
Is NFT wallet safe?
Dec 30, 2022
Shared by the editors of World Chain Finance and Economics. Asset security has always been a common topic in the crypto industry. However, according to the observation of the vernacular blockchain, although we often publish security education content, people don't really pay much attention to security issues, because the general mentality is: this is purely a matter of probability and it will not happen to me. Many people assume that their turn coming is less likely than winning the lottery. The following content addresses the question.
1、 Is the official channel necessarily safe?
In fact, as crypto assets have gone mainstream, security incidents involving individual users' assets have become frequent. These incidents happen all around us, to large and small investors alike, and are no longer low-probability events. So, starting from the most common recent security incidents involving individual users' assets, let's take a look at the security issues that closely concern us. First, how do you make sure that the platform and wallet app you use are secure?
Most people think that a platform or wallet app is safe as long as it comes from an "official channel", and that official channels are easy to identify. In fact, not necessarily. The official team may not even have considered registering its trademark, in which case the brand's trademark is registered by someone else, who can then purchase brand protection services on some search engines. With an "official brand" certification label on the search results, or with purchased promotion services, their listing always appears at the top, which is very confusing; such cases occurred in the previous two years. Even now, when you search for "xxx wallet official website" in some mainstream search engines, the results on the first few pages are likely to be fake. These sites look more official than the official website, and such "official websites" have trapped a lot of people, because for hackers the cost is very low. It is one of the methods with a high success rate.
2、 What if you know the official website address?
Many people believe that downloading an app must be safe as long as they enter the correct official domain name. However, accidents can still happen. Take the BitKeep wallet security incident. BitKeep announced that, after the team's preliminary investigation, it suspected that some APK package downloads had been hijacked by hackers and that packages with code implanted by the hackers had been installed. In short, the APK that some users downloaded had been "hijacked" by hackers during packaging, and what they downloaded was a "wallet" specially modified by the hackers. Let's provisionally count it among the unofficial "fake wallets".
1. Tampering with the local hosts file
After malware is installed on the local PC, either by tricking the user or through a vulnerability, it can point a chosen domain name directly at an unofficial server IP (such as an "official" page prepared by the hacker) by modifying the local hosts file. That is, even when you open the browser and enter the exact domain name, you visit the website provided by the hacker and download the fake app.
2. Tampering with the page directly in the local browser or app
When you open a platform's website or a wallet page, the content displayed on that page can be modified directly by a browser plug-in. For example, the app download link behind the download button can be replaced with an address prepared by the hacker. Likewise, the asset deposit address can be replaced with the hacker's, and the wallet address or private key in the clipboard can be read and modified. Don't assume that browser plug-ins lack the right to modify web pages, because almost all browser plug-ins have such rights. If you look carefully, you will find that even our commonly used Fox Wallet has such permissions. Not long ago, a fake app imitating a leading CEX was downloaded, which resulted in the deposit address being replaced and assets being lost.
3. Remote DNS hijacking, modified domain name resolution records, or the app vendor being hacked
This kind of problem lies with remote Internet service providers. It rarely occurs, and the cost and difficulty are high. However, similar "poisoning" methods do exist that make the domain name you visit resolve to the hacker's address. In addition, if the vendor's account at its own domain name service provider is stolen and the domain's resolution records are modified, entering the official website address may take you to the hacker's website instead. If the app vendor itself is hacked, there is nothing more to say. These are situations beyond our control.
Security is not a trivial matter. The vernacular blockchain believes that security issues are worth talking about every day. As is often said, in day-to-day operation it may take only one more second to pay attention to these details, which can improve asset security by 99%.
Summary
To sum up, for safety reasons, it is not recommended to use a single device for multiple verifications at the same time. Google Authenticator can be installed on another secure mobile phone. Alternatively, do not install the platform's app on the mobile phone, and operate the platform account from the PC client or the PC web side instead. This prevents a single point of "explosion" and maximizes the protection of asset security.