WARNING: Easy Potential Social Engineering Hack! #steemit -#hack + Temporary Solution
As far as I can see this hack (or rather, exploit) has not been prevented, but if I'm wrong please let me know in the comments.
I'm mentioning this hack because it was extremely effective on /r/giftcardexchange, and people have already made this mistake here.
The Hack
1. Buy a reddit account on http://www.redditsecrets.com/buy-reddit-accounts or elsewhere
2. Open an account whose name is a slight variation of the username bittrex, e.g. bittrrex or bitrrex, which haven't yet been taken, etc.
3. Wait for people to make the mistake and withdraw when they do; with a large enough sample size you can bet someone will.
This can be applied even more successfully with permutations of @openledger's name.
How likely is this to happen?
There is already a user @bitrex with whom people have apparently already made this mistake, and with whom they apparently continue to make it:
Thanks @venuspcs for bringing it to my attention that it is probably already happening with fake @poloniex accounts:
@polonix @ploniex
As more people use Steemit, the probability of such a mistake occurring will tend to 1.
How to avoid this
- Auto-fill forms, or perhaps a two-layered input that prompts users to select whether they are sending to a "user" or an "exchange", followed by a drop-down menu of exchanges. Many similar approaches are possible.
- Users can systematically copy and paste bittrex (and other exchanges' names) instead of typing them from memory.
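One way a web wallet could implement a warning of this kind, as an added example in JavaScript that is not code from Steemit or from this post: the exchange list, the `checkRecipient` function and the edit-distance threshold are all assumptions.

```javascript
// Added example: warn before a transfer when the typed recipient is a near-miss
// of a known exchange account name. KNOWN_EXCHANGES and checkRecipient are
// assumptions for illustration, not part of any real wallet.
const KNOWN_EXCHANGES = ["bittrex", "poloniex", "openledger"]; // constructed list

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters, each at cost 1. This covers the typos seen in the post
// (bittrrex, bitrex, polonix, ploniex) as well as transposed letters.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns {status: "ok"} for an exact exchange name or a clearly unrelated
// name, and {status: "warn", suggestion} when the name is within maxDistance
// edits of an exchange but is not that exchange. This is a warning, not a
// block: a legitimate user may own a similar-looking name.
function checkRecipient(name, exchanges = KNOWN_EXCHANGES, maxDistance = 2) {
  const n = name.trim().toLowerCase().replace(/^@/, "");
  if (exchanges.includes(n)) return { status: "ok", name: n };
  let best = null;
  for (const ex of exchanges) {
    const dist = editDistance(n, ex);
    if (dist <= maxDistance && (best === null || dist < best.distance)) {
      best = { suggestion: ex, distance: dist };
    }
  }
  if (best === null) return { status: "ok", name: n };
  return {
    status: "warn",
    name: n,
    suggestion: best.suggestion,
    message: `"${n}" is not a known exchange account. Did you mean "${best.suggestion}"?`,
  };
}
```

A wallet would run `checkRecipient` on the recipient field before the transfer is submitted and show the message, leaving the final decision to the user.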
#steemit #hack #money #security
In a decentralized protocol, how can the creator take control of an account? It's, in a way, the right of the guy to create a bitrex account to steal money - even if it's unethical. What could be done, perhaps, is to mitigate this strategy by tampering with the user interface in the online web wallet. Say one tries to enter "bitrex" in the field. Then a message comes out and says "bitrex is a known scam account. Perhaps you meant bittrex - the online currency exchange?" - or something to that effect....
Yes, a better approach, I agree. By take control I meant create it.
This is already a possibility with the Poloniex exchange as well.... in a quick search I found @polonex and @ploniex
Ugh, people...
It's like taking advantage of other people's dyslexia.
Quick thinking. I like this guy.
This is extremely easy to execute and potentially incredibly lucrative, so please promote this to devs.
Good post! Another thing that would help prevent this from happening would be if it saved the usernames you usually send to, so the correct one appears, like the auto-fill on Google, when you type the first letters.
Thanks Man!
Good to know ◕ ‿ ◕, good job.
You can tell from the image he sent it back
I'm John I like to scam, so I'm keeping it.
See what I mean?
Thanks!