Ledger, a leading provider of cryptocurrency hardware wallets, has stirred up a storm of controversy within the crypto community with its latest service, Ledger Recover. The function, which is based on user identification (ID), aims to enable the recovery of access keys for cryptocurrency wallets. However, the announcement has been met with strong criticism and concerns over security.
Ledger Recover, the newly introduced tool, is designed to offer a backup solution in the event of a lost seed phrase or recovery phrase, which is a secret key consisting of 12 to 24 words used to access a cryptocurrency wallet and retrieve associated funds if needed.
The new Ledger service divides the recovery phrase into three fragments and sends them to trusted third parties. When combined and decrypted, this information can be used to reconstruct the original phrase, as reported by The Block.
However, the proposal has ignited a heated debate among users and security experts, primarily due to its Know Your Customer (KYC) requirements. To utilize the recovery service, users are required to provide their passport or national identification document to confirm their identity. Many cryptocurrency enthusiasts value their privacy and find this ID demand contradictory to the decentralized principles of digital currencies.
"It's a terrible idea, DO NOT enable this feature," advised Mudit Gupta, Director of Security at Polygon Labs, on Twitter. This sentiment was echoed by the renowned crypto investor known as 'DC Investor,' who stated, "I would not recommend anyone to upgrade such firmware."
Gupta defended the concept of fragmenting the seed phrase, calling it a positive step. However, he pointed out that the encrypted keys were being sent to "3 corporations" that could potentially reconstruct the phrase.
The Ledger Recover function is included in the latest firmware version 2.2.1 for Ledger Nano X hardware wallets. Currently, the identity registration requirement applies to users from the European Union, the United Kingdom, Canada, and the United States, with the company planning to add support for documents issued by other governments in the future.
According to Wired, the service will come at a cost of $9.99 per month and will rely on three custodians: Ledger, Coincover, and EscrowTech.
"This is a disaster waiting to happen," commented a Reddit user. "I genuinely cannot believe what I'm reading; it seems insane that a hardware wallet provider would encourage you to back up your initial phrase online AND [ALSO] give them your passport/ID."
Although Nicolas Bacca, co-founder and Vice President of Innovation Lab at Ledger, responded to user concerns on Reddit, many individuals reiterated their fears about Ledger's security practices and the potential for malicious actors to exploit the functionality, gain access to keys, and steal cryptocurrency.
Adrian Hetman, the Technology Lead at the Web3 bug bounty platform ImmuneFi, highlighted the risk associated with the tool, stating that it provides an opportunity for a malicious actor with access to a user's passport or ID document to gain control of their funds. "Identity theft is common, and this would expose cryptocurrency users to a new form of attack," Hetman told Decrypt.
Despite the multiple criticisms, Ledger has defended its new recovery feature. In an email sent to The Block, a Ledger spokesperson explained that the process of decrypting the three fragments can only occur on the Ledger device, after the user has verified their identity. The spokesperson emphasized that the companies involved do not have access to the seed phrase in any way and that it is a paid service.
The three companies safeguarding the fragments "never have access to your seed phrase, it is not stored 'in the cloud,' and backups are only encrypted, fragmented, and decrypted directly on your Ledger if you subscribe. So, if you are a Ledger user who wants to use your Ledger as you always have, you can still do so without worry. Nothing changes for you."
Ledger is one of the largest providers of hardware wallets for cryptocurrency investors. The company has previously faced criticism, particularly after a data breach in 2020 that exposed the phone numbers and physical addresses of nearly 300,000 customers, as well as over 1 million email addresses.