The popular hardware wallet Ledger, often considered the most secure way to hold your crypto, is facing criticism after a recent update. Ledger announced that it will offer users the option to link their seed phrase to their identity card or passport. This has raised concerns among privacy advocates, who argue that the update could lead to increased vulnerabilities and erode trust in the wallet’s security measures.
Traditionally, a hardware wallet like Ledger allows users to be solely responsible for their recovery seed phrases, with no third parties given access. The new Ledger Recover update, however, presents a subscription service for storing recovery seed phrases in an encrypted manner. Notably, Ledger has clarified that this is an additional service and users can continue to manage their seed phrases independently.
To use this service, Ledger will purportedly encrypt your seed phrase and divide it into three pieces, then request proof of identity and a selfie recording. Subsequently, three different custodians (Ledger, Coincover, and a third party) will each secure one of the shards. But herein lies the problem – in order to use this service, a user must connect their identity to their Ledger account, thus exposing them to potential data leaks, hacks, and possible government surveillance or censorship.
Furthermore, this update necessitates trusting a third party with sensitive ID information and details about crypto holdings. Creating a database of this nature could leave it vulnerable to cyber attacks, and the value of the information stored may tempt the “authorized third parties” to exploit the data as an income source.
This is especially concerning as Ledger experienced a data breach in 2020, leaking phone numbers, physical addresses, and over a million email addresses of its customers. Moreover, the update’s technical aspect remains problematic, as the code for the process is closed-source and unverifiable. Ledger Live uses Ledger’s nodes for wallet synchronization, which links users’ ID information to their cryptocurrency activities.
On top of all these issues, KYC data is collected by a company called Onfido, which also handles KYC onboarding and tracks users’ device and activity information during identity verification. This means that not only do users need to trust Ledger and other authorized parties, but they also have to place trust in Onfido and its handling of critical information.
Ultimately, this highly criticized update raises numerous questions about the risks associated with entrusting third parties with confidential information and the potential consequences of doing so. While the future of digital asset management remains uncertain, it is vital for crypto enthusiasts to carefully assess their options and prioritize both security and privacy.
Source: Coingape