1. June's UBR Partner: Hunter Bookstore. Hunter Bookstore has gone above and beyond this June. They've curated a special shelf featuring all 21 selected books and even prepared a detailed introduction about the project, which I should have provided. The book purchasing period lasts until the end of July. Head over to Hunter and buy some books to help preserve Hong Kong’s literary treasures.
2. Pop-Up at Happy Belly. Today (Thursday, July 4th) from 4:30 PM to 6:30 PM, I'll be at Happy Belly in Mong Kok, enjoying a hot tea and a bao. Feel free to drop by, open your wallet, and claim some DHK tokens, or just have a chat. Although this is the fourth consecutive week, remember that the Drifting Classroom is an irregular, pop-up store with no fixed schedule or location. I’ve just been a bit more diligent lately.
3. DHK dao Meeting. The fifth DHK dao meeting will be held on Friday, July 5th at 9:00 PM at meet.google.com/wip-mopt-cks. The discussion will be in Cantonese, and everyone is welcome to join.
The main article follows.
In recent years, phone scams have become increasingly common. Many households with elderly members have likely encountered scam calls where the fraudster, pretending to be a distressed child, urgently asks for money. With the advent of advanced technology, scammers might even use AI voice imitation, making the calls sound incredibly convincing.
So, how can we help our elderly loved ones handle these deceitful calls?
Grandma's Simple Anti-Scam Technique
My mother, who is quite elderly and surrounded by grandchildren, is a prime target for scammers. She has indeed received scam calls before. Fortunately, she called my brother, who was being impersonated, to confirm, and the scam was exposed. Afterward, I joked about teaching her to use software to analyze if the call was AI-generated. In reality, I came up with a simpler solution: I agreed with my family on a code word, "123." Whenever my mother receives such a call, she asks the caller for the code word. If they can't say "123," she knows it's a scam. This old-fashioned trick might seem outdated, often seen in old Cantonese movies, but "old methods work if they are effective." Scammers use old tricks, so we respond with old tricks, like fighting fire with fire.
You might have noticed that my mother calling my brother to verify is a form of 2FA (two-factor authentication), showing her cleverness. If she were born in a different era, she might have been a hacker. As for the code word, it acts like a password. This shows that whether preventing digital hacks or identifying real-world scams, the principles are the same. A hard-to-guess password (you didn't really think our code word is "123," did you?) combined with 2FA is something even your grandma can master.
Passwords: More Than Just "Open Sesame"
In a previous article, I used "Open Sesame" to illustrate digital passwords, but it's not quite accurate. Think about it: anyone who says "Open Sesame," whether they're Ali Baba or one of the 40 thieves, can open the cave and access the same treasure. In computer science, this is called "stateless," meaning the system doesn't care about your identity. I googled the translation and amusingly found it means "without nationality" in Chinese, an ironic coincidence.
Most modern internet services are "stateful," meaning they give different results based on your identity. When Alice and Bob open the same link, they often see different things. That's why digital passwords are always paired with usernames. Just providing a password like "opensesame" won't get you into the system, and just a username won't either. Wait—did you know that, in the very early days of the internet, some forums did let you in with just a username? And at MIT, computers once shared a common password, reflecting a "Trust. Don’t verify." era that’s long gone.
To break it down, usernames and passwords play different roles. Usernames identify you, and passwords grant you access. When used together, they let you access the data and assets linked to your identity. All activities and data generated are then tied to this identity.
Stateless and Borderless: The Challenge of Web3
Many find Web3 hard to use for various reasons, but one lesser-discussed issue is that, unlike traditional Web2 applications, which are stateful, decentralized apps (dapps) on Web3 are stateless. This can feel unfamiliar and take some time to get used to.
If you have some experience, you might wonder, "Don't you still need an identity to use dapps?" Yes, but it's not quite the same. You'll notice dapps often use the term "connect" rather than "login" when referring to wallets. If a dapp does use "login," it's for user convenience but isn't entirely accurate.
True dapps like Uniswap and Aave don’t offer email and password logins because user state can’t be stored on the public blockchain. If they did use traditional logins, they’d need to store user data in a centralized database. This introduces a centralized element, risking data loss if the company fails or if there's a disaster causing a single point of failure.
Understanding this difference is crucial. In Web3, your wallet connects you to the app, maintaining your privacy and decentralization, but also requiring a shift in how we think about digital identity and security.
We’ve often mentioned that calling it a blockchain "wallet" is misleading. Cryptocurrencies are never actually "in" the wallet. In fact, they don’t exist in any physical form. A more accurate analogy is a keyring or keychain. When dapps ask you to "connect your wallet," it’s like saying, "Please take a key from your keychain and insert it into the lock." Think of it like unlocking your front door in the physical world, which grants you access to everything inside. For Ali Baba, the magical key "Open Sesame" unlocks the treasure. In these examples, the "key" is the private key, and the "lock" is the public key. The system recognizes the key, not the person. Anyone with the private key can access the corresponding assets recorded on the blockchain, which is why this system is considered stateless.
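To make the contrast between "login" (username plus password) and "connect" (key and lock) concrete, here is an added sketch that is not code from any dapp or wallet. It is a simplified model: the function names are hypothetical, and it uses Ed25519 from Node's built-in crypto module in place of the secp256k1 ECDSA keys that Bitcoin and Ethereum wallets use.

```javascript
// Added illustration; all names and sample values are constructed.
const crypto = require('node:crypto');

// "Login": the server keeps a record per username (the identity).
const users = new Map(); // username -> { salt, hash }

function register(username, password) {
  const salt = crypto.randomBytes(16);
  users.set(username, { salt, hash: crypto.scryptSync(password, salt, 32) });
}

function login(username, password) {
  const rec = users.get(username);
  if (!rec) return false; // unknown identity: a password alone opens nothing
  const candidate = crypto.scryptSync(password, rec.salt, 32);
  return crypto.timingSafeEqual(candidate, rec.hash);
}

// "Connect": no user table at all, only a check that the key fits the lock.
function newChallenge() {
  return crypto.randomBytes(32); // fresh per attempt, so old signatures cannot be replayed
}

function walletSign(privateKey, challenge) {
  return crypto.sign(null, challenge, privateKey); // Ed25519 takes no digest name
}

function connect(publicKey, challenge, signature) {
  return crypto.verify(null, challenge, publicKey, signature);
}

function demo() {
  register('alice', 'constructed-sample-password');
  const alice = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const c1 = newChallenge();
  const c2 = newChallenge();
  const sig = walletSign(alice.privateKey, c1);
  return {
    loginOk: login('alice', 'constructed-sample-password'),
    loginNoUser: login('bob', 'constructed-sample-password'),
    holderConnects: connect(alice.publicKey, c1, sig),
    wrongKeyRejected: !connect(alice.publicKey, c1, walletSign(other.privateKey, c1)),
    replayRejected: !connect(alice.publicKey, c2, sig),
  };
}
console.log(demo());
```

Note that `connect` never asks who is holding the private key: whoever can produce a valid signature passes, which is why protecting that key matters so much.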
Password + Private Key = Passkey?
For over 30 years, the "username + password" login method has been widespread but problematic. Easy-to-remember passwords are not secure, and secure passwords are hard to remember. They are vulnerable to phishing and data breaches, leaving users at risk.
On the other hand, the asymmetric cryptography mechanism of "public key + private key," proven secure by applications like Bitcoin, is highly robust. However, it doesn’t store user states, and the user experience is poor. Simply asking users to securely store their private keys or mnemonic phrases, or risk losing all assets, is enough to scare away most potential users.
To address this, the industry introduced the passkey standard a few years ago, aiming to combine the best of both worlds. Passkeys use both mechanisms' strengths, providing security like blockchain while maintaining the user-friendly experience of traditional applications. In the fourth part of our cybersecurity series, we will discuss the basic principles of passkeys, understanding how they integrate with stateful traditional applications while being as secure as blockchain. Most importantly, passkeys are simpler to use than both password logins and wallet connections.
P.S. During the July 1st holiday, I took the opportunity to tidy up. Although we don't have much stuff at home, we do have quite a few books. To save space, I arranged the books in two layers, with the less frequently used ones at the back. After some rearranging, I moved all the books related to China to the back layer. I'm not sure if this counts as organizing my books or organizing my thoughts.