About two weeks ago I had asked a friend, a big crypto investor in Europe, if I should finally move my Bitcoin off of my current account and put it on my Ledger Nano S. It seemed way more secure, hack free of course, because who is accessing my Ledger Nano S? I imagine no one.
Then Ledger started sending me emails telling me I had to create an account online. I had not done so yet, and this was the perfect nudge.
And then, days later, Ledger gets hacked. Like everyone who has a Ledger Nano or a Ledger account, I am now getting emails from unknown individuals and fake Ledger accounts (phishing campaign, for sure) telling me my email address was leaked to ne’er-do-wells; and that my wallet has been disabled. I know all of this is spam because I do not yet have a Ledger account. I never set one up.
And Ledger’s website has this sprawled across its home page now.
On December 23, the France-based Ledger said the company had “fallen victim to a cyber attack” and that on December 20, malicious software was installed on one of their servers. As of December 23, they said that it was “technically impossible” to make an assessment of the severity of the data breach. They warned that it was safe to assume that “your funds could be at risk of theft”.
The hack apparently took place in July and the data was published on RaidForums, a marketplace for buying, selling, and sharing hacked information, Forbes contributor Billy Bambrough wrote.
The hacked data includes customer email addresses, full names, phone numbers and postal addresses, according to Ledger. A vulnerability on the Ledger website allowed an “unauthorized third party” to access the company’s e-commerce and marketing database before it was spotted by a researcher participating in Ledger’s bounty program, Bambrough wrote last week.
One of the biggest sticking points of cryptocurrency has been storage and security. If someone robs Santander, and cleans out the local branch in my home town, not one red cent of my savings and checking has vanished. But losing cryptocurrency to hackers is every Bitcoin investor’s worst fear. Especially now that Bitcoin has staged a comeback and is trading over $26,000, an all-time high. This is the perfect time for incredibly bad luck.
As Bitcoin investors, we all want to start 2021 with our BTC firmly in hand.
“If you have not updated the software for your Ledger device, you should assume that your funds are not as secure as you think,” says Bohdan Prylepa, Co-founder and CTO of Prof-it.bz, a seven-year-old IT company that develops web and mobile apps. “If you have the latest version, your funds should be secure. But in light of the latest attack, you should take further measures to protect your funds,” he says.
It’s headaches like these that turn people off to Bitcoin, or investing in general. Who has the time for all of this?
The other concern for lay BTC investors is — if someone hacked Ledger, does it mean they could have access to my Nano S wallet? How is that even possible?
“Nothing is impossible,” says Prylepa, adding that he thinks the hackers did not get access to private security keys, so without that they would not yet have access to individual funds. “They will use phishing attacks – a fake email newsletter for example – to extract more information from you that they can then use to access your wallet,” he says, which is what Ledger has been warning on its website all week.
For now, the best way to stay safe is to use brand-name cryptocurrency wallets that have been around for a while.
“I recommend selecting hardware or an online wallet for storing cryptocurrencies based on your specific request — like what do you want – securely store, quickly exchange, and buy certain coins? Define several specific goals and choose the best wallet option for each one,” says Max Krupyshev, CEO of Estonia-based CoinsPaid, a crypto-financial ecosystem with its own cryptocurrency wallet, including so-called hot wallet systems for businesses.
“Hardware wallets are in demand precisely because of security and the inability to access third-party users’ data, but there is still a high risk of software bugs. And no one is immune from database hacking,” he says.
Raja Zuberi, founder of ProgramOnChain, a Github alternative, still trusts Ledger, for the most part.
“Ledger hardware wallets have proved to be one of the safest options but you have to always be cautious while revealing the personal information online, especially when we are talking about crypto-holding related platforms, including the centralized exchanges,” Zuberi says. “That’s because most of the information provided to these services is stored on a plain database and it is not only your digital assets but also your privacy that you have to protect. You have to be vigilant, excessively aware.”
Exhausting. Maybe just stick to the new Graystone Bitcoin ETF. That fund is up 13.2% on Monday.
Ledger will still claim that their hardware wallets are the best, most convenient way to store Bitcoin. People are used to pen drives. The Ledger Nano S is just like that. Don’t lose the pen drive, don’t lose its contents. The Nano is like that, only it acts more like a safe; a custodian of sorts.
The good news is that hackers have not been able to access anyone’s devices, so while their server infrastructure was breached, their fundamental device security is still sound, says Prylepa.
He thinks Trezor is another alternative to Ledger, also known for their hardware wallets.
Both firms still rely on the crypto investor to have solid digital security practices: writing down their passwords, keeping mnemonic passphrases as secure as possible, and storing them offline as well, including in a notebook with pen and paper, should your desktop computer go bust and the Notepad document you saved with all your passcodes be lost forever.
Losing those is not the same as losing your checking account number. Traditional banks like Fidelity are now getting in on the Bitcoin business and will act as secure custodians of accounts.
For those who want to remain firmly in the crypto world, and side-step traditional banking and large corporations, there are few alternatives.
“The main alternative to hardware wallets, and still among the most secure methods of storing, is ‘cold storage’, in particular a paper wallet,” Prylepa says. “It’s less convenient, but generating a Bitcoin address offline and storing the private key in a hard copy cuts the risk of theft as close to zero as possible because the funds and passkeys are essentially stored offline.”