Security Team: At the 2015 BlackHat conference, global hackers unanimously agreed that facial recognition technology is the most unreliable method of identity authentication. Nearly a decade later, with the advancement of AI technology, we now have nearly perfect “magic” to replace human faces. Indeed, conventional visual facial recognition can no longer provide secure protection. Therefore, it is more important for identification parties to upgrade algorithmic technology to identify and prevent deepfake content.
Regarding the risks of AI face-swapping, aside from protecting their own biometric data privacy, users have limited options. Here are some small suggestions:
1) Use facial recognition applications with caution
When choosing to use facial recognition applications, users should select those with good security records and privacy policies. Avoid using applications of unknown origin or questionable security, and regularly update software to ensure the latest security patches are in use. Previously, many domestic microloan company apps violated regulations by selling user facial data and leaking user facial data.
2) Understand Multi-Factor Authentication (MFA)
Single biometric authentication poses significant risks, so combining multiple authentication methods can significantly enhance security. Multi-Factor Authentication (MFA) combines various verification methods, such as fingerprints, iris scans, voice recognition, and even DNA data. For identification parties, this combination of authentication methods can provide an additional security layer when one authentication method is compromised. For users, protecting their privacy data in this regard is equally important.
3) Maintain skepticism to prevent fraud
Clearly, with faces and voices being easily imitated by AI, impersonating someone over the network has become much simpler. Users should be particularly vigilant about requests involving sensitive information or fund transfers, implement two-factor authentication, confirm the other party’s identity through phone or face-to-face verification, stay vigilant, not easily believe urgent requests, and identify common fraud methods such as impersonating executives, acquaintances, customer service, etc. Nowadays, there are also many celebrity impersonations, so be careful with “fake endorsements” when participating in some projects.
OKX Web3 Wallet Security Team: Generally speaking, emerging virtual technologies bring new risks, and these new risks actually lead to new research on defense methods, which in turn leads to new risk control products.
I. AI Deepfake Risk
In the field of AI face-swapping, many AI deepfake detection products have emerged. The industry has proposed several methods to automatically detect fake videos, focusing on unique elements (fingerprints) generated by using deepfake in digital content. Users can also identify AI face-swapping through careful observation of facial features, edge processing, audio-visual asynchrony, and more. Additionally, Microsoft has introduced a series of tools to educate users on identifying deepfake. Users can learn and enhance their personal identification skills.
II. Data and Privacy Risks
The application of large models in various fields has also brought risks to user data and privacy. When using conversational AI, users should pay attention to the protection of personal privacy information and avoid direct input of key information such as private keys, keys, passwords, etc. Users should hide their key information through alternatives, obfuscation, and other methods. For developers, Github provides a series of friendly checks. If there are OpenAI apikeys or other risky privacy leaks in the submitted code, the corresponding push will report an error.
III. Risk of Content Generation Abuse
In the daily work of users, they may encounter many results generated by large models. Although these contents are effective, the abuse of content generation has also brought false information and copyright issues. There are now some products for detecting whether text content is generated by a large model, which can reduce some corresponding risks. Furthermore, developers should pay attention to the correctness and security of the generated code function when using large model code generation. For sensitive or open-source code, a thorough review and audit must be carried out.
IV. Daily Attention and Learning
When users browse short videos, long videos, and various articles in their daily lives, they should consciously judge and identify potential AI fakes or AI-generated content. Recognize common signs such as male voiceovers, female voiceovers, reading errors, and common face-swapping videos, and consciously judge and identify these risks in critical situations.
Q6: From a professional perspective, share some physical device security recommendations
OneKey Security Team: Based on the various risks mentioned earlier, we summarize the protective measures as follows.
1. Guard against the invasion risk of IoT devices
In our daily lives, IoT devices are ubiquitous, but they also bring potential invasion risks. To protect our high-risk data (such as private keys, passwords, MFA backup codes), we should use strong encryption methods and choose isolated network storage solutions to avoid storing this sensitive information directly in plaintext on devices. Additionally, we need to remain vigilant against phishing and trojan attacks. Consider using dedicated devices for encrypted asset operations and other common purposes to reduce the risk of attacks. For example, we can separate our daily laptops from hardware wallets used to manage encrypted assets so that even if one device is compromised, the other device remains secure.
2. Maintain physical monitoring and protection
To further safeguard our high-risk devices (such as hardware wallets), strict physical monitoring and protection measures should be taken. These devices at home should be stored in high-security safes and equipped with comprehensive smart security systems, including video surveillance and automatic alarm functions. When traveling, choosing hotels with secure storage facilities is crucial. Many high-end hotels offer dedicated security storage services, providing an additional layer of protection for our devices. Additionally, consider carrying a portable safe to ensure the security of our essential devices in any situation.
3. Reduce exposure risks and prevent single points of failure
Diversifying the storage of devices and assets is a key strategy for reducing risks. We should not store all high-permission devices and encrypted assets in one place or one wallet but instead consider storing them in secure locations in different geographic areas. For example, we can store some devices and assets at home, in the office, and with trusted friends or relatives. Additionally, using multiple hot wallets and hardware cold wallets is an effective method, with each wallet storing a portion of the assets to reduce the risk of single points of failure. To increase security, we can also use multi-signature wallets, which require multiple authorized signatures to conduct transactions, significantly enhancing the security of our assets.
4. Prepare emergency measures for worst-case scenarios
When facing potential security threats, having contingency plans for worst-case scenarios is crucial. For high-net-worth individuals, maintaining a low profile is an effective strategy to avoid becoming a target. We should avoid flaunting our encrypted assets in public and keep our property information discreet. Additionally, developing emergency plans for lost or stolen devices is necessary. We can set up decoy encrypted wallets to temporarily deal with potential robbers while ensuring that the data of important devices can be remotely locked or erased (with backups). When traveling in high-risk areas, hiring a private security team can provide additional security, using special VIP security channels and high-security hotels to ensure our safety and privacy.
OKX Web3 Wallet Security Team: We introduce security recommendations from two perspectives, OKX Web3 APP level and user level.
1. OKX Web3 APP level
The OKX Web3 wallet employs various methods to strengthen the app, including but not limited to algorithm obfuscation, logic obfuscation, code integrity checks, system library integrity checks, application anti-tampering, and environment security checks. These measures significantly reduce the probability of users being hacked when using the app and also minimize the likelihood of black-market entities repackaging our app. Furthermore, in terms of Web3 wallet data security, we use cutting-edge hardware security technology to encrypt sensitive data in the wallet, binding the encrypted data to the device chip, making it impossible for anyone to decrypt the stolen encrypted data.
2. User level
For users involving physical devices such as hardware wallets, common computers, and mobile devices, we suggest enhancing security awareness in the following ways:
Hardware wallet: Use hardware wallets from reputable brands, purchase from official channels, and generate and store private keys in an isolated environment. The medium for storing private keys should be fireproof, waterproof, and theft-proof. It is recommended to use a fireproof and waterproof safe to store private keys or seed phrases in different secure locations to enhance security.
Electronic devices: For mobile phones and computers where software wallets are installed, choose brands with good security and privacy protection (such as Apple). Reduce the installation of unnecessary applications and maintain a clean system environment. Use Apple’s ID management system for multi-device backups to avoid single device failures.
Daily use: Avoid sensitive wallet device operations in public places to prevent camera recording leaks; regularly use reliable antivirus software to scan the device environment; regularly check the reliability of the physical device storage location.
Finally, thank you for reading the 4th issue of the OKX Web3 Wallet “Security Special”. Currently, we are working diligently on the content for the 5th issue, which will include real cases, risk identification, and security operation tips. Stay tuned!
This article is for reference only and does not intend to provide (i) investment advice or recommendations; (ii) solicitations to buy, sell, or hold digital assets; or (iii) financial, accounting, legal, or tax advice. Holding digital assets (including stablecoins and NFTs) involves high risks and may experience significant fluctuations or even become worthless. You should carefully consider whether trading or holding digital assets is suitable for your financial situation. Please responsibly understand and comply with relevant local laws and regulations.
The content provided in this article is official and does not represent the position of this site or investment advice. Readers must conduct prudent evaluations on their own.