@samstonehill has been hacked & cannot be re-accessed. How did this happen & what are the solutions?

in #steemit7 years ago (edited)

goobye me.jpg

After making the schoolboy error of entering my master key into a website which despite initial appearances turned out not to be our beloved steemit.com, I can do nothing now except watch the thief take around $3,500 worth of steem, week by week.

Anyone who has voted for this account in the last week, please withdraw your vote immediately to ensure they get as little as possible.

And resteem this article to build awareness of this important subject, especially now that the hackers are using my account to try and hack others. So if you see any messages from @samstonehill in your wallet, saying that they have detected unusual activity in your account, please just ignore it.

What about the account recovery process?

The recovery process won’t work for me because I didn’t write down the email address I used to confirm the account.

Screen Shot 2017-10-09 at 23.36.38.png

Account recovery link here: https://steemit.com/recover_account_step_1

It was my understanding at the time that we should set up a new email address for the purpose of confirming the steemit account and not use that email address again, as to protect our anonymity.

The Steemit registration guidelines were very clear about writing down the master key… which I did. But they did not mention to write down the email address used to confirm the account.

SO TAKE NOTE:

If your account is hacked you will need your master key and email address to recover it.


How am I feeling now?

Not great to be honest.

In truth I feel a bit let down by Steemit. Yes, I was the one who made the mistake by falling into the trap but it brings up three important questions for me:

1. Should the Steemit devs consider adding a function which enables them to terminate hackers' accounts immediately?

This particular hacker's account (despite having a rep of -3) is still active and most likely still scamming people. You can see it HERE

2. In this situation should there not be a system in place which prevents the hackers from so casually taking the STEEM using the power down system?

I would prefer to see my STEEM go back to the reward pool than watch a thief slowly take it week by week.

3. I followed the registration instructions without fault and never lost my master key, so is this a flaw in the current system?

It feels to me like something needs to change within the registration process if Steemit is going to prove itself to the masses as the awesome next generation social media platform which I still firmly believe it is!


Potential solutions

  • Create a warning system which sends out a message to EVERYONE in their wallets when there is a scam like this happening.

  • Add a FREEZE ACCOUNT function, entrusted to the Steemit Witnesses only, taking away the incentive for future scammers.

  • Add one sentence in the registration process which highlights the importance of not only the master key, but also the email address through which the account is confirmed.

I have passed on my story to the right people and I hope this will create some solid changes, making me the last person to suffer this experience.


It has been a tiring few days, checking every combination of name, password & email account provider I can think of. Without any luck.

Am considering seeing a hypnotist tomorrow who may be able to help me access this small piece of information which must be stored somewhere in this busy brain of mine.

Depending on how much a service like this costs? Hey…that would make an interesting steemit post!

It wasn't easy explaining to my french partner Sabrina that I made this mistake and consequently lost our savings, dramatically changing our plans for the future. In time she will forgive me.

The hardest part has been the mental challenge of letting this go and focusing my thoughts back on the things that make me feel good again... because I worked so incredibly hard to get my rep number up to 70.7 with 2,155 followers over the last 14 months.

...and now I have to start from square one again.

But I do believe that in time all of this will make sense to me and I will look back with a smile, knowing that everything happened exactly the way it was meant to happen.

It is rather fitting that my last post in the @samstonehill account was an Abraham of the day, entitled 'find a way to be happy wherever you are now!'
Link HERE

section.jpg

Haha... thanks Abe. Am doing my best!

sexy banner.png

How did I make this mistake?

First and foremost I was tired. Exhausted in fact.

I had been working hard on creating a donation account (@charitysteemit) and numerous posts (from the @samstonehill account) designed to raise money for the growing number of evacuees stuck in camps here in Bali waiting for their volcano to blow. My heart went out to these people and I pushed myself very hard to do what I could for them.

…and then (as a tourist here in Bali) I had to do a visa run to Kuala Lumpur. After working through the night I couldn’t sleep on the flight and with only a short turnaround before getting back on a plane to Bali, I decided to grab a coffee to keep myself awake. They had wifi so I logged on to find the following message in my wallet:

shot.jpg

I had never seen anything like this before, so I clicked on their link which took me to this page.

I sent them an email explaining that the 'unusual activity' they mentioned was most likely due to all the donations coming in to my account for the Bali fundraiser.

I also told them it was not good practice to hand out my master key in this manner. They responded straight away by email insisting that this needed to be done immediately in order to secure my account.

With only a few minutes left at this point and in fear of losing the money for the people of Bali, I glanced at the url of their site and it appeared genuine in my tired state. Now of course, I can see clearly it is not, with an I before the steemit.com

Full of fear and the knowledge that I had to run for my plane, I entered my master password and hoped all would be well.

By the time I arrived back in Bali 3 hours later the account's password had been changed and I was locked out.

The following day they took down my colourful banner and all personal information. I wonder if my family photo was messing with their sense of morality?

Now my account looks like this

Screen Shot 2017-10-10 at 04.15.54.png
and I can only imagine what rubbish they intend to spam people with.

Thankfully I had already transferred the STEEM & SBD donated from many generous steemians (for the Bali fundraiser) into the @charitysteemit account. So those who contributed can rest assured this money will be used as intended for solar panels & water filters.

But the money raised through my @samstonehill posts on this subject is gone now. And to those who voted for me with the intention of helping the people of Bali I am deeply sorry for my mistake. I can assure you it will never happen again.


What have I learned from this?

  • Rest more! When my body is tired I make mistakes.

  • Make use of the community! As soon as I was back in Bali and no longer under pressure to get on a plane, I found within 30seconds numerous posts advising people this was a scam.

  • Steemit could potentially have better security protocols & measures in place to disincentivise scammers.

  • Consider using sites like anon.steem to create your steemit account. They don't require email addresses of phone numbers, and the account is created immediately. But the best thing of all is that in this situation, they would verify that I am me through something as simple as a video call. And I would have my account back again.

  • As the popularity of this platform grows, so too will the complexity of these scams. And vigilance will be required at all times!


What now?

Last month I set up @samstonehilltube with the intention of sharing only my video work there, but now it will become an upgraded version of the @samstonehill account!

 ban 2.jpg

And I am actually a little bit excited about that 😄

It will be interesting to see how quickly I can build myself back up again with my 14 months of experience and the many wonderful friends I have made here on Steemit.

In Conclusion

I am determined to stay as positive as I can about this situation and I hope my that my experience ensures it doesn't happen to anyone else in the future.

On a final note I must tell you that I find it very hard to ask people for help. But in this moment I really do need your help.

My trading account investments are looking low right now yet I have no choice but to sell them all... and in around 2 weeks when this money is spent, I have no idea what we will do.

I could always go back to London and start making films again, but I would very much like to continue using Steemit in the way I was using it before... in order that I can continue inspiring you with my tales from around the world.

So, you can help me now with a simple upvote & resteem 🙏🏻

And I hope too you will follow this new account @samstonehilltube from which I will continue to provide quality posts worthy of your attention.

Blessings from Bali.jpg

Sort:  

Whilst I think websites like anon.steem which permit you to buy steemit accounts with no email address are GREAT, one must be aware of the potential problems in doing so.

Actually, you'd have been safer if you had used AnonSteem.

We recover accounts generally based on you having your original order ID and an old password, as well as some clear way to prove it's still you (e.g. your twitter, steemit chat account, discord etc.)

But, we can also recover accounts if we just know it's you. Maybe something as simple as a video call, to see you're clearly the same person from the images, and I'd happily enable recovery for the account.

I reported the phishing domain to GoDaddy last night after I got the spam to my own STEEM account, though they seem to be making new ones constantly.

You might be able to contact some STEEMIT staff, who could enable recovery for your account if they verify you through alternative means as I suggested.

@ned @sneak

I don't understand how accounts can be recovered in a trustless and decentralized way if someone is deciding whether or not they want to recover it.( based on their subjective opinion) Please explain

The account can only be recovered if someone knows one of the old passwords.

This means even though I can start the recovery process for an account made via AnonSteem, I can't actually change the key without having at least one of their old passwords.

Account recovery is something that cannot really be done without some form of trust system, otherwise let's say the hacker figures out your "secret information" you use for recovery? Well you're definitely screwed now.

It's possible for you to change your trustee, but you have to wait 31 days since the last password change to do that. You could for example, create an AnonSteem account, then 31 days later change the trustee to @steemit - which would make them responsible for recovering your account in an emergency. Similarly you could even set it to a friend.

Yeah. That's was the obvious part I was missing.

Also thanks for clarifying the trustee can be change. Such a well thought out feature that is this recovery account thing.

Thanks for your answer. What I don't understand is that samstonehill said steemit needs his email to recover the account, why ? They should only ask for old password not the email. no?

Account can only be recovered by the account recovery person and only if the master key has been changed in the last 30 days.

If the account has been created on Steemit.com the recovery person is @steemit If the account has been created by other means than steemit.com then the account recovery person can be chose by the person who create the account.

This is why anonsteem can be the recovery person. The can only change or recover the account if the password has been changed in the last 30 days. I'm not sure if I forgot something or if my explanation is 100% correct. Maybe @someguy123 can confirm.

Great and all untill @someguy123 dies and then what? I hope he has deadmans swicthes set up! sory to be so gloomy but ....like taylor swift has said, 'I dont trust nobody and nobody trusts me' so is anon steem realky better? ior is it just some guy? lol woah didnt even meam that but yeah isnt it just some guy trying to pretend he is like a company? i mean, i hope at least 2 people run anonsteem! bevcause if something happens to like theone guy who runs anonsteem and then u cant get ur account recovered, then what?

Sorry thats just my lil "hat if" scenari, juyst being a contrarian

yeah anyway I always used to ask about how the account recovery works, but i have to remind people, Steemit is not Bitcoin

we dont use proof of work, we have Delegated proof of stake, that chanegs everything when it comes to doing stuff like being ABLE to do stuff like a Wallet recovery when Bitcoin has no wallet recovery for hacked wallets... lol But imagine if Bitcoin network actualy decided to do a hard fork to reverse all transactions that were from hackers stealing funds, you could have like a hard fork of bitcoin where all contested transactions are reversed and you have a central authority to do that stuff, and thats kind of what steemit is because all the witnesses kinda know each other and thats one simple way to look at ity.....

but in reality the witness nodes are decentralized and steemit inc is just one steem gateway.... steemit inc cannot really do any more than any one person with steem account, a steem account can be created from any already created account..... and you can make your OWN steemit gateay like chainbb or busy.org .... thething is all witnesses have to agree tio run teh same software... that software has to behanded "down" from some centralized locaytion and thats steemit inc for now, am i right or wrong? I am not sure thats jjust my guess.... but it is only like that for now

in the future we will become more decentralized so that steemit inc can be shut down and we could still carry on... in fact if busy,org has a powerdown and withdrawl function... then i am pretty sure we could be using that incase steemit.com is down.... wel no bevcause it cannot create accounts i dont think? at least not for free?/? I think we would need a new gateway that can create steem accounts and tHEN we wouldnt need steemit.com/// but h,, yes its strange @someonewhoisme it seems counterintuitive at first BUT its not, its makes sense when you know how steemit works and how yes it is decentralized but the steemit witnesses all agree on everything or else we would not have consensus, but we have this sort of hivemind but its a decentralized horizontal hivemind.....
I think that you have to realize... steemit is not bitcoin and bitcoin does not have witnesses but just bitcoin miners and nodes and you dont have a centralized way to organize them all like you do on steemit where you can talk to everyone over the steemit forum...Bitcoin would need to freakin use Bitcointalk.com forums to actually communicate instructions and news to all of its network miners and node operators whil steem blockchain has this built in social media network that lets people talkto each other and also to amake announcements where the important ones get to the front page and everyone gets to see them!

So you see, that and how we are Delegated proof of Stake allows us to actually do things regular POW bitcoin cannot do! through consensus of witness nodes we can accomplish great things for the community! Its software and all software is maleable its just a question of getting everyone to agree on overall system wide changes, consensus, its magical!

that software has to behanded "down" from some centralized locaytion and thats steemit inc for now,

The Steem software is publicly hosted on github just the same as Bitcoin. Both can be fork. For now Steemit Inc are the one most knowledgeable about the code but anyone can study it. It's open source.

What you said about the fact that if something happen to the recovery partner is also true if the recovery partner is Steemit. If the person or persons controlling the Steemit account are ill prepare in case something happen to them then they might not be able to recover the account of their people. I think the recovery partner can be changed. I'm not sure. Not through steemit but through steemd. I'm pretty sure it can be changed.

If all witnesses agree to something then they don't have to conspire to make something happen, they all agree. That's what happen Steem is updated. I don't remember how many % of the top witness have to agree but the update goes through.

For some witnesses to conspire and trying to pass false transactions would be almost impossible I think because other nodes would realize what happened and then people would very soon vote those witnesses out of their place. It would also be much more complex than people realize and those people/witness would probably have to know how to recode part of the Steem code. Not realistic stuff for many reasons.

Creating Steem account almost for free is coming in the next update and if it wouldn't it would probably be an easy thing to code if Steemit Inc didn't want it but everyone else would want this feature. The thing is Steemit Inc want this feature probably more than anyone else.

why does steemit need email to recover the account?

It's a way to help them prevent the person who just steal the password to initiate the recovery process claiming they are the real owner of the account. They don't really need it if they can prove the identity of person trying to recover the account by another mean, in fact the email is far from being the best way but for Steemit it can help.

Anonsteem uses other means and other recovery partners could also use other means.

I know, it's a bit another issue but I have a question though.

Is it possible to get back STEEM I have sent by mistake to an account?
E.g. I sent STEEM to @minnowboster (https://steemit.com/@minnowboster) with one o instead of @minnowbooster with 2 o's?
I mean, there should be an option to reverse your actions within a given time frame.

the email is the second factor authentication on the identity part of the account and other security mechanisms for anonymity.

Wow! I was not aware of this at all. And I apologise for my assumption. I will amend this information immediately. Perhaps it might be worth adding this info on your main page? Now that hacking seems to be a topical issue, I believe it would make people feel safer.

This info certainly makes me feel a whole lot better, as this new account was bought with anon.steem! Thanks for your awesome service by the way 🙏🏻

And your suggested systems of proving identity make a lot of sense.

I have written to support@steemit.com and explained the full story... and I hope they will let me verify my identity with something as simple as a video call :)

Thank you for tagging @ned & @sneak here. I hadn't thought of that.

@samstonehilltube :D this is quite unfortunate, I wrote a bit longer of a comment and I'm sorry you lost your "fortune"

First of contact the team and ask them, any of the devs on chat, ned, sneak whoever on the rocket chat.

Second you've done the best already, I was tired of watching scam posts, but it is how it is, I was going to write a security 101 ... What I've learned from games is "Never tell anyone your password" privacy is important as is thinking, you basically went into the perfect storm, but next time, if steemit needs your password, what for, why would they, there is no reason, they have their accounts..

Pfishing is going on since emails exist even before that, people have been getting scammed out of property, whatever weak points you have will be exploited if there is gain to be earned .. some people are like that, anyways freezing accounts would be nice in such occasions, but I'm not sure how features would be implemented without the potential for abuse..

Just keep in mind there are many greedy and stupid people..

I'm happy you have grown so much :)

and that you have spread what you have earned, whatever is lost rarely is, I'm sure you will make it back up in no time, in the case of the account not getting recovered.

There was a famous quote from a millionaire that he can make everything back up even with a shirt on his back, I hope this is a worthwhile experience to any ego driven mind, which is all of us. Possessions are not worth anything and we have put a lot of value into a lot of objects

Ridiculous Account Security in a decentralised app..

I'm sure you will pull back, you have a beautiful life :)

Let the traps fall into themselves.

Thanks for the clarification on anon.steem and what you did. the next time i wanna register an account for someone who wants anonymity, i'll use your service.

I have used it many times. It's great! Especially now I know accounts can still be recovered without giving an email address :)

I am thankful that you have been able to get your account back! Losing all that work put into it would be heartbreaking.

This scam was discussed in the #security channel on steemit.chat. If anyone sees anything similar to this scam, simply get on steemit.chat and ask for help first. It doesn't hurt to check in the official #steemitabuse channel too. I had reported this particular scam to that channel as others had. The admins were working on it too.

This is really unfortunate. Thanks for staying positive and continuing to help others.

Thank you for your support. This really means a lot to me :)

I'm sure the steem team can nail this theif if they take the time? The amount of skilled people involved in this platform makes me sure the theief is only able to get away with it if we let them? Steemit def needs more user friendly security as soon as poss, otherwise as this platform increases stories like this will
increase tenfold as less web savvy users sign up and it will bring the platform into disrepute. Good luck! Upvoted and resteemed.

I'm very sorry to read this. I hope you can recover soon. I also think this a wrong doing. Our profiles have a lot of work.

I did a little investigation on this domain:


Created On: 2017-10-09 Expiration Date: 2018-10-09 Last Updated On: 2017-10-09 Registrar: GoDaddy.com URL: http://www.godaddy.com Registrant: Name: Ned Scott City: New York State: Ciudad de Mexico Country: Mexico
So the guy is very funny by putting @ned's name as a registrant. I will keep myself asking to godaddy's team support if there is a way to get a real name and email. He may have a credit card linked, or PayPal account, in order to buy this domain. As soon as I get any info I will let you know. STEEM ON!

Thanks so much for looking into this and sharing what you have learned! Kinda funny to use Ned Scott City as the name. Not so funny what they are up to. But we will get them off this platform one way or another.

TOGETHER WE ARE STRONGER!!

Thanks again for your support :)

I did what I could so far. I have reported the phishing website to godaddy's team support. They have a section where people can reports about this kind of websites.
In other news, some weeks ago I have installed this tool ethaddresslookup I use it to check ethereum addresses but just now I've realised that it works also, for phishing websites. As I have it within my Chrome Browser, as soon as I tried to look at this "hacker" website shows me a warning, so I recommend you try this kind of tools too.



source

I will do my best in order to help with this.

By the way I could notice a "downvote" on the answer you just gave me. This account: @accounttransfers gives you a downvote. If you check its transfer section you can see how this account is "hacking people too"
So let's stay away of this website too: LSTEEMIT.COM looks like they are part of the same robbing organisations.

I think this requires a follow-up post asap:

Screenshot-2017-10-10  samstonehilltube.png


Screenshot-2017-10-10  samstonehill.png

I just noticed that @flauwy... seems a bit suspect. Also pondering where a "test" transfer to @chron fits into the picture.

Bumped this up the comment list a bit, but my vote isn't worth that much... @samstonehilltube some odd activity is still going on....

It's all good my friend. In case you missed the news, I'm back in. The transfer to @chron was just to make sure everything worked right!

Still playing catch-up on all these lovely comments :)

Oh, it was just a test! Well, I guess we can all rest easy with @accounttransfers on the case /s

dam that really sucks. I'm here because I got a message in my inbox wallet .
I read this after I already posted a warning blog post. I resteemed your post.

tip! post

steemit scam alert.PNG

I'm really sorry man - one can be as smart as humanly possible but mistakes happen and I'm actually quite scared myself that one day I might go to the wrong google entry or link without noticing it.

But I'm glad that you try to see the positive side of it. And on the positive side - I haven't known your blog before and after watching the trailer for your new documentary ... you're very fascinating!

All the best!
wolf

Thanks for your support here and thanks too for watching the film! That is just the tip of the iceberg. I make many different kinds of films.

And am looking forward to sharing them all here on Steemit, even if it is from a new account :)

If you like - I still have free spots left on my Voting Bot list.

Currently capped at 10 Steemians and Auto-Upvotes on every new post through a Balance System (deposit once - no more url transfers)

Explained it in detail here: http://steem.link/introduction-wolfs-voting-bot

OMG, this is tough my friend - hope you still get it back somehow, their must be a change for the registration indeed, also an option for existing account to create / edit their security settings (or are their security settings)? Getting back later to you.

I think there may be a way but it would have to be a special circumstances kind of situation... which I am hoping this is!

Let us see how it plays out.

Remaining as optimistic as I can :)

Thanks for your support Uwe.

Sorry to hear that! Resteeming this so others woudn't fall in trap. It is little bit sily that Steemit can't stop payouts from hacked account. Followed you on second account.

Thanks. Really appreciate your support :)

Followed the first account and now I'm following this second account...sorry to hear about the scam but thank God for the @charitysteemit account you were able to transfer the donations. I know you will recover very fast because you have lots of friends here who really cares, we will outnumber the scammers. God bless you sir!

Thanks for following both accounts! Though for now there is only one.

Let us see how this pans out...

Yes, and it was certainly lucky that the last transfer I made out of the @samstonehil account was this donation money.

Many thanks for your kind words and support. In a way, I am looking forward to building this new account from scratch. The rep number moves much faster at the beginning!!! :)