CRYPTO CORNER EPISODE 611
“Ledger Recover” – Assessing the Concerns and Claims
In recent news, Ledger, the Paris-based company behind the most popular crypto hardware wallet, unveiled a new feature called “Ledger Recover.” This update, available for Nano X models, has sparked a ton of controversy within the crypto community. By allowing users to share their seed phrase with third-party custodians, it lets them restore access to their crypto assets if they forget or misplace their seed phrases. The three custodians were not announced at first, but now we know they are: Ledger, Coincover, and EscrowTech.
Coincover is apparently a digital asset protection company that provides digital asset insurance services, including theft recovery, disaster recovery, and validator key recovery solutions. They have raised $30 million in funding led by Foundation Capital to protect people and their digital assets from hacks or human error, and they work with over 300 businesses, including crypto companies like BitGo, Fireblocks, and Bitso, as well as hedge funds, family offices, and banks. Coincover claims to be the first and only service to guarantee digital funds will not be lost or stolen by combining insurance with the latest security.
EscrowTech is a provider of software and technology escrow services, protecting the source code of software and other materials with a third party. EscrowTech has been in business for over 25 years and has helped thousands of customers worldwide.
So, at first glance, this looks secure enough, right?
Also, this new feature relies on a mechanism called Shamir Secret Sharing (a.k.a. Shamir Backup), which splits your seed phrase into several parts (a.k.a. shards); each shard is useless on its own and only works when combined with enough of the others. In this case, the seed will be shared in 3 pieces, so 2 out of the 3 will be needed, but a more secure choice would have been to split it into 5 shards, for instance, where 3 out of the 5 would be needed, or 7, where 4 or 5 out of the 7 would be needed – making it harder for a hacker to obtain enough of these records and combine the shards successfully.
And this is just one of the many issues that are causing this massive outcry.
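To make the threshold idea concrete, here is an added example (not Ledger's code) of Shamir Secret Sharing over a prime field: it splits an integer into n shards and then checks that every set of k shards recovers the secret while no set of k-1 shards does, for the 2-of-3, 3-of-5 and 4-of-7 schemes discussed above. It assumes the seed phrase has already been encoded as an integer smaller than the field prime, which is a constructed stand-in rather than a real BIP39 encoding.

```python
import secrets
from itertools import combinations

# Prime field size; the integer being split must be below it (assumption: a
# real seed phrase would be encoded as an integer and need a larger prime).
PRIME = 2**127 - 1

def split_secret(secret, threshold, shares):
    """Return `shares` points (x, f(x)) on a random polynomial with f(0) = secret.
    Any `threshold` points determine the polynomial; fewer leave f(0) unconstrained."""
    if not 1 < threshold <= shares or not 0 <= secret < PRIME:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME
    return [(x, f(x)) for x in range(1, shares + 1)]

def recover_secret(points):
    """Lagrange interpolation at x = 0 over GF(PRIME) from (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def check_scheme(secret, threshold, shares):
    """Return (every k-subset recovers the secret, some (k-1)-subset recovers it)."""
    shards = split_secret(secret, threshold, shares)
    enough = all(recover_secret(list(c)) == secret
                 for c in combinations(shards, threshold))
    too_few = any(recover_secret(list(c)) == secret
                  for c in combinations(shards, threshold - 1))
    return enough, too_few

if __name__ == "__main__":
    seed = secrets.randbelow(PRIME)  # constructed stand-in for an encoded seed phrase
    for k, n in [(2, 3), (3, 5), (4, 7)]:
        print(f"{k}-of-{n}:", check_scheme(seed, k, n))  # (True, False)
```

The second flag being False is what makes the custodian split meaningful: holding fewer than k shards (for example one of Ledger's three) yields an interpolation that is no better than a random guess.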
The “Ledger Recover” service is going to be a paid, opt-in service, so it’s not a compulsory feature at this point, but it has raised important questions regarding privacy, control, and the balance between convenience and security.
What’s The Need for Seed Recovery?
Ledger recognized the growing need for a seed recovery mechanism within the crypto space. The introduction of Ledger Recover is intended to address the concerns of users who may forget or lose their seed phrases, providing them with an option to regain access to their funds. By utilizing this service, users can approach Ledger, verify their identity, and have their private key restored, ensuring peace of mind and mitigating the risk of permanent asset loss.
Well, here lies the main concern: if there is a way to extract my seed phrase from my wallet, even if this is an optional service, what is to stop them from doing so without my consent?
Ledger claims that they will never do this without your consent, but the problem is that it becomes possible with this upgrade. When there is a possibility for something to occur, this is a risk that I wouldn’t want to take. Maybe it will never happen, but what if it does? What if a rogue staff member of Ledger decides to abuse this in any way? The Ledger database was hacked in 2020, when more than 200,000 users’ email addresses were leaked, so these are valid concerns.
This service really compromises the fundamental principle of self-custody, potentially exposing us, the users, to unauthorized access or control over our assets.
Other valid concerns from the crypto community include:
- Transparency: The closed-source firmware used in Ledger Recover has drawn scepticism from those who value transparency and open-source practices. Without visibility into the inner workings of the firmware, we are unable to assess any potential hidden vulnerabilities or security risks.
- Forceful Access: Concerns have been raised regarding the potential for unauthorized parties to forcibly extract the seed phrase from a hardware wallet. This scenario poses a significant security risk, undermining the safeguards put in place to protect user assets.
- Security of Third-Party Custodians: The involvement of third-party custodians in storing encrypted backups of users’ seed phrases introduces a potential vulnerability. Users worry about the possibility of hacks or leaks compromising the security of their confidential information.
In response to the criticism, Ledger provides the following justifications for the introduction of the Ledger Recover feature:
- Customer Demand: Ledger claims that the inclusion of key recovery functionality was driven by customer demand. They aimed to cater to a wider user base, making cryptocurrency more accessible to those who may be concerned about the risks associated with self-custody.
- Monetization for Growth: By offering value-added services such as key recovery, Ledger seeks to monetize its customer base and ensure continued growth. This strategy allows the company to fund ongoing innovation and product development.
- Voluntary Opt-In: Ledger affirms that the use of the key recovery service is entirely optional. Users retain the choice of whether to rely solely on self-custody or leverage the recovery mechanism offered by Ledger Recover. The company aims to uphold user autonomy and provide them with the freedom to make informed decisions regarding their funds.
All of this makes us wonder – can we still trust Ledger enough to continue using their devices? Is there any government pressure that forced Ledger to activate such a feature? What if their firmware has always been open to such seed phrase extraction but we just didn’t know it, as the firmware is not open source?
And their response to this didn’t help at all.
“Technically speaking it is and always has been possible to write firmware that facilitates key extraction. You have always trusted Ledger not to deploy such firmware whether you knew it or not,” Ledger said earlier in a now-deleted tweet.
This only added fuel to the fire and now I am starting to change my mind about Ledger. In my previous response video on this topic, I was much more inclined to take Ledger’s side in this debacle, seeing this as a service that will provide extra security to many users. I think – I still think that Ledger is acting in good faith and will continue to do so. As their CTO said in his Twitter thread the other day:
“Using a wallet requires a minimal amount of trust. If your hypothesis is that your wallet provider is the attacker, you’re doomed.”
This is very true!
If you don’t trust the wallet provider, you shouldn’t use it. Period.
But I am not that concerned about Ledger per se acting maliciously; I am concerned about the possible exploits and attacks that will follow soon. Phishing emails have been circulating since 2017, trying to dupe Ledger users into upgrading or signing transactions on fake websites so that their seed phrase or private keys are compromised or exposed in some way, and this is only going to get worse with this new service.
Maybe the KYC that will be implemented in order to activate this service will help stop potential future abuse, but then again, how can you trust that your data, your ID and other highly sensitive information will not be leaked just like it was back in 2020? It was just names and emails back then. Now, it will be much more…
Users’ concerns regarding privacy, control, and potential vulnerabilities cannot be dismissed lightly. It is essential to carefully weigh the trade-offs and evaluate the level of trust we place in third-party custodians. As the crypto ecosystem evolves, finding the equilibrium between user convenience and the principles of self-custody remains a critical challenge that warrants ongoing discussion and consideration.
I have reviewed all major crypto wallets on the market and you can also check out this playlist on my channel with my reviews of the wallets I use and recommend:
If you watch the video on top of this post, you’ll find out more, so do check it out.
☝These are my opinions, not financial advice, always DYOR.
👉 👉 Sign Up for the Crypto Corner Newsletter and get more insight on the crypto markets, new releases and updates, plus my personal choice of coins to trade.
📖Dictionary: “Crypto Jargon A-Z” is the most comprehensive crypto glossary: https://www.amazon.com/dp/B07Y9DT3H6
📖Guide: “Learn Crypto” is the ultimate beginners guide to cryptocurrencies that helps you avoid the mistakes all newbies make when investing in crypto: https://LearnCryptoNow.com
🚩 MUST-HAVE crypto SERVICES:
Use Brave Browser for extra security and earn crypto at the same time. It is privacy-oriented and blocks unnecessary cookies and much more: https://brave.com/ojj095
Get your own NFT blockchain domain – no yearly fees and censorship-free with Unstoppable Domains: https://unstoppabledomains.com/?ref=46122235f05f405
Aurox – my top charting tool and indicator for finding the right entry and exit points for trading on any of the top exchanges and trading pairs. Give it a try and sign up for free: https://aurox.app/iwr
Token Metrics: the most detailed statistics and analysis for all major cryptocurrencies and price predictions to help you find the right coins to trade and the right time to buy/sell – give it a try and get 10% discount if you choose to upgrade with this link: https://tokenmetrics.com/?ref=ojjordan2
🔑Top Crypto Wallets:
- Top Mobile (Anonymous) Wallet is Trust Wallet – https://share.trustwallet.com/TtMUdOW
- Top Desktop (Anonymous) Wallet is Atomic Wallet – https://atomicwallet.io/
💹Top Crypto Exchanges
- Binance (biggest, KYC required)
- Kucoin (crypto only, 5BTC daily withdrawal, no KYC)
- Bitget (no fees, no KYC)
The information contained in this article is for informational purposes only. Nothing herein shall be construed to be financial or legal advice. The content of this video reflects solely my own opinions. Purchasing cryptocurrencies poses considerable risk of losses.
All information is meant for public awareness and contains what is already in the public domain. Please take this information and do your own research.
Want to know how to make money by investing in crypto?
Grab a copy of my best-selling eBook “Learn Crypto” to find out all about the cryptocurrency market, the different blockchains and the “Do”s and “Don’t”s of how to build a successful crypto portfolio. It’s now in its second edition.
Find out more: LearnCryptoNow.com
Crypto Jargon A-Z is the most comprehensive crypto dictionary (glossary) of all the terms, acronyms and slang that you will find in crypto guides, videos, articles and social media posts. Get more than 1000 terms compiled and defined in a simple way, and enhance your knowledge and understanding of the jargon you see every day.