Ledger CTO discusses wallet’s safety after multiple security setbacks



Ledger, one of the crypto industry’s most popular hardware wallet providers, has faced multiple difficulties in recent weeks, including a breach of the company’s customer contact database and a wallet vulnerability that put users’ Bitcoin (BTC) at risk. Are the recent events simply the sum of a few difficult weeks, or is a larger unraveling at play?

Charles Guillemet, the chief technology officer of Ledger, told Cointelegraph: “As far as the database breach, an attacker got access to a portion of our e-commerce and marketing database through a third party’s API key that was misconfigured on our website, which allowed unauthorized access to our customers’ contact details and order data.”

Ledger’s data breached

The breach dates back to June and July 2020. Ledger received a tip on July 14 pointing to a possible weakness in the firm’s website, as the report by Cointelegraph detailed. Although Ledger repaired the issue following the tip, the company discovered that someone had already exploited the weakness on June 25. Nearly 1 million email addresses were leaked, and for 9,500 affected customers other private data, such as names and phone numbers, was exposed as well.

Guillemet said Ledger repaired the issue and disabled the troublesome API key that same day. “In addition, no payment information, credentials (passwords) or crypto funds were impacted,” he added. “This data breach has no link nor impact on our hardware wallets and the Ledger Live application,” he explained. “Customer crypto assets have always been safe and are not in peril,” he said, crediting the design of Ledger’s devices, which keep control of funds in the hands of the user rather than the company.

Jake Yocom-Piatt, the project lead at cryptocurrency Decred, said he was not surprised by the incident, noting that companies usually give less attention to defending their e-commerce databases. “When your core product is secure hardware, it is easy to forget that the security of your e-commerce software system is also important,” he told Cointelegraph, adding: “Many larger organizations view software security as a sunk cost because it falls outside their core product offering, so they cannot market it and extract profit.”

Wallets had a software vulnerability

Shortly after the data breach, on Aug. 5, Ledger device holders read about another difficulty surrounding their wallet of choice, as a software vulnerability surfaced. The flaw concerned the boundary between Bitcoin and its various forks, such as Litecoin (LTC), which share Bitcoin’s transaction format. By exploiting it, an attacker controlling the host computer could present a transaction as belonging to one asset, while the transaction the user confirmed on the device was in fact a valid transaction for a different asset, unbeknownst to the wallet owner.

Ledger issued a software update the same day, correcting the issue. On Aug. 26, when asked for additional comments, a Ledger public relations representative pointed to the company’s blog post of Aug. 5, which explained that a bounty hunter had found the vulnerability and that the update was Ledger’s response. “We’d like to assure you that this vulnerability cannot be used to obtain sensitive data like your private keys or recovery phrase,” Ledger clarified in the write-up.
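The following is an added example written for this page, not code from Ledger or from the bounty report, illustrating the mechanism behind a cross-coin confusion of this kind and one device-side check against it. It builds a constructed legacy (pre-segwit) transaction, computes the SIGHASH_ALL digest a signing device would sign, and shows that the preimage carries no chain identifier at all: the same bytes are a valid Bitcoin and a valid Litecoin transaction, so whichever coin’s app produces the signature, the signature spends the coin that the inputs really belong to. The policy function that follows is an assumption for illustration, not Ledger’s exact fix: the app for a given coin refuses to sign with keys derived under another coin’s SLIP-0044 coin_type, so the host cannot point the Litecoin app at the Bitcoin account keys. All transaction data (txids, hashes, amounts) is constructed and references nothing real.

```python
"""Added example (not Ledger's code): a Bitcoin-fork signing app must bind the
key it signs with to the coin it displays. Stdlib only."""
import hashlib
import struct

SIGHASH_ALL = 1
HARDENED = 0x80000000
# SLIP-0044 coin types used in BIP44 paths m/44'/coin_type'/account'/change/index
SLIP44 = {"BTC": 0, "LTC": 2}

# Constructed sample data: no real UTXO, key or address is referenced.
PREV_TXID = bytes.fromhex("aa" * 32)      # 32-byte txid, internal byte order
PUBKEY_HASH = bytes.fromhex("11" * 20)    # hash160 of the spending public key
DEST_HASH = bytes.fromhex("22" * 20)      # hash160 of the recipient


def p2pkh_script(h160: bytes) -> bytes:
    # OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG; identical on BTC and LTC.
    return b"\x76\xa9\x14" + h160 + b"\x88\xac"


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def serialize_legacy_tx(inputs, outputs, version=1, locktime=0) -> bytes:
    """inputs: [(txid, vout, script_sig)], outputs: [(value_sat, script_pubkey)]."""
    out = struct.pack("<i", version) + varint(len(inputs))
    for txid, vout, script_sig in inputs:
        out += txid + struct.pack("<I", vout) + varint(len(script_sig)) + script_sig
        out += b"\xff\xff\xff\xff"  # nSequence
    out += varint(len(outputs))
    for value, spk in outputs:
        out += struct.pack("<q", value) + varint(len(spk)) + spk
    return out + struct.pack("<I", locktime)


def legacy_sighash(inputs, outputs, index, script_code, hashtype=SIGHASH_ALL) -> bytes:
    """Pre-segwit SIGHASH_ALL: the spent input carries script_code, the other
    inputs an empty scriptSig, and the 4-byte hashtype is appended.  The
    preimage holds version, inputs, outputs, locktime and hashtype only; no
    field says which chain the transaction is for."""
    tmpl = [(t, v, script_code if i == index else b"") for i, (t, v, _) in enumerate(inputs)]
    return dsha256(serialize_legacy_tx(tmpl, outputs) + struct.pack("<I", hashtype))


def digest_the_device_signs() -> bytes:
    """One constructed input, one 50,000-unit output.  A Litecoin app fed these
    Bitcoin bytes signs exactly this digest, and the signature is valid on Bitcoin."""
    inputs = [(PREV_TXID, 0, b"")]
    outputs = [(50_000, p2pkh_script(DEST_HASH))]
    return legacy_sighash(inputs, outputs, 0, p2pkh_script(PUBKEY_HASH))


def parse_bip32_path(path: str) -> list:
    """'m/44'/2'/0'/0/0' -> [44|H, 2|H, 0|H, 0, 0]; raises on malformed input."""
    parts = path.strip().split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m/")
    indices = []
    for p in parts[1:]:
        hard = p.endswith("'") or p.endswith("h")
        n = int(p.rstrip("'h"))
        if not 0 <= n < HARDENED:
            raise ValueError("index out of range")
        indices.append(n | HARDENED if hard else n)
    return indices


def signing_policy(app_coin: str, path: str) -> tuple:
    """Illustrative device-side rule (an assumption, not Ledger's exact fix):
    the app for coin X signs only with keys under m/44'/coin_type(X)'/..., so
    the host cannot make the LTC app spend from the BTC account keys."""
    idx = parse_bip32_path(path)
    if len(idx) < 3 or idx[0] != (44 | HARDENED):
        return False, "not a BIP44 path"
    if not idx[1] & HARDENED:
        return False, "coin_type must be hardened"
    coin_type = idx[1] & 0x7FFFFFFF
    if coin_type != SLIP44[app_coin]:
        return False, f"path coin_type {coin_type} does not belong to {app_coin}"
    return True, "ok"


def host_requests_signature(app_coin: str, path: str, enforce_policy: bool) -> tuple:
    """Returns (signed, digest_or_reason).  The host controls both the path and
    the transaction bytes; only a policy on the device can refuse the request."""
    if enforce_policy:
        ok, reason = signing_policy(app_coin, path)
        if not ok:
            return False, reason
    return True, digest_the_device_signs()


if __name__ == "__main__":
    # Host asks the "LTC app" to sign with the Bitcoin account key path.
    print(host_requests_signature("LTC", "m/44'/0'/0'/0/0", enforce_policy=False))
    print(host_requests_signature("LTC", "m/44'/0'/0'/0/0", enforce_policy=True))
```

Without the policy the Litecoin app happily returns a digest over Bitcoin inputs; with it the request is refused before any signing takes place. The screen on the device is the only trusted display in this model, so whatever check binds the displayed asset to the signing key has to run on the device, not on the host.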

Ledger wallets still effective

Despite the recent difficulties, Ledger wallets remain a popular option for crypto storage. “Ledger and other hardware wallets are a major security upgrade for the average cryptocurrency user because they prevent remote access attacks — e.g., keylogging — from succeeding,” Yocom-Piatt said, adding:

“However, the protection against remote theft that comes with a hardware wallet is typically paired with a distinct decrease in privacy since the hardware wallet supplier can see exactly which coins a wallet controls.”

Twitter user CryptoGainz tweeted about difficulties he faced with his Ledger wallets on Aug. 13, citing unreliable software. Although the comment came shortly after the Aug. 5 vulnerability, the two proved unrelated, and CryptoGainz still expressed faith in the company’s wallets as a crypto storage option.


“They’re a safe way to store crypto, they just suck for trading via metamask on Uniswap,” CryptoGainz told Cointelegraph in a Twitter DM chat, referring to MetaMask, a browser wallet used to interact with decentralized applications, and to Uniswap, the decentralized exchange at the center of the latest trading craze.

Ledger customer protection

Although Ledger’s wallets raise the bar for security, users still need to know the best practices and tactics for protecting their assets. “We’re most worried about phishing attempts — emails from scammers pretending to be us,” Guillemet explained.

A phishing scam occurs when a malicious party sends an email, or another form of communication, disguised as coming from a different person or company in an attempt to obtain private information from the target. “We’ll never ask our clients for the 24 words of their recovery phrase,” Guillemet said, urging customers to use two-factor authentication and pointing to the educational material on security found on Ledger’s website.

Aside from phishing, Ledger’s devices also include safeguards against malware. “Ledger devices are designed to protect users’ funds against malware on users’ computers, including fake Ledger Live applications,” Guillemet explained, referring to Ledger’s desktop application for interacting with the devices. That protection rests on the device’s own screen: whatever a compromised host displays, the transaction the user confirms on the device is the one that gets signed, which is also why the fork vulnerability above mattered. He specified that users should make sure to get the app from Ledger’s official website or app store.

Yocom-Piatt also spoke on protection against company data breaches, such as the one Ledger suffered. “Since e-commerce systems typically have weak security, I recommend that users ordering these devices have them sent to an address that is not their primary residence,” he said.

Using a different physical address shields customers from exposure of their residence should such a breach occur, guarding against in-person theft of the Ledger device or coercion of its owner. “Also, when possible, you should avoid using the wallet software supplied by the hardware wallet vendor to maximize your privacy,” he added.

Self-custody of assets is a major selling point in the crypto industry, although it requires knowledge and technical prowess. That complexity may explain the push for mainstream crypto trading products, such as exchange-traded funds, in which companies custody assets on behalf of investors.



BTC payments coming to certain Quiznos shops, thanks to Bakkt collaboration




An upcoming collaboration between Bakkt and Quiznos will allow customers to pay for meals at certain locations with Bitcoin (BTC).

Customers will be able to pay in BTC at certain Quiznos shops in Colorado’s capital as part of an initial test run, according to a public statement on Tuesday. “The pilot will be available at select Quiznos locations across the Denver market, including the high-traffic Denver airport location, starting in mid-August,” the statement said.

Customers will be able to pay with Bitcoin via Bakkt’s app, a hub for holding and spending Bitcoin as well as managing reward points and other features. Quiznos is owned by REGO Restaurant Group. REGO’s president, Mark Lohmann, said in a statement:

“Partnering with an innovative platform such as Bakkt is appealing to us for a number of reasons, primarily because it allows us to accept bitcoin directly at the point of sale as part of a quick and seamless transaction […] As we continue our digital transformation journey and respond to mobile and millennial consumer demand for alternative and cryptocurrency payment options, we are excited to offer yet another accessible way for customers to buy a meal, in this case, through the Bakkt digital asset wallet.”

The test run comes with an extra perk as well. Quiznos customers will earn $15 of free Bitcoin if they install Bakkt’s app, purchase some BTC through it and then spend that BTC at a participating Quiznos shop, the statement said.

“Through a partnership with Bakkt, merchants and franchisees have the opportunity to accept bitcoin payments from consumers while still benefiting from a cash-settled experience,” the statement said. The statement did not make clear whether Quiznos would sell the received BTC right away.

Cointelegraph reached out to Bakkt for comment but did not receive a response in time for publication.