A conversation with Steemit HACKER @accounttransfers & IMPORTANT SECURITY SUGGESTION for EVERYONE!

in #steemit · 7 years ago (edited)

[image: steem power protection]

After the ordeal of losing my account for 5 days to a hacker who used it to scam others, only to unexpectedly regain control of it yesterday, thanks to the awesome human side of Steemit Inc who, despite their decentralised system, were able to send me an email with a link that let me get back in and change my password... I have learned many things.

Since getting my account back I have changed the password twice already. And it will be changed regularly from now on.

This whole experience has made not only me, but the entire Steemit community & system behind it STRONGER as a result.

To learn more about exactly what happened and how to avoid falling for their trap... read my post HERE

Over the course of five days I watched my account go from the original banner to the three screenshots taken on 9 October at 22:01, 10 October at 04:15 and 10 October at 23:33.

It was not easy seeing this happening, knowing that I had brought it upon myself by making a silly mistake when I was very tired and under pressure to catch a flight.

Clearly I won't be making this mistake again.


When the dust settled I decided to open a dialogue with the owner of the account which scammed & hacked me, @accounttransfers, using the same system he was using: sending 0.001 SBD to his wallet with my message in the memo.

I felt instinctively drawn towards thanking him

because in this moment I am genuinely grateful for what has happened.

  • A bot has now been created by @arcange to warn people when they are being scammed, using this same wallet message system.

  • The Steemit community has been made more aware of this type of scam and will be vigilant now. Assuming they take the time to read other people's posts... which clearly we must! Over 1000 people have read my article on this subject in the 48h since I posted it SEE HERE

  • The wording of the steemit account creation process is clear that the email address will be required if your account is ever compromised.

[screenshot: account-creation wording, 9 October 2017]

14 months ago when I joined Steemit, the wording was different and I set up a new email account with a random name and a random password, exclusively for the purpose of confirming this Steemit account... and I never used this email account again.

When my Steemit account was compromised I was unable to remember any details of this email despite my best efforts, making the standard account recovery process impossible for me.

One important fact has been made crystal clear for me as a result of this (thanks to @firepower):

If I log in with the posting key and use the active key only when transferring funds, the master key stays offline as much as possible, which ultimately makes the account safer.

Please contact me in the comments below if you are in any way confused about how to access your active & posting keys.

[image: Matrix Steem gif]

USE STEEM POWER TO PROTECT YOU!

Steemit has been designed in a very clever way... to protect us.

The hacker was unable to take anything from me because it was all held as STEEM POWER.

The first STEEM payment comes 7 days after hitting power down, which gave me enough time to resolve this before he could take anything.

In truth there were a few SBD in my wallet which he used to spam people with. But at 0.001 SBD per spam, this didn't cost me much.

So, the moral of the story is this...

Don't keep STEEM or SBD sitting idle in your wallet.

  • If you have STEEM and you don't intend to sell it for BTC, power it up now!

  • If you have SBD, sell it for BTC on an exchange of your choice and if you're wanting to power it up, you should sell the BTC for STEEM, transferring it back to your wallet before powering it up.

To clarify...

Hit the down arrow next to your SBD total and you will see this

[screenshot: SBD drop-down menu, 12 October 2017]

CONVERT TO STEEM is a fast and easy option but you will not be getting the best rate of exchange. Hence my suggestion to use an exchange/market of your choice.

Each exchange varies slightly, so if you're really keen, have a check around for the best rates. You can see above that Steemit offers a market of its own, which would be the first place to check.


What was my conversation with @accounttransfers?

I sent him a little gratitude as you can see here... and a suggestion which I genuinely believe would help him.

[screenshot: my memo to @accounttransfers, 12 October 2017]

His response was this:

[screenshot: his reply]

He clearly doesn't have access to my account but after a little research I understood better what he was saying and how this was achieved.


Consequently, I strongly suggest you all change your passwords now.

I didn't respond to his comment as I didn't feel like there was much more to say at that point! His implication that I am stealing your donations for the evacuees of Bali is laughable, given the visibility of our wallets. And you can be sure that I will document the entire journey from STEEM to solar products & water filters, photographing the smiles on their faces when they are handed over to them 😄

After not responding, he messaged me again with the following words

[screenshot: his second message]

Well isn't that lovely of him. Good to know we are mates now!

In truth I have nothing against him, as is my way. I cannot know his experience of this world and do not judge him. However, I am still curious to know his motivations.

So @accounttransfers if you are reading this...

Perhaps you would like to leave a comment below explaining to the community why you are doing this?

Please understand that you are in one of the most loving and open-minded communities on the internet, and if you tell us your perspective we may even come to understand & support you.

Especially if you put on the WHITE HAT and use your skills to improve the security of this platform. I have seen others achieve huge pay-outs doing exactly this.

Looking forward to your response :)

Sam

Over & out for now...

[image: Blessings from Bali]

Hacking code gif source. The STEEM MATRIX gif was created by me and you are all welcome to use it as you please.


Glad you got this sorted out, whilst educating the rest of us with what you've learned through experience. Upvote earned!

Thank you for your support! Indeed, valuable lessons learned by all. And we are stronger as a result :)

For those of you feeling like you need a better understanding of how Steem keys (ie Passwords) work, you should check out this post by @dragosroua

The threats made by the hackers to have claimed 7000 passwords should not scare you either. They don't need to try and attack Steemit.com to gather passwords when the Steem blockchain itself is public knowledge.

Anyone can attempt attacks on the blockchain to uncover private keys, that's why your keys are a crazy long number that you don't get to pick on your own.

They're that long and unmemorable so that they are extremely hard to crack. We're talking millennia at this point in our technological state to just crack one. So the claim that they've now compromised 7000 accounts as part of the recent ddos attacks is laughable.

The only way that any hacker is going to get access to your account is if you actually give them your key. That's why it is so important to make absolutely sure you know what site you are on whenever you are using your active or owner key.

Wow! Great info here. Thank you. I am still learning so much every day thanks to people like yourself 🙏🏻

Happy to help my friend. I was so glad to see that you were able to get your account back. Also very glad to see you kept your Steem powered up. That's definitely another huge boon for the Steem blockchain that makes it stand out against the others. It's a killer feature to be able to protect your assets from being instantly withdrawn in cases just like this.

PS- I'm still looking forward to the video where you show us how to make a spinning staff like yours and some initial steps to get spinning in the right direction :)

If anyone's interested, I did a follow up post that gives a better picture on the kind of time frame we're talking to actually try to hack your private key. How Long Would it Take to Hack Your Steem Password

Thanks for sharing the other post. It was appropriate and very helpful! I posted a long reply over there too to further dig into this key issue and how best to share account security tips with new people.

Definitely, he did a great job with that post and the more people that see it the better. It really is one of the trickier things for new folks to understand especially when this is usually their first interaction with any kind of blockchain.

In truth I have nothing against him, as is my way. I cannot know his experience of this world and do not judge him.

I have the same philosophy. It's always easy to hold but it's the one that makes the most sense in my opinion.

It is a sound philosophy, just difficult to implement in the moment when the heart-rate is high.

Labels like good and bad are always perspective based. Makes me think of something Esther Hicks said to demonstrate this. Upon seeing her cat eating a bird she shouted "BAD CAT!" and the cat replied, "Good bird!"

Same event. Opposite perspectives. And who is to say which one is right or wrong?

But.... if he's actually stealing people's money, then it's a bad thing. Hasn't actual money been stolen from people from these hacks? Theft is a serious issue and should not go unpunished.

Yeah, he's just pushing buttons at the end of the day, pushing buttons on a computer and typing and clicking. Makes you wonder, since there's no actual physical violence in this sort of theft and the OP actually gave away his money when he gave away his master key... what if someone sells their Steemit account for Bitcoin and then does an account recovery? Hmm, lots of problems we should probably troubleshoot and think out before they happen in real life! Anyway, yeah, what if this hacker is super poor and literally has no other way to make money?

The "hacker" (and we shouldn't give them that mantle as they did not create anything special here, just a lame phishing attack, more of a scammer) seems young and was led to believe maybe that they wouldn't be able to make much money in their world unless they sold drugs or something, so this is his way to make money without a risk of going to jail or getting hurt, or so he thinks, but someone will easily track him down one day and he will get hurt, because the world is not like it was with identity theft and people will hire other black hats to track them down and it's crazy the darknet markets have people ready to offer any service for money! Which didn't exist before, you couldn't offer services online for money because there was no safe way to actually accept or make payments online, but now with crypto that's been taken care of, using Monero........ but now people can actually pay to track people down etc.

Anyway this hacker is funny, he tried to act like he "gave the account back" to be nice or something, so funny.

But yeah, you being open-minded about this will earn you many followers.

ALSO I'm GLAD this came up to help Steemit users have better security AND to remind people not to fall for this stuff, since Steemit doesn't use messages like that for any important things! I've been WONDERING about account recovery and ALSO it's a REMINDER for all of us to change our passwords often and to keep our private keys and master keys very safe and backed up in multiple physical places etc.

Alright thanks again for the posts VERY happy you got your account back!

I bet your partner is relieved lol, you were like "She will forgive me in time", sounded bad lol. Glad you're back in business! I hope you've learned your lesson about keeping all your money in ONE wallet, I hope you now have some money in Bitcoin in a wallet on your smartphone or laptop like Exodus and backed up multiple times... OR just use openledger.io to keep some BTC, and maybe you should also just use your secondary Steemit account you started using for a lil while there, hey you should use that one, put some SP in it and use it as a backup! Always good to have another Steemit account with some Steem Power and money in it JUST in case!

The "Transfer To Savings" is where you are supposed to move Steem or Steem Dollars that you intend to hold for a while. It takes 3.5 days to get those out of savings, and what I understood was that this was supposed to be enough time to recover your account if you need to.

But it appears that 3.5 days just isn't long enough in many cases.

Thanks for sharing your whole experience and what you have learned with everybody.

This is true. Keep the majority of your money in SP then. I only keep SBD and Savings when I know that money will be needed in the near future to pay for some service or give to some charity. Right now I have almost 1K in it, but it is because I'm preparing to pay a large bill in the near future. :) Otherwise, I would never have that much in SBD.

Good point. Though as you say 3.5 days may not be long enough. It wouldn't have been long enough in my case... though this was a slightly different situation to the norm. Assuming everyone else has access to the email with which they set up their account.

Thanks as always for your support & encouragement 🙏🏻

It looks like he had a few other responses that were missed as well. At this point, I don't know that he/she/they could ever be trusted as a white hat, especially as that is what they are claiming to be now.

[screenshot: the other responses]

Thanks! I hadn't thought to include the message in the @samstonehilltube acc. There is a certain irony to a scammer calling me a scammer.

As I have said, the wallets are visible to all and one only has to look in the @charitysteemit wallet to see their donations. When the donations are moved from this account, shortly after this I will do a post showing exactly what was bought. How is this a scam???

Anyway. Clearly an unhappy individual, whatever hat he claims to be wearing.

Hope he takes my advice and starts meditating regularly.

Yeah, it seems like he is claiming that you gained a lot of upvotes from the ordeal, which might be true, but I would not say that you are not under any obligation to return any funds gained from voluntary interaction such as upvoting and voluntary transfers.

If you can, try to keep up the conversation with him. I think you may be the right type of person for the job. I can come up with some questions.

Here are some:

Since you are a white hat, would you mind telling the type of target you were after?

How many accounts have you created on Steemit with the intention of using them as a platform to lure victims?

How long do you post and resteem under these accounts in order to establish their legitimacy?

Can you give us some examples of the different types of attacks you carry out from your accounts?

For the spoofed website which you got me with, what are some good pointers that users should look out for in order to ensure the website is legit?

You mentioned not to use the master account key, can you explain that in layman's terms so that novice users will understand it better?

Yeah, I'm not buying it either. The question I have is why Steemit.com hasn't shut that account down. Why leave the guy alone? Are they just trying to be nice? Who is behind it? Am I wrong to think the account should be shut down?

I think that because of what steemit is, is why they do not shut down accounts.

Is there an Etiquette Guide for Steemit?
There are no official rules for participating on Steemit.com, but one of the users @thecryptofiend has created an Etiquette Guide for the community. While it is not required to follow the suggestions in the guide, they are standards that many users in the community choose to follow.

There simply are no official rules. Also in the FAQ it reminds people that:

Accounts can not be deactivated or deleted. The account along with all of its activity is permanently stored in the blockchain.

I know with the normal safety that people expect for others taking care of us that this seems strange, but steemit really does mean that people need to own their mistakes and their actions. This is not Las Vegas where what happens there stays there. This is steemit, and it is open for the world to see, your actions good or bad.

Thanks for your suggestions here. Sorry for my slow response to them. All great questions... and I will do my best to re-open the dialogue which has been silent for a week now.

If not, don't feel compelled to do so on my behalf. I doubt they would answer those questions.

I am so happy you are back on track ...thanks for all this info very handy and good to know because you never know it's a tough world out there and some just like to take it the easy way :)

Wow the openness of this blows my mind...
Thanks for the heads up

Very useful post,

When you change your password, do you also get new passwords for posting, active, owner, and memo?
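The key hierarchy the post recommends (posting key to log in, active key only for transfers, master key kept offline) and the question above about whether a password change regenerates the role keys both come down to the same thing: in Steem, each role's private key is derived as sha256(account_name + role + master_password), so changing the master password replaces all four keys at once, and giving away the master password gives away every role. The following is an added example written for this page, not code from the post or from Steemit; the account name and passwords are constructed placeholders, and the derivation mirrors the published steem-js / steem-python behaviour.

```python
import hashlib

# Constructed sample values for illustration only (not anyone's real credentials).
ACCOUNT = "exampleaccount"
OLD_PASSWORD = "P5ExampleOldMasterPassword"
NEW_PASSWORD = "P5ExampleNewMasterPassword"
# The four key roles a Steem account has, from most to least privileged.
ROLES = ("owner", "active", "posting", "memo")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_encode(raw: bytes) -> str:
    """Bitcoin-style base58, the alphabet Steem uses for WIF private keys."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def private_key_to_wif(secret: bytes) -> str:
    """Encode a 32-byte secret as a Steem WIF string (the '5...' format):
    0x80 version byte + secret + first 4 bytes of sha256(sha256(payload))."""
    payload = b"\x80" + secret
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return base58_encode(payload + checksum)


def derive_role_key(account: str, role: str, password: str) -> str:
    """Steem/Graphene derivation: private key = sha256(account + role + password)."""
    seed = (account + role + password).encode("utf8")
    return private_key_to_wif(hashlib.sha256(seed).digest())


def derive_all_keys(account: str, password: str) -> dict:
    """All four role keys that a single master password controls."""
    return {role: derive_role_key(account, role, password) for role in ROLES}


def keys_changed_by_password_change(account: str, old_pw: str, new_pw: str) -> list:
    """Which role keys differ after a master-password change (expected: all of them)."""
    old, new = derive_all_keys(account, old_pw), derive_all_keys(account, new_pw)
    return [role for role in ROLES if old[role] != new[role]]


if __name__ == "__main__":
    for role, wif in derive_all_keys(ACCOUNT, OLD_PASSWORD).items():
        print(f"{role:8s} {wif}")
    print("rotated by password change:",
          keys_changed_by_password_change(ACCOUNT, OLD_PASSWORD, NEW_PASSWORD))
```

Because the role keys are derived from the master password rather than stored alongside it, logging in with only the posting key means a phished or leaked login exposes just that role, while the password (and therefore the owner key) never leaves your offline copy.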

very useful information for someone like me who is new on this platform.