Beosin Founder AMA on 8btc: Tips on Keeping our Crypto Assets Safe
A crypto whale has fallen victim to SIM hijacking, which allowed an attacker to access the user's bitcoin deposits and steal cryptocurrencies (BTC and BCH) worth around $45 million. According to a Reddit post from February 22nd, which has since been deleted, an investor who appears to be Josh Jones, the founder of Bitcoin Builder and one of Mt. Gox's largest creditors, became the victim of an alleged SIM-swap attack.
In what could turn out to be one of the most serious SIM-card hacks in history, crypto investors are asking how to store crypto assets safely. What security factors should be taken into consideration when choosing a hardware wallet? Are centralized crypto exchanges still reliable? What can individual investors learn from this?
To address these questions, Chainnode (formerly 8btc Forum), the earliest and largest bitcoin community in China, invited Yang Xia, CEO of Beosin, one of China's top blockchain security companies, to hold an online AMA (Ask Me Anything) with the Chinese crypto community on February 28 to answer questions about the secure storage of crypto assets.
Yang Xia, the founder and CEO of Beosin, is described as the first expert in the world to apply formal verification to blockchains. He has been engaged in security technology research, including formal verification, core security, mobile device security and TEEs, for 18 years.
About SIM attacks
Q1: Is this kind of SIM attack feasible in mainland China? Will crypto exchanges be affected by SIM attacks or similar attacks?
Yang: If a hacker wants to attack a SIM in mainland China, he must clone all the information of the target onto a SIM card he controls.
Take China Mobile, China's largest mobile communication operator, for example: its SIM card is the customer's identification module, on which the customer information is stored, and a 128-bit key is stored in the card to ensure security. At the same time, the mobile communication network is independent of the Internet. Therefore, it is technically impossible to copy a SIM card remotely. If the attacker wants to go to a business hall to change your SIM card with a forged identity, he would first need to change the operator's user records to his false information before he could succeed. On the whole, in mainland China, the possibility of a SIM attack is very low.
Generally speaking, a crypto exchange faces a higher risk of attack than ordinary users, because it has more entry points than an ordinary user. Therefore, a complete set of security protection measures is needed.
Q2: How can the attacker get the SMS verification code? Is the mobile phone hacked?
Yang: If the hacker can get the verification code, either the mobile phone has been implanted with a Trojan, or the SIM card has been cloned by some special technical means.
Q3: Why are centralized services like Alipay and WeChat rarely attacked through the SIM, while centralized crypto wallets are? Does the SIM attack mean that there is no security in cloud-based wallets?
Yang: At present, WeChat and Alipay payments are not authorized by mobile phone verification code, but by biometrics and payment passwords. Why blockchain wallets are attacked is an unanswerable question, as it is all for profit.
The security of a cloud-based wallet is the most basic and important condition for a wallet service provider to attract users. It is believed that such service providers will upgrade their protection as hackers' attack methods advance. Users must think twice before choosing this kind of wallet.
Suggestions for ordinary users
Q4: For ordinary users, do you have any suggestions on keeping funds secure in daily operations?
Yang: I suggest that users maintain a high degree of security awareness about the protection of personal information when using cryptocurrency. The simplest method is 'environment segmentation': setting up a separate set of systems, including mobile phone and mailbox, for fund transfers or transactions, so that daily life and trading are kept apart. The mobile phone used to operate on a crypto exchange should be clean, with no unnecessary applications installed, and should not be used for communication, chat, entertainment or other activities unrelated to trading.
Q5: How should ordinary users (mainly users whose crypto assets are not on the three major exchanges) handle the security of their own crypto assets?
Yang: For users who do not choose to store their assets on a large exchange, the protection of the private key and personal information is the top priority. The simplest method is again environment segmentation, keeping daily life and trading separate. For storing the private key and mnemonic words, the old but effective method of writing them down on paper is recommended, avoiding screenshots and other forms of network transmission.
Q6: What do you think of the opinion that it is not reliable to store crypto assets in any third-party medium and that a 'brain wallet' is the most reliable?
Yang: A brain wallet or mnemonic words are of course easier to remember than a raw private key, but I recommend adding some more secure auxiliary means of memory to avoid unnecessary loss, because the money lost through forgetting a private key may be far greater than the money lost through attacks.
About the FCoin shutdown
Q7: How can ordinary users avoid being hit by a crypto exchange shutdown?
Yang: Users should pay attention to the following dimensions of an exchange: first, the capital scale of the exchange, the scale of its user base, the security incidents in the exchange's operating history and how they were handled, the compliance of the projects listed on the exchange, and its means of publicity. For example, if the exchange focuses on promoting high margins on mortgaged capital, then as ordinary users we should be vigilant and judicious. In order to select an exchange that can be trusted and used in the long term, we need to consider the exchange's technical model and financial model comprehensively.
Q8: Apart from putting assets on the three major exchanges, what other measures should be taken? After all, there are also many high-quality projects on other platforms.
Yang: Whether security technology is used sensibly determines an exchange's resistance to external attack, and a reasonable and sustainable economic model determines whether the exchange can maintain a long-term, safe and stable capital flow. For ordinary users, the best choice is to divide the investment into two parts: trading capital and holding capital. Trading capital can be understood as the more liquid portion, which needs to be used frequently for trading; holding capital is the low-liquidity portion, which can be a cryptocurrency the user is bullish on in the long term, or a stablecoin. In this way, a reasonable division of capital can meet the requirements of convenience and security at the same time.
Suggestions for choosing a crypto wallet
Q9: How should one choose between a hot wallet and a cold wallet to avoid property loss as much as possible?
Yang: Hot wallets and cold wallets each have their own advantages and disadvantages. It is recommended to keep frequently traded assets in a hot wallet. When we make profits, we can move the income into a cold wallet for long-term storage, to avoid accumulating too much capital in the hot wallet. It is recommended to discard a cold wallet that has been connected to the network, after transferring out all of its assets at once, rather than reusing it.