Bitcoin Forum

After several Legder hardware wallet fiascos and database leaks, I think we all need to have a Guide with suggestions and advices for buying a hardware wallet.

We obviously need to be a little paranoid if we want to avoid receiving phishing SMS messages and emails, and exposing our real name and home address to hackers.

Suggestions:

 - Buy hardware wallet only from official website or reseller store.
 - Use Tor or VPN when registering to website and install ad blocking extension like uBlock.
 - Use alternative or disposable e-mail address and new random password for registration.
 - Use alternative prepaid phone number and not your real phone number for registration.
 - Use crypto for payment, not connected with your real ID, or pay with cash in your local authorized reseller.
 - Use alternative or fake name for registration.
 - Use PO boxes or alternative address for delivery.
 - Do your own research


You can also ask yourself, do you really need a Hardware wallet at all?
They are not perfect and there are alternative ways for storing your crypto, including offline computer or smartphone with installed wallet and only used for this purpose.


*This list is work in progress and any suggestions are appreciated

If you won't use Tor (you should), then at least use a clean install of a new browser with a fresh VPN exit node so as to minimize being tracked by tracking cookies from Facebook, Google, etc.

The extension you want is uBlock Origin, not uBlock. The two are different, and the latter allows through "approved" ads and trackers.

This is probably the hardest step, and also very dependent on what country you live in. Generally speaking, PO Boxes or similar have to be registered in your own name, and you need to provide ID to be allowed to open them or sometimes to access them. Even so, this is still a good step, as it breaks the link between your real name and the retailer, and an attacker would have to be very determined to go about de-anonymizing your PO Box (provided you aren't careless and don't advertise it elsewhere). Other options include general delivery or poste restante, delivering to a work address (but then it either has your real name, or you need to have a receptionist who will look out for a package with the fake name on it), or sometimes you can arrange delivery to a store or similar drop off location which won't require ID to pick up.

It is also easy to have the hardware wallet shipped to an extended family member (the actual device is paid for by crypto).  I select a receiver that doesn't even own a computer or have any technical abilities at all.  At least they serve as a proxy of sorts and since they don't even know what BTC is they can be watched all day long without consequence.  Not perfect, but it feels better than jumping through hoops trying to lie about a PO Box.  Messing around with a Federal mail box can get dicey where I live.  Big crime if nabbed!

Seems a bit unfair on that family member. If you are looking to unlink your identity from the purchase of a hardware wallet, then obviously you are considering or are concerned about $5 wrench attacks. By shipping to a family member, all you are doing is moving the risk on to them, and they truly will have no coins to give up to prevent or end such an attack. If they don't even know what BTC is, then they won't even understand the risk you have placed on them.

That all seems far more unethical to me than simply receiving mail under a pseudonym.

The PO Box helps very little if your name is not John Smith. And you shouldn't use a fake name for shipping - if the package requires a signature or just doesn't fit in the box you'll need an ID to retrieve it. Even shipping to your home address with a fake name could be a problem if the delivery person wants to be a pain in the ass.

I'm really pissed at Ledger right now. Getting not only phishing e-mails but actual fucking phone calls from a "Ledger" caller ID to my phone number, which I only gave them because they supposedly need it for shipping. I don't have a feasible way of giving out a disposable phone number with each online order.

It's about time for FedEx and UPS to start working on hashing delivery addresses so that you would give just a one-time hash to a retailer. That way even if FedEx is hacked you can at least hope they don't know if you bought a hardware wallet or a dildo.

You suggestions have only one disadvantage: you can forget about warranty with all that “being anonymous” paranoja ;D In case you have any troubles with your hardware wallet - you will face lots of troubles or inconveniences.

You certainly could ask that question, a legitimate one, and I bet you most people don't own enough altcoins such that it would be a pain in the ass to keep track of all the private keys.  Not to mention if your goal isn't long-term storage or if you plan on making some trades or whatnot.

Excellent points of advice, OP.  I followed exactly zero of them when I bought my Ledgers (and that damn Keepkey), but since I don't actually have much of value on them, I'm not terribly worried about getting phished, hacked, keylogged, or whatever else it is that thieves are doing these days.  Lately I've been more of a by-standing cheerleader for bitcoin than someone who's got his foot in the market.  Oh well.

Oh, and if long-term cold storage of bitcoin is your primary goal, I'd say you definitely do not need a hardware wallet....but they're so neat, I probably wouldn't even follow my own advice if I had bitcoin I wanted to keep in cold storage.  I'd probably end up buying a Ledger all over again.  Lol

Holy shit, really?  That's messed up.

Yeah. I don't even know why it's showing as "Ledger" - different phone number each time and I don't have them in my contacts. Must be screwing with Google somehow, or whatever malware dialer the carrier might have installed on my phone.

They're also sending text messages and addressing me by full first/last name and asking me to click some sketchy link.

I would agree with your point further down that if you goal is long-term storage, then airgapped, encrypted, cold storage is better than a hardware wallet. I like my hardware wallets because they are a good balance of security, portability, and ease of transacting without having to dig out and boot up my cold storage, but for coins I am very rarely transacting with, then cold storage wins.

The concern that a lot of people have is not these phishing emails and messages - they are annoying, sure, but they are easy to spot and easy to ignore. What is concerning most people about this Ledger hack is that an unknown number of physical addresses have been released as well, opening the possibility of $5 wrench attacks. Even if you have nothing or very little stored on your Ledger, good luck convincing an attacker of that.

Various phone carriers have this feature. Essentially they register their phone number under the name "Ledger" with their carrier, and then the carrier pushes that to your device whenever you receive a call or text from them.

I don't know what 'paranoja' is, but exposing your name, address and phone number to hackers sounds a lot more like 'lots of troubles or inconveniences'.

Fake Ledger tech support now started calling people  :P
You can try to block their number, and in future you can buy reserve prepaid number used only for registrations and ordering stuff.


I like the idea for PO boxes, but they are not available in all countries and cities, and they are not perfect solution.
Best option for me is to buy something in your local authorized reseller shop and pay with cash or crypto if possible.

 

The most difficult part is the stage of hiding the address, and the matter varies from country to country, but even shipping to an intermediary and then re-shipping to you requires some trust.
Also, I think that these companies will do some encryption of the personal data, especially the address, and the problem will remain that the data can be traced by the government and the court.

I still believe that in the future it will be easy for you to make your own hardware wallets so we may not hear about hardware wallets (Ledger,...etc) soon.

It's good suggestions if you want to protect your data from phishing attacks, but not everything will work.
Using fake name can cause problems when you will have to take your wallet if it's delivered by courier or you take it from post office. Probably only way to stay anonymous - if your hardware wallet is delivered on parcel machine (don't know how exactly it's called in English). Your name isn't needed there, phone number or email is enough. You'll get PIN code through SMS or email and this code is needed to open doors of that parcel machine.
And if you're using PO boxes, it's impossible to stay anonymous.
One option - buy it from official reseller. But usually resellers have higher price than buying directly from Ledger.

You pay much higher price if you expose all your information, address and phone number to scammers.
I also checked some prices resellers offer and there is no big difference with prices manufacturers are showing on official website.
To be more precise I compared the prices from official Ledger website with official reseller in Croatia and prices are exactly the same, but I would never buy Ledger again or recommend it to anyone.
 

Were you one of the allegedly only 9.500 users who had their full personal details leaked? Did you receive an email from Ledger informing you that you had all your details leaked?
I received only two emails so far, at the beginning of the phishing campaign. They both contain only the first name, not the last name. And there haven't been any calls or SMS messages. Which means they are either using different ways to approach the users, or not everyone has had everything leaked. A third option is that they haven't had time to call yet, due to the share number of other users above me on the list.   

Unless the hackers used fake IDs when registering the phone numbers (which they probably did), the carriers could help in identifying the users behind those numbers. To the police or government agencies, of course, not to the general public. 

Using Tor or a VPN isn't really necessary. It wouldn't have protected you from a database leak at all.
Regardless of whether it is ledger or any other website.

All the information they potentially can get from that is your geo location in a 100km radius. Given they really store your IP address used.


Using an ad blocker and additionally a javascript blocker (e.g. NoScript) should always be done. Not only when ordering a hardware wallet..




This should also be always done.




I have a 2nd mobile number here just for that purpose. Using for registering when necessary.
IMO the best way to not get any spam messages/calls.

I still somehow didn't get any call, sms and/or phishing mail from ledger.

Amazon run Amazon Lockers in a number of cities, and you only need a code which they will email you to pick up a package. A new account not linked to your real name or address and a throw-away email address could be a possibility, although knowing Amazon, they will lock your account at the first sign of any shenanigans.

I'm no expert on the matter, but it used to be that simply phoning your carrier and saying that it is business phone and you would like it to be registered under the name of your business (in this case "Ledger") would be sufficient. It's even easier if they are using a VoIP service, with many letting you simply fill in the field yourself. No ID required.

I blocked a few different numbers Ledger numbers already... not sure if having a burner phone that I would never answer would be much different than just giving a fake phone number, which is what I'm leaning towards.

---

I found this - I think it applies to Android with default settings:


"Google My Business" listings are free AFAIK. Not sure what, if any, verification is done. Probably none judging by complaints like this:

---

I may have received an e-mail from them or maybe it wasn't them LOL. At this point I wouldn't trust them even if they sent me a new device for free and definitely don't trust any e-mails from "Ledger".

Edit - I checked my spam folder and there are 6 e-mails from "Ledger", all sketchy AF. All failed DKIM. Some mention 86000 hacked accounts and tell me to download new software. All came to a disposable address used for Ledger orders only. Some use my real name. So yeah, I must be the lucky 1-of-9500 but I seriously doubt that number.

Depends on whether or not Ledger or any other company would every actually need to "contact you about your order". I think most people give out their phone number far more often than they realize. For the sake of $5 for a prepaid SIM which I change every 6 months or so, a disposable phone number I don't care about and can hand out freely is great. I maintains my privacy, I know I'll never get phished or scammed via my real phone, and completely eliminates my concern regarding database breaches like this. Just think how many other databases somewhere your phone number is sitting in.

Like all things Google, there will be zero effort put in to protecting their end users. It is the same trick that telemarketers and scammers use to hide their phone numbers. It is illegal, but it is easy to do and difficult to trace, so the vast majority get away with it.

I've never had a legitimate contact via phone regarding an order except a few times someone left a message saying "you'll need to sign for a package tomorrow", which may or may not have been legitimate, and a couple of times shady sites tried to upsell me because they magically ran out of that awesome deal that was too good to be true to begin with. I think I would be fine with the order cancelled if there is a genuine problem and they can't reach me.

Now if I have a disposable phone that I'll never pick up and won't carry with me and probably won't even keep it charged, what's the point? And I wouldn't be so bold to claim that I'd never get scammed on my real number. If I give it to kid's school or doctor's office - legitimate places to give my real number to, right? - and they get hacked I'd be in the same position as with Ledger now, just perhaps with more false sense of security.

Even a friend or a relative losing their phone with my number in their contacts is a risk - impersonation scams are rampant.

I was meaning more about being phished for crypto via my main phone. If my doctor's office leaks their database, it's highly unlikely that someone will target it with Ledger phishing texts or similar. Still, I use my disposable phone not infrequently to communicate with other people while trading peer to peer in my local area, and I suppose people signing up to centralized exchanges or other crypto services could benefit from a disposable number as well. Even signing up to something like Telegram if that's your thing I would only do from a disposable number.

Yeah you have a point there.

As for Ledger, what's done is done, can't unbuy it now but I'll probably bin it and go back to tried and trusted lukewarm-wallet-on-Linux-laptop because after reading eddie3's thread (https://bitcointalk.org/index.php?topic=5289460) I realized I'll get fucked by those firmware updates sooner or later.

Yeah, I've been generally moving more towards airgapped devices and away from hardware wallets recently. With the unpatchable critical vulnerability in Trezor devices, and Ledger being unable to encrypt a simple database, there are just too many risks to using them.

As I said in another thread, the big appeal of hardware wallets is that they are (were?) a good balance of ease of use and security. A newbie could buy a hardware wallet, follow the set up guide, and store coins very securely without really any technical knowledge. They didn't need to know how to use a live OS, or airgap a device, or use encryption, or verify PGP signatures, or any of the other necessary steps to correctly use an airgapped wallet or a paper wallet.

To use a hardware wallet safely now, you need to use a disposable email, a pseudonym, a burner phone, find a neutral but secure shipping location, and pay in anonymized bitcoin. None of that screams "ease of use" to me, especially not for a newbie. If newbies are going to spend the time to follow all the steps in this thread to buy a hardware wallet, they would be better off just learning how to set up a proper airgapped cold storage wallet instead.

Add something else to your list.  When you connect your Trezor to "their" website, which most newbies will do, the connection URL captures YOUR exact device ID# every single time!  Do they use it/record it?  Of course they will say no, but we will never be able to know for sure.  This means numerous wallets/mpk's all reflect back to the exact same device ID#.  Not exactly anonymous is it, should Sat Labs ever go nefarious?

Still I use several Trezors and have learned to safeguard myself, but I am miles from being a newbie.  The business side of their house has sent me running from anything Ledger.  I received numerous bogus emails from them, but fortunately all went to tutamail and no further.  Those accounts are closed now.


What, which??  My SD card removes any I am aware of.  Fake SD is perfect for when I store my Trezor too.

He's talking about the critical vulnerability whereby if someone has access to the device, the (encrypted) seed mnemonic can be extracted in a matter of minutes using relatively cheap tools (and then the 1-9 digit PIN encrypting the seed mnemonic can be trivally bruteforced). Unless you're using a BIP39 passphrase, your funds are effectively unprotected if the device falls into the wrong hands.

It's an issue with the hardware used in the ONE and the T, and the only "workarounds" are to use a BIP39 passphrase (or the SD card encryption option on the T, which requires trezorctl, Python and commandline "skills").


Refer:
https://www.ledger.com/improving-the-ecosystem-disclosure-of-the-trezor-recovery-phrase-extraction-vulnerability?utm_source=Social&utm_medium=Twitter&utm_campaign=Donjon%20Trezor
https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/

Yeah, the vulnerability is as HCP says. The issue is that only a minority of people using a passphrase, a smaller minority use a passphrase which is long and complex enough to be resistant to being bruteforced once an attacker has your seed phrase, and an even smaller minority use removable SD card. The vast majority of Trezor users are vulnerable to this attack.

And much like this recent database breach with Ledger, if you go to Trezor's website there is absolutely zero mention of it. Such a critical vulnerability which affects all Trezor users, or such a database leak which affects (we now think) a huge number of Ledger users, should be front and center of their website: Here is the issue, here's what we are doing about it, and here's what you should be doing about it. The fact that neither company is doing this doesn't exactly inspire confidence in their transparency and honesty.

You may have a point for newbies.  Anyone hanging out here should know to cover their security with a LONG password, and further anybody with a Trezor T should be aware of the SD encrypt protection.  In reality I guess WE sometimes forget how far out of the mainstream beginner circle we have gone.  LOL!

Unrelated but back to the thread:

I thought of another privacy weakness for Trezors where more experienced attackers are concerned:

Bear with me here.  For Trezors that are used for long term storage I like to configure them for privacy.  One item I like to conceal is that I use passphrases at all.  As mentioned above, newbies likely don't use passphrase enhancements.  By logic then if someone has a Trezor in their hands and passphrases are activated, by default there is the ASSUMPTION that multiple wallets are likely in play.  This is true for most I would think.  So, I place a minimal (but believable) amount of BTC in the default wallet (no password needed) and leave it there.  Long PIN still of course.  My feeling is seeing passphrase activated is a BAD thing for privacy and even worse for a potential "$5 wrench attack".

If you connect a Trezor to a computer using trezorctl, which I use, it clearly displays whether the passphrase feature is activated. This means I don't need to know your PIN to know you have passphrase activated.  Try it if you want and you'll see I am correct on this.  trezorctl is much more powerful than the website experience, but most attackers I think would know that!

Therefore; I always take a couple of seconds, again using trezorctl, to turn off the passphrase feature when I am finished using my Trezor.  Turning passphrase on and off using trezorctl is seconds in either direction.  So this is a hardware wallet weakness in my view.  Its easy to correct as I just described, but most newbies or users in general would never have thought of it.

My suggestion then for Trezors not used daily/mobile on the go, would be to protect your privacy by turning off passphrase when in storage.

Lastly, become familiar with trezorctl and take advantage of its power/features.  A biggie that comes to mind is to enable wipe of the entire hardware wallet by entering a code you set to offer as a fake PIN.  You can't do such an important thing using the limited web experience.  My .02

https://i.imgur.com/nOGA2On.jpg

Exactly, and they act like msm mainstream media and they keep quiet about things that are not in their favor or they don't like.
On positive note, they finally added notification after latest update telling people that there is big phishing scam attacks with their userbase.

After all this maybe the best way to buy hardware wallet would be not to buy hardware wallet, or think twice before you buy it.

Where did you see that banner? When I visit their website, the only banner I see is an advertisement for their new stablecoin lending service which is being integrated with Ledger Live.

Honestly, I think I'm done with Ledger at this point. Should we maybe work on securing out databases against hacks? Should we maybe work on finally allowing proper coin control or address management for bitcoin? Nah, let's first launch a shitcoin exchange service with ridiculous fees, and then launch a shitcoin lending service (with I'm sure more ridiculous fees). I haven't used Ledger Live with my Ledger devices in a long time, but it seems Ledger as a company are going the same way Brave did - start off with a good product and great intentions, and gradually pay less and less attention to what is important to their customers and more and more attention to whatever makes them the most profit. Such a shame.

I'm still hoping someone can recommend a secure and easy to use storage solution which we can recommend to newbies in lieu of hardware wallets. Software wallets are not secure enough, and airgapped wallets are not newbie friendly enough.

It's not on their website, but on their ledger live app.
I saw there was a new update released and decided to do it, after this new popup shoed up.


I am looking for some good alternatives for days, but everything I found so far is not suited well for newbies, and even some experienced users would most likely not use that.

Maybe ColdCard hardware wallet would be better option than ledger or trezor, it is open source and don't have problems like other competition (so far).

To paraphrase a known meme - secure, easy to use, cheap - pick two.

Explains why I never saw it. It should categorically be across the top of their website as well, not some rip-off lending rubbish.

Maybe, but it runs in to all the same problems we have been discussing in this thread - how to get your hands on one without leaving your name and personal details in a database somewhere? I couldn't see anything on their website about official third party retailers you can buy from in person with cash?

I think there are no official retailers, and only way would be to contact Coldcard support and ask them: support@coinkite.com
They are based in Canada, but I found some stores in Europe, Germany, United Kingdom and others, that are selling ColdCard.
Search locally and buy with cash.

bump

I also thought of this as well.  When you buy a hardware wallet like nano ledger s and have it shipped to your address.. well there is risk of data breach like what happened with ledger live... but not only that... what about the ppl who are handling your packaging like the people who shipped it to you from france or say dhl or fedex etc in the US?  I mean i know postal workers bring packages to many places but im sure when they look at that package and see the france address... they probably know its a nano ledger s?



Like how could you order one securely without address information?  Only thing i could think of would be like those amazon locker etc?  But of course if you do it that way, isn't there a risk of it being manipulated if somehow the place or postal office knows what is it?  Like imagine a tech savy person having access to it for a bit.  But of course putting it back in the original packaging will make it look obvious something was done to it.   

...

I'd be interested in in the BitBox02 (https://shiftcrypto.ch/bitbox02/).  I had an earlier model from these guys (out of Switzerland) that worked fine until a it seemed to have a relatively short lifetime (overheating?) so I never re-ordered, so I then bought a Trezor (Model T) and Ledger S, both of which work fine but have the security issues...

Nonetheless, I have not heard of any problems or even reviews of their devices.  Swiss-made might mean extra-quality components (?). 

Any buyers please feel free to pass along comments or reviews, as when I bought one year ago, they were as functional as the early Trezor and Ledger.

I never heard about that overheating issue and short lifetime for BitBox02 wallet and I know warranty is 2 years for them (CoboVault is offering one year warranty, Trezor waranty has two years, ledger has one year warranty), but people reported problems for other hardware wallets also, like display not working after some time or they just die without any explanation, so there is no perfect device and it is important to keep your seed words safe.

If you purchased it one year ago than you can probably replace your BitBox.

The other issue with hardware wallets is if you would like to use either many small inputs or many signatures, such is in multi-sig transactions. Those things are slow.

I've always used an old PC / laptop as my cold storage signing device. I might get another one now.

Do most of you have at least two hardware wallets in case?


Thinking of ordering another one and will most likely stick with nano ledger s.  Do most agree just get another one as oppose to get a nano ledger x or trezor?  I heard trezor there is security issue right?  Nano ledger x uses a battery so wouldn't that mean it would go bad after a few years?  But also its much more noticeable as compared to a nano ledger s which look like a keychain?


So do you say its good idea to get a PO Box at your local USPS then to order this?  Or it doesn't matter since i already ordered from nano ledger before?  Also i got to assume the fedex or dhl drivers know what the package is right when you bring the item and see its from France?  Then again many of them probably never even heard of hardware wallets right?

I'm actually going to order a cheap Fire 7 tablet, the cheapest one, it's about $50. Keep it offline, factory reset it again upon arrival, and sideload latest verified Electrum through the microsd slot, and use that as my "hardware" wallet. Turn on Airplane mode, turn off wifi, turn off bluetooth, and there are a few other privacy or app settings but that's not very much relevant if the device is permanently offline and in air gap.

You can probably sideload any offline apps / games you'd like to use as well, but I would keep the device to use only for a single purpose and that is as a bitcoin wallet. Get a second tablet for all your other stuff.

Everyone orders millions of Fire tablets through Amazon, so should not be an OPSEC issue, otherwise Amazon is going to have problems.

Honestly, i wouldn't rely on the tablet being completely air-gapped by simply just turning everything off in the (user-mode) settings and enabling airplane mode.
You'd be always better off removing any wifi and bluetooth chips etc.

Further, this device would still lack the actual hardware security a hardware wallet offers.
If you want the hardware security and convenience of a hardware wallet, such a tablet solution is not even close to being good.
If you want a air-gapped cold wallet setup, there might be some better alternatives (e.g. old laptop with an open and verified OS installed).

It could work for you but Fire is still running on modified Android OS and I would much more trust some old Netbook with Linux OS, that you can easily replace hard disk and battery, and totally disable wi-fi.

Android and iOS may have government backdoors enabling them to unlock devices whenever they want, and they even introduced a bill (https://www.judiciary.senate.gov/press/rep/releases/graham-cotton-blackburn-introduce-balanced-solution-to-bolster-national-security-end-use-of-warrant-proof-encryption-that-shields-criminal-activity#:~:text=The%20Lawful%20Access%20to%20Encrypted%20Data%20Act%20would%20bring%20an,devices%2C%20platforms%2C%20and%20systems.&text=This%20type%20of%20%E2%80%9Cwarrant%2Dproof,the%20internet%20for%20illicit%20purposes.) in US Senate that would force all devices and software providers in the US to build backdoors into their products.
This would mean much easier access and bypassing password, and there is separate issue with backdoor in Android apps, and with Amazon software and devices (https://www.gnu.org/proprietary/malware-amazon.en.html) in general.

I understand completely.

But I take it the tablet device will not be able to connect to any wifi network if it does not know the password, and it also won't connect to any bluetooth device if the other device does not pair with it.

I'm also going to play around with the tablet and see what other "hacks" I can do on it, I mean it's easy enough to root and install google (but why do that in this particular case). There is probably a way to install AOSP / Custom ROM on it and disable everything.

The alternative is indeed an older laptop or even a cheap desktop, but those are a little more bulky and I would need to get the other hardware for QR code scanning.

The tablet would be just another signature in a multi-sig setup.

Can also probably open up the thing and physically disable the wifi chips / antenna.

I'm confident enough that it will function as intended if it is never allowed to connect to anything and turned off after every use, and kept inside a faraday cage when stored. (inside a locked safe, or a room with lots of air / concrete walls.)

I'd actually trust this tablet brand new, than any of the other hardware wallets or their manufacturers out there, but that's just me.

If it does not work as intended, then at least I still have a cheap tablet my todler can play with. (or for me to do some candy crush game or whatever.) This may fit the bill as an offline music player (occasionally connected / Spotify / mp3 download) with bluetooth speakers / bluetooth car.

The main convenience of the other hardware wallets is size, but I have no intention of bringing this outside where it will be stored anyway. It will either be in a safe second location (such as a bank vault) or safe in the home or somewhere, but nowhere near the main computers or hot wallets. In this case, it's smaller than any laptop or desktop computer with Linux.

Android is still a form of Linux, but rather restricted. I'm sure there are ways to break it and render everything useless but the app you need.

Will most likely order another nano ledger s directly from ledger.  I have bought one from them directly with my name and address a while back and got a second one later on a while back.


When i order another nano ledger s from ledger... most likely i will do this as oppose to ledger nano x or trezor... i assume its fine just ordering it to my address since they already have it in their records? 


I mean do ppl here get a PO box at their local USPS solely for this?  Obviously i would rather have it sent to a location where i could pick it up myself.  But if i already ordered through them, i guess no issue doing it like i did previously?

Amazon should be a reseller, or they sell through Amazon.

I did get my Fire 7 Tablet, and it's on sale right now too. Factory reset the thing, disabled everything, disabled amazon apps, no google apps, airplane mode, then side loaded Electrum.

Have done a few transactions already and it's working like a charm for me.

It is still a tablet and larger than a ledger or trezor, but it already has it's own camera and screen, to copy transactions using QR codes.

I am thinking the same and am thinking about going the paper wallet route. Do you know any resources of this and the pros and cons. No matter what you do you have to have your private keys and passphrase written down, hidden and retreavable. How do you use a paper wallet. and still have the security and anonymity as when you have a hard wallet?

Please don't make duplicate posts, and go off-topic with paper wallets.
I have already answered your question in other topic you created: https://bitcointalk.org/index.php?topic=5334859

Like IRS confirmed, hardware wallets are very secure so they need help hacking them, but they are not perfect:
+plus: hardware wallets are more secure than software wallets on online computer, easier to use for most people.
-minus: They are not free and you need to pay for them; there is chance of malicious firmware and phishing websites, some of them have closed source code and can have hidden backdoor.

Has anyone of you ever gotten a phone call about a shipment? Because I haven't. So one day, when I cancelled my landline subscription, I decided not to hand out phone numbers for deliveries anymore. I just always come up with something new that has the right number of digits and never had any issue.
I believe I once had a support session with some online shop and when they asked me to verify my phone number (which I obviously didn't remember anymore), they were immediately happy with me claiming I just change them often to benefit from new subscriber promotions.

@n0nce

What did you do when you ordered the Passport Wallet? You have to enter a phone number there.

I've not given out my real phone number to a business in years. I either leave the field blank, or fill it with something obviously fake but which fulfills the criteria, such as all 1s.

If you need to receive a one time message for confirmation or something along those lines, then there are plenty of websites you can find with a quick web search which offer free online SMS inboxes linked to various phone numbers. Anyone else who wants can also read the message you receive, so you have no privacy or security, but it does the job in some cases.

If you really need an active phone number, then depending on your country you can usually pick up a SIM for a couple of bucks (or sometimes free) and stick it in an old reset-to-factory-settings phone. Either destroy the SIM once you are done, or as I do, keep it for a few months and use as a general burner phone whenever you need to. Repeat every few months with a new SIM.

Smart move.
I use different prepaid mobile number not directly connected with my real life identity, and I use it only for ordering stuff.
I generally keep my phone turned off when I sleep, and recently during sleep I received bunch of calls in the same time, some even came from surrounding countries.
When I tried to call one of those numbers I received voice message that number is not in function, so caller probably use some fake number ID's.
I suspect this was some scammers or fake tech support but I can't prove anything.

Just as I said above.. :D

I don't even know if shipping companies / online shops ever even use the phone number you provide; since for obvious reasons, I have no recent experiences to make conclusions off of. If it is enforced, there are web solutions, as you say, but I often encounter this only for signup forms, not for ordering a product.
Those often don't work and are obviously open to anyone; so an alternative, that I haven't tried yet, could be a short-term private number such as: https://sms4sats.com/

From my knowledge, in EU it's now mandatory to collect KYC information, however you can get pre-registered cards in small 'telephone shops' if you ask for it.

But personally, I can almost always get around phone number requirements completely, in one way or another.

Oh, that looks cool. I'll try to remember to give it a shot next time it would come in handy. As I said though, I always have a burner phone on constant SIM rotation and frequent factory resets for this exact purpose.

You mean you can't purchase a SIM card without handing over KYC data? Even a prepaid one or one which you simply top up with cash? Am I handing my info over to the cashier in the store? Or I have to upload documents online when I register the SIM? That's ridiculous.

Hell, I can buy prepaid SIMs from a vending machine if I wanted.

I was also shocked by this information since where I am at the moment I never met any kind of this measures whenever I had to buy a SIM card (either on a supermarket or in a vending machine). However it seems that some countries in the EU applied KYC procedures for prepaid SIMS as a way to fight against counter-terrorism[1] (it started upon the terror attacks of Paris in 2015[2]). If this source[3] is updated (and correct) then countries like Germany, Belgium, France (and others) do ask your personal information whenever you buy such a card. This study[4] actually makes an effort in trying to understand if this rule ends up enforcing a stricter control but as we can see in the conclusion it's not so clear that it works as intended:
I would like to see some kind of study, for instance in Germany, where they would compare the rate of crime before and after implementing this measure. My guess is that the results would be unoticable at the cost of their citizens privacy ...

---

[1]https://www.miteksystems.com/blog/mobile-identity-verification-key-to-mitigate-the-effects-of-eus-mandatory-sim-card (https://www.miteksystems.com/blog/mobile-identity-verification-key-to-mitigate-the-effects-of-eus-mandatory-sim-card)
[2]https://www.linkedin.com/pulse/sim-card-kyc-spotlight-paul-van-der-schueren (https://www.linkedin.com/pulse/sim-card-kyc-spotlight-paul-van-der-schueren)
[3]https://prepaid-data-sim-card.fandom.com/wiki/Registration_Policies_Per_Country (https://prepaid-data-sim-card.fandom.com/wiki/Registration_Policies_Per_Country)
[4]https://www.gsma.com/publicpolicy/wp-content/uploads/2016/04/GSMA2016_Report_MandatoryRegistrationOfPrepaidSIMCards.pdf (https://www.gsma.com/publicpolicy/wp-content/uploads/2016/04/GSMA2016_Report_MandatoryRegistrationOfPrepaidSIMCards.pdf)

I guess you have never tried ordering something in the Balkans then, have you? ;D Depending on the shipping company, the driver, and your luck, you might have to search for him on your block. Some dudes call you when they are close to check if you are home and if they can deliver to the assigned address. If they are not from your city, don't know how to work the GPS, or something else, they aren't always sure where to find you. So you have to find them. ;)
If you can get a private and prepaid SIM card, just keep one of those around with some old phone you used in the past that you activate when you expect a delivery.

Even the prepaid cards you buy on gas stations or shopping malls require online registration. You don't have to submit any documents though and you aren't giving any info to the cashier. Until you register and fill out the forms, the card remains inactive. In my experience, you can sometimes get the card unblocked relatively quickly, like 10-15 mins after data submission, but it can also take an hour or two. I can only conclude that someone somewhere is checking your entries.

Of course they would be. There is no evidence that even mass surveillance programs such as what the US and its allies conduct around the world has any effect in preventing terrorism or other crimes. Something as simple as making people register their details against a SIM card will also achieve nothing. Like terrorists wouldn't be able to buy some random sucker's documents from the darkweb for a few bucks. ::) It's never about preventing crime, although that's usually how it's marketed because then it's easier to get people to voluntarily surrender their rights.

So nothing stopping you entering a bunch of fake information then?

Yeah, you could do that. Worse case scenario is they block your SIM card and you just threw away €20 or something for purchasing it. You have to submit an address and your name among other things. They probably check that data and compare it with entries in some central database. That could create some red flags.

If it's a real address, they might see that a married couple already registered their phones with that address. If it's a fake address that doesn't exist, they might discover that. If you use a real name from someone you find on the Internet, their checks might show that person is already registered and lives somewhere else. If you sign up with Donald Duck from Thanksgiving Street 47/c, they can tell you that address doesn't exist, and ask for additional info and maybe proof of identity and address.

It depends on how thorough their checks are. Maybe they are randomly picking lucky winners whose data will be reviewed in detail, while others are accepted without any major problems.   

No, you can get them in a grocery store, without giving the cashier any data, but it's not activated out of the box. You have to go to some online website and activate it before it becomes usable. At least that's what I've heard; I still use a card from before these new laws.

And they work right out the gate? Like, you can plug it into a phone and it works immediately?

Maybe they claim to do this to fight against terrorism, but fighting against counter-terrorism would be a bit hysterical. :P
Joke aside, these types of measures are almost always unfounded and just arbitrary new ways of gaining more and more control over the population. It is clear that all these types of measures don't work. AML doesn't stop money laundering, KYC doesn't stop fraud and none of the above stops terrorism.

My guess is the same as yours, Rick. Sad but true.

I don't think I've actually ordered something while in the Balkans! Thanks, I will keep it in mind for the future; it sure sounds funny; having to run around town to find the delivery driver.. :D

I thought you actually have to do CEX-style KYC (video camera and ID card), but it's possible that I'm wrong; as I said, I don't have personal experience on this. However, as Pmalek says, with fake information it might work, but very clearly fake information will probably be filtered out automatically.

Unless they added personal document verification into the mix in the last couple of years, it shouldn't be a requirement. It could also depend on the network provider, who knows. It's been a couple of years since I last purchased and activated a EU SIM card.

A good way around this is to use one of those fake office addresses which is used by dozens of different companies as a registration address or just somewhere to receive their mail. It would be entirely reasonable for hundreds of different people to be registered to such an address. Search for "virtual business address" or similar to see what I mean.

Yeah, so fake information seems fine.

Depends partly on the type of SIM you buy, the carrier, and where you are buying it. Some require registration but accept any old nonsense as above, some work immediately.

At this point most of the world has SIM card registration if you want to be able to use them: https://www.comparitech.com/blog/vpn-privacy/sim-card-registration-laws/

Sometimes it's to 'fight against terrorism', sometimes it's 'just in case' surveillance, sometimes it's for tax reasons, etc. In Poland at least buying a SIM card registered on someone else's name, or from a different country isn't difficult or expensive ($5-10).