Mr. M, a white hat, said that mainstream browsers are already able to defend against such Unicode phishing. On the PC, simply upgrading your browser to the latest version will take care of a large portion of the threat; on your phone, installing antivirus software will take care of a lot of the problem as well. If it's an Apple phone, install Tencent Mobile Phone Manager, and the iOS system will call its SDK to block phishing URLs as well.
Hedges checked the Cryptocurrency website and, as of this writing, there are no security alerts on the front page of the site.
How should ordinary users protect themselves against such phishing attacks?
Hedges reminds average users that the following steps can be taken to reduce the security risks of digital coin transactions.
1. Whether on a mobile phone or a PC, you must install antivirus software, and install the full suite: a bare "antivirus" alone cannot solve a problem like phishing. Blackchips recommends Kaspersky's security suite (paid version); for domestic options, you can try Tencent Security Manager or Flint antivirus (both free).
2. The browser must be kept up to date at all times. Unicode phishing has been known for over a year already, and mainstream browsers should have been patched to display look-alike characters distinguishably. However, some rebranded ("shell-swapped") browsers in China update their cores less often than the original browser, and these may have security issues. For example, 360 Browser, Sogou Browser and Cheetah Browser may all have such problems.
Hedges recommends installing Chrome through its online installer. Full offline builds of Chrome downloaded from domestic websites have restricted upgrade capabilities, which may leave them insecure.
3. For ordinary novice users, we recommend using a password manager: the software identifies the URL automatically and will not auto-fill the password on a counterfeit URL. Note, however, that once such a password manager is compromised, all of its passwords can be stolen; it is up to the user to weigh the risk against the convenience.
4. When downloading exchange software on your mobile phone, don't be afraid to take the trouble: make sure to download it from the official website, not from domestic mobile app stores, where the apps may be counterfeit, repackaged ("skinned"), or have other problems.
Multiple large exchanges still have vulnerabilities
On March 10, a security researcher said on Zhihu that, in addition to the theft of user accounts, a flaw in the exchange's risk-control logic was key to the success of the attack.
Internet user "Futako Ride" (literally "the two sons ride in a boat") speculates in the article that the Cryptocurrency exchange has not implemented true OTP (One-Time Password) logic.
Some Cryptocurrency victims have said on foreign websites that they had turned on the highest level of 2FA verification for Cryptocurrency. 2FA means that when you log into your account, in addition to the account name and password being correct, the website also sends a verification SMS to your mobile phone, and only after that code is verified are you allowed to log in; the industry calls this secondary verification.
The logical flaw in Cryptocurrency is that the mobile verification SMS can be used twice during its 30-second validity period: the user first uses it at Cryptocurrency, and then the hacker uses the same SMS code to log in again, and the verification code is still accepted.
A true OTP allows only one login: even within the validity period, as soon as someone has used the code once, it is promptly invalidated, so that a hacker and the user cannot log in from different places at the same time.
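The flaw described above, as an added illustration that is not code from the exchange or from the article: a verifier that checks only the 30-second window, beside one that consumes the code on first successful use. Class and function names are assumptions, and the login timings are constructed.

```python
import hmac
import secrets

OTP_TTL_SECONDS = 30  # validity window the article describes


class WindowOnlyVerifier:
    """Flawed logic: a code is accepted whenever it is inside its 30 s window,
    so a second login with the same code (a replay) also succeeds."""

    def __init__(self):
        self._codes = {}  # user -> (code, issued_at)

    def issue(self, user, now):
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit SMS-style code
        self._codes[user] = (code, now)
        return code

    def verify(self, user, candidate, now):
        entry = self._codes.get(user)
        if entry is None:
            return False
        code, issued_at = entry
        return now - issued_at <= OTP_TTL_SECONDS and hmac.compare_digest(code, candidate)


class SingleUseVerifier(WindowOnlyVerifier):
    """Hardened logic: the code is invalidated on first successful use,
    so a replay inside the window is rejected. A wrong guess does not consume it."""

    def verify(self, user, candidate, now):
        entry = self._codes.get(user)
        if entry is None:
            return False
        code, issued_at = entry
        ok = now - issued_at <= OTP_TTL_SECONDS and hmac.compare_digest(code, candidate)
        if ok:
            del self._codes[user]  # consumed: the same SMS code cannot log in again
        return ok


def replay_demo(verifier_cls):
    """Constructed scenario: the legitimate login at t+2 s, then a second use of
    the same code at t+5 s (still inside the window). Returns (first, second)."""
    v = verifier_cls()
    t0 = 1000.0
    code = v.issue("victim", t0)
    first = v.verify("victim", code, t0 + 2)
    second = v.verify("victim", code, t0 + 5)
    return first, second
```

With the window-only verifier both logins succeed; with the single-use verifier the second attempt fails, which is the behaviour the article says a real OTP must have.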
According to tests by "Futako Ride", well-known exchanges including Firecoin and Bigone still have OTP verification vulnerabilities that can be exploited.