Update: Efforts to Protect Your Data and Prosecute The Scammers

Republished by Plato

01/13/2021 | Blog posts

Data breach

While the security of Ledger products is unparalleled – Ledger Nano products are the only hardware wallets independently certified on the market –  and remains uncompromised, criminals are attacking Ledger customers with phishing attempts using different attack types. Recently, Shopify discovered Ledger customers were impacted by the Shopify data theft disclosed by Shopify here, and notified Ledger.

<TL;DR>

Focused adversaries will always try different angles to access Ledger data and we must continue to strengthen our security posture. This is an industry-wide problem we need to fight together, and Ledger is doubling-down on our commitment to do our part in this fight.

In this blog post we are updating our users on our ongoing actions to strengthen our security practices and pursue justice in our 2020 data theft:  

  • We are announcing changes in the way Ledger will handle customer data: Our goal is to completely delete your personal data such as name, address, and phone number as soon as possible. We are challenging ourselves and third party providers to keep this data for as short a period of time as necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment. 
  • We will implement a messaging model where proactive important security and technical information will be conveyed through Ledger Live. Email and social media will ONLY be used for broadcasting product messages and announcements.
  • Ledger is committing numerous additional resources to identifying and prosecuting those responsible for the attacks on Ledger and Ledger customers including a bounty fund of 10 BTC for information leading to successful arrest and prosecution. We hope other companies will join the bounty program and help make the crypto community a safer place. 

Security reminder: NEVER give your 24 words to ANYONE.  Ledger will NEVER ask you for your 24 words.  If someone posing as Ledger asks for your 24 words, that is a criminal, not Ledger. The ONLY place where the 24 words of your recovery seed must be input is in your Ledger Nano – NEVER IN LEDGER LIVE.

<TL;DR>

In this post we will recap the events related to our data breach in the most transparent way possible. The entire Ledger team is working extremely hard to solve these challenges.  This post is long but we want to give you as much information as possible regarding the direction Ledger is taking to keep your data safe and catch and prosecute the criminals perpetrating these crimes.  

1- What happened

First, to recap the situation briefly: On July 14th, 2020 a researcher contacted us through our bounty program to inform us of a data breach on our e-commerce and marketing database. We immediately fixed the data breach and launched internal investigations. We discovered a malicious attacker had gained unauthorized access to our e-commerce and marketing database via a third party’s API key.  Through forensics conducted by Ledger as well as third party forensics company Orange Cyberdefense we were able to identify that more than one million email addresses and approximately 9500 customer records including name, address, product(s) ordered and phone number were also stolen. We immediately (July 29th, 2020) notified our customers and shared the forensic information with the relevant authorities.

On December 20th, 2020 the full contents of the stolen databases were made publicly available in a forum.  Once we saw these full databases, we could see that approximately 272,000 customer records including name, address and phone number were stolen in addition to the more than 1M email addresses. As soon as this was discovered we warned affected customers via email (December 21st, 2020).

Now, we have new information to share: on December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.

Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack, there were approximately 20,000 new customer records including email, name, postal address, product(s) ordered and phone number included in this breach.

If you purchased a Ledger product after the end of June, 2020, or if you purchased your product outside of Ledger.com, your data was not exposed in these incidents.

For answers to frequently asked questions on both these attacks please visit the FAQ.  To educate yourself on the kinds of phishing attacks being perpetrated, or to report a phishing attack to our team, see this page.

Throughout these attacks, Ledger hardware wallets remain uncompromised and your cryptocurrency secure SO LONG AS YOU NEVER SHARE YOUR 24 WORDS WITH ANYONE (especially someone pretending to be Ledger — Ledger will never ask you for this information).

2- Actions taken by Ledger

Concerning the data breach discovered on July 14th

We patched the breach on July 14th, 2020. On July 17th, 2020 we notified the French Data Protection Authority. We began conducting forensics with Orange Cyberdefense on July 20th, 2020. It was necessary and prudent to complete the investigation with Orange Cyberdefense and gather as many facts as possible before communicating the data breach to our customers.

As soon as we had the final report we sent an email to our entire email database on July 29th, 2020. We informed the media about the situation via a press release the same day. We filed a complaint with the French public prosecutor on August 5th, 2020.

Concerning the phishing campaigns against our customers

In recent months we’ve seen high activity of phishing attacks on our customers. We have communicated heavily to warn our customers about these attacks via email, on our Website, within Ledger Live, and on Twitter, Reddit and other third-party platforms. We sent an email to our entire database regarding these phishing attempts on October 22nd, 2020. We partnered with Webdrone, a company specialized in business intelligence and cybercrime, to identify the author(s) of phishing websites. We have an on-going program with Corsearch to shut down phishing websites expeditiously through registrars and to date have shut down 216 sites and counting.

Our internal brand protection team has been exclusively dedicated to the phishing attacks since they started.  Corsearch is collaborating with international investigative organisations on our behalf. On December 16th, 2020 we launched a specific page sharing the anatomy of these phishing attacks to help you identify them and report any new attacks you receive. 

We are working with Chainalysis and other organisations to track the cryptocurrency wallets used by the scammers.  If/when discovered, we will report them to law enforcement for action (for example to freeze the crypto assets should they land on exchanges). 

We continue to work with several private investigators to find and track the individuals responsible for these attacks. All clues and information gathered are shared with the relevant authorities (if you have new information for us, please see the bounty program below).  For the phishing campaigns, Ledger has also filed a complaint with the French prosecutor and shares information gathered by Ledger and the investigators on a regular basis.

Due to these incidents, Ledger has experienced an exponential increase in requests for information compared to this time last year. Every communication with our customers is important to us and we want to respond to every one with precise information. To accommodate this demand we hired more resources in 2020 and are continuing to hire in 2021. We are sincerely sorry if you are experiencing delays with our customer support and we are working hard to answer everyone as quickly as we can. We hope this blog post and the FAQ immediately help you find the answers you are looking for.

Concerning the Shopify data breach

The investigation into the incident involving Shopify is ongoing and we will continue to update you as the situation unfolds. As of today: We notified the French Data Protection Authority on December 26th, 2020. After completing forensics with Orange Cyberdefense we informed all customers affected by this breach via email on January 13th, 2021.  We continue to work with Shopify and prosecutors on the case; an investigation is already underway, led by the FBI and the RCMP.  Ledger also reported the events to the French Public Prosecutor and filed a complaint against the rogue agent(s).  We are continuing to work with Shopify using new internal processes to ensure enhanced security.

3- Next steps

Data breaches and  phishing attacks are an industry-wide problem. We continue working on this problem every single day, and today we want to share with you the beginning of our new plan that is aiming to increase the protection of our customers.

FIRST of all, we would prefer not to have your data; your trust is worth much more to us than holding your data. When you order your product directly from Ledger we collect your information so we can ship you your order. Accounting regulations and legal obligations require that we keep e-commerce purchase data for a certain period of time.  Still, we are changing the way we handle this data, to go above and beyond GDPR principles and take a best-in-class approach:

  1. Our goal is to completely delete your personal data such as name, address, and phone number as soon as possible. We are challenging ourselves and third party providers to keep this data for as short a period of time as necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment. For instance, we aim to put your e-commerce order information such as name, address, phone number in a segregated environment three months after the shipping of your product.
  2. We will reduce the locations at which your personal information is displayed.  For example, we will be deleting the name, address, and phone number from the order confirmation emails we send to you so this data does not pass through our ecommerce email provider.
  3. We will implement a messaging model where proactive important security and technical information will be solely conveyed through Ledger Live. Email and social media will ONLY be used for broadcasting product messages and announcements.
  4. We will be conducting a detailed re-assessment of all our suppliers and partners to ensure that they continue to meet the highest standards.

SECOND, thefts and attacks such as this cannot go uninvestigated or unprosecuted.  For cryptocurrency to thrive there must be a price to pay for committing cryptocurrency theft.  We continue to work with law enforcement as well as private investigators on these cases, and we are adding more firepower:

  1. We are hiring additional private investigation capacity, adding experience and different approaches to finding those responsible for these data thefts.  We will continue to work in concert with global law enforcement to find, arrest, and prosecute those responsible wherever possible.
  2. We are creating a bounty for new information, obtained legally, leading to the identification, arrest and successful prosecution of those responsible for attacks against Ledger and our customers.  Ledger has seeded a wallet with 10 BTC (address: bc1qappeev2uut3md3622wtmxllwtn7ctqdhwv0xsc) as the initial bounty reserve. This will be disbursed at the discretion of Ledger and will consider factors such as – has the information been obtained legally? Is it new? How substantial is the information and how far will it help progress the investigation and result in a direct ability to prosecute individual(s)? Has that prosecution been successful? More generally, it will be subject to the terms of our bounty program available here.
  3. We are announcing our intention to collaborate with others in the industry on this initiative.  We are reaching out to other companies and individuals in the space about ongoing funding of this bounty program for crimes committed against the crypto community. CEOs of other companies in the crypto space, if you would like to join us on this project, please get in touch ASAP.

We are deeply sorry that these incidents occurred and for any pain or stress they’ve caused our customers.  Keeping you secure is Ledger’s mission and we take these incidents extremely seriously both personally and professionally.  We will soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance for individual customers. These attacks have only strengthened our resolve to build and release products that keep you and your crypto safe.  We have exciting, innovative and secure products and services to announce in 2021. Ledger remains committed to building the most secure products and protecting the crypto ecosystem. Period. 

PLEASE take this moment as a reminder to be vigilant and take every possible step to protect yourself. As the value of your crypto increases and more people join the ecosystem, this will continue to be an area of focus. Crypto Casey does a great job of summarizing the situation and how to protect yourself in this video and podcast.  Please take all steps to keep yourself and your crypto safe.

We are all here for the same reason: we are long-time believers in the value and future of cryptocurrency and digital assets.  We at Ledger have learned very important lessons and will continue to work hard to ensure your trust is well-placed in us. We are humbled. We are becoming stronger and more resilient as a result. 

Sincerely,

Pascal, Ian, Antoine, Matt, Charles.



Source: https://www.ledger.com/blog/update-efforts-to-protect-your-data-and-prosecute-the-scammers

Chainlink, Synthetix, Verge Price Analysis: 05 March

The altcoin market showed that market bears were in the ascendancy over the past week, with the same likely to continue over the next few days. Chainlink approached an area of demand at $25, while Synthetix faced rejection at the $27-level. Finally, Verge flipped the $0.019-level to support, although this development could be short-lived.

Chainlink [LINK]

Source: LINK/USD on TradingView

On the 4-hour chart, LINK registered rising bearish momentum as the RSI dropped below 50. It was noting a value of 40, at the time of writing, and faced an area of demand in the $24.8-$25.8 zone. This could see LINK bounce to retest the $27-level as resistance.

The imminent levels of interest seemed to be $27, as likely resistance, and $24.8, as support. A drop below $24.8 would see the bears push further and drive the price down to touch the $23.24-level of support.

The $23.24-level has been tested as support multiple times since early February, and certain on-chain metrics did point to a fall in the number of LINK users, which, in turn, could see less demand and lead to further losses.

Synthetix [SNX]

Source: SNX/USDT on TradingView

SNX was trading within a descending channel for the better part of February, and a few days ago, broke out of the pattern with a technical target of $27.

SNX tested the $24-mark as resistance but its attempts to climb any further were met with rejection. SNX has since steadily posted losses and lost the $21-level to the bears. The MACD formed a bearish crossover and began falling to show downward momentum.

Over the next few days, the $19.7 and the $18.5-$19 zone can be expected to serve as support.

Verge [XVG]

Source: XVG/USDT on TradingView

The ascending trendline had some confluence with the retracement level at $0.019, and the market bulls were able to defend that level. Closing a trading session under the $0.0189-level would likely see XVG drop back towards $0.0165, while a breakout past $0.021 would be a bullish development. A move lower was the more likely scenario, given the general market conditions.

Even though the DMI showed the bullish trend gaining some strength in recent days, the trading volume was in disagreement with the rally. The Awesome Oscillator was moving above zero, but did not show bullish strength.


Source: https://ambcrypto.com/chainlink-synthetix-verge-price-analysis-05-march

The Flash Mint is here: WETH10 turbocharges the flash loan concept

A team has released WETH10, the latest iteration of the Wrapped Ether token that allows using Ether (ETH) in a DeFi setting. WETH10 carries a host of useful features, the most notable of which is the flash mint, an evolution of the flash loan concept.

Flash loans allow users to borrow the entire liquidity pool of a protocol to use as they see fit, without posting collateral. The only limitation is that the loan must be returned in full within the same transaction, otherwise the loan will never exist in the first place.

In the DeFi community, flash loans are primarily a tool for arbitrage, as they offer an unlimited source of funds for anyone transacting entirely within the DeFi ecosystem. This includes liquidation bots, with one lucky liquidator making $4 million from scratch in November by using flash loans. Another class of flash loan users are hackers and protocol exploiters, who often use them as a source of funds for their attacks.

The flash loan’s prevalence in hacks has made the concept somewhat controversial, with some arguing that they are net negative for the ecosystem and should be removed. For others, they represent one of few meaningful DeFi innovations, which democratizes access to arbitrage.

One limitation of flash loans is that the total sum available for a transaction is limited by the liquidity locked in a particular protocol. This is where the concept of a flash mint comes into play — instead of taking funds from a liquidity pool, the mechanism mints tokens out of thin air and destroys them once no longer necessary.

The amount that can be obtained from a WETH10 mint is not really infinite, Alberto Cuesta Cañada, technical lead for Yield Protocol and developer of WETH10, told Cointelegraph:

“The only limitation to flash mints of WETH10 is that the flash minted amount can never exceed 2^112-1 at any given time.”

In decimal terms, the number quoted by Cuesta Cañada has 33 zeros, which should be enough to cover any liquidity needs in DeFi. In practice, if the user needs to unwrap the WETH for a particular use, there may be limitations due to how much ETH is stored on the WETH contract.
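The mint, callback and burn sequence described above can be modelled in a few lines. This is an added illustration, not code from the article or from WETH10: a toy in-memory ledger in Python whose class, method and account names are all constructed. It shows the all-or-nothing revert, the 2^112-1 cap on the outstanding flash-minted amount (including nested mints), and that total supply read inside the callback is temporarily inflated, which is why an integrating contract should not treat a spot supply or balance as a trust signal.

```python
MAX_FLASH = 2**112 - 1  # cap quoted in the article


class Revert(Exception):
    """Aborts the whole transaction, like an EVM revert."""


class FlashMintToken:
    """Toy in-memory token ledger (constructed model, not WETH10 itself)."""

    def __init__(self):
        self.balances = {}
        self.total_supply = 0
        self.flash_minted = 0  # minted but not yet burned in this transaction

    def deposit(self, holder, amount):
        self.balances[holder] = self.balances.get(holder, 0) + amount
        self.total_supply += amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def flash_mint(self, borrower, amount, callback):
        # Snapshot so that any failure leaves no trace, as on-chain.
        snapshot = (dict(self.balances), self.total_supply, self.flash_minted)
        try:
            if self.flash_minted + amount > MAX_FLASH:
                raise Revert("flash-minted amount would exceed 2**112 - 1")
            self.flash_minted += amount
            self.deposit(borrower, amount)   # mint with no backing deposit
            callback(self)                   # borrower's arbitrary logic runs here
            if self.balances.get(borrower, 0) < amount:
                raise Revert("flash mint not returned")
            self.balances[borrower] -= amount  # burn what was minted
            self.total_supply -= amount
            self.flash_minted -= amount
        except Revert:
            self.balances, self.total_supply, self.flash_minted = snapshot
            raise


def attempt(token, borrower, amount, callback):
    """Run one flash mint as a transaction; return (succeeded, balances, supply)."""
    try:
        token.flash_mint(borrower, amount, callback)
        ok = True
    except Revert:
        ok = False
    return ok, dict(token.balances), token.total_supply


def scenarios():
    token = FlashMintToken()
    token.deposit("alice", 100)  # constructed starting state
    seen = {}

    def repays(t):
        # Anything reading supply now sees the unbacked, inflated figure.
        seen["supply_during"] = t.total_supply

    def keeps_funds(t):
        t.transfer("bob", "mallory", 500)  # moves tokens away, cannot repay

    def nested(t):
        t.flash_mint("bob", 1, repays)     # pushes the outstanding total over the cap

    results = {"repaid": attempt(token, "bob", 10**6, repays)}
    results["supply_during"] = seen["supply_during"]
    results["defaulted"] = attempt(token, "bob", 1000, keeps_funds)
    results["over_cap"] = attempt(token, "bob", MAX_FLASH + 1, repays)
    results["nested_over_cap"] = attempt(token, "bob", MAX_FLASH, nested)
    return results


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(name, value)
```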

Most DeFi protocols actually use WETH in the backend, though they hide this from users by automatically wrapping and unwrapping it at each interaction. If they were to switch to WETH10, the flash mint could grow to its full potential.

Will projects adopt the new standard?

“The new standard will be adopted slowly, if it gets adopted,” said Cuesta Cañada. “It is not users, but applications, that might adopt WETH10, and nothing might be seen for at least a couple of months.”

Adopting WETH10 only for the risk of amplifying potential losses from coding mistakes may be a tough proposition, but the new token carries a host of other advantages. WETH10 includes the ability to make transactions free for the end user, and it skips the “approve token” mechanic to save on gas costs and avoid security threats. An additional benefit of WETH10 is that its flash mint is completely free, unlike flash loan protocols levying their own fees.

Cuesta Cañada believes that newer projects will have an easier time integrating the standard, with existing names possibly doing so in their next releases. It is yet unclear if DeFi projects believe the risks of flash mints outweigh the benefits from the new WETH standard. “No one has committed to use it yet, but we haven’t gone looking for it either,” said Cuesta Cañada. He concluded:

“If the selling proposition of WETH10 is good enough, it will be adopted. If it is not, such is life, we all learnt a lot and had a great time coding it.”

Source: https://cointelegraph.com/news/the-flash-mint-is-here-weth10-turbocharges-the-flash-loan-concept

Why there’s more to Chainlink’s growth than what meets the eye

After a collective collapse a week ago, the digital asset industry recovered somewhat, before falling once again. However, it would seem that Chainlink missed the memo in the first place. In fact, AMBCrypto had recently reported about LINK’s inability to pull-forward without the assistance of strong on-chain fundamentals.

While its long-term credentials remain golden, during the aforementioned phase of corrections, LINK’s active addresses and receiving addresses fell to monthly lows. However, recent data might be suggesting a shift, one that may just confirm once again the narrative drawn by the previous article.

Chainlink’s brief rise above $30 saw significant Address Activity

Over the past 72 hours, LINK has been on a topsy-turvy journey on the charts. While the altcoin did recover briefly to touch $30, it soon fell on the back of the rest of the crypto-market reeling too.

However, what must be noted here is that when LINK was climbing, so was its on-chain activity, an observation that backed the notion that LINK’s hikes are usually supported by strong on-chain fundamentals.

Source: Twitter

In fact, Santiment data showed that Chainlink registered its highest single-hour level of address activity over the last seven months. Around 26,700 addresses were active during the 1-hour window, a finding indicative of high on-chain activity.

The cohesion between the altcoin’s price and active address conformed with the narrative drawn in the previous article, one that highlighted the importance of network development for LINK’s value.

In the past, certain crypto-assets such as Bitcoin SV, Bitcoin Cash, etc., have depended on their correlation with Bitcoin more than anything else, for price appreciation. On the contrary, Chainlink is re-defining its interest and mostly basing its growth on market engagement.

Citi Group suggests LINK may gain upper hand against Bitcoin

Citi Group’s recent report bestowed major props to Bitcoin, identifying its intrinsic value and interest while suggesting that the asset could become the currency of choice for international trade.

In the same report, however, Citi also drew a comparison between LINK and BTC. The concluding sections of the report highlighted that Chainlink was recently recognized by the World Economic Forum as one of the 100 most promising technologies of 2020.

Chainlink has expanded beyond expectations, gaining adoption on other blockchains such as Polkadot as well. The report added,

“It is thus already possible to envision a commerce-linked or infrastructure-linked coin that may eventually eclipse Bitcoin. Innovation in the chain-based ecosystem is continuing apace and today’s offerings may yet give way to a new invention that garners more attention and assets than Bitcoin.”

Is LINK eyeing another breakout?

Source: Trading View

On the weekly chart, Chainlink seemed to be pointing towards another price hike, especially if bullish momentum is considerable over the next few weeks. As identified by the chart, Chainlink might be on its next rally phase, similar to the one it saw towards the end of July 2020. The same can be confirmed by the higher position of the 21-day Exponential Moving Average over the 20-Moving Average on LINK’s weekly price charts.

Higher accumulation at the current range may kick off the rally, therefore, keeping an eye out for whale movement will be imperative over the next few weeks.


Source: https://ambcrypto.com/why-theres-more-to-chainlinks-growth-than-what-meets-the-eye
