I have been reading a lot of articles here on Steemit. Even though there is a lot of good material around on the topic of how to keep your money safe, it still seems to me that there is also a lot of confusion. Because of this, I have decided to make an attempt at writing a complete list of things that can go bad, along with high-level explanations and recommendations on how to avoid those mistakes. I stress the 'make an attempt' part since I will probably still miss certain things, and also my recommendations may or may not be flawed. As always when it comes to security I suggest you do not trust one single source. Use this post as a kind of index that gives you a picture of all the things you need to keep in mind, then do the deeper research yourself.
The term 'Phishing' refers to a malicious third party trying to fool users into giving away privileged information like passwords, or into downloading malware. In the majority of cases, this is done by sending e-mails to users that look like they were sent by some person or organization the user knows and trusts. There are (at least) two different 'flavors' of Phishing, which deserve separate explanations:
This is the more common (and arguably also the less dangerous) variant. The principle is quite simple: An attacker will create an email that looks like it was sent by some well-known online platform like PayPal or Facebook. The message will contain some seemingly legitimate text that makes it clear to the user that he must react quickly. There will also be some kind of hyperlink or button that the message encourages the user to click. If done well, the message will look quite convincing, especially because it is possible to fake ('spoof') the sender address that is displayed in your mail client.
The important thing to understand is that the link that this faked message provides might look legitimate, but when you click on it you will be redirected to some website you didn't want to open. The target of this misleading link might either be a website that looks like a legitimate login-page of the service that sent the message, or it could just be some random site that will try to install malware on your machine. Look at the link below for an example of this; while the link seems to be pointing to google, you'll end up on yahoo:
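As an added example (not part of the original post), here is a small checker for exactly the trick described above: it pulls every link out of an HTML e-mail body and flags those whose visible text names one site while the href points somewhere else. The sample message is constructed for the example, and the "registrable domain" helper is a rough last-two-labels heuristic (an assumption; it does not know about public suffixes like co.uk).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the link text claims google, but the href goes to yahoo.
SAMPLE_HTML = """
<p>Please confirm your account:</p>
<a href="https://www.yahoo.com/login">https://www.google.com/verify</a>
<a href="https://mail.google.com/">Open Gmail</a>
<a href="http://www.google.com">www.google.com</a>
"""

def registrable(host):
    """Rough 'site' of a hostname: its last two labels (assumption: no public-suffix list)."""
    parts = host.lower().strip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else host.lower()

def host_of(text):
    """Hostname named by link text, or None when the text is not URL-like (e.g. 'Open Gmail')."""
    text = text.strip()
    if '://' not in text:
        text = 'http://' + text
    try:
        host = urlparse(text).hostname
    except ValueError:
        return None
    return host if host and '.' in host and ' ' not in host else None

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href', ''), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text)))
            self._href = None

def deceptive_links(html):
    """Return (shown text, real href) for links whose text names a different site than the href."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, real = host_of(text), urlparse(href).hostname
        if shown and real and registrable(shown) != registrable(real):
            flagged.append((text.strip(), href))
    return flagged
```

Running `deceptive_links(SAMPLE_HTML)` flags only the first link; plain-text link labels and links whose text and href agree pass through.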
Interestingly enough I haven't received any good attempts at Phishing recently, so I had to google around for this good example of an attempt at your PayPal credentials:
Here's what jumps out at me from this message:
Depending on the amount of work an attacker is willing to put into designing those faked messages and the websites they link to, it might already be quite difficult to decide whether a certain message is authentic or not. In the past, however, most normal Phishing attempts were poorly designed and easy to spot.
Much more dangerous than the above-mentioned 'normal' version is Spear-Phishing. The principle is still the same, but the attacker no longer targets a large number of individuals he knows nothing about. Instead, the focus is on a small number of people (maybe even just one). The attacker tries to exploit knowledge he obtained either from other attacks or simply from reading one of the victim's social-media pages.
To make these attacks even more successful, attackers try to make the messages look like they were sent by a person the victim either knows personally or who has some authority over the victim:
[...] Spear-phishing messages, on the other hand, are more likely to appear as originating from someone within the target's own organization, generally someone in a position of authority.
National Security Agency expert and West Point instructor Aaron Ferguson calls it the 'colonel effect.'
As an illustration, Ferguson sent e-mail messages to 500 cadets, asking them to click on a link to verify their grades. The message appeared to come from a Colonel Robert Melville of West Point, and the result was that over 80 percent of the recipients clicked on the link.
One of the simplest solutions would, of course, be using GPG-signed emails, but for whatever reason, this technique has not found many users outside the hardcore tech community. Therefore let's look at some less techy recommendations:
The principle is very similar to Phishing emails: Some malicious third party wants to gain access to people's accounts or private data. We can distinguish two different cases: Fake sites and scam sites.
Just as Phishing messages are designed to look as if they were sent by some genuine company, fake websites are designed to look exactly like real websites. The goal: Make potential victims believe they're on the real website, and let them enter their username and password. A clever attacker could even fake a request for a second authentication factor like a code from Google Authenticator. Once the victim hits enter, the login data will be used by the malicious party to log into the real website and steal the victim's data/money within seconds.
Usually, those faked websites will use URLs that are very similar to those of the real sites (e.g. www.googl.com to catch people who want to access www.google.com), such that a typo in the address bar of the victim's browser would lead him/her there.
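As an added example (not part of the original post), the following checks a hostname from the address bar against a short list of sites you actually log in to and reports near misses such as www.googl.com. The list of trusted domains is a constructed assumption; the comparison is plain Levenshtein edit distance, so it also catches single-character substitutions like paypa1.com, which goes slightly beyond the typo case in the text.

```python
# Constructed allowlist: the login sites this user actually uses (an assumption for the example).
TRUSTED = ["google.com", "paypal.com", "steemit.com"]

def edit_distance(a, b):
    """Levenshtein distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def normalize(host):
    """Lower-case the host and drop a leading 'www.' so www.google.com and google.com compare equal."""
    host = host.lower().rstrip('.')
    return host[4:] if host.startswith('www.') else host

def lookalike(host, trusted=TRUSTED, max_dist=2):
    """Return (trusted_domain, distance) if host is a near miss of a trusted site, else None.

    Exact matches and genuine subdomains (mail.google.com) are not reported."""
    h = normalize(host)
    if h in trusted or any(h.endswith('.' + t) for t in trusted):
        return None
    best = None
    for t in trusted:
        d = edit_distance(h, t)
        if 0 < d <= max_dist and (best is None or d < best[1]):
            best = (t, d)
    return best
```

A hit means the page you are on is one or two characters away from a site you trust, which is exactly when you should stop and check the address by hand.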
Unlike fake sites, scam sites do not attempt to imitate an existing website. Instead, they will claim to represent a new legitimate service. The most potent cases of such sites in the context of crypto currencies are probably faked ICOs (ICO = Initial Coin Offering). The malicious third party might, for example, claim to be some new group that has designed some very fancy new crypto currency that they are going to sell off at a high discount before trading starts. Users will be given the opportunity to create an account (thereby possibly already giving away e-mail-address/password combinations they have used on a number of other accounts), set up a wallet, and transfer real money (be that dollars or BTC/ETH/...) to buy this new currency. Of course, this new currency does not exist, but people won't know that until they have already sent their money.
There are already a lot of good tools active on the internet that try to prevent users from falling victim to either fake or scam websites. Nevertheless, you should do what you can yourself. Here are my recommendations:
Malware is a piece of software that does something you don't want it to do, probably in such a way that you don't even realize it's there. Viruses, worms, trojans, adware, ransomware: all of those are malware. You might pick it up by visiting a new website, or by plugging in a USB stick that a friend of yours had plugged into his compromised computer. There really is no limit to the ways a system might get infected. Even worse, there's really no way to prevent this, because programmers would have to be able to think of an infinite number of possible attack vectors to make their software safe.
Long story short: Always assume your computer is at least a little bit infected. Even if you have ten different anti-malware-tools installed.
With this in mind, let's look at the ways malware could possibly compromise the security of our crypto currencies:
I could go on for hours, but I think you get the idea. Malware is bad.
That's actually a tricky question. You can stay reasonably safe if you follow those points:
But, as I mentioned above, there are always bugs and flaws, and even if you trust a piece of software, it could still contain bad code that allows malware into your system. Therefore I would recommend the following, especially if you are moving around larger sums of money often:
This should keep you pretty safe. It's still far from 100%, but it's a reasonable mix between required skill, caused inconvenience and security. If this still isn't secure enough for you, then you might want to think about creating a live system on an SD card. Because SD cards have a hardware switch that prevents write access to the card, the image of this live system can never be changed by anything. Let me know if you are interested in more details about this.
Just as your computer will never be completely safe from malware, the servers of large coin exchanges or online wallets will always have some security flaws. These might be caused by incorrect configurations, software that is not up to date, or simply by a corrupt insider. Large companies may have significantly more knowledge and resources than a single person, but since there's so much to gain from a single successful attack, the time and effort an attacker is willing to invest is also significantly bigger.
In most cases it is very simple to protect yourself from this kind of loss:
Unfortunately, there are also services that almost force you to have your currency on their servers. One such example is Steemit itself. It is certainly possible to use the cli_wallet to interact with the blockchain directly from your computer, but I assume most people will find that too inconvenient.