Second-hand digital hardware wallets may be cheaper, but they might contain the seeds of a scam that could lead to substantial losses of digital currency, such as bitcoins. That was the costly and painful lesson one British bitcoin trader recently learned after purchasing a used Ledger brand Nano S hardware wallet.
But knowledge is power, and that trader’s loss can be other digital currency users’ gain. The loss was due in part to user error, and not the technology of the wallet or bitcoin itself. What’s more, it takes just a few simple steps to safeguard the Ledger wallet, and send would-be scammers packing.
Begun almost a decade ago by an unidentified person known only as Satoshi Nakamoto, bitcoin is now taking the world by storm, according to sources in academia. It’s a digital currency, or crypto-currency, that allows users to make transactions through exchanges like Coinbase.
Unlike normal money, bitcoin and other digital currencies are unfettered by countries, banks or government agencies. Users deal with each other directly over a peer-to-peer network. Network nodes use cryptography to verify the transactions, and then record the transactions in a publicly distributed ledger, which is called a “blockchain.”
Bitcoins are created for users known as “miners,” who use computing power to ensure the blockchain is consistent, complete and unalterable. Mining involves complex algorithms and cryptography, and miners are rewarded with bitcoins.
Bitcoins can be traded for other currencies, or used to buy products and services.
Last year, between 2.9 and 5.8 million users were using cryptocurrency wallets, and most of these users were trading in bitcoin, according to researchers at the University of Cambridge.
What’s more, the popularity of bitcoin has caused its value to spike. In 2017 alone, the value of a single bitcoin increased seven-fold in just nine months. In November of last year, the total value of the bitcoin market was estimated to be worth about $150 billion.
Bitcoin’s security features also may account for some of its popularity. These features, which prevent it from being stolen or copied, involve cryptographic protocols. These protocols leverage factorization and other mathematical functions that make them difficult to crack.
Bitcoin and other digital currencies are competing with traditional, real-world currencies, but like them, they’re also prey to criminals. In 2016, cyber-crooks exploited a computer vulnerability to steal $74 million from 11,000 victims who had invested in an Initial Coin Offering (ICO).
Bitcoins are actually digital keys and can be stored in a digital wallet, which is also used to make transactions. Digital wallets exist on computers or computer clouds. Bitcoins can also be stored on a hardware wallet, such as the Ledger Nano S, which plugs into a computer’s USB port.
As the innocent British bitcoin user found out, used hardware wallets aren’t necessarily safe from scammers — especially if a scammer sells the user a hardware wallet with vulnerabilities already encoded into it.
The episode began innocently enough. The user thought he’d done everything right. The Ledger wallet was new and sealed, according to his Internet post. What’s more, he’d bought it from a re-seller on Ebay, which he believed to be a reputable merchant.
Before they can be used, Ledger wallets need to be initialized. That process involves plugging the Ledger wallet into a wall socket or computer USB port, selecting a PIN, and then copying the 24 words that the Ledger wallet’s “seed” randomly generates. These words are necessary if users ever need to recover their digital currencies.
Little did the man know, however, that the re-seller was also a con artist who had initiated a “man-in-the-middle attack.” The scammer had inserted his own seed words, and enclosed an authentic-looking – but fake – seed-word “recovery card” with the Ledger wallet.
The card, which bore the Ledger logo, was labeled “confidential document, please store in a safe place,” and included a scratch-off panel with directions. “Please scratch off the panel below to reveal your 24 word recovery seed,” the card read.
Since the seed words on the bogus recovery card matched the seed words in the Ledger wallet, the victim was fooled: he skipped the normal initialization process and didn’t change the seed words, allowing the scammer to become the man in the middle and fleece the victim.
The man subsequently used the Ledger wallet for a month and saw his original investment of £8000 more than triple. But when he checked his digital currency account in early January 2018, he found that someone had drained it.
The loss amounted to £25,000, or more than $34,000. The scam and loss so shocked the user that he also lost sleep – and his appetite – for several weeks.
He’d never fallen for any scam before, the man lamented online, and he hoped no one else would fall for the scam. Sadder still, the man could’ve stopped the hack by simply sticking with the Ledger wallet’s start-up process and use of the wallet’s seed, which is detailed here: https://support.ledgerwallet.com/hc/en-us/articles/115005161545-How-to-start-with-Ledger-Nano-S-
As the name implies, the wallet’s seed is its starting point – it creates the wallet’s identity and security. To ensure this security, users must make their own recovery document, or recovery sheet.
After connecting the wallet to a wall socket or computer, users are prompted to restore a configuration, or to choose an original seed configuration, then select a PIN code.
The 24 words will now appear on the wallet, one at a time. Users must write each word, in order, on the recovery sheet, double-check their spellings, and double-check their positions on the recovery sheet. The first word that appears will be in position #1 on the recovery sheet, and so on.
It may seem burdensome, but this last step is critical: it ensures that the wallet owner/user is his own “bank” and owner of the digital currencies it contains. Furthermore, users must keep the recovery sheet safe and secret, since it’s the only way to recover the coins if the wallet is lost.
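Why a pre-printed card is fatal, as an added sketch that is not Ledger's code: assuming the 24 words follow the BIP-39 scheme (each word is an 11-bit index into a 2048-word list, covering 256 secret bits plus an 8-bit SHA-256 checksum), the phrase is a reversible encoding of the wallet's secret, so whoever has seen the card holds the secret itself. The function names are hypothetical, and word indices stand in for the words because the wordlist is omitted.

```python
import hashlib
import secrets

WORDS = 24            # phrase length shown on the device
BITS_PER_WORD = 11    # assumption (BIP-39): each word indexes a 2048-word list
ENTROPY_BITS = 256    # 24 * 11 = 264 bits = 256 secret bits + 8 checksum bits
CHECKSUM_BITS = WORDS * BITS_PER_WORD - ENTROPY_BITS


def _checksum(entropy: bytes) -> int:
    """Leading 8 bits of SHA-256 over the secret entropy."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CHECKSUM_BITS)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Encode 32 secret bytes as 24 word indices (what the device displays)."""
    if len(entropy) * 8 != ENTROPY_BITS:
        raise ValueError("expected 32 bytes of entropy")
    value = (int.from_bytes(entropy, "big") << CHECKSUM_BITS) | _checksum(entropy)
    return [(value >> (BITS_PER_WORD * (WORDS - 1 - i))) & 0x7FF
            for i in range(WORDS)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Recover the secret from a written-down phrase, verifying the checksum."""
    if len(indices) != WORDS or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("need 24 indices in 0..2047")
    value = 0
    for i in indices:
        value = (value << BITS_PER_WORD) | i
    entropy = (value >> CHECKSUM_BITS).to_bytes(ENTROPY_BITS // 8, "big")
    if value & ((1 << CHECKSUM_BITS) - 1) != _checksum(entropy):
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


if __name__ == "__main__":
    secret = secrets.token_bytes(32)        # constructed sample secret
    phrase = entropy_to_indices(secret)     # what gets copied to the sheet
    # The sheet alone reproduces the secret exactly.
    print("card reveals secret:", indices_to_entropy(phrase) == secret)
    # A one-bit slip in the final word is rejected by the checksum.
    try:
        indices_to_entropy(phrase[:-1] + [phrase[-1] ^ 1])
    except ValueError as err:
        print("transcription error caught:", err)
```

The 8-bit checksum rejects a random transcription error 255 times out of 256, which is why checking each word and its position on the sheet still matters.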
Bitcoin and other digital currencies are only money in the bank – or digital wallet – if the wallet is secure and safe from scammers.