How are you logging in?

in #steem, 6 years ago
Of course as a Steemian I've done my best to bring people to the platform. I've invited friends, friends of friends, relatives and of course family. My intention has been at all times to bring them into the fold, show them what this blockchain can do, what the cryptocurrency revolution is all about. But sometimes, I've failed to say some basic, basic things.

How did you just log in?

And so it happened: my brother-in-law @knightly, who has been here for some months now, mainly as a quiet account who wanted to speculate on the whole crypto craziness. He bought some tokens to give it a whirl, made some posts, and soon learnt that he could put his SP to work passively.

Being someone who has very little time to blog himself, he decided that this would be the best move. Maybe because of that, I did not explain some basic things, and maybe that is my fault.

Today, he logs into his account and we see that all his liquid funds, the ones he had been collecting from his small delegation, are gone. All gone, seven days ago to be precise.

The thief or thieves, because it could be more than one, even tried to power down the account right before stealing the funds. I think he/she gave up because it was going to take too long to extract the amount, and maybe it was not worth it.

We are sitting there scratching our heads: how did this happen? How would anyone have access to the account? Of course, right away I made him change the master password, safeguarded it and what have you, and then he logged back in, and then I noticed it.

"How did you just log in? With the master password?" Yes, that is a big, and I do mean a big, no-no. Now, I still don't know how the active key got copied, or if the master password was compromised. I doubt it, since they would have changed the master password right away, but it reminded me of this little security tip we must all know.

Never, and I do mean never, log in with your master password. Use your posting key, and your active key for financial transactions. In other words, 99% of the time you should be using your posting key and that's it.

So, lemme ask you... How did you just log in?


Great advice. This should be taught as Steemit 101.
It's very confusing when you first join, but this is critical.

Very much so... the problem is that I don't see it ever becoming too different, so if it ever becomes easier, it would not be at the blockchain level, but at a front end that manages the whole thing more easily. Now, is that safe? I'm not sure..

This is really important, but why should we have to evangelise this to fellow Steemians? Steemit Inc is actually being negligent on this by providing a loaded footgun to users.

When you design a user experience, you should design it in a way that discourages insecure practices. There is a proverb that goes "you can lead a horse to water, but you can't make it drink." A corollary is, "you can't prevent a suicidal horse from dehydrating itself, but you can make it wait by the river until it dies."

The fact that the Condenser application even allows logging in with the master password is negligent as hell. When generating their accounts, new users should be instructed to write their master passwords down and never use them again... and if they try, it shouldn't work. Extra points for forcing them through the password reset workflow after detecting the activity.

Crypto can't go mainstream until we make the necessary security practices understandable to Average Joe. We need to expect as little of Joe as possible. We need to assume that he's not only stupid, but actively acting against his own interests, because social engineering makes that not only possible, but probable; not only probable, but inevitable.

Then, we need to do what we can to empower him (in a manner as brain-numbingly simple as possible) to protect himself from himself.

I may make this into a post later. Without cooperation from Steemit and a massive security awareness campaign, an extremely large portion of the Steem userbase, possibly even a majority, is headed for complete disaster. We are one keylogger epidemic away from a mass extinction event.
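The post's rule (posting key for everyday use, active key only for transfers, never the master password) and the front-end refusal this comment asks for can be shown together. The following is an added example, not code from the post or from Condenser; it reproduces Steem's key derivation (a role's private scalar is sha256(account name + role + master password)) and, as assumptions for self-containment, takes role keys as 64-character hex scalars rather than WIF strings and the account's on-chain authorities as compressed public-key hex.

```python
import hashlib

# secp256k1 constants: the chain stores the public key of each role's private scalar.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ROLES = ("posting", "active", "owner")

def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def pubkey_hex(priv):
    """Compressed secp256k1 public key (hex) for a private scalar."""
    if not 0 < priv < N:
        raise ValueError("private scalar out of range")
    r, q = None, G
    while priv:  # double-and-add scalar multiplication
        if priv & 1:
            r = _add(r, q)
        q, priv = _add(q, q), priv >> 1
    return ("02" if r[1] % 2 == 0 else "03") + format(r[0], "064x")

def role_private_key(name, role, password):
    """Steem's derivation: a role's private scalar is sha256(name + role + password)."""
    return int.from_bytes(hashlib.sha256((name + role + password).encode()).digest(), "big")

def account_authorities(name, password):
    """Public keys the chain would hold for an account set up from this master password."""
    return {role: pubkey_hex(role_private_key(name, role, password)) for role in ROLES}

def classify_login(name, secret, authorities):
    """Return 'master', 'owner', 'active', 'posting' or 'unknown'; only 'posting' belongs in a login form."""
    # A master password reproduces every role key, so detect it first and refuse it.
    if {r: pubkey_hex(role_private_key(name, r, secret)) for r in ROLES} == authorities:
        return "master"
    try:  # otherwise expect one role key, assumed here to be given as a 64-hex scalar
        pub = pubkey_hex(int(secret, 16))
    except ValueError:
        return "unknown"
    return next((r for r in ROLES if authorities[r] == pub), "unknown")
```

A login form that only proceeds on the "posting" result keeps the master password and owner key out of the browser entirely, which is the policy both the post and this comment argue for.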

We must all remain vigilant. Is there a procedure one should know about if shit happens? Who does one contact, etc.? Maybe there is another post for you lol.

If your account gets stolen, there is a recovery method. I can teach you if need be, but there are plenty of posts about it.

However, the main thing here is: use your posting key, not your password.

I only use my posting key. Thank you.

This is very serious. What device and OS is he using?

Any idea how he got hacked besides using the master password?

No idea so far...

Posting Key.

When I joined in June, Steem 101 advice was dispensed in the joining FAQ, which was adamant that using the "posting key" most of the time was imperative, and that if I used and compromised my master password, it would all be on my own head.

Since then, I have realized there are ways to get your account back even if you lose your master password (i.e. with help), but this should never be relied on.

Sorry your brother-in-law got burned like that. :(

Interesting. I may be the least tech savvy guy on the planet, but I got the message about which passwords to use and when to use them the day I got them. I can't remember where I saw the information, but it was somewhere on the site, probably in the FAQs. Has everyone read the FAQs? Somebody went to a lot of trouble to write them. There were probably reasons for that.

I log in with my posting key, but every time I do a financial transaction and use the active key, da kaput'r wants to update to the active key. If you are not careful and accidentally click on "update" instead of "don't update", the next time you log in, the Kaputer will be using the active key. At that point the thieves are one step closer to taking your mojo. Never use your master key, because if they get that, they won't take your mojo; they will take the account.

I'm the last guy who should be offering tips, but I will anyway. Don't use your computer's auto password fill-in function. I work on a secure computer no one else uses, so I keep my Steemit passwords on an electronic sticky note on the screen and grab the one I need when I go to log in. No accidents that way.

That wouldn't work for me, but is a valid method for those with only a few accounts. Thanks for thinking along on these issues. Greetings!

I certainly don't use this method for all my accounts, only those where security seems to be of the utmost importance.

Shitttt... total bummer for him and a good wake-up call for everybody who is not yet logging in with their posting/active key!

Also scary that even small accounts are at risk!

It IS very confusing when you start... and you look at "permissions" and it seems like you have SIX passwords! "What does what?" I asked myself.

And it's not made easier by the fact that SteemConnect asks for different things, depending on which app/utility you are trying to access.

So yes, it's important to stay safe; thanks for the reminder!

Going to re-steem this.

=^..^=

Sorry to hear your brother-in-law lost some of his tokens...

OMG that is devastating! I am not even feeling paranoid with my account. I never really thought about it until now, thank you for the tip Meno!
