ben19850 (OP)
Newbie
Offline
Activity: 19
Merit: 3
|
|
August 12, 2021, 08:36:38 PM Last edit: January 30, 2022, 04:14:50 PM by ben19850 Merited by NotATether (2) |
|
lets say you make a fake HW wallet
people add a passphrase for extra secuirty and keep seed safe
could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would SHOW to the new user as there newly setup seed linked wallet?)
no need for the scammer to get seed ect... just give them a wallet that scammer has access to already
|
|
|
|
|
|
|
|
In order to achieve higher forum ranks, you need both activity points and merit points.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
LeGaulois
Copper Member
Legendary
Offline
Activity: 2870
Merit: 4095
Top Crypto Casino
|
|
August 12, 2021, 09:55:52 PM |
|
If a day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.
One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.
In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. Rarely people would open the device to check if everything is "legit", isn't? I did it once just for curiosity but I didn't do it with all my devices.
|
|
|
|
bitmover
Legendary
Offline
Activity: 2296
Merit: 5920
bitcoindata.science
|
|
August 12, 2021, 10:01:15 PM |
|
lets say you make a fake HW wallet
people add a passphrase for extra secuirty and keep seed safe
could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would give to the new user a there new seed linked wallet?
no need for the scammer to get seed ect... just give them a wallet that scammer has access to already
This is why you should only buy a hardware wallet official retailer or from the manufacturer . You shouldn't be buying one on eBay . There are even some attacks on official devices which become compromised with a physical attack, if the attacker has access to the device.
|
. .BLACKJACK ♠ FUN. | | | ███▄██████ ██████████████▀ ████████████ █████████████████ ████████████████▄▄ ░█████████████▀░▀▀ ██████████████████ ░██████████████ █████████████████▄ ░██████████████▀ ████████████ ███████████████░██ ██████████ | | CRYPTO CASINO & SPORTS BETTING | | │ | | │ | ▄▄███████▄▄ ▄███████████████▄ ███████████████████ █████████████████████ ███████████████████████ █████████████████████████ █████████████████████████ █████████████████████████ ███████████████████████ █████████████████████ ███████████████████ ▀███████████████▀ ███████████████████ | | .
|
|
|
|
ben19850 (OP)
Newbie
Offline
Activity: 19
Merit: 3
|
|
August 12, 2021, 10:02:06 PM |
|
If a day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.
One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.
In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. Rarely people would open the device to check if everything is "legit", isn't? I did it once just for curiosity but I didn't do it with all my devices.
If a day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.
One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.
In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. Rarely people would open the device to check if everything is "legit", isn't? I did it once just for curiosity but I didn't do it with all my devices.
what i mean is it wouldnt matter if a new seed was generated if it was a pre programmed BTC address the new user wouldnt know
|
|
|
|
dkbit98
Legendary
Offline
Activity: 2226
Merit: 7129
|
|
August 13, 2021, 09:27:44 AM |
|
lets say you make a fake HW wallet
I don't understand what do you mean make a fake hardware wallet? You mean ordered or DIY made device? Explain it better. You can add multiple passphrases to your wallet as extra protection that is working only in combination with your seed words, but keep them in different locations. For accessing any funds on that wallet, you also need to have pin code, and you need to know correct passphrase. You can also reset the device, and generate new random decoy wallet.
|
. .HUGE. | | | | | | █▀▀▀▀ █ █ █ █ █ █ █ █ █ █ █ █▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ . CASINO & SPORTSBOOK ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█ █ █ █ █ █ █ █ █ █ █ █ ▄▄▄▄█ | | |
|
|
|
Lucius
Legendary
Offline
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
|
what i mean is it wouldnt matter if a new seed was generated if it was a pre programmed BTC address the new user wouldnt know
If you buy a used HW that is basically original, and someone has already intentionally or accidentally set it up (generated seed), then it is generally considered that resetting such a device to factory settings is quite enough to use it safely later by generating a new seed. However, the question is whether such a device may have been modified in some way (hardware modification), and can allow the original owner to try to hack you. On the other hand, if someone were to make an effort to modify the HW in such a way that it always generates identical seed or perhaps to generate several sets of seed known to the hacker, in that case, no reset of the device would help. Even when someone buys an original HW directly from the manufacturer, you don't need to make a big deposit right away - because there is always the possibility of a new vulnerability that no one knew about before - test with small amounts, wait a few days and if everything is fine continue to use HW normally.
|
. .BLACKJACK ♠ FUN. | | | ███▄██████ ██████████████▀ ████████████ █████████████████ ████████████████▄▄ ░█████████████▀░▀▀ ██████████████████ ░██████████████ █████████████████▄ ░██████████████▀ ████████████ ███████████████░██ ██████████ | | CRYPTO CASINO & SPORTS BETTING | | │ | | │ | ▄▄███████▄▄ ▄███████████████▄ ███████████████████ █████████████████████ ███████████████████████ █████████████████████████ █████████████████████████ █████████████████████████ ███████████████████████ █████████████████████ ███████████████████ ▀███████████████▀ ███████████████████ | | .
|
|
|
|
NeuroticFish
Legendary
Offline
Activity: 3668
Merit: 6376
Looking for campaign manager? Contact icopress!
|
|
August 13, 2021, 10:47:06 AM |
|
could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would give to the new user a there new seed linked wallet?
no need for the scammer to get seed ect... just give them a wallet that scammer has access to already
As I see this, the so-called pre-programmed extra address will not be part of the seed based HD wallet. So whenever one uses this... device... will have a HD wallet+1 address. This means that the scammer will probably have to make his own wallet software too to import the extra address somehow. While some very new n00bs can be caught with this, I don't think that many can be so stupid to use both counterfeit HW and bad wallet software too, especially as legit wallet software comes free.
|
. .HUGE. | | | | | | █▀▀▀▀ █ █ █ █ █ █ █ █ █ █ █ █▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ . CASINO & SPORTSBOOK ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█ █ █ █ █ █ █ █ █ █ █ █ ▄▄▄▄█ | | |
|
|
|
Pmalek
Legendary
Offline
Activity: 2758
Merit: 7132
|
|
August 15, 2021, 08:42:15 AM |
|
If I understand the OP correctly, he is asking if it would be possible to create a wallet that always displays one or more receiving addresses of the hacker independent of what seed + seed extension the victim is using. The software of such a device would have no role at all, and would work as a regular hardware wallet where you are shown a seed to write down. But no matter what seed or passphrase you use, the device ends up displaying the same receiving addresses that ultimately leads to the victim making transactions to addresses that belong to the hacker. Is that it?
I don't think this is impossible.
|
. .BLACKJACK ♠ FUN. | | | ███▄██████ ██████████████▀ ████████████ █████████████████ ████████████████▄▄ ░█████████████▀░▀▀ ██████████████████ ░██████████████ █████████████████▄ ░██████████████▀ ████████████ ███████████████░██ ██████████ | | CRYPTO CASINO & SPORTS BETTING | | │ | | │ | ▄▄███████▄▄ ▄███████████████▄ ███████████████████ █████████████████████ ███████████████████████ █████████████████████████ █████████████████████████ █████████████████████████ ███████████████████████ █████████████████████ ███████████████████ ▀███████████████▀ ███████████████████ | | .
|
|
|
|
sheenshane
Legendary
Offline
Activity: 2394
Merit: 1215
Cashback 15%
|
|
August 15, 2021, 03:25:37 PM |
|
I don't see that there's a scam next if someone making their own fake HW wallets. If there is, that's a noob or innocent one that is new to the crypto world or considerable as a lazy one because it doesn't even have their own research regarding the no-brand wallet use.
Let say if they(scammer) modify the HW wallets and you bought it from the unofficial distributor store, I think the reset button is enough in the first place to secure your wallet and the hacker has nothing to do because it will generate another seed phrase and address.
All I see on this matter, it's unrealistic to happen. No one will risk their crypto assets from an unknown source of HW wallets.
|
. .HUGE. | | | | | | █▀▀▀▀ █ █ █ █ █ █ █ █ █ █ █ █▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ . CASINO & SPORTSBOOK ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█ █ █ █ █ █ █ █ █ █ █ █ ▄▄▄▄█ | | |
|
|
|
tenant48
|
|
August 15, 2021, 03:49:39 PM |
|
lets say you make a fake HW wallet
people add a passphrase for extra secuirty and keep seed safe
could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would give to the new user a there new seed linked wallet?
no need for the scammer to get seed ect... just give them a wallet that scammer has access to already
This situation is theoretically possible. To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use.
|
|
|
|
Pmalek
Legendary
Offline
Activity: 2758
Merit: 7132
|
|
August 15, 2021, 04:36:45 PM |
|
If there is, that's a noob or innocent one that is new to the crypto world or considerable as a lazy one because it doesn't even have their own research regarding the no-brand wallet use. Those are exactly the victims that scammers target. What you explained is not different from any other scheme that is created for newbies, those who are greedy, careless, and don't take the required amount of time to consider the consequences of their actions. Let say if they(scammer) modify the HW wallets and you bought it from the unofficial distributor store, I think the reset button is enough in the first place to secure your wallet and the hacker has nothing to do because it will generate another seed phrase and address. It wouldn't be enough if someone managed to create what I explained in my previous post in this thread. Besides, the scammers could use the leaked Shopify/Ledger databases to send out their fake products. We have already seen something like that not so long ago.
|
. .BLACKJACK ♠ FUN. | | | ███▄██████ ██████████████▀ ████████████ █████████████████ ████████████████▄▄ ░█████████████▀░▀▀ ██████████████████ ░██████████████ █████████████████▄ ░██████████████▀ ████████████ ███████████████░██ ██████████ | | CRYPTO CASINO & SPORTS BETTING | | │ | | │ | ▄▄███████▄▄ ▄███████████████▄ ███████████████████ █████████████████████ ███████████████████████ █████████████████████████ █████████████████████████ █████████████████████████ ███████████████████████ █████████████████████ ███████████████████ ▀███████████████▀ ███████████████████ | | .
|
|
|
|
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18509
|
|
August 15, 2021, 07:50:48 PM |
|
To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use. But how do you know your wallet is not generating seed phrases from a bank of several thousand or so which were pre-generated by an attacker? Just because the address did indeed come from the seed phrase you were displayed, does not mean your wallet is "normal" or safe. You need to have some way of verifying the firmware which is installed on your hardware wallet, or verifying the updates you are applying to it, and verifying that the firmware is truly generating a random seed phrase. You could also mitigate this by using a long and complex passphrase (and then verifying that the addresses you are being displayed are indeed generated from seed phrase + passphrase), so even if an attacker knew your seed phrase they still could not access your coins.
|
|
|
|
tenant48
|
|
August 16, 2021, 05:21:10 AM Last edit: August 16, 2021, 06:41:28 AM by tenant48 |
|
To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use. But how do you know your wallet is not generating seed phrases from a bank of several thousand or so which were pre-generated by an attacker? Just because the address did indeed come from the seed phrase you were displayed, does not mean your wallet is "normal" or safe. You need to have some way of verifying the firmware which is installed on your hardware wallet, or verifying the updates you are applying to it, and verifying that the firmware is truly generating a random seed phrase. You could also mitigate this by using a long and complex passphrase (and then verifying that the addresses you are being displayed are indeed generated from seed phrase + passphrase), so even if an attacker knew your seed phrase they still could not access your coins. The question was asked about a pre-installed BTC address by an attacker and I answered it. If you have doubts about the work of the built-in random seed generator, then you have two options: create your own seed manually or additionally protect the seed with a passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af?gi=a11722e479d8
|
|
|
|
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18509
|
|
August 16, 2021, 08:26:25 AM |
|
The question was asked about a pre-installed BTC address by an attacker and I answered it. Sure, your method protects against that specific attack, but it does not guarantee your wallet is "normal" as you suggested. passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed
It is far from ideal, though. A 24 word seed phrase provides 256 bits of security. 10 random lowercase characters provides only 47 bits. You shouldn't be relying on only a passphrase for all your security, and definitely not one so short.
|
|
|
|
tenant48
|
|
August 16, 2021, 09:04:19 AM |
|
passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed
It is far from ideal, though. A 24 word seed phrase provides 256 bits of security. 10 random lowercase characters provides only 47 bits. You shouldn't be relying on only a passphrase for all your security, and definitely not one so short. When you iterate over a seed of 24 words (256 bit), you have the opportunity to find millions of other wallets, since most wallets use the bip39 standard, in this case there should be sufficient redundancy. When you iterate over the passphrase, you have the opportunity to find only one single wallet, so such protection (10 -12 characters) will be enough. Read again the article https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af?gi=a11722e479d8 there is a table with examples of password phrases and the approximate cost of attacks
|
|
|
|
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18509
|
|
August 16, 2021, 10:17:34 AM |
|
-snip- Even if we assume there are 2.1 trillion 24-word BIP39 wallets with coins in them (as in, all 21 million bitcoin ever split up across 2.1 trillion wallets with only 1000 sats in each wallet), then you are still looking at a 1 in 5.5*10 64 chance of finding a collision. To find a single 10 character lowercase letter password is a 1 in 141,167,095,653,376 chance. The differences between these two numbers really cannot be overstated. That difference is comparable to the difference between a single atom and all the atoms in the entire world. Using a passphrase of that strength is almost certainly going to be fine if your seed phrase is secured. But in our scenario here of a seed phrase which is known to an attacker, then it is simply not good enough. You are massively reducing your security.
|
|
|
|
tenant48
|
|
August 16, 2021, 11:09:04 AM Last edit: August 16, 2021, 11:32:46 AM by tenant48 |
|
-snip- Even if we assume there are 2.1 trillion 24-word BIP39 wallets with coins in them (as in, all 21 million bitcoin ever split up across 2.1 trillion wallets with only 1000 sats in each wallet), then you are still looking at a 1 in 5.5*10 64 chance of finding a collision. To find a single 10 character lowercase letter password is a 1 in 141,167,095,653,376 chance. The differences between these two numbers really cannot be overstated. That difference is comparable to the difference between a single atom and all the atoms in the entire world. Using a passphrase of that strength is almost certainly going to be fine if your seed phrase is secured. But in our scenario here of a seed phrase which is known to an attacker, then it is simply not good enough. You are massively reducing your security. Sorry, the article was not written by me, but specialists from Trezor. It states that to brute force a passphrase of 10 characters, you will need to pay about $ 1,000,000 today. For 12 characters - $ 128,000,000. By renting servers on Amazon. Do you think this is insufficient protection? Or are you going to store hundreds of millions $ on one wallet? For this attack, the attacker must know your seed and be prepared to invest huge amounts of money with dubious results.
|
|
|
|
NotATether
Legendary
Offline
Activity: 1596
Merit: 6728
bitcoincleanup.com / bitmixlist.org
|
|
August 16, 2021, 03:24:50 PM |
|
Sorry, the article was not written by me, but specialists from Trezor. It states that to brute force a passphrase of 10 characters, you will need to pay about $ 1,000,000 today. For 12 characters - $ 128,000,000. By renting servers on Amazon. Do you think this is insufficient protection? Or are you going to store hundreds of millions $ on one wallet?
Never mind Amazon, you can't even rent $100 of computational capacity without filing a service limit increase request, and if you're not linking a credit card you got officially from a bank office then chances are you are going to be hit with an account suspension shortly after you commence the attack. Same goes for other cloud platforms near the size of AWS. A botnet is the most likely way to get power even remotely close to $1,000,000.
|
. .BLACKJACK ♠ FUN. | | | ███▄██████ ██████████████▀ ████████████ █████████████████ ████████████████▄▄ ░█████████████▀░▀▀ ██████████████████ ░██████████████ █████████████████▄ ░██████████████▀ ████████████ ███████████████░██ ██████████ | | CRYPTO CASINO & SPORTS BETTING | | │ | | │ | ▄▄███████▄▄ ▄███████████████▄ ███████████████████ █████████████████████ ███████████████████████ █████████████████████████ █████████████████████████ █████████████████████████ ███████████████████████ █████████████████████ ███████████████████ ▀███████████████▀ ███████████████████ | | .
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4316
<insert witty quote here>
|
|
August 19, 2021, 07:53:59 AM |
|
This "scam" isn't really any different to the one where certain paper wallet generators were giving out a set of pre-generated private keys known to the scammers.
It could just as easily be perpetrated using any type of wallet... web wallet, desktop wallet, mobile app or a "scam" hardware wallet.
The key is to ensure you have some way of ensuring that the addresses being displayed do indeed belong to the seed/private keys being generated. In the case of hardware wallets, having 2 from different manufacturers is certainly one way to be able to determine if the addresses being displayed are indeed correct for a given seed.
However, as someone else mentioned earlier... it doesn't really guarantee that the seed/private keys themselves are actually being randomly generated. For that, you'd probably need to generate your own seed (offline) using dice or something similar.
|
|
|
|
ben19850 (OP)
Newbie
Offline
Activity: 19
Merit: 3
|
|
January 30, 2022, 04:19:02 PM |
|
lets say you make a fake HW wallet
I don't understand what do you mean make a fake hardware wallet? You mean ordered or DIY made device? Explain it better. You can add multiple passphrases to your wallet as extra protection that is working only in combination with your seed words, but keep them in different locations. For accessing any funds on that wallet, you also need to have pin code, and you need to know correct passphrase. You can also reset the device, and generate new random decoy wallet. i mean make a fake a device thats is assumed to be 100% geuine(NOT FAKE) but the guts are programed to display a fake SEDD then a fake wallet address(a scammer control address)
|
|
|
|
|