Author: Mu Mu, Vernacular Blockchain
Asset security has always been an important topic in the crypto industry. However, from what Vernacular Blockchain has observed, although security education is published often, few people really pay attention to security issues. The common mindset is: "This is purely a matter of probability; it won't be my turn to 'win the lottery'", while the same people are convinced that an actual lottery, with far lower odds, will surely be theirs to win.
In fact, as crypto assets have gone mainstream, security incidents targeting individual users' assets have become frequent. Whether they hit large holders or retail investors, these incidents happen all around us and are no longer low-probability events.
So, starting from the most common personal asset security incidents of recent times, let's sort out the security issues that touch us most directly. The first and most basic one is: how do you make sure that the platform and wallet app you are using are genuine and safe?
01 Are “official channels” definitely safe?
Most people think that making sure a platform or wallet app is safe is simple: isn't it enough to find the "official channel"? In fact, that is not necessarily the case...
1. The "official website" that looks more official than the official website
Everyone knows to look for the "official website", but taking common mainstream wallets as an example, can you list their exact official website addresses right away? Take the test:
Most people probably pick A or B. By everyday intuition, many assume that brand name + .com or .io is the official website with "brand strength". In reality, many of these teams started out as small start-ups, and the domain they registered back then was chosen quite casually. The correct answer is actually C.
For the same reason, when the official teams behind these wallets started out, they probably did not even think of registering a trademark. The brand trademarks were then registered by other parties, who could use them to buy brand-protection services on certain search engines, attach "official brand" certification labels to search results, or buy promotion so that they always rank at the top. This is extremely confusing, and it has happened in the past two years. To this day, the first few pages of results for "xxx wallet official website" on some mainstream search engines are most likely fakes.
These "official websites" that are more official than the official website have genuinely "tricked" many people; for hackers they are a low-cost, high-success-rate approach.
2. What if you already know the official website address?
Many people assume that as long as they type the correct official domain name, the app they download must be safe. Things can still go wrong. In the recent BitKeep wallet security incident, BitKeep issued an announcement stating that, according to the team's preliminary investigation, some APK package downloads were suspected to have been hijacked by hackers, and packages with hacker-implanted code were installed. Put simply, some users were "hijacked" while downloading the APK package and ended up installing a "wallet" specially prepared by the hackers. Let's tentatively classify this as an unofficial "fake wallet".
The main cause given in the announcement is "hijacking". Since hijacking has many methods and many links in the chain, it is not clear which link failed, but we can go over how hackers usually get a user to download a fake wallet even though the user clearly typed the "official" domain name:
The first is tampering with the local hosts file. After the local PC has been tricked into installing malware, or a virus has been planted through a vulnerability, the malware modifies the local hosts file so that the specified domain name points directly to the IP of an unofficial server (for example an "official" page prepared by the hackers). In other words, you open the browser and type the exact domain name, but the site you visit is the one served by the hacker, and the app you download is a fake.
The second is tampering directly with the page opened in the local browser or app. When you open certain platform websites or wallet web pages, a browser plug-in can modify the content displayed on a specific page: it can replace the target of the "download app" button with an address prepared by the hacker, swap the deposit and withdrawal addresses for the hacker's, and even read and modify the wallet address or private key in the clipboard. As for whether a browser plug-in has permission to modify web pages, do not doubt it: almost all browser plug-ins have that permission. If you look carefully, you will find that even the "Little Fox" wallet (MetaMask) that we use all the time has it... Not long ago there was also an incident where, after a user downloaded a leading CEX's app, the deposit and withdrawal addresses were replaced and the assets were lost.
The third type is remote hijacking: DNS hijacking, modification of domain name resolution records, or a compromise of the app vendor's own servers. These are problems on the side of remote internet service providers; they are rare and costly and difficult to carry out, but they have indeed happened. Here too a similar "poisoning" makes the domain you visit resolve to the hacker's address. Another variant is the theft of the vendor's account at its domain registrar or DNS provider, which allows the resolution records to be modified, so that typing the official website takes you to the hacker's site. And if the app vendor itself is hacked, there is nothing more to say. All of these are situations we cannot control.
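As an added illustration that is not part of the original article, here is a small Python check for the first hijacking method above: it parses hosts-file text and flags any entry that pins a wallet or exchange domain (or a subdomain of it) to an IP address. The watched domains and the sample file contents are constructed placeholders.

```python
import ipaddress
import re

# Constructed hosts-file content showing a tampered entry (not from any real incident).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Line appended by malware: pins the wallet's domain to an attacker-controlled host
203.0.113.45    wallet.example   www.wallet.example
"""

# Placeholder domains to watch; substitute the official wallet/exchange domains you use.
WATCHED_DOMAINS = ("wallet.example", "exchange.example")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address, so this is not a mapping
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def find_overrides(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) entries that pin a watched domain or any of its subdomains.

    A clean hosts file never needs to map a public wallet or exchange domain, so the
    expected result is an empty list; anything else deserves a look before logging in.
    """
    return [(name, str(ip)) for ip, name in parse_hosts(text)
            if any(name == d or name.endswith("." + d) for d in watched)]

if __name__ == "__main__":
    import sys
    # Pass the real path (/etc/hosts, or C:\Windows\System32\drivers\etc\hosts) to scan it.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fp:
            text = fp.read()
    else:
        text = SAMPLE_HOSTS
    for name, ip in find_overrides(text):
        print(f"WARNING: {name} is pinned to {ip} in the hosts file")
```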
02 Security Tips from Vernacular Blockchain
Having learned that hackers can hijack even official websites, we can only sigh that "this is hard to guard against". So what can we do? In fact, these security problems are not unique to crypto. In the digital age every app has security issues, including banking and third-party payment apps, and fake "apps" abound. Based on past experience, we have therefore summarised a few corresponding security precautions for your reference:
1. Use HTTPS to prevent hijacking
When typing the correct official domain name, be sure to put https:// in front of it. This matters a great deal. When you open a URL, if there is a risk of local hijacking or remote DNS hijacking, the browser will usually show a red "not secure" warning next to the address bar along with other warnings about the page's security risks. We will not go into the details of the mechanism here; put simply, this is one of the most widespread applications of asymmetric cryptography: the browser verifies the server's certificate signature asymmetrically, which prevents hijacking and confirms that the page being accessed is really the one provided by the official site.
A side note here: many project websites, even DeFi websites, do not use or enforce HTTPS. This is totally unacceptable, and it is hard to see any care or professionalism on the team's part.
2. Check the APK file hash
For some special reasons, domestic (mainland China) Android phone users cannot download apps directly from Google Play and can only download APK installation packages. Most fake-app security incidents come from an APK being swapped and a fake APK being downloaded, so we must make sure the APK really comes from the official source.
First, open the official website over HTTPS and go to the download page. Careful readers may notice that some download pages carry a link labelled something like "Verify application security" or SHA256. We estimate that 80% of people never read the security tips, and 90% have never clicked the verification link to look at its content and verify it... After clicking the security verification or SHA256 link, you will see the hash value of the official APK installation package (if the file is modified in any way, the hash value changes completely). After downloading the APK file, calculate its hash; if it matches the official value, the file has not been swapped. After downloading the APK, the other key step is to open Google's VirusTotal (virustotal.com) and upload the APK file you just downloaded. It gives you the hash of the file for comparison and scans it against dozens of antivirus engines to see whether it carries malicious code. It can be called a magic weapon that kills two birds with one stone.
Finally, if you want to be even more rigorous, keep in mind that the hash value and download link themselves could be tampered with by local viruses and plug-ins when you open the official download page. In that case, confirm that the hash value is the same in a browser in a different environment, such as on your mobile phone.
If the wallet's official download page does not support HTTPS, you should first doubt whether it is really the official website. And if no hash value for the APK file is provided, you may doubt how rigorously the wallet team treats security. Such an omission is highly inappropriate and irresponsible; think carefully about whether to use the app at all.
3. How to check whether the platform and wallet apps already installed are safe?
The best way is to go from the official website's download page to Google Play (Android) or the iOS App Store to download and install, because in theory the security level of Google's and Apple's app stores is far higher than that of the wallet itself. Their platforms have world-class security software, hardware and talent, and wallets or platforms are not in the same league.
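The hash check described in the steps above, as an added example that is not from the original article: it computes a SHA-256 over a package in chunks (so a large APK never has to sit in memory), normalises the value as a download page might publish it, compares in constant time, and shows how a single flipped bit changes the hash. The package bytes and the published value are constructed for the demonstration.

```python
import hashlib
import hmac
import io
import re

# Constructed stand-in for a downloaded APK. Real APKs are ZIP archives and can be
# hundreds of MB; these bytes are arbitrary and only exercise the comparison.
DOWNLOADED_APK = b"PK\x03\x04 constructed-apk-content " * 2000
# A copy with a single bit flipped, standing in for a hacker-modified package.
TAMPERED_APK = bytearray(DOWNLOADED_APK)
TAMPERED_APK[1234] ^= 0x01
TAMPERED_APK = bytes(TAMPERED_APK)
# What a download page might publish; sites vary in case and prefix, so it is normalised below.
PUBLISHED_HASH = "SHA256: " + hashlib.sha256(DOWNLOADED_APK).hexdigest().upper()

def sha256_of_stream(fp, chunk=1 << 20):
    """Hash a binary stream in 1 MiB chunks so a large APK never has to fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fp.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def sha256_of_file(path):
    """SHA-256 of a file on disk, e.g. the APK in your Downloads folder."""
    with open(path, "rb") as fp:
        return sha256_of_stream(fp)

def normalise_published_hash(text):
    """Extract the 64-hex-digit SHA-256 from text like 'SHA256: ABC...' and lowercase it."""
    m = re.search(r"[0-9a-fA-F]{64}", text)
    if m is None:
        raise ValueError("no SHA-256 value found in the published text")
    return m.group(0).lower()

def verify_apk_bytes(data, published_text):
    """True only if the package's SHA-256 equals the official value (constant-time compare)."""
    actual = sha256_of_stream(io.BytesIO(data))
    return hmac.compare_digest(actual, normalise_published_hash(published_text))

def differing_hash_bits(a, b):
    """Count hash bits that differ between two packages: one flipped input bit changes about half."""
    x = int(sha256_of_stream(io.BytesIO(a)), 16) ^ int(sha256_of_stream(io.BytesIO(b)), 16)
    return bin(x).count("1")

if __name__ == "__main__":
    print("genuine package matches:", verify_apk_bytes(DOWNLOADED_APK, PUBLISHED_HASH))
    print("tampered package matches:", verify_apk_bytes(TAMPERED_APK, PUBLISHED_HASH))
    print("hash bits changed by a 1-bit edit:", differing_hash_bits(DOWNLOADED_APK, TAMPERED_APK))
```

For a real download, call sha256_of_file on the APK path and compare the result with the value shown on the official page, ideally after checking that value again from a second device.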
So, open the Google Play or App Store page from the wallet's or platform's official download page, and confirm once more that the developer's company name, download count and review count look right (for mainstream wallets these counts are large). At that point we can assume the downloaded app is safe.
If you are not sure whether the APK-installed app currently on your device is safe, follow the previous two tips to confirm the official source and verify the hash before downloading it to your phone and installing it over the existing copy. But do not forget to back up your mnemonic phrase first, in case an error during the overwrite causes data loss and leaves the wallet unrecoverable (though overwriting or updating an app normally does not lose data).
4. Other suggestions on wallet security
If you do not use a cold wallet or hardware wallet and prefer hot wallets, the safest approach is to install the wallet on an iPhone. First, you only need an overseas Apple ID and can skip all the hassle of Android. Second, once the iPhone is locked, its encrypted data cannot be unlocked without the key.
Many mainstream overseas apps (such as MetaMask) do not offer standalone APK downloads precisely because of the many security problems involved. Many vendors, however, are forced to offer APK downloads to attract new users or because of the sheer number of Android users. To get around the APK problem on Android you need essential software such as the Google Services Framework (including Google Play) and Google Authenticator, which for certain reasons is very hard to install at present. Many people therefore turn to third-party solutions whose sources are unofficial, unsafe and not rigorous enough.
Of course, if you must use an Android phone, you can choose a manufacturer that still natively supports Google's full suite of services, such as Samsung. In addition, installing the wallet on a device that offers a secure folder isolated by a security chip adds a second layer of protection: as on an iPhone, sensitive data cannot be unlocked and extracted if the device is lost.
5. Suggestions on platform APP
Since most CEX platforms use multiple forms of verification, they are less easily affected by fake apps (which raises the bar for hackers). You should still check whether the deposit and withdrawal addresses shown in the app match those given on the official website. In addition, you must enable the platform's withdrawal "whitelist" function and only withdraw assets to safe, whitelisted addresses.
Apart from the two local hijacking and address-substitution attacks mentioned above, the biggest risk facing CEX platform users is phishing, because most people have the app, SMS and Google Authenticator all installed on the same device. That means a hacker only needs to control or monitor one device to very likely obtain all three pieces of information and then manipulate your platform assets.
For security, it is therefore not recommended to run all of your verification factors on one device. You can install Google Authenticator on another, secure phone, or operate the platform account on a PC or in a PC web browser instead of installing the app on your phone. This avoids a single point of failure and maximises asset security.
03 Summary
Security is no small matter. Vernacular Blockchain believes security issues deserve discussion every day and at every moment. In daily operations, perhaps you only need to pay attention to these details for one extra second to raise the odds of keeping your assets safe by 99%. Why not do it?
