SafeCard

🔍 Last analysed 3rd May 2022. Bad Interface

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

Background

Here is an article on Medium explaining how the SafeCard works.

SafeCard is a PIN-protected card meant to back up seeds offline. The card has no screen interface because it is meant to be used with the Lattice1 (tagged No Source!), a hardware wallet that already provides those features.

Product Description

We believe you should take all precautions to protect your funds and prevent someone from getting their hands on your private keys - and one form of an attack that’s not talked about often is what we call the “sock drawer” attack, i.e. when someone leaves their written seed phrase in the bottom of their sock drawer and someone else finds it. People inadvertently introduce risk with how they store their seed phrase - cloud storage is a big problem in this area.

This is why we decided to use the PIN protected SafeCards to store/backup your wallets - if someone finds your backup, they still can’t use it without the PIN, which adds another layer of security on top of everything else (but if you want to back up with a seed phrase, you still have the option of course).

Analysis

A paragraph on SafeCard’s product page says that the card can’t sign transactions without the Lattice1 wallet. From the page:

Put your keys on a secure GridPlus SafeCard. Carry your assets around in your pocket or lock them in an underground vault. Backup your keys on one or multiple SafeCards. Keep the keys offline or transfer funds by inserting them in a Lattice1.

This is also confirmed on GridPlus’ documentation for the wallet.

When inserted into the Lattice1, the Safe Card “takes over” as the default wallet of the device. This means that any signatures requests are done so on keys held in the card (rather than the device itself).

When removed, the SafeCard can no longer make signatures, so the device’s built-in Lattice1 wallet (the chip of this wallet is exactly the same as a SafeCard chip) returns as the default wallet.

The card doesn’t primarily function as a wallet on its own as it lacks an interface where you can sign transactions and is designed to be used in conjunction with another hardware wallet.

(dg)

Verdict Explained

The design of the device does not allow the user to verify what is being signed!

As part of our Methodology, we ask:

Can the user verify and approve transactions on the device? If not, we tag it Bad Interface!

These are devices that might generate secure private key material, outside the reach of the provider but that do not have the means to let the user verify transactions on the device itself. This verdict includes screen-less smart cards or USB-dongles.

The wallet lacks either an output device such as a screen, an input device such as touch or physical buttons, or both. In consequence, crucial elements of approving transactions are being delegated to other hardware such as a general-purpose PC or phone, which defeats the purpose of a hardware wallet.

Another consequence of a missing screen is that the user is faced with the dilemma of either not making a backup or having to pass the backup through an insecure device for display or storage.

The software of the device might be perfect but this device cannot be recommended due to this fundamental flaw.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined, he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but, out of distress or a change in management, turn out to be evil from some point on, with nobody outside ever knowing before it is too late.