HMQ token withdrawal: why you should do it quick! (and from a WiFi you trust)

Humaniq.co is a beautiful project about bringing security and blockchain standards to a network of billions of unbanked. It run a pretty successful ICO some time ago rising the equivalent of USD 5M in bitcoins and ethereum. HMQ is an ethereum based token.

You must withdraw your tokens quickly:

• The function will be disabled by the 22nd of June, after the process will be much longer
• The sign-in form on humaniq.co is un-secure, so after you log-in you must execute the withdrawal as soon as possible or at least enable 2FA (and next time activate 2FA immediately!)

You can see a screenshot here of the page inspected revealing the un-secure form:

The humaniq.co website has an https certificate BUT the sign-in form has not, this means that your information will be sent in an un-secure way. I honestly don't know how much a man-in-the-middle attack is worth on the HMQ tokens but it is definitely doable: this is the exact same scenario which I learnt at first going through Moxie Marlinspike materials at defcon 19! Here is the link to the original presentation: https://www.defcon.org/html/links/dc-archives/dc-19-archive.html#Marlinspike
Actually the fact that the form is not even over https makes it much simpler.

If you are a HMQ token holder you have received the instructions on how to withdraw the tokens; MyEtherWallet is an Open Source project which will guide you through the process of creating your own Ethereum wallet. ETH address is also good to deposit the HMQ tokens.

In the end if you are curious the DEFCON conference material is a good starting point!

Now that you know, be quick and do your operation from a WiFi you trust and cannot be compromised;) If you have questions tweet me @th_s4m0ht!

Cheers and keep it safe