My Steemit ID Theft: Lessons, Recommendations & A Message To The thief.

in #steemit7 years ago (edited)

Dwight Lemonade.png

For anyone who doesn't know Dwight from The Office tv show (US Version), you really should.

Objective:

This post is to help others learn from my experience, as well as realize that there are many opportunities for us to help Steemit's developers strengthen their platform. My focus here mainly on drawing attention to the stolen account recovery process.

While decentralization is anonymous and great for many revolutionary reasons, it also offers unique challenges we're not all accustomed to. While phishing attempts are relatively impossible to prevent, my recent experience has shown me that there are several simple, yet significant, ways to impede the damage done once accounts have been identified as compromised. As these accounts are used to perpetuate the scheme after their money is stolen, I feel that this alone should be enough motivation to reevaluate and reengineer the recovery process.

Steemit is special in that it monetizes social media content and activity. This means that OUR time, reputation, and money is at risk. It seems obvious to me that we NEED to protect these assets better. While I didn't have much SBD stolen yesterday, it could've been 5 million SBD, and there'd be absolutely NO recourse either way. That's terrifying to me from a risk standpoint. Yes, it's a user's responsibility to not get phished, but when they do, it's way too easy for thieves to thrive. Aside from thieves quickly moving or tumbling their coins before taking them offline in a matter of minutes, your identity and reputation can be taken as well for an unknown amount of time. As some people told me via chat, it could be weeks before an account is recovered. Whether that's true or not, there aren't a lot of people who know about the process at all, or how to expedite it when it's truly necessary.

I feel that this is an urgent issue, as these attempts will not stop, and people will occasionally fall victim. After this successful breach, new thieves may be attracted once they learn of how simple it was to get credentials, and even worse, RETAIN accounts for hours, days or even longer after they've been reported. The most people seem to be able to do now is flag and block content in a reactive way, but steemd.com shows how easily the thief easily kept ahead of that (and is still at it NOW with other accounts). While efforts can be made to prevent phishing posts or links, the structure and support after account compromise seems very underdeveloped given the responsibility it bears. It actually feels inviting for phishing attempts.

Please read below for a brief summary of how I was tricked and my recommendations.

How It Happened:

With some digital forensics and network intrusion background, I shouldn't have fallen for this simple phishing scheme. I wasn't thinking clearly when prompted for my username and password after clicking on a Bitcoin post's link. I noticed a lot of blank space in the post, but ignored warning sign #1. Something seemed off when the post said to click a link for the full article, but my hands moved too fast to bring me to the crossroads of being fooled, or not. The critical mistake I made was that I second-guessed myself that I must've unchecked "remain logged in" at some point. I should've made sure of that before assuming to bring me to this screen. After seeing the poster's inconspicuous 51 rating and benign account details, I proceeded. The fake login window was identical, so click, enter info, click... huh, ohhh sh*t..., rush to reset password, password already changed by thief, SBD stolen... too late.

This all happened in a matter of under a minute. The instant I entered my login credentials, I gave the thief the keys to my account. If I'd also been a little more aware of the webpage's address behind the login, I'd have caught this, but I just woke up and wasn't sharp.

Following Steps:

I immediately submitted a Stolen Account Recovery Request and hit the Steemit Chat Rooms to try to find someone from Steemit's organization who could be alerted of the intrusion. Nobody there. I heard that they may occasionally check the #help chat, but no replies from staff there or elsewhere over the span of my issue. Using steemd.com, I watched the thief start using my account to perpetuate their phishing scheme. There were a few other victims who the thief kept together as an upvoting/posting pack in an effort to provide credibility to their scam. This went on all day until I suppose they went to sleep. It then started up the next day with a new post theme (Ethereum). Same victim group, plus maybe one or two more new victims.

After a little more than 26 hours of checking with some very helpful contacts in the chats, I got an email recovering my account. I don't know if my chats got read by support staff, a member got through to someone for me, or Steemit IT ultimately got to my request in their queue, but it took way too long. I immediately validated and cleared the malicious content. I replaced all posts with a brief note about the ID theft to try to preserve my reputation and get some flags removed. I then thanked those who helped me, and responded to anyone who replied to the bad posts where appropriate to make sure they knew what they truly were.

I know that Steemit is young and that the development team/staff is presumably small, but change is needed. Many of the kind people who tried to help simply forwarded me the Stolen Account Recovery link and knew of no other way to reach anyone with account privileges to warn that the active intrusion was spreading quickly. While it might take a day, several days, or weeks to have an account recovered, no one knew the answer. More information should be readily available to the community.

Improvement Ideas For Steemit Staff:

  1. An email confirmation acknowledging the reported account theft with a ticket number is a simple first step for congruence. Perhaps I'm missing something in the coding or logic that makes this more difficult or impossible, but I think it's an easy way to let the compromised user have some comfort that something is underway.

  2. Stolen account recovery submissions are treated as a higher priority on the backend of the Steemit team where responses are expedited. This can be automated in that the email address of the original account holder can be automatically contacted to confirm this claim. If the email is confirmed by the user, then it should be an even more urgent issue to resolve to protect the community and their funds.

  3. An account doesn't need to be restored immediately, as I understand that may take some time and validation. However, the account should immediately have its financial activity, voting and publishing rights frozen for an amount of time that's reasonable to slow down or stop an attack. No questions asked. This ensures that the thief can't do anything else with this account, and it will discourage them from trying to do this more. As of now, phishing seems like a joyride, and the thief must've been enjoying normal access rights a reported stolen account should never ever allow.

  4. There could be a dedicated chat room with regular coverage where people can contact experts in the arena who can advise/liaise directly with Steemit staff to extinguish stolen accounts before they spread like wildfire. Steemit's blockchain holds our funds, not us. Reputation and voting power can be rebuilt, but Steem funds can't regrow unless you buy more or get rewarded slowly. In my opinion, this is critical to support from end-to-end to develop trust and advancement into the mainstream.

  5. Develop inroads with Bittrex or other exchanges who support Steem/SBD to report fraudulent theft of funds so they can try to recover them quickly or block further actions by the account on their side. I personally made a support ticket at Bittrex with the transaction ID of the thief, but I doubt it'll lead to anything fruitful.

  6. If an account is reported by the community or a bot as a potential ID thief, the user's original email should get an alert so they can be aware of it as a precaution. If I didn't log in for weeks, the hacker would've had weeks to have fun before I opened up a stolen account recovery request. However, I'd get an email on my phone in minutes. This is a simple protocol I doubt people will mind.

I want to give a special thanks to @reggaemuffin, @patrice, @patriot and @gandalf for their personal help and guidance. The lowly thief will be their fish food soon (see below).

Two Whales 2.png

To the thief who will probably never see this, I had a picture of how to give the middle finger in various countries for you, but I'll let you use your imagination. As you're incapable of supporting yourself through honest means, perhaps it's just a function of how poorly you were raised, or the pathetic path you chose. Karma is quite a bitch.

If anyone found this helpful or can share other ideas, then I'm glad. Feel free to follow if you'd like to keep in touch. Apologies to anyone who clicked on any links my account posted while it was compromised.

school of fish.jpg

Image 1: https://me.me/i/4112055
Image 2: https://www.pinterest.com/pin/448741550353243973
Image 3: https://imgur.com/gallery/6zBWs1m
(Seeing if this might alert "@ned" to my post to help.)

~steemmatt

Sort:  

As others have said, I'm glad you were able to get your account back but you do raise valid concerns. I read a post from another users that this happened to and that's very scary. Hopefully more will continue to be done. I know @steemit made some massive delegations over the last week or so to accounts like @steemcleaners and others that help police the community. And we're talking 1.5 Mil Steem Power iirc, was delegated recently. Your bring up a number of easy processes that could help prevent this situation for becoming worse and I think freezing the account is the most crucial. I have faith the community will learn from these attempts and be able to respond appropriately as they always have in the past but they need to be suggested and brought to light and I thank you for that.

Thanks for your constructive comments! Glad my message jived.

Well the good thing is your back and they couldn't get your stack. It must have really sucked. But there are always gonna be assholes in this world. So keeo your head up, it wasn't your fault and here's a 100% for you brother. Look back to 42 rep. You will be bigger and stronger.

You're right, my silver stack is secure! Thanks for the 100% Ray. Truly repping steemsilvergold!

Your welcome buddy

Very encouraging and inspiring. It's never too late to start.

Definitely keep the majority of your account in SP or Savings. That makes stealing the money before you can recover your account much more difficult. Then don't use your master key unless absolutely necessary. Thanks for the post and suggestions. This should be discussed, and hopefully your story will help others avoid the same fate.

P.S. You reminded me to change some SBD to Savings too! /thank

These are all good ideas, but what you are asking for is the same thing that banks and or the governments use to "protect" it's citizens. When you said "the account should immediately have its financial activity, voting and publishing rights frozen" that there is exactly why people go into cryto., so it cannot be frozen by another party.

Feedback appreciated. That's regarding one of my suggestions, which I meant for a short period of settling time to stop others from having their money stolen too. Food for thought and something I personally wouldn't mind to help secure my SBD in the future for peace of mind.

There could theoretically be a command that works like account recovery but instead of changing, it just locks. So the moment you submit your request, steemit.com has your side of the authority and can together with their side of it freeze the account.

Yeah, that's what I was thinking could also be a good idea... Creating a new operation type that could immediately lock down an account if signed with the signature of any recent password, and thus also initiating the normal account recovery process.

That sounds like the best idea Ive heard today. Reggaemuffin.

That makes sense.

Upvoted and followed .... I guess we can all do that much to help a fellow steemian regain reputation. But i dont understand what you mean by master and posting passwords? I thought we only had the long random collection of digits supplied as a password when we first joined? Off now to convert SBD....

Like you my account also hacked same way how you did and i lost 156 steem which is my biggest earning on any site but with help of admin i recovered my account but didn't money because they already transferred in bittrex. I also emailed to bittrex that i know you can't return money but this memo used by hackers and if you can help check that user who is they and block them but no reply. Admin told me if you have big amounts then you can save in savings which i forget to do and that was my big mistake because if its in savings even they hacked it will not transfer immidetly and it take 3 days and till our account recover so they can't transfer there. I still can't believe i lost it. Post made with my friend account which already hacked and i thought she made so without checking i enter to see post and i suffered bad. God is seeing everything they will sure get punishment for it. They will in that situation come that even money cannot save him

Thanks for sharing this information, good for everyone to know! And thanks to you I remembered to logout, and login with just the posting key. Gotta stop using the main password altogether. Thankfully you got your account back at least, but terrible that you lost some funds.

Have a great night! :-)

I am a victim of Steemit ID Theft. This thief made 2 phishing blogs.
I went Stolen Accounts Recovery page https://steemit.com/recover_account_step_1 to request for recovery.
I logged in to Steemit Chat #tech-support and @drakos and @firepower was there and answered my questions on how to recover my account.

For more or less 28 hours, I received an email from Steemit for the recovery process.

I cannot delete the phishing blogs made by the thief. I immediately edited them told what happened and apologized.

Lesson learned.

Should be the Reputation be included in the recovery?

thanks to @patrice and @cheetah for unbanning this account.

At least they only made 2 blogs. My account made 17! Glad you were able to get your account back. Reputation doesn't seem to be included in recovery, but you can earn it back. If you contact some witnesses, perhaps they can upvote some new content for you to help boost that.

Congratulations @steemmatt! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

You published 4 posts in one day
Award for the number of posts published

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

Coin Marketplace

STEEM 0.26
TRX 0.20
JST 0.037
BTC 94544.61
ETH 3425.86
USDT 1.00
SBD 3.91