OWN IOTA? YOU NEED TO TAKE STEPS TO PROTECT IT!!! HERE ARE METHODS TO HELP!!!

in #iota, 7 years ago (edited)

As more money flows into crypto, there's inevitably more shady muthafuckaz workin' to get their hands on it in not-so-cool ways.

Whether the motivation is strictly profit, or partly just the challenge of seeing who they can outsmart, hackers are on the prowl.

And, some just managed to walk away with millions worth of IOTA:

Emptied IOTA Wallets: Hackers Steal Millions Using Malicious Seed Generators

The IOTA community has recently been hit with a bit of drama, as some individuals have been left with their wallets drained due to malicious websites providing users with a new wallet seed.

Just two days ago, many users reported having their funds (an estimated $4 million) in their IOTA wallets stolen from an unknown source. The cause? Online seed generators.

Online seed generators for IOTA are websites that provide users with a quick solution to generate a new seed for their IOTA wallet.

When creating a new IOTA wallet, users are tasked with creating an 81-character seed rather than generation being baked-in. There are workarounds as outlined by the HelloIOTA website, which include using an IPFS seed generator, or creating a key using either the Mac or Linux terminal. However, neither is as user-friendly as other wallets – possibly leaving new users turning toward these online generators.

The top hit for online seed generation for IOTA wallets has since taken down its website, leaving a message simply stating “Taken down. Apologies.” The generator would require viewers to move their mouse around to “generate randomness,” and then provide a seed that fit the requirements of an IOTA wallet. It also provided a version of the seed encoded as a mnemonic phrase as well.

According to a blog post from IOTA Evangelist Network member Ralf Rottmann, the attackers deployed a DDoS attack against popular IOTA fullnodes, leaving victims of the robbery unable to rescue any of their funds.

The attackers knew the seeds. You invited them into your wallet, by handing them your keys on a silver platter. The community of fullnode operators is discussing various strategies to better protect public community nodes from this specific and similar DDoS attacks in the future.

The IOTA community has been quite clear about online seed generators, encouraging users to change elements of the seed in order to prevent any vulnerabilities. They have also been repeatedly pointing to the fact that the vulnerability has nothing to do with IOTA’s technology, and rather just seed generating services.

~ source: CNN

Kinda sad these types of things happen. But they do.

And, the "hackers" can't really be blamed.

Part of the crypto game is taking full responsibility for one's security protocols and ensuring we don't leave ourselves susceptible to such attacks - because they're going to happen.

It sure must suck for the people who used these websites and lost their Iota. But, there are some important lessons in this story for us all.

Namely:

Never trust third-party sites and wallets.
If you're downloading a wallet to store your crypto, make sure it's from the official website.

And as to why people were using a third-party site to generate a seed... that dumbfounds me.

If you were to download the official Iota wallet, you'd be asked to create a seed phrase for your wallet. Is it really THAT difficult to do yourself?

If so, maybe the lost funds were just a stupid tax.

For real...

Whether it's a seed phrase or password, these are the keys to your vault.

Creating a string of words to use as a seed/password is not rocket science.

It should not take a third-party website to come up with a sequence of random words.

I'm tempted to say sorry here, for the suckers that got reeled into this malware scam - but let's be real. Relying on such a site to generate 81 characters worth of words is just sheer laziness and irresponsibility.

In the crypto game, ignorance is not an excuse.

If you input your seed/password into ANY third-party website, you may be asking for trouble.

Always ensure that any website you're engaging on is legit.

Make sure you do your research to find out if a wallet is legit.

Verify the website address.

Never input your personal data - password and seed phrases included - into any website that you aren't 100% certain is fully legitimate. Ever.

And if you need to generate a seed phrase for a wallet:

Do it your fucking self.
Seriously.

If you're that brain-dead that coming up with 12+ words is difficult, grab the closest book to you and pick out some at random and write them down yourself.

Sorry to say it, but relying on a random website to generate a phrase for you - especially if you're searching for the name of the wallet you're trying to generate one for - is just a ridiculously horrible idea.
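The article quoted above mentions creating the seed in the Mac or Linux terminal. An added example (not part of the original post or the quoted article) of doing that offline from the operating system's random source: the function names are hypothetical, and the alphabet of A-Z plus 9 is the IOTA seed format rather than something stated on this page.

```shell
#!/bin/sh
# Added example: generate an IOTA seed locally from the kernel CSPRNG.
# An IOTA seed is 81 characters drawn from the 27 symbols A-Z and 9.

SEED_LEN=81

# Read 4096 random bytes, delete every byte that is not in the alphabet,
# and keep the first 81 survivors. Dropping bytes (rejection sampling)
# keeps each symbol equally likely; there is no modulo step to skew it.
# About 27/256 of the bytes survive, so 4096 bytes yield ~430 symbols.
# LC_ALL=C makes tr treat input as raw bytes (macOS tr otherwise stops
# with "Illegal byte sequence").
gen_iota_seed() {
    [ -r /dev/urandom ] || { echo "no /dev/urandom" >&2; return 1; }
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Z9' | cut -c1-"$SEED_LEN"
}

# Return 0 only for exactly 81 characters from the seed alphabet.
# The alphabet is spelled out so locale-dependent ranges cannot widen it.
is_valid_seed() {
    [ "${#1}" -eq "$SEED_LEN" ] || return 1
    case "$1" in
        *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ9]*) return 1 ;;
    esac
    return 0
}

# Generate, verify, and print; fail closed on a short or malformed result.
new_seed() {
    seed=$(gen_iota_seed) || return 1
    is_valid_seed "$seed" || { echo "seed generation failed" >&2; return 1; }
    printf '%s\n' "$seed"
}

new_seed
```

The seed never leaves the machine, which is the property the online generators broke; run it on a computer you trust and record the output somewhere offline.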

Given that this news is coming from CNN, we might not know the full validity or background of it. Yet, let's keep in mind the nature of mainstream media sources like this.

Yeah, they probably wanna present the story to invoke FUD (fear, uncertainty, and doubt).

Yet, they're missing a key fact: whoever fell for these traps had it coming.

Had they taken full responsibility for their own security protocols, it would not have happened to them.

But because they'd rather rely on a random website than their own creativity to generate twelve words as a password and give away the keys to their wallet to an unknown website, they fucked themselves.

Don't be that guy/girl.

Need more be said...?

Probably not.

Nevertheless, these types of situations happen. And will continue to.

So when you're setting up your wallets, creating your passwords, and storing your keys...

Play it smart.