image source: Avel Chuklanov on Unsplash.com · editing by me
There have been many phishing attacks lately, both on the Hive blockchain as well as our legacy blockchain, Steem. Phishing attacks are executed in two steps. First, a fake website is carefully crafted to look like a trusted website, complete with "username" and "password" fields and a login button. If anyone enters information there, it is sent to the thief who created the website. Second, people are lured to that website with promises of "Free Crypto!" and such. The biggest phishing scam at the moment is promising 100 HIVE if you click a link to "vote for my witness."
Now, seriously — does anyone actually think someone will pay 100 HIVE (currently worth about US$32) just for a single witness vote? That could easily amount to thousands of dollars in a short time, and the person making the offer would go broke. NOTHING IS FREE! But, still, people click those links, enter their username and Keys on the fake website, and lose control of their accounts... it's happening every day. 😕
Once the thieves have your account's credentials, they'll change the Keys so you can't login again and start transferring your hard-earned crypto to their own accounts. Then, they will start posting comments with your account on other people's posts. Those other people will say, "Oh, Maria shared a link in a comment. I know Maria, so her link must be trustworthy!" and then they click on it, too, and lose their accounts as well.
By the way, if you click a link to a fake website and voluntarily enter your login credentials, you were not "hacked." Hackers break into websites, quietly, and swipe tons of data from many users, all at once, when no one is looking. If you drive to the market and hand your car keys to a stranger, telling him that he can use your car while you shop, you can't tell anyone later that you were "carjacked" — you voluntarily handed your keys to a stranger. That is exactly what is happening if you fall victim to a phishing scam.
You were not "hacked" but handed your Keys to someone else, voluntarily.
If one falls victim to a phishing scam, what should one do?
If you suspect you have fallen victim to a phishing scam, the first thing to do is to try to beat the thief to the changing of credentials for your account. This involves generating a new Master Password, a seed from which a new Owner Key, Active Key, Posting Key, and Memo Key will be derived. To do this on the enhanced PEAKD interface to the Hive blockchain, go to your blog page, click on "Account Actions," "Keys & Permissions," and "Change Password" as shown in the screenshot below:
Users of the enhanced ECENCY interface will find a similar screen by clicking on "Settings" and "Change Password." Users of the default HIVE.BLOG interface can find the page under "Wallet" and "Change Password."
The thieves usually act quickly, so you should attempt to change your Master Password and Keys as soon as possible after visiting their fake website. Otherwise, they will lock you out of your own account.
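To make the "Master Password is a seed" point concrete, here is an added example (my own illustration, not code from the original post or from any Hive interface) that reproduces the standard Steem/Hive derivation: each role's private key is sha256(account_name + role + password), written out in Wallet Import Format. The account name and password below are constructed for the example. Computing the matching STM... public keys would need secp256k1 point multiplication, which is left out to keep the example dependency-free.

```python
"""Derive Hive/Steem role keys from an account name and Master Password.

Added example, not code from the original post. It reproduces the standard
Steem/Hive scheme: private_key(role) = sha256(account + role + password),
encoded as a WIF string. One seed therefore yields all four keys, which is
why a phished Master Password hands over the whole account, and why a new
Master Password rotates every key at once.
"""
import hashlib

ROLES = ("owner", "active", "posting", "memo")
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Bitcoin-style base58 (leading zero bytes become leading '1's)."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; used only to validate a WIF string."""
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def to_wif(secret: bytes) -> str:
    """WIF: 0x80 || 32-byte secret || first 4 bytes of double-sha256 checksum."""
    payload = b"\x80" + secret
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)


def wif_is_valid(wif: str) -> bool:
    """Structural check: version byte 0x80, 32-byte secret, matching checksum."""
    raw = b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return len(payload) == 33 and payload[0] == 0x80 and check == expected


def derive_key(account: str, role: str, password: str) -> str:
    """Private key for one role, as the Steem/Hive wallets derive it."""
    seed = (account + role + password).encode("utf-8")
    return to_wif(hashlib.sha256(seed).digest())


def derive_all(account: str, password: str) -> dict:
    """All four role keys for an account from a single Master Password."""
    return {role: derive_key(account, role, password) for role in ROLES}


if __name__ == "__main__":
    # Constructed account name and password; never paste a real Master Password here.
    account, old_pw, new_pw = "alice", "P5JconstructedOldMasterPassword", "P5JconstructedNewMasterPassword"
    before, after = derive_all(account, old_pw), derive_all(account, new_pw)
    for role in ROLES:
        print(f"{role:8} {before[role]}  ->  {after[role]}")
    print("every key changed:", all(before[r] != after[r] for r in ROLES))
```

Running it prints four different WIF keys for the old password and four different ones for the new password: changing the Master Password is a full key rotation, so once the thief has done it your old password derives nothing that is still accepted by the chain (except, for 30 days, as proof of prior ownership during recovery, covered below).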
What if I am locked-out of my own account?
The HIVE blockchain is decentralized. That means there is no one central authority, no one person "in charge" of things, no big company overseeing operations. We, the users of the blockchain are "in charge," every one of us, by the votes we cast for witnesses (similar to what some other blockchains refer to as "Block Producers"). So, there is no single authority which can help us recover our account. However, we have an Account Recovery operation built into our wonderful blockchain!
To utilize this option, however, it is necessary to designate someone ahead of time that will assist you, should the need arise. This is referred to as your "Recovery Account" and should be the username of a trusted friend, witness, or project on-chain that can come to your rescue. This is similar to giving a key to your house to a neighbor, in case you're ever locked-out of your own house. After you're locked-out, it's too late to give that spare key to anyone.
By default, the Recovery Account is probably set to the entity that created the account for you. This could be PEAKD, ECENCY, TIPU, 3SPEAK, or any number of other projects on-chain, and all of them will be happy to assist you if you are locked-out of your account. To check the setting for your Recovery Account, visit the HiveBlocks.com site, enter your username, and scroll down the left side-bar until you see:
In order for anyone to assist you in recovering your account, it is necessary that you have the Owner Key to your account! The recovery operation requires you to sign with an Owner Key that was in force on your account within the last 30 days, i.e. the Owner Key from before the thief changed it. The Owner Key should be used only for account-level actions like this one (recovering the account, changing your Keys, changing your Recovery Account), never for day-to-day logins. If you do not have your Keys saved, I advise that you get them now! As stated earlier, you should have a Master Password, a seed from which your Owner Key, Active Key, Posting Key, and Memo Key are derived. You can see them on the Wallet page on HIVE.BLOG, the Settings page on ECENCY, and the Keys & Permissions page on PEAKD.
⚠️ On 20-Mar-2020, the Hive blockchain forked from the Steem blockchain. Anyone who had an account on Steem prior to that date probably had @steem as their Recovery Account, by default. Those settings were copied to Hive when the Hive blockchain launched. Your Hive account should now have a different Recovery Account set, as Steem will not assist in the recovery of a Hive account! So, change that now if you have not already done so! Several users have recently lost their accounts, permanently, because of this very thing, still having @steem set as the Recovery Account on Hive.
Also, do not set your Recovery Account to yourself! Two users on Hive have recently lost their accounts by doing this. Setting one's own self as 'Recovery Account' is similar to writing your own name on an "In Case of Emergency..." form. If you are hospitalized in an emergency, who should the doctors contact? Instead of a family member or friend, you tell them to contact you! 😬 Always be sure that your Recovery Account is set to someone else, not yourself!
Trusted witness and developer @arcange has automated the Account Recovery process for anyone who chooses to use his service. Detailed information can be found in his Hive Account Recovery - User Guide. Anyone not wishing to use Arcange's automated recovery service can use any other service, project, or person they wish, however be sure that it is:
- someone you trust!
- someone who is able to identify you with certainty!
- someone who will not be leaving the blockchain!
- someone who will be available when you need them!
- someone who knows how to execute the custom recovery code!
If your Recovery Account falls short on any one of the above requirements, you might be stuck with an unrecoverable account! The following screen shows how to change your Recovery Account via the PEAKD interface. You can also set your Recovery Account on HiveTasks.com. But, the easiest way, imho, is by using Arcange's automated Hive Account Recovery service.
Once the Recovery Account has been changed, there is a 30-day waiting period for it to take effect. This is to mitigate abuse of the system: a thief who obtains your Owner Key cannot immediately redirect recovery to an account they control, because your existing Recovery Account keeps that role for the 30 days in which your old Owner Key is still accepted as proof. The same delay cuts both ways, so a change you make after being phished will not help you; make it before you need it.
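The interplay of these rules (the 30-day delay on a Recovery Account change, the 30-day validity of the old Owner Key, and the Recovery Account having to sign the request itself) is easier to see in a small model than in prose. The following is an added example of my own, not code from the post, from Arcange's service, or from the Hive node software. It simulates only the parts of the recovery rules discussed above; the 30-day figures follow the post, and all account names, "keys" (plain labels standing in for real keys) and timings are constructed. Real Hive has further checks (request expiry, signature verification) that this model omits.

```python
"""Simplified model of Hive's account-recovery rules (added example; not the
post's code and not the chain's implementation). Enough state to show:
  * a Recovery Account change is pending for 30 days, and a newer change
    request replaces an older pending one;
  * recover_account needs an owner key that was in force within 30 days;
  * request_account_recovery is signed by the Recovery Account's active key,
    so a self-set or non-existent Recovery Account cannot help.
Names, keys and timings are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional

DAY = 86_400
RECOVERY_PERIOD = 30 * DAY  # old owner keys stay usable / recovery-account change pending


@dataclass
class Account:
    name: str
    owner: str                 # current owner "key" (a label stands in for a real key)
    active: str                # current active "key"
    recovery_account: str
    owner_history: list = field(default_factory=list)   # [(old_owner_key, time_replaced)]
    pending_recovery: Optional[tuple] = None             # (new_recovery_account, effective_at)
    recovery_request: Optional[str] = None               # new owner key proposed by Recovery Account


class Chain:
    def __init__(self):
        self.now = 0
        self.accounts = {}  # name -> Account

    def add(self, acct):
        self.accounts[acct.name] = acct

    def advance(self, seconds):
        """Move time forward and apply any Recovery Account change that came due."""
        self.now += seconds
        for a in self.accounts.values():
            if a.pending_recovery and a.pending_recovery[1] <= self.now:
                a.recovery_account, a.pending_recovery = a.pending_recovery[0], None

    def update_owner(self, name, signer_owner, new_owner, new_active):
        """Password change: needs the current owner key; the old one enters history."""
        a = self.accounts[name]
        if signer_owner != a.owner:
            raise PermissionError("missing owner authority")
        a.owner_history.append((a.owner, self.now))
        a.owner, a.active = new_owner, new_active

    def change_recovery_account(self, name, signer_owner, new_recovery):
        """Needs owner authority; takes effect 30 days later; replaces a pending change."""
        a = self.accounts[name]
        if signer_owner != a.owner:
            raise PermissionError("missing owner authority")
        a.pending_recovery = (new_recovery, self.now + RECOVERY_PERIOD)

    def request_account_recovery(self, recovery_name, signer_active, target, new_owner):
        """Signed by the Recovery Account's ACTIVE key, not by the victim."""
        t = self.accounts[target]
        if recovery_name != t.recovery_account:
            raise PermissionError(f"{recovery_name} is not the recovery account of {target}")
        r = self.accounts.get(recovery_name)
        if r is None:
            raise PermissionError(f"{recovery_name} does not exist on this chain")
        if signer_active != r.active:
            raise PermissionError("missing active authority of recovery account")
        t.recovery_request = new_owner

    def recover_account(self, target, recent_owner, new_owner):
        """Signed by the new owner key AND an owner key valid within the last 30 days."""
        t = self.accounts[target]
        if t.recovery_request != new_owner:
            raise PermissionError("no matching recovery request")
        if not any(k == recent_owner and ts + RECOVERY_PERIOD > self.now
                   for k, ts in t.owner_history):
            raise PermissionError("recent owner key not found in the last 30 days")
        t.owner, t.recovery_request = new_owner, None   # only the owner authority is reset


def phishing_scenario(wait_days, recovery_name="arcange",
                      recovery_active="arcange-active", theft_day=40):
    """Maria sets her Recovery Account on day 0 and is phished on `theft_day`.
    Returns True if she regains the account `wait_days` after the theft."""
    c = Chain()
    c.add(Account("arcange", owner="arcange-owner", active="arcange-active", recovery_account="peakd"))
    c.add(Account("maria", owner="maria-owner-1", active="maria-active-1", recovery_account="steem"))
    c.change_recovery_account("maria", "maria-owner-1", recovery_name)  # pending for 30 days
    c.advance(theft_day * DAY)
    # The thief got maria-owner-1 from the fake site: rotates every key and
    # points the Recovery Account at himself (also pending for 30 days).
    c.update_owner("maria", "maria-owner-1", "thief-owner", "thief-active")
    c.change_recovery_account("maria", "thief-owner", "thief")
    c.advance(wait_days * DAY)
    try:
        c.request_account_recovery(recovery_name, recovery_active, "maria", "maria-owner-2")
        c.recover_account("maria", "maria-owner-1", "maria-owner-2")
        # Recovery resets only the owner authority: rotate the rest right away.
        c.update_owner("maria", "maria-owner-2", "maria-owner-3", "maria-active-3")
    except PermissionError:
        return False
    return c.accounts["maria"].owner == "maria-owner-3"
```

Two practical points the model makes visible: the thief re-pointing the Recovery Account does not matter as long as you act within 30 days, because his change is pending just as yours was; and after a successful recovery only the Owner authority has been replaced, so the thief's Active and Posting keys still work until you change your password once more with the new Owner Key.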
It is a good idea for everyone to review their Recovery Account information periodically, to make sure it is up-to-date. If the time comes when you need it, it's too late to fix it then!