image source: Avel Chuklanov on Unsplash.com · editing by me
There have been many phishing attacks lately, both on the Hive blockchain as well as our legacy blockchain, Steem. Phishing attacks are executed in two steps. First, a fake website is carefully crafted to look like a trusted website, complete with "username" and "password" fields and a login button. If anyone enters information there, it is sent to the thief who created the website. Second, people are lured to that website with promises of "Free Crypto!" and such. The biggest phishing scam at the moment is promising 100 HIVE if you click a link to "vote for my witness."
Now, seriously — does anyone actually think someone will pay 100 HIVE (currently worth about USD $32) just for a single witness vote? That could easily amount to thousands of dollars in short time, and the person making the offer would go broke. NOTHING IS FREE! But, still, people click those links, enter their username and Keys on the fake website, and lose control of their accounts... it's happening every day. 😕
Once the thieves have your account's credentials, they'll change the Keys so you can't login again and start transferring your hard-earned crypto to their own accounts. Then, they will start posting comments with your account on other people's posts. Those other people will say, "Oh, Maria shared a link in a comment. I know Maria, so her link must be trustworthy!" and then they click on it, too, and lose their accounts as well.
By the way, if you click a link to a fake website and voluntarily enter your login credentials, you were not "hacked." Hackers break into websites, quietly, and swipe tons of data from many users, all at once, when no one is looking. If you drive to the market and hand your car keys to a stranger, telling him that he can use your car while you shop, you can't tell anyone later that you were "carjacked" — you voluntarily handed your keys to a stranger. That is exactly what is happening if you fall victim to a phishing scam.
You were not "hacked" but handed your Keys to someone else, voluntarily.
If one falls victim to a phishing scam, what should one do?
If you suspect you have fallen victim to a phishing scam, the first thing to do is to try to beat the thief to the changing of credentials for your account. This involves generating a new Master Password, a seed from which a new Owner Key, Active Key, Posting Key, and Memo Key will be derived. To do this on the enhanced PEAKD interface to the Hive blockchain, go to your blog page, click on "Account Actions," "Keys & Permissions," and "Change Password" as shown in the screenshot below:
Users of the enhanced ECENCY interface will find a similar screen by clicking on "Settings" and "Change Password." Users of the default HIVE.BLOG interface can find the page under "Wallet" and "Change Password."
The thieves usually act quickly, so you should attempt to change your Master Password and Keys as soon as possible after visiting their fake website. Otherwise, they will lock you out of your own account.
What if I am locked-out of my own account?
The HIVE blockchain is decentralized. That means there is no one central authority, no one person "in charge" of things, no big company overseeing operations. We, the users of the blockchain are "in charge," every one of us, by the votes we cast for witnesses (similar to what some other blockchains refer to as "Block Producers"). So, there is no single authority which can help us recover our account. However, we have an Account Recovery operation built into our wonderful blockchain!
To utilize this option, however, it is necessary to designate someone ahead of time that will assist you, should the need arise. This is referred to as your "Recovery Account" and should be the username of a trusted friend, witness, or project on-chain that can come to your rescue. This is similar to giving a key to your house to a neighbor, in case you're ever locked-out of your own house. After you're locked-out, it's too late to give that spare key to anyone.
By default, the Recovery Account is probably set to the entity that created the account for you. This could be PEAKD, ECENCY, TIPU, 3SPEAK, or any number of other projects on-chain, and all of them will be happy to assist you if you are locked-out of your account. To check the setting for your Recovery Account, visit the HiveBlocks.com site, enter your username, and scroll down the left side-bar until you see:
HOWEVER...
In order for anyone to assist you in recovering your account, it is necessary that you have the Owner Key to your account! In fact, this is the only time your Owner Key should be used, when proof is required that you own the account during a Recovery process. If you do not have your Keys saved, I advise that you get them now! As stated earlier, you should have a Master Password, a seed from which a new Owner Key, Active Key, Posting Key, and Memo Key are derived. You can see them on the Wallet page on HIVE.BLOG, the Settings page on ECENCY, and the Keys&Permissions page on PEAKD.
⚠️ On 20-Mar-2020, the Hive blockchain forked from the Steem blockchain. Anyone who had an account on Steem prior to that date probably had @steem as their Recovery Account, by default. Those settings were copied to Hive when the Hive blockchain launched. Your Hive account should now have a different Recovery Account set, as Steem will not assist in the recovery of a Hive account! So, change that now if you have not already done so! Several users have recently lost their accounts, permanently, because of this very thing, still having @steem set as the Recovery Account on Hive.
Also, do not set your Recovery Account to yourself! Two users on Hive have recently lost their accounts by doing this. Setting one's own self as 'Recovery Account' is similar to writing your own name on an "In Case of Emergency..." form. If you are hospitalized in an emergency, who should the doctors contact? Instead of a family member or friend, you tell them to contact you! 😬 Always be sure that your Recovery Account is set to someone else, not yourself!
Trusted witness and developer @arcange has automated the Account Recovery process for anyone who chooses to use his service. Detailed information can be found in his Hive Account Recovery - User Guide. Anyone not wishing to use Arcange's automated recovery service can use any other service, project, or person they wish, however be sure that is is:
- someone you trust!
- someone who is able to identify you with certainty!
- someone who will not be leaving the blockchain!
- someone who will be available when you need them!
- someone who knows how to execute the custom recovery code!
If your Recovery Account falls short on any one of the above requirements, you might be stuck with an unrecoverable account! The following screen shows how to change your Recovery Account via the PEAKD interface. You can also set your Recovery Account on HiveTasks.com. But, the easiest way, imho, is by using Arcange's automated Hive Account Recovery service.
Once the Recovery Account has been changed, there is a 30-day waiting period for it to take effect. This is to mitigate abuse of the system.
It is a good idea for everyone to review their Recovery Account information periodically, to make sure it is up-to-date. If the time comes when you need it, it's too late to fix it then!
16-Jul-2021
This is very informative. I was wondering what if I created a second account just for recovery purpose, would that be advisable? Thank you for sharing!👍
Ahhh... so the key is to understand the process of account recovery first. Thank you for sharing!🙏
Just came across this post now but I really can't see myself leaving without thanking you immensely for this great informative post.... Thanks a lot.
I haven't even explored this side of the Blockchain but with these information, I'll surely do what's expected of me
You should absolutely add to the list of characteristics that the recovery account must have "someone who is able to identify you with certainty"!
I explained why in detail in this post. This point is important and is often underestimated.
That being said, thank you for the shout out about @hive.recovery
Thank you for the feedback! I have added "someone who is able to identify you with certainty" to the post!
Don’t go over the links of the crooks!
Better give them that answer!
gotchanose!
This is an extremely valuable reminder, and I would like to add one thing to it:
NEVER even use your Master password to sign in ANYWHERE!!!
The Owner's key and the Master password should ONLY be used for account recovery as you have clearly stated, that way if anyone does accidently click on a fake link, the thief may get a little out of your account, but you can recover it quickly and change the keys and password. But if one does use his Master password, as this is exactly what has been happening, the thief changes the account keys and password and bye bye account with all of it's assets.
Another option for those who may not have someone on the blockchain that they are close to and trust, is to create an account just for their recovery account. They can give the credentials/login information to a trusted friend or family member outside of the chain instead.
This is what I did as soon as I left Steemit and received my Hive account. My husband has all of the information and instructions he needs to recover my account should that be a need.
Good advice and I hope people take notice. I expect the phishing crooks have automated their activities, so they may change your keys immediately. It may be that some people have not given away their keys, but they have giving their posting authority to a rogue site. You can revoke those in peakd. Too many people have lost their accounts and we have to raise awareness of the risks.
!PIZZA
Oh hey Steve!
Problem with being online is that people can follow you around. Now you've scared the cat!
😆
@thekittygirl! I sent you a slice of $PIZZA on behalf of @steevc.
Learn more about $PIZZA Token at hive.pizza (4/10)
I am gonna reblog Ofcourse
My friend was a victim of this, she just decided to create a new account
Sorry, out of BEER, please retry later...
Thank you for giving us this information about what is happening now, as it will be very helpful to those users who do not know about this.
I am sorry kitty unblock me from discord please
thanks. useful.
fear that, due to decentralization, this trend is getting worse and worse, driving users away instead of attracting them
This is the nature of decentralisation, the user has to be responsible for his/her own affairs
Yes... you're right.
Like all drivers need to be responsible, but if everyone starts driving badly and you can no longer walk peacefully on the sidewalk, the city becomes unlivable or, in other words, it loses points of appreciation.
I think the drivers are driving badly on the road but they're not on the sidewalk. You can ignore these bad drivers. Perhaps a more appropriate driving analogy would be there are many bogus taxi drivers offering fake free rides, people jump on board and end up getting robbed. If they just ignore these bogus taxi drivers and stick to the proper licensd taxis and public transport, they will be ok
Correct.
My analogy pointed more to personal safety. cars can get on sidewalks and run you over.
"Make an attempt on your life".
But yes... your example is more pertinent to the issue
The rewards earned on this comment will go directly to the person sharing the post on Twitter as long as they are registered with @poshtoken. Sign up at https://hiveposh.com.
Very important and it’s sad that we need to repeat this (because of bad actors continuing to try to exploit victims). But everyone needs to take some care to secure their own account keys.
It's sad we need to repeat, not because of the bad actors, but because people aren't vigilant enough no matter how many times they are told. Sadly some can't resist clicking on links that offer free money or airdrop
I agree, phishing is not hacking. However, it is fraud.
Buena información, nunca sabemos quién anda con malas intenciones 🤔
Reblogged! this needs to get to many hive users especially the newbies who knows little or nothing about phishing links, it was last week a friend of mine complained to me that his friend lost his hive account as a result of this phishing links spreading around....
This post has received a 100.00% upvote from @fambalam! Join thealliance community to get whitelisted for delegation to this community service.
thank you for this very informative post. People think because the monster long passwords that they are safe and it's not totally true. Careful out there!
I went to Hive Account Recovery - User Guide and tried to do the change recovery acct and all I got on the site was a pink box saying it didn't work. I'm too illiterate at this stuff to figure it out. I saw someone else had tried and gotten the pink box but no one had responded to the request for help.
I am sorry to hear you received an error. What did the error in the pink box say? Maybe @arcange can assist you if he knows which error you received!
I gave up and closed the try. I'd have to try all over again. I did see on that post @arcange made that someone else had the same problem but got no replies to their request for help, and that was last year.
I decided to go to the site and enter your name to see if I could find the error, but the pink box did not appear. This is what I saw, that your Recovery Account is @steem and then the red button to click for changing the info. 😕 That is what should be showing for you, too!
Yes, I got that far, and it asks for your master key, which I entered. That's when the pink box appears. Thank you for your help!
There are 3 things to do on that page:
Then, the "SUBMIT" button should no longer be grayed-out, but clickable.
See if that works for you, please!
I did all of those things, and then the pink error box appeared. I tried it 2 or 3 times, in case I'd made a mistake, same thing each time. I appreciate your helping me!
Was there any error in the "pink box"?
Can you provide us with a screenshot?
As mentioned in the user guide, support is provided on Discord rather than using comments on posts.
Oh! I missed the reference to Discord. I will try again and post on Discord. Sorry! Thanks for the reply.
Very useful and interesting information. Reblog for difussion. Thank you @thekittygirl for this valuable contribution!🤗😘🌹
This is such great advice! Thank you for taking the time to put out this announcement!
Thanks for the reminder, almost no user knows this and it is one of the most important things to do! Why isn't there a reminder from frontends like peakd to change the recovery user? That would be very helpful for new users like me.
oh, I didn't know that! I've been around here for a few months now, it's still hard for me to distinguish between steem and hive as well
Your content has been voted as a part of Encouragement program. Keep up the good work!
Use Ecency daily to boost your growth on platform!
Support Ecency
Vote for Proposal
Delegate HP and earn more
Hello. Excellent advice and reminder. I have already switched my recovery account from Steem. I will reblog your post to spread the word.
Thank you for taking the time to compile this article for all members of Hive.
Take care and have a good week ahead.
Thank you!
Valuable information!
Wow, nothing comes for free, thanks for informing me