There is another phishing attack ongoing and unfortunately @surfermarly, one of the most experienced members of the community, was caught out. Thankfully, she has control of her account back from one of the assholes who do these kinds of things. You can see details of this particular phishing approach here in a post by @arcange. Sadly, everyone must remain vigilant at all times because, big or small, due to the value in wallets, we are all targets.

However, this should also set off more alarm bells than vigilance alone, because if it can happen to an experienced user, it can happen to anyone, and often does.
Most people aren't used to having to protect keys in this way, and they aren't used to being on a decentralised system where recovery isn't easy. Most are also not accustomed to being direct targets, and very few on earth are used to being targeted openly and publicly.
This is Steem and all of crypto it seems and is an obvious drawback of allowing close to total anonymity. But something must be done on Steem if we are going to ever mainstream this community.
The system is complex in itself, but I am sure there are many people who do not understand their keys and why and where to use each of them. The number of people who lose their master is very high, which is a symptom (and risk) of being used to having a centralised authority to message behind a "lost password?" link.
On Steem there is a lot more responsibility put on the individual than on other platforms, and no clear guidelines on how best to organise security maintenance. "Keep your keys safe and offline" is good advice but, considering people are accessing their accounts from multiple points as well as mobile devices, very impractical.
From my understanding (I have recently heard), 2FA is not possible for some reason, but there must be other ways that can be used to protect an account even in the event of a lost key.
The problem is that mass adoption means many people coming onto the platform who are a lot less security conscious than the average crypto enthusiast, and on an immutable blockchain the number of stolen and dead accounts is going to grow rapidly. It is going to be a tough sell to keep explaining why we can do nothing about theft and offer no real preventative protection against it for the average user.
There is a high learning curve here already, but is it wise to have security and watching out for bad actors be the first lesson learned coming into a community? If the experienced struggle with this, what hope do the newbies have? Not everyone should have to learn the hard way when it comes to account security, and there should be some clear advice and solutions available that even the most basic user can understand, considering this is a global community.
I am unsure what is in the pipeline for security measures, but in my opinion a lot more needs to be developed to both simplify account management and complicate account theft before a million more people come in, lose their keys to a phishing attack in their first week, and have their account turned into one of the soldiers in a bot army.
Online security is a difficult area because often it requires some level of centralisation which becomes a weak and contentious point in a decentralised community. There is some kind of lesser of two evils concept at play but I am unsure which is the larger evil of the two.
Until something is in place though, everyone has to remain on guard at all times, and if something seems out of place, like a login screen, it probably is out of place and should be treated with extreme caution. There are always going to be bad actors on Steem and in the world, and this is why having a healthy and supportive community inherently provides some measure of security to protect its members.
All for one, one for all.
What are your thoughts on security on Steem and do you have any good advice or trusted tools to maintain security across devices?
Taraz
[ a Steem original ]
(posted from phone)
Good news on that front actually. There's a browser extension almost released (commissioned by a couple of the witnesses). It holds your keys in your browser and just sends a token through the net.
Your keys never actually leave your browser.
It's like MetaMask for Ethereum.
I've been using it for a week or so and it's really top notch. Not sure when official launch will be, but I'd say very soon.
That's awesome, by any chance does it work on mobile?
I haven't tried, tbh. I use the Brave browser on my mobile, and I don't imagine it's compatible yet.
It works great in chrome on my desktop though.
Not sure about steemit.com, but I know steempeak.com and steemmonsters.com are testing it out.
I've used it on both and it's heaps quicker and simpler than steemconnect.
While SteemConnect is slow, most extensions are sadly enough made for desktop browsers only. In this mobile first era that’s rather sad and definitely doesn’t promote adoption of crypto either. Even less so because tokens like STEEM are (currently) most influential in development nations.
We'll get there.
I'd rather they moved slowly, particularly when handling keys.
Sounds interesting. I am sure there will be an ANN at some point but let me know if there isn't one :)
Hi @tarazkp!
Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 6.118 which ranks you at #253 across all Steem accounts.
Your rank has improved 3 places in the last three days (old rank 256).
In our last Algorithmic Curation Round, consisting of 516 contributions, your post is ranked at #17.
Evaluation of your UA score:
Feel free to join our @steem-ua Discord server
USE YOUR POSTING KEY for everyday use!
Indeed, it is amazing how many use their master for convenience.
People are despicable. Thanks for the heads up, I really am taking it a lot more seriously now
the "benefits" of having value on a platform... ;)
Thanks a lot for bringing this up!
We can't talk often enough about security measures and educate the community. I did a huge mistake and stepped into a really uncool trap - which then taught me for life, so I'm glad to share my experience with and warn others now.
Appreciated & resteemed
It is a challenge because compared to 'normal sites', there is more complexity here and not a great deal of clear communication. Combine that with some clever scammers and it is unfortunately going to be more and more of an issue moving forward with mainstreaming.
Absolutely, only having a series of different keys (compared to the one password you usually have on other social media sites) makes it incredibly complex. Sometimes it's not even about not being informed, but about being distracted - like it happened to me twice. A couple of weeks back, I accidentally introduced my active key into the memo field of the smartsteem promotion service. At that point in time, there was no alert implemented yet that informed you when you accidentally typed something into the field that looked like a key. I lost 18 SBD, which was not much, but still a lesson. As a positive takeaway, the website was updated and now people are warned when introducing a key into the wrong field (like it was already implemented on steemit.com before).
The second time (as you mentioned here) I was provided with a phishing link that was wearing such good make-up that already 850 other users had fallen for it (as I learned later on from a developer). Eight hundred fifty people!
Now the no. 1 rule is surely to NEVER use the wrong key. That can prevent us from a lot of trouble.
Total security doesn't exist when human beings are involved - as in real life so online. However, I feel that there's a big lack of education and we should start a whole campaign to better inform those who join us.
Btw I was desperately trying to find some information in the Steemit FAQ on how to safely STORE keys. It's just said that they should be stored safely / offline, but a non-crypto person would never understand at first glance what that actually means...
Again, thanks for bringing this up! We need more of it :-)
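The memo-field warning described in this comment (flagging input that looks like a private key before a transfer is signed) is a small client-side check. The following is an added example, not smartsteem's or steemit.com's own code. It assumes Steem private keys use the 51-character WIF encoding shared with Bitcoin (base58 of a 0x80 version byte, the 32-byte secret and a 4-byte double-SHA256 checksum), and it also treats a token of the form "P" + WIF as a Steemit-style master password; both of those format assumptions are the example's, not the page's. The `make_demo_wif` helper only builds a syntactically valid key from constructed bytes so the check can be exercised offline; the test values are constructed, not real keys.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin and Steem WIF keys (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIF_VERSION = 0x80  # version byte that prefixes an uncompressed WIF secret

# A 51-char base58 run starting with '5', not embedded in a longer base58 run.
# An optional leading 'P' covers the Steemit-style master password (assumed format).
WIF_TOKEN_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])P?5[1-9A-HJ-NP-Za-km-z]{50}(?![1-9A-HJ-NP-Za-km-z])"
)


def b58encode(data: bytes) -> str:
    """Plain base58 (no checksum); leading zero bytes become leading '1's."""
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a non-base58 character."""
    num = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a base58 string")
        num = num * 58 + idx
    raw = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + raw


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def make_demo_wif(secret: bytes) -> str:
    """Encode a 32-byte secret as uncompressed WIF. Demo helper only."""
    if len(secret) != 32:
        raise ValueError("secret must be 32 bytes")
    payload = bytes([WIF_VERSION]) + secret
    return b58encode(payload + _checksum(payload))


def is_wif_private_key(token: str) -> bool:
    """True only if token is a well-formed WIF whose checksum verifies."""
    if len(token) != 51 or token[0] != "5":
        return False
    try:
        raw = b58decode(token)
    except ValueError:
        return False
    # version(1) + secret(32) + checksum(4)
    if len(raw) != 37 or raw[0] != WIF_VERSION:
        return False
    return _checksum(raw[:-4]) == raw[-4:]


def find_private_keys(text: str) -> list:
    """Return every substring of text that verifies as a WIF key (or 'P'+WIF)."""
    hits = []
    for m in WIF_TOKEN_RE.finditer(text):
        tok = m.group(0)
        core = tok[1:] if tok.startswith("P") else tok
        if is_wif_private_key(core):
            hits.append(tok)
    return hits


def check_memo(memo: str) -> tuple:
    """(ok, message): refuse to submit a memo that carries a private key."""
    if find_private_keys(memo):
        return (False, "This memo contains what looks like a private key. Not sent.")
    return (True, "ok")


if __name__ == "__main__":
    demo_key = make_demo_wif(bytes(range(1, 33)))  # constructed, not a real key
    print(check_memo("promo for @someuser, 2 SBD"))
    print(check_memo("promo " + demo_key))
```

The checksum step is what keeps the warning from firing on ordinary 51-character base58 text: a bare regex would flag many harmless strings, whereas a passing double-SHA256 checksum on a 0x80-prefixed payload is strong evidence the user pasted a key. The same function can run on any input field that is going to be broadcast publicly, not only memos.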
I also had a close run a couple of years ago, with Localbitcoins. I'm considering myself as an expert, so I found it quite embarrassing, but it sort of proves the point that even experienced users may fall for phishing.
I got a phishing email, opened it on my mobile. Now, on my regular desktop email client (mutt), I can quite easily detect phishing attempts, but on the mobile, details like the sender's email address and what email server it came from were hidden. In addition I was trying to pay attention to a real-life talk, and in addition I was drinking beer and not being completely sober ... so I followed a link urging me to log into my Localbitcoins account. So the phisherman got my password. Luckily Localbitcoins has an extra measure of security by cookies: they don't allow logins from a new browser without the account holder first confirming it by email, so when I got a "confirm this login" alert, I understood that I had been phished, didn't lose anything and could simply change my password.
Thanks for being so open @tobixen, and I'm grateful you mentioned that experience cannot protect us. Especially phishing links are quite elaborate nowadays, and a single second of distraction may drive you right into a big disaster.
Steem users log in from different devices every day, and I'm pretty sure that this is one of the biggest security gaps. I have no keys on my phone anymore, but sometimes it's annoying that I can't upvote or comment on posts while I'm on the move.
It's hard to define a well working synergy of flexibility, efficiency and security. Probably we can't have them all.
I notice that links that take you away from Steemit have a little symbol to let you know. I wonder if this was hidden, somehow, in this case. Perhaps this could be extended to a warning when you click on it to say you are being diverted to a different site. Admittedly, it could get annoying if you click on links a lot, though.
I think it was an image cut and paste from a real comment. Never use your master.
Even images have the little symbol in the corner. They must have been pretty clever to get around that somehow.
Yes, most certainly never use your master and really check the address bar. You are so right, though, it's not going to help with onboarding in the long run. Even the pass keys are off-putting to many. It needs to be a bit simpler and safer.
Sometimes this turns into a fear. I have nothing to be 'syphoned' currently but I wonder what will happen when I do. I can imagine how painful it is for someone who has gone through it.
Posted using Partiko Android
gotta stay frosty in the Steem jungle :)
So it seems! Sigh.
Posted using Partiko Android
We have to keep an eye out for everyone as it happens. I wish there was some other barrier of security that could be found. I know the power down takes 13 weeks but when Steem rockets this place would be like hitting a bank. It will become more serious than a few thousand dollars as we are talking in some cases millions.
people can have Steem sitting in their wallet liquid too and sometimes, that is quite a lot. I am not sure what solutions are available but even a simple secondary pin with 3 attempts might be enough for most cases. Re-login would need master and come with an additional warning that the pin was inputted wrongly and to change the keys if it wasn't you.
Just don't understand. If you are not going to power up then stick it into savings. It doesn't matter if it is going to take 3 days to get it out, better safe than sorry.
shouldn't really be an issue either way.
Actually a few good ideas to prevent abuse are in place on steemit and I like them so much. I haven't yet reached a point to try and withdraw any funds but I like the time limitations - the SP withdrawal limit of 1/13 per day makes me feel much more secure than in a case I witnessed a few years ago.
My third person view:
In 2008 my roommates started digging bitcoins. It required about 500 Euro only for a good enough machine. I was about to invest in one. My roomies had already acquired - in a matter of weeks - a few bitcoins per person which now would be worth a small fortune. One day the system got hacked, their few bitcoins drained immediately and although it took a short time to get the system running again, few people had the courage to dedicate resources again. I didn't even start.
I've been stolen from in real life - a few bikes, guitars, things like these. Still it felt very bad. Not because of the money but because of the unexpected insult to my hard-work-related beliefs.
per week
It is a personal violation and intentional which makes it worse.
Yup, exactly that - the personal violation. It stays the same even online. I guess I should learn to use the alternative keys and not the master. Thank you very much for bringing up the issue :)
My wish on the matter of decentralization is for the community to find enough strength and produce enough ideas so that it proves decentralized can still be secure. That would be so much more than just a social network benefit.
I feel so sorry for @surfermarly in the attack. In a separate incident @kryptocoin got hacked, as you can read about here. Many months ago I was scammed out of 663 SBD by some Romanians in a phishing. One must be VERY careful. I learned the importance of not using your master key. Folks need to be educated about this. Decentralization is like the wild west of the internet. LoL Thanks my friend.
Don't trust anyone ever.
Unless... you want to consult with experts who really know. };)
I was going to ask if the security aspect of Steemit is discussed during the Steem gatherings (fests?). If there were talents capable of developing something as complex as a blockchain, my guess is there have got to be equal or better talents to counter attacks and protect this thing.
I know nothing about tech and I don't think with the meager resources we have at hand here I'll be able to learn or have access to any kind of security measures, unless the platform develops methods to protect everybody.
Yesterday, precisely, I was asked by an alleged member of the cervantes group to participate in an alleged program of delegation (I had allegedly been chosen to have a chance). He sent me the link to a @cervantes post showing the first month's winner and all. It so happens that that user was not @pgarcgo #0325; his Discord number was different. I did not know @cervantes had already issued a warning or something like that. I wonder if that "user" has been tracked down and blocked or something.
Thanks, @tarazkp
A good thing you brought up this story - I've been sort of busy and didn't look into the details earlier - using a name with great rep, that's pretty smart... The shock of seeing such a message from someone important could easily make you ignore the risks you are normally aware of.
As for the masses hopefully joining Steemit - security would definitely be a problem... if people keep losing their keys, word would spread the site is not safe.. which wouldn't be good!
The shock of seeing such a message from someone important could easily make you ignore the risks you are normally aware of.
It is a type of greed. I am not saying in this particular case but it plays on the trigger. Same in chats when "Vhales" promise votes etc for a few SBD transferred to blocktrades. The want for it to be real overpowers the rational mind.
We must protect our key to avoid checkmate friends, since there are many cheats in digital questions. My greetings, @tarazkp.
I don't share my key with anyone, but I am afraid about it. Is there any way we can keep our account safe?
Steem does have some tools in the toolbox, like the "savings account", the fact that it takes a long time to "power down", plus the account recovery feature.