It Takes But Seconds to Take Over Your Account

One curse gift I believe I have is my insatiable curiosity. I haven't really kept count of how many occasions my inquisitive mind jeopardized helped me in many aspects of life. My deep interest in answering questions, solving puzzles, or quantifying things has definitely helped me in my Steemit journey (for the most part).

_{"Curiosity killed the cat" is a proverb used to warn of the dangers of unnecessary investigation or experimentation. A less frequently-seen rejoinder to "curiosity killed the cat" is "but satisfaction brought it back". ~ Wikipedia}

If the frequency of unrelated comments you see in your posts worries you, or you get taunted by your posts making cents when the trending page is filled with contents that in your opinion did not take as much effort, and any other thing that makes you question whether Steemit is still worth your time; people who are exposed to the data get that a hundred folds over.

The title of this post is not meant to scare anyone off, rather it is meant to warn everyone about how important it is to keep their private keys safe and secured. I shit kid you not.

I was reading old posts and saw mentions of @sami100, this lead me to this post from @surfermarly where she detailed a mistake she's done in handling her keys, how @sami100 took 18 Steem Dollars from her wallet, and why everyone should protect their private key now more than ever.

After the @surfermarly post just five days ago, there's been three more victims whose money were taken out because of simple mistakes that frankly can happen to anyone. The victims are no newbies, and have for sure realized they've made a mistake almost as soon as committing them. In this post, I will detail how long it took @sami100 to take money out from the victims' account, then take over their accounts.

The @awriter Story

The latest victim made a mistake of pasting his owner key in his post where he meant to paste a YouTube video. I followed the next events that happened and will breakdown the timing for everyone here:

• @awriter published his post with his owner key in it at 2018-05-24 13:28:33 (UTC) - SteemD Transaction Link
• A transfer of 36.258 STEEM from @awriter to @sami100 was cleared at 2018-05-24 13:28:42 (UTC) - SteemD Transaction Link
• A transfer of 0.003 SBD from @awriter to @sami100 was cleared at 2018-05-24 13:28:42 (UTC) - SteemD Transaction Link
• At 2018-05-24 13:28:45 (UTC) @awriter's keys were changed - SteemD Transaction Link

In this example, 12 seconds from making a mistake is all it took to take over an account that built a reputation for 16 months spent in the platform.

The @mazharnoor Story

• @mazharnoor published a post where he pasted his owney key when he meant to share a link to a shop with great hover boards at 2018-05-21 19:48:45 (UTC) - SteemD Transaction Link
• A transfer of 0.023 STEEM from @mazharnoor to @sami100 was cleared at 2018-05-21 19:48:54 (UTC) - SteemD Transaction Link
• A transfer of 47.074 SBD from @mazharnoor to @sami100 was cleared at 2018-05-21 19:48:54 (UTC) - SteemD Transaction Link
• At 2018-05-21 19:48:57 (UTC) @mazharnoor's keys were changed - SteemD Transaction Link

Are you seeing a pattern? Here it took no more than 12 seconds between the mistake, the transfers, and changing of keys much like the @awriter story.

Protect Your Keys

I can go on with more examples and bore you to death, but if it took just 12 seconds to take over a couple of accounts, it is a process that is repeatable, and the mistake can very well happen to anyone. I took the below summary of what the different keys are for from the FAQ of Steemit which anyone can access by going to the hamburger menu and clicking on FAQ.

_{"What are my different keys for?}

_{Posting key - The posting key allows accounts to post, comment, edit, vote, resteem, and follow or mute other accounts. Most users should be logging into Steemit every day with the posting key. You are more likely to have your password or key compromised the more you use it so a limited posting key exists to restrict the damage that a compromised account key would cause.}

_{Active key - The active key is meant for more sensitive tasks such as transferring funds, power up/down transactions, converting Steem Dollars, voting for witnesses, updating profile details and avatar, and placing a market order.}

_{Memo key - Currently the memo key is not used.}

_{Owner key - The owner key is only meant for use when necessary. It is the most powerful key because it can change any key of an account, including the owner key. Ideally it is meant to be stored offline, and only used to recover a compromised account."}

If you are still using your owner key to do "ALL" your activities in the blockchain, I implore you to please heed this warning from Steemit.

How Is Anyone Able to Do Account Take Over This Quick?

Transactions are kept in the blockchain, this is how people who are doing analysis of the many aspects of Steemit, and all the other frontend applications are gathering their data. It seems like the perpetrators have either created an alarm system or run searches every so often to look for mistakes involving private keys. There's a multitude of ways to run searches for the auto-generated passwords.

@noisy covered this risk quite extensively, with possible solution in his post titled How to set an own password, which is not generated by Steemit.

You cannot be too careful with your keys specially now that there are these actors out there just waiting for you to make a mistake, and your months/years of effort all goes to waste.

Credits:

Man w/ Laptop Black-and-white Cover Photo Background - Pixabay
Sherlock Holmes and Magnifying Glass - Pixabay
Car Speedometer - Pixabay
Stopwatch - Pixabay
Cyber Security - Pixabay