Verso Cards

Latest release: 0.9.6 ( 26th November 2015 ) 🔍 Last analysed 23rd March 2022 . Provided private keys Not functioning anymore

Jump to verdict

Help spread awareness for build reproducibility

Please help us spread the word discussing build reproducibility with Verso Cards via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

What is a bearer token?

Bearer tokens are meant to be passed on from one user to another similar to cash or a banking check. Unlike hardware wallets, this comes with an enormous "supply chain" risk if the token gets handed from user to user anonymously - all bearer past and present have plausible deniability if the funds move. We used to categorize bearer tokens as hardware wallets, but decided that they deserved an altogether different category. Generally, bearer tokens require these attributes:

Secure initial setup
Tamper evidence
Balance check without revealing private keys
Small size
Low unit price

and either of these applies:

Somebody has a backup and needs to be trusted.
Nobody has a backup and funds are destroyed if the token is lost or damaged.

The Analysis ¶

Addendum 2022-03-19

Back when the Verso card was still available, it was affordable enough to pass on from one user to another.

Previous Review 2022-02-17

The Verso Card has a companion app on Google Play named Verso Wallet with appID ‘com.VersoSolutions.VersoApp’. As of 2022-01-02, it is no longer available.

A comprehensive review and unboxing article has been made by Bitcoin Magazine on March 24, 2014.

Printed on one side is the QR code for the public key of your address, and on the other side the private key. But WAIT A MINUTE! If someone knows the public and private keys of one of your bitcoin addresses then they could steal all your coins! right? Well no so quick. It turns out that the private key is encrypted (with AES-256).

A third-party reviewer Dan Roseman from letstalkbitcoin.com also mentioned some security problems with the card:

The password was problematic for me at first, as I had forgotten which password I had chosen and the card arrived more than a week after I ordered it. Verso Card initially did not inform users that their password would be required to use the card when ordering, but the order form has since been updated to include a noticeable disclaimer. One problem with this method, however, is that there is no option to change your password; doing so would end up changing the private key QR code. This could be disastrous to some forgetful users, myself included. The password is useful in some cases. For example, if you lose your phone, an attacker will be required to scan the encrypted private key on your Verso Card in order to use the App or send bitcoin. It’s a unique form of 2-factor authentication. Exposing the unencrypted public key and encrypted private key in clear view on the Verso Card does not align with Bitcoin security best practices. All it would take for a malicious attacker to access a Verso wallet is an image of both sides of the card (easily captured by Google Glass or smartphone) and a password which cannot be changed or updated. Passwords are less secure than an unencrypted private key, which makes the Verso Card less secure than other paper wallet providers

The card does not have a screen interface or a button for confirming transactions. To confirm transactions or use the app, the user is required to scan the card’s private key.

The primary domain for the vendor is still online, however the ‘Buy’ function is no longer available. The last public tweet of the VersoCard twitter account was made on November 14, 2015.

All indications point to a product that is no longer available.

(dg)

Verdict Explained

The device gets delivered with private keys as defined by the provider!

As part of our Methodology, we ask:

Provided Keys!

Are the keys never shared with the provider?

If the answer is "no", we mark it as "Provided private keys".

The best hardware wallet cannot guarantee that the provider deleted the keys if the private keys were put onto the device by them in the first place.

There is no way of knowing if the provider took a copy in the process. If they did, all funds controlled by those devices are potentially also under the control of the provider and could be moved out of the client’s control at any time at the provider’s discretion.

But we also ask:

Defunct!

Is the product still supported by the still existing provider?

If the answer is "no", we mark it as "Not functioning anymore".

Discontinued products or worse, products of providers that are not active anymore, are problematic, especially if they were not formerly reproducible and well audited to be self-custodial following open standards. If the provider hasn’t answered inquiries for a year but their server is still running or similar circumstances might get this verdict, too.

Share on

Twitter Facebook LinkedIn

Or embed a widget in your website

<iframe 
    src="https://walletscrutiny.com/widget/#appId=bearer/versocards&theme=auto&style=short" name="_ts"
    style="min-width:180px;border:0;border-radius:10px;max-width:280px;min-height:30px;">
</iframe>

will show

and

<iframe 
    src="https://walletscrutiny.com/widget/#appId=bearer/versocards&theme=auto&style=long" 
    style="max-width:100%;width:342px;border:0;border-radius:10px;min-height:290px;">
</iframe>

will show