Vitalik新文:后深度伪造时代下如何保证信息安全?
Original title: Ask security questions
Original author: Vitalik
Original compilation: Luccy, BlockBeats
Editors note: On February 4, a financial officer of a multinational company was defrauded of $25 million during a video conference call. The scammer used deepfake technology to impersonate the companys chief financial officer. The employee initially suspected a phishing email after receiving a message purportedly from the companys UK-based chief financial officer because it talked about the need for a secret deal. However, after the video call, the employee put aside his initial misgivings as others in attendance looked and sounded like colleagues he knew, but in reality all were deepfake entertainment products.
In this regard, Vitalik believes that encryption does not solve all problems, pointing out that leveraging the information base that humans are naturally good at remembering, setting security questions is worth incorporating into the workflow in addition to other layers of protection. But he also said that while security issues are useful, they are not yet humane enough. BlockBeats compiles the original text as follows:
Special thanks to Hudson Jameson, OfficerCIA, and samczsun for their feedback and review.
There was one article in the last weekarticleA story is circulating about a company that lost $25 million after a finance staff member was tricked into sending money to a scammer posing as the CFO, seemingly through a very realistic deepfake video call.
Lately, deepfakes—fake audio and video generated by artificial intelligence—have been appearing with increasing frequency in the cryptocurrency space and beyond. Over the past few months, my deepfake videos have been used to peddle various scams and Dogecoin. The quality of deepfakes is improving rapidly, and while the deepfake videos of 2020 were pretty bad, they have become increasingly difficult to distinguish in recent months. People who know me well can still tell that the video of me selling Dogecoin is fake because Im saying lets f***ing go in the video, and I only use LFG to mean looking for group, but People who have only heard my voice a few times may be easily fooled.
I mentioned the $25 million theft mentioned above to security experts, and they all agreed that it was an unusual and embarrassing failure of corporate operational security on multiple levels, and that standard practice is to require more than 100% of the money before approving any transfer of anywhere near that amount. level of signature.But the fact remains that as of 2024, a persons audio or even video streaming is no longer a secure way to confirm their identity.
This begs the question: What is a secure way to authenticate?
Encryption methods alone will not solve the problem
Being able to securely verify peoples identities is important to all kinds of people in all kinds of situations:individuals need to restore theirMulti-signature or social recovery wallet, businesses need approval for business transactions, individuals need approval for large transactions for personal use (e.g. investing in a start-up, buying a house, sending remittances), whether using cryptocurrency or fiat currency, or even family members needing to communicate with each other in an emergency verify. Therefore, we need a good solution that can cope with the coming era of deepfake videos.
In cryptocurrency circles, one answer to this question that I often hear is: You can authenticate yourself by providing a cryptographic signature of your ENS/human proof profile/public PGP key address. The answer is fascinating. However, it completely ignores why it is useful to have other people involved when signing a deal. Lets say you represent an individual user with a personal multi-signature wallet, and you are sending a transaction that requires approval from a number of co-signers. Under what circumstances will they approve it? When they are convinced that you are the one who actually wants to make the transfer. If they determine that the trader is a hacker who has stolen your keys, or a kidnapper, they will not approve the transaction. In an enterprise environment, there are often more layers of defense; but even then, an attacker may be impersonating a manager and not just on the final request, but also earlier in the approval process. They may even hijack legitimate requests in progress by providing incorrect addresses.
Therefore, in many cases,For other signers to accept you signing with your key to confirm you are you defeats the entire purpose: it turns the entire contract into a 1-to-1 multisig that only requires control of your single key. Can steal funds!
This is an answer we came up with that actually makes some sense:Security Question.
Security Question
Suppose someone sends you a text message claiming to be your friend so-and-so. They text from an account youve never seen before, claiming to have lost all their devices. How do you determine if they are a real person?
Theres an obvious answer: ask for things only they would know, which should be related to:
You know
What you expect them to remember
What the Internet doesn’t know
Hard to guess
Ideally, even those who have compromised corporate and government databases would not know about it
Feel free to ask them about shared experiences, such as:
When we last met, at which restaurant did you have dinner and what did you eat?
Which of our friends told a joke about an ancient statesman? Which politician is it?
Didn’t you like that movie we saw recently?
Last week you suggested that I talk to so-and-so to see if they could help with our research on XXX?
A recent practical example of a security question someone used to verify my identity
The more unique your question is, the better. Questions that are right on the edge where people need to think about it for a few seconds and might even forget the answer are best, but if the person youre asking claims to have forgotten, be sure to ask them three more questions. Asking for micro details (what someone likes or dislikes, specific jokes, etc.) is often better than asking for macro details, as the former are usually more difficult for a third party to accidentally dig up, e.g. even if only one person Post a photo of the dinner on Instagram, and a modern LLM might be able to quickly capture it and provide the location in real time. If your question is likely to be guessed, i.e. there are only a few possible reasonable options, then add another question to increase the entropy.
People often stop engaging in security practices if security questions are boring, so make security questions interesting. They can be a way to remember positive shared experiences, and they can be motivation to actually have those experiences.
Security issues added
No single security strategy is perfect, so its always best to combine multiple techniques together.
Pre-agreed password: When you are together, intentionally agree on a common password so that you can use it to authenticate each other in the future.
You might even agree on a panic button: a word you can accidentally insert into a sentence to suggest to the other person that you are being coerced or threatened. The word should be common enough that it feels natural when you use it, but rare enough that you dont accidentally insert it into your speech.
When someone sends you an ETH address, ask them to confirm it on multiple channels (such as private messages on Signal and Twitter, on the company website, or even through mutual acquaintances).
Prevent man-in-the-middle attacks: Signal’s “safe numbers”, Telegram’s emojis and similar features are worthy of understanding and vigilance.
Daily Limits and Delays: Simply impose delays on highly critical and irreversible operations. This can be done at a policy level (pre-agreeing with signers that they wait N hours or days before signing), or at a code level (imposing restrictions and delays in the smart contract code).
A potentially advanced attack is for an attacker to impersonate executives and grantees at multiple steps in the approval process. Both security issues and delays can protect against this, and its best to use both.
Security questions are useful because, unlike many other technologies, they fail not because they are unfriendly, but because they are not user-friendly enough. Security issues are based on information that humans are naturally good at remembering. Ive been using security questions for years, and its actually a very natural and non-awkward habit thats worth incorporating into your workflow in addition to other layers of protection.
Please note that the person-to-person security issues described above are very different use cases than the business-to-person security issues, such as making phone calls after deactivating your credit card multiple times because you have traveled to another country. Go to the bank to reactivate your credit card, then wait in line for 40 minutes with music, and a bank employee shows up and asks for your name, birthday, and maybe your last three transactions. The kinds of questions to which individuals know the answers are very different from the kinds of questions to which businesses know the answers. Therefore, it is worth considering these two cases separately.
Everyones situation is unique, so the kinds of unique information you share with the person whose identity you need to verify will vary. Its often better to adapt technology to peoples circumstances rather than adapting people to technology. A technique doesnt need to be perfect to work, the ideal approach is to combine several techniques at the same time and choose the one that works best for you. In the post-deepfake era, we do need to adjust our strategies to adapt to the new reality of what is now easy to fake and what is still hard to fake, but as long as we do that, staying safe is still entirely possible of.
