Author | Anidel Silvano
Translator | Fire Fire sauce Zebian | Xu Veyron
Produced | block chain base camp (blockchain_camp)
There are rumors that the so-called "SIM swap hacking" incident, a Chinese lost approximately $ 30 million of BCH. This rumor originated on Reddit a now deleted the post, the post said the victim requests the miners to help restore its access to the BCH. Victim says he still has his private key, and will reward those who can help themselves miners.
This exchange from the SIM hacker attacks are nothing new, and in the past there have several SIM hacking victims eventually lost millions of dollars, but this latest, but not the same as before, because the victims clear He says he can still access their private key, which means that he was black in unmanaged wallet.
Figure source: https://www.reddit.com/r/btc/comments/f7lbae/30m_bch_sim_hack/
SIM swap hacker attacks
For a clearer understanding of this event, I will explain what SIM exchange hacker attacks, and how it is executed . Simply put, SIM swap hacker attack is a hacker access to personal circumstances and only for the victim's safety information. They activate your phone number on the device by persuading other mobile service providers to achieve this.
To convince mobile operators seem to approve such changes is not difficult, as long as the hacker can provide information to prove their identity, the customer representatives will be willing to make changes.
This means that information may have been the victim leaked. Before becoming a target, they may have been a victim of phishing or social engineering attacks of.
When victims become the target of highly skilled hackers SIM exchange, they can do very little, because the success of the attack depends on the operator whether to approve the exchange. If a hacker can meet all the requirements, then they can be successful hacking attacks.
Why would a hacker interested in SMS messages?
Now, some people might ask, if the hacker had access to all the information necessary to secure the victim network, then why did they have to go through the trouble of switching SIM cards to attack it? In simple terms, because when a user enables two-factor authentication (2FA), SMS has become a second layer of security in many applications selected. Be presented in the form of one-time passwords (OTPs) is.
Successful SIM switching means second layer of protection has been destroyed, and all applications that use the protection will be destroyed.
In addition, email and social media accounts using SMS as a way to verify the identity of the account at the time of recovery. For example, when a user wants to restore its Gmail accounts, only one SMS OTP authorized to change the password.
Note that e-mail has usually been seen as another 2FA method similar to SMS. This suggests that, to keep your phone line or SMS security how important it is. However, easier said than done, because SMS to a large extent depends on the required due diligence mobile service provider.
SMS 2FA
Although the exchange had taken place before the SIM hacker attacks, but SMS is still one of the main choice for many applications in the digital wallet, banking applications, centralized encryption currency exchange and so on. In fact, SMS 2FA give users a false sense of security, because they are too dependent on a third party to ensure their safety.
In this case, only if the user is the only person authorized to access the time, SMS 2FA is safe. Because SMS 2FA through the operator's network, so always be faced with the risk of internal and external, from the network of the bad guys to use SMS protocol vulnerabilities (eg SIMJacker vulnerability) hackers everywhere at risk.
Protecting our SIM
The only way to protect our SIM is to prevent hackers from the Internet to obtain sensitive information. Therefore, when you are not familiar with the site needs to be KYC or upload personal information, be extra careful. URL links should be double-checked to make sure that you really want to enter or login site.
If you have this option, it is strongly recommended that you activate the anti-phishing features. Also, note that hackers will use a variety of social engineering techniques to obtain sensitive information. Remember, a customer representative basically not take the initiative to contact you, we will not ask for unnecessary information.
Figure source: https: // medium
If any, you might need to enable other authentication methods as an extra precaution. 2FA alternative methods including e-mail, authentication applications (such as Google authenticator or Authy) and hardware keys (such as Yubi key). If a hacker can access your SIM, then the extra layer of security will definitely improve security and prevent attacks.
However, there is another method does not need to deal with 2FA currency assets of encryption protection. In fact, you do not need to enable 2FA, because you have complete control over and access to their assets, without having to rely on any third party. This unmanaged purse or account, users have full control and access their assets in it.
Unmanaged purse or account
Unmanaged wallet allows users to create their own private key (PK) encryption wallet offline tool. Although the tool was created by other developers, but only to generate keys users can access it. The only way other people want to access the private key that is shared by the owner.
In most cases, the user will be PK write a piece of paper and place it in a safe place, such as a vault or safe, in order to ensure the safety of the PK. Some stores it in a dedicated USB key with enhanced security features, whereas others will use hardware wallet.
Unmanaged purse SIM exchange hacker attacks
BCH declared stolen claimed he was the victim of hacker attacks SIM exchange, but they still have to be private black purse. This has led some people to encrypt the community a little puzzled, because it seems to indicate that this person unmanaged purse is stolen by SIM exchange.
If the wallet from the purse centralized exchange or hosting service provider, it makes sense, because most of them are using SMS 2FA to protect their wallet. However, since the victims have access to his private key, we can only conclude: This is indeed an unmanaged purse.
Details of hacker attacks is essentially unknown to the public, after the attackers removed their original post on Reddit, nor any updates. The hacker attack is unique in that infer the victims their money was stolen from unmanaged wallet.
Familiar unmanaged purse works knows that the only way to get these funds is to obtain its private key. Has so much money users almost impossible to use the private key can be accessed via SMS.
We may never be able to determine that this is in the end is how it happened, but we all know: the only way to get a successful hacker unmanaged access wallet purse money is private.
Therefore, we can put this hacker attacks blamed on the wallet owner's misjudgment, because he accidentally stored online can be accessed using SMS or private. The private key is kept off-line using one of the basic rules of unmanaged purse, ignore this rule might have some dire consequences, such as that mentioned above.
Unmanaged purse and trading remains the safest
It had never been involved in any type of unmanaged purse security flaws or vulnerabilities event. If the so-called SIM swap hacking is true, then the hackers may be due to the user's security negligence, because he did not properly protect their private keys, or can be accessed online or via their SIM private key.
Wallet with managed properties never reach the level of security unmanaged purse. I think that only let users of their assets have absolute and complete control in order to achieve the maximum and optimum safety, unmanaged purse is the case.
This security can be extended to all services using unmanaged purse. Including such as this decentralized exchange Newdex (DEXs), these exchange system does not require customers to deposit money into a managed exchange operator held the purse.
(Newdex:https://newdex.io/)
All transactions take place directly in the customer's wallet unmanaged, ensuring optimal safety, as traders execute transactions only at that moment will be lost hosting rights to their digital assets. Use highly scalable block chain of DEXs (such as Newdex used EOS) will execute trades almost immediately.
Although CEX operators in the past done a lot of security improvements, such as making most of the liquidity remain offline and get insurance, but it still does not provide security and DEX par, because the property owner had never surrender its hosting rights.
CEX may have reduced the risk from external threats, but must maintain a user account on the system and keep its platform of digital customer assets, not really make any progress. For various reasons, the customer's assets may still be trapped in CEX, such as technical issues lost wallet cold private key platforms, comply with regulations, or even a bankruptcy issue.
SIM may occur in unmanaged purse in exchange hack it?
Under appropriate conditions, it is possible, but highly unlikely. Unmanaged purse owner to ignore all reminder to keep the private key offline, ignore hackers spy, access irresponsibly in an insecure network (eg SMS) in.
The event may really is just a rumor only, but it also has led to some interesting questions that this way is the possibility of unmanaged black purse.
It all comes down to one thing: security unmanaged purse depends on how asset owners to handle security wallet or account private key. As long as the property owner to follow the recommended safety procedures, they should be able to enjoy unprecedented security, even the most centralized exchanges in the world can not be compared.
The kind of security block chain technology can offer, even the most centralized exchanges are also available.
Original: https: //hackernoon.com/is-a-dollar30-million-bch-sim-swap-hack-possible-in-a-non-custodial-wallet-rzib3y8d
This article CSDN block chain headquarters of translation, reprint please contact micro letter: 1360515146
Recommended Reading
The writing of intelligent design patterns contract Solidity
I went with my colleagues actually stored in clear text password! ! !
GitHub open source project after another blocked provoke outrage, CEO personally apologize!
From abstraction layer, processing layer, the infrastructure to start with and you know Spark Kafka!
We seek in the old iron look! ????
