How Crypto Communities can keep users safe from phishing accounts inside Slack #1
I recently promised to write a detailed post about all the security tips and tricks that Crypto Communities (Token launches and ICOs in particular as they’re the ones being targeted most) should take into consideration when creating and harmonizing their community inside Slack. I don’t seem to have time to write a detailed post, so I’ll write a short one for each area of potential concern.
Someone within the community told me about this security problem and I can’t remember who. But I’ll happily update the post to give them credit if it comes back to me.
Pro Tip #1
Assuming you’re new to the Crypto world, the person above looks like Taylor, the founder of MyEtherWallet.com — one of the most widely respected wallets for cryptocurrencies on the Internet.
The message screenshot above is not from Taylor. It was from me, playing the part of a “bad actor” pretending to be her.
It’s easy for any user to join a community and later update their @username, first name and surname as I did with my account inside the MyEtherWallet community. I changed my name to Taylor and my username to @tayvan0 ← that’s a ‘zero’ and not the letter ‘o’ — making it look like hers, which is @tayvano. I even changed my profile picture to the one she uses.
Now all I need to do is DM lots of other community members with a phishing link, asking them to log into their wallet on my website. Why wouldn’t they trust the link if it’s coming from Taylor? This would allow me to empty their crypto wallets.
It took me less than 3 minutes to update my profile.
There is no solution today. You can’t stop people from updating their profile.
At MetaCert, we’ve marked this potential threat as a priority feature. Our security app for Slack won’t stop users from updating their profile, but it will alert you the second a user changes their name. Community managers can then make sure the changes aren’t nefarious. We need to conduct more research, but it might be possible for us to add other security precautions involving user profiles.
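As an added example (not MetaCert's code and not part of the original post), here is one way a community manager could screen each profile change for look-alikes of protected accounts such as @tayvano. The event tuples, user ids, confusables map and function names are constructed assumptions.

```python
import unicodedata

PROTECTED = {"tayvano": "Taylor"}  # handle -> name, from the post's example
# Small constructed map of look-alike characters; not exhaustive.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})

def skeleton(text):
    """NFKC-fold, lowercase, map look-alikes, keep letters only."""
    folded = unicodedata.normalize("NFKC", text).casefold().translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch.isalpha())

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if len(a) > len(b):
        a, b = b, a
    if len(b) - len(a) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if len(a) == len(b):
                i += 1  # substitution: advance both strings
        else:
            i += 1
        j += 1
    return edits + (len(b) - j) <= 1

def check_profile_change(user_id, handle, display_name, verified_ids):
    """Return alert strings for one profile change; empty list means no match."""
    if user_id in verified_ids:
        return []  # the genuine account may edit its own profile
    alerts = []
    for real_handle, real_name in PROTECTED.items():
        if within_one_edit(skeleton(handle), skeleton(real_handle)):
            alerts.append(f"handle @{handle} resembles @{real_handle}")
        if skeleton(display_name) == skeleton(real_name):
            alerts.append(f"display name {display_name!r} matches {real_name!r}")
    return alerts

# Constructed sample events: (user id, new handle, new display name).
EVENTS = [
    ("U100", "tayvan0", "Taylor"),  # the look-alike described in the post
    ("U200", "alice", "Alice"),     # unrelated rename
    ("U001", "tayvano", "Taylor"),  # the genuine account (constructed id)
]
if __name__ == "__main__":
    for uid, handle, name in EVENTS:
        print(uid, check_profile_change(uid, handle, name, verified_ids={"U001"}))
```

A display-name match on its own will also flag any other member who is really called Taylor, so treat it as a prompt for review rather than proof of impersonation.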