How safe is a card?

How secure/safe is a Xumm (Tangem) card?

There are lots of different cold wallets to choose from in the crypto space. Here are some of the main security features you get with a Xumm (Tangem) card.

How the card generates the account secret

Xumm cards use an EAL 6+ certified microchip for secure operations.

Upon first use, a private key is generated on the card using its cryptographically secure True Random Number Generator that lives inside the chip present in the plastic card.

The public key is then derived from the private key using elliptic curve point multiplication.

Finally, the public key is hashed to produce an XRP address.

The private key is stored securely on the card. It is never revealed and is not accessible by anyone - not even by the Xumm application.

How the transactions are signed with the card

Xumm creates a sign request, then asks the user to sign that request by placing the card over the NFC reader on their mobile device. The sign request is sent to the card, where it is signed or rejected, then the sign request is returned to Xumm.

The account secret never leaves the card.

So, while the Xumm app starts the signing operation, the card is exclusively responsible for actually signing a transaction and returning a signed hash back to the Xumm app.

Understanding how NFC works

Each card has a secure NFC smart-card chip with a Type A contactless interface embedded in it.

In case you're wondering,

"Near-field communication (NFC) is a set of communication protocols that enables communication between two electronic devices over a distance of 4 cm or less." (Source: Wikipedia)

The card uses the NFC smart-card chip to communicate with your phone and, through it, directly with Xumm.

NFC vulnerabilities and possible attack vectors

The primary attack vectors against a Xumm card fall under the category called "proximity" attacks.

Proximity attacks are potential attack vectors for all wireless and NFC devices, not just Xumm cards.

Proximity attacks are those where a potential attacker needs to be really close to the card in order to be successful. The attacker could be a real person with a phone, just a phone lying on a table, or even a small NFC device no larger than an Apple AirTag.

Since NFC allows mobile devices to establish radio communication with each other over short distances, there is a possibility, however remote, that an attacker might be able to intercept that radio communication.

What Xumm is doing to prevent proximity attacks

We have implemented three main security features to combat proximity attacks.

  1. Security Delay: You might have noticed that you are required to hold the card against your phone for 15 seconds before it will sign a transaction. Because of this delay, a potential attacker would need to be within about 4 cm of your Xumm card for at least 15 seconds in order to send a transaction to it. In theory, you would notice someone standing so close to you for this long.

  2. Strict security settings: Tangem cards offer a large variety of settings that can only be configured at the factory. All Xumm cards leave the factory preconfigured to our specifications.

    Among them are:

    • NFC communication between the card and Xumm app is encrypted

    • NFC communication sessions are short to minimize the chance of NFC proximity attacks

    • All card features that are not specifically used by Xumm are disabled to narrow the attack surface

    • Various security checks are enabled to distinguish valid cards produced by Tangem from potentially malicious cards

I just received my cards and customs opened the package. How do I know the cards are still safe?

When you add a Xumm card into Xumm, you will receive the following message:

This means that the card has not generated a set of private keys yet and that the card has not been used. Once you select Generate Account, the card will randomly generate a set of private keys and encrypt them on the card. As long as you see the above message, your card has not been accessed.


Pin/Passcode: Each card has the ability to configure a pin/passcode. Doing this greatly increases the security of your funds by forcing you to enter a pin before a transaction can be signed. For more information about configuring this option, please refer to the following article: Creating a pin on your card

Keys are exchanged using the ECDH protocol with the pin mixed in for additional randomness.