Bitcoin Forum
Author Topic: Do Hardware wallet Manufacturers Ship to PO Boxes or Not?  (Read 590 times)
This is a self-moderated topic. If you do not want to be moderated by the person who started this topic, create a new topic. (3 posts by 2+ users deleted.)
o_e_l_e_o
September 11, 2022, 08:03:08 PM
 #21

I look at it closer to the fact that a single trusted user doing it as a side hustle that only deals with hardware wallets is more likely to get away with the 'I don't keep records' thing if something happens than a full service company.
Yeah, that's a fair point. I guess you would then need to weigh up the pros and cons of not having your details shared with a hardware wallet manufacturer and all their third party buddies on one hand, versus inserting a third party into the delivery chain and the theoretical risk of supply chain attacks. And even if you trust the third party not to attack your hardware wallet, do you also trust them to be as honest as they claim with your personal details and have a rock solid security setup?

But I guess if you are like me, and are getting to that level of paranoia, then the best option is probably going to be to ignore hardware wallets altogether and use an airgapped computer instead.
Pmalek (OP)
September 12, 2022, 06:57:34 AM
Merited by o_e_l_e_o (4), JayJuanGee (1)
 #22

What kind of delivery fees or customs/import fees would you be looking at to import to the EU from the US? And I presume a PO Box would be out of the question in such a case.
The official shop doesn't show clear information about the tax fees during checkout. But shipping it to the EU from the USA would cost you from $24 to $45 depending on the speed of delivery. There is also an estimation about taxes that says:

Quote
Estimated USD 53.8 tax & duty due on delivery (Tax handling fees may apply)
https://foundationdevices.com/checkout/#cfw-shipping-method
Depending on the shipping method, the tax & duty amount changes to $56.95 and $57.93.

I made a similar inquiry just to see how much it would cost to have a Foundation device delivered to a South American country. Shipping fees are $25 to $53 for Argentina. The tax and duty fees are estimated at $59 to $65 depending on shipping method.

o_e_l_e_o
September 12, 2022, 07:56:36 AM
 #23

-snip-
Ooft. That's an extra $100 on top of what is already not a cheap device. And how does it work in the EU with imports? Will there be a customs fee or import charge on top of that as well? Or is that what they mean by the tax and duty fee they've already included?

Still, looking at the EU reseller, they are charging $335 at current conversion rates for the original Passport, while the official site is charging $260 for the new model. Guess you'll need to wait and see what price the resellers charge for the new model to see which is the better option for you.
Pmalek (OP)
September 12, 2022, 08:31:55 AM
 #24

And how does it work in the EU with imports? Will there be a customs fee or import charge on top of that as well? Or is that what they mean by the tax and duty fee they've already included?
I am not sure if the customs fee is included in that estimate. Since the package comes from the USA (a non-EU country), customs fees and VAT will surely be added on top of the price of the product. There might be additional charges as well. I don't have more information about what the total fees are for electronic devices such as hardware wallets. It's surely different from country to country. Maybe "Buying goods online coming from a non-European Union country" can help.

n0nce
September 12, 2022, 01:00:41 PM
 #25

However, I'm not sure why Passport batch2 is not yet available from European resellers.
Are they not still at the pre-order phase? I wouldn't expect re-sellers to offer them for sale until they had confirmation from Foundation Devices that their shipment was complete and ready to go.
They are, but it should have been possible to do preorders through resellers, in my opinion.
Not sure how they handled it in batch 1, but that was a preorder, too. I believe that resellers just bought / preordered a fixed amount and - well - resold it in their stores.

What kind of delivery fees or customs/import fees would you be looking at to import to the EU from the US? And I presume a PO Box would be out of the question in such a case.
We usually need to pay VAT and import tax if it's above some threshold (like around 100 bucks). Yes, the PO box shipping is a problem when importing stuff.
Therefore I made sure to order in a different way.

Never forget!
A bar code rather than a QR code? What is this, the 90s!? Did you find that picture on Geocities? :P
It is the 90s! :D The Perl code is actually from adam3us.

DaveF
September 13, 2022, 03:37:18 PM
 #26

I look at it closer to the fact that a single trusted user doing it as a side hustle that only deals with hardware wallets is more likely to get away with the 'I don't keep records' thing if something happens than a full service company.
Yeah, that's a fair point. I guess you would then need to weigh up the pros and cons of not having your details shared with a hardware wallet manufacturer and all their third party buddies on one hand, versus inserting a third party into the delivery chain and the theoretical risk of supply chain attacks. And even if you trust the third party not to attack your hardware wallet, do you also trust them to be as honest as they claim with your personal details and have a rock solid security setup?

But I guess if you are like me, and are getting to that level of paranoia, then the best option is probably going to be to ignore hardware wallets altogether and use an airgapped computer instead.

I look at it more as OP-Sec than paranoia. Going with the assumption (yeah I know assumption) that a trusted user here is a low risk source for supply chain attacks then it is IMO somewhat easy to be invisible.
Disposable email -> new account -> contact shipper -> give info -> send BTC -> wait for delivery.

It could be you contacting the shipper, it could be theymos, it could be anyone, does not matter they would just need a name and address to ship to.

Talking about edge cases here, but still interesting to throw ideas around.

-Dave


Pmalek (OP)
September 22, 2022, 12:23:41 PM
 #27

Crypto payment processor information was missing for a few brands, so I did another check and added the ones I left out.

- Blockstream uses BTCPay Server.
- Coldcard doesn't seem to be using a payment processor judging by their store.
- Foundation Devices uses BTCPay Server.
- There is an issue with KeepKey when it comes to crypto payments. The system is currently not functional. I think they are using Coinbase Commerce.
- Trezor uses Confirmo.net.

m2017
October 13, 2022, 12:47:07 PM
 #28

It would be great if someone has experience in buying a hardware wallet and delivering it to PO Boxes, and is also willing to share information about the nuances of this. This could be useful (not only for me personally, because I have an interest in this), because the delivery of parcels to PO Boxes may differ due to the specifics of each country. I don't think that for the sake of this it is necessary to create a separate topic, because, in principle, the discussion of this fits into the concept of this topic. Are there people here who ordered a hardware wallet for a PO Box?

Pmalek (OP)
October 13, 2022, 01:38:28 PM
 #29

Using a PO Box would make you anonymous to the hardware wallet manufacturer, but the post office or the service you use will have information on file about you. If that data is stored digitally, we are back to the same problem. But this time it's not a hardware wallet manufacturer that stores your data, but the US Post Office or any other post office of the world. Can they be hacked or suffer a leak? Of course.

PO Boxes aren't available worldwide, many couriers require that you sign for the package upon delivery, and some couriers don't ship electronic devices to PO boxes. So there are different problems with using them. If you are not worried about supply chain attacks, you can always buy a HW by physically going into one of the shops they are sold at and purchase it there with cash.

DaveF
November 04, 2022, 03:03:57 PM
Merited by Pmalek (2), dkbit98 (1), n0nce (1)
 #30

At least in the US Keystone does allow shipping to PO Boxes:



If you are paying by credit card you will probably have to have the PO box listed as a shipping possibility.
And they are still at Amazon ($10 more) but you can have it shipped to an Amazon locker if there is one that you can get to.

Also, they use opennode.com for BTC payments and Coinbase Commerce for altcoins and also BTC.


-Dave

Pmalek (OP)
November 05, 2022, 08:00:30 AM
 #31

At least in the US Keystone does allow shipping to PO Boxes.
The data in the OP is based on what info I got from the customer support of all those companies. Does their online shop allow you to complete the purchase after selecting a PO box or is there an error or other type of notification that hinders it? Do you know what carrier they work with in the US? The information I got off the Ledger support team was that their packages in the USA are shipped via DHL, and they don't deliver to PO boxes. So it's a restriction set by the carrier company and not the device manufacturer. 

Also, they use opennode.com for BTC payments and Coinbase Commerce for altcoins and also BTC.
I got redirected to Coinbase Commerce when I imitated a fake purchase just to see where it would take me. It's the first time I hear payments are also processed by opennode.com. Are those Lightning payments maybe or is it a geographical thing that determines which payment processor a customer is redirected to?

DaveF
November 05, 2022, 11:19:51 AM
Last edit: November 05, 2022, 12:41:27 PM by DaveF
 #32

At least in the US Keystone does allow shipping to PO Boxes.
The data in the OP is based on what info I got from the customer support of all those companies. Does their online shop allow you to complete the purchase after selecting a PO box or is there an error or other type of notification that hinders it? Do you know what carrier they work with in the US? The information I got off the Ledger support team was that their packages in the USA are shipped via DHL, and they don't deliver to PO boxes. So it's a restriction set by the carrier company and not the device manufacturer.  

It went through with no issues. Since they do sell through Amazon here in the US I wonder if they are just using them for fulfillment here. Would cut down on a lot of work for them in terms of logistics.

Does this link work for you? https://www.amazon.com/stores/page/0360EBE5-E20C-45DC-836C-59573EAE62F5
 

Also, they use opennode.com for BTC payments and Coinbase Commerce for altcoins and also BTC.
I got redirected to Coinbase Commerce when I imitated a fake purchase just to see where it would take me. It's the first time I hear payments are also processed by opennode.com. Are those Lightning payments maybe or is it a geographical thing that determines which payment processor a customer is redirected to?

Lightning or onchain.
When I go to pay this is what I see, you have one option for Coinbase Commerce and one for BTC:




When I click through the BTC option it takes me to an opennode link, to pay a shopify cart.




So it could be they are using different providers depending on where the customer is coming from, could be they changed the day after you spoke to them. Or, it could be their customer service person who you were dealing with was wrong.

Shipping to a PO Box is probably not that big a deal in terms of security / privacy now since they are using a 3rd party cart we don't know what else is being captured. So assume that they know what you purchased, what IP you came from for geo location and a ton of other stuff. What information is shopify getting and keeping? We may never know.

That should probably be another column in the chart, self hosted cart or 3rd party.

-Dave

Pmalek (OP)
November 05, 2022, 01:36:48 PM
 #33

It went through with no issues. Since they do sell through Amazon here in the US I wonder if they are just using them for fulfillment here. Would cut down on a lot of work for them in terms of logistics.
That previous picture you posted, which shows delivery information to a PO BOX, is that an image taken from their official online store or from the Amazon link below?
 
Yeah, it works. I can see different Keystone products on the page.

DaveF
November 05, 2022, 06:42:32 PM
Last edit: November 05, 2022, 07:55:15 PM by DaveF
 #34

It went through with no issues. Since they do sell through Amazon here in the US I wonder if they are just using them for fulfillment here. Would cut down on a lot of work for them in terms of logistics.
That previous picture you posted, which shows delivery information to a PO BOX, is that an image taken from their official online store or from the Amazon link below?

Their store. The issue is, that Amazon does, or at least did give you the option of blind shipping. The return address will be a generic facility that 1000s of shippers use. Sometimes it's easy to spot since it's a known local Amazon warehouse. But, I have gotten packages from addresses that are just massive USPS facilities that I KNOW came from an Amazon warehouse.

 
Yeah, it works. I can see different Keystone products on the page.

If you order from there will it let you ship to a PO box?


Still I think there should be a discussion about 3rd party checkouts

Several hardware wallet manufacturers have suffered hacks and data leaks in the past. This trend might not stop, and I think we will also read similar stories in the future.

If like Keystone they are using a 3rd party cart. If they are doing enough with cookies and browser fingerprints they can easily know that DaveF who ordered the hardware wallet and paid with crypto and shipped to a PO box is the same DaveF that ordered the replacement battery for his motorcycle paid with Visa and shipped it to his house. At that point it does not matter if Keystone got hacked, you are now worrying about the 3rd party cart provider and when they get hacked.


-Dave

Pmalek (OP)
November 06, 2022, 07:37:16 AM
 #35

If you order from there will it let you ship to a PO box?
I tried with a PO Box address in Germany (also known as Postfach) and the site didn't report any errors. But who knows what would actually happen if you ordered a parcel, it arrived at the designated address, and it was time to pick it up. Would it even be delivered or would the courier call you and ask for an alternative?     

Still I think there should be a discussion about 3rd party checkouts
What do you consider 3rd-party checkouts? Ordering through Coinbase Commerce would be a 3rd-party checkout, for example, right? Paying the company directly from my wallet to theirs isn't in that case. Most HW do the former. 

DaveF
November 06, 2022, 11:08:49 AM
 #36

Still I think there should be a discussion about 3rd party checkouts
What do you consider 3rd-party checkouts? Ordering through Coinbase Commerce would be a 3rd-party checkout, for example, right? Paying the company directly from my wallet to theirs isn't in that case. Most HW do the former. 

Places that use shopping cart software that is hosted / run by someone else.

A store can run WooCommerce or PrestaShop or Open Cart or Zen Cart or many others and the cart information never leaves their server. Name / address and what I bought stays local to them. Picking on Keystone since they are the ones we have been talking about they send all that info to a 3rd party to handle the cart.

Coinbase Commerce is a payment processor. Some want more info than others. But keeping it internal by running something like BTCPay is still better.

Just thinking that since this is about privacy and data leaks it is worth a mention.


The counterpoint is that if Shopify does get hacked (again) it makes the news, due to the size and nature of who they are and what they do. If some business is hosting it themselves and there is a data breach, if they don't find out about it or tell people about it we may never know that our info is out there.

-Dave

Pmalek (OP)
November 06, 2022, 12:53:14 PM
 #37

Places that use shopping cart software that is hosted / run by someone else.

A store can run WooCommerce or PrestaShop or Open Cart or Zen Cart or many others and the cart information never leaves their server. Name / address and what I bought stays local to them. Picking on Keystone since they are the ones we have been talking about they send all that info to a 3rd party to handle the cart.
Unless that information is clearly mentioned somewhere, I am not sure where I could get it. This is surely not something that a regular support rep could help with. To be honest, I don't know which shopping cart software brands are self-hosted and which ones are operated by a 3rd-party myself. I will have to take your word for it and trust you gave me the correct info.

Some want more info than others. But keeping it internal by running something like BTCPay is still better.
I can't help but to think of Ledger in this situation. All it takes is one unknowledgeable or malicious employee to destroy your reputation forever. Ledger wasn't just affected by the Shopify breach. Their employees caused a similar incident themselves. Self-hosted or not, your data is still sitting on a server somewhere that could get hacked with enough motive and incentive. I agree that it's surely more rewarding attacking and breaching the defenses of a 3rd-party company, which handles such data by millions of customers than to attack one individual business.

n0nce
November 07, 2022, 12:16:54 AM
 #38

Some want more info than others. But keeping it internal by running something like BTCPay is still better.
I can't help but to think of Ledger in this situation. All it takes is one unknowledgeable or malicious employee to destroy your reputation forever. Ledger wasn't just affected by the Shopify breach. Their employees caused a similar incident themselves. Self-hosted or not, your data is still sitting on a server somewhere that could get hacked with enough motive and incentive. I agree that it's surely more rewarding attacking and breaching the defenses of a 3rd-party company, which handles such data by millions of customers than to attack one individual business.
There is one more nuance to this.
Sure; an individual business hosting everything themselves, may not notice a data breach quickly, may not communicate it to customers or if they do, customers may not read about it. These are the downsides. And I'd argue that it's more likely for a small business to fuck up some server configuration or have less tight security training of employees in non-technical fields like accounting and customer support (social engineering vector).

But hear me out: The most secure way to store data is not to store it. Or to store it for a very limited amount of time.
With all the shortcomings of self-hosting mentioned above, it is also much easier (and verifiable) to completely delete customer data when you host it yourself.

Pmalek (OP)
November 07, 2022, 07:52:18 AM
 #39

But hear me out: The most secure way to store data is not to store it. Or to store it for a very limited amount of time.
With all the shortcomings of self-hosting mentioned above, it is also much easier (and verifiable) to completely delete customer data when you host it yourself.
It would be great if it worked that way. But due to regulations and local laws, businesses are required to keep records of their customers for X period of time. Unfortunately, the X seems to be different from company to company and depending on the territory. Some businesses anonymize private data after a while. Even that's better than storing it in their computers for 10 years. I think Ledger stores them that long. Would be even better if that anonymized data was taken offline and stored on paper in a company office space somewhere and then simply destroyed once the law allows it. I guess I am dreaming now...   

n0nce
November 07, 2022, 09:47:17 PM
Merited by DaveF (2)
 #40

I guess I am dreaming now...   
You can live the dream today! :P

Regarding our privacy policy – we currently have our Wordpress + WooCommerce instance set to automatically clear personal data from orders 60 days after shipping. For cancelled orders, those clear automatically after 30 days.

We do download, encrypt, and store data offline for sales tax reporting (typically need the zip code for each order) and for warranty/repair requests. If someone contacts us 6 months after ordering, for example, we need to be able to look up the order details and confirm they are a customer in order to send a replacement device. I hope this is reasonable, as it is necessary to store some information when operating a business where customers are buying a physical product.

We are working on an internal "vault" tool that will allow us to automatically encrypt all customer data and rate limit + audit internal requests to view that data. That will be live internally sometime next year, and will allow us to more aggressively purge data from Wordpress + WooCommerce.

There will always be legal limitations, but companies can definitely do a lot to improve customer data security.
