Phishing & Password Protection

in #community · 6 years ago (edited)

I posted my own version of a public service announcement on phishing a few days back. If you missed it, see below, and do be careful with clicking on a comment claiming your post has been plagiarized. This is the current phishing comment message used to entice a click. It could change at any time! Perhaps the next comment might tell you to click "here" to get your free 1 Million Byteball airdrop? User education and awareness is critical on this platform (even in real life). You all know how hard it is to earn SBD! Do be careful so you don't lose your hard-earned money.

If you see a comment from the user mentioned at the bottom of my phishing post, DO NOT CLICK!

https://steemit.com/community/@beeyou/if-something-smells-phishy-it-most-likely-is


Why do you think we have that saying “Curiosity Killed the Cat”?

curiosity-killed-the-cat_o_2513311.jpg


Do Not Be Bait!


Phishing is an issue in the real world and on Steemit because the average user is not savvy about the tricks hackers use to steal your account. An example of phishing in the real world is an email stating you have inherited a lump sum from someone of royal descent in a third-world country. In order to receive the funds, you must send money to cover the cost of paperwork fees. Perhaps a "link" to a fake bank site is listed for easy transfer? Who knows, the tricks are endless. Who wouldn’t want to be a millionaire?


Here are examples of phishing messages on Steemit:

Current scam:

new scam.JPG

Old scam:

grumpy_cat.jpg


Follow-Up on Phishing Activity


My reason for writing a follow-up post is because I have been following along with the phishing issue with that particular account. Yes, sometimes I am a curious bee. I see the team at Steem Cleaners actively flagging the user, but due to the high Reputation level at 64, the team is finding it difficult to control the situation. The account is still commenting on the posts of unsuspecting Steemians.

Another point of concern: the account just powered down! Why shouldn’t it, right? If there is an opportunity to steal more STEEM from this account, why not take advantage of it? It’s not like all the flagging done by the Steem Cleaners community is impacting the user’s reputation. So I am interested in knowing the turnaround time to take control of a hacked account with Rep 64 (nearing three days). Imagine all the damage this one person is doing to the community. What if there is a slew of them?

I realize we all have our own interests on here. I would love to look at photography or comedic posts, and stay in my own corner of the Steemit world. In fact, that is me on a daily basis, interacting with the same group of friends on here. We all have to remember though that the STEEM blockchain is a self-governing community! There is no government body to call for help.

If the system fails, we all fail.


For us redfishes and minnows, the reality is there isn’t much we can do but spread awareness. Even if a post reaches just one person, well, that is one more person who is now informed of the issue. I would never suggest that anyone join the flagging. Remember, an account with a higher Reputation could destroy your own small account. I am suggesting staying abreast of the issue. Be careful with your own passwords. Do not become the next victim of phishing!


Password Security

binary-2170630_960_720.jpg


My coworker introduced me to Steemit, and the first thing I was told to do was log in once with the MASTER password, grab all my passwords (Posting, Active, Memo), then store my master key away offline, never to be used again!

The MASTER key is the password that was given to us upon Steemit sign-up. I would never have known to do that if I wasn’t advised by an experienced user. So I followed along, not knowing why we had to do such an annoying thing. I had wondered why there were so many passwords. I am positive many users do not know this fact. In fact, the phishing activities with SBD/STEEM stolen and accounts being hacked indicate that people are ACTIVELY using the MASTER key to log into the different dapps on STEEM. @bifilarcoil asked me some good questions about passwords. I am no expert, but you can read our conversation here; the link is also listed at the bottom of the post.

There is a Guide to Steemit Account Security written by @mudcat36 about securing your passwords. He, along with @davemccoy, is the co-founder of our #newbieresteemday community, founded with the focus of helping newbies as they come onboard to the Steemit community.

IF you are still using the same password given to you by Steemit, make sure to read the post below. Different dapps on STEEM require different passwords. If you are using Steemit, use only your POSTING key for daily activities such as commenting and upvoting. IF you are using Busy, unfortunately, you need to use your ACTIVE key to log onto the platform. You will have to be extra careful about not clicking on links that require you to log on again. This is how your account gets hacked and funds stolen!

https://steemit.com/newbieresteemday/@mudcat36/the-steemit-newbie-resteem-initiative-guide-to-steemit-account-security
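As an added example (not code from the original post or from the Steem project itself), here is how Steem derives each role key from the master password: the private key for a role is sha256(account + role + master password), encoded as a WIF string. The account name and master password below are constructed placeholders. This is also why the advice above (and the comment discussion further down about keeping the master key out of any key manager) holds: anyone who obtains the master password can recompute every key offline, so you should derive the posting/active/memo keys once, use only those, and keep the master offline.

```python
import hashlib

# Standard Bitcoin base58 alphabet, also used for Steem WIF private keys
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("owner", "active", "posting", "memo")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Leading zero bytes are kept as leading '1' characters
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def derive_wif(account: str, role: str, master_password: str) -> str:
    """Steem role key: sha256(account + role + master_password) as a WIF string."""
    secret = hashlib.sha256((account + role + master_password).encode("utf8")).digest()
    payload = b"\x80" + secret  # 0x80 version byte + 32-byte secret
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def wif_checksum_ok(wif: str) -> bool:
    """True if the WIF string decodes to a well-formed payload with a valid checksum."""
    raw = b58decode(wif)
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return len(raw) == 37 and payload[0] == 0x80 and checksum == expected


def derive_all_keys(account: str, master_password: str) -> dict:
    """All four role keys come from the one master password, so the master must stay offline."""
    return {role: derive_wif(account, role, master_password) for role in ROLES}


if __name__ == "__main__":
    # Constructed placeholder account and master password, not real credentials
    for role, wif in derive_all_keys("examplesteemian", "P5ConstructedMasterPasswordExample").items():
        print(f"{role:8s} {wif}  checksum ok: {wif_checksum_ok(wif)}")
```

Run it once, copy the posting key (and active key only if a dapp such as Busy needs it) into your password manager, and the master password never has to be typed into a website again.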

Be Safe!


beeyou.jpeg

Link to conversation on passwords:
https://steemit.com/community/@beeyou/if-something-smells-phishy-it-most-likely-is#@bifilarcoil/re-beeyou-if-something-smells-phishy-it-most-likely-is-20180716t161036996z

Image Sources and examples of links you should NEVER click if seen in a comment:

Simpson giphy, Hacked, Divider, Snippets from Steemit, Curious Cat meme

Beeyou image by @seaslim


Thats why you have savings and power up so no one can take what you have

Ahh, but the account is currently powering down. The turnaround time for savings to be available is 3 days, and this account has been in the hacker's possession for nearly 4 days. There were no savings, but it would have been emptied by now.

It does take longer to power down, but that is exactly what the hacker is doing right now. Started a few days ago. Question is, how long will it take the true owner to take back the account?

Security will always be a problem on interactive websites. Therefore it is important that the people who run large scale web platforms make extra efforts to make the stuff that needs to be secure intuitive and extremely easy to use. If our bank would let us log in with a key system like steemit then our government, however crappy it is, would take them offline the very same day. Maybe Europe has high standards, not sure.

Phishing links are hard to combat as everyone always is one step behind. This makes frequent users most vulnerable. Add a non-intuitive key system and people will get scammed far more easily. This week everyone reads about phishing and scams so this week they will be careful. The attacker knows this so this week they lay low; once everyone forgot about it, they launch a new attempt, and they will be more successful since steemit's user base is growing fast.


So true here @bifilarcoil. That is why we usually see quiet downtime, then phishing scams re-emerging when people have their guards down. As long as we are aware of the dangers, then we all can be mindful of steps to take to protect ourselves. Thanks for the resteem. :)

Somehow we must then have a strategy that warns about phishing once we expect the next wave? This is a bit of a bullshit solution as it does not fix the real issue, but software being software in a software culture that patches patches with patched patches, my first guess is that something like this could one day become a layer of plaster and that such exoskeleton could be kept in place forever without ever fixing the real bug. :-)

This is how the Windows OS grew from one CD to one DVD + a shitload of service packs full with patches that repatch patches and introduce new bugdoors without adding useful functionality and destroying 4 times as much resources due to all the bloat.

Yes, the future is bloated.

Every car will need a bloated AI machine that consumes more energy than 4 humans just to be the robo driver in our cars while people are going to be bored to death.

We quit using Windows five years ago, switched to Linux, Ubuntu, and have been loving it. We haven't had a BSOD, no virus attacks, and no crashes.

Great choice @swan-nguyen. Why pay for a platform that sucks when there are dozens of OSes available at no cost that run like a dream.

Thank you, that's what I thought!

Funny driver!

I made a comment on my other post about a password add-on that is currently being built for steemit. Perhaps that might help safeguard against phishing? Exact comment below.

I did hear on the MSP show last night that yabapmatt (witness) is in the process of building an extension for STEEM, similar to Metamask, which is an extension on the web browser that is used to store passwords and can be used on the different dapps on the STEEM blockchain. I don't understand the technical details very well, and it hasn't been released yet, but what I got out of it is that users could now save their password in this extension which will allow safe access into dapps like steemit, busy, and dtube/dlive. My hope is that with the release of the extension, users that click on a "phishing link" would know it is a scam because they are asked to enter a password. Because if the site was legit, the password would already be saved in the extension and the user wouldn't be asked! I hope that is how it works. That would require the use of a browser extension add-on but decrease the chance of phishing activities.

Sounds interesting, yet it still has the problem of the combined master key that opens all locks, instead of having only access to reset the keychain.

The problem is that the master key that can reset the keychain also has access to the wallet, right? I'm confused already... LOL But that's the point as well. This should be 100% clear to every user, even users with limited 'coin skills'.
If coins will take over then stuff like this MUST be 100% intuitive.

As in intuitive enough for teenagers and also for elderly people who start using this for the first time. RED key should NEVER be used ANYWHERE unless you need to reset the key chain. So RED key should NOT be able to POST ANYTHING EVER as that will prevent people from using the WRONG key.

In the current steemit situation people tend to log in with the main key making it easy for scammers to get hold of THAT key.

So even with a key manager like Metamask the MASTER key should NOT be in ANY manager. We should be able to store the master key offline and be sure that it NEVER is in ANY keymanager. As the key manager will else become a target for scammers. Does that make sense? My neurons are overcharged this week..

Lol, yes you are putting those neurons to good use @bifilarcoil. That would be a stinc customer service feedback. Too bad they don't have that feature. I can only imagine the type of feedback they receive on steem! Good points with the keys.

good job on educating everyone... You truly are a geek now :P ... Seriously it is an important topic and I'm glad you are letting people know about the dangers. Great job!

There is some geekness in everyone, don't you think? ;)

Some people may blame the user for clicking on an unknown link, but seriously, it comes down to user education. The more one knows about the dangers out there, the better someone can use the knowledge to protect themselves. Especially with the password usage. There are password management apps that can be used to store passwords and lessen the risk of having to input passwords, but the average user wouldn't know about all this. Heck, I didn't even know not to use my master key. I'm sure a user starting out alone wouldn't know this fact.

@beeyou you are so right... except about the geek... I don't think I ever got any of that... If I could do what I do without any tech, I'd be the first one to sign up...

Ps... if you really want to help people that don't completely get it, then realize that many of those people don't like to really read. They are picture people... And just a few at that... So if you really want to help them, see if you can do it with 3 pictures and no more than 25 words. It is a challenge, let's see if you accept it ;)

@beeyou ... you did great... You are on the top... and since you are judging me, then I have no chance... so I hope you win this one (fingers crossed) :D

Nice follow up post @beeyou! It's very important that everyone is generally aware that these phishing links will continually evolve, and that we are careful in general with anything that either looks suspicious or unusual.

Stay away from suspicious behaviors! Happy to see you took the time to write a phishing post to spread the awareness. Good job!

Thanks for posting another version as a reminder. We appreciate you helping to keep us safe!

I don't really write these public announcement posts (I really do prefer to resteem, hehe), but I see the malice happening at this very moment. Hopefully people will know to be careful, especially newbies with their passwords. Thanks for stopping by @themanwithnoname.

I didn't even know about using the posting key and not the master key until I had been here over a month. It's easy to get lost in the shuffle. That's why it's so important to connect with good people who will get you going.... and then stay on track. :D

There are many tutorials out there, but as you said, it all can get lost in the shuffle, and this applies to both human and posts. I skimmed below and saw one person had not known about the master key. Mission accomplished!

Thank you for your community service on this. ❤️ It’s always better to read these awareness posts from a trusted source. I’ll certainly pause a moment before I get too clickety-click on unknown sources or warnings.

Many of us know not to do so, but there will always be the few that fall prey. Just as in life. You didn't have to make time to read this post @linnyplant. Lol, many would have stopped at the COM post.

As long as there is money involved, there will always be people with malicious intents trying to steal it.
Thanks for the update, @beeyou. Maybe it is time to dust off my old posts considering the matter and find a way to repost them somehow. Meanwhile, I'll resteem this one. ;0)

Your post was helpful to many out there. I even used it for others to reference on my first post on phishing. I did see one person had not known about the master key, so at least I reached one person. Thanks for the resteem! :)

Mission accomplished, I'd say.
I used to dream about making a change for everyone, but meanwhile I think making a change for just one person is already worth the effort. So well done, @beeyou.
That's how one conquers the world: one person at a time :0)

Hence the need for a rock solid and intuitive key system

Thanks for the info @beeyou! Always worth repeating I think. I'm passing your post off to a couple of discord channels in the hopes of more hearing your message :)

Hey Lynn. The things people do on here. This hacker has now changed the profile picture to a "kind grandfather" look so others see a nice, kind face and have no qualms in "clicking". It's such a shame. Many of us know not to click, but there will always be one or two new victims.

Thanks Lynn. We are probably in the same discord rooms, but I never think to drop off my links in there. Lol, I'm not active much. I did resteem on newbieresteemday though, only so newbies could change their password, if they never did so. I wouldn't resteem if it was a personal post, but do feel people should be aware of the phishing scams.

Hey @beeyou 😅 Thankfully I have noticed a lot of new posts on the phishing scam as well as the abundance of flagging going on too by a certain person/persons unknown. You said it, "the things people do on here"...the grandfatherly thing is a new low though, isn't it?!

They probably decided a picture of a little kid won't work on here since users are primarily adult @lynncoyle1. Yes, new low for sure.

I've been using my Master password for everything so far. Thanks a lot for the heads up

Be sure to log in one last time with your Master, grab all your passwords, then store that Master password away! Posting key is the safest to use when doing your daily activities on steemit like commenting/upvoting.

I'm glad you found this post helpful.
