[codetrotter]

This is scary and even a hardware wallet might not help.

When I create a transaction with Electrum on my computer, I use a hardware wallet to sign the transaction. When I sign the transaction, the hardware wallet shows the amounts, and the output addresses.

But if my copy of Electrum was backdoored and smart about what it did, it could use an output address for the remaining amount that went to another wallet. And since I and most people mainly check the address we are sending to but don’t pay close attention to the change address, we could end up having our funds stolen that way.

I’ve been thinking about moving to a multisig setup instead, that would have multiple computers independently used for checking and signing the transactions.

So far I’ve been putting it off because a single wallet and being diligent about checking the output address that you send to seemed sufficient. But now I think moving to a multisig setup is something me and more people should do sooner rather than later.

[popol12]

No, you're wrong. The issue you're describing can't be exploited on Ledger devices at least. (Source: I’m a contributor to their bitcoin transaction parsing code) Their hardware wallet checks if the provided change output's address is actually owned by the device owner:

- if it does, then the change output is simply hidden from the user validation flow

- if it doesn’t it will appear as a second bitcoin transfer to approve, which require a second physical approval on the device. this is highly unusual and should trigger the user's suspicion.

I can’t say for other vendors but this is pretty standard security practice I’m sure, hardware wallets are fighting against attacks that are way more elaborate than this one.

[codetrotter]

Ok. I use Ledger. And I would not have thought of being suspicious of there being two addresses to confirm.

So rather than being “wrong”, maybe I am more similar to most regular user of hardware wallets, and that this kind of attack would indeed be a disaster for a lot of users who have hardware wallets. Myself included.

[pests]

But.... if you did confirm two addresses, wouldn't the second one be suspicious solely because... if you're confirming it... it means you actually did something besides click a button right? And if it wasnt an address you owned?

[codetrotter]

I would think one was the target address and the other was the change address.

And then if I went so far as to double check that the other address was a change address, I’d do so by looking in the list of addresses for my wallet in Electrum.

But in our scenario I am using a backdoored Electrum. And therefore it could be showing a mixture of the real addresses that belong to me in that list alongside addresses belonging to a different wallet that was set to show up there by whoever backdoored my copy of Electrum.

[elbear]

Does each address show the amount transferred? If it doesn't, with my current knowledge of how things work, I would maybe assume the second address is used for a commission. Depending on what funds I would be transferring, maybe I would be suspicious and cancel the whole thing to find out why 2 addresses are displayed.

[nvdr]

Ok, and what if you use your Ledger seed phrase to connect / recover on Exodus? Hardware wallet or not, if the recovery seed is exposed, are you in trouble?

[Quiark]

I'd say the fact that you can not enter a seed phrase into an app on computer or website should be like "level 1" required crypto knowledge. I understand that many are still failing at this daily.

[stouset]

Reading this, it is bonkers to me that people think cryptocurrencies are ready or appropriate for mainstream use, either as a currency or as an investment.

Line could go up, but if you aren’t extremely careful with processes that most people don’t and won’t comprehend—and don’t even realize are something you need to do—you can just straight up lose everything.

[aeternum]

Ah yeah clearly not ready in fact neither is traditional finance:

https://www.aura.com/learn/i-got-scammed-on-venmo-what-do-i-...

https://help.venmo.com/hc/en-us/articles/235171088-Cancel-Pa...

A fool and their money..

[itsoktocry]

Do you not see the difference between a Venmo transaction and Bitcoin transaction?

With Bitcoin, a small mistake or oversight and you money is gone, and unrecoverable. So you can point and laugh at people getting scammed on Venmo, but you need "normies" to adopt BTC.

[aeternum]

It's the same with Venmo, I have a few friends that have sent money to random people never to see it again.

There's really very little crypto-specific here, convincing someone to transfer funds to a scammer-controlled account is one of the oldest financial tricks in the book. It's still very common with bank wires.

[mratsim]

Venmo, CashApp, Paypal "Friends or Family" and gift cards (Apple, Google Pay, Steam, ...) are all irreversible.

[justajot]

Yeah, it's definitely not ready. I agree with everything you are saying.

Though, the industry is aware of this and working on it. There is at least one company (Chia Network) where the on-chain language (ChiaLisp) is both capable and secure enough to allow for the sort of management needed to allow for self-custody to happen in a safe, sane manner. GUIs for this sort of thing aren't ready for the general public yet, but are definitely on the way.

[loveparade]

Solutions have been on the way for more than five years, but literally nothing has changed and all we've gotten is pyramid schemes and gambling. Chains and protocols have exploded in complexity and technical debt to the point where nobody fully understands the attack vectors. By now I am convinced that anything beyond pyramid schemes is never going to happen.

[justajot]

It's frustrating, I agree. People are obviously going to continue being people with pyramid schemes and the like. At the same time, there are enough who also agree that it's a mess, have closely studied the successes and mistakes of the past, and are building a solid foundation for doing this right. I mean, what we're really talking about here is creating a fundamentally new system for which the financial system operates upon ... it's going to take time ... longer than five years. And the progress that I've seen thus far is encouraging.

[troupo]

> there are enough who also agree that it's a mess, have closely studied the successes and mistakes of the past, and are building a solid foundation for doing this right.

People who "closely study mistakes and successes of the past" are in a very rare supply in the crypto space, and for a good reason: because people who actually closely study mistakes and successes of the past don't want to touch that space even with a 10-yard stick.

The reasons were spelled out in no uncertain terms 7 years ago in https://medium.com/@kaistinchcombe/ten-years-in-nobody-has-c... and followup here https://medium.com/@kaistinchcombe/decentralized-and-trustle... 17 years in, all those reasons remain the same.

[FireBeyond]

> People who "closely study mistakes and successes of the past" are in a very rare supply in the crypto space

Unless you're talking about people who are studying the mistakes and successes of crypto scams, and are working to refine them (the scams), then you can find a few.

[danuker]

Do you also consider Bitcoin a pyramid scheme?

[loveparade]

No, I don't. But Bitcoin also isn't particularly interesting because it's not (very) programmable and not useful for mainstream use anyway. I don't consider Ethereum itself a pyramid scheme, just useless. The protocols on top of these chains though, nearly all pyramid schemes. The best way to describe Ethereum is that it provides a platform for pyramid schemes.

[reactordev]

The base of the pyramid, if you will. I wouldn’t lump all contracts in with this but it does describe a vast majority of them.

[justajot]

Hahaha, accurate.

[Quiark]

What's the name of the function in ChiaLisp that returns true if this is an illegitimate transaction initiated by a hacker and false if it's being done by the real owner of the funds?

[FireBeyond]

> where the on-chain language (ChiaLisp)

So all you need to do then is learn a Lisp? That sounds worth the effort for most non-tech people...

[lottin]

It isn't a software problem.

[justajot]

What is it?

[mratsim]

The same problem as with passwords that has been plagging the security industry for decades.

Passwords, credentials and other high-risk high value intangible data are not associated with high-risk high-value AND our memory is not designed for random junk.

Maybe an anthropologist can study this phenomenon further.

We already have hints of that: our memory has evolved for thousands year to easily memorize places and spatial navigation, in thr past for food, water and danger. Today you go in a foreign place, just one visit and you know where everything is. At the same time, people can usually hold only ~7 concepts/numbers/objects in their head.

In memory competitions people leverage our spatial prowess with a technique called the memory palace, that was already used in ancient Greece and Roman Empire to recall anything, from bard tales to the Iliad and Odysseus.

https://en.m.wikipedia.org/wiki/Method_of_loci

[RobertRies]

The claim is that some day innovations, and checks, and some other technologies will fix this and do all of this automatically, somehow.

That's why it's still early days.

[TimeBearingDown]

No, this is usually (apologies if not in your case) a straw man, and representative of the usual HN blind spot for cryptocurrency. Ledger and Trezor hardware wallets do protect against this class of attack. We are rapidly approaching a world in which those with significant assets or job responsibilities should be carrying physical 2FA tokens, which can allow use of private keys while protecting them (a hardware wallet).

This is more of the same. The base rule in crypto has always been “not your keys, not your coins” and to keep your recovery seed offline and only enter it with the utmost of caution.

The history of scams is long, requiring periods of societal learning and transition as e.g. credit card, identity fraud, and wire fraud have taken center stage.

Private keys will be something that a certain amount of the population will eventually be required to understand in my estimation, even if simplified as much as can be. The alternative is more middle ground solutions putting ultimate trust in a separate party managing the keys.

There isn’t much use for most first world citizens in maintaining direct control over their digital wealth, so they are best served by staying away or dollar cost averaging a small percentage of their portfolio into an offline wallet. Those who want to experiment with smart contracts can do so with much smaller amounts.

The ability to memorize 12 words and have direct ownership of your wealth anywhere with an Internet connection, independent of any party save those facilitating the network and the one accepting your payment, and the ability to cross a border or transfer to the other side of the globe without seizure, is already tremendously powerful to hundreds of millions of people who lack trustworthy financial services.

[lottin]

> The base rule in crypto has always been “not your keys, not your coins”

This is because blockchains have no way of enforcing laws, including property rights. Therefore it comes down to this. Imagine that whoever got hold of your car keys, automatically became the owner. This is what "not your keys, not your coins" means.

[joncrocks]

It's a bit more like 'possession is 9/10 of the law'.

The "not your keys, not your coins" is more the fact that someone else holding your stuff happen to them and your stuff goes away. Or they never had it to start with. i.e. Counterparty risk.

`Cash` doesn't inherently have any mechanism for enforcing rights either. The difference is that real-world identities are easier to establish in situations where cash transactions go awry.

[lottin]

Indeed, physical cash has similar limitations. Everybody understands that it's inherently unsafe. Yet crypto-currency advocates are advising people to keep a large part of their savings as an asset that's even less safe than physical currency, which is absolutely crazy.

[FireBeyond]

> It's a bit more like 'possession is 9/10 of the law'.

Common mistake. The original saying was "Possession is nine points of the law". Over time it's been bastardized to "nine-tenths".

[TimeBearingDown]

“Enforcing laws” with regard to what? Censoring transactions? Freezing accounts?

If people want a system where this as well as excessive inflation are close to impossible, they now have an option, with the clear caveat of that ownership.

It’s not like there aren’t other options to choose - custodial services and multi-signature wallets. Banks are custodial services too, and that’s fine.

[troupo]

> “Enforcing laws” with regard to what? Censoring transactions? Freezing accounts?

Fraud. Transaction rollbacks. Consumer protection laws.

[lottin]

If you want lawlessness go ahead, but don't come crying when someone steals your riches or punches you in the face.

[mschuster91]

> The history of scams is long, requiring periods of societal learning and transition as e.g. credit card, identity fraud, and wire fraud have taken center stage.

And governments have enacted laws to protect people. With cryptocurrencies, they - by definition - cannot. Once you got scammed, your money is all but gone (sans a very VERY few exceptions).

> The ability to memorize 12 words and have direct ownership of your wealth anywhere with an Internet connection, independent of any party save those facilitating the network and the one accepting your payment, and the ability to cross a border or transfer to the other side of the globe without seizure, is already tremendously powerful to hundreds of millions of people who lack trustworthy financial services.

That's a societal problem, it can only be solved by society, not by cryptocurrency peddlers and tech-bros. And in any case: at some point that "wealth" has to enter the real world, and it's there that governments can step in and seize said wealth.

[ericd]

>That's a societal problem, it can only be solved by society, not by cryptocurrency peddlers and tech-bros. And in any case: at some point that "wealth" has to enter the real world, and it's there that governments can step in and seize said wealth.

People escaping oppressive regimes don't have time for their society to solve it, they need to leave to a different, less messed-up society. And this is one of the few ways that they can bring a decent fraction of their assets with them in a form that's not very easily stolen from them.

[TimeBearingDown]

> And governments have enacted laws to protect people. With cryptocurrencies, they - by definition - cannot. Once you got scammed, your money is all but gone (sans a very VERY few exceptions).

Rollbacks being impossible doesn’t mean the government cannot legislate.

This is a double edged sword - the benefit and the drawback are inextricably linked. Caveat emptor. Do you want absolute control of your funds? If so, you can memorize 12 words and travel the globe. If not, look to custodial partners, ETFs, or multi-signature wallets.

> That's a societal problem, it can only be solved by society, not by cryptocurrency peddlers and tech-bros. And in any case: at some point that "wealth" has to enter the real world, and it's there that governments can step in and seize said wealth.

What? I assume by “this” you mean people who don’t have quality trustworthy financial institutions?

This is Hacker News. We brainstorm technological solutions to real world problems all the time. This particular problem can only be solved be “society” at large, not technology, because you say so?

You want to disparage those trying as “tech-bro peddlers” - do you simply mean any technology inclined entrepreneur who doesn’t present female? This is an absurd emotional invective.

I’d bring up Monero RingCTs and stealth addresses as an intermediate step and the offramp of direct purchases which that community has been building, as well as tools like Bisq, but I doubt the utility of continuing to reply.

[ipython]

Early days… 15 years later. To quote spaceballs, When exactly will “then” be “now”?

[legutierr]

In 1980 packet switching had existed for 20 years already. The public Internet wouldn’t emerge for more than a decade after that—and it would take yet another 20 years for the true power of packet-switched networks to be realized, in the form of mobile Internet.

In 2000 neural networks had existed for more than 50 years. More than 20 years later their full potential is finally being realized, and many would say it is still early days.

It’s naive to think that you can predict the future course of a technology simply based on the fact that it has already existed for a certain amount of time.

[acdha]

Those comparisons are incredibly mismatched. In 1980 a computer cost as much as a car, and network connections were incredibly expensive and slow. Bill Gates, child of wealth and privilege, famously had to use a shared computer paid for by his elite school because even the child of an IBM board member wouldn’t have access to a computer! The microprocessor revolution unfolded in the 80s, however, so even your timeline is off by over a decade because people paid money to get online because things like email, telnet, Usenet, and FTP were immediately useful. By 1995, the web was already multiple years into extreme growth – very little of which was directly related to selling as opposed to all of the things you could do with it. Nobody was saying you should buy a modem and sit on it before reselling it at a profit, they were talking about all of the things you could do once you had one!

Similarly, nobody doubted that neural networks were capable of very interesting things - the holdup was the level of processing power needed to run them. As soon as that changes, useful applications abounded.

Those make quite the contrast with bitcoin which has been universally available to a much, much larger population and had truly massive resources available, but almost no meaningful impact because it doesn’t give most people anything new or better. The few businesses which aren’t trying to market it and still accept it almost universally convert BTC into real currency as soon as they receive it, companies like Western Union and Visa haven’t felt the need to lower rates, and to the extent that PayPal is reconsidering screwing everyone so aggressively it’s because of Venmo and Stripe, not Bitcoin.

[mattdesl]

> Similarly, nobody doubted that neural networks were capable of very interesting things - the holdup was the level of processing power needed to run them. As soon as that changes, useful applications abounded.

This is incorrect. AI has gone through multiple ‘winters’ where there were serious doubts and pessimistic attitudes toward its capabilities.

https://en.wikipedia.org/wiki/AI_winter

[threeseed]

Crypto-currency isn't about the technology.

It's a political experiment centred around replacing the existing financial system.

And the mistake there is that people in the crypto space are ignorant about how that world works. Namely that there is such a large overlap with the government that you're in essence trying to disrupt governments. Which is a losing battle.

[reidjs]

I don’t think it’s a battle. At least one government has adopted cryptocurrency to a small extent. No technology is “about” the technology, the other poster mentioned the Internet, very few care about how it works, they care about what they can with it.

[ipython]

IMO, your timelines are way off and the goalposts are totally skewed. In 1980, the Commodore 64 hadn't even been released yet. Even so, 15 years later, in 1995, almost 15% of adults had dialup access to the Internet. The real goalpost here is the advent of the WWW.

TBL released his paper and source code for the WWW on April 30, 1993. On that date, all that existed was an idea and a command line browser. Most people only knew the web in those early years as "that thing you could reach by telnet to info.cern.ch".

Even given this modest start, fifteen years later, in 2008, nearly 75% of adults used the internet according to a Pew research study (https://www.pewresearch.org/internet/2015/06/26/americans-in...). In 2008, we already saw the emergence of the e-commerce market, with upstart Amazon already commanding a 1% share of the entire retail market (to put in perspective, that grew to ~6% by 2019, according to Census and Morgan Stanley data: https://finance.yahoo.com/news/chart-shows-just-big-amazon-r...). Heck, by 2008, you could watch a movie instantaneously on your TV without renting or buying the DVD! (https://web.archive.org/web/20080525201828/http://www.netfli...)

So yes, you can determine something about the relative strength of a particular technology by the speed it is adopted in the marketplace. Fifteen years is a long time, and even taking into account the slow Internet speeds between 1993 and 2008, people found enough value in the Web to use it on a daily basis. I don't see the same adoption curve for cryptocurrencies.

[GauntletWizard]

The history of finance is as long as recorded history, perhaps the reason for it[1]. That said, these kinds of crazes[2] are almost as old.

[1]https://en.wikipedia.org/wiki/Complaint_tablet_to_Ea-n%C4%81... [2]https://en.wikipedia.org/wiki/Tulip_mania

[cypherpunks01]

I don't recall ever reading about a tulip ETF, though, that could be kind of interesting

[jakupovic]

Lol. HN is stuck in "CRYPTO BAD BOOO, We don't need no reason. We know", in the voice of HN group think.

[atraac]

People(old and young) give away their entire life savings to scammers every day, everywhere in the world. You don't hear about it on the internet all the time because we either got used to it or they don't want the publicity. You hear about big cryptocurrency scams more often because people invested are more into tech and spend time on the internet. Do you say that cash is not ready or appropriate for mainstream use? What about that cashier that never has that 1c of change back? Clearly a sign of not being appropriate for mainstream.

Those generic arguments can be applied to literally everything we already have. People get scammed via their bank accounts every day too, people literally get scammed by the phone. You have to use your brain when it comes to _anything_ that involves a real world value these days, saying 'crypto bad cause scams' is pointless as there are way more scams involving real world money everywhere.

[FabHK]

The difference is that you need cash and bank accounts and phones to run a modern economy. They're useful for many many things, and you can't do without, and we our best to police and minimise scams.

Crypto, on the other hand, is specifically designed to evade regulation (permissionless setting), is useful for very little else, and you can do easily without it.

[csomar]

> you can just straight up lose everything.

The story is not much different in Traditional Finance; though in some cases you can recover your money. The US (and to some extent EU) have some protection, but for the rest of the world it's not much different than crypto.

[acdha]

> The US (and to some extent EU) have some protection, but for the rest of the world it's not much different than crypto.

Do you have any citations to your survey of global consumer protection laws? Examples would be especially relevant if you know of cases where a bank granting access to a scammer left the victim with no recourse.

[csomar]

Beyond being an anecdotal point myself, you do read other people's experience online. I don't have concrete statistics; however, I do know that even big institutions get scammed with no recovery (ie: I recall the Bangladeshi central bank being swindled for tens of millions of dollars because of SWIFT and not being able to recover that money. If the Central Bank of a nation doesn't have a recourse for such an amount, I don't think the average person have that much protection either).

[acdha]

This is a great example: most of the fraudulent transactions were blocked by the NY Federal Reserve – $850M – and of the remaining $101M, a significant amount was recovered:

https://en.wikipedia.org/wiki/Bangladesh_Bank_robbery

https://www.bbc.com/news/stories-57520169

Not perfect, but 90-something percent better than no recourse. More importantly, it’s also not a given that individuals lose everything as opposed to higher operating costs for a bank. The kinds of crimes we see in the cryptocurrency world tend to leave individuals with no recourse other than very expensive private investigations, whereas a major financial institution at least had the resources to go after the money without going bankrupt.

[px43]

That was a complete dumb luck accident due to a spelling mistake.

https://www.independent.co.uk/news/world/asia/spelling-mista...

Note that the rest of the money disappeared quite effectively.

[npoc]

Not really - it's simply that a lot of people are safer trusting a custodian to hold their bitcoin for them (e.g. an ETF)

[FabHK]

Poor Satoshi. Vision:

> purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required [...]

Reality: The world's biggest financial institutions hold BTC as an intermediary for clients through trusted third party custodians for speculative purposes (rarely payments).

[npoc]

I'm sure he'd recognise that most of the population was not going to using bitcoin directly - what he has provided is a way for a population to a) digitally pay peer to peer if they so choose b) escape the enslavement caused by central banks' unlimited money printing if they so choose, hence the message in the genesis block

Of course bitcoin is rarely used for payments yet. Why would you sell the hardest money in existence, when you can sell junk dollars instead. And why would you price goods in something that's growing so quickly that its price changes dramatically month to month? It makes no sense.

Stage 1: prove ability to store value

once the value has grown to the point that it's stabilised enough to be a unit of account we will naturally move to

Stage 2: medium of exchange

The fact is we never even have to move to stage 2 for bitcoin to still be worth millions of dollars per bitcoin. Even if bitcoin only matches the market cap of gold, it will be worth ~$600,000/BTC and bitcoin has way better store-of-value fundamentals than gold.

[crystaln]

Few people think they are ready.

If they were ready btc would be $1m and they would be widely used.

[crystaln]

The time to invest is when things are not ready.

[judith48]

The world has evolved, lot of phishing and scam on cryptocurrencies . its very important to know that a source is legit before investing and most importantly safe guarding and upgrading security concerning your crypto like two factors authenticators and all necessary precautions .. although there are lot of good coders and hackers like recovering ATusa com that make it easier to recover stolen cryptocurrencies and of course only few are able to get theirs in full......

[t_mann]

Assuming the hardware wallet is safe, and that you indeed check all the recipient addresses and make no mistakes there, I don't see how the software should be able to fool you, though? I would assume that the hardware wallet is built to never leak your private key, at least not when signing a transaction, and the signature that it produces would always be for the exact transaction (recipient, amount, data,...) that you checked (since we assume the hardware wallet to be safe). Can you explain?

[woah]

So many of these exploits boil down to "hardware wallets not providing enough/the right information".

The screen is tiny, and protocol devs don't usually put a lot of thought into making stuff easily human readable. Ideally a transaction can be fully understood and verified from the hardware wallet but we still have a ways to go.

[npoc]

I use a repurposed mobile running BlueWallet

[sowbug]

Since BIP-32, receive and change addresses have been generated from a single seed, never from outside sources. Hardware wallets verify this.

It's much more likely you'll fall victim to malware that waits until you're on an exchange website, and substitutes the attacker's receive address for the exchange's. You think you're depositing funds in your account, but they vanish instead. This is basically the same attack as fake escrow instructions emailed to people buying a home.

[zepton]

Ledger fixed that exact issue in 2019: https://sergeylappo.github.io/posts/ledger-hack/

[Scoundreller]

> if my copy of Electrum was backdoored

While it’s not foolproof, it’s a good reason to compile things yourself from source instead of using the binaries. Unless someone trusted is validating build reproducibility, but that isn’t as common as we’d all like.

Some 4y old discussion of how some OSs for electrum are built reproducibly: https://old.reddit.com/r/Bitcoin/comments/dcz0my/what_is_not...

[FabHK]

This is clearly the right solution for the poor unbanked peasants crypto proponents are so concerned about. /s

[npoc]

Bluewallet Vault makes multi-sig simple. And when co-signing a transaction, it calculates the amount to display on the screen by calculating the difference between inputs & owned outputs, and so for general transactions this means you only need to check the amount and the destination address to be sure the right amount of money is going to the right place.

[yieldcrv]

If you put your seed phrase anywhere that transmits it online, none of this information about outputs or ledgers matters

This app simply transmitted seed phrases to a server, or derived the first private key of one and sent that

Starting to agree with everyone else here, if the crypto enthusiasts on HN can’t differentiate

[csomar]

> But if my copy of Electrum was backdoored and smart about what it did, it could use an output address for the remaining amount that went to another wallet.

Pretty sure this is not the case for Trezor (This was an angle that got addressed a long time ago). Also, Ethereum doesn't have a change address.

> So far I’ve been putting it off because a single wallet and being diligent about checking the output address that you send to seemed sufficient.

If you are too concerned and use Bitcoin, there is an easier/simpler way. Sign the transaction offline and don't broadcast it. Copy the transaction Hex and decode it. You can there read the details of the output addresses, fees, etc.. When you are sure, then you can broadcast the transaction.

[codetrotter]

> Also, Ethereum doesn't have a change address

Read the comment you quoted again.

I said Electrum. The Bitcoin wallet.

[ews]

A hardware wallet would 100% have stopped this.