Bitcoin Forum

Bitcoin => Hardware wallets => Topic started by: ray_d on February 27, 2025, 09:27:56 AM



Title: Trezor Question Please
Post by: ray_d on February 27, 2025, 09:27:56 AM
Hello

I need your guidance. My friend lives in another country, and the Trezor website does not ship to his country.
So he wants to order directly from a Trezor 3 reseller on Amazon.
But because it will ship from another country and he does not trust his postal service, he asked me: is there any way, when the Trezor 3 is received, to not use its default 24 seed phrase, and to wipe it and generate a new 24 seed phrase?

What I mean is: does the Trezor 3 have the ability to generate a new 24 seed phrase, and not use its device default 24 seed phrase?

Another question: when it's connected to the Trezor Suite app, is there any option to check whether this Trezor 3 has already been connected and used, and to check whether the app or firmware has already been updated on this device?

Thank you


Title: Re: Trezor Question Please
Post by: Charles-Tim on February 27, 2025, 09:35:04 AM
He can go for a verified reseller.

Read this: https://trezor.io/learn/a/authenticate-trezor-safe-3 to know if the Trezor Safe 3 is authentic or not.

> What I mean is: does the Trezor 3 have the ability to generate a new 24 seed phrase, and not use its device default 24 seed phrase?
Know that all seed phrases generated are new as long as you are using the original Trezor and not a fake one.


Title: Re: Trezor Question Please
Post by: OmegaStarScream on February 27, 2025, 09:39:09 AM
There is no default seedphrase. If you buy a Trezor for the first time, and find an existing wallet, it means someone has already used it.

But to answer your question, yes, you can wipe the device and generate another seedphrase but then, what if the actual device has been tampered with (hardware/firmware)? Read the above as mentioned by Charles-Tim.

I personally would be more concerned about using a third-party reseller, than the actual shipping service.





Title: Re: Trezor Question Please
Post by: ray_d on February 27, 2025, 10:51:57 AM
Thank you, @Charles-Tim and @OmegaStarScream.

Just one thing about third-party resellers: the Trezor website says you can buy it from the Amazon link without concern.
https://www.amazon.com/trezor

But @OmegaStarScream, I have a question: what is the concern about third-party resellers? For example, if we follow the steps mentioned by @Charles-Tim, then what is the other concern?
For example, what can a third party do with this device?
What other dangers are possible, please?

Can you please tell me more?
Thank you


Title: Re: Trezor Question Please
Post by: OmegaStarScream on February 27, 2025, 11:14:36 AM
> Thank you, @Charles-Tim and @OmegaStarScream.
>
> Just one thing about third-party resellers: the Trezor website says you can buy it from the Amazon link without concern.
> https://www.amazon.com/trezor
>
> But @OmegaStarScream, I have a question: what is the concern about third-party resellers? For example, if we follow the steps mentioned by @Charles-Tim, then what is the other concern?
> For example, what can a third party do with this device?
> What other dangers are possible, please?
>
> Can you please tell me more?
> Thank you

I'm pretty sure I have seen issues with devices bought through Amazon in the past, maybe not recently, but I believe I did.

But looking at Reddit[1][2] and the support responses, it doesn't seem like they're against it, they seem pretty confident (given that you follow the proper steps to check for the device authenticity). I guess I'm just too paranoid.

[1] https://www.reddit.com/r/TREZOR/comments/1ds7p2h/how_dangerous_is_it_to_order_a_safe_3_from_amazon/
[2] https://www.reddit.com/r/TREZOR/comments/1hg9iok/is_it_safe_to_buy_a_trezor_through_amazon/


Title: Re: Trezor Question Please
Post by: dkbit98 on February 27, 2025, 09:37:39 PM
> What I mean is: does the Trezor 3 have the ability to generate a new 24 seed phrase, and not use its device default 24 seed phrase?
There is no default 24 seed phrase with Trezor devices, and every time you are getting different words.
The user is always generating brand new seed words when they plug in a Trezor Safe 3 for the first time.
I think Trezor is proposing the use of 20 seed words with SLIP39 in their new devices, but it's easy to select and use the standard 12 or 24 words.
SLIP39 is better for multi-share backup for increased safety, but it adds more complexity if enabled:
https://content.trezor.io/slip39

> Another question: when it's connected to the Trezor Suite app, is there any option to check whether this Trezor 3 has already been connected and used, and to check whether the app or firmware has already been updated on this device?
This is going to be clearly visible in the lower left corner in Trezor Suite, and you can even make it auto-update if you want.


Title: Re: Trezor Question Please
Post by: FinneysTrueVision on February 28, 2025, 05:40:46 AM
Sometimes there are scammers who pretend to be authorized resellers when they are not. Before buying from a reseller, you should check Trezor’s website to know if they are legitimate.

As far as Amazon goes, Trezor does have an official storefront in several countries. I have recently purchased a Trezor Safe 5 from Amazon and it was a genuine device. There are several levels of protection to prevent you from losing funds if you accidentally bought a fake Trezor or if your device has been tampered with.

Every new device will have a special seal over the USB-C port. A scammer couldn’t install malicious firmware without destroying the seal. When the wallet first arrives it won’t have any firmware installed. Before installing anything, Trezor Suite will check if your device is genuine. Whenever your device is connected to Trezor Suite it will also check the authenticity of your firmware.


Title: Re: Trezor Question Please
Post by: Pmalek on February 28, 2025, 08:36:19 AM
If your friend can't purchase the Trezor from the official online shop, using an official reseller is fine. Just make sure the reseller is part of the authorized resellers network (https://trezor.io/resellers) and that you can reach their website from trezor.io. Don't google resellers and trust Google's recommendations or blog posts teaching you how to buy a Trezor in country X.

A brand-new and genuine Trezor doesn't come with a "default seed" nor is one given to you. If you get such a package, contact Trezor about it and don't use it. The user generates a seed during the setup process, and you can generate as many as you want. As others have mentioned, check the authenticity of your device before you send any money to it. The device should also not have a firmware installed. Your friend will have to pick between the Bitcoin-only or Universal firmware depending on his needs.


Title: Re: Trezor Question Please
Post by: Saint-loup on March 01, 2025, 09:28:04 PM
If you're looking for testimonies I have personally bought a Trezor device through Amazon and everything has been processed smoothly for me. It could be a good way to not directly give your physical address to a crypto company, in order to stay safe from any data breach or data reselling related to a crypto wallet purchase like what happened quite recently with Ledger. You can even pay with cryptos on Amazon, if gift cards are available for the Amazon website where you are making your purchase.
For your Trezor device, if you are really concerned it could be tampered with, you can enter your own seed generated from another source; the device is very unlikely to send your seed elsewhere on its own if your computer is free of any malware.


Title: Re: Trezor Question Please
Post by: Wind_FURY on March 06, 2025, 11:55:07 AM
> There is no default seedphrase. If you buy a Trezor for the first time, and find an existing wallet, it means someone has already used it.
>
> But to answer your question, yes, you can wipe the device and generate another seedphrase but then, what if the actual device has been tampered with (hardware/firmware)? Read the above as mentioned by Charles-Tim.
>
> I personally would be more concerned about using a third-party reseller, than the actual shipping service.


I recently bought a Trezor One from a reseller.

 👀

Have there been any reports that hardware wallet buyers' coins have been stolen because their hardware wallets were tampered with by a reseller?

It's still in the box. I'll post the "unboxing" in Pmalek's thread tomorrow. 8)


Title: Re: Trezor Question Please
Post by: Pmalek on March 06, 2025, 04:31:01 PM
> Have there been any reports that hardware wallet buyers' coins have been stolen because their hardware wallets were tampered with by a reseller?
I can't remember one incident off the top of my head. The problem with such "hacking cases" of hardware wallets is that most of the time the users weren't hacked at all. They fell for social engineering techniques and handed over their keys and money to scammers or someone close to them stole their coins. Some are unwilling to admit it and accept the fact that they were responsible for what happened. Ultimately, it's much easier to present the case as them not having done anything wrong and suddenly waking up with all their crypto gone.


Title: Re: Trezor Question Please
Post by: Wind_FURY on March 07, 2025, 02:36:37 AM
> > Have there been any reports that hardware wallet buyers' coins have been stolen because their hardware wallets were tampered with by a reseller?
> I can't remember one incident off the top of my head. The problem with such "hacking cases" of hardware wallets is that most of the time the users weren't hacked at all. They fell for social engineering techniques and handed over their keys and money to scammers or someone close to them stole their coins. Some are unwilling to admit it and accept the fact that they were responsible for what happened. Ultimately, it's much easier to present the case as them not having done anything wrong and suddenly waking up with all their crypto gone.


I'm aware of those social-engineering attacks. I believe that the hack of Bybit was a social-engineering attack that made the developers install some malicious software. But that's not the actual context. I'm asking if there are malicious resellers that tamper with the hardware wallets that they sell to steal users' coins.

That has never largely happened, no?


Title: Re: Trezor Question Please
Post by: Pmalek on March 07, 2025, 08:27:00 AM
> I'm asking if there are malicious resellers that tamper with the hardware wallets that they sell to steal users' coins.
>
> That has never largely happened, no?
I seriously doubt it. Official resellers who attempted something like that would lose all the credibility and trust which they probably needed to build for several years. Sure, one big heist might be worth jeopardizing all that if you are thinking like a criminal but it's a big risk nevertheless.

I also don't think it's that easy to tamper with hardware wallets as some people believe. Anyways, you should always verify the software and hardware (if possible) of your wallets regardless of where it came from.


Title: Re: Trezor Question Please
Post by: examplens on March 07, 2025, 04:25:02 PM
> I'm aware of those social-engineering attacks. I believe that the hack of Bybit was a social-engineering attack that made the developers install some malicious software. But that's not the actual context. I'm asking if there are malicious resellers that tamper with the hardware wallets that they sell to steal users' coins.
This should not happen with serious resellers, but we have already seen that some employers do something on their own. (Not when it comes to the Trezor).
What you need to know: Trezor does not come with a predefined seed phrase. You will surely get a proposal to update the firmware, and it is best to do it through the official Trezor Suite app.


Title: Re: Trezor Question Please
Post by: Cricktor on March 09, 2025, 05:59:07 PM
Someone already said it, but it doesn't hurt to repeat and emphasize:
All Trezors are shipped without preloaded software for your safety.

Trezor Suite will check if the bootloader of a Trezor is genuine or passed the internal genuineness check. The embedded Secure Element chip can act as a trust anchor and helps to verify the bootloader hasn't been tampered with.

The bootloader is initially locked and should stay locked. A locked bootloader will accept only genuine firmware. Once you unlock the bootloader, the attestation key in the Secure Element for Trezor Safe models is discarded, and as far as I read it can't be reinstated. So you will always be able to detect when, at any point in time, tampered firmware has been loaded on the device. A Trezor without an attestation key is not recognized as genuine or authentic anymore.

Firmware is signed and a Trezor very clearly displays when it is running non-genuine and/or non-signed firmware. You have to confirm that you're OK with running non-genuine firmware on the device, e.g. if you're a developer.

If your newly purchased Trezor already has firmware on it, someone used it before you. It's not a new, unused device then. You shouldn't accept this for a device sold as new.

And if you find a piece of paper with your device that already lists 12, 20 or 24 mnemonic recovery words, then something is very wrong. This should never be the case and is a clear sign of fraud or scam.
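

Added example (not part of any post above, and not Trezor's code or protocol): a generic model of how an attestation key in a secure element, as mentioned in the last post, lets a host tell a vendor-provisioned device from a copy. The names `Device`, `NewKey`, `Provision`, `Attest` and `Verify`, the P-256 curve, and the bare vendor signature standing in for a device certificate are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Device (hypothetical model): key never leaves the secure element; Pub and Cert are public.
type Device struct {
	key       *ecdsa.PrivateKey
	Pub, Cert []byte // Cert = vendor signature over Pub, standing in for a certificate
}

// Helpers; NewKey makes a P-256 key pair (vendor root or device key in this model).
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func digest(b []byte) []byte       { h := sha256.Sum256(b); return h[:] }
func NewKey() *ecdsa.PrivateKey    { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Provision is the factory step: the vendor root certifies a fresh device key.
func Provision(root *ecdsa.PrivateKey) *Device {
	k := NewKey()
	pub := must(x509.MarshalPKIXPublicKey(&k.PublicKey))
	return &Device{k, pub, must(ecdsa.SignASN1(rand.Reader, root, digest(pub)))}
}

// Attest is the device side: sign the host's fresh challenge with the device key.
func (d *Device) Attest(challenge []byte) []byte {
	return must(ecdsa.SignASN1(rand.Reader, d.key, digest(challenge)))
}

// Verify is the host side; it needs only the vendor's public root key.
func Verify(root *ecdsa.PublicKey, pub, cert, challenge, sig []byte) bool {
	if !ecdsa.VerifyASN1(root, digest(pub), cert) {
		return false // device key was not certified by the vendor
	}
	parsed, err := x509.ParsePKIXPublicKey(pub)
	devPub, ok := parsed.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(devPub, digest(challenge), sig)
}

func main() {
	root, c := NewKey(), make([]byte, 32)
	must(rand.Read(c)) // fresh random challenge for this session
	d := Provision(root)
	fmt.Println("genuine:", Verify(&root.PublicKey, d.Pub, d.Cert, c, d.Attest(c)))
}
```

In this model a device whose key was certified by a different root, a reply recorded for an earlier challenge, and a copied `Pub`/`Cert` pair without the matching private key all fail `Verify`.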