Stay frosty on security

in LeoFinance, 27 days ago

Tonight I saw that one account that I have followed for years recently lost control of their keys and have lost everything they have accumulated on Hive, which was a substantial amount. This started off a discussion in a chat about security and reminded me that I need to up my game in some areas also and get some of my assets off of exchanges, because "not your keys, not your crypto".

While a little bit less convenient, I have it set up to my MetaMask wallet for transaction confirmation, which means I use it every time I harvest DeFi. This gives me another layer of security on top of what is already in place. It is really easy to do in MetaMask, by just clicking on the profile, selecting "Connect hardware wallet" and choosing which address it will be bound to.

I will get onto moving assets over in the next days as it is getting late and tired people shouldn't move crypto. But in the meantime, I ordered another Trezor One, as I have been really happy with the one I got last year, even though I only started using it a couple months ago. Actually, I ordered three - it is weird that they come in packs of three also, but I am guessing that they are also becoming more necessary as prices rise and people are looking to decentralize their decentralized assets a little further. For me, since I use mine daily and it has buttons, I also want a clean backup, just in case the one I have fails, as it takes time for delivery.

I have Ledger Nano S as well, but it is quite unwieldy in the way that it handles storage, though some people prefer it. It is good to of course have different kinds of storage media, and I also use Exodus a little as well, but that has ERC 20 tokens on there, so to move them costs an arm and a leg - so they can wait there for a while. Using the BSC chain so much of late has made me realize how crappy Eth is at the moment for daily use.

The other thing I did tonight was revoke access to any apps I don't use. I went through https://peakd.com/ for this - account actions/ authorities.

You can also set up a recovery account in there, something that everyone should do, especially if their current recovery account is "Steem" - because that ain't gonna happen.

It takes 30 days to set a recovery account and you want to make sure it is one that you trust. I trust my own, so I created a cold account that will never have its keys online and I have a couple people I trust who have the keys to it, in the case of my own demise.
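The same review of app authorities and the recovery account can be run against the account's JSON rather than the Peakd screen. This is an added example, not part of the original post: it assumes the account object shape returned by Hive's `condenser_api.get_accounts` call, and the sample account, app names and key strings are placeholders constructed for illustration.

```python
import json

# Constructed sample in the shape of a condenser_api.get_accounts result;
# the account name, app names and key strings are placeholders.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "alice-example",
  "recovery_account": "steem",
  "owner":   {"weight_threshold": 1, "account_auths": [],
              "key_auths": [["STM-owner-placeholder", 1]]},
  "active":  {"weight_threshold": 1,
              "account_auths": [["old-dapp-example", 1]],
              "key_auths": [["STM-active-placeholder", 1]]},
  "posting": {"weight_threshold": 1,
              "account_auths": [["frontend-example", 1], ["old-dapp-example", 1]],
              "key_auths": [["STM-posting-placeholder", 1]]}
}
""")


def audit_authorities(account, apps_in_use):
    """Return sorted (severity, role, subject, reason) findings."""
    findings = []
    for role in ("owner", "active", "posting"):
        auth = account[role]
        for grantee, weight in auth["account_auths"]:
            # An app whose weight meets the threshold can sign on its own.
            alone = weight >= auth["weight_threshold"]
            if role != "posting":
                # active can move funds, owner can replace every key
                reason = "app holds %s authority" % role
                findings.append(("HIGH" if alone else "MEDIUM", role, grantee, reason))
            elif grantee not in apps_in_use:
                findings.append(("MEDIUM", role, grantee, "unused app still authorised"))
    if account["recovery_account"].lower() == "steem":
        findings.append(("HIGH", "recovery", "steem", "recovery account should be replaced"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_authorities(SAMPLE_ACCOUNT, {"frontend-example"}):
        print(*finding, sep=" | ")
```

Pass the set of apps you still use as `apps_in_use`; anything reported is a candidate for revoking, and the recovery finding corresponds to the 30-day change described above.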

The reason I am writing this short post tonight is a reminder that key security is not to be taken lightly - it sucks to see people's financial hope pulled out from under them because of mistakes they made. A lot of people complain about the personal responsibility of storing keys - but it really is the only way to keep them safe currently that can be trusted - though I think there will be better options available with added security later.

When transacting, be mindful, check addresses before connecting, don't click on random links and in Discord, no one offering you quick money or ROI in a random Discord is your friend. Whenever you need to use your keys, be very fucking careful. Use Keychain or Peakd Lock rather than constantly cutting and pasting keys in, because as soon as your key accidentally goes into a comment or a post, there are bots on the lookout for it, that will take it and immediately change your master keys. Often, like the account lost I mentioned, there is nothing that can be done.
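A check that can run on a draft before it is posted, so a pasted key never reaches the chain. This is an added example, not part of the original post: it assumes Hive private keys use the WIF encoding (Base58Check, version byte 0x80, 51 characters starting with `5`) and that a generated master password is `P` followed by such a string; the sample key is built from constructed bytes and controls no account.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_C = "[1-9A-HJ-NP-Za-km-z]"  # regex class for the Base58 alphabet
# Optional leading 'P' covers the master-password form (assumption: P + WIF).
CANDIDATE = re.compile(r"(?<!%s)P?(5%s{50})(?!%s)" % (_C, _C, _C))


def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out


def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_private_key(candidate):
    """True for a checksum-valid WIF: 0x80 + 32 key bytes + 4 check bytes."""
    raw = b58decode(candidate)
    return len(raw) == 37 and raw[0] == 0x80 and checksum(raw[:33]) == raw[33:]


def find_leaked_keys(draft):
    """Return redacted hits for each checksum-valid key in the draft text."""
    hits = (m.group(1) for m in CANDIDATE.finditer(draft))
    return [h[:4] + "..." for h in hits if is_private_key(h)]


# Constructed key material for the demo only.
_PAYLOAD = b"\x80" + bytes(range(1, 33))
SAMPLE_KEY = b58encode(_PAYLOAD + checksum(_PAYLOAD))

if __name__ == "__main__":
    print(find_leaked_keys("transfer memo: " + SAMPLE_KEY + " thanks!"))
```

The checksum test is what keeps false positives low: a random 51-character Base58 string passes the pattern but almost never passes `is_private_key`.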

A lot of people end up getting caught up in the moment of it all and in such a rush to earn, they fail to secure their wallet, fail to protect their keys, their home. Even after years of doing this, it is easy to become complacent and let security slide, but use the times that others get caught out as warnings - it really can happen to anyone, so learn about security and stay frosty.

Taraz
[ Gen1: Hive ]

Posted Using LeoFinance Beta

it has buttons

Priorities XD

as soon as your key accidentally goes into a comment or a post, there are bots on the lookout for it, that will take it and immediately change your master keys

DO NOT USE OWNER KEY/MASTER PASSWORD FOR ANYTHING OTHER THAN CHANGING OTHER KEYS D:

I know you know XD

DO NOT USE OWNER KEY/MASTER PASSWORD FOR ANYTHING OTHER THAN CHANGING OTHER KEYS D:

Not even in pump and dump Discord groups?

Why would you do that XD

My owner key is buried under Jimmy Hoffa. The only downside is that I can't change my recovery account without digging it up.

I changed mine when Hive started - definitely recommended.

I haven’t seen a master key leak in months. And I doubt that other bots are faster than mine...

I am guessing most are lost in phishing scams now. I am glad that you are on the ball.

BTW, Do you know if your bot has been beaten?

most are lost in phishing scams now

Correct, even though we discouraged them enough and they continued spamming phishing links only on Steem (see my auto-reply there for users that still use the same keys on Hive).
I'm not sure how the very last phishing wave hit, we're still investigating but most likely off chain - e.g. on Discord.

Do you know if your bot has been beaten

Unfortunately (unless there's a way that I'm not aware of) I can't know in an automated way. Even if I find something that looks like a master key there's no way for me to know if it indeed was a leaked master key if it stops working even a few milliseconds before I automatically find it and try to see if it works. If I get there first I already change the keys (and send them to GP). The last week of April I plan on reviewing my code and try to optimize it even further.

Shortly after we got back from Krakow, someone got me good. I remember reaching out to @eveuncovered and she calmed me down a lot. Then @crimsonclad was a rockstar and helped me go through the recovery process. I still don’t know how it happened but someone got ahold of my keys and locked me out immediately. Luckily I had no liquid Steem at the time as everything was powered up. Either way...yeah. Be careful. I hope whomever got boned tonight somehow can recover.

Yeah it happens a fair bit. There are a couple of "big name" people who have lost their keys a couple times - which I find weird. But hey, mistakes happen and there is always an arsehole waiting to cash in.

That’s one of the negative aspects of crypto...just how many shady scuzzbuckers are lurking and scheming.

As for keys, I hope I never find myself in that position again.

You can't underestimate the importance of security! I've thought about spreading my stake here across more accounts TBH - it would make sense!

I should buy another Trezor too TBH. Handy to have a back up for sure!

Yeah it would make sense and I might do the same as time wears on - but also, I like having it together too. I guess I could delegate from a "very cool" account to my main.

Pick another for sure. Just think, if the one you have dies now, you would have to order another one and that can take weeks, especially with Covid nonsense.

That's what I was thinking of - delegating!

It might even make sense to move the whole lot to a cold account or two and delegate from that/ them.

I think I'll order a second Trezor when I do my monies at the end of the month!

There are many posted guides about changing your recovery key, but few and far between about how to change your keys. I’d guess that many people who started on the old chain are still using their old keys here.

but few and far between about how to change your keys.

I wrote a guide a few years ago for it for this reason. I think people are scared of changing their keys - rightfully so - but everyone should learn.

That sucks. Did the person say how they were able to get hacked like that? It would be good to be able to avoid that. I was just thinking the other day that I need to go through my account and revoke all of the stuff that I am no longer using. I think a lot of people left their Hive keys the same as their STEEM keys and it is a good idea to switch those up. It was one of the first things I did.

Did the person say how they were able to get hacked like that?

No, but I suspect phishing. Also, some people have authorities from years back that are not even on Hive, but never changed their keys when coming to Hive. The early authorities often asked for active, not just posting. Some even asked for owner and got it. The first thing I did also, was change my keys here.

Oh dang, that really sucks for them. Did that new Hive keyprotector service not catch it?

I'll be taking out some time to read more about jets security. I've taken it for granted for a while now because people over here hardly know what keys and cryptocurrency are about. But what if, just what if.
Thank you for the heads up.

If you value what you have, definitely take the time to learn a bit more about it.

Yes, I have heard sad stories about lost keys due to misery,
Well, I still don't have amounts so significant as to store a cold wallet, but if something needs to be done, to maintain our security, someone asks me
You have the safe keys, I tell him of course that if I already have a physical copy in the top of some trees, I hope the birds and insects or rodents do not leave me without my contingency plan, jaaaaaaaaaa that's a joke although maybe at some point it might be necessary
Everyone is talking about this as someone has the ability to enter and unwrap the leos enter metamask connect use the seed, connect BSC transfer from here to there, for God's sake imagine a 60-year-old man who has never touched a computer how he will do it. reason we must begin to train our relatives so that this does not happen.
We must also be very diligent with our teams, we do not want what today are a few things to become a fortune tomorrow end in limbo for lack of diligence.

Diligence starts at the beginning, don't wait until you "have enough" to lose before building the habit to protect what you own. I think part of the training of people entering is to make sure they understand that security is their responsibility.

In the future there will be better solutions, but for now, be prepared.

Thanks see, yes we need to be more careful with our keys.

Your post is reblogged and upvoted by me. It is a good post. Thank you @tarazkp