My Steemit ID Theft: Lessons, Recommendations & A Message To The thief.
For anyone who doesn't know Dwight from The Office tv show (US Version), you really should.
This post is to help others learn from my experience, as well as realize that there are many opportunities for us to help Steemit's developers strengthen their platform. My focus here mainly on drawing attention to the stolen account recovery process.
While decentralization is anonymous and great for many revolutionary reasons, it also offers unique challenges we're not all accustomed to. While phishing attempts are relatively impossible to prevent, my recent experience has shown me that there are several simple, yet significant, ways to impede the damage done once accounts have been identified as compromised. As these accounts are used to perpetuate the scheme after their money is stolen, I feel that this alone should be enough motivation to reevaluate and reengineer the recovery process.
Steemit is special in that it monetizes social media content and activity. This means that OUR time, reputation, and money is at risk. It seems obvious to me that we NEED to protect these assets better. While I didn't have much SBD stolen yesterday, it could've been 5 million SBD, and there'd be absolutely NO recourse either way. That's terrifying to me from a risk standpoint. Yes, it's a user's responsibility to not get phished, but when they do, it's way too easy for thieves to thrive. Aside from thieves quickly moving or tumbling their coins before taking them offline in a matter of minutes, your identity and reputation can be taken as well for an unknown amount of time. As some people told me via chat, it could be weeks before an account is recovered. Whether that's true or not, there aren't a lot of people who know about the process at all, or how to expedite it when it's truly necessary.
I feel that this is an urgent issue, as these attempts will not stop, and people will occasionally fall victim. After this successful breach, new thieves may be attracted once they learn of how simple it was to get credentials, and even worse, RETAIN accounts for hours, days or even longer after they've been reported. The most people seem to be able to do now is flag and block content in a reactive way, but steemd.com shows how easily the thief easily kept ahead of that (and is still at it NOW with other accounts). While efforts can be made to prevent phishing posts or links, the structure and support after account compromise seems very underdeveloped given the responsibility it bears. It actually feels inviting for phishing attempts.
Please read below for a brief summary of how I was tricked and my recommendations.
How It Happened:
With some digital forensics and network intrusion background, I shouldn't have fallen for this simple phishing scheme. I wasn't thinking clearly when prompted for my username and password after clicking on a Bitcoin post's link. I noticed a lot of blank space in the post, but ignored warning sign #1. Something seemed off when the post said to click a link for the full article, but my hands moved too fast to bring me to the crossroads of being fooled, or not. The critical mistake I made was that I second-guessed myself that I must've unchecked "remain logged in" at some point. I should've made sure of that before assuming to bring me to this screen. After seeing the poster's inconspicuous 51 rating and benign account details, I proceeded. The fake login window was identical, so click, enter info, click... huh, ohhh sh*t..., rush to reset password, password already changed by thief, SBD stolen... too late.
This all happened in a matter of under a minute. The instant I entered my login credentials, I gave the thief the keys to my account. If I'd also been a little more aware of the webpage's address behind the login, I'd have caught this, but I just woke up and wasn't sharp.
I immediately submitted a Stolen Account Recovery Request and hit the Steemit Chat Rooms to try to find someone from Steemit's organization who could be alerted of the intrusion. Nobody there. I heard that they may occasionally check the #help chat, but no replies from staff there or elsewhere over the span of my issue. Using steemd.com, I watched the thief start using my account to perpetuate their phishing scheme. There were a few other victims who the thief kept together as an upvoting/posting pack in an effort to provide credibility to their scam. This went on all day until I suppose they went to sleep. It then started up the next day with a new post theme (Ethereum). Same victim group, plus maybe one or two more new victims.
After a little more than 26 hours of checking with some very helpful contacts in the chats, I got an email recovering my account. I don't know if my chats got read by support staff, a member got through to someone for me, or Steemit IT ultimately got to my request in their queue, but it took way too long. I immediately validated and cleared the malicious content. I replaced all posts with a brief note about the ID theft to try to preserve my reputation and get some flags removed. I then thanked those who helped me, and responded to anyone who replied to the bad posts where appropriate to make sure they knew what they truly were.
I know that Steemit is young and that the development team/staff is presumably small, but change is needed. Many of the kind people who tried to help simply forwarded me the Stolen Account Recovery link and knew of no other way to reach anyone with account privileges to warn that the active intrusion was spreading quickly. While it might take a day, several days, or weeks to have an account recovered, no one knew the answer. More information should be readily available to the community.
Improvement Ideas For Steemit Staff:
An email confirmation acknowledging the reported account theft with a ticket number is a simple first step for congruence. Perhaps I'm missing something in the coding or logic that makes this more difficult or impossible, but I think it's an easy way to let the compromised user have some comfort that something is underway.
Stolen account recovery submissions are treated as a higher priority on the backend of the Steemit team where responses are expedited. This can be automated in that the email address of the original account holder can be automatically contacted to confirm this claim. If the email is confirmed by the user, then it should be an even more urgent issue to resolve to protect the community and their funds.
An account doesn't need to be restored immediately, as I understand that may take some time and validation. However, the account should immediately have its financial activity, voting and publishing rights frozen for an amount of time that's reasonable to slow down or stop an attack. No questions asked. This ensures that the thief can't do anything else with this account, and it will discourage them from trying to do this more. As of now, phishing seems like a joyride, and the thief must've been enjoying normal access rights a reported stolen account should never ever allow.
There could be a dedicated chat room with regular coverage where people can contact experts in the arena who can advise/liaise directly with Steemit staff to extinguish stolen accounts before they spread like wildfire. Steemit's blockchain holds our funds, not us. Reputation and voting power can be rebuilt, but Steem funds can't regrow unless you buy more or get rewarded slowly. In my opinion, this is critical to support from end-to-end to develop trust and advancement into the mainstream.
Develop inroads with Bittrex or other exchanges who support Steem/SBD to report fraudulent theft of funds so they can try to recover them quickly or block further actions by the account on their side. I personally made a support ticket at Bittrex with the transaction ID of the thief, but I doubt it'll lead to anything fruitful.
If an account is reported by the community or a bot as a potential ID thief, the user's original email should get an alert so they can be aware of it as a precaution. If I didn't log in for weeks, the hacker would've had weeks to have fun before I opened up a stolen account recovery request. However, I'd get an email on my phone in minutes. This is a simple protocol I doubt people will mind.
To the thief who will probably never see this, I had a picture of how to give the middle finger in various countries for you, but I'll let you use your imagination. As you're incapable of supporting yourself through honest means, perhaps it's just a function of how poorly you were raised, or the pathetic path you chose. Karma is quite a bitch.
If anyone found this helpful or can share other ideas, then I'm glad. Feel free to follow if you'd like to keep in touch. Apologies to anyone who clicked on any links my account posted while it was compromised.