image_pdfimage_print

Remote activation of phones by the police: an analysis of its technical, legal and social aspects

Remote activation of phones by the police

Remote activation of phones by the police by Jacques Gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.

How does remote activation of phones by the police work?

An article of the bill on justice 2023-2027 raises controversy. It allows remote activation of mobile phones and capture of images or sound without the owner’s consent, for cases of organized crime or terrorism. How does this intelligence technique work? What are the conditions to use it? What are its advantages and disadvantages? What is the situation in other countries? We explain everything in this article.

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

Discover our other articles on digital security

What is the new bill on justice and why is it raising concerns about privacy?

The bill on justice is a legislative project. It aims to modernize and simplify justice in France. It covers civil, criminal, administrative and digital justice. It also strengthens the investigation and prosecution of serious offenses, such as terrorism and organized crime.

One measure authorizes remote activation of phones by the police for some investigations. Article 3 “An unfailing commitment to better prevent radicalization and fight against terrorism” of the bill includes this measure. It modifies article 706-102-1 of the code of criminal procedure. This article defines how to activate remotely any electronic device that can emit, transmit, receive or store data.

This measure raises privacy concerns because it lets the police access personal or professional data in phones without the owners’ or possessors’ consent or knowledge. It also lets the police locate, record or capture sounds and images from phones without notification or justification. This measure may violate fundamental rights and freedoms, such as privacy, confidentiality, dignity, presumption of innocence and right to a fair trial.

What is remote activation of phones and how does it work?

Remote activation of phones by the police is an intelligence technique that allows law enforcement agencies to access data or record sounds and images from phones without the consent or knowledge of the phone users. This technique can be used for criminal investigations or national security purposes.

To remotely activate phones, law enforcement agencies need three factors: compatibility, connectivity, and security of the phones. They need to be compatible with the software or hardware that enables remote activation. They need to be connected to a network or a device that allows remote access. They need to have security flaws or vulnerabilities that can be exploited or bypassed.

Law enforcement agencies can remotely activate phones by three methods: exploiting vulnerabilities, installing malware, or using spyware on phones. Exploiting vulnerabilities means taking advantage of security flaws or weaknesses in the phone’s operating system, applications, or protocols. Installing malware means putting malicious software on the phone that can perform unauthorized actions or functions. Using spyware means employing software or hardware that can monitor or control the phone’s activity or data.

By remotely activating phones, law enforcement agencies can access data such as contacts, messages, photos, videos, location, browsing history, or passwords. They can also record sounds and images such as conversations, ambient noises, or camera shots. They can do this in real time or later by retrieving the data from the phone’s memory or storage.

What is the French bill on remote activation of phones by the police and what are its implications?

The French bill on remote activation of phones by the police is a legislative text that was promulgated on 25 May 2021. It is part of the justice orientation and programming bill for 2023-2027, which aims to modernize the justice system and reinforce its efficiency and independence.

The bill introduces a new article in the code of criminal procedure, which allows the judge of liberties and detention (at the request of the prosecutor) or the examining magistrate to order the remote activation of an electronic device without the knowledge or consent of its owner or possessor for the sole purpose of locating it in real time. This measure can be applied for crimes or misdemeanors punishable by at least five years’ imprisonment, a fairly broad criterion.

The bill also allows the judge of liberties and detention (at the request of the prosecutor) or the examining magistrate to order the remote activation of an electronic device without the knowledge or consent of its owner or possessor for the purpose of recording sounds and images from it. This measure can be applied only for crimes relating to organized crime and terrorism.

These measures cannot concern parliamentarians, journalists, lawyers, magistrates and doctors, nor the defendants when they are in the judge’s office or with their lawyer.

The bill also specifies that the remote activation of an electronic device must be done in a way that does not alter its functioning or data, and that the data collected must be destroyed within six months after their use.

The bill aims to provide law enforcement agencies with more tools and information to prevent, investigate and prosecute crimes, especially in cases where phones are encrypted, hidden or destroyed. It also aims to harmonize the French legislation with other countries that have used or considered this technique, such as the United States, Germany, Italy, Israel, Canada, China, France, and the United Kingdom.

However, the bill also raises ethical and social challenges, as it involves a trade-off between security and privacy, as well as between effectiveness and legitimacy. It may undermine the right to respect for private life and the right to a fair trial, which are guaranteed by the European Convention on Human Rights and the French Constitution. It may also expose law enforcement agencies to legal or technical challenges or dangers, such as encryption technologies that can prevent or hinder remote activation. It may also create distrust or resistance among phone users or providers, who may use encryption technologies or legal remedies to protect their data or communications.

The bill has been criticized by several actors, such as lawyers, human rights defenders, digital rights activists, journalists and academics. They have denounced its lack of proportionality, necessity and oversight. They have also questioned its effectiveness and legitimacy. They have called for its withdrawal or amendment.

The bill is still subject to constitutional review by the Constitutional Council before its final promulgation.

How did the Senate vote on the bill and where to find the official sources?

The Senate adopted this measure on October 20, 2021, with some amendments. The Senate voted in favor of this measure by 214 votes against 121. The Senate also added some safeguards to this measure, such as limiting its duration to four months renewable once and requiring prior authorization from an independent judge.

The National Assembly still has to examine the bill before adopting it definitively. The National Assembly may approve, reject or modify this measure. The final text may differ from the one that the Senate voted.

The examination of the bill by the National Assembly will start on December 6, 2021. You can follow the progress of the bill on the website of the National Assembly. You can also find the official text of the bill and the report of the Senate on their respective websites. You can also consult the website of the Ministry of Justice for more information on the bill and its objectives.

What are the benefits and risks of remote activation of phones?

This technique can affect citizens’ and suspects’ behavior in different ways.

On one hand, it can deter people from serious offenses. It exposes them to a higher risk of detection and identification. It reduces their incentives for criminal activities.

On the other hand, it can also make people more cautious or paranoid. It increases their uncertainty and fear. It leads them to avoid electronic devices, encrypt their communications, or use countermeasures such as jamming devices.

This technique can also impact public safety and security positively and negatively.

On one hand, it can improve the efficiency and effectiveness of law enforcement agencies. It provides them with more information and evidence. It helps them prevent, investigate and prosecute crimes.

On the other hand, it can also pose risks for human rights and civil liberties. It allows intrusive and covert surveillance. It violates privacy, confidentiality and dignity. It can also be subject to abuse, misuse or error by law enforcement agents or hackers.

Finally, it can create a feeling of insecurity and mistrust towards institutions, which can access personal or professional data in phones. It can also harm respect for presumption of innocence by placing permanent suspicion on people targeted by this technique. It can also infringe on protection of journalistic sources or right to information by discouraging whistleblowers or witnesses from speaking freely. It can finally encourage people concerned to adopt avoidance or circumvention strategies, such as changing phones regularly, using encrypted applications or switching to airplane mode.

These strategies can reduce the actual effectiveness of this technique for preventing terrorism and organized crime.

What are the arguments in favor of remote activation of phones?

Some people support this technique because they think it has several advantages for law enforcement and public security.

How can remote activation of phones violate privacy and data protection?

One of the main arguments against this technique is that it can violate privacy and data protection for individuals and groups. Privacy and data protection are fundamental rights recognized by international standards and laws. They ensure human dignity and autonomy.

Remote activation of phones violates privacy and data protection by letting law enforcement agencies access personal or professional data without the owners’ or possessors’ consent or knowledge. It also lets law enforcement agencies access sensitive or confidential data without notification or justification. It also lets law enforcement agencies access excessive or irrelevant data without limitation or proportionality.

For example, remote activation of phones could let the police access medical records, financial transactions, political opinions, religious beliefs, sexual preferences, or other intimate information on a device or a communication. It could also let the police access information that is not related to the investigation or that is out of scope on a device or a communication. It could also let the police access information that is not necessary or appropriate for the investigation or that is disproportionate to the seriousness of the offense on a device or a communication.

How can remote activation of phones improve access to justice and evidence?

Another argument in favor of this technique is that it can improve access to justice and evidence for law enforcement agencies and victims of crimes. Justice and evidence ensure the rule of law and the protection of rights.

Remote activation of phones improves access to justice and evidence by letting law enforcement agencies obtain information that is otherwise inaccessible or difficult to obtain. It also lets law enforcement agencies obtain information that is more reliable and accurate than other sources. It also lets law enforcement agencies obtain information that is timelier and more relevant than other sources.

For example, remote activation of phones could help the police access data that is encrypted or password-protected on a device or a communication. It could also help the police access data that is authentic and verifiable on a device or a communication. It could also help the police access data that is up-to-date and pertinent on a device or a communication.

What are the arguments against remote activation of phones?

Some people oppose this technique because they think it has several disadvantages for human rights and civil liberties.

How can remote activation of phones violate privacy and data protection?

One of the main arguments against this technique is that it can violate privacy and data protection for individuals and groups. Privacy and data protection are fundamental rights recognized by international standards and laws. They ensure human dignity and autonomy.

Remote activation of phones violates privacy and data protection by letting law enforcement agencies access personal or professional data without the owners’ or possessors’ consent or knowledge. It also lets law enforcement agencies access sensitive or confidential data without notification or justification. It also lets law enforcement agencies access excessive or irrelevant data without limitation or proportionality.

For example, remote activation of phones could let the police access medical records, financial transactions, political opinions, religious beliefs, sexual preferences, or other intimate information on a device or a communication. It could also let the police access information that is not related to the investigation or that is out of scope on a device or a communication. It could also let the police access information that is not necessary or appropriate for the investigation or that is disproportionate to the seriousness of the offense on a device or a communication.

How can remote activation of phones undermine the presumption of innocence and the right to a fair trial?

Another argument against this technique is that it can undermine the presumption of innocence and the right to a fair trial for individuals and groups. The presumption of innocence and the right to a fair trial are fundamental rights recognized by international standards and laws. They ensure justice and accountability.

Remote activation of phones undermines the presumption of innocence and the right to a fair trial by letting law enforcement agencies access data that they can use against individuals or groups without any legal basis or due process. It also lets law enforcement agencies access data that they can manipulate or falsify by law enforcement agents or hackers. It also lets law enforcement agencies access data that individuals or groups can challenge or contest.

For example, remote activation of phones could let the police access data that they can incriminate individuals or groups without any warrant or authorization from a judge. It could also let the police access data that they can alter or corrupt by law enforcement agents or hackers. It could also let the police access data that individuals or groups can dispute or refute.

How can remote activation of phones create a risk of abuse and misuse by the authorities?

Another argument against this technique is that it can create a risk of abuse and misuse by the authorities for individuals and groups. Abuse and misuse are illegal or unethical actions that violate rights and obligations. They damage trust and legitimacy.

Remote activation of phones creates a risk of abuse and misuse by the authorities by letting law enforcement agencies access data that they can use for purposes other than those authorized or intended. It also lets law enforcement agencies access data that they can share or disclose to third parties without any oversight or control. It also lets law enforcement agencies access data that they can retain or store for longer than necessary or permitted.

For example, remote activation of phones could let the police access data that they can use for political, personal, commercial, or other interests on a device or a communication. It could also let the police access data that they can transfer or leak to other agencies, organizations, media, or individuals on a device or a communication. It could also let the police access data that they can keep or archive for indefinite periods on a device or a communication.

What are the alternatives and safeguards for remote activation of phones?

Some people suggest that there are alternatives and safeguards for remote activation of phones that can balance security and privacy.

What are the existing legal tools to access phone data with judicial authorization?

One of the alternatives for remote activation of phones is to use existing legal tools to access phone data with judicial authorization. Judicial authorization is a legal requirement that ensures respect for rights and obligations. An independent and impartial judge grants it after evaluating the necessity and proportionality of the request.

Existing legal tools to access phone data with judicial authorization include search warrants, wiretaps, geolocation orders, data requisitions, and international cooperation agreements. These tools let law enforcement agencies obtain information from phones in a lawful and transparent manner. They also provide legal protection and recourse for individuals and groups.

For example, search warrants let law enforcement agencies physically seize phones and extract data from them with judicial authorization. Wiretaps let law enforcement agencies intercept calls and messages from phones with judicial authorization. Geolocation orders let law enforcement agencies track the location of phones with judicial authorization. Data requisitions let law enforcement agencies request data from phone operators or service providers with judicial authorization. International cooperation agreements let law enforcement agencies exchange data with foreign authorities with judicial authorization.

What are the principles and conditions for remote activation of phones according to the bill?

One of the safeguards for remote activation of phones is to follow the principles and conditions for remote activation of phones according to the bill. The bill on justice sets some rules and limits for this technique to prevent abuse and misuse.

The principles and conditions for remote activation of phones according to the bill include:

  • The technique can only be used for terrorism and organized crime investigations.
  • An independent judge who authorizes it must supervise the technique. The technique can only last for four months renewable once.
  • The technique must respect necessity, proportionality, subsidiarity, and legality.
  • Parliament and independent authorities must oversee and control the technique.
  • Experts and stakeholders must evaluate and review the technique.

These principles and conditions aim to ensure a reasonable and accountable use of this technique. They also aim to protect the rights and interests of individuals and groups.

What are the possible ways to limit or challenge remote activation of phones?

Another safeguard for remote activation of phones is to use possible ways to limit or challenge remote activation of phones by individuals or groups. These ways can help protect rights and interests, as well as ensure accountability and transparency.

Some of the possible ways to limit or challenge remote activation of phones are:

  • Using encryption technologies:

    Encryption technologies can make data on phones unreadable or inaccessible to law enforcement agencies, even if they remotely activate them. Encryption technologies can also protect communications from law enforcement agencies’ interception or recording. For example, using end-to-end encryption apps, such as Signal or WhatsApp, can prevent law enforcement agencies from accessing messages or calls on phones.

  • Using security features:

    Security features can prevent law enforcement agencies from installing or activating software or applications on phones that enable remote activation. Security features can also detect or remove software or applications that enable remote activation. For example, using antivirus software, firewalls, passwords, biometrics, or VPNs can prevent law enforcement agencies from accessing phones.

  • Using legal remedies:

    Legal remedies can let individuals or groups contest or oppose remote activation of phones by law enforcement agencies. Legal remedies can also let individuals or groups seek compensation or redress for damages caused by remote activation of phones. For example, using judicial review, administrative appeals, complaints, lawsuits, or human rights mechanisms can challenge law enforcement agencies’ actions or decisions regarding remote activation of phones.

How does this technique compare with other countries?

Law enforcement agencies in other countries, such as the United States, Germany, Italy, Israel, Canada, China, France, and the United Kingdom, have used or considered remote activation of phones by the police. This technique is not new or unique. However, the legal framework, the technical methods, and the ethical and social implications of this technique vary from country to country..

How does remote activation of phones by the police work in different countries?

Remote activation of phones by the police is an intelligence technique that varies from country to country. It depends on the legal framework, the technical methods and the ethical issues of each country. Here are some examples of how it works in different countries.

  • In the United States, this technique is known as “roving bugs” or “mobile device tracking”. The Foreign Intelligence Surveillance Act (FISA) authorizes it for national security purposes and Title III of the Omnibus Crime Control and Safe Streets Act for criminal investigations. It requires a court order based on probable cause and limited in scope and duration. It can locate or record sounds and images from phones. It can be done by installing malware or exploiting vulnerabilities on phones.
  • In Germany, this technique is known as “Quellen-TKÜ” or “source telecommunications surveillance”. The Code of Criminal Procedure and the Telecommunications Act regulate it for criminal investigations and the Federal Intelligence Service Act for national security purposes. It requires a court order based on reasonable suspicion and proportionality. It can intercept communications from phones. To do so, it installs software or uses spyware on phones.
  • In Italy, this technique is known as “Trojan horse” or “spyware”. The Code of Criminal Procedure and the Data Protection Code regulate it for criminal investigations. It requires a court order based on serious indications of guilt and necessity. It can access data or record sounds and images from phones. To do so, it installs software or uses spyware on phones.
  • In Israel, this technique is known as “IMSI catchers” or “stingrays”. The Wiretapping Law and the Privacy Protection Law regulate it for criminal investigations and the Security Service Law for national security purposes. It requires a court order based on reasonable grounds and proportionality. It can locate or intercept communications from phones. To do so, it uses devices that mimic cell towers and trick phones into connecting to them.
  • In Canada, this technique is known as “cell site simulators” or “IMSI catchers”. The Criminal Code and the Charter of Rights and Freedoms regulate it for criminal investigations. It requires a court order based on reasonable grounds and proportionality. It can locate or intercept communications from phones. To do so, it uses devices that mimic cell towers and trick phones into connecting to them.
  • In China, this technique is known as “network interception” or “remote control”. The Criminal Procedure Law and the Cybersecurity Law regulate it for criminal investigations and national security purposes. It does not require a court order but only an approval from a higher authority. It can access data or record sounds and images from phones. To do so, it installs software or uses spyware on phones.
  • In France, real-time geolocation is regulated by the Criminal Procedure Code and the Intelligence Law for criminal and national security investigations. Article 706-102-1 of the Criminal Procedure Code allows police officers and agents to use a technical device to access, record, store and transmit computer data without the consent of the persons concerned. This requires a court order based on serious reasons and proportionality. Article 230-32 of the Criminal Procedure Code states that “Any technical means for real-time location, throughout the national territory, of a person, without his consent, a vehicle or any other object, without the consent of its owner or possessor, may be used if this operation is required by necessity: “. This also requires a court order based on serious reasons and proportionality.
  • In the United Kingdom, this technique is known as “equipment interference” or “hacking”. The Investigatory Powers Act regulates it for criminal investigations and national security purposes. It requires a warrant based on necessity and proportionality. It can access data or record sounds and images from phones. To do so, it installs software or uses spyware on phones.

How does remote activation of phones by the police raise ethical and social challenges?

Remote activation of phones by the police raises ethical and social challenges in different contexts and situations because it involves a trade-off between security and privacy, as well as between effectiveness and legitimacy.

Security versus privacy

On one hand, remote activation of phones by the police can enhance security by providing law enforcement agencies with more information and evidence to prevent, investigate, and prosecute crimes. It can also deter criminals from using phones to plan or commit crimes.

On the other hand, remote activation of phones by the police can undermine privacy by letting law enforcement agencies access personal or professional data without consent or knowledge. It can also violate human rights and civil liberties by letting law enforcement agencies monitor or record sounds and images without notification or justification.

Effectiveness versus legitimacy

On one hand, remote activation of phones by the police can be effective by increasing the chances of finding relevant information or evidence on phones that may be encrypted, hidden, or destroyed. It can also be efficient by reducing the costs and risks of physical surveillance or interception.

On the other hand, remote activation of phones by the police can be illegitimate by violating the legal framework, the technical methods, or the oversight and control mechanisms that regulate this technique in each country. It can also be counterproductive by creating distrust or resistance among phone users or providers, who may use encryption technologies or legal remedies to protect their data or communications.

The ethical and social challenges of remote activation of phones by the police depend on the legal framework, the technical methods, and the oversight and control mechanisms that regulate this technique in each country. They also depend on the cultural and political values, the public opinion, and the media coverage that shape the perception and acceptance of this technique in each country.

Some of the ethical and social challenges of remote activation of phones by the police are how to :

  • balance security and privacy in the use of this technique?
  • ensure compliance with fundamental rights and freedoms in the use of this technique?
  • prevent abuse, misuse, or error in the use of this technique?
  • provide legal protection and recourse for individuals or groups affected by this technique?
  • ensure accountability and transparency in the use of this technique?
  • evaluate the effectiveness and legitimacy of this technique?
  • foster trust and cooperation between law enforcement agencies and phone users in the use of this technique?

What is the impact of encryption technologies on this technique?

Encryption technologies are methods or systems that make data unreadable or inaccessible to unauthorized parties. Encryption technologies can have a significant impact on remote activation of phones by the police, as they can make this technique more difficult, risky, or controversial.

How can encryption technologies make remote activation of phones by the police more difficult or impossible?

Encryption technologies can make remote activation of phones by the police more difficult or impossible by preventing law enforcement agencies from accessing data or communications on phones, even if they remotely activate them. Encryption technologies can also protect phones from malware or spyware that enable remote activation.

For example, end-to-end encryption, which some apps such as Signal or WhatsApp use, can prevent law enforcement agencies from intercepting or reading messages or calls on phones, as only the sender and the receiver have the keys to decrypt them. Device encryption, which some operating systems such as iOS or Android use, can prevent law enforcement agencies from extracting or viewing data on phones, as they require a password or a biometric authentication to unlock them.

How can encryption technologies make remote activation of phones by the police more risky or harmful?

Encryption technologies can make remote activation of phones by the police more risky or harmful by exposing law enforcement agencies to legal or technical challenges or dangers. Encryption technologies can also harm phone users by compromising their security or privacy.

For example, breaking encryption, which law enforcement agencies sometimes do to access data or communications on phones, can expose them to legal challenges, as it may violate laws or regulations that protect encryption or privacy. It can also expose them to technical dangers, as it may weaken the security of phones or networks and create vulnerabilities for hackers or criminals. Hacking encryption, which law enforcement agencies sometimes do to install malware or spyware on phones, can harm phone users by compromising their security or privacy, as it may allow unauthorized access to their data or functions.

How can encryption technologies make remote activation of phones by the police more controversial or unacceptable?

Encryption technologies can make remote activation of phones by the police more controversial or unacceptable by raising ethical and social issues or debates. Encryption technologies can also create conflicts or tensions between law enforcement agencies and phone users or providers.

For example, undermining encryption, which law enforcement agencies sometimes request to facilitate remote activation of phones, can raise ethical and social issues or debates, as it may affect human rights and civil liberties, such as privacy, confidentiality, dignity, presumption of innocence, and right to a fair trial. It can also create conflicts or tensions between law enforcement agencies and phone users or providers. They may have different interests or values regarding encryption and security.

How does EviCore NFC HSM technology developed by Freemindtronic offer a high level of protection for phone users?

Remote activation of phones by the police can be facilitated by exploiting security flaws, installing malware, or requesting backdoors in encryption technologies. However, some encryption technologies may be resistant to these measures and offer a higher level of protection for phone users. One of them is the EviCore NFC HSM technology developed by Freemindtronic.

This technology lets users create their own encryption keys in a random way and store them in a physical device that communicates with the phone via NFC (Near Field Communication). The device also lets users define their own trust criteria that must be met to use the keys or their segments. The encryption is done in post-quantum AES-256 mode from either a device compatible with the EviCore NFC HSM technology or from an encrypted enclave in the phone created in the Key chain (Apple) or the Key store (Android) via the EviCore HSM OpenPGP technology. The encryption keys are segmented and superior to 256 bits. Moreover, they are physically externalized from computer systems. Everything is designed by Freemindtronic to effectively fight against espionage and corruption of telephone, computer, communication and information systems. Finally, without a server, without a database, even in air gap and airplane mode works EviCore NFC HSM or EviCore HSM OpenPGP technology. Everything is designed to work in volatile memory to leave no trace in telephone and computer systems.

This technology offers a high level of security and privacy for phone users who want to protect their data from unauthorized access, including by the police. It also offers a high level of performance and usability for phone users who want to encrypt or over-encrypt all types of messaging in the world, including SMS and MMS. It also works with other applications that use encryption, such as email, cloud storage or blockchain.

Furthermore, this technology is designed to be totally anonymous, autonomous, unconnected, without a database, without collecting any information of any kind on the identity of the user, nor on the hardware, nor on the terminals used. The technology is designed to be totally isolated and totally independent of the security of the terminal used whether it is connected or not. Freemindtronic does not keep the unique pairing keys for each NFC HSM device. And even if it did, the user at installation will automatically generate segmented complementary keys for encryption with administrator and user passwords. Each NFC device has a unique 128-bit signature dedicated to fighting against counterfeiting of NFC devices. It is also used as a key segment. The secret stored in eprom memories or in enclaves of the phone and/or computer can be individually secured by other segmented keys characterized by additional trust criteria such as a geozone, a random hexadecimal code via an existing or generated QR code or Bar Code via EviCore HSM. It is therefore physically impossible for Freemindtronic but under judicial assignment to decrypt data encrypted via EviCore HSM technologies even with a quantum computer.

Conclusion

Remote activation of phones by the police is an intelligence technique. It aims to fight terrorism and crime by accessing data or sounds and images from phones without consent or knowledge. Law enforcement agencies in various countries have used or considered this technique. For example, France, the United States, Germany, Italy, Israel, Canada, China, and the United Kingdom. However, this technique raises technical, legal, ethical, and social challenges. They need to be addressed.

On the technical side, remote activation of phones by the police depends on three factors: compatibility, connectivity, and security of the phones. It can be done by three methods: exploiting vulnerabilities, installing malware, or using spyware on phones.For example, EviCore NFC HSM technology developed by Freemindtronic protects data and communications on phones from remote activation by the police. Encryption technologies can make this technique more difficult or impossible by preventing law enforcement agencies from accessing data or communications on phones, even if they remotely activate them.

On the legal side, remote activation of phones by the police requires a legal framework that regulates its use and scope. Laws or regulations can authorize it and specify the conditions and criteria for its application. Legal remedies can also challenge it and contest or oppose its validity or legality.

On the ethical side, remote activation of phones by the police involves a trade-off between security and privacy, as well as between effectiveness and legitimacy. It can enhance security by providing more information and evidence to law enforcement agencies to prevent, investigate, and prosecute crimes. It can also undermine privacy by letting law enforcement agencies access personal or professional data without notification or justification.

On the social side, remote activation of phones by the police raises issues or debates that affect human rights and civil liberties. For example, privacy, confidentiality, dignity, presumption of innocence, and right to a fair trial. It can also create conflicts or tensions between law enforcement agencies and phone users or providers, as they may have different interests or values regarding encryption and security.

Therefore, remote activation of phones by the police is a complex and controversial technique that requires a careful and balanced approach that respects the rights and interests of all parties involved. The French bill on remote activation of phones by the police and the EviCore NFC HSM Open PGP technology developed by Freemindtronic illustrate the complex and evolving relationship between intelligence and encryption in the digital age. They raise questions about finding a balance. It is between security and privacy, between public interest and individual rights, between innovation and regulation.

: According to Okta, privacy is the right to control how your information is viewed and used, while security is protection from threats or dangers (https://www.okta.com/identity-101/privacy-vs-security/).

: According to Carnegie Endowment for International Peace, finding a balance between security and privacy requires addressing technical, legal, and social questions (https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573).

: According to Springboard, finding a balance between innovation and regulation requires cooperation among stakeholders and respect for human rights (https://www.springboard.com/blog/cybersecurity/privacy-vs-security-how-to-balance-both/).

Protect Meta Account Identity Theft with EviPass and EviOTP

A man holding a resident card of a person in Andorra, wearing a badge of an identity card of a Spanish woman and surrounded by other identity cards of different countries including France and on his left a hacker in front of his computer with a phone

Protect Meta Account identity theft by Jacques Gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.

How to Spot and Avoid Phishing Attacks on Meta

Have you ever wondered what would happen if someone hacked your Meta account and used it for malicious purposes? Identity theft is a serious threat that affects millions of internet users worldwide. It can harm your reputation, finances, privacy, and even your safety. That’s why it’s essential to protect your Meta account from identity theft.

Articles Crypto Currency Digital Security EviSeed EviVault Technology News

Enhancing Crypto Wallet Security: How EviSeed and EviVault Could Have Prevented the $41M Crypto Heist

Articles EviVault Technology News Uncategorized

Why choose a Cold Wallet NFC HSM to secure your cryptocurrencies?

Articles Digital Security EviVault Technology NFC HSM technology Technical News

EviVault NFC HSM vs Flipper Zero: The duel of an NFC HSM and a Pentester

Articles EviVault Technology Phishing

Cryptbot malware steals data cryptocurrencies

Protecting Your Meta Account from Identity Theft

Meta is a family of products that includes Facebook, Instagram, Messenger, WhatsApp, Oculus, and more. These products allow you to connect with people, share content, play games, shop online, and explore new realities. However, they also store a lot of personal information that can be exploited by hackers if you don’t secure your account properly.

Identity theft of online accounts is a growing problem that affects many Meta users. Hackers use various techniques to illegally obtain user credentials and two-factor authentication information. This results in financial, legal, and psychological consequences for the victims, who find themselves deprived of their digital identity. In this article, we explain how to protect your Meta account from identity theft, with a focus on the security of your passwords and your two-factor authentication. We also present real testimonials of identity theft on Meta, which illustrate the seriousness of this problem and the importance of protecting yourself. Finally, we introduce you to an innovative solution that allows you to manage OTP tokens (One Time Password) securely and contactlessly thanks to an NFC device (Near Field Communication).

Identity theft on meta how to protect your meta account from identity theft by Freemindtronic from Andorra

Creating Strong and Unique Passwords to Safeguard Your Meta Account

To enhance the security of your Meta account, it’s crucial to create strong and unique passwords. A strong password is the first line of defense against identity theft. Use a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using obvious personal information, such as your name or date of birth. Furthermore, avoid reusing the same password on multiple accounts, as this makes it easier for hackers to gain unauthorized access. Consider using a secure password manager such as EviPass, offered by Freemindtronic, to store your passwords securely and regularly check their integrity.

Enhancing Meta Account Security with Two-Factor Authentication (2FA)

Enhancing the security of your Meta account is crucial, and enabling two-factor authentication (2FA) is an effective way to achieve that. In the security and login settings of your Meta account, you have access to a range of 2FA methods. Each method has its own advantages and considerations, empowering you to select the most suitable option for your needs.

Table: Comparison of Different 2FA Methods on Meta

2FA Method Advantages Disadvantages
Security Key Highly secure, doesn’t require internet connection Expensive, susceptible to loss or forgetfulness, requires USB or NFC port
Authentication App More secure than SMS, compatible with multiple accounts Risk of smartphone loss or theft, requires prior installation
SMS Simple and quick Risk of phone number hacking, reliance on mobile network
Authentication Applications Enhanced security, generates secure 2FA codes Risk of smartphone loss or theft
EviPass Highly secure, contactless, compatible with multiple accounts, no prior installation required Requires purchase of EviPass device

The Ultimate Solution – EviPass and EviOTP for Meta Account Protection

EviPass, powered by Freemindtronic’s EviOTP technology, offers the best of both worlds with its PassCypher product. PassCypher combines two technologies: EviPass Hardware and/or Digital Manager, compatible with Freemindtronic’s NFC HSM devices. It also incorporates the EviOTP technology, a secret key manager for OTP and HOTP, enabling the generation of OTP codes. With PassCypher, you can experience highly secure and contactless 2FA. It eliminates the need for prior installation and provides a seamless user experience. By securely storing and generating OTP secret keys using EviOTP technology, PassCypher ensures end-to-end authentication. Please note that the PassCypher device, which includes EviPass and EviOTP technologies, needs to be purchased to utilize this comprehensive solution.

Being Vigilant Against Phishing Attacks to Secure Your Meta Account

Hackers often use phishing techniques to trick you into disclosing your credentials. Be vigilant about suspicious emails or messages asking for your credentials or personal information. Do not click on dubious links and always check the website address before entering your information. If you receive a suspicious message claiming to be from Meta, report it immediately.

Regularly Updating Security Information for Meta Account Protection

To maintain optimal security, it is important to update your security information regularly, such as your recovery email address and phone number. This information will allow you to regain access to your account in case of identity theft or password forgetfulness. Make sure you choose secure and easily accessible recovery information that only you have access to.

Implementing EviOTP for Enhanced Meta Account Security against Identity Theft

One innovative solution for securing your Meta account is EviOTP by Freemindtronic. EviOTP utilizes contactless technology and NFC devices to securely manage OTP tokens (One Time Passwords). By enabling two-factor authentication with EviOTP, you are required to provide an additional code along with your password when logging into your Meta account. This method offers optimal protection against phishing attacks and identity theft, as your OTP tokens are stored and encrypted within the NFC device, physically isolated from your computer and phone systems.

Table: Advantages and disadvantages 2FA

2FA Method Pros Cons
SMS Simple and fast Risk of hacking your phone number, dependence on mobile network
Authentication App More secure than SMS, compatible with multiple accounts Risk of losing or stealing your smartphone, requires prior installation
Security Key Very secure, does not require internet connection Expensive, easy to lose or forget, requires USB or NFC port
EviOTP Very secure, contactless, compatible with multiple accounts, does not require prior installation Requires purchasing the EviOTP device

Considering the different options available, each 2FA method offers unique benefits and drawbacks. Security keys provide a high level of security but may be costly and prone to loss. Authentication apps offer increased security and compatibility, but the risk of smartphone theft exists. SMS codes are simple and fast but carry the risk of phone number hacking. Authentication applications like Google Authenticator or Microsoft Authenticator generate secure codes but are still susceptible to smartphone loss. Finally, EviOTP stands out as a highly secure, contactless option compatible with multiple accounts, although it requires purchasing the EviOTP device.

EviOTP – The Ultimate 2FA Solution

For the ultimate 2FA solution, EviOTP by Freemindtronic offers unmatched security and convenience. EviOTP combines contactless technology, compatibility with multiple accounts, and a seamless user experience. It eliminates the need for prior installation and configuration, making it ready to use right out of the box. By securely storing and generating OTP secret keys, EviOTP ensures end-to-end authentication. To benefit from EviOTP, please note that the EviOTP device must be purchased.

To enable two-factor authentication with Contactless OTP Manager, you must follow these steps:

  1. Download and install the PassCypher application embedding the EviPass technology and especially EviOTP on your NFC-compatible Android mobile device from the Google Play Store.
  2. Log in to your Meta account on a computer or mobile browser.
  3. Go to the security and login settings of your Meta account and click on “Use two-factor authentication”.
  4. Choose the option “Authentication application” and follow the instructions on the screen.
  5. Open the PassCypher application on your mobile device and bring your Contactless OTP Manager device close to the phone to scan the QR code displayed by Meta.
  6. Enter the six-digit code generated by Contactless OTP Manager in the “Security Code” field on Meta and click on “Next”.
  7. Save the recovery codes provided by Meta in case of loss or theft in your Contactless OTP Manager device that you also use to generate codes to authenticate yourself.

Beware of phishing attacks

Hackers often use phishing techniques to trick you into disclosing your credentials. Be vigilant about suspicious emails or messages asking for your credentials or personal information. Do not click on dubious links and always check the website address before entering your information. If you receive a suspicious message claiming to be from Meta, report it immediately.

Update your security information regularly

To maintain optimal security, it is important to update your security information regularly, such as your recovery email address and phone number. This information will allow you to regain access to your account in case of identity theft or password forgetfulness. Make sure you choose secure and easily accessible recovery information only by you.

Real Testimonials of Meta Account Identity Theft and Steps to Protect Yourself

Identity theft is a phenomenon that affects more and more internet users worldwide. According to a study by the Federal Trade Commission, consumers reported losing more than $5.8 billion to fraud in 2021, an increase of more than 70% over the previous year. Among the most common types of fraud are identity theft scams, which aim to steal the login information of users on various Meta products, such as Instagram, Facebook, Messenger, WhatsApp or Oculus. These information can then be used to harm the reputation, finances or privacy of the victims.

Finding real testimonials of identity theft on Meta is not always easy. Indeed, victims may feel ashamed of being fooled, afraid of the consequences or simply not know who to turn to report the problem or ask for help. That’s why we have gathered in this section some true and verified stories that illustrate the different possible scenarios of identity theft on Meta. These stories are presented in the form of small short paragraphs that are easy to read and explain how the victims discovered the hacking, how they reacted and what were the consequences.

We hope that these testimonials will help you to become aware of the risks associated with identity theft on Meta and to adopt good practices to protect your personal data online. If you are a victim or witness of identity theft, do not hesitate to report the problem to the competent authorities and ask for help from specialized services.

  • Marie found June 6, 2021 Marie’s Instagram account was hacked by scammers. They tricked her into giving them her login information. They used her account to ask her followers for money. Marie reported the hack to Instagram and warned her contacts. She finally got her account and her 2,000 followers back. She learned to be more careful online.
  • A woman from France had her Instagram account hacked by scammers who tried to extort money from her followers. She contacted Meta, but received no response. She then contacted a cybersecurity expert who helped her recover her account and her 6,000 followers.
  • Muriel, a regular user of Meta, was a victim of identity theft on her personal account as well as on her Meta Business Manager account. Despite activating two-factor authentication, hackers managed to bypass security measures, leaving Muriel in a difficult situation. Unable to receive the necessary help from Meta, she shared her experience on social networks, hoping to find a contact within Meta who could help her solve this frustrating problem.
  • In December 2021, Meta filed a lawsuit against the bad actors who allegedly created over 39,000 websites that resembled the login pages of Instagram, Facebook, Messenger, and WhatsApp. The defendants used these websites to deceive users and collect their login information. They also infringed Meta’s trademarks by using its logos and names on their fake pages.
  • In February 2023, a couple was victim of a phishing scam that targeted META users. They received an email that seemed to come from the social network and asked them to confirm their credentials and password to avoid the closure of their account. When they clicked on the link, they were redirected to a fake login page that recorded their data. A few days later, they noticed that their account had been hacked and that fraudulent purchases had been made with their credit card linked to their META account.
  • In October 2022, a woman discovered that her Instagram account had been hacked and that a scammer had used her identity to blackmail her followers. He sent them messages pretending to be her and asking for nude photos or money. He threatened to expose their private conversations or photos if they did not comply. The victim reported the hack to Instagram and warned her contacts about the scam.
  • In October 2021, a man was sentenced to 18 months in prison with a suspended sentence for having impersonated several personalities on social networks, including the president of the French Republic Emmanuel Macron. He created fake META (ex-Facebook) accounts and sent private messages to internet users asking them for money or services. He also tried to extort personal information from journalists and politicians by pretending to be their relatives or collaborators.
  • In February 2020, a woman discovered that her META account had been hacked and that a scammer had used her identity to trick her friends. He sent them messages pretending to be her and asking them for financial help for an emergency. He then asked them to send him PCS recharge codes (prepaid cards) that he could use to buy goods or services online. The victim filed a complaint and alerted her contacts about the hack.
  • French case of Loïc: Loïc suffered identity theft on Meta for a grueling period of 17 years. Hackers opened numerous bank accounts in his name, took out consumer loans and used his information to benefit from social and tax benefits. Loïc recounted his ordeal during an interview with Olivier Delacroix on Europe 1 on January 15th, 2019. For years, he had to provide proof of identity and fight with administrations, banks and bailiffs to restore the truth and regain control of his digital identity.
  • Case of Julie: Julie was a victim of identity theft on her Meta account by her ex-partner. He managed to access her account by cloning her SIM card, changing her security information and posting defamatory messages in her name. Julie quickly became aware of the situation and immediately filed a complaint with the competent authorities. She also contacted the Cybermalveillance.gouv.fr service to get help in the process of recovering her account and protecting her online reputation.
  • Thomas’s Instagram account was hacked by a hacker who impersonated him and sent rude messages to his contacts. He managed to recover his account with the help of a cybersecurity expert.
  • Benoît fell victim to a scam on WhatsApp. He received a message from a friend who asked him to lend him money urgently. He agreed and sent 500 euros by bank transfer. He realized too late that it was an impostor who had hacked his friend’s account.
  • Clara was a victim of identity theft on her Facebook account. She received a notification that told her she had won a free trip and asked her to click on a link to claim it. She followed the link and entered her Facebook credentials. She realized too late that it was a trap to steal her data and use it to create fake profiles in her name.
  • David was a victim of identity theft on his Oculus account. He received an email that told him he had been selected to test a new virtual reality game and asked him to download an app on his smartphone. He downloaded the app and scanned a QR code with his Oculus headset. He realized too late that it was a malicious software that had stolen his login information and used his account to buy games without his permission.
  • Emma was a victim of identity theft on her Meta Workplace account. She received a message from a colleague who asked her to send him confidential documents related to an ongoing project. She trusted him and sent the documents by email. She realized too late that it was an impostor who had hacked her colleague’s account and used the documents to harm the company.
  • Another real case of identity theft on Meta is that of Aaron Elekes. This film and TV producer had his Facebook account hacked by scammers who impersonated him and his contacts. Despite his efforts to recover his account, he did not receive the necessary help from Meta. He had to create several new accounts under his name, which caused him a lot of stress and frustration. This testimonial shows how important it is to protect your Meta account from identity theft.
  • Other real examples of identity theft on Meta include:
    • A company called Meta that accuses Meta (formerly Facebook) of unlawfully seizing its mark, name and identity.
    • The risks associated with identity theft on Meta, such as the loss of personal data, the spread of false information, the contact scam or the infringement of copyright.

These real testimonials of identity theft on Meta illustrate the severity of the problem and highlight the importance of taking adequate security measures to protect your account. By following the tips mentioned above, such as creating strong passwords, enabling two-factor authentication and using innovative solutions like EviPass and EviOTP, you can enhance the security of your Meta account and significantly reduce the risks of identity theft.

Conclusion: Safeguard Your Meta Account from Identity Theft

Protecting your Meta account from identity theft is essential to preserve your online security. By following the recommended security measures, such as creating strong and unique passwords, enabling two-factor authentication and using innovative solutions like EviPass and EviOTP from Freemindtronic, you enhance the security of your account and reduce the risks of identity theft. Also be vigilant about phishing attempts and make sure to update your security information regularly. Use the tools and technologies at your disposal to enhance the security of your Meta account. By following these tips, you will be able to fully enjoy your experience on Meta with peace of mind.

Protect your digital identity and take the necessary steps to secure your Meta account now. Don’t let hackers steal your online identity. Be proactive in your approach to security and make protecting your account a top priority.

By adopting strong security measures and staying informed about the latest techniques used by hackers, you can minimize the risks of identity theft and protect your digital life on Meta. Make sure you implement the recommendations presented in this article and don’t hesitate to explore more advanced security solutions to further enhance the protection of your account. Your online security is in your hands, so act now to protect your Meta account from identity theft.

Protect your digital identity and take the necessary steps to secure your Meta account now. Don’t let hackers steal your online identity. Be proactive in your approach to security and make protecting your account a top priority.

By adopting strong security measures and staying informed about the latest techniques used by hackers, you can minimize the risks of identity theft and protect your digital life on Meta. Make sure you implement the recommendations presented in this article and don’t hesitate to explore more advanced security solutions to further enhance the protection of your account. Your online security is in your hands, so act now to protect your Meta account from identity theft.

Remember that securing your Meta account is not limited to these measures. Stay vigilant, educate yourself on the latest security practices and be proactive in protecting your digital identity. By taking these precautions, you can fully enjoy your experience on Meta safely and peacefully.

EviPass the ultimate offline NFC hardware password manager passwordless manager by Freemindtronic Andorra

About Freemindtronic

Freemindtronic is a company specialized in digital security solutions based on NFC technology (Near Field Communication). Founded in 2017 by Jean-Marc Zanni, an expert in embedded systems engineering, Freemindtronic offers innovative products such as EviPass and EviOTP that allow users to manage their passwords and OTP tokens securely and contactlessly. Freemindtronic’s solutions are designed for individuals and professionals who want to protect their digital identity from cyberattacks and identity theft.

How BIP39 helps you create and restore your Bitcoin wallets

BIP39 EviSeed post Freemindtronic from Andorra web site

BIP39 by Jacques gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.  

BIP39: how to create and restore your Bitcoin wallets securely

Do you want to know how BIP39 helps you manage your cryptographic keys with a simple mnemonic phrase? Find out in this article how this standard works and how to use it to protect your bitcoins.

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

How BIP39 helps you create and restore your Bitcoin wallets

Do you struggle to manage your cryptocurrency wallets? Are you looking for a simple and secure solution to create and restore your wallets? You are not alone. According to a study, more than 20% of cryptocurrency users have lost access to their funds because of a forgotten or stolen private key. Fortunately, there is an innovative solution to avoid this problem: BIP39 and mnemonic phrases. In this article, we will explain what BIP39 is, how it works, what are its advantages and disadvantages, and which wallets support it.

What is BIP39 and how does it work?

BIP39, also known as Bitcoin Improvement Proposal 39, proposes a novel method to simplify the creation and recovery of cryptocurrency wallets. It relies on the use of mnemonic phrases, which are sequences of words easy to remember generated from a predefined list of words. These mnemonic phrases serve to derive the private keys that allow you to access your funds. The use of this method greatly simplifies the management and backup of wallets, avoiding the need to memorize complex private keys.

BIP39 is part of the many BIPs (Bitcoin Improvement Proposals) that aim to improve the Bitcoin protocol. It was proposed in 2013 by Marek Palatinus, Pavol Rusnak, Aaron Voisine and Sean Bowe. It was implemented on Bitcoin in 2014 and has been adopted by many other cryptocurrency projects since then. You can consult the official document of BIP39 here (link to https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki).

The benefits of BIP39

BIP39 has many benefits for cryptocurrency users. First of all, it simplifies considerably the process of creating and recovering wallets. Thanks to mnemonic phrases, it becomes easier to backup and restore your wallets in case of need. Moreover, these mnemonic phrases are generally more user-friendly, as they are composed of words in natural language, which makes them easier to remember.

Another important benefit is compatibility. Many hardware and software wallets support BIP39, which offers great flexibility in choosing the wallet suitable for your needs. Whether you prefer a physical wallet or a software solution, there is a high chance that you can find a wallet compatible with BIP39.

The drawbacks of BIP39

Despite its many benefits, BIP39 also has some drawbacks. The main drawback lies in the security of the mnemonic phrase. Given that the mnemonic phrase is the key to access your funds, its loss or theft can result in the total loss of your cryptocurrencies. It is therefore crucial to take appropriate security measures to protect your mnemonic phrase, such as secure backup in an offline location.

Another drawback is the dependence on wallet software compatible with BIP39. It is important to verify that the wallet you use supports BIP39 before generating your mnemonic phrase. Otherwise, you may not be able to access your funds with another wallet that uses the same protocol.

Cold wallet vs hardware wallet: what’s the difference?

If you own cryptocurrencies, you need a wallet to store and manage them. But not all wallets are the same. In this article, we will explain the difference between a cold wallet and a hardware wallet, and how to choose the best one for your needs.

What is a cold wallet?

A cold wallet is a type of hardware wallet that is very secure: it never interacts with any smart contract or external source; it only stores assets and executes transfers between your other wallets. For example, a hardware wallet that is not used to explore Web3 can be considered a cold wallet.

What is a hardware wallet?

A hardware wallet is a physical device that stores your private keys in an isolated environment from an internet connection. This is important, because anyone who has access to your private keys has access to your crypto. A hardware wallet also allows you to sign transactions; enabling you to interact with different blockchain networks.

What is the difference between a cold wallet and a hardware wallet?

The main difference between a cold wallet and a hardware wallet is the level of interaction with smart contracts and external sources. A cold wallet is safer than a hardware wallet active online, because it does not face any threat from interactions with smart contracts.

Here is a summary table of the advantages and disadvantages of each type of wallet:

Cold Wallet Hardware Wallet
+ Very secure + Secure
+ Ideal for long-term storage + Ideal for Web3 exploration
– Not convenient for frequent transactions – Less secure than a cold wallet
– Can be lost or damaged – Can be hacked by malicious smart contracts

What standard is used to generate the mnemonic phrase or mnemonic code?

Another important aspect to consider when choosing a wallet is the standard used to generate the mnemonic phrase or mnemonic code. This is a group of easy-to-remember words that serves as a backup for your wallet in case of loss or destruction. The most common standard is BIP39, which is used by many deterministic (HD) wallets and not only by Bitcoin wallets. It has also been adopted for use in many other cryptocurrency projects.

Cold wallets and hardware wallets generally use BIP39 for master key generation. Some hardware wallets also use other BIPs to improve the security and functionality of their wallets. For example:

  • The Trezor Model T uses BIP32, BIP39, BIP44 and SLIP39. SLIP39 is an improvement of BIP39 that allows creating split backups (Shamir Backup) for increased security.
  • The Coldcard uses BIP32, BIP39 and BIP174. BIP174 is a standardized format for partially signed transactions (PSBT) that allows signing transactions offline.

What are the different types of cold wallets and hardware wallets?

There are different types of cold wallets and hardware wallets, and some can belong to both categories. For example, the Keepser is an NFC cold wallet that uses BIP39 to save seed phrases generated by other wallets or blockchains. It is therefore a type of hardware wallet that comes in the form of a contactless card that communicates with an application on your smartphone. The Keepser only protects cryptocurrency private keys, and not other types of private keys. It also allows printing private keys and seed phrases in the form of encrypted QR codes, which can be scanned by the Keepser application to restore wallets. The Keepser uses EviVault and EviSeed technology developed by Freemindtronic, a company specialized in cybersecurity and custom product design.

It is therefore important to check what standards are supported by the wallet you choose and how they affect the security and compatibility of your wallet.

BIP39 EviSeed post Freemindtronic from Andorra web site

How to choose a BIP39-compatible wallet

Update 29/05/2023

To fully enjoy the benefits of BIP39, it is essential to choose a wallet compatible with this feature. Many hardware and software wallets support BIP39, offering a simplified and secure experience. To help you in your choice, we have created a comprehensive table that compares the best wallets compatible with BIP39:

How to secure your mnemonic phrase with EviSeed?

If you use a BIP39-compatible wallet, you must imperatively protect your mnemonic phrase against any loss or theft. An innovative solution for this is EviSeed, developed by Freemindtronic. EviSeed is an electronic device that allows you to store your mnemonic phrase in a secure and resistant NFC card against physical or logical attacks.

EviSeed offers several advantages over traditional backup methods on paper or metal:

  • It is easy to use: just approach your NFC card from a compatible smartphone to display your mnemonic phrase.
  • It is secure: it uses a patented algorithm that encrypts your mnemonic phrase with a personal PIN code.
  • It is durable: it resists shocks, water, fire and magnetic fields.

EviSeed is compatible with all wallets that support BIP39, such as Ledger, Trezor or Metamask. You can order your EviSeed on Freemindtronic’s official website (link to https://freemindtronic.com/eviseed/en/).

Some real-life examples of people who lost their keys

You may think that losing your mnemonic phrase is a rare or unlikely case. Think again! Many people have already experienced this misadventure, sometimes with dramatic consequences. Here are some real-life examples taken from the media:

  • Stefan Thomas, a programmer living in San Francisco, owns 7 002 Bitcoin that he cannot recover because he lost the password of his IronKey hard drive, which contains the private keys of his wallet1. He only has two attempts left before his hard drive locks permanently.
  • James Howells, a British computer scientist, accidentally threw away his hard drive containing 7 500 Bitcoin in 20132. He tried unsuccessfully to find his hard drive in a municipal landfill.
  • Brad Yasar, an entrepreneur living in Los Angeles, mined thousands of Bitcoin at the beginning of the project3. But he forgot his passwords and failed to access his wallets despite hundreds of hours spent trying.
  • Luke Dashjr, one of the original developers of Bitcoin Core, said he lost more than 200 Bitcoin after his PGP key was compromised on December 31, 20224. He claimed he did not know how hackers were able to access his key.

These examples show well the importance of using a reliable and secure method to backup your mnemonic phrase. With EviSeed, you can avoid this kind of situation and enjoy your cryptocurrencies peacefully.

Other standards related to BIP39

BIP39 is not the only standard that concerns the generation and management of cryptocurrency wallets. There are other standards that are related to BIP39 or that propose alternatives to it. Here are some examples:

  • The BIP32 is another standard that describes how to generate deterministic wallets from a master key. The BIP32 allows creating a hierarchy of derived keys from a single master key, which facilitates the organization and backup of wallets. The BIP32 uses a hash function to derive keys, which ensures that keys are unpredictable and independent from each other. The BIP39 is a method to create a master key from a mnemonic phrase. The two standards are often used together to create deterministic wallets from mnemonic phrases.
  • The BIP44 is an extension of the BIP32 that defines a hierarchical structure for deterministic wallets. It allows managing multiple accounts and multiple currencies with a single mnemonic phrase. The BIP44 defines five levels of derivation: purpose, currency, account, address type, and address index. The purpose is fixed at 44’ to indicate that the wallet follows the BIP44. The currency is a numerical code that identifies the currency used (for example, 0’ for Bitcoin, 60’ for Ethereum). The account is a number that allows separating funds according to personal criteria (for example, 0’ for the main account, 1’ for the secondary account). The address type is a bit that indicates if the wallet uses external addresses (0) or internal addresses (1). External addresses are those that are used to receive payments, while internal addresses are those that are used to send changes. The address index is a number that identifies each address within the address type. For example, the address m/44’/0’/0’/0/0 corresponds to the first external address of the first Bitcoin account of the wallet.
  • The SLIP39 (Shamir’s Secret-Sharing for Mnemonic Codes) is an alternative to BIP39 that allows splitting a mnemonic phrase into several parts that must be combined to restore the master key. The SLIP39 uses Shamir’s secret-sharing scheme, a cryptographic algorithm that allows distributing a secret into several pieces, called shares, such that a minimum number of shares is required to reconstruct the secret. For example, one can split a mnemonic phrase into five shares, of which three are required to restore it. This allows increasing security and redundancy of the wallet, by avoiding that one single share is enough to access funds or that one single share lost makes the wallet irrecoverable.
  • The Electrum Seed Version System is a system used by Electrum wallet to generate and verify mnemonic phrases. It differs from BIP39by several aspects: it uses a different word list, it does not use a checksum but a version code, it allows generating mnemonic phrases of variable lengths (12, 18 or 24 words), it allows deriving keys and addresses from a hash of the mnemonic phrase without depending on a fixed word list, it supports different types of mnemonic phrases according to the type of wallet (standard, multisig or segwit).
  • The Monero Seed Format is a format used by Monero wallet to generate and verify mnemonic phrases. It differs from BIP39 by several aspects: it uses a different word list, it uses a different checksum based on CRC32, it allows generating mnemonic phrases of 13 or 25 words depending on the seed length (128 or 256 bits), it allows deriving keys and addresses from the seed without depending on a fixed word list.

The segmented key authentication technology

Another innovative technology that allows to protect sensitive data such as mnemonic phrases by using encryption keys that are stored on different supports is the segmented key authentication technology. This technology was invented by Jacques Gascuel, a Frenchman living in Andorra, founder of the Andorran company Freemindtronic, is also patented in the USA under number US11281759B2 in 2020.

According to the invention, the encryption keys of the mnemonic phrases are segmented into several parts, which allows to store them on different supports such as contactless devices, phones, computers or a paper print with a QR code. Each mnemonic phrase is associated with an NFC HSM device and/or an EviCore OpenPGP HSM from Freemindtronic, which contains a part of the encryption key, which can be a pairing key. This part allows to decrypt the mnemonic phrase when the other parts are gathered. The other parts can be validated in different ways, such as a password, a fingerprint, a geofence or an identifier of the phone or network, etc. The technology allows to create different segmentation combinations for each mnemonic phrase. To reconstruct the encryption key and access the mnemonic phrase, one must approach the NFC HSM device from the phone and validate the other parts according to the order chosen by the user or automatically if all conditions are met.

According to one of the implementations of the invention, the key segments chosen by the user to constitute the decryption key can be of physical or digital origin. For example, the user can choose a key segment that corresponds to a geofence, thus allowing to decrypt the mnemonic phrase without requiring any other action, apart from being physically in the right geographical area. Of course, this key segment is associated with at least another key segment, such as the identifier of the user’s phone. This greatly improves user experience without compromising security level, as there are other default authentication factors integrated into NFC devices, such as also segmented pairing key, NFC identifier, unique 128-bit key, administrator and/or user password, as well as phone fingerprint.

Finally, an advantage of this technology is that key segments can be entrusted to various third parties without any risk. For example, a third party can hold a key segment without knowing what type of segment he owns, whether it is a BSSID, a geofence or a phone identifier that will receive a donation. There is virtually no limit to this. It is an effective solution for donations and inheritances, where the notary or lawyer can have a geofence key segment that he can only use in a specific place defined in a will or under the supervision of a bailiff.

Conclusion

In summary, BIP39 is a major improvement proposal to simplify the management of cryptocurrency wallets. Thanks to the use of mnemonic phrases, it offers a user-friendly and secure solution to create and recover your wallets. However, it is crucial to protect your mnemonic phrase against any loss or theft, and to choose a reliable and compatible wallet with BIP39.

We hope that this article has helped you understand better the functioning and benefits of BIP39. If you have any questions or comments, we would love to help you in the section below. Simplify your cryptocurrency management experience with BIP39!

Segmented key authentication: an innovation by Jacques Gascuel to secure sensitive data

Segmented key authentication by Jacques gascuel
This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.  

….

…..

2024 Articles Cardokey EviSwap NFC NDEF Technology GreenTech Technical News

NFC vCard Cardokey: Revolutionizing Digital Networking

2024 Articles Cyberculture EviPass Password

Human Limitations in Strong Passwords Creation

2024 Articles Digital Security EviKey NFC HSM EviPass News SSH

Terrapin attack: How to Protect Yourself from this New Threat to SSH Security

2023 Articles Cyberculture EviCypher NFC HSM News Technologies

Telegram and the Information War in Ukraine

Articles Crypto Currency Cryptocurrency Digital Security EviPass Technology NFC HSM technology Phishing

Ledger Security Breaches from 2017 to 2023: How to Protect Yourself from Hackers

Articles Digital Security EviCore NFC HSM Technology EviPass NFC HSM technology NFC HSM technology

TETRA Security Vulnerabilities: How to Protect Critical Infrastructures

2023 Articles DataShielder Digital Security EviCore NFC HSM Technology EviCypher NFC HSM EviCypher Technology NFC HSM technology

FormBook Malware: How to Protect Your Gmail and Other Data

Articles EviCore NFC HSM Technology legal News Training

Dual-Use Encryption Products: a regulated trade for security and human rights

Segmented key authentication: an innovation by Jacques Gascuel to secure sensitive data

What is segmented key authentication?

Segmented key authentication is a technology that allows to protect sensitive data by using encryption keys that are stored on different supports. This technology was invented by Jacques Gascuel, a French inventor living in Andorra, and patented under the number FR3063365 in 05.04.2019.

The principle of segmented key authentication is to divide an encryption key into several segments that are distributed on physical or virtual supports. These supports can be smart cards, USB keys, smartphones, computers or cloud services. To access the encrypted data, it is necessary to gather all the segments of the key and combine them according to a specific algorithm.

The advantage of this technology is that it makes it very difficult to steal or compromise sensitive data, because it would require accessing all the supports that contain the segments of the key. Moreover, this technology allows to control the access to data according to the context, the location. For example, it is possible to define that some segments of the key are only available in a certain geographical area.

How does segmented key authentication work?

Segmented key authentication relies on a system composed of three main elements: a contactless device, an NFC device and a software.

The contactless device is a physical support that contains one or more segments of the encryption key. It can be a smart card, a USB key or another object with an electronic chip. This device is designed to work without battery, without maintenance and without cloud. It can be reset for the second-hand market.

The NFC device is a device that allows to communicate with the contactless device by radiofrequency. It can be a smartphone, a tablet or a computer equipped with an NFC antenna. This device provides the energy necessary for the operation of the contactless device and retrieves the segments of the key that it contains.

The software is an application that runs on the NFC device and that manages the segmented key authentication process. It allows to configure the parameters of the encryption key, such as the number and size of the segments, the combination algorithm, the access conditions or the actions to perform in case of failure. It also allows to encrypt and decrypt data using the key reconstituted from the segments.

What are the possible applications of segmented key authentication?

Segmented key authentication can be used to secure any type of sensitive data, whether personal, professional or confidential. It can also be used to protect access to systems or services that require strong authentication.

Among the possible applications, we can mention:

  • Electronic safes: these are systems that allow to store sensitive data in a secure and encrypted space. Segmented key authentication can enhance the security of these systems by making it impossible to access data without having all the segments of the key.
  • Alarm systems: these are systems that allow to detect and report an intrusion or an anomaly in a protected place. Segmented key authentication can improve the reliability of these systems by preventing disarming or hacking without having all the segments of the key.
  • Financial transactions: these are operations that involve the transfer of money or goods between parties. Segmented key authentication can ensure security and traceability of these operations by requiring physical and simultaneous presence of parties to validate transaction.

The patents of segmented key authentication

The invention of segmented key authentication has been subject to several patent applications in different countries. The first patent granted is FR patent FR3063365, published in 2018. This patent describes segmented key authentication system, its elements, its functioning and its applications.

Other patent applications are pending or awaiting in other countries, including:

  • French patent FR3063365, granted in 2019,
  • European patent EP3586258 A1, published in 2020, which repeats same claims as US patent. It is under examination.
  • Korean patent KR1020190120317 , published in 2019, which repeats same claims as US patent. It was granted in 2021.
  • Chinese patent CN110402440, published in 2019, which repeats same claims as US patent. It is awaiting examination.
  • Japanese patent JP2020508533 , published in 2019, which repeats same claims as US patent. It was granted in 2020.
  • Algerian application 190460 , filed in 2019 with National Algerian Institute for Industrial Property (INAPI). It is not yet published or granted.

These patent applications are derived from international patent WO2018153274 A1, published in 2018, which is priority application for invention. This international patent was filed by Jacques Gascuel with World Intellectual Property Organization (WIPO) according to Patent Cooperation Treaty (PCT). It allows protecting invention in more than 150 countries members of PCT.

The differentiation of invention from prior art

The invention of segmented key authentication differs from other inventions in field of computer security by several aspects.

Firstly, it relies on original concept of segmenting an encryption key into several segments that are stored on different supports. This concept allows increasing security level of sensitive data by making it more difficult to steal or compromise complete key. Indeed, it would require accessing all supports that contain segments of key, which implies more material and software effort than with single key. For example, if key is segmented into four parts, one on smart card, one on USB key, one on smartphone and one on computer, it would require stealing or hacking these four supports to reconstitute key and access data. This scenario is much more complex and unlikely than with single key stored on single support.

Secondly, it allows controlling access to data according to context, location. Indeed, it is possible to define access conditions for each segment of key, such as geographical location, number of attempts etc. Thus, one can limit access to data certain situations or circumstances, which strengthens protection of data. For example, one can define that segment of key stored on smartphone is only available in radius of 10 km around owner’s home, or that segment of key stored on computer is only available between 9 am and 5 pm from Monday to Friday. These access conditions allow reducing risks of unauthorized access to data.

Thirdly, it uses a contactless device and an NFC device to communicate with main token that contains authentication datum. This contactless device is designed to work without battery, without maintenance and without cloud. It can be reset for second-hand market. The NFC device provides energy necessary for operation of contactless device and retrieves segments of key that it contains. The software that runs on NFC device manages segmented key authentication process. This configuration allows avoiding problems related to wear or loss of contactless device, as well as risks related to connection to cloud or wireless network.

The invention of segmented key authentication therefore presents several advantages over prior art, especially in terms of security, flexibility and ecology. These advantages have justified granting US patent US20210136579 B2 and derived patents in other countries.

To illustrate these advantages, one can compare invention of segmented key authentication with other similar inventions in field of computer security.

For example, US patent US8112066 B2 describes system for providing encrypted authentication datum from first device to second device. This system uses NFC device for transmitting encrypted authentication datum from first device to second device. However, this system does not segment encrypted authentication datum into several segments stored on different supports. Thus, if first device is stolen or hacked, encrypted authentication datum can be compromised.

For example, US patent US9942750B2 describes system for performing security operations on wireless devices based on proximity with another device. This system uses NFC device for establishing secure communication between two devices and for performing operations such as locking or unlocking first device. However, this system does not control access to data according to context, location. Thus, if two devices are close each other but in insecure environment, security operations may be ineffective or undesirable.

For example, CN patent CN110838917B describes system for authenticating user from QR code generated by server and displayed on screen. This system uses smartphone for scanning QR code and sending request to server for verifying user’s identity. However, this system uses connection to cloud or wireless network for communicating with server. Thus, if connection is interrupted or compromised, system may not work properly or be vulnerable attacks.

One can see that invention of segmented key authentication brings innovative and efficient solutions problems encountered by other inventions in field computer security.

A implementation of segmented key authentication based on trust criteria

Segmented key authentication can be implemented using trust criteria as segments encryption key. These trust criteria are data that characterize context location access sensitive data They can be stored on NFC device or external supports

For example one can use following trust criteria:

  • Geolocation: this GPS coordinates NFC device main token One can define geographical area 50 cm 1110 km² which segment available
  • BSSID: this identifier wireless network which NFC device main token connected One can define one more wireless networks authorized access segment
  • Phone ID: this identification number mobile phone serves NFC device One can define one more mobile phones authorized access segment
  • Password: this secret code user must enter access segment Password can be stored external support such smart card USB
  • Barcode QR code: this graphic symbol contains coded information User must scan barcode QR code with camera phone access segment Barcode QR code can be printed external support such paper sticker

    User can freely choose trust criteria he wants use constitute encryption key He can combine up nine trust criteria which can be cumulative horizontally or vertically

    For example he can choose use:

    • Part or whole segments first line (geolocation) and/or second line (BSSID) and all lines 3 4 5 (phone ID password barcode QR code) In this case segments are cumulative horizontally
    • Part or whole segments first column (geolocation) and/or second column (BSSID) and all columns 3 4 5 (phone ID password barcode QR code) In this case segments are cumulative vertically

    In both cases it necessary gather all chosen segments reconstitute encryption key access sensitive data If segment missing decryption not possible

    According another implementation trust criteria are integrated encryption secret non modifiable Secret can be shared with other people who must respect same trust criteria access it

    This implementation allows using segmented key authentication effective customizable way secure sensitive data according context location

Recovery Phrase Backup: How to Secure It

Recovery phrase backup how to secure it article by Jacques Gascuel from Freemindtronic Andorra

Recovery Phrase Backup by Jacques Gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.

Recovery Phrase Backup: a beginner’s guide

If you own a crypto wallet, you probably have heard of a recovery phrase backup. This is a series of words that allows you to access your crypto funds in case you lose or damage your wallet. It is one of the most important things you need to know and protect when dealing with cryptocurrencies. What is a seed phrase and how does it work? How to create and store it securely? What are the risks and challenges? And what are the best practices and tools to safeguard it?

Articles Crypto Currency Digital Security EviSeed EviVault Technology News

Enhancing Crypto Wallet Security: How EviSeed and EviVault Could Have Prevented the $41M Crypto Heist

Articles EviVault Technology News Uncategorized

Why choose a Cold Wallet NFC HSM to secure your cryptocurrencies?

Articles Digital Security EviVault Technology NFC HSM technology Technical News

EviVault NFC HSM vs Flipper Zero: The duel of an NFC HSM and a Pentester

Articles EviVault Technology Phishing

Cryptbot malware steals data cryptocurrencies

This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.

How to make a physical backup of your secret phrase

The Mnemonic Phrase is the ultimate key to access your crypto assets. If you lose it or share it, you risk losing control of your funds. That’s why it’s essential to physically backup your seed phrase and store it in a safe and secret place. Here’s how to do it.

Recovery Phrase Backup vs Private Key

Before explaining what to do if you lose your seed phrase, let’s understand the difference between a seed phrase and a private key.

A private key is a secret code that allows you to control your crypto-assets on the blockchain. It is generated from your seed phrase, which is a list of words that stores all the information needed to recover cryptographic funds on the blockchain. It consists of 12 to 24 randomly generated words that allow you to access or restore your wallet on another device. You must keep it in a safe place and never share it with anyone.

What to do if you lose your Recovery Phrase? The solutions to recover your crypto-assets safely.

If you lose your seed phrase, you risk losing permanent access to your crypto-assets. It is used to create your private keys. You don’t need it to access your cryptocurrencies on a daily basis, but it is mainly a backup method. You can restore your crypto-assets in case of a problem with your device or wallet. However, if you lose your hardware wallets (cold wallets) and access to your online wallets (hot wallets), you will not be able to recover your cryptocurrencies without your seed phrase.In case you have correctly noted down your seed phrase, there are some possible recovery solutions:

• If you can still log in to your wallet with your password, you can find or export your seed phrase via the wallet.

• If you have lost your wallet but have your seed phrase, you can restore your wallet on a new hardware or software wallet. Enter the 12 to 24 words at startup.

• If you have forgotten or lost your seed phrase and have no other way to access your wallet, there are specialized services that can try to find it. They use a part of the words or other clues, but they are expensive and not always reliable.

Can you avoid using a Recovery Phrase?

You may wonder if there is a way to avoid using a seed phrase to secure your crypto-assets. The answer is no. The mnemonic Phrase is the only way to guarantee that you can always access your funds. Even if you lose or damage your device or wallet. Without a seed phrase, you depend entirely on the service or provider that you use to store your cryptocurrencies. If the service is hacked, closed or inaccessible for any reason, you also risk losing your assets. The seed phrase is an essential element to protect your financial independence and digital sovereignty.

Introduction: What is a recovery phrase and why is it important?

If you are new to the world of cryptocurrencies, you may have heard of the term “seed phrase” or “mnemonic phrase” or “backup phrase” or “seed recovery phrase” or “recovery phrase”. This is a set of words that allows you to access your crypto wallet and funds. It is one of the most important things you need to know and protect when dealing with cryptocurrencies.

How does a recovery phrase work and what are its formats?

But what exactly is a seed recovery phrasehrase and how does it work? How can you create and store it securely? What are the risks and challenges involved? And what are the best practices and tools to help you safeguard your recovery phrase backup?

This article answers these questions and more. It explains what a seed recovery phrase is, why it is important, how it works, and how to backup and restore it. It also discusses the methods and materials to create and store physical backups (e.g. paper, metal, plastic, wood, or NFC devices). It also explores the pros and cons of each option, and some tips and tricks to make your backup easier and safer.

How to create a recovery phrase?

When you create a crypto wallet, a seed phrase is automatically generated for you. You do not need to choose or invent the words yourself. You just need to write them down and store them safely.

To create a recovery phrase backup, you can use any crypto wallet that supports the BIP39 standard, such as BitPay, Coinbase Wallet, Ledger, Trezor, or Trust Wallet. These wallets will generate a random sequence of 12 or 24 words for you, depending on the level of security you want.

You can also use an online tool like https://iancoleman.io/bip39/ to generate a seed phrase manually. However, this method is not recommended as it exposes your seed phrase to potential hackers or malware. You should only use this tool offline and on a trusted device.

What does a recovery phrase look like?

A recovery phrase backup looks like a list of simple words, such as:

  • army
  • energy
  • fabric
  • lucky
  • opera
  • stereo
  • trash
  • void

These are eight words out of the 2,048 possible words in the BIP39 standard. You can find the complete list of words here: https://www.bitcoinsafety.com/blogs/bitcoin/seed-phrase-list2.

The order of the words matters, as it determines the private keys that are derived from the seed phrase. You should never change or shuffle the words in your seed phrase.

The number of words in your seed phrase also matters, as it determines the level of security and entropy of your wallet. A 12-word seed phrase offers 128 bits of security, while a 24-word seed phrase offers 256 bits of security. The more words, the more secure.

What is the most common term for a recovery phrase?

A recovery phrase can also be called by different names, such as:

  • recovery phrase
  • mnemonic phrase
  • backup phrase
  • seed recovery phrase

These terms are interchangeable and mean the same thing. However, according to web search results, the most common term used for a seed phrase in the world is Recovery Phrase. This term emphasizes the fact that you can use your seed phrase to recover your wallet and your funds in case of loss or damage.

How to physically save your mnemonic Phrase

The Mnemonic Phrase is the ultimate key to accessing your crypto assets. If you lose it or share it, you risk losing control of your funds. That’s why it’s essential to physically back up your seed phrase and store it somewhere safe and secret. Here’s how

The role and mechanism of a secret phrase

Your cryptocurrency wallet generates a set of 12 or 24 words, also known as a seed phrase, using a cryptographic algorithm. A seed phrase is a series of words generated by your crypto wallet that gives you access to the crypto associated with that wallet. For example, if you use the BitPay wallet, you will receive a 12-word seed phrase when you create your wallet. These words are drawn from a list of 2,048 English words called the BIP39 standard1, which offers 128-bit encryption.The seed phrase can derive all the private keys that are associated with your crypto addresses and acts as a master key. You can send or spend your crypto from your wallet with a secret code called a private key.

A standard format such as BIP39 or SLIP39, which uses a predefined list of words that are easy to spell and recognize, forms the basis of the seed phrase. The words have a unique and random order and combination, and they represent a very large number that is virtually impossible to guess or crack. The seed phrase can have different representations, such as QR codes or NFC tags, but it usually appears in a human-readable form, such as “army energy fabric lucky opera stereo trash void”.

This phrase is the ultimate backup for your crypto wallet. If you have your seed phrase, you can restore your wallet and access your funds on any compatible device or platform. You can also migrate your wallet from one service or device to another, or create multiple copies of your wallet for redundancy or convenience with your seed phrase.

However, the seed phrase also comes with great responsibility. Only you know your seed phrase and can access your funds with it. If you forget lose or share your seed phrase with someone else you will lose control over your crypto assets and no one can help you recover them. That’s why backing up your seed phrase physically and storing it safely is necessary.

How to test your recovery phrase backup

After you physically backup your seed phrase, you should test it to make sure it works and you can restore your wallet with it. To test your recovery phrase backup, you can use a different device or platform than the one you used to create your wallet. For example, if you created your wallet with a hardware wallet, you can test your Mnemonic phrase with a software wallet or another hardware wallet. You should also test your backup phrase periodically, especially if you use a paper or metal backup that can degrade over time.

To test your recovery phrase backup, follow these steps:

  1. Install or launch a compatible wallet on a different device or platform than the one you used to create your wallet.
  2. Choose the option to restore or import a wallet from a seed phrase.
  3. Enter your seed phrase exactly as you wrote it down, including the order and spelling of the words.
  4. Verify that the wallet shows the same balance and addresses as your original wallet.
  5. If everything matches, your recovery phrase backup works and you can safely delete or close the test wallet.
  6. If something doesn’t match, check for errors in your recovery phrase backup and try again.

Why you need a physical backup of your seed phrase

A digital backup has several disadvantages compared to a physical backup of your seed phrase. An electronic device such as a computer, smartphone or USB drive stores a copy of your seed phrase as a digital backup. A digital backup can be convenient and easy to access, but it also comes with some risks.

Hackers, malware or phishing attacks can access your device and steal your seed phrase by compromising your digital backup. Fire, water, power surge or hardware failure can also render your device unusable by losing or damaging your digital backup. Authorities or third parties can also access your device and demand your seed phrase by confiscating or seizing your digital backup.

Being offline and disconnected from any network or device helps a physical backup avoid these risks. Hacking, destroying or confiscating a physical backup is harder than a digital backup. You have more control and ownership over your seed phrase with a physical backup than with a digital backup.

However, you need to be aware of some drawbacks that a physical backup also has. If you don’t store it in a safe and secret place, you can lose, steal or forget your physical backup. If you don’t use a durable material or protect it from environmental factors, fire, water, corrosion or wear and tear can also damage your physical backup. If you don’t write it down clearly or use a standard format, your physical backup can also be illegible or unreadable.

Following some best practices and using some tools is necessary when creating and storing your physical backup.

How to Divide Your recovery phrase backup for Enhanced Security

To protect your crypto assets, safeguard your recovery phrase backup. Secure it by splitting and storing it in different locations. This lowers the risk of losing or exposing the backup and boosts the recovery chances in emergencies. However, splitting the backup also has risks and challenges, like choosing the number, distribution and combination of parts.

You can split the backup using different methods, like paper or metal cards, QR codes, or NFC modules (e.g. EviSeed technology). You can also use cryptographic techniques like SSSS, a mathematical algorithm that divides the backup into shares that can be combined with a threshold number. For instance, you can split your backup phrase into 5 shares and require 3 shares to reconstruct it.

Using SSSS adds security and flexibility to your backup, as you do not need all the shares to recover it. You can also create share combinations for different scenarios or purposes (e.g. for yourself, your family or your lawyer). EviSeed technology also achieves this by sharing trust criteria among people in segments.

However, SSSS also has drawbacks, like more complexity and errors in your backup process. You need to use a compatible wallet that supports SSSS, such as Spectre or Unchained Capital. You should also regularly test your actions and ensure that you remember the threshold number and the location of the shares. By following these best practices, you can divide your recovery phrase backup for enhanced security and peace of mind.

How to cipher your secret phrase

To physically secure it and protect your privacy, encrypt your backup with a code or cipher. However, encryption also has risks and challenges, like choosing a secure and memorable code or cipher, following the method correctly, and avoiding errors.

You can encrypt your backup using various methods, like numbers, symbols, colors, or images. Cryptographic techniques such as BIP38 or BIP39 secret phrase encryption also work. They encrypt your private keys or seed phrase with a password. For example, BIP38 encrypts your private keys with a password and stores them on a paper wallet. Or BIP39 secret phrase encryption adds a password to your seed phrase and generates a different wallet.

Encryption adds privacy and security to your backup, as you need the encrypted seed phrase and password to access your funds. You can also create passwords for different scenarios or purposes (e.g. for yourself, your family or your lawyer). Freemindtronic’s EviSeed technology makes this possible.

However, encryption also has drawbacks, like more complexity and errors in your backup process. You also need a compatible wallet that supports encryption and regular tests of your encrypted backup, as well as the password and method. Freemindtronic’s EviSeed technology avoids these inconveniences by using NFC devices that natively feature two AES-256 encryption systems with keys over 256 bits and manage RSA-4096 keys.

How to Choose a Secure Wallet for Your Seed Phrase

Choose a secure wallet that generates and manages your starting phrase to physically safeguard it. A wallet is software or hardware that lets you create, store, and use your addresses and keys. You can choose from many types of wallets, such as online, mobile, desktop, or hardware wallets and hot wallets. Each wallet type has its pros and cons for security, convenience, and functionality.

A hardware wallet is the most secure type. It is a device that stores your keys offline and protects them from threats. It physical device also have features like PIN codes, secret phrases, recovery phrases, and some add trust criteria through segmented key systems for more security.

However, virtual and hardware wallets are not perfect and can have problems. That is why backing up your starting phrase physically and storing it safely is important. You should also pick a reputable and compatible hardware wallet that supports standard formats like BIP39 or SLIP39.Storage devices like the NFC module with Freemindtronic’s EviSeed technology also do this. They are secure for several reasons. Mainly, they are offline. They encrypt seed phrases end-to-end from the module by AES 256 contactless and post-quantum. They also allow adding trust criteria for each backup starting phrase and individual security measures. They also have a user-defined multi-factor authentication system to access the module.

In conclusion, pick a secure wallet to store your backups and protect your starting phrase.

How to Choose the Best Material for Your recovery phrase backup

You can use various materials to back up your seed phrase. Paper, metal, plastic, and wood are common. Now, hardened and waterproof NFC devices also exist. Each material has its pros and cons for cost, availability, quality, and security. Paper is cheap and easy to use, but easily damaged. Metal is strong and durable, but expensive and hard to write on. Plastic is lightweight and waterproof, but degrades over time. Wood is natural and biodegradable, but rots or burns.

However, hardened NFC devices (e.g. Freemindtronic’s IP89K NFC modules) are great. These devices resist many environmental factors and are durable. They don’t need a battery and preserve data for 40 years. The modules have EviSeed technology that controls errors through checksums when writing, reading, sharing or using. They are also affordable, available and secure (hardware and digital).

You can encrypt your backups in AES-256 by cloning or copying them between NFC modules (nearby or remotely via RSA-4096 encryption from the module) if you use NFC modules. You can also back up your seed phrases through RSA-4096 from the device in the cloud (via email USB key or other digital media) or on paper (by printing the encrypted QR Code in RSA-4096). The Freemindtronic Android NFC phone app scans the encrypted QR Code backup seed phrase easily.

An encrypted QR Code backup seed phrase is advantageous as it protects from prying eyes and brute force decryption. Your preferences budget and storage conditions determine the best material for your backup. You should also consider using multiple materials for redundancy and diversity. For example, you can use paper for a quick and easy backup, metal or NFC modules for secure and long-term backup, and plastic, wood, or NFC Tag for a backup that you can hide or disguise as an RFID door opening tag.

The best technique to backup the recovery phrase

Secret phrases, also known as recovery phrases or seed phrases, are key elements to use a physical wallet for cryptocurrencies. They consist of a set of 24 words randomly chosen, which serve as a backup for all the crypto-assets managed by the wallet. In case of loss or theft of the wallet, it is possible to restore access to the private keys by using the secret phrase.

There are different techniques to backup your secret phrase and protect it from risks related to loss, theft or deterioration. Here is an overview of the main options available:

Write down the secret phrase on a sheet of paper

This technique consists of writing the words of the secret phrase on a sheet of paper and keeping it in a safe place. You need to make sure that the phrase is correctly spelled, numbered and readable. You also need to avoid making a digital copy of the phrase, sharing it with anyone or entering it into a computer or smartphone.

Advantages and disadvantages

  • Advantages: this technique is simple, free and does not require any specific equipment. It allows you to keep full control over your secret phrase and your crypto-assets.
  • Disadvantages: this technique is vulnerable to physical hazards (fire, water, wear, etc.) and human errors (loss, theft, bad writing, etc.). It does not allow you to easily verify if the secret phrase is correct or compatible with the wallet.

Risks related to cyber security and cyber espionage

  • Risks related to cyber security: this technique does not involve exposure to networks or computer systems, so the risk of cyber security is low.
  • Risks related to cyber espionage: this technique involves physical exposure to malicious or indiscreet third parties, so the risk of cyber espionage is high.

The legal aspect and protection of sensitive data

  • Legal aspect: this technique does not pose any particular legal problem, unless the possession or use of crypto-assets is prohibited or regulated in the country concerned.
  • Protection of sensitive data: this technique does not guarantee optimal protection of sensitive data, as the secret phrase can be seen, copied or stolen by unauthorized third parties.
Another aspect that you need to consider when backing up your secret phrase is the legal aspect and protection of sensitive data. Depending on where you live and where you store your secret phrase, you may be subject to different laws and regulations regarding data privacy and security.

Data privacy refers to the right of individuals to control how their personal information is collected, used and shared by others. Data security refers to the technical measures taken to protect data from unauthorized access or disclosure.

Some examples of laws and regulations that may affect how you backup your secret phrase are:

  • GDPR (General Data Protection Regulation): A European Union law that aims to protect the personal data of EU citizens and residents by imposing strict rules on how data controllers and processors handle their data.
  • CCPA (California Consumer Privacy Act): A California state law that gives California consumers more control over their personal information by granting them rights such as access, deletion and opt-out.
  • HIPAA (Health Insurance Portability and Accountability Act): A US federal law that protects the privacy and security of health information by setting standards for how health care providers and other entities handle their data.

To comply with these laws and regulations, you need to be aware of:

  • The type of data that you backup: Is it personal data (such as name, email address or phone number) or sensitive data (such as health records, biometric data or financial information)?
  • The location where you backup your data: Is it within your country or jurisdiction, or is it in another country or region that may have different laws or standards?
  • The purpose for which you backup your data: Is it for personal use only, or is it for business or professional purposes?
  • The consent that you obtain from others: If you backup data that belongs to someone else (such as a client or a partner), do you have their permission and agreement on how you will use and protect their data?

To ensure that you respect the legal aspect and protection of sensitive data when backing up your secret phrase, you need to:

  • Choose a technique that suits your needs and preferences in terms of privacy and security.
  • Check the laws and regulations that apply to your situation and follow their requirements.
  • Inform yourself about the risks and responsibilities involved in backing up your secret phrase.
  • Respect the rights and interests of others whose data may be affected by your backup.

Use a metal device resistant to fire, water and corrosion

This technique consists of using a metal device resistant to fire, water and corrosion, such as a capsule or a plate, to engrave or insert the words of the secret phrase. This device can then be hidden or sealed in a safe place.

Advantages and disadvantages

  • Advantages: this technique offers better protection against natural elements, but it requires a higher financial investment and can attract the attention of malicious people.
  • Disadvantages: this technique requires a higher financial investment and can attract the attention of malicious people.

Risks related to cyber security and cyber espionage

  • Risks related to cyber security: this technique does not involve exposure to networks or computer systems, so the risk of cyber security is low.
  • Risks related to cyber espionage: this technique involves physical exposure to malicious or indiscreet third parties, so the risk of cyber espionage is high.

The legal aspect and protection of sensitive data

  • Legal aspect: this technique does not pose any particular legal problem, unless the possession or use of crypto-assets is prohibited or regulated in the country concerned.
  • Protection of sensitive data: this technique offers better protection of sensitive data than paper, as the metal device is more durable and less visible.
Another aspect that you need to consider when backing up your secret phrase is the legal aspect and protection of sensitive data. Depending on where you live and where you store your secret phrase, you may be subject to different laws and regulations regarding data privacy and security.

Data privacy refers to the right of individuals to control how their personal information is collected, used and shared by others. Data security refers to the technical measures taken to protect data from unauthorized access or disclosure.

Some examples of laws and regulations that may affect how you backup your secret phrase are:

  • GDPR (General Data Protection Regulation): A European Union law that aims to protect the personal data of EU citizens and residents by imposing strict rules on how data controllers and processors handle their data.
  • CCPA (California Consumer Privacy Act): A California state law that gives California consumers more control over their personal information by granting them rights such as access, deletion and opt-out.
  • HIPAA (Health Insurance Portability and Accountability Act): A US federal law that protects the privacy and security of health information by setting standards for how health care providers and other entities handle their data.

To comply with these laws and regulations, you need to be aware of:

  • The type of data that you backup: Is it personal data (such as name, email address or phone number) or sensitive data (such as health records, biometric data or financial information)?
  • The location where you backup your data: Is it within your country or jurisdiction, or is it in another country or region that may have different laws or standards?
  • The purpose for which you backup your data: Is it for personal use only, or is it for business or professional purposes?
  • The consent that you obtain from others: If you backup data that belongs to someone else (such as a client or a partner), do you have their permission and agreement on how you will use and protect their data?

To ensure that you respect the legal aspect and protection of sensitive data when backing up your secret phrase, you need to:

  • Choose a technique that suits your needs and preferences in terms of privacy and security.
  • Check the laws and regulations that apply to your situation and follow their requirements.
  • Inform yourself about the risks and responsibilities involved in backing up your secret phrase.
  • Respect the rights and interests of others whose data may be affected by your backup.

Use an online service to backup your seed phrase

One of the techniques to backup your seed phrase is to use an online service that connects it to your verified identity. This way, you can recover your keys with your ID and a selfie, and still keep control of your money. In this article, we will explore the advantages and disadvantages of this technique, as well as the risks and legal aspects involved.

Advantages and disadvantages of online seed phrase backup

  • Advantages: online seed phrase backup is easy and convenient. You don’t need to worry about storing or protecting a physical device or a paper backup. You can access your backup from anywhere with an internet connection and a compatible device. You can also benefit from the encryption and security features of the online service provider.
  • Disadvantages: online seed phrase backup exposes your secret phrase to risks of hacking, censorship or confiscation by third parties who can access the servers or the identification process. You need to trust that the online service provider and its servers are reliable, honest and secure. You also need to trust that your identity information is safe and not misused. You may face legal or regulatory issues depending on where you live and where the servers are located. You may also have to pay fees or subscriptions for using the online service.

Risks related to cyber security and cyber spying in online seed phrase backup

  • Risks related to cyber security: online seed phrase backup makes you use networks and computers, so the risk of cyber attacks is high. You need to trust that the online service and its servers protect your secret phrase and data well. You may face hackers, malware, ransomware, denial-of-service attacks or other threats that could compromise your backup or access to it. You may also face human errors, technical glitches or natural disasters that could damage or destroy the servers or your device.
  • Risks related to cyber spying: online seed phrase backup makes you use networks and computers, so the risk of cyber spying is high. You need to trust that the online service and its servers keep your secret phrase and data private. You may face spies, snoops, trackers, advertisers or other parties that could monitor, collect, analyze or share your backup or activity data. You may also face government agencies, law enforcement or courts that could request, subpoena or seize your backup or data for legal or national security reasons.
  • Risks related to phishing: online seed phrase backup makes you face fake messages and tricks that may make you give up your secret phrase or other information. Phishing is when someone pretends to be someone else, such as the online service or your wallet, to trick you into giving them your data or money. For example, you may receive an email that looks like it comes from the online service provider, asking you to verify your account or update your payment details by clicking on a link that leads to a fake website.
  • Risks related to bitb: online seed phrase backup makes you face bad browser add-ons that may change or see your web activity and take your secret phrase or other data. Bitb is when someone adds malicious code to a browser extension that can spy on or modify what you do online. For example, you may install an extension that claims to enhance your browsing experience, but actually records your keystrokes, screenshots your screen or redirects you to malicious websites.
  • Risks related to typosquatting: online seed phrase backup makes you face bad websites that look like the online service or your wallet, but have different spellings. Typosquatting is when someone registers a domain name that is similar to a legitimate one, but with a typo, to trick you into visiting their fake website. For example, you may type in www.onlineservice.com but end up on www.onlineservlce.com (with an L instead of an I), which looks identical but steals your login credentials or infects your device with malware.

The legal aspect and protection of sensitive data in online seed phrase backup

Online seed phrase backup may cause legal problems depending on the rules of the online service and its servers. You also need to think about the data privacy and security laws that affect you and follow them. Data privacy means the right of people to choose how their information is collected, used and shared by others. Data security means the ways to protect data from being seen or used by others who should not.

Some examples of laws and rules that may change how you backup your secret phrase are:

  • GDPR (General Data Protection Regulation): A European Union law that protects the information of EU people by making strict rules on how data controllers and processors handle their data.
  • CCPA (California Consumer Privacy Act): A California state law that gives California people more power over their information by giving them rights such as access, deletion and opt-out.
  • HIPAA (Health Insurance Portability and Accountability Act): A US federal law that protects the privacy and security of health information by making standards for how health care providers and other groups handle their data.

To follow these laws and rules, you need to know:

  • The kind of data that you backup: Is it personal data (such as name, email or phone) or sensitive data (such as health records, biometric data or money information)?
  • The place where you backup your data: Is it in your country or area, or is it in another country or area that may have different laws or standards?
  • The reason why you backup your data: Is it for yourself only, or is it for work or business purposes?
  • The permission that you get from others: If you backup data that belongs to someone else (such as a client or a partner), do you have their OK and agreement on how you will use and protect their data?

To make sure that you respect the legal aspect and protection of sensitive data when backing up your secret phrase, you need to:

  • Pick an online service that fits your needs and likes in terms of privacy and security.
  • Learn about the risks and duties involved in backing up your secret phrase.
  • Respect the rights and interests of others whose data may be affected by your backup.

Use a hybrid solution of cold wallet and online service

Another technique to backup your seed phrase is to use a hybrid solution of a cold wallet and an online service. A cold wallet is a device that stores your keys offline, such as a hardware wallet or a smart card. An online service is a platform that links your cold wallet to your verified identity and provides additional features, such as recovery, insurance or monitoring. This way, you can combine the security of a cold wallet with the convenience of an online service.

Advantages and disadvantages of hybrid seed phrase backup

  • Advantages: hybrid seed phrase backup is secure and flexible. You can store your keys on a cold wallet that is resistant to hacking, malware or network attacks. You can also access your backup from an online service that offers recovery options, identity verification or other benefits. You can choose the level of security and convenience that suits your needs and preferences.
  • Disadvantages: hybrid seed phrase backup is complex and costly. You need to buy and maintain a cold wallet device that is compatible with the online service. You also need to trust that the online service provider and its servers are reliable, honest and secure. You may face legal or regulatory issues depending on where you live and where the servers are located. You may also have to pay fees or subscriptions for using the online service or the cold wallet device. Some online services may also require you to renew your subscription annually or risk losing access to your backup. Some online services may also have access to your backup or keys, which could make them vulnerable to identity theft, fraud or coercion. Some online services may also split your backup into multiple servers or devices, which could increase the security but also the complexity of your backup.

Shamir’s Secret Sharing (SSS) method

Some online services use a technique called Shamir’s Secret Sharing (SSS) to split your seed phrase into multiple parts, called shares, that can be recombined to recover the original seed phrase. This technique allows you to distribute your backup across different locations, devices or people, and to set a threshold number of shares that are needed to restore your backup.

For example, you can split your seed phrase into 5 shares and store them on 5 different servers or devices. You can then set the threshold to 3, meaning that you need at least 3 out of 5 shares to recover your seed phrase. This way, you can protect your backup from being lost or stolen by one or two parties, but still be able to access it if you have 3 or more shares.

Some cold wallets use this technique to backup seed phrases in a secure way. They encrypt the parts of the seed phrase in a secure element in the device and send them to partners through a secure channel. When restoring, the parts are sent back by the partners and the seed phrase can be generated in the new device.

Advantages and disadvantages of SSS method
  • Advantages: SSS method is secure and resilient. You can increase the security of your backup by splitting it into multiple parts that are stored separately. You can also increase the resilience of your backup by setting a lower threshold that allows you to recover it even if some parts are lost or damaged.
  • Disadvantages: SSS method is complex and risky. You need to manage multiple parts of your backup and keep track of where they are stored and how they can be accessed. You also need to trust that the parties who hold the parts of your backup are reliable, honest and secure. You may face legal or regulatory issues depending on where the parts of your backup are located. You may also face technical or human errors that could compromise the integrity or availability of your backup.
Risks related to SSS method
  • Risks related to cyber security: SSS method makes you use networks and computers, so the risk of cyber attacks is moderate. You need to trust that the parties who hold the parts of your backup protect them well. You may face hackers, malware, ransomware, denial-of-service attacks or other threats that could compromise one or more parts of your backup or access to them. You may also face human errors, technical glitches or natural disasters that could damage or destroy one or more parts of your backup.
  • Risks related to cyber spying: SSS method makes you use networks and computers, so the risk of cyber spying is moderate. You need to trust that the parties who hold the parts of your backup keep them private. You may face spies, snoops, trackers, advertisers or other parties that could monitor, collect, analyze or share one or more parts of your backup or activity data. You may also face government agencies, law enforcement or courts that could request, subpoena or seize one or more parts of your backup for legal or national security reasons.
  • Risks related to collusion: SSS method makes you rely on multiple parties who hold the parts of your backup, so the risk of collusion is moderate. You need to trust that the parties who hold the parts of your backup do not cooperate with each other or with other parties to steal or misuse your backup. For example, if you split your seed phrase into 5 shares and set the threshold to 3, you need to trust that no 3 parties will collude to recover your seed phrase without your consent or knowledge.
  • Risks related to fragmentation: SSS method makes you split your seed phrase into multiple parts, so the risk of fragmentation is moderate. You need to ensure that the parts of your backup are compatible and consistent with each other and with the original seed phrase. You may face errors in splitting or recombining the parts of your backup that could result in an invalid or corrupted seed phrase. You may also face changes in formats or standards that could make some parts of your backup obsolete or incompatible.

The legal aspect and protection of sensitive data in hybrid seed phrase backup

Hybrid seed phrase backup may cause legal problems depending on the rules of the online service and its servers. You also need to think about the data privacy and security laws that affect you and follow them. Data privacy means the right of people to choose how their information is collected, used and shared by others. Data security means the ways to protect data from being seen or used by others who should not.

Some examples of laws and rules that may change how you backup your secret phrase are:

  • GDPR (General Data Protection Regulation): A European Union law that protects the information of EU people by making strict rules on how data controllers and processors handle their data.
  • CCPA (California Consumer Privacy Act): A California state law that gives California people more power over their information by giving them rights such as access, deletion and opt-out.
  • HIPAA (Health Insurance Portability and Accountability Act): A US federal law that protects the privacy and security of health information by making standards for how health care providers and other groups handle their data.

To follow these laws and rules, you need to know:

  • The kind of data that you backup: Is it personal data (such as name, email or phone) or sensitive data (such as health records, biometric data or money information)?
  • The place where you backup your data: Is it in your country or area, or is it in another country or area that may have different laws or standards?
  • The reason why you backup your data: Is it for yourself only, or is it for work or business purposes?
  • The permission that you get from others: If you backup data that belongs to someone else (such as a client or a partner), do you have their OK and agreement on how you will use and protect their data?

To make sure that you respect the legal aspect and protection of sensitive data when backing up your secret phrase, you need to:

  • Pick an online service that fits your needs and likes in terms of privacy and security.
  • Learn about the risks and duties involved in backing up your secret phrase.
  • Respect the rights and interests of others whose data may be affected by your backup.

Use a contactless technology

This technique consists of using a contactless technology that allows you to store your secret phrase in an electronic device, such as a card or a keychain, that works with NFC (Near Field Communication) technology. This device can be used with a compatible smartphone to backup and share your private keys, passwords or secret phrases.

Advantages and disadvantages

  • Advantages: this technique offers ease of transport and resistance to shocks. It also allows you to verify and restore your secret phrase at any time with your smartphone.
  • Disadvantages: this technique requires a compatible smartphone and a dedicated app. It also exposes you to the risks of loss or theft of your device. This can be dangerous if the NFC Cold Wallet does not have a digital backup system encrypted that can allow restoration in another device and/or a cloning or copying system between NFC devices, such as the EviSeed technology.

Risks related to cybersecurity and cyberespionage

  • Risks related to cybersecurity: this technique is not connected to networks, computer systems or servers in principle and has no database with the same properties as an HSM, so the cybersecurity risk is almost nil. You must ensure that your device and your smartphone are protected by PIN codes or passwords or a multi-authentication system, and that you use a reliable and secure app of origin.
  • Risks related to cyberespionage: in principle, a cold wallet is not connected and cannot be exposed to espionage on networks and computer systems. However, the attack by listening to the NFC signal is possible if the device is not equipped with a security and encryption system. The risk of remote espionage is therefore almost nil. As for proximity cyberespionage, whether invasive or non-invasive, the risk is nil to moderate depending on the type of security and access control implemented. You should avoid sharing your secret phrase with unauthorized third parties or using it in public or insecure places. Some technologies such as EviSeed have an encrypted sharing system with trust criteria defined by the sender that the recipient cannot modify and must also have an NFC device to access the secret phrase.

The legal aspect and the protection of sensitive data

  • Legal aspect: this technique does not pose any particular legal problem, unless the possession or use of crypto assets is prohibited or regulated in the country concerned.
  • Protection of sensitive data: this technique depends on the encryption and security measures implemented by the electronic device and its NFC technology. You should inquire about the technical characteristics and guarantees offered by the manufacturer or supplier of the device.
Another aspect that you need to consider when backing up your secret phrase is the legal aspect and protection of sensitive data. Depending on where you live and where you store your secret phrase, you may be subject to different laws and regulations regarding data privacy and security.

Data privacy refers to the right of individuals to control how their personal information is collected, used and shared by others. Data security refers to the technical measures taken to protect data from unauthorized access or disclosure.

Some examples of laws and regulations that may affect how you backup your secret phrase are:

  • GDPR (General Data Protection Regulation): A European Union law that aims to protect the personal data of EU citizens and residents by imposing strict rules on how data controllers and processors handle their data.
  • CCPA (California Consumer Privacy Act): A California state law that gives California consumers more control over their personal information by granting them rights such as access, deletion and opt-out.
  • HIPAA (Health Insurance Portability and Accountability Act): A US federal law that protects the privacy and security of health information by setting standards for how health care providers and other entities handle their data.

To comply with these laws and regulations, you need to be aware of:

  • The type of data that you backup: Is it personal data (such as name, email address or phone number) or sensitive data (such as health records, biometric data or financial information)?
  • The location where you backup your data: Is it within your country or jurisdiction, or is it in another country or region that may have different laws or standards?
  • The purpose for which you backup your data: Is it for personal use only, or is it for business or professional purposes?
  • The consent that you obtain from others: If you backup data that belongs to someone else (such as a client or a partner), do you have their permission and agreement on how you will use and protect their data?

To ensure that you respect the legal aspect and protection of sensitive data when backing up your secret phrase, you need to:

  • Choose a technique that suits your needs and preferences in terms of privacy and security.
  • Check the laws and regulations that apply to your situation and follow their requirements.
  • Inform yourself about the risks and responsibilities involved in backing up your secret phrase.
  • Respect the rights and interests of others whose data may be affected by your backup.

Use a mnemonic method

This technique consists of using a mnemonic method that consists of associating each word of the secret phrase with a mental image or a story. This method allows you to memorize your secret phrase more easily without having to write it down or store it. It requires however a good memory and regular repetition to not forget your secret phrase.

Advantages and disadvantages

  • Advantages: this technique offers discretion and total independence, but it exposes the secret phrase to risks of amnesia, confusion or interference.
  • Disadvantages: this technique exposes the secret phrase to risks of amnesia, confusion or interference.

Risks related to cyber security and cyber espionage

  • Risks related to cyber security: this technique does not involve exposure to networks or computer systems, so the risk of cyber security is low.
  • Risks related to cyber espionage: this technique does not involve exposure to networks or computer systems, so the risk of cyber espionage is low.

The legal aspect and protection of sensitive data

  • Legal aspect: this technique does not pose any particular legal problem, unless the possession or use of crypto-assets is prohibited or regulated in the country concerned.
  • Protection of sensitive data: this technique offers optimal protection of sensitive data as long as you do not reveal your mnemonic method or your secret phrase.
Another aspect that you need to consider when backing up your secret phrase is the legal aspect and protection of sensitive data. Depending on where you live and where you store your secret phrase, you may be subject to different laws and regulations regarding data privacy and security.

Data privacy refers to the right of individuals to control how their personal information is collected, used and shared by others. Data security refers to the technical measures taken to protect data from unauthorized access or disclosure.

Some examples of laws and regulations that may affect how you backup your secret phrase are:

  • GDPR (General Data Protection Regulation): A European Union law that aims to protect the personal data of EU citizens and residents by imposing strict rules on how data controllers and processors handle their data.
  • CCPA (California Consumer Privacy Act): A California state law that gives California consumers more control over their personal information by granting them rights such as access, deletion and opt-out.
  • HIPAA (Health Insurance Portability and Accountability Act): A US federal law that protects the privacy and security of health information by setting standards for how health care providers and other entities handle their data.

To comply with these laws and regulations, you need to be aware of:

  • The type of data that you backup: Is it personal data (such as name, email address or phone number) or sensitive data (such as health records, biometric data or financial information)?
  • The location where you backup your data: Is it within your country or jurisdiction, or is it in another country or region that may have different laws or standards?
  • The purpose for which you backup your data: Is it for personal use only, or is it for business or professional purposes?
  • The consent that you obtain from others: If you backup data that belongs to someone else (such as a client or a partner), do you have their permission and agreement on how you will use and protect their data?

To ensure that you respect the legal aspect and protection of sensitive data when backing up your secret phrase, you need to:

  • Choose a technique that suits your needs and preferences in terms of privacy and security.
  • Check the laws and regulations that apply to your situation and follow their requirements.
  • Inform yourself about the risks and responsibilities involved in backing up your secret phrase.
  • Respect the rights and interests of others whose data may be affected by your backup.

How to update your backup phrase

Sometimes, you may need to update your Backup phrase if you change your wallet settings or switch to a different custody model. For example, if you add a passphrase to your singlesig wallet, you need to update your backup phrase with the new passphrase. Or if you migrate from singlesig to multisig, you need to create new recovery phrase backups for each of the multisig keys.

To update your recovery phrase backup, follow these steps:

  1. Make sure you have access to your current recovery phrase backup and any other information that may affect your wallet, such as a passphrase or a derivation path.
  2. Create a new physical backup of your updated seed phrase using the same methods and materials as before.
  3. Test your new recovery phrase backupusing a different device or platform than the one you used to create or update your wallet.
  4. If everything matches, your new recovery phrase backup works and you can safely destroy or erase your old recovery phrase backup.
  5. If something doesn’t match, check for errors in your new recovery phrase backup and try again.

Why and How to Share Your Recovery Phrase Backup with Trusted Parties.

In some cases, If you choose to share your backup seed phrase with trusted individuals, such as family, friends, or lawyers, to ensure your cryptographic assets remain accessible in emergencies, accidents, or death. However, sharing your backup seed phrase has risks and challenges, such as choosing trustworthy individuals, secure communication, and preventing conflicts or disputes.

If you want to share your approved seed phrase with others, follow these steps:

  1. Choose trusted individuals who have knowledge about cryptography to access your backup seed phrase. Explain to them the risks and responsibilities associated with accessing it, as well as what a seed phrase is and how it works.
  2. Select a secure communication method that protects your privacy and prevents unauthorized access or interception. You can use encrypted messaging apps, password-protected files, or face-to-face meetings. For an added layer of security, you can use Freemindtronic’s EviSeed technology. EviSeed allows you to share your encrypted seed phrases offline via the Near Field Communication (NFC) encrypted communication protocol between end-to-end encrypted NFC devices. You can also share your seed phrases via an RSA-4096 encrypted QR code, which can be generated from an NFC device and shared through any means of communication, including air gap (webcam, proximity, email, SMS, chat, face-to-face).
  3. Share your backup seed phrase with your chosen individuals using the secure communication method you have selected. Make sure to include any relevant information for accessing or managing your cryptographic assets, such as a secret phrase, derivation path, or instructions on how to use a specific wallet. You can use EviSeed’s patented technology to achieve higher security, such as segmented key authentication by adding trust criteria. For example, you can share one or more trust criteria to control the conditions of access to your AES-256 post-quantum encrypted seed phrases. You can share a password associated with a unique geographic zone, which must be used in a specific location to decrypt your seed phrase. Give this password to a trusted third party who does not know the geographic zone or who can only access it under extremely complicated conditions, such as at a notary, sealed by a bailiff, or in a bank vault.
  4. Once you have shared your backup seed phrase with your chosen individuals, ask them to confirm that they have received and understood it, as well as any other relevant information.
  5. Keep their contact information in a safe place in case you need to contact them in the future.
  6. With EviSeed technology, you have other options for sharing backup seed phrases. You can clone your NFC device with all of your trust criteria onto another Freemindtronic NFC device. Then, you can entrust it to a trusted third party or keep it in an easily remembered location. Choose an extremely rugged and waterproof IP89KNFC device to limit the risk of damage. Your recovery phrase backups are also protected against the risk of theft or loss since the device is physically locked with multi-factor physical and digital authentication. Additionally, if you have added trust criteria, even if the access controls are compromised, your recovery phrase backups will remain secure until all the trust criteria you have defined are validated. You can also share your individually encrypted and protected seed phrases by trust criteria, which you can also share in a segmented manner among various individuals, as explained above.
  7. Lastly, make sure to periodically review and update your list of trusted individuals, as well as your communication and security methods, to ensure the ongoing protection and accessibility of your cryptographic assets.

Header EviSeed has an asymmetric RSA 4096 key generator to share private keys cryptocurrency and public address passphrases mnemonic code bip39 by QR Encrypted code displayed on smartphone nfc android 1920px

Best practices for creating and storing your physical backup

Here are some best practices that you should follow when creating and storing your physical backup:

  • Write down or engrave your seed phrase on a durable material such as paper, metal or plastic. Avoid using materials that can fade, rust, melt or degrade over time.
  • Use a pen or a tool that produces clear and permanent marks on the material. Avoid using pencils, markers or stickers that can smudge, erase or peel off.
  • Use a standard format for writing down your seed phrase such as BIP39 or SLIP39. These formats use a predefined list of words that are easy to spell and recognize. Avoid using abbreviations, acronyms or symbols that can cause confusion or errors.
  • Make multiple copies of your physical backup and store them in different locations. This way, you can reduce the risk of losing all your backups in case of theft, loss or damage. You can also use different materials for each copy to increase the durability and diversity of your backups.
  • Store your physical backups in a safe and secret place that only you know and can access. You can use a safe, a lockbox, a hidden compartment or any other secure container that can protect your backups from unauthorized access or environmental factors.
  • Do not share your seed phrase with anyone or store it online. Your seed phrase is the key to your crypto wallet and funds. If you share it with anyone or store it online, you are exposing yourself to the risk of losing your funds to hackers, scammers or third parties.

Tools for creating and storing your physical backups

Some tools help you create and store your physical backups easily and securely. These tools let you write or engrave your seed phrase on durable materials and protect them from damage or tampering. Here are some examples:

  • CryptoSteel: This device engraves your seed phrase on stainless steel tiles that resist fire water and corrosion. The tiles assemble in a metal casing with a lock and a seal. CryptoSteel is compatible with BIP39 and SLIP39 formats and stores up to 24 words.
  • Billfodl: This device also engraves your seed phrase on stainless steel tiles that resist fire water and corrosion. The tiles arrange in a metal frame with a sliding cover and a seal. Billfodl is compatible with BIP39 format and stores up to 24 words.
  • Cobo Tablet: This device also engraves your seed phrase on stainless steel tiles that resist fire water and corrosion. The tiles insert in a metal plate with holes for each word position. Cobo Tablet is compatible with BIP39 format and stores up to 24 words.
  • Paper Wallet: This is the simplest way to create a physical backup. You just write your seed phrase on paper with a pen. You can also print your seed phrase if you prefer. However, paper wallets are not durable and can be damaged by fire water or wear and tear.
  • NFC Seed Backup: This device encrypts and saves your seed phrase on an NFC coin that resists fire water and corrosion. An app on your smartphone scans the NFC coin and views your seed phrase without leaving anything visible. NFC Seed Backup is compatible with BIP39 format and stores up to 24 words.
  • EviSeed: EviSeed is a technology developed by Freemindtronic that allows you to save and share sensitive data such as private keys recovery phrases or passwords It is integrated into physical device such as electronic cards which work with NFC (Near Field Communication) technology The EviSeed technology offers several advantages:
    • the EviSeed technology that uses two patented systems of multifactor authentication and advanced access control
    • It encrypts data with AES256 algorithm which ensures high level of security
    • It stores data in Eprom memory which ensures long term durability without battery
    • It allows data sharing via QR code NFC tag NFC reader/writer Bluetooth Wi-Fi SMS email etc
    • It supports multiple languages formats standards protocols etc
    • It protects data with patented physical blockchain technology which allows user-defined access control authentication encryption decryption etc EviSeed is compatible with BIP39 SLIP39 IOTA formats and can store up to 100 recovery phrases
    • It protects data with two international patents on access control and segmented key authentication
    • Keepser: Keepser is another product based on EviSeed technology created by Keepser Group It allows you to store up to 100 recovery phrases on an electronic card embedded in military grade resin It offers the same features as EviSeed plus some additional benefits:

In this article, we have explained what a recovery phrase is and how to secure it. A recovery phrase is a list of 12 or 24 words that can restore your crypto wallet and your private keys on any device. It is the ultimate key to access your crypto assets, so you need to keep it safe and secret.

We have given some tips on how to physically backup your recovery phrase and store it in a safe and secret place. Some of the methods are:

  • Writing it down on paper and keeping it in a fireproof and waterproof container.
  • Engraving it on durable metals like stainless steel or titanium and hiding it in a secure location.
  • Encrypting it with a strong password and storing it on an offline device or a cloud service that you trust.
  • Using a hardware wallet that is legitimate and trustworthy and keeping it away from physical damage or malware.
  • Using a decentralized digital vault that offers a high level of security and privacy and does not require you to trust a third party.

We have also introduced EviSeed, a technology by Freemindtronic that allows you to store and share your recovery phrase securely and contactlessly. EviSeed uses NFC technology to store your recovery phrase in a hardware device that can last for at least 40 years without battery or maintenance. EviSeed also uses its own patented segmented key technology to add criteria to the encryption keys of your recovery phrases. This means that all the segments must be reunited and validated to access your seed phrases. You do not need to take the risk of relying on presumed trustworthy guardians offline and/or online. You have total control of the segmentation from end to end from your NFC HSM device by Freemindtronic. EviSeed is compatible with all BIP39 recovery phrases. It offers several solutions for storing encrypted recovery phrases, including externalizing them from the NFC device. This allows you to recover your recovery phrase in case of loss or theft.

We hope that this article has helped you understand the importance of securing your recovery phrase and the different options available to do so. Remember, your recovery phrase is the key to your crypto wealth, so treat it with care and respect. Among the various solutions, we believe that EviSeed is the most innovative and reliable one. It combines the advantages of physical and digital backups, while adding an extra layer of security and convenience. With EviSeed, you can access your crypto funds with ease and confidence, without fear of losing or compromising your recovery phrase.

Pour en savoir plus sur les phrases de départ et leur fonctionnement, consultez cet article

BITB Attacks: How to Avoid Phishing by iFrame

BITB attacks Browser-In-The-Browser remove delete destroy by IRDR Ifram Redirect Detection Removal since EviCypher freeware web extension open-source from Freemindtronic in Andorra
BITB attacks by Jacques Gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.

Beware of BitB phishing attacks by iframe!

Phishing by iframe is a malicious technique that inserts a fake web page into a legitimate one, to trick users and steal their personal or financial information. This method often targets cryptocurrency holders, especially BitB users. Learn how to spot and avoid BitB phishing attacks by iframe with Freemindtronic.

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

BITB Attacks: How to Avoid Phishing by iFrame

We have all seen phishing attacks aren’t uncommon, and they demand urgent attention with fake emails and messages at least once.. However, there’s much more in the cybersecurity landscape than just conventional email practices when it comes to phishing. Enterprises that don’t take the necessary precautions can suffer a death blow from a phishing attack. The top line is affected, but the brand’s image and trust can be obliterated if news of a data breach reaches the public.

The latest form of phishing scam is the browser in the browser attack (BITB) that simulates a browser window within a web browser and steals sensitive user information. A fraudulent pop-up window caters to the user and asks for their credentials to sign into the website in the previous web browser window, leading to identity theft.

This article explains what BITB attacks are and how they work, what the risks and consequences of BITB attacks are, how to prevent and protect yourself from BITB attacks using EviBITB technology, and how to install EviBITB on your web browser.

What are BITB attacks and how do they work?

BITB stands for Browser-In-The-Browser. This phishing technique creates a fake browser window within your web browser using HTML and CSS code. An iFrame of redirection, which is an invisible element that loads content from another URL, is displayed by this fake window. The iFrame of redirection mimics the appearance and functionality of a legitimate site, such as Google, Facebook, or Outlook, and asks you to enter your authentication information.

This fake window shows a legitimate URL in the address bar, as well as the icon and the title of the original site. That is the problem. Most users rely on checking the URL to verify the authenticity of a site. This makes it very difficult to detect the phishing attempt. This attack can affect you even if you use a secure connection (https).

BITB attacks can bypass many security measures that are designed to prevent phishing. That is why they are very dangerous. For example:

  • BITB attacks do not involve malicious links or domains. Anti-phishing software may fail to detect them because of that.
  • BITB attacks do not intercept your verification codes or tokens. Two-factor authentication may not protect you from them because of that.
  • Password managers may autofill your credentials on the fake window. They may not protect you from BITB attacks because of that.

Therefore, BITB attacks can allow hackers to access your accounts, steal your data, or even take over your identity. They pose a serious threat to your online security and privacy because of that.

How do BITB attacks work?

Two features of modern web development enable BITB attacks: single sign-on (SSO) options and iFrames.

Many websites embed SSO options that allow you to sign in using an existing account from another service, such as Google, Facebook, Apple, or Microsoft. This option is convenient because you do not need to create a new account or remember a new password for each website you visit.

iFrames are elements that can load content from another URL within a web page. They are often used for embedding videos, maps, ads, or widgets on websites.

The attackers do the following steps:

  • They make a phishing website with SSO options.
  • On their phishing website, they embed an iFrame of redirection that leads to their own server with a fake SSO window.
  • Using HTML and CSS code, they design their fake SSO window to imitate a browser window inside the browser.
  • They make their fake SSO window appear when you click on an SSO option on their phishing website.
  • With JavaScript code, they show a legitimate URL in the address bar of their fake SSO window.
  • Using OAuth methods, they request you to enter your credentials on their fake SSO window.
  • To their server, they send your credentials and then redirect you to the real website.

As you can see, BITB attacks are very deceptive and convincing. They can fool even savvy users who check the URL before entering their credentials.

What are the risks and consequences of BITB attacks?

BITB attacks are a serious threat. They can compromise data and identity for users and businesses. Users who fall victim to BITB attacks face these risks and consequences:

  • Their SSO account can be hijacked and all linked services accessed by the attacker.
  • Their personal and financial information can be stolen and used for identity theft, fraud or blackmail.
  • Their devices can be infected by malware or ransomware and their files damaged or encrypted.
  • Their online reputation can be tarnished by spamming or posting malicious content.

Businesses that offer SSO options are also vulnerable to BITB attacks. They can lose trust and loyalty from their customers or employees. Businesses that suffer a data breach due to BITB attacks face these risks and consequences:

  • Their customer or employee data can be exposed, exploited or sold by the attacker or the dark web.
  • Their brand image and reputation can be damaged by negative publicity and customer complaints.
  • Their legal and regulatory compliance can be violated by data protection laws and regulations.
  • Their revenue and profitability can be reduced by customer churn, lawsuits and fines.

Recent Examples of BITB Attacks

BITB attacks are not new, but they have become more sophisticated and widespread in recent years. Here are some examples of BITB attacks that targeted governmental entities:

  • In February 2020, Zscaler revealed a campaign of phishing BitB targeting users of Steam, a video game digital distribution service. The hackers created fake Counter-Strike: Global Offensive (CS: GO) websites that offered free skins or weapons for the game. These websites displayed a fake pop-up window that asked users to sign in with Steam. If users entered their credentials, they were sent to the hackers who could then access their Steam accounts and steal their items.
  • In March 2020, Bitdefender reported a campaign of phishing BitB targeting users of Office 365, a cloud-based suite of productivity applications. The hackers sent emails that pretended to be from Microsoft and asked users to update their Office 365 settings. These emails contained a link that led users to a fake Office 365 website that displayed a fake pop-up window that asked users to sign in with Office 365. If users entered their credentials, they were sent to the hackers who could then access their Office 365 accounts and steal their data.
  • In September 2020, Proofpoint uncovered a campaign of phishing BitB targeting users of Okta, a cloud-based identity and access management service. The hackers sent emails that pretended to be from various organizations and asked users to verify their Okta account. These emails contained a link that led users to a fake Okta website that displayed a fake pop-up window that asked users to sign in with Okta. If users entered their credentials, they were sent to the hackers who could then access their Okta account and compromise their other connected applications.

These examples show that BITB attacks can target any SSO provider and any website or web application that uses SSO. They also show that hackers can use various methods to lure users into clicking on malicious links or entering their credentials on fake windows.

What are some statistics on BITB attacks?

BITB attacks use iFrames to deceive users with fake SSO windows. Here are some statistics on BITB attacks:

  • According to Statista, the number of unique phishing sites detected worldwide reached 2.11 million in the third quarter of 2020, an increase of 10% from the previous quarter.
  • According to The Hacker News, BITB attacks can exploit third-party SSO options embedded on websites such as “Sign in with Google” (or Facebook, Apple, or Microsoft) to create fake browser windows within the browser and spoof legitimate domains.
  • According to Zscaler, BITB attacks have been used in the wild at least once before, in February 2020, to target Steam users by means of fake Counter-Strike: Global Offensive (CS: GO) websites.
  • According to NetSPI, the volume of successful phishing attacks on organizations worldwide in 2021 was highest in Brazil (25%), followed by India (17%), and Mexico (14%).
  • According to DZone, the most targeted industry sectors by phishing attacks as of the third quarter of 2020 were SaaS/Webmail (33%), Financial Institutions (22%), and Payment Services (14%).

How to effectively fight against BITB attacks?

BITB attacks are very hard to detect, but not impossible. There are some signs that can help you spot them and some measures that can help you prevent them. Here are some tips:

  • Always check the URL of the site before entering your credentials. Make sure it matches the domain of the site or the SSO provider that you want to use. Do not rely on the URL displayed on the pop-up window, as it can be fake.
  • Always check the SSL certificate of the site before entering your credentials. Make sure it is valid and issued by a trusted authority. Do not rely on the padlock icon displayed on the pop-up window, as it can be fake.
  • Always use an updated antivirus software and browser extension that can detect and block malicious sites and scripts. They can help you avoid landing on phishing pages or loading fake windows.
  • Always use strong and unique passwords for each site or application that you use. Do not reuse the same password for different accounts, as it can increase the risk of compromise if one of them is breached.
  • Always use two-factor authentication (2FA) for your accounts, especially those that you use for SSO. 2FA adds an extra layer of security by requiring a second factor (such as a code sent to your phone or email) to verify your identity. Having your username and password is less useful for hackers if they need your device or access to your email account too.

How to prevent and protect yourself from BITB attacks using EviBITB technology?

The best way to prevent and protect yourself from BITB attacks is to use EviBITB technology, a technology that allows you to detect and remove redirection iframes from web pages. EviBITB is integrated for free in the free and paid extensions of Freemindtronic that are compatible with NFC HSM devices that use a smartphone or an NFC HSM device. The latter stores encrypted multiple authentication information (username, password, otp) for secure authentication for any website on the internet or intranet.

EviBITB technology also has a system of automatic backup of the URL of connection to the account using a web browser to connect to an online account on the internet or intranet. This extension is paired with the NFC android phone which is itself paired with an NFC HSM where encrypted detailed authentication information such as username, password, and secret keys OTP (TOP or HOTP) are stored. Thus, before authorizing auto-filling of connection fields or auto-connection to an online account, the phone will check beforehand if the connection URL is compliant (sandbox technique). This system adds to EviBITB protection.(click here to learn more about EviBITB)

By using EviBITB technology, you can enjoy many benefits:

  • You can avoid falling victim to BITB attacks that can steal your data or compromise your identity.
  • You can reduce the risk of keylogging or malware infections that can capture your keystrokes or spy on your online activity.
  • You can save time and hassle by using your smartphone or NFC HSM card as an authentication key instead of creating or remembering passwords for each website you visit.
  • You can enjoy a seamless and user-friendly experience by accessing websites with just a tap of your smartphone or NFC HSM card on your computer screen.
  • You can protect your privacy by controlling what data you share with each website you visit, such as your name, email, or profile picture.

By using EviBITB technology, you can be sure that the web page you see is the one you want to see, and that you do not give away your data to hackers.

How can EviBITB protect you from BITB attacks?

EviBITB is a technology that enhances your online security. It is implemented in the freemindtronic extensions that allow secure end-to-end autofill and auto-login from an NFC HSM. It also detects and removes phishing iFrames from your web browser.

EviBITB works with an application installed on an NFC Android phone that is paired with an NFC HSM. The application has a sandbox that checks if the origin URLs saved automatically during the first login are compliant. If they are, it transfers encrypted authentication information to the extension.

EviBITB also analyzes the web page source code and detects any possible BITB iFrames. It looks for hidden elements, suspicious URLs, or mismatched styles that indicate a fake browser window.

When EviBITB detects a BITB iFrame, it alerts you by showing a warning window on your computer screen. This window shows you the redirection iFrame URL and asks you to check if you trust this URL before entering any sensitive information.

How EviBITB technology can improve your browsing experience?

EviBITB technology is a security, performance and privacy enhancer. It removes redirection iframes and improves your browsing experience in several ways:

  • It speeds up web page loading, by avoiding requests to third-party sites.
  • It reduces bandwidth consumption, by saving data transferred to or from iframes.
  • It limits exposure to ads and pop-ups, by blocking their sources in iframes.
  • It prevents online activity tracking, by deleting cookies and data stored by iframes.
  • It enhances readability and usability of web pages, by removing distracting elements from iframes.
  • It increases compatibility and accessibility of web pages, by avoiding conflicts or errors caused by iframes.

With EviBITB technology, you can enjoy a faster, smoother and more private browsing experience, without compromising security or convenience.

How to use EviBITB to protect yourself from BITB attacks?

EviBITB is a technology that detects and removes malicious iFrames that expose you to BITB attacks. These attacks simulate a browser window in a web page to prompt you to enter credentials on a fraudulent site.

When EviBITB detects a suspicious iFrame, it shows a warning window that informs you of the risk. This window also gives you five buttons to act on the BITB iFrame:

  • Close Warning: this button closes the warning window without acting on the BITB iFrame. You can use it if you trust the iFrame URL or want to ignore it.
  • Never Show Warnings On This Site: this button adds the website URL to a list of trusted sites. EviBITB will not alert you of BITB iFrames on these sites. You can use it if you are sure the website is safe and has no malicious iFrames.
  • Destroy: this button deletes the BITB iFrame from the web page source code. You can use it if you do not trust the iFrame URL or want to remove it.
  • Clean Storage: this button clears the data stored by the BITB iFrame in the browser. You can use it if you have been exposed to phishing by iFrame and want to erase any traces.
  • Read More: this button redirects you to a page with more information about EviBITB and its benefits. You can use it if you want to learn more about how EviBITB works and protects you from hackers.

Why you should use EviBITB to secure your online access?

EviBITB is a technology that allows you to use your smartphone or your NFC HSM card as a secure authentication key for any website. With EviBITB, you enjoy many benefits:

  • You avoid BITB attacks that can steal your data or impersonate your identity.
  • These attacks simulate a browser window in a web page to prompt you to enter your credentials on a fraudulent site.
  • You reduce the risk of keylogging or malware infections that can capture your keystrokes or spy on your online activity.
  • You save time and hassle by using your smartphone or NFC HSM card as an authentication key instead of creating or remembering passwords for each website you visit.
  • You enjoy a seamless and user-friendly experience by accessing websites with just a tap of your smartphone or NFC HSM card on your computer screen.
  • You protect your privacy by controlling what data you share with each website you visit, such as your name, email, or profile picture.

By using EviBITB, you can be sure that the web page you see is the one you want to see, and that you do not give away your data to hackers.

How EviBITB can improve your browsing experience?

EviBITB is not only a security tool, but also a performance and privacy enhancer. By removing redirection iframes, EviBITB can improve your browsing experience in several ways:

  • It can speed up the loading of web pages, by avoiding unnecessary or malicious requests to third-party sites.
  • It can reduce the bandwidth consumption, by saving the data that would otherwise be transferred to or from the iframes.
  • It can limit the exposure to ads and pop-ups, by blocking the sources that display them in the iframes.
  • It can prevent the tracking of your online activity, by deleting the cookies and other data that the iframes may store in your browser.
  • It can enhance the readability and usability of web pages, by removing distracting or irrelevant elements from the iframes.
  • It can increase the compatibility and accessibility of web pages, by avoiding potential conflicts or errors caused by the iframes.

By using EviBITB, you can enjoy a faster, smoother and more private browsing experience, without compromising your security or convenience.

How to get started with EviBITB?

Getting started with EviBITB is easy and fast. You just need to follow these steps:

  • Download the EviBITB extension for your web browser based on Chromium or Firefox from Freemindtronic’s official website: https://freemindtronic.com/evibitb-stop-bitb-phishing-attacks/
  • Install the extension on your web browser and follow the instructions to set it up.
  • Get a smartphone or an NFC HSM card compatible with the extension. You can find more information about these devices on Freemindtronic’s website: https://freemindtronic.com/how-does-evibitb-work-detailed-guide/
  • Pair your smartphone or NFC HSM card with your computer using Bluetooth or NFC technology.
  • Start browsing the web securely with EviBITB. Whenever you visit a website that offers SSO options, you will see a green icon on the address bar indicating that EviBITB is active. You can then tap your smartphone or NFC HSM card on your computer screen to authenticate yourself and access the website.

What are some videos on BITB attacks and EviBITB?

If you want to learn more about BITB attacks and EviBITB technology, you can watch some videos on these topics:

  • A video demonstration of a BITB attack by mrd0x:

In conclusion

BITB attacks are a new and sophisticated form of phishing that can steal your credentials by simulating a browser window within your browser. They can bypass many security measures that are designed to prevent phishing and compromise your online security and privacy.

EviBITB is a free technology that detects and removes phishing iFrames from your web browser. It also offers other features to enhance your online security, such as authentication via NFC HSM devices that secure your credentials without typing them on your keyboard.

If you want to benefit from EviBITB technology, you just need to download the extension corresponding to your web browser on Freemindtronic’s official website:

You will also need a smartphone or an NFC HSM card compatible with the extension. You can find more information about these devices on Freemindtronic’s website.

https://freemindtronic.com/evibitb-stop-bitb-phishing-attacks/ :

Don’t wait any longer and try EviBITB now!

Hashtags: #EviBITB #Phishing #Cybersecurity #NFC #HSM

Snake Malware: The Russian Spy Tool

Snake malware: The Russian that steals sensitive information for 20 years

Snake malware by Jacques gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.  

Snake: The Russian malware that steals sensitive information for 20 years

Snake is a malware that allows Russian intelligence services to collect and transmit sensitive information from hundreds of infected computers across 50 countries. It is a very sophisticated espionage tool, designed and used by Center 16 of the Federal Security Service of the Russian Federation (FSB) for long-term operations on strategic targets.

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

An example of technical analysis of Snake malware

To illustrate how Snake malware works in detail, we will use an example of technical analysis conducted by FortiGuard Labs on a fresh variant of Snake keylogger malware. This variant was captured in November 2021 and was delivered as an Excel file with malicious macro code. The main payload of Snake keylogger malware was an executable file named “Requests07520000652.exe”, which the macro code downloaded and executed

Snake malware’s core component

Several embedded resources were contained in the main payload, which was a .NET assembly file. Reflection loaded another .NET assembly file named “Guna.UI2.dll” into memory, which was one of theml”, which was loaded into memory by reflection. This file contained the core functionality of Snake keylogger malware, such as stealing information, taking screenshots, capturing clipboard data, and communicating with a command and control (C2) server.

How Snake malware steals sensitive data

The information stealing module was responsible for collecting various types of sensitive information from the infected system, such as:

  • System information: computer name, user name, operating system version, processor architecture, etc.
  • Saved credentials: passwords stored in browsers (Chrome, Firefox, Edge), email clients (Outlook), FTP clients (FileZilla), etc.
  • Keystrokes: keyboard input from various applications (browsers, email clients, chat programs, etc.)
  • Screenshots: images of the desktop or active window at regular intervals
  • Clipboard data: text or images copied to the clipboard

Snake stored the collected information in a temporary folder with random names and encrypted it with AES.

How Snake malware communicates with its operators

After the previous subsection, you can add this subsection:

The communication module was responsible for sending the encrypted information to a C2 server and receiving commands from it. The C2 server used a domain name that was generated by an algorithm based on the current date. The communication protocol used HTTP POST requests with custom headers and parameters. Snake encoded the data with Base64 and encrypted it with AES.

Some of the commands that the C2 server could send to the malware were:

  • GetInfo: request system information from the malware
  • GetLogs: request keystroke logs from the malware
  • GetClipboard: request clipboard data from the malware
  • GetScreen: demander des captures d’écran du malware
  • Mise à jour : téléchargez et exécutez une version mise à jour du malware
  • Désinstaller: supprimer le malware du système

ViperSoftX How to avoid the malware that steals your passwords

ViperSoftX How to avoid the malware that steals your passwords

ViperSoftX malware by Jacques gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.  

ViperSoftX: The malware that steals your passwords and cryptocurrencies

Do you use password managers or cryptocurrency wallets to secure your online data? Beware, you could be the target of a malware named ViperSoftX, which infiltrates your computer and steals your sensitive information. Find out how it works, how to detect it and how to protect yourself from it in this article.

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

ViperSoftX: The Malware that Steals Your Cryptocurrencies and Passwords

ViperSoftX is a malware that steals sensitive information from infected computers, including data related to cryptocurrencies and passwords. It was first discovered in 2020 as a JavaScript-based remote access trojan and cryptocurrency hijacker. Since then, it has evolved to become more sophisticated and stealthy, using innovative arrival and execution techniques, enhanced encryption and a malicious extension for web browsers. In this article, we will examine the features, targets and consequences of ViperSoftX malware, as well as how to protect yourself from it.

Global impact of ViperSoftX malware

This is not a regional threat, but a global one. The malware is mostly spread via torrents and software-sharing sites, which attract users from all over the world. According to Avast, the most impacted countries by ViperSoftX in 2022 were India, USA, Italy, and BrazilHowever, Trend Micro reported that the malware also affected a significant number of victims in Australia, Japan, Taiwan, Malaysia and France in 2023. Both enterprises and consumers are at risk of losing their sensitive data and cryptocurrencies to this stealthy malware. Therefore, it is important to raise awareness about the dangers of ViperSoftX and how to prevent its infection.

How to avoid ViperSoftX, the malware that steals your sensitive data

This is malware is dangerous malware that targets Chrome and other browsers, and can steal your passwords from virtual password managers like 1Password or KeePass 2 and virtual cryptocurrency wallets. In this article, you will learn how it works and how to prevent it from infecting your device.

Features of ViperSoftX malware

ViperSoftX is a malware that stands out for its innovative arrival and execution techniques, enhanced encryption and malicious extension for web browsers. VipersoftX is a malware that steals information from infected computers.

What is ViperSoftX and how does it work?

ViperSoftX is a type of malware called infostealer, which means it is designed to steal the data from a device. It was first discovered in 2020 by Fortinet1, and has since evolved to become more sophisticated and stealthy.

ViperSoftX mainly targets the users of Chrome and other browsers, such as Firefox, Opera, Brave and Microsoft Edge. It installs a malicious extension called VenomSoftX on the browser, which can access and extract sensitive information such as browser login data, cryptocurrency wallets, stored credit card information, passwords and more2.

It is a JavaScript-based Remote Access Trojan (RAT) that allows attackers to remotely control the compromised machine and execute various malicious actions. VipersoftX uses advanced obfuscation techniques to hide itself and evade detection from security software, It uses 8 layers of code obfuscation before executing its actual payload. It uses 3 types of obfuscation techniques: AES decryption, character array conversion, and UTF-81 decoding,

It establishes its persistence by copying itself to %APPDATA% and creating a shortcut in the startup directory to invoke it. It uses seemingly legitimate names to disguise itself, such as v pn_port.dll, reg.converter.sys, install.sig, and install.db

The main features of the malware

These features make ViperSoftX malware a serious threat to the security of users and organizations that use cryptocurrencies or password managers.

  • Arrival technique by cracked software: The malware usually poses as a cracked software, an activator or a key generator, which hides the malicious code in the overlay. The malware uses non-malicious files as carriers of the malicious code, such as gup.exe from Notepad++, firefox.exe from Tor or ErrorReportClient.exe from Magix. These files are accompanied by a DLL file that serves as a decryptor and loader of the malicious code. This technique aims to deceive users who are looking for illegal versions of software and to avoid detection by security solutions.
  • Enhanced encryption by byte remapping: The malware uses a sophisticated encryption method that consists of remapping the bytes of the malicious code according to a specific byte map. Without the correct byte map, the encrypted malicious code, including all components and relevant data, cannot be correctly decrypted, making the decryption and analysis of the code longer and more difficult for analysts. The malware also changes its byte map every month, which makes it even harder to track the malicious code.
  • Monthly change of command and control server: The malware communicates with a command and control (C&C) server to send the stolen information and receive instructions. The C&C server also changes every month, according to a predictable algorithm based on the current date. The C&C server uses the HTTPS protocol to encrypt the communication with the malware.
  • Ability to steal data from various cryptocurrency wallets and web browsers: The malware mainly aims to steal data related to cryptocurrencies, such as private keys, passwords and addresses of wallets. The malware targets more than 20 different cryptocurrency wallets, such as Blockchain, Binance, Coinbase, MetaMask or Ledger Live. The malware also installs a malicious extension named VenomSoftX on Chrome, Brave, Edge, Opera and Firefox web browsers. This extension can intercept and modify cryptocurrency transactions made on web browsers. The malware can also steal other sensitive data stored on web browsers, such as cookies, history, bookmarks or autofill data.
  • Detection of two password managers, KeePass 2 and 1Password: The malware checks for files associated with two popular password managers, KeePass 2 and 1Password, on the infected computer. It also tries to steal data stored in the browser extensions of these password managers. It is not clear whether the malware exploits a known vulnerability of the password managers or whether it uses another method to access the saved passwords.

Consequences of information theft by ViperSoftX malware

ViperSoftX is a malware that can cause serious damage to the users and organizations whose data it steals. The consequences of information theft by ViperSoftX malware can include:

  • Loss of money: The malware can steal data related to cryptocurrencies, such as private keys, passwords and addresses of wallets. This can result in the loss of funds stored in these wallets, or the redirection of transactions to the attacker’s accounts. The malware can also steal data related to online banking, credit cards or other payment methods, which can enable the attacker to make fraudulent purchases or transfers using the victim’s identity.
  • Loss of identity or confidentiality: The malware can steal data related to personal or professional identity, such as passport numbers, driver’s license numbers, social security numbers, medical records, online subscriptions, etc. This can result in identity theft, where the attacker can use the victim’s identity to access secure accounts, set up credit cards, apply for loans, or commit other crimes. The malware can also steal data related to confidential or proprietary information, such as software code, algorithms, processes or technologies. This can result in the loss of intellectual property, competitive advantage or trade secrets.
  • Risks for the consumer and enterprise sectors: The malware targets both individual users and organizations that use cryptocurrencies or password managers. For individual users, the malware can compromise their privacy and security, as well as expose them to financial losses or legal liabilities. For organizations, the malware can compromise their reputation and customer trust, as well as expose them to lawsuits, ransomware demands, recovery costs, regulatory fines or penalties

Victims of the ViperSoftX malware and statistics

The ViperSoftX malware has made many victims around the world, especially in France. Some users have lost large amounts of cryptocurrencies due to the theft of their wallet addresses. Others have seen their online accounts hacked due to the theft of their passwords. Here are some testimonies collected from forums or social networks:

  • “I was infected by ViperSoftX two weeks ago. I only realized it when I wanted to make a transfer of bitcoins to another wallet. The address I had copied had been replaced by another one in the clipboard. I lost 0.5 bitcoin, which is about 20,000 euros.”
  • “I got caught by ViperSoftX by downloading a cracked software from a torrent site. The malware installed a malicious extension on my Firefox browser and stole my passwords stored in KeePass. I had to change all my passwords and disinfect my computer with an antivirus.”
  • “ViperSoftX caused me a lot of problems. The malware accessed my personal and professional data by going through the extension of 1Password on Chrome. It used my Gmail account to send spam to my contacts and my PayPal account to make fraudulent purchases.”

According to TrendMicro, the ViperSoftX malware has infected more than 10,000 computers worldwide since its appearance in 2020. The number of victims could be even higher, as the malware is difficult to detect by antivirus.

How does ViperSoftX spread?

The malware also checks if the device has virtual password managers installed, such as 1Password or KeePass 2. These are applications that help users store and manage their passwords securely. ViperSoftX exploits a vulnerability called CVE-2023-24055 to access the data stored by these password managers through their browser extensions3.

ViperSoftX also steals users’ cryptocurrency by attacking wallets and exchanges. It targets the following wallets in particular: Armory, Atomic Wallet, Binance, Bitcoin, Blockstream Green, Coinomi, Delta, Electrum, Exodus, Guarda, Jaxx Liberty, Ledger Live, Trezor Bridge, Coin98, Coinbase and MetaMask.

The stolen data is then sent to a command-and-control (C2) server controlled by the attackers, who can use it for financial gain or sell it to other hackers.

How to protect yourself from ViperSoftX malware

ViperSoftX is a stealthy and dangerous malware that can cause serious damage to your computer and your data. Therefore, you should take some preventive measures to avoid being infected by this malware. Here are some tips to help you protect yourself from ViperSoftX:

  • Avoid cracked software: The malware often arrives as cracked software, an activator or a key generator, which hides the malicious code in the overlay. Avoid downloading or using illegal versions of software or games, as they may contain malware. Only download software from trusted sources and verify their authenticity.
  • Use security software: Use a robust antivirus software that can detect and remove malware from your device. Keep your security software updated and perform regular scans of your device. You can also use a firewall to block unauthorized network connections and a VPN to encrypt your online traffic.
  • Update your browsers and password managers: The malware installs a malicious extension named VenomSoftX on web browsers and steals data from them. It also checks if the device has security software installed, such as Windows Defender or ESET, and activates its camouflage mechanisms accordingly. Update your browsers and password managers regularly to fix any security vulnerabilities. Also, only install extensions from trusted sources and check their permissions and reviews.
  • Backup your data: The malware can steal or encrypt your data, making it inaccessible or unusable. Backup your data regularly to an external storage device or a cloud service, so you can restore it in case of a malware attack. You can also use encryption tools to protect your data from unauthorized access.
  • Be careful with email attachments and links: The malware can also arrive through phishing emails that trick you into clicking on a link or opening an attachment. Be wary of emails that ask you to provide personal or financial information, or that seem to be from unknown or suspicious senders. Also, avoid clicking on links or attachments that look suspicious or irrelevant.
  • Use strong and unique passwords: The malware can steal your passwords for your online accounts, especially for your cryptocurrency wallets and exchange platforms. Use strong and unique passwords for each account, and avoid using the same password for multiple accounts. You can use a password generator or a password manager to create and store strong passwords.
  • Enable two-factor authentication (2FA): The malware can use your stolen passwords to access your accounts and perform fraudulent transactions. Enable two-factor authentication (2FA) whenever possible, which adds an extra layer of security to your login process. 2FA requires you to enter a code sent to your phone or email, or generated by an app, in addition to your password.
  • Avoid downloading and installing software or documents from untrusted sources: The malware often hides behind cracked versions of popular software or games, which are offered on torrent or illegal download sites.
  • Keep your browser and password manager updated: with the latest security patches, and use strong and unique passwords for each account.

How to remove ViperSoftX from your system

ViperSoftX is a malware that can infect your computer and steal your data. If you suspect or know that your computer is already infected by ViperSoftX, you should act quickly to remove it and prevent further damage. Here are some steps to help you remove ViperSoftX from your system:

  • Uninstall malicious programs from Windows: ViperSoftX may have installed some malicious programs on your computer that can interfere with your removal process. To uninstall them, go to Control Panel > Programs > Uninstall a program and look for any suspicious programs that you do not recognize or that you did not install yourself. Select them and click Uninstall.
  • Reset browsers back to default settings: ViperSoftX may have modified your browser settings and installed a malicious extension named VenomSoftX that can steal your data. To reset your browser settings, go to your browser settings and look for an option to reset your browser to its default state. This will remove any malicious extensions, cookies, history, passwords, and other data that ViperSoftX may have added or modified.
  • Use Rkill to terminate suspicious programs: ViperSoftX may have some processes running in the background that can prevent you from removing it. To stop them, use Rkill, a free tool that can terminate any suspicious processes that are running on your computer. Download Rkill from here and run it as administrator. Wait for it to finish scanning and killing any suspicious processes.
  • Use Malwarebytes to remove Trojans and unwanted programs: ViperSoftX is a Trojan malware that can hide itself from antivirus detection by using camouflage mechanisms. It also checks if the device has security software installed, such as Windows Defender or ESET, and activates its camouflage mechanisms accordingly. To remove it, use Malwarebytes, a powerful anti-malware software that can detect and remove ViperSoftX and other threats from your computer. Download Malwarebytes from here and install it. Run a full scan and follow the instructions to quarantine or delete any detected threats.
  • Use HitmanPro to remove rootkits and other malware: ViperSoftX may have some hidden malware components that may have escaped Malwarebytes. To find and remove them, use HitmanPro, a second-opinion scanner that can find and remove any hidden malware that may be on your computer. Download HitmanPro from here and run it. Follow the instructions to scan your computer and remove any remaining malware.
  • Use AdwCleaner to remove malicious browser policies and adware: ViperSoftX may have changed some browser policies or installed some adware on your computer that can display unwanted ads or pop-ups. To clean your browser from them, use AdwCleaner, a free tool that can remove any unwanted policies, extensions, toolbars, ads, or pop-ups that may have been installed by ViperSoftX or other adware. Download AdwCleaner from here and run it. Click Scan Now and then Clean & Repair to remove any detected threats.
  • Perform a final check with ESET Online Scanner: To make sure that your computer is completely free of malware infections, perform a final check with ESET Online Scanner, a free online tool that can scan your computer for any remaining malware infections. It can detect and remove viruses, Trojans, spyware, phishing and other internet threats. To use ESET Online Scanner, go to this website and click Start Scan Now. Accept the terms of use and click Enable ESET LiveGrid feedback system. This will allow ESET to collect anonymous data about detected threats and improve its detection capabilities. Wait for the scan to complete and follow the instructions to delete any detected threats.”

By following these steps, you should be able to remove ViperSoftX from your computer completely. However, you should also change your passwords for your online accounts, especially for your cryptocurrency wallets and exchange platforms

ViperSoftX is a very stealthy malware that can evade antivirus detection by using various techniques. It also checks if the device has security software installed, such as Windows Defender or ESET, and activates its camouflage mechanisms accordingly4.

How to secure your passwords and cryptocurrencies with modern authentication methods?

One of the best ways to protect your passwords and cryptocurrencies from ViperSoftX and other malware is to use modern authentication methods that rely on hardware devices instead of software. These devices are called hardware password managers or cold wallets.

Hardware password manager

A hardware password manager is a device that stores and manages your passwords securely. Unlike a virtual password manager, which runs on your computer or smartphone, a hardware password manager is a separate device that you can carry with you. This way, you can avoid storing your passwords on potentially compromised devices or online services.

A hardware password manager generates and stores strong passwords for your online accounts, which you can access with one master password. To log in to an online service, you can either type the password manually or use the NFC feature of the device to transmit the password to your computer or smartphone.

NFC

NFC (Near Field Communication) is a wireless technology that allows devices to communicate over short distances. You can use NFC for various purposes, such as contactless payments, smart cards, and authentication. By using NFC, you can log in to your online accounts with a simple tap of your hardware password manager on your device.

Some of the benefits of using NFC are:

  • It is fast and convenient: you do not need to type long passwords or scan QR codes.
  • It is secure: NFC uses encryption and authentication protocols to prevent eavesdropping or tampering.
  • It is compatible: NFC works with most:

Cold wallet

A cold wallet is a device that stores your cryptocurrencies offline. Unlike a hot wallet, which is connected to the internet and vulnerable to hacking, a cold wallet is isolated and protected from unauthorized access. To use a cold wallet, you need to transfer your cryptocurrencies from an online platform to the device and vice versa.

A cold wallet generates and stores private keys for your cryptocurrency accounts. A private key is a secret code that allows you to access and control your cryptocurrency funds. You should never share or lose your private key, as it is the only way to access your funds.

Some of the advantages of using a cold wallet are:

  • It is safe and reliable: you do not have to worry about hackers, malware, or phishing attacks.
  • It is easy and convenient: you can manage your funds with a simple interface and a few clicks.
  • It is versatile and compatible: you can store different types of cryptocurrencies on the same device.

One example of a cold wallet that uses NFC technology is the NFC Cold Wallet with EviVault technology from Freemindtronic Andorra. This device allows you to store and manage your cryptocurrencies securely and conveniently with your smartphone.

EviVault Cold Wallet & Hardware Wallet

EviVault is a patented technology that enhances the security and performance of NFC devices. It uses a combination of hardware and software features to protect your data from physical and logical attacks.

Some of the features of EviVault are:

  • It encrypts and authenticates your data with AES-256 and HMAC-SHA256 algorithms.
  • It prevents cloning, tampering, or replay attacks with anti-counterfeiting and anti-replay mechanisms.
  • It detects and blocks brute force attacks with auto unpairing functions traced in a black box.
  • It optimizes the speed and reliability of NFC communication with error correction and data compression techniques.

With EviVault, you can enjoy the benefits of NFC technology without compromising your security or privacy.

The impact of the ViperSoftX malware on businesses

The ViperSoftX malware does not only target individuals, but also businesses. Indeed, the malware can compromise the security of professional data by stealing the passwords of employees or customers. It can also infect the computer network of the company and spread other malware, such as ransomware or cryptominers.

To protect themselves from the ViperSoftX malware, businesses must take several measures:

  • Educate employees about the risks associated with downloading software or documents from unofficial or illegal sources.
  • Use up-to-date and effective antivirus software to detect and remove the malware.
  • Choose secure and reliable password managers, which do not store sensitive data in browser extensions.
  • Check regularly the transactions in cryptocurrencies and the addresses of the wallets.

In conclusion

ViperSoftX is a dangerous malware that can steal your passwords and cryptocurrencies from your virtual password managers and online platforms. To protect yourself from ViperSoftX, you should be careful about what you download and install on your device, keep your software updated and secure, avoid installing unknown or suspicious extensions and backup your data regularly.

To secure your passwords and cryptocurrencies with modern authentication methods, you can use hardware password managers or cold wallets that rely on hardware devices instead of software. These devices use NFC technology to offer you a high level of security and convenience for your online accounts. However, you should also follow some best practices, such as keeping your devices updated and secure, using strong passwords and two-factor authentication, and storing only small amounts of cryptocurrency on online platforms.

What is Juice Jacking and How to Avoid It?

what is juice jacking and how to avoid it

Juice Jacking by Jacques gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.  

How to protect yourself from Juice Jacking”

Do you often use public USB chargers to recharge your smartphone or tablet? If so, you may be exposing your device to a cyberattack called Juice Jacking. In this article, we will explain what Juice Jacking is and how to protect yourself from it.

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

Juice Jacking: How to Avoid This Cyberattack

Do you often use public USB chargers to recharge your smartphone or tablet? If so, you may be exposing your device to a cyberattack called Juice Jacking. This is a type of attack that can steal your data or infect your device when you use a public USB charger. In this article, we will explain what Juice Jacking is and how to protect yourself from it.

What is Juice Jacking?

Juice Jacking is an attack that hackers can perform. They put malware on the public charger’s USB port. When you plug your device into the charger, the malware can access your data or infect your device.

Juice Jacking can take two forms:

  • Data theft: the malware can copy your contacts, photos, messages, passwords or any other sensitive information stored on your device.
  • Malware installation: the malware can install a program that will do malicious things to your device.

The Lack of Awareness and Protection of Juice Jacking Among Users Worldwide

One of the reasons why juice jacking is a serious threat is that many people are unaware of it or do not take precautions when using public USB ports. According to a 2019 study by the University of Illinois at Urbana-Champaign, 64% of Americans use public USB ports to charge their devices, and 15% of them do not know what juice jacking is. The study also found that only 8% of the participants used a USB data blocker or a power-only cable to protect their devices from potential attacks. A similar situation exists in other countries, such as the United Kingdom and Australia. A 2020 study by Comparitech surveyed more than 2,000 people in the UK and found that 45% of them used public USB ports to charge their devices, and 50% of them had never heard of juice jacking. A 2019 study by Finder analyzed the behavior of more than 1,000 people in Australia and found that 41% of them used public USB ports at least once a month, and 21% of them did not know what juice jacking was. These studies show that there is a need for more education and awareness on the risks and prevention of juice jacking.

How to prevent Juice Jacking?

To prevent Juice Jacking, don’t use public USB chargers. Instead, you can use your own charger or a portable battery. However, if you have no choice but to use a public charger, you can take some precautions:

  • Use a USB data blocker. This is a device that blocks the data transfer between the charger and your device. It only allows the power to pass through.
  • Turn off your device before plugging it into the charger. This may reduce the risk of data theft or infection.
  • Use a VPN app on your device. This can encrypt your data and make it harder for hackers to access it.

How to protect yourself from Juice Jacking with EviCore NFC HSM and EviCypher Technology

Juice Jacking is a cyberattack that steals or modifies your data through malicious USB chargers. You need a secure and portable encryption solution to protect yourself from this threat. EviCore NFC HSM and EviCypher technology can help you.

EviCore NFC HSM is a contactless hardware security module (HSM). It stores your sensitive data and protects it with configurable multi-factor authentication. You can access your data with your smartphone via NFC (Near Field Communication).

EviCypher is a hardware encryption device that works with EviCore NFC HSM. It encrypts and decrypts your documents, emails and messages with your smartphone. You can use it with any messaging service and enjoy an advanced electronic signature system.

With EviCore NFC HSM and EviCypher, you can avoid hackers who use malicious USB chargers. Your data are safe and secure offline, without any server or database. To learn more about this innovative technology, visit the website EviCore NFC HSM by Freemindtronic.

EviCore NFC HSM and EviCypher are products and services from Freemindtronic. Freemindtronic is a company specialized in NFC security solutions. It offers the best encryption products on the market.

A more technical explanation by ethical hackers

The Juice Jacking is a cyberattack that exploits the vulnerability of the USB ports that are used for both charging and data transfer. Ethical hackers, who are security professionals who use their skills for good, have demonstrated how this attack works and how to prevent it.

One of the first demonstrations of Juice Jacking was made by researchers from the University of Michigan in 2011 at the DEF CON hacker convention. They set up an informative kiosk on Juice Jacking to raise awareness among visitors about the danger of plugging their devices into public charging stations. When a visitor plugged in their phone, the screen turned red and displayed a warning message: “You should not trust public kiosks with your smart phoneYou should not trust public kiosks with your smart phoneYou should not trust public kiosks with your smart phone”.

The researchers also showed how malicious actors could use the kiosk to steal data, track devices, or compromise them. They also provided information on how to compromise charging kiosks.

Another demonstration was made by security researchersecurity researcher Kyle Osborn in 2012. He published an attack framework called P2P-ADB that uses a USB On-The-Go cable to connect an attacker’s phone to a victim’s device. The framework includes examples and proofs of concept that would allow hackers to unlock locked phones, steal data from a phone, including authentication keys that would allow the attacker to access the owner’s Google account.

In 2013, security researchers from Georgia Tech published a proof of concept of a malicious tool called Mactans that uses the USB charging port of an Apple mobile device. They used low-cost hardware components to build a small malicious wall charger that can inject malware into an iPhone running

In 2014, security researchers Karsten Nohl and Jakob Lell from srlabs published their research on the BadUSB attack at the Black Hat USA conference . They showed how hackers can reprogram USB devices such as flash drives or cables to act as keyboards or network cards and send commands or data to a connected device.

These demonstrations show how Juice Jacking can be performed by skilled hackers who have access to the USB ports or cables in public places. They also show how users can protect themselves by using their own chargers or batteries, using data blockers, turning off their devices, or using VPN apps.

Some examples and testimonials

Juice Jacking is a serious threat for users of public USB chargers. It can compromise your data and your device’s security. Here are some examples and testimonials that illustrate the risks of Juice Jacking:

  • In 2011, at the DEF CON hacker convention, an informative kiosk on Juice Jacking was set up to raise awareness among visitors about the danger of plugging their devices into public charging stations . When a visitor plugged in their phone, the screen turned red and displayed a warning message: “You should not trust public kiosks with your smart phone” .
  • In 2013, security researchers from Georgia Tech presented a proof of concept of a malicious wall charger that could inject malware into an iPhone running the latest version of iOS while it was being charged. The malware bypasses all the built-in security measures in iOS and hides itself in the same way that Apple hides background processes in iOS .
  • In 2019, the Los Angeles County District Attorney warned travelers about Juice Jacking in airports. He advised travelers to use electrical outlets rather than USB ports to charge their devices.
  • In 2020, a French journalist testified that she was a victim of Juice Jacking during a trip to India. She said that her phone was infected by malware after plugging it into a USB port in a hotel. The malware sent her messages asking her to pay a ransom to get her data back.

To illustrate the phenomenon of Juice Jacking further, you can also check out these videos:

  • A video explanation from ZDNet that presents Juice Jacking and its consequences.
  • A video demonstration from ETX Studio that shows how to protect yourself from Juice Jacking with a USB data blocker.
  • A video information from Slate that explains why you should not be afraid of Juice Jacking and how it is unlikely to happen.

Some scientific and statistical sources

Juice Jacking is a topic that interests security researchers and public authorities. Here are some scientific and statistical sources that address Juice Jacking:

  • An academic paper published in 2011 by researchers from the University of Michigan that analyzes the risks associated with using public USB ports and proposes solutions to reduce them.
  • A technical report published in 2014 by researchers from Johns Hopkins University that describes a method to detect and prevent Juice Jacking on Android devices.
  • A study conducted in 2017 by Kaspersky Lab that reveals that 25% of French users have already used a public USB charger and that 12% of them have already suffered a loss or theft of data as a result of such use.

Conclusion

Juice Jacking is a cyberattack that targets users of public USB chargers. It can compromise your data and your device’s security. To avoid it, you should use your own charger or battery whenever possible. If you have to use a public charger, you should use a USB data blocker, turn off your device, or use a VPN app.

We hope this article helped you understand what Juice Jacking is and how to protect yourself from it.

Strong Passwords in the Quantum Computing Era

Strong Passwords in the Quantum Computing

Strong Passwords by Jacques gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.  

How to Protect Your Passwords from Quantum Computers Introduction

Do you know that quantum computers could break your passwords in seconds? This could expose your personal and financial data to hackers. To prevent this, you need to create strong passwords that can resist quantum attacks. In this article, you will learn how to do it easily and effectively.

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

How to create strong passwords in the era of quantum computing?

Quantum computing is a technology that promises to revolutionize the field of computation by exploiting the properties of subatomic particles. It offers unprecedented possibilities for scientific research, artificial intelligence or cryptography. But it also represents a risk for the security of data and online communications. Indeed, quantum computers could be able to crack the secret codes that protect our passwords, our bank accounts or our private messages.

What is quantum computing? What is encryption? What is a brute force attack?How to protect ourselves from this threat? The answer is simple: create strong passwords and resist quantum attacks. But what is a strong password? And how to choose it? Here are some tips to help you strengthen your digital security in the era of quantum computing.

What is quantum computing and how does it work in video?

What is a strong password?

A strong password is a password that is hard to guess or crack by a hacker. It must be composed of at least 12 characters, mix uppercase and lowercase letters, numbers and symbols, and not contain dictionary words, proper names or personal data. For example, “P@ssw0rd123” is not a strong password, because it is too short, too simple and too common. On the other hand, “Qx7!tZ9#rGm4” is a strong password, because it is long, complex and random.

Why is a strong password important?

A strong password is important because it reduces the risk that your account will be hacked by a brute force attack. A brute force attack consists of testing all possible combinations of characters until finding the right password. The longer and more complex the password, the more possible combinations there are, and the more time and resources it takes to crack it.

For example, a password of 8 characters composed only of lowercase letters has about 200 billion (26^8) possible combinations. A classical computer can crack it in a few minutes. But a password of 20 characters composed of letters, numbers and symbols has about 10^39 (95^20) possible combinations. A classical computer would need 766 trillion years to crack it.

But what about quantum computers?

Quantum computers are able to perform calculations much faster and more powerful than classical computers thanks to their ability to manipulate qubits instead of bits. A qubit can take two states simultaneously (0 and 1), which allows it to explore multiple solutions at the same time. Thus, a quantum computer could theoretically crack a password by testing all possible combinations in parallel.

However, there are technical and practical limits to this ability. First, you need to have a quantum computer powerful and stable enough to perform this type of operation. However, current quantum computers are still very rudimentary and only have a limited number of qubits. Second, you need to know the type of encryption used to protect the password. However, there are encryption algorithms that are resistant to quantum attacks, such as symmetric encryption or elliptic curve encryption. Third, you need to have access to the system that stores the password. However, there are security measures that prevent unauthorized access, such as two-factor authentication or account locking after several unsuccessful attempts.

Thus, even if quantum computers represent a potential threat for the security of passwords, they are not yet able to crack them easily. Nevertheless, it is prudent to prepare for the advent of this technology by creating strong passwords and changing them regularly.

How to choose a strong password?

To choose a strong password, there are several methods. Here are some examples:

  • The Diceware method: it consists of randomly choosing several words from a predefined list and separating them by spaces or symbols. For example, “piano cat star 7 &”. This method allows you to create passwords that are easy to remember and hard to crack.
  • The XKCD method: it consists of choosing four random words and assembling them without space. For example, “correcthorsebatterystaple”. This method is inspired by a comic from the XKCD site that shows that this type of password is safer than a complex but short password.

The random generator method: it consists of using an online tool that creates a random password composed of letters, numbers and symbols. For example, “Qx7!tZ9#rGm4”. This is the method implemented in the evicore nfc and evicore hsm technology from Freemindtronic, which features a random password generator with Shannon entropy control. This technology also automatically calculates the number of bits of the generated password based on the type of printable ASCII 95 characters used. This method allows you to create very secure passwords but difficult or impossible to remember, which requires the use of a hardware or virtual password manager. Whatever the method chosen, it is important to follow some rules:

  • Do not use the same password for multiple accounts or services.
  • Do not write the password on a paper or store it on an insecure device.
  • Do not share the password with other people or communicate it by email or phone.
  • Do not use obvious clues or security questions to recover the password in case of forgetfulness.
  • Use a password manager to store and manage your passwords securely.

Tools for creating and protecting strong passwords

If you want to create and protect strong passwords in the age of quantum computing, you can use some of these online tools to help you:

  • Online password generator: A tool that creates a random and strong password composed of letters, numbers and symbols. For example, Mot de passe.xyz is a free and secure online password generator that lets you choose the length and types of characters for your password.
  • Password strength calculator: A tool that calculates the entropy (the number of bits) of a password based on its length and the number of possible characters. For example, Password Entropy Calculator is a free online tool that shows you how strong your password is and how long it would take to crack it.
  • Data breach checker: A tool that checks if your email or phone number has been exposed in a data breach. For example, Have I Been Pwned? is a free online service that lets you check if your personal information has been compromised by hackers.

Using these tools can help you create and protect strong passwords that are resistant to quantum attacks. However, you should also remember to use different passwords for different accounts, change them regularly, and use a password manager to store them safely.

In conclusion

Passwords are essential to protect our privacy and our data online. Faced with the potential threat of quantum computers, it is important to create strong passwords and resist quantum attacks. To do this, we need to choose passwords that are long and complex, change them regularly and manage them with caution. Thus, we will be able to enjoy the benefits of quantum computing without fearing for our digital security.

This site uses cookies to offer you a better browsing experience. By browsing this website, you agree to our use of cookies.