Chain Security founder Yang Xia talks about asset security issues that ordinary users should pay more attention to behind the whale attack | Chain Node AMA

The recent incident in which a whale lost coins has once again drawn attention to SIM card attacks and digital asset security. From the available information, the whale controlled the private key himself (he performed signature verification) and claims to have been hit by a SIM card attack. The SlowMist security team's analysis said: "It is guessed that a well-known decentralized wallet service was used, and this decentralized wallet actually requires SIM card authentication, which means there is a user system that can rely on SMS two-factor authentication tied to the SIM card; we guess it might be "

What exactly happened when the whale lost his funds? What lessons can we learn from it? How can retail users safely store digital assets? When choosing a hardware wallet on the market, which security factors should you pay attention to? On the afternoon of February 28, Yang Xia, founder and CEO of Chengdu Chain Security Technology, was a guest on the ChainNode AMA to discuss these hot topics with community users.


On the whole, in mainland China, the possibility of SIM cards being attacked is very low.

In daily life, when we lose a SIM card, we can go to the operator and apply to have the number "transplanted" to a new SIM card; the phone number is transferred directly to the new device. The SIM attack people usually talk about refers to a hacker abusing this process to transplant the victim's number onto a device the hacker controls. The hacker can then easily trigger the password reset function of the victim's email account using the SMS verification code, and then use the mailbox to steal the victim's electronic assets. However, Yang Xia believes that in mainland China this possibility is currently very low. She explained:

If an attacker wants to attack a target's SIM, in mainland China he must clone the target's SIM card information onto a SIM card he controls. Here is a rumor-rebuttal statement released by China Mobile many years ago: "China Mobile's Information Security Management Department stated that the SIM card is the customer's identification module. It stores the mobile phone customer's information, and a 128-bit key is stored in the card to ensure security. At the same time, the mobile communication network is independent of the Internet, so it inherently prevents attacks from Internet hackers; technically, remote copying of a SIM card is impossible." If an attacker instead wants to go to a business office and replace your SIM card using a fake identity, the operator's user records would first have to be tampered with to match his false information before he could succeed. On the whole, in mainland China, the possibility of SIM cards being attacked is very low.


Here we need to note that some community users mentioned that centralized wallets such as WeChat Pay and Alipay are rarely hit by SIM card attacks. Yang Xia said this is because WeChat Pay and Alipay currently do not rely on SMS verification codes for payment but use biometrics plus a payment password. Therefore, the security of these two cannot be attributed, out of context, to "centralization". For users who have lost property because of a SIM card attack, suing the operator is also a way to defend their rights, but the final result depends on the specific situation and the applicable legal requirements.

Pay attention to the protection of private keys and personal information, and make reasonable and safe distribution of assets

The whale's loss has once again put the issue of asset security in front of us. So how can ordinary people (mainly users whose crypto assets are not held on the three major exchanges) ensure the security of their own digital currency assets? Yang Xia emphasized:

For users who do not choose to store funds on large exchanges, the protection of private keys and the protection of personal information are the top priorities. The simplest and easiest security method to implement is environmental partitioning, such as setting up a dedicated system for operating funds or trading, including the mobile phone, mailbox, etc., that separates daily life from trading. The mobile phone used to operate the exchange should be kept clean: install no unnecessary applications and do not use it for communication, chat, entertainment or other activities unrelated to trading. For storing private keys and mnemonics, it is recommended to use the old-fashioned but effective paper record, and to avoid screenshots, photos and other forms that are transmitted over the network.
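The takeover chain described above (ported SIM, then SMS-driven email reset, then wallet) and the environmental-partitioning advice can both be checked with a small dependency model. This is an added example written for this page, not code from Chain Security or the AMA; the account names and edges are constructed, and the functions (`takeover_reach`, `sim_exposed_assets`, `drop_dependency`) are hypothetical helpers.

```python
from collections import deque

# Constructed example, not data from the AMA: one user's account-recovery
# dependencies. An edge A -> B means "whoever controls A can take over B",
# e.g. because B's password reset or 2FA code is delivered to A by SMS or e-mail.
RECOVERY_EDGES = {
    "sim:personal-phone": ["email:personal", "wallet:hot-app"],  # SMS codes
    "email:personal": ["exchange:login", "wallet:hot-app"],      # e-mail reset links
    "exchange:login": ["exchange:funds"],
    "wallet:hot-app": ["wallet:funds"],
    "paper:mnemonic": ["wallet:funds"],                          # offline, nothing points at it
}


def takeover_reach(edges, compromised):
    """Every node an attacker can take over starting from one compromised node."""
    reached, queue = set(), deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    reached.discard(compromised)
    return reached


def sim_exposed_assets(edges):
    """Assets (nodes ending in ':funds') that a ported SIM alone is enough to drain."""
    exposed = set()
    for node in edges:
        if node.startswith("sim:"):
            exposed |= {n for n in takeover_reach(edges, node) if n.endswith(":funds")}
    return sorted(exposed)


def drop_dependency(edges, src, dst):
    """Model a mitigation: remove one takeover path, e.g. after moving an account's
    reset/2FA off SMS onto an authenticator app, hardware key or a dedicated trading phone."""
    return {k: [v for v in vs if not (k == src and v == dst)] for k, vs in edges.items()}


if __name__ == "__main__":
    print("drainable via the personal SIM:", sim_exposed_assets(RECOVERY_EDGES))
    # Partitioning: the trading mailbox and hot wallet no longer hang off the daily-life SIM.
    hardened = drop_dependency(RECOVERY_EDGES, "sim:personal-phone", "email:personal")
    hardened = drop_dependency(hardened, "sim:personal-phone", "wallet:hot-app")
    print("after partitioning:", sim_exposed_assets(hardened))
```

Removing only the SMS reset on the email account is not enough in this model, because the hot wallet still accepts SMS codes directly; the check only comes back empty once every edge out of the personal SIM is gone.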

Beyond protecting private keys and personal information, Yang Xia also said that users need to pay attention to a reasonable and safe allocation of funds. The best advice for ordinary investors is to divide funds into two parts: trading funds and holding funds. Trading funds are the more liquid part, used in environments that require frequent use of funds, such as trading on an exchange. Holding funds are the less liquid part, which can be kept in a coin the user is optimistic about in the long term, or in a stablecoin. Dividing funds this way satisfies both the convenience and the security of trading.


When users do need to keep long-term assets on an exchange, they should pay more attention to choosing the exchange. Yang Xia suggested that users look at several dimensions in particular: the size of the exchange's funds and its user base, the security incidents in its operating history and how they were handled, the compliance of the projects listed on it, and its promotional methods. She added:

For example, if an exchange focuses its promotion on high rebates for pledged funds and the like, ordinary users should be vigilant and judge carefully. To select an exchange that can be trusted and used for a long time, it is necessary to consider both its technical model and its financial model: whether security technology is used properly determines the exchange's resistance to external attacks, and whether there is a reasonable and sustainable economic model determines whether the exchange can maintain a safe and stable capital flow in the long term. Both are indispensable for a good exchange.

Asset security is an old question, but it is indeed one that every ordinary user should think about every day. Perhaps the best asset protection we can practise today is to stay security-conscious online and to actively learn the principles behind wallets and private keys. Although this is not foolproof, we can do our best to avoid giving attackers a chance.

For a detailed review of this AMA session: