That's the one where the manufacturer can sweep funds by iterating over *public* block hashes with their known encoded serials.
> The factory-generated address is made from the block hash (at the "birth height" of the card) and a random number that never leaves the card.