PM I wonder how you and/or anyone received that email? I'm a subscriber of ledger and never received such kind of email. Most probably your/their email was used on some cloud minings, bounty campaigns, ico, etc. and was sold to these scammers, that's why people keep receiving emails from scammers. I also didn't received this email. You and me subscribe emails from Ledger, so it probably means that they received email of OP and some other people from somewhere else. Internet is full of offers to buy databases of emails from ICO's, bounties or hacked websites. Also, it's possible that OP posted his email somewhere in public.Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: vlom on October 28, 2019, 07:13:16 AM i did not receive the message in the inbox of the account i used to communicate with ledger. just in a "spam-account".
Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: Pmalek on October 28, 2019, 09:54:27 AM I wonder how you and/or anyone received that email? He used the email in connection with a bounty or airdrop most probably. Just like big_daddy in a different thread.Yeah, I was using this mail in some bounties and airdrops years ago, not a lot of them, but one wrong is enough, usually I use a telegram bot (TempMail) that is generating an unique email box for bounties and airdrops All that data is posted freely in the google sheets for bounty campaigns so it is easy for scammers to compile it in a database and do what they want with them. Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: big_daddy on October 28, 2019, 10:41:21 AM I wonder how you and/or anyone received that email? He used the email in connection with a bounty or airdrop most probably. Just like big_daddy in a different thread.Yeah, I was using this mail in some bounties and airdrops years ago, not a lot of them, but one wrong is enough, usually I use a telegram bot (TempMail) that is generating an unique email box for bounties and airdrops All that data is posted freely in the google sheets for bounty campaigns so it is easy for scammers to compile it in a database and do what they want with them. Yup That’s true I checked my address here https://haveibeenpwned.com/ And it’s not good :( I have to make a new private email... Shit. Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: o_e_l_e_o on October 29, 2019, 09:18:55 AM I have to make a new private email You should absolutely be using different email addresses for different things. As well as helping to prevent this kind of thing from happening, it also increases your security as an attacker gaining access to one email account can't try to reset passwords on every online account you own, and it also increases your privacy by not linking your crypto activities to the rest of your details.Have one email for work/university/school, have one for fiat finances like online banking, bills, credit cards, online shopping, have one for personal things like friends, social media, and have one for financial crypto sites such as exchanges. For everything else, particularly ICOs or bounty campaigns, make a completely new throwaway address or use one of the many temporary email address generators to sign up. For your main email addresses, you should also be looking to use a privacy respecting provider. Protonmail is widely recommended, but you can find other good providers here: https://www.privacytools.io/providers/email/ Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: big_daddy on October 29, 2019, 09:36:37 AM Tnx for the link and for the suggestion
I will consider your advice and take an action asap Best regards Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: malevolent on October 29, 2019, 01:05:07 PM You should absolutely be using different email addresses for different things. As well as helping to prevent this kind of thing from happening, it also increases your security as an attacker gaining access to one email account can't try to reset passwords on every online account you own, and it also increases your privacy by not linking your crypto activities to the rest of your details. Just be careful when choosing email addresses as recovery email addresses on each email account so that one compromised account doesn't result in other accounts getting hacked. Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: vapourminer on November 01, 2019, 01:39:35 PM You should absolutely be using different email addresses for different things. As well as helping to prevent this kind of thing from happening, it also increases your security as an attacker gaining access to one email account can't try to reset passwords on every online account you own, and it also increases your privacy by not linking your crypto activities to the rest of your details. Just be careful when choosing email addresses as recovery email addresses on each email account so that one compromised account doesn't result in other accounts getting hacked. also try to use 2FA on any important emails accounts. not a text message to a phone number that can be taken over, something OTP based like google 2fa (or its open source equivalents). for fun, try to break into your main emails accounts on a fresh computer (ie one thats never logged into that email account before) by clicking "forgot password" link and seeing how far you get. you may be surprised. Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: The Sceptical Chymist on November 01, 2019, 01:45:44 PM I wonder how you and/or anyone received that email? I'm a subscriber of ledger and never received such kind of email. I didn't get the e-mail either, but now that I think about it I don't know if I ever gave them my primary e-mail address or not. How would scammers get access to Ledger's database of e-mail addresses anyway? Did they get hacked, did Ledger sell them? Just thinking out loud there.You should absolutely be using different email addresses for different things. I'll keep protonmail in mind--I'd never heard of them before. But boy, I hate using multiple e-mail addresses--I have a couple of different ones, but I don't even use e-mail much anymore so it's a pain in the ass to keep checking several of them. Fortunately spam filters are so much better than they used to be in the early days of the internet. I always hated getting adverts for sex toys and Viagra and the like, not to mention all the scam attempts.Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: Lucius on November 01, 2019, 02:00:24 PM The Pharmacist, there is another thread with same topic and it was concluded that there was no hacking on Ledger's email database. The person who received the email in question says the following :
Yeah, I was using this mail in some bounties and airdrops years ago, not a lot of them, but one wrong is enough, usually I use a telegram bot (TempMail) that is generating an unique email box for bounties and airdrops It’s good to know that other Ledger users didn’t recieve this mail cause that can be a proof that nothing inside the Ledger system has been hacked or list leaked I think Ledger is too serious company to allow itself to sell its databases like some others (Facebook), and that they make decent money from the sales of their devices. However, all that is needed is a corrupt or perhaps careless employee, because most hacking shows that people are the weakest link when it comes to security. Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: big_daddy on November 01, 2019, 02:03:34 PM Ledger is, from my poin of view and experince, a great crypto company
Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: malevolent on November 01, 2019, 11:12:42 PM for fun, try to break into your main emails accounts on a fresh computer (ie one thats never logged into that email account before) by clicking "forgot password" link and seeing how far you get. you may be surprised. Coinbase (? - probably them, IIRC) had a long guide somewhere instructing users how they can setup their gmail account to make it practically impossible for anyone* ever to recover access should a stranger try to hijack someone's account or should the original owner forget the password. Smaller or lesser known email providers might be more susceptible to social engineering attacks. Same goes for registrars and hosting providers if someone's using an email with their own domain name. *realistically speaking, google may change their policies, their employee(s) can go rogue, etc. Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: jerry0 on February 15, 2020, 09:30:36 PM im confused here. So they want you to download something but isn't the nano ledger x and s not hackable?
Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: HCP on February 17, 2020, 07:20:27 AM It's an old warning about an old phishing email that some users received. It attempted to get the user to download something and I believe input their 24 word seed mnemonic.
I'm not actually aware of anyone who fell for this phishing attempt (at least I didn't see anyone posting about having used the "Ledger SE Checker" and then losing all their coins :P) Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: Pmalek on February 18, 2020, 10:19:35 AM im confused here. So they want you to download something but isn't the nano ledger x and s not hackable? Phishing and hacking are two different things. Your device wouldnt get hacked. The tool wants you to enter your seed words and send them to the hacker. It has been said many times before that the seed should never be entered into a software. It is only meant to be looked at on the hardware wallet.Title: Re: Fake Security Vulnerability: Ledger Nano X and Ledger Nano S? Post by: Lucius on February 18, 2020, 10:44:18 AM im confused here. So they want you to download something but isn't the nano ledger x and s not hackable? Please stop bumping old topic with stupid questions, don't you know how to read? How can you be confused by something that is explained in a way that a child of 10 years can understand? Maybe you should stick to traditional banking, though I believe you have a problem with that as well, because you are not adopting the information you are getting. I have a feeling that at some point you will do something stupid and lose everything you have in crypto... I'm not actually aware of anyone who fell for this phishing attempt (at least I didn't see anyone posting about having used the "Ledger SE Checker" and then losing all their coins :P) There is warning about this on Reddit some 6 months old, and when it started I remember few users who were naive enough to share their seed with hackers. One is lost 600 ZEC (some $16k at that time), other $30k worth of BTC... |