Apple store fake app stole man's life savings in Bitcoin (washingtonpost.com)
68 points by paulpauper on April 27, 2021 | 89 comments



It's easy to shit on other people who fall for scams, but even someone who has a security focus can fall for it.

I personally used "The Great Suspender" for years until it was bought out and the rug was pulled out from under me.

I do think Apple's requirements are higher than Android for publishing apps, but I would not risk that much money on a mobile device ecosystem. If you're transferring $600,000 worth of BTC, purchase a one-time use laptop and use wallet.trezor.io as your web wallet. This laptop should only be used for this workload and kept offline / powered off otherwise.


If you're transferring $600k, use a hardware wallet, not a web wallet.


Trezor's hardware wallet is operated via web wallet through Trezor Bridge.

The transaction is set up on the web wallet, the hardware wallet shows you the details on its own screen, and you can sign on the hardware wallet.


I just bought a small amount of crypto on Coinbase to toe the waters (think double-digits worth). Still, if I wanted optimal security, what would I do to keep my crypto safe?


It's such a small amount don't bother.


Use a Trezor with wallet.trezor.io


If you're transferring that much, you should use a broker service probably.


Or, y'know, a bank transfer.


For transferring bitcoin?


For "transferring $600k" - I was assuming the "$" indicated USD.


There are so many gamers out there that I am wondering why they haven't united to take down Bitcoin and other cryptocurrencies with their powerful gaming PCs.

They are pissed off about GPU prices being high and all the crime and the environmental impact Bitcoin causes; they can get together to undermine the network. If gamers started a mining pool not for profit but to take down the network, I can see it happening. First start mining with smaller cryptocurrencies, the money goes to encrypted wallets that no one controls, then start posting fake transactions with that money to clog up the network.

As publicity gets more people to join the project, they can then start performing 51% attacks to further undermine the network. At some point that crypto will be worthless and they can move on to a bigger one, then just repeat until they get up to Bitcoin. But as the mainstream media picks up the story, I don't think they would even need to get to Bitcoin as everything will collapse.

Conclusion: Better Environment, Less Financial Fraud, LOWER GPU prices. Someone start the project and call it "Gamers VS Crypto" or something like that.


GPU mining is no longer profitable and is being used as a scapegoat for a shortage of GPU chips.


I think in a large mining pool this is still a possibility to attack the network with 20 Series Nvidia and Above / Equivalent Video Cards. Especially if gamers get together to attack the network, the pool can grow into the millions of users.


Apple users are losing millions. It's a scam even a high school kid could find out. But somehow Apple couldn't. Because it makes them money.

https://www.theverge.com/2021/4/21/22385859/apple-app-store-...


I find it funny that users of this site constantly complain about how Apple should treat iPhones as general purpose computers, and every time Apple does they scream about not protecting them from scams. You can't have it both ways.


That's not a fair complaint. It can be turned around.

In fact YOU (well, I mean Apple) cannot have it both (other) ways. It's not fair to arbitrarily remove legitimate apps, lock down the devices, under the guise of user safety but in the end fail to actually provide the level of security at all that people now expect and paid the price of the device not being GP.

If Apple is so sure of their measures they should also cover (i.e. pay up) any damages when fraudulent or dangerous apps do make it to the store or are not removed in a timely fashion. The fees they siphon off from app revenue should probably go there.


General purpose computing doesn't mean tolerating multimillion USD scams even after numerous complaints. Apple has created an aura that its App Store is trustworthy. One person was enough to blow that out of the water. Also, he didn't even have to do something brilliant/hard to find out these scams.


I think it's slightly more nuanced than that. It's more like "the walled garden is bound to fail and allow malicious apps so you might as well allow people to load whatever apps they like".


Are you arguing that imperfect security is worse than no security?


I don't think they said that.

The argument is rather that the AppStore is not secure at all, but a) we still cannot sideload apps and b) legitimate apps get kicked off for no good reason, etc.

The problem is false security and false expectations.

Arguably it's easier for a user today to accidentally download a scammy app from the app store than it would ever be to do when sideloading. The latter would always come with the expectation and warning that it's not vetted by anyone, so the user and/or community will invest the time to make sure the download is legitimate.


I don't buy that. Apple's brand is everything; why allow a few scammers to make a quick buck?

Negligence and simply the size of the Appstore is more likely at play.


For people who back Bitcoin - every time this happens it undermines your thesis about Bitcoin. Blaming the victim and similar rhetorical tactics don’t correct the harm to the public image of Bitcoin done by scams.


I mean surely it's just a different trade off. With one system you have absolute sovereignty over your money with all of the risks that entails and with the other you have less independence and potentially (hopefully) more protections when something goes wrong.

Two systems for two different use cases.


What most coiners want is number go up without being their own bank.


Your point would have greater validity if your savings were impervious to theft and devaluation in any other world's currency.


If your bank gets hacked and your savings stolen, there are laws, policies, procedures, and insurance (like FDIC) that will guarantee you eventually get most, if not all of your money back. If your bitcoin wallet gets hacked, you're basically SOL.


Policies and procedures for fraud are at the bank level afaik, and the purpose of FDIC is to protect against bank failure up to 250k USD ( https://www.investopedia.com/ask/answers/111815/does-fdic-co... )


Yes, you are right. FDIC does not cover this sort of thing.


If you think the current system is that good... think again. In Europe, the protection is capped to 100K Euros. And that's the EU, not a third world country .. :-)

https://ec.europa.eu/info/business-economy-euro/banking-and-...

We are not speaking about hacking here, simply about banks failing. Bank which failed, it happened 10 years ago, who knows when the next crash is happening...


Bank failure is completely orthogonal to fraud. Do the regulations cap bank's liability in case of fraud? If there are such regulations, I have not heard of one.

> Bank which failed, it happened 10 years ago

For what it's worth, governments have gotten progressively better at regulating banks in a way to make such failures increasingly unlikely. We have a similar system in Canada, with protection capped at 100k CAD. The last time they had to pay out was 1996. Failures were frequent in the 80s and 90s, and then they just stopped. Not by miracle, but by regulation. The government had learned how to avoid failure instead of allowing it to happen and reimbursing the stakeholders.

https://www.cdic.ca/about-us/our-history/history-of-failures...


It does not matter if a bank is liable if it doesn't have money to give back to you.


You are conflating two unrelated failure modes:

1. A fraudster obtains your credentials and steals money from your bank account: The bank reverses the entire transaction and makes you whole. You get your whole money back, no matter the amount.

2. The bank goes out of business: Worst case scenario, the bank has no assets, the government reimburses you up to 100k CAD/100k EUR/250k USD depending on the country the bank is located in. A lot of times, bankruptcies are due to liquidity issues, not insolvency, so you would get back most of your money, even above the caps here, eventually. Also, because the government is not just the insurer, but also the regulator, it has gotten much better at avoiding bankruptcy and this does not happen often these days (at least in Canada).

I am not sure what failure mode you are concerned about: one where fraudsters steal so much money that the bank goes under, like tens or hundreds of billions of dollars? And the transactions are somehow irreversible?


I am not sure what you are referring to when you say "bank reverses the entire transaction". Who gives you that guarantee?


That’s for a bank crash or some other shit.


There are plenty of phone scams that trick people into sending money such that the money is unrecoverable (like using retail gift cards). The victim’s recourse in these cases is also zero.


Don't banks in your country cover you for being a victim of fraud? If he had entered his bank credentials in the fraudulent app instead, wouldn't the bank have made him whole and reversed all transactions to get their money back?


Not necessarily. Keep in mind, Bitcoin is attractive mainly for people living in countries where rule of law is really loose. So a loose proposition like Bitcoin is still a good one.


The comment I replied to talks about "any other world's currency", not "every other world's currency". They must mean USD, EUR, JPY, and CHF too, not just VES and MMK.


My cash savings are held in the form of US treasury bonds.

To a first approximation, they are impervious to theft (registered to me personally and accessible via treasurydirect.gov) and devaluation (indexed to grow with inflation).


> and devaluation (indexed to grow with inflation)

Indexed to grow with CPI, which is a wild guess[1] since 1980.

[1]: http://www.shadowstats.com/alternate_data/inflation-charts


If they’re short term treasurys (or heck, anything up to five year maturities) they’re definitely not keeping up with inflation, especially if you have a normal income and have to pay taxes on the interest.


I bonds are indexed to inflation (adjusted semi-annually) and exempt from state & local tax: https://www.treasurydirect.gov/indiv/products/prod_ibonds_gl...

But also, this is hilarious nitpicking from fans of digital "currency" that can't be used to buy anything or even moved for less than a 20 dollar transaction fee. [0]

I'll put treasury bonds up against bitcoin as a stable store of value all day. How much are you up? Getting nervous to sell, or gonna HODL strong?

[0] https://ycharts.com/indicators/bitcoin_average_transaction_f...


Treasury bonds can’t be used to buy anything either. Are you comparing apples to apples here?


Who knows anymore? Bitcoin advocates keep changing what their thing is supposed to be an improvement on as it proves to be inferior to one traditional financial implement after another.


In a very paradoxical way, this is the opposite of that.

Any new technology has (incorrect) underlying old assumptions, so there are always people utilizing them and abusing them.

In 1981 if you were talking to a girl you never met on the phone, then chances are she was actually a girl. In 2001 if you were talking to a 'girl' online in text, then chances are you are being catfished on the internet.

In 2021, if you are just doing video and audio verification in a similar situation, chances are you are being catfished by Machine Learning [1].

Technology scams (as opposed to Social engineering scams) are an indication of how radically different new technology is from the assumptions people have about it (for instance, all the old ladies who are being still scammed by Indian call centers out of their life savings).

1. https://www.news18.com/news/buzz/japanese-influencer-posing-...


People tend to pick on the newcomer. Take Tesla. Every single Tesla crash or fault makes the news, even though their rate of fault is less than average. It's meaningless to say "10 Teslas have caught on fire this year already!" without also mentioning the thousands of cars from other manufacturers that have done the same.

People who say bitcoin can never work because people fall for scams don't understand what the technology can do and don't understand where the technology is going. All of these problems are very solvable.


This is exactly why I think all current forms of cryptocurrency are not suitable for use as a store of any significant value. You must have 100% flawless opsec at all times or you could have your entire life savings stolen, with absolutely no recourse.


One of the most important features of the financial system is that most actions have an "undo" procedure. It might takes a few days, but in most cases you can get most of your money back after a simple mistake.


I'm always surprised to hear, as a supposed benefit, how easy Bitcoin makes it to move money. I don't want it to be fast, easy or cheap to move my life savings. I want inertia.


Please be careful - wire transfers often do not have an "undo", or even if one is available it's often too late to use it.


Maybe credit card, but cash, debit, interac, etc don't.

If I etransfer (Canada) someone money and that person up and disappears I am out that money, a bank will do absolutely nothing. You can file a police report but those chances are also basically zero.

Same with cash, if I give someone cash or take cash out and don't store it properly I lose the whole thing.

There isn't really an undo process except credit cards.


There is? What’s the purpose of a court? Even if it was cash and it was illegally stolen


When bitcoin gets covenants, we'll be able to send payments that can be undone for a limited period of time (say, a week).


I'd say that's mostly true for credit card transactions, but I don't know of anyone who has gotten scammed and got their money back. Banks either don't care, or can't actually do anything. Scammers know what they are doing.


This is almost always a great benefit for consumers. For some merchants this is an unacceptable risk and because of it they are not able to offer their products at a reasonable price.


Maybe we could transfer a standardized cryptocurrency amount into a write-once device, and use as many of those as we need to purchase things. We could call these fungible cryptodevices "cashcoins".


Already been done: https://kong.cash/



I agree significant value should not be stored directly by many end users.

What cryptocurrency can do is separate the owner of the value (the individual) from the provider of the security (the custodian).

In theory you can have an account where both you and your bank must sign a transaction to move funds. This adds an additional layer of security. The bank can't steal your funds without your digital signature and you can't do something stupid without the bank's approval.

It hasn't happened yet in a meaningful way. But it is possible.


> In theory you can have an account where both you and your bank must sign a transaction to move funds. This adds an additional layer of security. The bank can't steal your funds without your digital signature and you can't do something stupid without the bank's approval.

This is basically the model of Casa, except they're never custodian because they only hold 1-of-N signing keys, where N is 3 or 5, and creating a transaction requires a quorum.

The advantage is some redundancy in your signing device setup, and also protection against theft by geographically distributing your keys, while still maintaining sovereignty of your funds. It also allows them to assist you in recovering access to your funds if one of your own signing keys is lost, but they never have the ability to move your funds on their own.

The tradeoff compared with maintaining your own multisig setup is a reduction in privacy, since they can see your transaction history. This is still far more preferable than letting a custodian hold "your money" for you. I believe it's the best model for the vast majority of the public to hold Bitcoin.

They also push a "seedless" model to prevent the exact attack described in the article. Nothing prevents the user from keeping backups of one (or more) of your seed phrases, it's merely a suggestion.

https://keys.casa

disclosure: I used to work at Casa and hold a tiny bit of equity, and I continue to be a satisfied customer


This will change when bitcoin gets covenants. Then we'll be able to send payments that can be undone for a limited period of time (say, a week).


You can lose your entire life savings with a regular bank as well. There are just government programs that offer insurance (FDIC, CDIC, etc.)

All crypto needs is an insurance program that offers protection and guarantees your money.

It will take time but it's inevitable at some point with banks and large companies signing up.


Can someone explain how this scam works in more detail? In the article it said seconds after the person logged into the fake app, the BTC was gone.

So did the scammers automate this then? Scraped the login details and then automatically logged into the real platform and transferred the BTC out?

What about 2FA? How did the scammers get around that?

Also, the article mentioned you can change your app after you submitted it to the Appstore without requiring another approval? i.e. did they change the logo without Apple noticing?


Trezor's hardware wallet allows secure access to Bitcoin; however, you can export the keys.

I'm sure the fake app asked him to export the keys and he just did it without realizing they could just grab the money.


I feel like there's more to this story but I'm just shocked that trezor transactions can be authorized from the app. I know that with ledger your keys/password are not exposed to the device and you need to enter a pin for every transaction, he'd know he was authorizing a transaction at the moment of entering his PIN!

I've never used a trezor before so I had to look it up:

When considering the security in entering our passwords, in Trezor wallets, the password is entered via the keyboard of the connected device, making it vulnerable for attackers to read it.

However, in Ledger wallets, the password is linked to another PIN which is entered using the normal keys.


There is more to the story:

"The app was a fake, designed to trick people into thinking it was a legitimate app."

Same app, different user:

"He wanted to make sure his investment was secure, so he purchased a Trezor Model T hardware wallet and downloaded an app on his iPhone called Trezor, which asked for his seed phrase. The app didn’t connect to his Trezor wallet, and he figured it didn’t work."

NEVER TYPE A SEED PHRASE INTO AN ONLINE DEVICE. That is never required during normal operation of any hardware wallet, that's the whole point of using one.


That's misleading information coming from a competing hardware wallet maker. While it's true that the pin is entered on the computer, it's scrambled[1], so it's non-trivial to keylog it.

[1] https://wiki.trezor.io/User_manual:Entering_PIN
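A model of the scrambled PIN entry the comment above refers to, written here as an added example (not Trezor's code and not from the article): the device shows the digits 1-9 in a random 3x3 arrangement, the host shows nine blank buttons, and the user clicks the position of each digit, so a host-side keylogger records positions rather than digits. The PIN and layouts are constructed sample values.

```python
from math import perm
import secrets

# Simplified model of blind-matrix PIN entry (an assumption about the scheme,
# not Trezor's implementation). The device owns the random layout and never
# sends it to the host; the host only forwards button positions.

DIGITS = "123456789"


def new_layout(rng=None):
    """Device side: a fresh random arrangement, layout[position] = digit."""
    rng = rng or secrets.SystemRandom()
    digits = list(DIGITS)
    rng.shuffle(digits)
    return digits


def user_clicks(pin, layout):
    """Host side: for each PIN digit, the index of the blank button the user presses."""
    return [layout.index(d) for d in pin]


def device_decode(positions, layout):
    """Device side: recover the digits from the clicked positions and its own layout."""
    return "".join(layout[p] for p in positions)


def keylogger_view(positions):
    """What a host keylogger learns from one entry: only which presses repeat.

    Returns (pattern, candidates): the repetition pattern of the presses and the
    number of distinct PINs consistent with it. A PIN whose k digits are all
    different is hidden among 9*8*...*(9-k+1) possibilities, and the pattern
    changes with every fresh layout, so logged sessions do not add up.
    """
    first_seen = {}
    pattern = []
    for p in positions:
        first_seen.setdefault(p, len(first_seen))
        pattern.append(first_seen[p])
    return pattern, perm(9, len(first_seen))


if __name__ == "__main__":
    pin = "7314"  # constructed sample PIN
    a, b = new_layout(), new_layout()
    clicks_a, clicks_b = user_clicks(pin, a), user_clicks(pin, b)
    assert device_decode(clicks_a, a) == pin and device_decode(clicks_b, b) == pin
    print("session 1 presses:", clicks_a)
    print("session 2 presses:", clicks_b)  # normally differs for the same PIN
    print("keylogger learns:", keylogger_view(clicks_a))
```

The protection rests entirely on the layout staying on the device screen; the host-side keylogger threat is the one it addresses.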


Indeed, there is something missing. My guess is that he entered his private key into the wallet. Apart from requiring a PIN, you need to make a few clicks to authorize a transaction and the Trezor screen will show the amount/receiver.


> Phillipe Christodoulou wanted to check his bitcoin balance last month, so he searched the App Store on his iPhone for “Trezor,” the maker of a small hardware device he uses to store his cryptocurrency. Up popped the company’s padlock logo set against a bright green background. The app was rated close to five stars. He downloaded it and typed in his credentials.

The whole point of a hardware wallet is to keep the credentials (private keys / seed phrase) locked up in there, and be safe from any malicious wallet app.

Entering his credentials in the app destroyed the security of his hardware wallet.



You tha real MVP


Another Apple App Store scam(s) (multimillion dollars).

https://www.theverge.com/2021/4/21/22385859/apple-app-store-...


This is a perfect example of the aphorism "you can't con an honest man".

He made a bundle in the cryptocurrency game whose #1 rule is "no rules", and then got beat.


And there isn't a thing he can do about it, because bitcoin is "secure".


The paywalled preview ended with all you need to know: “The app was rated close to five stars. He downloaded it and typed in his credentials.”


It's security issues like this that are the reason why we should not allow anyone to have complete control of their money.

Another nail in Bitcoin's coffin.


This stuff happens too often. When there’s no entity to blame this on, it really becomes your responsibility and risk to deal with it. Most people can’t deal with their life savings being in a digital wallet.

This kind of trick, however, would have fooled most people since you’d expect Apple’s devices and store to be safe (relatively to everything else)


This incident is awful! App Store should always do a background check of financial applications because there might be some problems just like this. They should be held liable for any losses of the user.

This is why many people, especially those who are older, prefer avoiding cryptocurrency as an investment, as it has a lot of complex functions and a learning curve to set up one.


The app store should absolutely not be held liable for people's losses. If someone secretly plants uranium in your bag, should you be sent to prison as a terrorist? No! It's not your fault, it's the fault of the person that planted it on you, obviously. It's not easy to catch scams in applications. It's usually incredibly difficult, bordering on impossible.


[flagged]


It goes by points, not comments.


Apple should pay for it! They allow this type of app because they get their 30% cut. I would definitely hold them liable for this.


Cryptocurrency enthusiasts talk endlessly about the virtues of decentralization, immutable transactions, “code is law” etc, but when they lose their keys or get scammed, it’s always some big, centralized entity that is apparently responsible for making them whole.


But Apple holds out the purported security of the iOS app store ecosystem[0] as the reason to pay them $1k for a phone (and the cheapest iOS phone is $450!) and 30% rent seeking for all transactions on the phone, and why they kick apps out of the store simply over speech that they disagree with, such as COVID misinformation or Chinese censorship.

Apple deliberately degrades the performance and functionality of web apps in the sole browser allowed on the iOS platform (Safari; all other browsers are a wrapper around it), slow walks and introduces bugs into standards such as WebRTC, and makes it very difficult to install apps as a PWA in order to funnel everyone (50% of phone users in the U.S.) into the App Store, and bans all other app installation methods.

And, when they introduce new features like privacy nutrition labels, it's always so that they can force even more users into their walled garden, and strengthen proprietary apps like iMessage, and build up their ads business. It's like "nobody but us", where "us" is Apple.

So, yes, if they are holding out that all of this app review process is to benefit and protect the users, and the users get scammed because their app review process is apparently incapable of catching these obviously scam apps, then Apple should make the users whole.

0. Apple says its App Store is ‘a safe and trusted place.’ https://www.washingtonpost.com/technology/2019/11/22/apple-s...


Apple charges 30% because they can, not because there is some sort of logical basis for it.

If Apple was somehow deemed responsible for policing crypto-scams, the only rational thing to do would be to ban Crypto apps.


> Apple charges 30% because they can, not because there is some sort of logical basis for it.

Agreed. Actually, they could probably jack it up to 90% if not for the inevitable lawsuits from state Attorneys General.

> If Apple was somehow deemed responsible for policing crypto-scams, the only rational thing to do would be to ban Crypto apps.

This might be true if the only scam apps were crypto related.

Apple's quest for control over the apps translates to a quest for increased control over their users;

Just as with Google's ability to control search results, when Apple can control how you work, which apps you can install, and even what you say in those apps, they ultimately control how and what you think.

That's a pretty powerful position for two of the most powerful companies in the world. It becomes self-perpetuating and people will automatically suppress any evidence that their opinions are being shaped.


I'm wondering how long it takes them to figure out people would immediately start scamming apple if they were liable. The risk of crypto is its freedom. I have no idea why people would not stay in regulated markets.


I think everything you say about Apple is true yet their phone is still the best choice for most people.


It's not just that app. There are several high grossing outright scam apps on the Apple App Store [1]

[1] https://www.theverge.com/2021/4/21/22385859/apple-app-store-...


I'm not a cryptocurrency enthusiast and think that it sucks that it empowers scammers to steal. But you know who else empowers these scammers? Apple.

