Your seed words matter more than your wallet.
It occurred to me the other day that a “great” place to attack someone’s cryptocurrency accounts would be to somehow “infect” their hardware wallet. Then it actually happened in real life: a guy bought a new Ledger Nano S that came “pre-seeded” for his “convenience.” What this meant was that the 24 seed words were already established by someone in the hardware supply chain (probably the reseller), making this supposedly ultra-secure cold storage hardware wallet completely accessible to an unknown party via a pre-established address. The seed words even came under a scratch-off foil, which was a nice touch. The poor guy fell for it and lost all his coins.
In the days leading up to this, I was researching resellers of the Ledger Nano S, and it came to my attention that there were dozens of “just launched” sellers on Amazon alone.
These resellers literally have no reputation on Amazon and are suddenly starting up, selling hardware wallets. It really makes you think what their business plan might be. Now, the guy in our story bought from Ebay, which to me sounds even worse, outdone only possibly by buying one on Craigslist, I suppose.
Factory reset is your friend.
What this tells us is that you should not buy a hardware wallet from just any old reseller. And, regardless of who you buy it from, always wipe it before using it! You should never blindly trust that “security seal,” which is just a piece of tape. It means nothing and is easily exploited! The thing that matters most is that list of 24 seed words, which you should keep in a secure place apart from your wallet. Also, put a backup copy of those words somewhere even further out of reach, like a safe deposit box at the bank. (Yikes, I said the B-word!) If you’re really hardcore, and you don’t trust the longevity of paper and ink, look into the likes of Cryptosteel, and pound your seed words into durable metal! You can restore any hardware wallet from those 24 seed words. Your seed words matter more than your wallet. Factory reset is your friend.