Safer savings: Introducing the Xaman Tangem Card!
At XRPL Labs, we are constantly working on improving the XRP Ledger user experience for consumers and for businesses.
Xaman (formerly Xumm) is a self-custodial (un-hosted) XRP Ledger client (wallet). This means that you, and only you, have access to your funds because your funds are in your own account, to which you own the keys. Your keys are encrypted securely on your iOS/Android device.
Keeping your keys safe
While keeping your keys encrypted on your device makes a lot of sense for your daily spending (lower-value accounts, to be accessed on the fly), your keys to your XRPL savings are best kept offline, away from your iOS/Android device (or any device you carry around, for that matter).
Existing methods to keep your private keys to your higher value accounts safe all have disadvantages, if you want to be able to potentially/periodically move funds from your savings to your spending account.
A paper wallet (your secret written down, offline) is not user friendly. It’s hard to use, because it will have to be imported into e.g. Xaman when you want to access your funds. Many hardware wallets have to be charged and are slightly harder (or even scary) to use. Air-gapped clients require manual data entry when signing.
Enter Xaman (Tangem) Cards
Just like XRPL Labs, Tangem is making the cryptocurrency space a safer, more user-friendly place. Their take on keeping keys for XRPL accounts safe is one we at XRPL Labs appreciate a lot. To the point where we feel confident using their cards ourselves to keep our savings safe.
Instead of using a hardware wallet, or a static, written down secret (that can’t be used easily), their cards contain a chip and use NFC (near field communication). The first time you use the card, the chip generates a private key, while being powered using NFC (by your iOS/Android device). This means the cards are shipped without a private key on them, so there is no chance of it being compromised between you and the factory. The chip used in Xaman cards offers bank grade security and has been fully audited.
Security + usability
Because the key stays in the (chip in the) card, signing happens in the (chip in the) card. This means your secret will never leave the card.
You hold your card against your NFC enabled iOS/Android device to sign a transaction. Xaman will then send transaction details to the card, the card will sign and return the signature (for the signed transaction) to Xaman so Xaman can submit it to the XRP Ledger.
This offers the best combination of user experience and security. Using your smartphone with decent screen size, and the Xaman + XRPL ecosystem to compose and review transactions, while using a separate (dedicated, low level, offline) piece of hardware (the Xaman card) to sign transactions.
While Tangem already offered XRP cards, one could only use them for regular XRP payments. The XRPL has much more to offer than simple XRP payments: Issued tokens / IOU’s (decentralized exchange), account settings, multi signing, escrows, NFTs, AMM, etc. All fully supported by Xaman.
Recovery
Because the chip inside a Xaman card generates and holds the (non-extractable) private key to access your funds, a lost card means you won’t be able to access your funds anymore.
Fortunately, we’ve got you covered. Xaman includes an xApp called “Tangem Backup” which allows you to configure a second card as a backup. By doing this, you don’t have to worry about a lost, stolen or damaged card… you will have a backup card to protect your assets.
Further explanation & FAQ’s
What’s the typical use case for a Xaman card?
Your Xaman card has its own r-address. It’s a separate XRP Ledger account. Xaman, in combination with your Xaman card, enables all XRPL features.
The most common use case would be to use two XRP Ledger accounts: one for receiving funds & daily spending and one for your savings. Your daily spending account in Xaman (as read/write account), and your savings account using a Xaman card.
When you want to top up your spending account, you use your Xaman card to sign a transaction from your savings account to your spending account.
When your spending account has a higher balance than you’re comfortable with, you simply use Xaman to send some of your funds to your Xaman card account.
Can I use an existing XRP Tangem card with Xaman?
Yes and no. The most current Tangem cards are V2 multi-cards. These cards are not compatible with Xaman. Some of the older Tangem cards will work with Xaman, but if your plan is to participate and interact with the XRP Ledger and Xahau communities, Xaman cards are the way to go.
Xaman Pro is a paid subscription, do I need Xaman Pro to use Xaman cards?
When you subscribe to Xaman Pro, you will receive two free Xaman cards with your order.
(Note: Not all countries are eligible to receive the cards due to customs restrictions and customers are required to pay shipping costs for the cards.) For the most current information, please refer to this article:
How can I purchase Xaman cards?
They are available via our Get cards xApp: https://xumm.app/detect/xapp:xumm.tangem-order or via our website: https://xrpl-labs.com/tangem/product
Can I extract or backup the secret / private key from my Xaman card?
No, you cannot. The secret / private key of a Xaman card is stored safely inside the chip in the card. The card can only sign for you, it will never expose the secret / private key.
While you cannot extract & backup the secret / private key of the card, Xaman can setup a recovery account, and attach the recovery account to your Xaman card account. Using this recovery account, you will be able to regain access to your funds in case of a lost, stolen or damaged card.
How is the Xaman card protected? Can someone else use my card if they have physical access?
Xaman will allow you to set up a PIN / Password on your card. If you do so, signing transactions with your card also requires you to enter the PIN / Password. This will protect you against physical access attacks, as one not only needs your card, but your PIN / Password as well.
If you did not configure a PIN / Password on your card, anyone with physical access to the card can access and move all your funds. If you use your Xaman card to keep significant amounts of XRP (or other currencies), it is advisable to both enable PIN / Password protection on your card and not to keep your card with you during your daily commute.
Does a Xaman card require another 10 XRP reserve?
That depends on how you configure the cards. While primary cards require that they be activated, backup cards do not require activation.
See: Tangem cards - Back Up & Best Practices
Additional reading
Is Xaman a safe place to store my secret keys? Has it been audited? How secure is Xaman?
It is not uncommon for people to want to try to compare different wallets, different platforms and different devices to determine which one is "best". When it comes to protecting your assets, for many people, only the best will do so it only makes sense to get the best when it comes to protecting your funds, right...?
The challenge with this approach is that crypto security is a huge and highly technical subject which requires years of education and experience to fully understand. Simply reading an article or watching a YouTube video and then thinking you have enough information to make a comprehensive comparison between wallets is... dangerous. Certainly we recommend reading as much as you can about this topic, but please keep in mind, this article is not meant to be an exhaustive discussion of Xaman's (formerly Xumm) security. It is merely a glimpse...
There are several ways to view security when it comes to your XRP Ledger account but your first line of security always starts with your mobile device.
Here are the top 9 security threats to look out for when it comes to your phone.
Social Engineering
Data Leakage via Malicious Apps
Unsecured Public WiFi
End-to-End Encryption Gaps
Internet of Things (IoT) Devices
Spyware
Poor Password Habits
Lost or Stolen Mobile Devices
Source: The Nine most common security threats to mobile devices
So before you even get around to installing Xaman, here are some things to consider:
Is your mobile device up to date with all security and OS updates?
Do you use a VPN?
Do you have an anti-virus program that is up to date?
How often do you use public wifi?
Do you have a firewall on your phone?
Do you have strong passwords?
How often do you change your passwords?
If your phone is not secure, the best, most secure software wallet in the world (aka Xaman) will not be able to protect your assets. Starting out with a modern, up to date, secure mobile device is essential when it comes to securing your assets.
So your phone has no spyware or malware installed. It is up to date. You use a top of the line VPN, anti-virus software and firewall. You have installed Xaman and you used Xaman to create your XRP Ledger account. Well done!
Let's consider your XRPL account. Xaman can generate three hundred and forty undecillion, two hundred and eighty-two decillion, three hundred and sixty-six nonillion, nine hundred and twenty octillion, nine hundred and thirty-eight septillion, four hundred and sixty-three sextillion, four hundred and sixty-three quintillion, three hundred and seventy-four quadrillion, six hundred and seven trillion, four hundred and thirty-one billion, seven hundred and sixty-eight million, two hundred and eleven thousand, four hundred and fifty-six different accounts using the secret number standard. Xaman will provide you with one of those possible accounts.
It is hard to imagine how many accounts that actually is, so maybe this will help.
If you had a job that paid you 390 trillion euros per hour, you would have to work 24 hours per day, 7 days per week, 365 days per year for about 99 quadrillion years to earn 340 undecillion euros.
It is unimaginably difficult for someone to guess your account number out of 340 undecillion possible accounts. You would need to make 390 trillion guesses per hour for 99 quadrillion years to guess them all.
Entire books have been dedicated to this topic but if you are interested in learning a bit more about it, you can check out this link on entropy. It is not exactly "easy reading" but it will get you going in the right direction.
There is no difference. Whether an account is generated offline or online, the total number of possible accounts is the same, so the chance of someone guessing your account secret is the same.
The only way someone can access your XRP Ledger account is if they know your Secret Numbers. Keeping them safe is the best way to keep your assets safe. The second you share your Secret Numbers with anyone, you give them 100% access to your funds and give them permission to use your funds in any way they choose.
Never give your Secret Numbers to anyone. If someone asks for them, that person is trying to steal your funds!
You are absolutely right. Let’s say that someone has acquired your phone and somehow circumvented your phone's password and now has full access to it.
An attacker launches Xaman and tries to hack your 6 digit passcode. Six digits is only 999,999 possible combinations (000000, 000001, 000002 -> 999997, 999998, 999999), so they start entering various passcodes at a rate of one passcode per second and about 11 days later they have tried all of the possible combinations. So somewhere along the way, they would get access to Xaman, right?
That makes sense, except for one small countermeasure we implemented in Xaman. We have configured Xaman to only allow 5 attempts before it starts to add time to the next attempt. After the ninth wrong entry, Xaman requires a delay of 2 hours before you can input a passcode again. That means 12 attempts per day. Now instead of 11 days to try all of the possible combinations, it would take about 83,332 days to try them all… Or about 228 years.
However, let’s say someone manages to guess your 6 digit passcode in under 228 years; now they have to figure out your signing password. (If you configured one, which we recommend that you do.) Honestly, how hard can that really be, right? Well, we set the limit for the number of characters you can make your password to a mere 2,091,752 terabytes. In other words, you could make your password so long, it would take up all of the storage space on your 512GB phone and about 4 million other 512GB phones before you ran out of space to store it. Provided that you selected a strong signing password, this could take a while to guess.
The point is, there are multiple layers of security in Xaman to protect your XRPL account. A potential hacker who gets your phone, needs to crack the phone's passcode, then crack Xaman's passcode, then crack Xaman's signing password. This is very, very difficult to do if you use good passcodes/passwords.
Yes and no.
The passcode that you configure in Xaman is designed to keep people from accessing the Xaman application. It does not protect your Secret Numbers from being used by someone else.
For example, let's say you have two phones and you have installed Xaman on both of them. You could import your secret numbers into both phones and access your XRP Ledger account from both devices. The passcode that you setup on one phone does not affect your second phone. You could configure one phone with one passcode and your other phone with a different passcode. Changing your passcode on either device does not affect the other device. In other words, the Xaman passcode (and signing password) are local security measures on your device to prevent accessing the Xaman app.
The goal for Xaman is to protect your Secret Numbers on your phone. The passcode and signing passwords are designed to help do this.
By this point, hopefully you realize it is basically impossible to guess the Secret Numbers in your lifetime. The amount of possibilities is just too great, but... there is the risk that your phone could be lost or stolen. If that were to happen, and given enough time and resources, your phone could be hacked and once someone gained access to your phone, they might be able to hack Xaman and if they did that they might be able to decrypt your secret numbers, and if they did that, they could access your funds!
We are talking theoretical here but still, it might be possible, so we decided to offer a way to mitigate the risk of a lost or stolen phone... enter Xaman (Tangem) cards.
Xaman cards are the perfect way to alleviate the risk of a compromised phone, especially if you follow our recommend guidelines here:
Although we believe that your phone is secure and that it will never get lost/damaged/stolen or hacked, having a pair of cards will ensure that even if your phone was ever compromised, your XRPL account would still be safe. Here’s how they work…
A Xaman card will generate a set of private keys on the card. They never leave the card. No one will ever see them, (including you) and there is no way to access them. You can never be tricked into giving your account secret away and the only way to access your account is by having the card with you.
You’re right. Most cold wallets give you the account secret (Secret Numbers/Family Seed/Mnemonic) so you can be tricked into giving it away. This cannot happen with the Xaman cards. As well, most cold wallets also require that you have a computer to use them and computers can be VERY difficult to secure. This is not an issue with the Xaman cards.
Your private key (keypair) is generated by a chip inside the Xaman card. The keypair cannot be extracted or wiped from the card and the key generation by the chip inside the card is very secure. (And has been audited.) There is no way for you to access them so you can never give them away. Like we said, the account secret is on the card and the only way to access your account is by physically having the card with you.
Of course. check out this article:
Xaman will never share your private keys with a third party website or application. The website/app will deliver a sign request to Xaman and Xaman will display the sign request for you to approve or deny. Once you approve it, Xaman signs it locally on your phone and returns only the signature to the website/application. Your private keys never leave your phone. Xaman only signs after approval, locally, and then only returns the end product: the signed transaction.
It is not possible for someone to access your XRP in your XRPL account via a Trust Line, however creating a Trust Line does pose several risks.
A token issuer can freeze their own Trust Line, which would make their issued tokens unusable. (But they cannot access your account or your XRP.)
A token issuer can misconfigure their Trust Line, which could make their issued tokens unusable. (Again, they cannot access your account or your XRP.)
A token issuer could send you messages via the XRPL (once they know your r-address) and somehow convince you to send them your secret numbers. (While not really considered a “hack”, the results are pretty much the same.)
A token issuer could initiate the 'clawback' feature on their Trust Line which allows them to take back as much of their token as they like, as often as they like, whenever they like.
See this link for more information about the Clawback feature on the XRPL: https://github.com/XRPLF/XRPL-Standards/tree/master/XLS-0039d-clawback
A 'spam' transaction is one which is unsolicited.
In most cases, someone will send a small amount of XRP to an account along with a message, advertisement, special offer, marketing idea, business opportunity, etc. The idea is that you will read the message then decide to investigate and either buy their product, visit their website, invest in their business opportunity, etc.
The spam transactions themselves do not pose a threat to your XRPL account and do not cost you anything, but the 'special offer' they advertise is often risky and dangerous.
If you would like to learn more about spam on the XRPL, check out this article:
The XRP Ledger is basically a giant, decentralized network. While it is possible that a governmental agency might be able to shut down parts of the XRPL in a particular region (validators, nodes, internet access points), a single government could not shut down all of them all over the world. The XRPL servers are distributed around the planet to form a global network. It will still run and validate transactions even if a number of servers were shut down. (That is part of the idea behind decentralization.)
Another feature of the XRPL is that no one, not a government or an exchange or even us can access your XRPL account. You are the only one with the account secret, so without that, there is no way to confiscate or freeze your XRP.
Finally, Xaman will run regardless if XRPL Labs exists or not. Xaman does not need our backend servers to function. All of the XRPL communication and signing happens locally on your mobile device, from within Xaman. It does not need our backend servers for that.
…plus, if worst came to worst, you could always take your account secret and just use another wallet if you wanted to.
Keep your phone safe (physically), up to date and free of spyware and malware
While security is our number one priority, Xaman can be made safer if you avoid risky interactions with the internet (e.g. public Wi-Fi, shady websites, etc.), install a good firewall and use a VPN when possible.
Never give your account secret (Secret Numbers/Family Seed/Mnemonic) to anyone, for any reason
Xumm (Tangem) cards are the best solution for long term storage, large account balances and maximum security
Understanding Two-factor authentication (2FA)
Two-factor authentication (2FA) is a security process in which users provide two different authentication factors to verify themselves. Two-factor authentication provides a higher level of security than single-factor authentication (SFA), in which the user provides only one factor -- typically, a password or passcode.
Some 2FA methods are:
OTP (one time passcode) over SMS
Out of Band SMS
Google Authenticator
Mobile Authentication
Push Notification
Soft Token
OTP (one time passcode) over Email
Out of band email
Display Hardware token
Yubikey hardware token
Security Questions
Phone verification
Voice verification
2FA relies on a “shared secret”.
For example, when Google asks you to enter a 6 digit code to access your account, you and Google have a shared secret that is used to “derive” these codes.
The trick is that the secret is never sent, only the codes are. So an attacker can’t get the secret and they can’t generate the code.
This works great on a centralized system like Google but it does not work so well on the XRP Ledger since there is no place to store a “shared secret” on the XRPL. In order to implement 2FA, the XRPL would need to implement a centralized, 3rd party system to "control" access. This does not make sense on a public, decentralized blockchain. (Adding a centralized system on a decentralized blockchain.)
You might think that multi-signing accomplishes the same thing as 2FA in that you could require 2 or more signers to submit a transaction, but that only simulates 2FA, and even then, only if you sign with two separate devices that are not in the same location.
Consider the following requirements to get access to your XRP Ledger account managed with Xaman:
1) physical access to your phone
2) some way to unlock your phone
3) some way to access Xaman (could be the same as #2, e.g. FaceID / Fingerprint, passcode)
4) some way to sign transactions on your account (optional extra security using a configured password)
We can not control the first two options. You are responsible for your phone and keeping it safe. You are also responsible for creating a secure password to unlock your phone.
However, let's say that someone has acquired your phone and somehow circumvented your password and now has full access to it.
An attacker launches Xaman and tries to hack your 6 digit passcode. Six digits is only 999,999 possible combinations (000000, 000001, 000002 -> 999997, 999998, 999999), so they start entering various passcodes at a rate of one passcode per second and about 11 days later they have tried all of the possible combinations... except for one small countermeasure we implemented. We have configured Xaman to only allow 5 attempts before the app starts to add time to the next attempt. After the ninth wrong entry, Xaman requires a delay of 2 hours before you can input again. That means 12 attempts per day. Now instead of 11 days to try all of the possible combinations, it would take about 83,332 days to try them all... Or about 228 years.
However, let's say someone manages to guess your 6 digit passcode in under 228 years; now they have to figure out your signing password. Honestly, how hard can that really be, right? Well, we set the limit for the number of characters you can make your password to a mere 2,091,752 terabytes. In other words, you could make your password so long, it would take up all of the storage space on your 512GB phone and about 4 million other 512GB phones before you ran out of space to store it.
Provided you selected a strong signing password, this could take a while to guess.
2FA only works when:
You have a centralized system (Google, Twitter, Exchanges, name it)
You are registered and need to login (via email / user name)
This only makes sense if the access password is on a separate device, i.e. NOT on your smartphone. If you receive your 2FA password via SMS on your phone, 2FA won't help. The main weakness here is the dependency on the service provider. Even without access to your phone, if your 2FA password is delivered via SMS, all someone needs to do is get access to your phone number. This is easier than you might think. Xaman does not have any of these issues.
XRP Ledger accounts created using Xaman are already incredibly safe, but we certainly understand the desire to maximize the security of your account. That is why we partnered with Tangem to create a hardware wallet to our specifications: the Xumm (Tangem) card.
Unlike other hardware wallets, a Xumm (Tangem) card is light, fits easily into a physical wallet or purse and interfaces with Xaman to make it convenient and easy to use. The card contains a security chip and uses NFC (near field communication) to interact with your mobile device. The chip generates an account secret for an XRPL / Xahau account, while being powered using NFC (by your iOS/Android device). This means the cards are shipped without an account secret on them; the secret can only be generated on the card, by the owner of the card. The chip used in Xumm (Tangem) cards offers bank grade security and has been fully audited.
If you are interested in learning more about the cards, check out this article:
A little bit about Quantum attacks
This article is meant to answer some basic questions about quantum computing and to explain our view on the future of quantum attacks as they relate to Xumm and the XRP Ledger.
Theoretically, in the near future, there will be several different types of quantum computers that will be capable of doing certain types of computation at very high speeds. Some of those computers will most likely be suitable for analyzing cryptographic algorithms. Those are referred to as CRQCs, or “Cryptographically Relevant Quantum Computers”. CRQCs will theoretically be extremely adept at attacking and deciphering real-world cryptographic systems.
The XRP Ledger uses asymmetric-key algorithms to secure XRPL accounts. Also referred to as public-key algorithms, asymmetric-key algorithms use paired keys (a public and a private key) in performing their function. The public key is known to all, but the private key is controlled solely by the owner of that key pair. The private key cannot currently be mathematically calculated through the use of the public key, even though they are cryptographically related. In theory, CRQCs will be able to calculate the private key based solely on the information contained in the public transactions recorded on the XRPL.
Some estimates suggest CRQCs will be viable in about 5 years' time. One study suggests that a quantum computer possessing about 4000 qubits of processing power could theoretically crack the cryptography used by Bitcoin. Currently, IBM has a machine with just over 400 qubits of processing power.
Currently, there is no agreed upon definition of what makes an algorithm quantum resistant.
In theory, a quantum resistant algorithm for the XRP Ledger must be able to:
resist quantum factoring (See Shor's algorithm)
resist quantum searching (See Grover's algorithm)
resist quantum machine learning
When such an algorithm is developed, integrating it into the XRPL should be a straightforward process. (Just as the Ed25519 algorithm was added.)
Keep in mind, any new algorithm that is added to the XRPL will need to be supported forever, so while it is a fairly easy process to add additional algorithms, it is not something to be taken lightly. Ideally, the XRPL community will wait as long as safely possible before adding a new one.
There are currently two options to help protect against quantum attacks until quantum resistant algorithms are implemented on the XRPL:
Create a new XRPL account and move your assets to your new account, then leave it alone. A CRQC will need an outgoing public transaction to analyze the public key of your account. Once you perform any outgoing transaction on your new account, it will be vulnerable to a quantum attack.
Create a new XRPL account and re-key your existing account to point to your new account then disable your master key on your existing account and leave it alone. Once you perform any outgoing transaction on your new re-keyed account, it will be vulnerable to a quantum attack.
Spam is a real issue on the XRPL. Incoming transactions such as spam will not affect your quantum protection. Only outgoing transactions will.
One of the major projects we have been developing is adding smart contract functionality to the XRP Ledger. We call it "Hooks".
A Hook can be developed to create any signing scheme you desire. For example, you could delegate a transaction through a Hook which could allow you to change your signing scheme to whichever algorithm you like. Such a hook could give you complete control over how your transactions would be signed and allow you to choose from various quantum resistant algorithms.
Another option could be to create a Hook that simply blocks any transaction that doesn't include a quantum resistant signature. This type of hook could prevent you from accidentally signing a transaction using a non-quantum resistant algorithm.
How to upgrade your account to a stronger encryption algorithm
Before we continue, we want to assure you that whichever version of Xumm you are currently using, it is still very safe. Upgrading your accounts using our new algorithm simply increases the security from very secure to extremely secure. This process is completely optional and while we recommend that you go through the process, it is not required.
All versions of Xumm prior to v2.4 use the AES-256-CBC encryption algorithm to encrypt your secret keys on your phone. It is the same algorithm currently used by banks, large businesses and even governments all over the world and is extremely secure. AES-256 is also the standard encryption algorithm in the crypto industry and is widely used, however...
While AES-256-CBC (Advanced Encryption Standard) still remains the encryption algorithm of choice for governments and financial institutions, it provides only confidentiality (encryption); it does not detect whether the stored ciphertext has been modified. AES-256-GCM is "state of the art": it is faster and provides both confidentiality and built-in authentication (an integrity check that rejects modified ciphertext). Updating Xumm (rebranded to Xaman) to this enhanced standard just extends our lead in the crypto space and, to be honest, Xaman users have come to expect nothing less than the best. If there was a better way to encrypt your private keys, we would have already implemented it.
We have made the upgrade process super easy, so if you are ready to upgrade your accounts here are the steps:
Launch Xumm and press Settings then Accounts:
You may have noticed in our example that the "Card 1" account is not displayed in the above image. The "Card 1" account is a Xumm (Tangem) card account, so it cannot be upgraded. (Since the private key is stored on the card itself, not in Xaman.)
If you have configured the "Extra Security" option for your account in Xaman, it will ask you for your Signing Password instead of your 6 digit passcode.
The upgrade only takes a few seconds... and... all done. It's as easy as that!
Any new account that is created with Xumm v2.4 (Xumm was rebranded to Xaman in v2.6) uses the new encryption algorithm. There is no need to upgrade it.
All accounts that are imported into Xumm v2.4 will be automatically upgraded to use the new encryption algorithm. There is no need to upgrade it.
Account present on another device. Your XRPL account has been added to another device
You have just received the following message in Xaman:
This message is triggered when:
1) You install Xaman on a new phone and import your existing account secret for the first time.
2) Someone else imports your account secret into Xaman on their phone for the first time.
For older versions of Xumm, when an account tries to reach out to our backend servers to interact with the XRP Ledger via an xApp or a sign request, it would trigger an automated push notification and deliver the above message.
Normally the account had been installed on two devices and one of those devices had just recently been used. (E.g. a second smartphone, or tablet)
Xaman is not able to determine who has imported your account. It is only able to determine that an account has been installed on a different device. Since Xaman does not keep track of personal information, there is no way of knowing who imported it, where the device is located or what kind of device it was installed on.
Our goal here is to warn you that something is possibly wrong with your account and your mobile device. This is not something that just happens. This section only applies if this message is unexpected and you didn't import your account on a new or replaced device.
If you have not imported your account on a new/replacement device, it is possible that your entire device could be compromised, (user names, passwords, account information, etc.) and could be at risk. If there is even a chance of this, it is time to act immediately.
Move your funds out of your XRPL account immediately!
If you have a Xumm (Tangem) account, move your funds to this account. The account secret is stored on the card and, as long as you have configured it correctly, your account cannot be accessed without physical access to your cards. (Primary and Signing)
If you do not have a Xumm (Tangem) account but you have an exchange account, it might make sense to temporarily move your funds there.
If you do not have a Xumm (Tangem) account but you have a hardware wallet, it might make sense to move your funds there. (Although some hardware wallets are less secure than exchange accounts.)
If you do not have a Xumm (Tangem) account, you could consider re-keying your account and then disabling the master key.
Once your funds have been moved to a safe location, you need to consider if/how your phone was compromised. Things like:
Have you recently updated your phone? The operating system?
Have you recently installed a new application on your phone?
Have you recently updated any applications on your phone?
Have you recently visited "questionable" websites?
Have you recently installed any web extensions?
Have you recently downloaded any files to your phone?
Have you entered your account secret into a web form? Into another wallet? Into a website?
Have you stored your account secret on your computer? On your phone? On the internet?
Have you given your account secret to anyone?
It is highly recommended that you take the necessary steps to make sure your mobile device is secure before you continue. Having a secure phone is vital before moving funds back into self-custody. For more information about this, check out this article:
If you can not figure out how your account might have been compromised, it is a good idea to create a new XRP Ledger account then transfer your assets to your new account. This way, you will get a new set of secret numbers and you can ensure no one else has access to them.
This article explains how to create a new XRP Ledger account using Xaman:
Press the button. Xaman will list your accounts that are eligible to be upgraded.
Press the button beside the account you would like to update, then enter your 6 digit passcode.
Has Xaman been audited?
In August 2021, XRPL Labs requested Cossack Labs offer an opinion on improving the security and cryptography aspects of Xaman (formerly Xumm) mobile wallet’s behavior, source code, and cryptographic design.
We are delighted to report the results of Cossack's findings here:
If you are interested in a summary of the report, please visit our blog: