How can a Ledger be compromised?
- This topic has 3 replies and 1 participant, and was last updated 2 years, 3 months ago by Sonicthoughts.
December 11, 2022 at 09:11 #1484307
root_s2yse8vt
Administrator::I see a lot of fears here: fingerprints, packaging, “drained” wallets.
But in what ways can a Ledger actually be compromised?
As far as I know, these two fears are justified:
– Fake software: the scam software asks you to enter your newly created seed phrase? Solution: triple-check the website you download Ledger from, and NEVER enter the seed phrase online.
– Pre-configured Ledger: the 24 words are already included in the package? Solution: reinstall the Ledger.
As long as it passes the background check of the legit software, everything is fine, right?
-
December 11, 2022 at 09:11 #1484308
dhork
Guest::There is a third clever hack that someone posted about some time ago: they open the thing up and squeeze in a small USB flash drive before selling it. It still looks like a Ledger, but when you plug it in instead of getting a Ledger you get their flash drive with their scammy software installed. It wouldn’t fool someone who knows what to expect, but it could fool someone who was new to Ledger.
I expect this would not pass the background check unless they found a way to add the flash drive while keeping the actual Ledger connected.
https://bitcoinmagazine.com/technical/ledger-hack-victim-scam-details
-
December 11, 2022 at 09:11 #1484310
TaterTots_Ledger
Guest::There are exactly 2 ways your Ledger Accounts can be *totally* compromised i.e., assets across multiple chains drained from one event.
1. Your 24 words are compromised
* Storing 24 words digitally (even as a picture or well-hidden in a document [a program can scan for BIP-39 words in sequence even if you have them in a larger document])
* Entering 24 words to any software – the ONLY place to enter your 24 words is your Ledger device. Anything else diminishes security and even if your funds aren’t immediately taken, it’s recommended that you drain accounts associated with these phrases and migrate your assets to new 24 words and their derived accounts.
2. Your PIN is compromised by someone with access to your device.
* this one is far more intuitive. In the same way that your device and PIN combined give you unlimited access to all of your accounts, so too could anyone who knows your PIN and has your device.
That covers the catastrophic cases, but there are tons of other instances where specific accounts can be compromised, they’re quite common on smart contract chains and generally revolve around granting some sort of approval that has unintended consequences. Best practice is to carefully scrutinize how many people have interacted with a given contract before setting new approvals and whenever possible, mitigate risk by testing with a wallet that doesn’t hold all of your assets, be that a hot wallet or a Ledger-derived account that you create for this purpose.
Note that in instances where devices may be physically manipulated or if someone managed to install fake firmware/software, they would not be able to pass Ledger Live’s genuineness check, so you’d likely know they were malicious before getting rekt.
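Added example, not part of the thread and not Ledger code: a self-audit of your own notes for the risk mentioned above, that BIP-39 words in sequence can be found inside a larger document. `WORDLIST` holds only the first 24 words of the English BIP-39 list as a constructed stand-in, `find_seed_runs` and `SAMPLE` are hypothetical names, and hits are reported by line and length only so the phrase is never echoed.

```python
import re

# Constructed stand-in: only the first 24 entries of the 2048-word English
# BIP-39 list. A real audit would load the complete list from a local file.
WORDLIST = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
actress actual""".split())

def find_seed_runs(text, min_len=12):
    """Return (start_line, word_count) for every run of at least min_len
    consecutive wordlist words. Digits and punctuation between words are
    ignored, so numbered lists ("1. abandon 2. ability") still match.
    The words themselves are never returned or printed."""
    hits, run, start_line = [], 0, 0
    for m in re.finditer(r"[A-Za-z]+", text):
        if m.group().lower() in WORDLIST:
            if run == 0:
                start_line = text.count("\n", 0, m.start()) + 1
            run += 1
            continue
        if run >= min_len:          # run just ended on a non-list word
            hits.append((start_line, run))
        run = 0
    if run >= min_len:              # run reached end of text
        hits.append((start_line, run))
    return hits

# Constructed sample document: ordinary notes with a numbered phrase buried in it.
SAMPLE = """Shopping list: milk, eggs, bread
notes about the trip, able to act on it later
1. abandon 2. ability 3. able 4. about
5. above 6. absent 7. absorb 8. abstract
9. absurd 10. abuse 11. access 12. accident
call the bank on Monday
"""

if __name__ == "__main__":
    for line, count in find_seed_runs(SAMPLE):
        print(f"possible seed phrase: {count} BIP-39 words starting at line {line}")
```

Any file this flags should be treated as an exposed phrase: move the funds to accounts derived from new 24 words, as the post above recommends.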