It’s Time to Get Real: Stop Relying on Third Parties to Protect You & Your Funds. You are responsible for your security.

ktmgen (48)in #ethereum • 8 years ago (edited)

The Problem

Over the past few months we have seen a huge increase in phishing emails & phishing sites via Google/Bing ads. Along with your easy-to-detect scam sites, these phishing sites have taken the funds of too many damn users. This is truly basic stuff, team. Banks, PayPal, email providers, and more have been fighting the good fight against phishers since before Y2K was a thing. If my mom can manage to not to click a suspicious link in an email and especially not to then enter her SSN on that link, so should you.

It’s truly impressive that today, with a community comprised mostly of developers and computer-savvy folks, phishers are still managing to steal yo’ shit.

So.

It’s time to get real.

You cannot rely on a third party to protect you from these. I know from first hand experience. Every single morning and every single night for 62 days now I have sent phishing reports, DMCA takedowns, contacted people on twitter, re-written legal takedown forms in Russian, and so much more in order to attempt to have these sites take down. To date, I’ve sent 289 emails. That does not include all the online reports I’ve filed.

Google, GoDaddy, Digital Ocean, Microsoft/Bing, Bluehost, CloudFlare, Reg.ru, and so many more simply do not take action or do not take action in time. 5-7 days and 10-14 reports later, sometimes a site gets taken down. And then the phisher registers a new URL and is up and running in 20 minutes. And the process begins again.

I’m sick and tired of this. I’m sick of watching people lose their hard-earned money. I’m sick of emailing people letting them know what they did wrong. I'm sick of reading about people blaming Kraken, Google, Twitter, and everyone but themselves when they get their funds taken. I’m sick of spending more time trying to take down sites than I do building new features.

The Solution

Here’s what you need to do to protect your own ass. Because, frankly, these multi-million dollar companies don’t care about you, your cyber-money, or your safety. They are in the business of making money and will continue to focus on making money, which includes not changing their fonts to differentiate between I l 1 0 O, not changing their policies regarding taking down phishing sites, not refraining from doing business in the future with a known scammer, and not dealing with the thousands of takedown and abuse reports they get.

Bookmark your crypto sites and use those bookmarks. That includes things like: https://www.myetherwallet.com/ https://www.kraken.com/ https://www.poloniex.com/ https://shapeshift.io/
Install an adblocker that actually turns off Google/Bing Ads. I recommend going with uBlock Orgin. If you are already using Adblock Plus, it does not hide Google Ads from you. If you are the type of person who literally cannot tell the difference between the ad and the Google result, then you need to go into your Adblock Plus settings and uncheck the box that says “Allow some non-intrusive advertising”. If you have sites you do want to support (ie: reddit.com) then you need to then go and whitelist that specific domain.
Oh, and, don’t click on advertisements!!! With or without an adblocker, you should never, ever click on advertisements. Especially when you just googled myetherwallet.com to find the site, but instead manage to end up on myetherswallet.
Always check the domain when the page is done loading. Then check it again immediately before entering any information. This includes, but is not limited to, usernames, passwords, email addresses, private keys, and any other personal information. Most of these phishers get SSL certs today so it is not enough to check the SSL cert. You must check the URL itself.
Don’t click any link regarding anything crypto, money, banking, or a common service like Dropbox / Google Drive / Gmail in any email ever. And if the scammy clickbait was simply too irresistible for you, don’t freaking enter any information on the page. FYI, MyEtherWallet doesn't have a login. We don't have your email address. We will literally never email you except in direct response to your own email. You have a new file in your Dropbox/Drive/Kraken? Why not click your bookmark instead of the link from the email? Or, at the very least, click the link in the email and if it asks for your username/password close the fuck out of it and go to your bookmark.
If you have accidentally visited or typed a phishing site, clean out your recent history and autocomplete. This will prevent you from typing kra… and having it autocomplete to the malicious krakken.com.
No one is giving you free or discounted ETH. Even for completing a survey. This is a common one on Twitter these days. Why? Because people freaking fall for it and the phishing scamsters get your money. It doesn’t help that Twitter uses a font that makes all 1 l I 0 O look identical.
Turn on two factor for EVERYTHING. Go do it. Right now. Quit your excuses. Stop thinking you are too good for 2FA. Stop being a lazy asshole begging to have their funds and personal information stolen. While you are at it, if you are using the same password across multiple platforms, CHANGE THEM ALL. Email. Slack. Dropbox. Google. Twitter. Github. Kraken. Poloniex. Coinbase. LastPass. Eveything you log into needs to be on 2fa. Specifics below, especially for Kraken because the amount of failure surrounding people properly securing their Kraken account is unbelievable.

(More awesome recommendations from the comments! Thank you all!!)

Do NOT keep your funds on an exchange: There truly aren't any excuses for keeping your funds on an exchange after Mt Gox. Yet nearly 4 years later we are still watching exchanges lose customer funds due to compromised wallets, insecure systems, internal "bad seed" employees, and on and on. In 2016 alone we've seen ShapeShift (no customer funds lost thankfully), GateCoin, Bitfinex, Cryptsy, and every single one of their customers suffer. The only funds you should have on an exchange are funds you are actively trading, and no more than you are willing to lose. By the time you learn about a hack, your funds are already gone. Don't be lazy. (Shameless plug: check out the MEW help page. It'll walk you thru step-by-step) (thanks /u/Zillacoin).
If you have 2FA on everything, get yourself a password manager: ...and actually use it. I have one in my browser for non-so-sensitive logins. I personally choose not to store any private keys, ssh, pgp, or primary accounts like Google in there but it's great for ensuring you don't reuse passwords and generating secure passwords. Check out LastPass, Keepass, Dashlane, and others. Do NOT forget to turn 2FA on your password manager as well!!!!! (thanks /u/cjudge).
Use different browsers, or at least different profiles: I won't copy and paste the entire thing but read this comment by /u/mhswende, especially if you are one of those people who already do everything else on this list. You can always been more safe.

2FA your fraking Kraken

Kraken is a fun one with 2FA and is one of the sites getting hit hardest with phishers right now. So, together, let’s do it correctly. More info.

Login to your Kraken account.
In the upper right click on your name. Then click “Security”.
Change your password right now for the fuck of it. In case you were unaware, it’s a good practice to occasionally change your passwords. Oh, and don’t use the same password across multiple sites. Seriously.
Once password is up to date, click on “Two-Factor Authentication”.
Find “Account Login” and click “Setup”. I prefer Google Authenticator TOTP. Learn more about TOTP/HOTP here.
Go to your Google Auth app. Add a new code -> “scan a barcode”. Scan the QR code that’s displayed on the Kraken site. This will add a line to your app with a name, some numbers, and a little timer that counts down. Enter the numbers into the field on Kraken and the click “Setup”.
Now each time you login to Kraken you will need to open the app on your phone and type in the numbers displayed. This also prevents a phisher, even one with your username and password, from ever getting into your account.
Go back to the Two-Factor page. Setup a method for “Funding”. This requires you to use your 2FA to do any withdrawals or deposits. So even if someone gets into your account, they cannot withdraw or deposit.
Go back and add a master key password -or- edit your existing one. Here is what Kraken told me a while back the Master Key is for: ”Also I noticed that you have a master key set on your account. This is a good idea, but actually you'll need to enable the global settings lock in order for the master key to do it's job. If you check your account regularly, a short time lock, such as 2 or 3 days, should be long enough. Please note that the global settings lock prevents even the Kraken support team from changing your account settings, so be careful. Also, don't set a global settings lock without a master key-- you can always use the master to unlock settings so you can do things like add or delete withdrawal/deposit addresses, etc.”
So, the biggest issue with this key is that it is what you will use to lock / unlock your settings and do things like add a new withdrawal address. If it is the same as your Kraken password, the phishers can turn off 2fa and other things. So create one or update the existing one to be DIFFERENT than your standard Kraken password. Seriously. You can also do another Google Authenticator for this, which is recommended.
Now click on your name again and click account settings. At the very bottom, turn the Global Settings Lock “ON”. The longer the time, the safer your account is. I use 3 days as I'm always within feet of my computer. Next time you are on vacation or going to be away from trading for any extended period of time, update the time again to the amount of time you are going to be away for so you don’t have to worry about it.