News of fake Steem Engine + compromised accounts. Be careful people! + Question about Changing Recovery Accounts


You may have seen @aggroed's post from yesterday, creating awareness among steemians that there is someone out there posing as steem-engine.com, but using a similar domain name. I resteemed it as well.

The phisher asks for your private keys on the fake steem engine site. Don't enter your private keys on this steemengine dot net site!

There were also two reports by @spaminator about thousands of accounts compromised by a botnet and blacklisted by @spaminator. They provide instructions on what to do if you are on the list of affected accounts.
https://steempeak.com/spaminator/@spaminator/fiftysats-botnet-are-you-blacklisted-and-don-t-know-why
https://steempeak.com/spaminator/@spaminator/fiftysats-botnet-more-victims-found

That looked like a Friday 13th, indeed!

I hope people will pay attention and those affected will soon get their accounts back in order!

But on this subject I have one important question (important in my mind at least), for which I didn't find an answer yet.

How can one change the recovery account?

First of all, what is the recovery account and where can you find which one it is?

The recovery account is another Steem account that can initiate the recovery of your account if you request it after your account has been compromised. For the recovery to be possible, you often need to go through a process. With Steemit, Inc., you need to send them a recent password for your account, one used no longer than 30 days ago. More information will be required to determine that you are the rightful owner.

Where can you find which is the recovery account for your account?

One way to find out which account is your recovery account is to look in steemd (i.e. steemd.com/@yourusername).

In my case for my main account it says it's @steem, meaning Steemit, Inc.

Why would anyone want to change the recovery account?

Even if it's sometimes called the trustee, it's not a matter of trusting that account owner with your account, as they can't do anything without your help, since you are the owner.

But there is a case where this matters: what if the recovery account holder becomes inactive or otherwise unreachable and your account is compromised? How do you recover your account then?

This is already an issue, and it will become a bigger one as more accounts are created by regular users who claim account tickets with their unused resource credits and use them to create accounts for others.

When they create an account using their available tickets, they are set by default as the "recovery account": a responsibility they maybe didn't know they have, didn't ask for and don't want.

Some may become inactive over time or will be unreachable when someone needs them to recover their account. Then there's a problem.

I know there is a way to change the recovery account. I just haven't found out how yet. It would be great if someone could shed some light on this issue, either by commenting here or, better yet, by implementing the necessary feature in a high-profile interface/tool.

I see @steemchiller has a nice account recovery tool on SteemWorld. Maybe a way to change the recovery account can be included, if or when he can.

EDIT: @steemchiller answered almost immediately: see how you can change the recovery account in his comment below. Obviously, you can use SteemWorld, I just missed it and looked elsewhere. :)

Also, maybe there should be an automated procedure to change inactive recovery accounts to others still active and which have performed at least one account recovery recently (not sure how long "recently" should be).
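A minimal sketch of the check suggested above, added here as an example and not part of the original post: flag accounts whose recovery account has gone quiet. The account names, the sample records and the 90-day threshold are assumptions; the records are constructed and only shaped like the account objects a Steem API node returns from `condenser_api.get_accounts`.

```python
from datetime import datetime, timezone

# Constructed sample data (hypothetical account names), limited to the fields used here.
SAMPLE_ACCOUNTS = {
    "newuser-one": {"recovery_account": "active-creator"},
    "newuser-two": {"recovery_account": "dormant-creator"},
    "active-creator": {
        "recovery_account": "steem",
        "last_post": "2019-12-01T12:00:00",
        "last_vote_time": "2019-12-13T18:45:00",
        "last_account_update": "2019-06-01T00:00:00",
    },
    "dormant-creator": {
        "recovery_account": "steem",
        "last_post": "2018-03-02T07:10:00",
        "last_vote_time": "2018-03-05T00:00:00",
        "last_account_update": "2017-11-20T00:00:00",
    },
}

ACTIVITY_FIELDS = ("last_post", "last_vote_time", "last_account_update")
MAX_IDLE_DAYS = 90  # assumption: the post leaves open how long "recently" should be


def last_activity(record):
    """Most recent activity timestamp in a record (UTC), or None if there is none."""
    stamps = [
        datetime.strptime(record[f], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        for f in ACTIVITY_FIELDS
        if record.get(f)
    ]
    return max(stamps) if stamps else None


def audit_recovery_account(name, accounts, now, max_idle_days=MAX_IDLE_DAYS):
    """Report whether the recovery account set for `name` still looks reachable."""
    record = accounts.get(name)
    if record is None:
        return {"account": name, "status": "unknown-account"}
    recovery = record.get("recovery_account") or ""
    result = {"account": name, "recovery_account": recovery, "idle_days": None}
    partner = accounts.get(recovery)
    if partner is None:
        # No data for the recovery account: cannot judge, so surface it for review.
        result["status"] = "recovery-account-not-found"
        return result
    seen = last_activity(partner)
    if seen is not None:
        result["idle_days"] = (now - seen).days
    idle = result["idle_days"]
    result["status"] = "ok" if idle is not None and idle <= max_idle_days else "inactive"
    return result
```

An "inactive" result is a prompt to change the recovery account while you still control your keys, not proof that the recovery account holder is unreachable.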




Maybe a way to change the recovery account can be included, if or when he can.


Ah, thank you! I was only looking at "Account Recovery" tool at the bottom.


Hey @steemchiller, a friend of mine has an account for which he only has his private posting key.

Is it possible to recover that account with your tool when I'm the recovery account??

If so, is there a post somewhere about how this works??


Definitely worth mentioning. So, in the meantime, the old recovery account remains active, right?

I understand the reason for this 30 days window, so a hacker won't be able to quickly change the recovery account too. Then a compromised account would be completely at the mercy of the hacker.


Thanks!

One more question. Does or should the "receiving" account recovery (the account being set as account recovery) have a say about it?

For example, I created a test account using my claimed tickets to see if I would be set as the recovery account. If I want to set the recovery account for that account from 'gadrian' to 'steem', should 'steem' have any say in this?

Steemit Inc. collects some information about users they sign up to Steem. The reason provided for the data collection is that it will be used in case of an account recovery, to prove it's you.

But what does Steemit Inc. know about the account I would set 'steem' as an account recovery for, if I created it (and that is a clear case, but I could have created an account for someone I didn't know)? How would their mechanism of verifying the ownership work then?


This account also needs to know how to proceed in case an account recovery has been filed.

So, if you add your buddy as a recovery account because he knows you, but he isn't quite savvy about Steem, you might still get in a dead end, or at least delay the recovery quite enough, before everyone involved finds out what needs to be done.

Good point about not setting @steem as a recovery account.

Well, thanks a lot! This is information good to know long before one needs it, because for now I don't particularly need it.


Thank you for listing more options. I only knew about SteemWorld.


Hi Adrian!
I didn't know that a clone of steem-engine exists, but for almost a week I haven't been able to trade... and I was curious whether it's the same for you!
It keeps giving me an error related to the date and time...


Hi! Well, I don't have any problems with steem-engine. Make sure you go to steem-engine.com, not another site. If you went to any site with a similar name, I advise you to revoke the authorizations for all applications and change your account password.


I have always gone to the address mentioned... I have been using the site since the first day it launched!
Here is what I get:
Screenshot_2019-12-15-00-13-09.png

Do you have any idea what it could be?


Can't you install Steem Keychain? It's possible that it's an error related only to using the Steem-Engine + SteemConnect combination. If it doesn't work or if you need help with Keychain, let me know.


That is a great tip @gadrian, change the recovery account if it becomes inactive or you just want another, stay awesome.


Thanks! Yeah, a reliable recovery account is important. I will probably make a tutorial tomorrow.
