Ultimate Resource On Trezor Hardware Wallets (#GotBitcoin?)
Be careful, buy only from Trezor Shop or authorized resellers.
However, in recent weeks, we have discovered something more startling: a one-to-one copy of Trezor One. In other words, a fake Trezor device, manufactured by a different, unknown vendor.
While Trezor clones are marketed under a different name, manufactured by (legitimate) legal companies, allowing you to distinguish them from the original, a fake Trezor tries to replicate the original to the bone. It seeks to be as indistinguishable from the original as possible. It is not dissimilar to counterfeit brand clothing.
Similarly to clothing fakes, a fake Trezor One is often sold at a steep discount. This should act as the first red flag. Others will be described below.
More importantly though, let’s have a look at why fake Trezor devices can be a severe threat to your security. As we did not manufacture the device, we cannot guarantee its function. These fake devices are thus unsuitable for secure storage of cryptocurrencies and other digital assets.
You would not entrust your money to somebody who has already cheated you by selling you a different product than you thought you were buying. We, therefore, recommend that you do not use this device and that you report it to us, which would help us fight these scams and provide you with a legitimate device.
As soon as we learned about the existence of Trezor fakes, we started to fervently pursue a number of legal and other steps to prevent those fakes from being produced and distributed, in order to protect you, our customers.
How to check if your device is genuine.
We warn our customers about the hologram when they log in to wallet.trezor.io for the first time.
If you suspect you have bought a fake Trezor One device, do not use the device and contact our support immediately.
Original Trezor One holographic seal (above) in contrast with fake holographic seal (below)
How to shop for a genuine Trezor One device.
The simplest way to procure your genuine Trezor One is to buy it at the official Trezor shop, official Amazon shop or from official resellers. Be very cautious when buying on other marketplaces, such as eBay, Taobao, AliExpress, unknown Amazon resellers or other places. If you are not sure about the authenticity of the seller or the channel, always proceed with the official channels. You can find more information about the security elements both for Trezor One and Trezor Model T on our Wiki.
When It Comes To Your Coins, Keep It Quiet
Have you ever heard the saying “Silence is golden”? In the context of cryptocurrencies, being quiet about your funds will not bring you gold, but it might just save your coins.
Beware of stranger danger.
Let’s suppose that you have invested a lot of money in cryptocurrencies, or that your investments have paid off and your cryptocurrency funds have multiplied.
Obviously, you are pleased about it, and you want to share your success story with other people, so you post a comment about it on Facebook or Reddit.
A random reader of your post might then decide that he or she really wants your riches and starts using a variety of malicious tactics to get them. These might include cyber attacks or even physical violence. (You would be surprised how much information can be mined from your social media, including your physical location.)
Use Common Sense
In the offline face-to-face world, a bit of restraint might come in handy as well.
It is easy to have a few beers and start to be a bit more talkative. Making friends is great, but the contents of your Trezor wallet might not be the best topic to begin with, just like you wouldn’t talk to everyone about your regular bank account balance or your salary.
Don’t Be An Easy Target
A Trezor hardware wallet, One or Model T, is a perfectly safe, cryptographically protected place for your coins and keys.
However, keeping a low profile will protect you from other people even trying to steal your funds or harm you. Physical violence or blackmail are things even Trezor cannot protect you from.
What to avoid?
While publicly advocating the benefits of crypto is perfectly fine, boasting about how much you actually own might not be a good idea.
Avoid talking about your account balances with people you do not trust. (Sometimes, you should keep quiet even with people you trust.)
Avoid posting about your personal funds on social media and on internet forums.
Never ever post your recovery seed online or show it to anybody else.
Use a fresh receiving address for your incoming transactions. If not careful, your address may be used to track your balance and transaction history.
Phishing Attacks Used To Steal Your Coins
Ever since the dawn of the internet, there has been a type of malicious activity almost immune to technological advancement in cybersecurity — social engineering. Nowadays, the target of these practices can be even you and your cryptocurrencies.
Phishing is a type of attack which relies on the fallibility of human judgment and perception. Phishing, the most widespread form of attack, is regularly used to extract sensitive data such as credit card numbers, SSN, passwords, and other confidential information from unknowing users online by letting them submit this information directly to the attacker.
Trust Your Device
Your internet browser and software wallets are often susceptible to malware and tricks implemented to mislead you or lure out information which should never get online. Your Trezor device, however, stays offline and is isolated from these attempts to misdirect you. The fundamental purpose of your Trezor device is to keep your recovery seed isolated. You should always look at your device for confirmation of all operations, especially when working with your recovery seed. Your computer should never require the use of your seed without the device knowing it.
Moreover, if you ever need to use the recovery seed to access your accounts, the device will always instruct you to enter the words in a shuffled order. We recommend entering the words of your seed directly on the device to maximize the safety of this operation.
There is a variety of phishing techniques which could be used to carry out an attack. In this article, we offer you some basic knowledge and tips on how to protect yourself against these kinds of malicious attempts.
The Impersonation technique is one of the fastest to carry out and technologically simplest to implement. The attacker usually impersonates a Customer Service agent or Sales representative and tries to lure sensitive information from an unaware user using emails, phone communication or a spoofed website.
Trezor (SatoshiLabs) representatives will never ever ask for your recovery seed (in any form) or a credit card number.
If you ever have a problem with your device or have some questions about Trezor-related issues, be sure to reach out to us only by submitting a ticket in our Support Center.
We do not provide phone call or live technical support. Do not call numbers that claim to be associated with the Trezor Support team.
Many phishing techniques aim to get you to a fraudulent site where all inputs are collected and controlled by the attacker. Similarly to the impersonation techniques, these are also designed to rob you of your private keys.
The DNS poisoning technique takes advantage of how the Domain Name System works and sends the visitor off in the wrong direction, making the site appear to be offline or even redirecting users to a server the attacker controls. BGP hijacking, on the other hand, is the process of taking control of a group of IP prefixes assigned to a potential victim. Both methods can be identified by an invalid SSL certificate, but users can skip the warning very quickly, leading them to the malicious site. It is, therefore, crucial to be wary of all signs, especially when working with something as important as cryptocurrencies.
The Unicode domain phishing attack, also known as IDN homograph attack, relies on the fact that the affected browsers show Unicode characters used in domain names as ordinary characters, making them virtually impossible to separate from legitimate domains. If an attacker can register a domain that is visually indistinguishable from a legitimate one, he can trick users into trusting the site.
Cybersquatting refers to illegal domain name registration or use. It can have many different forms, but its primary purpose is to steal or misspell a domain name. Cybersquatting can also include advertisers who mimic domain names that are similar to famous, highly trafficked websites.
Never enter your recovery seed online in a straight sequence and never disclose the order of the words.
Trust your device. Look for confirmation on the screen, especially when it involves transactions or your recovery seed.
Make sure the URL is exactly: https://wallet.trezor.io (or https://beta-wallet.trezor.io). Although the “Secure” https lock may not be a guarantee of the authenticity of the website, be alarmed if it is missing.
* Carefully observe the website addresses and watch out for any misspellings or odd characters.
* Bookmark https://wallet.trezor.io to avoid misspelling it in the address bar of your browser.
* Use updated security software, and install security patches and updates as they are made available.
* Avoid clicking on links in an email or social media unless you are absolutely sure that it is authentic. (Hover above the links to see the URL before clicking on it and then enter the URL by yourself.)
* Pay particularly close attention to shortened links, especially on social media.
* Be vigilant. Do some research first before you decide to trust a third-party service with your sensitive information (even your xpub).
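The address checks above (exact wallet URL, https, misspellings, odd Unicode characters) can be automated before a link is opened. The following is an added example, not code from Trezor or from the original article; the function names, the edit-distance threshold of 2 and the sample URLs are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# The two wallet hosts named in the text above. Both are pure ASCII.
OFFICIAL_HOSTS = ("wallet.trezor.io", "beta-wallet.trezor.io")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (misspelled) hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_wallet_url(url):
    """Return (verdict, reasons); verdict is 'ok', 'lookalike' or 'untrusted'."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""  # urlsplit lower-cases the host for us
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is %r, not https" % parts.scheme)
    # Name every non-ASCII character so a homograph is visible in the report.
    odd = sorted({unicodedata.name(c, "U+%04X" % ord(c)) for c in host if ord(c) > 127})
    if odd:
        reasons.append("non-ASCII characters in host: " + ", ".join(odd))
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label in host")
    if host in OFFICIAL_HOSTS:
        # Right host, but a missing https lock is still a reason to stop.
        return ("untrusted" if reasons else "ok"), reasons
    nearest = min(OFFICIAL_HOSTS, key=lambda h: edit_distance(host, h))
    dist = edit_distance(host, nearest)
    if dist <= 2:  # assumed threshold: one or two changed characters
        reasons.append("host %r is within edit distance %d of %r" % (host, dist, nearest))
        return "lookalike", reasons
    reasons.append("host %r is not an official wallet host" % host)
    return "untrusted", reasons


if __name__ == "__main__":
    # Constructed sample URLs; the misspelled and Cyrillic hosts are made up.
    samples = [
        "https://wallet.trezor.io/",
        "http://wallet.trezor.io/",
        "https://wallet.trezzor.io/",
        "https://wall\u0435t.trezor.io/",  # U+0435 CYRILLIC SMALL LETTER IE
        "https://example.org/",
    ]
    for url in samples:
        verdict, reasons = check_wallet_url(url)
        print("%-10s %s  %s" % (verdict, ascii(url), "; ".join(reasons)))
```

The Cyrillic sample renders almost identically to the real host in many fonts, which is why the report names the character instead of printing it.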
SatoshiLabs Rolls Out Bitcoin-Only Firmware for Trezor Wallets
SatoshiLabs, the Prague-based manufacturer of hardware cryptocurrency wallets Trezor, released a beta version of its new firmware that supports Bitcoin (BTC) exclusively.
“Orange Coin Good!”
According to the blog post published on Sept. 9, SatoshiLabs’ new BTC firmware is now available to download for both Trezor One and Trezor Model T.
The company also noted that it aims to introduce a “stable version” of Bitcoin-only firmware in the next month’s release, adding:
“From now on, we will be producing four different versions of firmware — regular (full altcoin support + U2F/WebAuthn) and Bitcoin-only, for both Trezor One and Model T. […] We have created a customized version of both our firmware and Wallet designed for everyone who supports the idea of Bitcoin. Every Bitcoin maximalist can now enjoy the Wallet interface with nothing else but Bitcoin.”
Firmware For Bitcoin Maximalists
Per the announcement, to install the new firmware, users will require Trezor Model T (version 2.1.0 or newer) or Trezor One, access to Trezor Beta Wallet or trezorctl, and a correct firmware installation file.
As Cointelegraph reported on March 11, Trezor’s direct competitor — major hardware crypto wallets manufacturer Ledger — disclosed five reported vulnerabilities in Trezor One and Trezor Model T.
In response, Trezor later claimed that none of the weaknesses revealed by Ledger are “critical” for hardware wallets. It was stated that none of them can be exploited remotely, as the attacks described require “physical access to the device, specialized equipment, time, and technical expertise.”
Trezor Wallets Can Be Hacked, Kraken Reveals
Kraken Security Labs revealed on Jan. 31 that Trezor hardware wallets and their derivatives can be hacked to extract private keys. Though the procedure is quite involved, Kraken claims that it “requires just 15 minutes of physical access to the device.”
The attack requires a physical intervention on the Trezor wallet by either extracting its chip and placing it on a special device or soldering a couple of critical connectors.
The Trezor chip must then be connected to a “glitcher device” that would send it signals at specific moments. These break the built-in protection that prevents the chip’s memory from being read by external devices.
The trick allows the attacker to read critical wallet parameters, including the private key seed.
Though the seed is encrypted with a PIN-generated key, the researchers were able to brute force the combination in just two minutes.
The vulnerability is caused by the specific hardware used by Trezor, meaning that the company cannot easily fix it. It would need to completely redesign the wallet and recall all existing models.
In the meantime, Kraken urged Trezor and KeepKey users to not allow anyone to physically access the wallet.
In a coordinated response published by Trezor, the team minimized the impact of the vulnerability. The company argued that the attack would show visible signs of tampering due to the need to open the device, while also noting that the attack requires extremely specialized hardware to perform.
Finally, the team suggested users activate the wallet’s passphrase feature to protect from such attacks. The password is never stored on the device as it is added to the seed to generate the private key on the fly. Kraken also noted that this is a viable alternative, though researchers referred to it as “a bit clunky to use in practice.”
The feature also adds significant responsibility to each user. The passphrase needs to be complex enough to not be easily brute forced as well, and forgetting it would completely lock users out of their money.
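Why the passphrase never needs to be stored, and why a forgotten or mistyped one locks the user out, is visible in the seed derivation itself. The following is an added example, not Trezor's firmware code; it assumes the standard BIP39 derivation and uses the public BIP39 test mnemonic, and the helper names are hypothetical.

```python
import hashlib
import unicodedata

# Public BIP39 test mnemonic (all-zero entropy). Constructed demo input:
# it is known to everyone and must never hold funds.
TEST_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the mnemonic, salted with
    "mnemonic" + passphrase, 2048 rounds, 64-byte output."""
    def norm(s):
        return unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", norm(mnemonic), norm("mnemonic" + passphrase), 2048, dklen=64
    )


def hidden_wallets(mnemonic, passphrases):
    """Map each passphrase to a short fingerprint of the seed it unlocks."""
    return {
        p: hashlib.sha256(bip39_seed(mnemonic, p)).hexdigest()[:12]
        for p in passphrases
    }


if __name__ == "__main__":
    # Every passphrase, including the empty one and near-identical typos,
    # derives a complete and valid seed. Nothing signals a "wrong" entry:
    # a typo simply opens a different, empty wallet.
    for phrase, fp in hidden_wallets(
        TEST_MNEMONIC, ["", "TREZOR", "trezor", "TREZOR "]
    ).items():
        print("%-10r -> wallet %s" % (phrase, fp))
```

Because the passphrase only enters as part of the salt, the data stored on the device is the same whether or not a passphrase is in use, and there is no stored value to check a passphrase against.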
Cointelegraph reached out to Kraken for additional details, but had not received a response as of press time. The article will be updated as more information becomes available.
Ledger Reignites Trezor Beef With ‘Dishonest’ Report on Crypto Wallet Hardware
Cryptocurrency hardware wallet manufacturer Ledger has reignited an old feud with competitor Trezor, in a blog post dated Feb. 13 highlighting the claimed benefits of its internal Secure Element chips. Trezor co-founder and CEO of SatoshiLabs, Marek “Slush” Palatinus, hit straight back, in a tweet accusing the post of being “dishonest” and not telling the “whole story.”
The Ledger post compared the three internal chip types common to hardware wallet devices: Microcontroller Units (MCU), Safe Memory chips and its own Secure Elements.
It claimed that the MCUs found in Trezor wallets were intended for general devices such as microwaves and TV remotes, and had no embedded countermeasures against physical security attacks.
Furthermore, it stated that Safe Memory chips, used in certain other manufacturers’ hardware wallets, were not third-party tested, and were vulnerable to side-channel attacks as the private keys were passed to the MCU.
Only part of the story
Palatinus retweeted the post, claiming that Ledger was being “dishonest” and “point[ing] out only part of the whole story.”
A non-disclosure agreement (NDA) for Secure Elements chip vendors prevents wallet manufacturers from discussing security issues, according to the tweet:
“Trezor is using nonNDA chips so we can be fully transparent and act in your best interest.”
Palatinus promised to talk more about the implications of NDAs to end-user security at the Bitcoin 2020 conference in March.
Ledger previously clashed with Trezor last March, when it published a report disclosing five supposed vulnerabilities in Trezor hardware wallets.
As Cointelegraph reported, Trezor was quick to respond, pointing out that none of the vulnerabilities were critical for hardware wallets. Furthermore, none of the weaknesses could be exploited remotely, with all requiring physical access to the device.
Things seemed to have calmed down since then, but with this latest post, Ledger may well have reignited an old beef.
Trezor Claims New “Phishing Proof” Desktop Wallet
The desktop app reportedly provides “more robust protection” than Trezor’s browser-based wallet.
Crypto wallet provider Trezor has launched a new desktop app called Trezor Suite for its hardware wallet.
According to an Oct. 14 blog post, Trezor’s parent company Satoshi Labs claimed its desktop app provides “more robust protection” than its browser-based wallet, and said they have eliminated the risk of phishing attacks that often target crypto users.
“People have the right to privacy and security online but few know how to achieve it,” stated the Trezor blog. “Using Trezor Suite should help everyone take full advantage of Bitcoin more easily and open the door to a more privacy-aware, crypto-competent, and self-sovereign society.”
Hardware wallets — despite being commonly used as a cold storage method — aren’t exempt from data breaches. In January, Kraken Security Labs showed that hackers could extract private keys from a Trezor hardware wallet with just 15 minutes of physical access to the device.
There has been fierce competition among major cryptocurrency wallet providers, with data security often at the forefront of the discussion. Cointelegraph reported in September that hackers had been targeting users on Electrum — a Bitcoin hot wallet — in phishing scams resulting in the loss of millions of dollars. Ledger, another hardware wallet provider, confirmed a data breach in June that compromised more than one million user email addresses.
Trezor noted that its desktop app would be in public beta until January, at which time its old browser-based Trezor Wallet would be deprecated.
Spanish Lawmakers Get Cryptocurrency In A Bid To Promote Industry
All 350 members of Spain’s lower house got 1 euro equivalent in cryptocurrency, and it’s not a donation.
Members of Spain’s lower house of Congress saw a surprise in their inboxes, the equivalent of 1 euro in crypto.
As reported by Spanish news outfit ABC, the plan is spearheaded by Tutellus, a decentralized platform looking to tokenize education technology, and the Blockchain Observatory. The project aims to promote the use of cryptocurrencies in the country.
All 350 members of Spain’s lower house, or the Congress of Deputies, received the equivalent of 1 euro in cryptocurrency in their emails. Miguel Caballero, Tutellus founder, said the goal is to raise awareness about the future role of cryptocurrencies in society:
“We have explained to your honorable members that we are in a time of profound change in the use of money, in addition to highlighting the important role that cryptocurrencies have today.”
Caballero said the cryptocurrency “is not a donation” and acknowledged that some congress members might be more familiar with crypto. But for those who have no experience with cryptocurrencies yet, Caballero said, this is an opportunity to learn more.
Spain is not the first country to send cryptocurrencies to lawmakers. The political action committee (PAC) of the Chamber of Digital Commerce sent $50 worth of Bitcoin to all 541 members of Congress in early October, reported Decrypt.
Spanish banks have been more interested in cryptocurrencies and blockchain in the past few years. Santander partnered with Ripple for a blockchain-based payments platform while the Banco Bilbao Vizcaya Argentaria (BBVA) launched a study to explore zero-knowledge proofs and other cryptographic techniques.
The European Central Bank also announced it would look into a digital euro by 2021 and released a report diving into its possible impact on the retail market.
Trezor Crypto Wallet Warns Users Of Doppelgänger Scam App On Google Play
The fake Trezor app has been downloaded by at least 1,000 people on Android’s app store, Google Play.
Trezor, a major hardware cryptocurrency wallet supplier, has warned its users about a fake Trezor application on Google Play.
According to Trezor, the fake app is malicious and has no relation to Trezor or SatoshiLabs, a company that created the Trezor wallet. Announcing the news on Jan. 18, Trezor asked its clients to not install the malicious application, reminding users that they should never share their seed phrase with anyone.
This app is malicious and has no relation to Trezor or SatoshiLabs. Please, don’t install it.
Remember that you should never share your seed with anyone until your Trezor device asks you to do it! pic.twitter.com/6C3iKfPDnR
— Trezor (@Trezor) January 18, 2021
Trezor also provided its users with a short manual on using Trezor wallet with Android. In the manual, the company listed major third-party Trezor apps including Mycelium, Sentinel or Walleth.
At publishing time, the malicious app is still available on Google Play. As of Jan. 18, the app was reportedly downloaded more than 1,000 times. The doppelgänger app also has about 200 reviews on the app store, with the majority warning that it is a scam. “This app is a scam. Never enter your recovery phrase in anything except an official hardware Trezor. Anyone that asks for this phrase (besides a physical Trezor) is trying to scam you,” one supposed user wrote.
Trezor did not immediately respond to Cointelegraph’s request for comment.
This is not the first time that a fake app has been listed on Google Play. In May 2019, Cointelegraph reported on a malicious Google Play app imitating Trezor wallet. The app was found by ESET antivirus researchers, who said that they expect more crypto scam apps to enter the Android store as the crypto market grows.
Online scammers have been targeting other popular crypto companies to impersonate their apps on Google and steal money from users. In May 2020, a cybersecurity researcher discovered 22 malicious Google Chrome extensions imitating crypto services like Trezor’s rival Ledger and major Ether (ETH) wallet MetaMask.