Welcome and thank you for being part of the MyZucoins community! Dive into some important crypto, finance and tech news to stay ahead.
PIN Codes with the Zucoin Wallet App?
Hello, Zucoin enthusiasts! Today, we want to shed light on a question regarding the absence of a PIN code in the Zucoin Wallet. Some users have asked about this design choice, so let’s dive in.
In an earlier version of the Zucoins wallet app, a PIN code was required to open the app. However, many users oddly expressed annoyance at having to remember this extra code, and some even forgot it, locking themselves out of their coins.
It follows the old seesaw saying: Security is a delicate balance between convenience and safety.
What’s more, an app can be incredibly secure while it’s not in use (“encrypted at rest”). However, while you’re using a banking app or an email app, the app is open and the data is decrypted (if it was ever encrypted; most apps do not encrypt your data), and at that moment all of that security is mostly pointless. The person who just sprinted past and stole your phone can run away and quickly perform some damaging action before you have time to react. Being vigilant and aware of your surroundings is key, and careful security practices in public spaces are perhaps even more important.
Some of the most important apps on your phone don’t have PIN code protection on them. Email and messaging apps rarely have PIN codes. This means would-be attackers can easily use an unlocked device to completely overturn your personal and professional lives. Those who work in the IT world witness many of these cases first-hand with their clients.
There is no shortage of stories of hackers who, once they have gained access to an email account, for example, quietly watch your email activity, learning who you contact and how you write, then mimic that style to subtly slip in fake invoices, in some cases well into the 5-6 figures. Or they could reset access to many of your online accounts where your credit cards are linked and go on a spending spree. These are just two very, very common examples.
How many people have PIN codes turned on for their email apps? From experience, hardly anybody. Many popular email apps don’t even support this feature.
Let’s get back to the “seesaw” adage. One way to solve this would be to decrypt data only for each button press or interaction on the app’s screen. But to decrypt the data, you’d need to constantly ask the user to enter a PIN: for every single button press or screen change, repeat the process. Obviously, this is impractical and would frustrate the user, which is why no apps do this (though it would be a cool experiment, perhaps an “extreme safety mode”).
As a general rule of thumb, iPhones tend to be the most secure smartphone devices out there at the moment, but even so, they can be subject to some very, very sophisticated attacks if you happen to become a target. Organizations like Israel’s NSO Group specialize in this kind of tooling, designed to infiltrate the devices of selected individuals. Apple has even gone to the effort of adding an extra “Lockdown Mode” for those who want the option to further harden their device, at the expense of some useful features. (The seesaw trade-off appears here again.)
As always, keeping your device up to date with the latest vendor updates will not only give you new features but also help to patch vulnerabilities on your devices.
The Zucoins team has been considering re-implementing PIN codes in a smoother way, using modern encryption passkeys, which should be a better experience for users. However, there is no publicly announced timeline for this, as the team has a lot on its plate already.
Some easy tips are the same as those given in enterprise IT staff training:
- Keep your devices up to date. Each device manufacturer lists the support cycle. An iPhone will typically get around 5 years of official updates from Apple. Most Android devices (Samsung, LG, Sony, Huawei, Oppo, Google Pixel, etc.) tend to get only 2 years of updates, though the situation is improving.
- Lock your phone immediately after you’ve finished using it. Many modern smartphones, including those from Apple, Samsung and Google, have special, dedicated TPU (Trusted Processing Unit) chips inside them. These are used for secure processing, such as unlocking encrypted data. Locking the phone is one of the best and easiest protections in public spaces.
- Try to avoid entering your PIN code in public spaces. There could be security cameras or people around you watching your screen. If you must, e.g. to unlock your phone, try to shield the screen as you enter your PIN.
- Enable fingerprint/Touch ID or Face ID (on iPhones) unlock methods instead of PIN codes in public spaces. This avoids revealing any unlocking PIN codes in public. The only mainstream face-unlocking method that has been thoroughly scrutinized is found in modern iPhones: Face ID, which takes a 3D infrared depth scan of your face. Many other phones that offer face unlock just use a 2D image, which can be easily defeated with a printout of your face. On those phones, a good fingerprint sensor is usually integrated and preferred. Side note: be cautious if you’re travelling, as some governments can force you to unlock your phone with your fingerprint or face, but cannot force you to reveal a PIN code.
- Back up your important data and store it using encryption. This is a huge topic, with lots of solutions depending on your unique preferences and situation, so we won’t cover it here. There are tons of guides on this online, so we’d recommend searching around for those.
- Remote lockouts. Apple and some Google Android devices can be remotely shut down or locked from another computer that is signed into your Apple or Google account. However, this is not a foolproof method, as it often requires an internet connection, enough battery, or similar nearby devices (forming a “mesh” network for detection). Also, the attacker could quickly move funds before you get a chance to do this.
- Encrypt your device. Many devices now allow you to encrypt the internal storage. This is another easy way to improve the security of your data when it’s not in use, such as when your computer is turned off or your phone is locked.
There are many, many more angles to cover when it comes to digital security, but the above are easy first steps to cross off the basics.
This is a huge topic, but the following points are also worth noting:
Embracing User Autonomy and Security: Some users have requested incorporating a “managed” PIN code system in the Zucoin Wallet, with a centralized recovery or reset mechanism, but this would go against the decentralized and self-managed nature of the network. Naturally, in time, third-party organizations could offer this as a service.
Encouraging Personal Responsibility and Best Practices: Decentralized systems encourage personal responsibility, especially when it comes to asset protection. We emphasize the importance of users securely storing their wallet backups in private and safe locations. This approach empowers users to control their security and adhere to best practices in safeguarding their Zucoin holdings.
Mitigating Risks Through Diversification: As with any digital asset, it is advisable not to store significant Zucoins in a single wallet, particularly one accessed frequently on a smartphone. Instead, adopting a diversified strategy by keeping smaller transactional amounts on the Zucoin Wallet while securely storing the majority of funds offline reduces the risk of substantial losses and enhances overall security.
Take the Wallet Offline: Similar to the previous point, it’s also worth noting that if you prefer, you can back up your Zucoins wallet, which saves it to a simple backup file. You can keep this file in a safe place (ideally with multiple backups that are all safely stored and protected), then remove the wallet from your device, only loading the wallet file back into the device’s app as needed. In the crypto industry, this is called “cold storage”.
In an interview, KuCoin CEO Johnny Lyu expressed his view that privacy is not the most important feature of Bitcoin. Instead, he believes that Bitcoin’s core benefit lies in its function as a unit of exchange, providing a hedge against recessions. Lyu pointed out that Bitcoin emerged after the 2008 financial crisis, which was triggered by the US subprime mortgage crisis. He stated that the creation of Bitcoin was a response to these events. One major upside of blockchain is the transparency it provides.
Regarding mandatory Know Your Customer (KYC) checks being implemented by KuCoin, Lyu explained that strict KYC practices are crucial for user security and asset protection. He emphasized that KYC measures help ensure ownership of funds and enable the tracking of assets in case of theft. Compliance becomes necessary as the cryptocurrency industry increasingly interacts with the physical world. You’ll have undoubtedly noticed that banks around the world have been increasingly communicating and cross-checking customer details with other banks in recent years.
While the introduction of mandatory KYC checks may affect KuCoin’s trading volumes in the short term, Lyu remains optimistic about the long-term impact. He believes that stricter regulations will attract more compliant funds and users, enhancing security and fostering a better environment for everyone. KuCoin currently boasts 27 million users, representing a 35% increase from a year ago. Following the announcement of the KYC upgrade, the platform’s trading volumes saw a notable increase.
Overall, the CEO’s perspective highlights the evolving nature of the cryptocurrency industry, where the focus shifts from privacy to compliance and security measures to ensure a more robust ecosystem. Read more here.
As the Zucoins team has experienced first hand, passing KYC compliance and understanding expectations from regulators can be extremely tricky when the ground in this new crypto industry is still moving. The Zucoins team has so far navigated the landscape to become what appears to be the first cryptocurrency to close an audit from Australia’s government organizations ASIC (for securities) and Austrac (for anti-money laundering and anti-terrorism funding). The book isn’t closed, but each milestone the team completes puts this huge decentralized Web3 infrastructure project closer to its goals.
If you liked this newsletter, please forward it to someone who might like it too.
What did you think of this newsletter? Reply to send us feedback on what you liked or want to see featured more. There’s more coming, so stay tuned.
All the best,
Rob & Peter