SCAM ALERT: No witness will ever ask you for your passwords or keys!

in #security, 7 years ago

All those who vote for me (and read my posts) should already know that they should never, ever reveal their keys to anyone!

I will never ever pay for votes.
Vote for witnesses that are worth it, not because they promise you something in exchange.
Well, except that I promise to do my best for platform security and reliability.

Do not enter your password or keys on sites you don’t trust.
Always check the address bar to make sure that you are loading the correct website.
Scammers can make their sites look exactly the same as the page you expect to see.
Again:

Always check the address bar to make sure that you are loading the correct website.

If you have any doubts, you shouldn’t use the website.

Make sure the users you contact are who they say they are.
My account name is @gtg, but I also use the account @gandalf on Steem and steem.chat.
But even if I were to tell you to enter your password somewhere or send me some funds, do not.
It's not me.

If you already have made that mistake, change your password immediately.

If you are not sure about it, change your password immediately.

Treasure your passwords /パスワードを大切に by @fukako

SteemConnect

Of course, there are sites other than https://steemit.com where you can use your keys, such as Busy or DTube but you should always decide if you want to provide your key to such websites.
In a perfect world, a website should only use your key to sign the transactions that you are willing to make within your browser - in other words, your key never leaves your machine.

There’s a project called SteemConnect that was designed to help developers with all the hassle of handling keys and passwords. It is the preferred way of handling user authentication and authorization.

But even when you use SteemConnect, you should be careful and always check what your keys will be used for. Here are some examples:

If you’re voting for me as a witness, you see:

voting gtg for witness using steemconnect

You can clearly see what operation will be performed. Also make sure that the address is what you expect it to be. If even one letter in the domain name is different, something is wrong.
It should be exactly https://steemconnect.com/. In this case, the full address will be:
https://steemconnect.com/sign/account-witness-vote?witness=gtg&approve=1

steemconnect-02.png

SteemConnect reminds you to check it.

In order to transfer funds or vote for witnesses, you need your Active Posting Key, but you should be VERY careful whenever you use this key.
Use the least powerful key possible instead of using your Master Password. For example if you simply want to post or upvote content, all you need is your Private Posting Key.

Also, instead of asking for a single operation, sites such as Busy or DTube might want you to authorize certain types of operations. Read what they say very carefully and check that the application is the one you expect:

steemconnect-04.png

Even though such an authorization will use your posting authority to Vote, Comment, etc., you will have to enter your Active Private Key to confirm it.

steemconnect-03.png

I will write it again: confirm that you are on the steemconnect.com site before entering your password, and that you are authorizing only actions that you really want to perform.



If you believe I can be of value to Steem, please vote for me (gtg) as a witness on Steemit's Witnesses List or set (gtg) as a proxy that will vote for witnesses for you.
Your vote does matter!
You can contact me directly on steem.chat, as Gandalf



Steem On
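The address and operation checks described in the post, as an added JavaScript example (not part of the original post and not SteemConnect's own code): a link is accepted only if its origin is exactly https://steemconnect.com, and the operation and parameters it would ask you to sign are reported and compared with what you meant to do. The function names, the `intent` argument, the distance threshold and the sample links are assumptions made for illustration; the `/sign/<operation>` link shape is inferred from the two links shown on this page.

```javascript
// Added illustration; not SteemConnect code. Only the expected origin and the
// /sign/<operation>?params link shape come from the post.
const EXPECTED = new URL("https://steemconnect.com");

// Levenshtein distance, used to label near-miss hostnames.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Returns { ok, reason?, host, operation?, params? } for a signing link.
// `intent` (hypothetical) states what the user means to do.
function checkSignLink(link, intent) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, reason: "not a URL" };
  }
  const host = url.hostname; // the host the browser would really contact
  if (url.username || url.password) {
    // In "https://steemconnect.com@other.host/" the real host follows the "@".
    return { ok: false, reason: "userinfo before host", host };
  }
  if (url.origin !== EXPECTED.origin) {
    let reason = "different host";
    if (host === EXPECTED.hostname) reason = "wrong scheme or port";
    else if (editDistance(host, EXPECTED.hostname) <= 2) reason = "lookalike host";
    else if (host.includes("steemconnect")) reason = "expected name inside another host";
    return { ok: false, reason, host };
  }
  const m = /^\/sign\/([a-z-]+)$/.exec(url.pathname);
  if (!m) return { ok: false, reason: "not a /sign/<operation> link", host };
  const params = Object.fromEntries(url.searchParams);
  const result = { ok: true, host, operation: m[1], params };
  if (intent) {
    const wanted = Object.entries(intent.params || {});
    const same = intent.operation === result.operation &&
      wanted.every(([k, v]) => params[k] === String(v));
    if (!same) return { ...result, ok: false, reason: "operation differs from intent" };
  }
  return result;
}

// Constructed sample links; only the first is the address given in the post.
const INTENT = { operation: "account-witness-vote", params: { witness: "gtg" } };
const QUERY = "/sign/account-witness-vote?witness=gtg&approve=1";
const SAMPLES = [
  "https://steemconnect.com" + QUERY,
  "https://steemconnect.con" + QUERY,
  "https://steemconnect.com@phish.example" + QUERY,
  "https://steemconnect.com.phish.example" + QUERY,
  "http://steemconnect.com" + QUERY,
  "https://steemconnect.com/sign/account-witness-vote?witness=gtg.witnesses&approve=1",
];

function runSamples() {
  return SAMPLES.map((s) => {
    const r = checkSignLink(s, INTENT);
    return r.ok ? "ok" : r.reason;
  });
}
```

The check compares the parsed origin rather than searching the link text, which is why the samples that merely contain "steemconnect.com" are still rejected.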


I'm so glad steemconnect exists, I hate giving my privacy keys out even to sites like steemengine and dtube

I wish I could have seen some of these posts sooner. I was scammed Friday Mar 2 by Gtg.witnesses and good-kama I lost 663.834 in SBD and posted on it tonight. - Blessings - Troy

I'm sorry to hear that. Have you already changed your password?

I have changed my master key. I learned that they took all my SBD - 663.843 (over $2,000 in dollars) and traded it on block trades. The transaction was traced to Romania, Switzerland and Amsterdam. I sense they are high tech. It is a shame they allow these folks to continue on Steemit. It is also a shame that these folks continue to get by with this. It would be good if we had a group on Steemit who could address these concerns or victims of this abuse. From what I learned they continue to do this on Steemit and send you to Steewit. They also scammed my comments, compromised my reputation and took 22.641 in steem tokens and exceeded my bandwidth. My upvote is worthless for at least the next 7 days. I worked with a steemian via phone from Hampton, IA USA to change my master key and send some emails out to Steemit abuse on steemit chat and blocktrades. Feel free to read my blog. Thanks for responding. I wish justice could be served. Do you have any suggestions???? Blessings - Troy

Steem is a decentralized platform. No party could stop others from using it so for example totalitarian government can't effectively stop their citizens from posting... but that also means that there's no central "police" that can stop such abuse.
But if you can identify abuser (and usually, even if they are trying hard, sooner or later they make a mistake that allows to identify them, and prosecute under their own jurisdiction).

Thanks for the kind response. They do their harm by misrepresentation. They have taken your name and misrepresent it as gtg.witnesses (slightly different) and the same with good-karma and good-kama (the latter they use). Finally they send you to a misrepresented Steemit as steewit. Clever. Well folks need to know this stuff to protect themselves. Without policing this is allowed to thrive. Thanks my friend.

gtg I have upvoted and resteemed your post because I believe it may be helpful to a number of my 1400 followers. Although your content may be helpful to many, I find it's not that simple to follow and therefore would have also appreciated the whole thing in baby language for people my age and computer competency. Thank you again.

Thank you for feedback.
I agree that so called "ELI5" (yet, 100% accurate) type of docs & tutorials about Steem and surrounding technologies would be very helpful.

the keyword is the best priority and it must be really occupied, the wrong keywords will be bad for yourself. I have not known you and I are newcomers in steemit, but you are an inspiration to me, you are the best...

Hey @gtg . I just had this scam message in my wallet and wanted to make a warning post about it. Instead I now reblog your post.
Very sad. Recently these kind of phishing tries are seen much more often. Even worse there is users that fall for it. I've seen ppl in discord channels.
There is really no chance to stop them, right? Somehow steemit should have a ban list to not show their messages to protect new ppl better.
Cheers J

Thank you :-)
Well, yes, there's no good way for stopping such scam attempts. There will be always new ways and new ideas on how to trick users. Of course scammers usually make mistakes and sooner or later they will be punished, but new will come, as long as people will fall for it.

Those guys also tried to trick me but I know that you are the kind of witness who would never do such silly and tricky stuff! I simply ignored and muted them. Hope you are well!

Thanks for this info my friend! Yesterday i take a memo with the account name gtg.witness
Here is what they send me. I know that this is fake account:

https://steemit.com/scam/@paradise/atention-to-all-steemians-take-2-min-to-read-this

Thank you, good catch.

You're welcome! :)
they use name of important users to be trusted by users that not have to much information here...
You have make good catch too :) See you my friend

Thanks for writing this post! I just was wondering the other day why an app was asking for active key although I was just wanting to post. It did go through Steem connect and after asking around heard that Steem connect is a trustworthy site, so I ended up using it. Does Steem connect need to use the active key just for posting though?

If you want to post once using SteemConnect then posting key is enough, but in your case you were changing posting authority which requires active key (you authorized both: dlive.app and busy.app to post on your behalf).
You can see details here: https://steemd.com/@polebird
As you can see those accounts are listed under "Posting" but to list them there you had to use your Active Key.

Ah so they are still ok though right? As long as it’s through Steem connect? Are there circumstances we shouldn’t be providing active using Steem connect assuming that the site is requiring use of more than just the posting key?

First of all, the best approach is to treat every case of "enter your secret here:" as NOT-OK situation. Scammers always do their best to present you something that looks ok. Similar domain name, same page layout that you are familiar with, etc.
After you are sure that it's really SteemConnect asking you for a key, you still need to make sure what it will be used for.
For example you can use this link:
https://steemconnect.com/sign/vote?voter=polebird&author=polebird&permlink=re-gtg-re-polebird-re-gtg-scam-alert-no-witness-will-ever-ask-you-for-your-passwords-or-keys-20180227t054353477z&weight=1
to 1% upvote your own comment (that I'm now replying to).
SteemConnect will ask you if you want to confirm this operation (explicitly stating what it will be), or in case of an applications if you want to authorize certain Steem account @some_application.app to use your posting role (it shouldn't be asking for anything more than posting role, but as I wrote before, to authorize some app to use your posting role you have to confirm that with your active authority (app itself will not get that privilege)).
Of course there's a risk that app will become malicious, so it's not wise to authorize random apps without ensuring first that they have solid reputation.

Thank you! it's very good that you talk about it, because there are very trusting people.
(thanks again)

Resteemed and upvoting for visibility - tipuvote! 0.3

Thank you :-)

This scammer has Got to go!

No one can replace the real Got to go.....

thanks for alert; would you please tell me about busy.org?
how can we trust the third parties like busy.org?
is steemconnect owned by steem?

I don't feel logging in with my private key in a third party as we used to do with open ID logins like google.com

should I change my mindset? :))

As you can see on the SteemConnect site:
"A Steemit Inc + Busy project"
We shouldn't fully trust anyone :-)
SteemConnect is most likely to be the Steem platform standard for authentication and authorization with some similarities to OpenID.

I appreciate your time buddy 🙇‍♂️
Thanks a lot

I resteemed this post.

Thank you :-)

I only log in third parties. .. if has steemconnect ... but there's new websites trying to scam... they using steem connect looks but the web link is different. .. they trying to scam !!!

That's why it's very important to always check if you are on a correct website.

When I arrived at Steemit, you were the first witness I met, I mean at that time I haven't idea about witnesses or even about blockchain, then you vote my presentation post and I start to follow you, in fact you were the first witness that I voted.

The first thing I learned in your posts was the important about use carefully our password and I really appreciate it, thank you so much for everything you do for steemit and for all of us because I'm sure if you weren't here, steemit's couldn't exist, you're the best witness ever <3.

@gtg wish I found this post earlier. I wasn't thinking and I opened a link from some fake account "gtg.witnesses". It didn't load and I wasn't even thinking about giving any of my passes if it did load but... You think I should scan my PC for worms and change my passes anyway? Or am I safe?

You couldn't be harmed just by opening that page, it wasn't using any malware it was made to trick you into putting there your password. If you haven't then you should be OK.

I was very lucky to find your post, a few days ago there was a resteem about this ... I forgot the name of the account.
There are some new services namely steemgar, I did not dare to access, because I was afraid of losing the account, whether the steemgar was proven or scam?
have a way to know the site is a scam??
thanks @gtg for this info

It's not easy to tell, usually over the time websites can earn its reputation but I would recommend using only those that are doing their authentication/authorization through SteemConnect (you still need to make sure that it's real SteemConnect site used for that and that you are ok with permissions that such site requires from you)

Common sense but i could see being a problem for the populations on steemit without a great education. So thanks for the share!

Thank you for alerting us with this warning. It is sometimes really nice if posts like this passes through our sight thru our feed, makes us wanna take care of our passwords more secured.

Gandalf, did you see this guy? It looks like phishing to me

https://steemit.com/@gtg.witnesses/transfers

Yes, of course, that's the very reason I've written this post.
No one should trust such messages.

Yeah, I discover a few minutes later ;)
I was in a mood - act immediately, think later - just in case :D

Perhaps we as a witness should all warn other Steemians on how to properly use their keys and be aware of scam sites.

We are continuously doing so. Awareness among users is very important.

someone really hates you. that's a shame. i knew it was not you

Thank you :-)
By the way, I don't think that has anything to do with feelings towards me, it's just a pathetic way of stealing money from people.

The more people know about crypto and the wider the public acceptance the more scams will take place. Be careful out there, guys.

Thank you for the information as a newbie I am learning so much, I have seen a few post asking for money but I have just moved on.

I just voted you. Good luck!

Everyone should be careful with their own private keys.

Thank you :-)

It lies within the nature humans to destroy everything they love over time. Greed and hunger for more than one can eat will once destroy humanity and it seems nobody can prevent us from this.

The internet was a great invention; today you need to watch every step since if you are not, you will be robbed.

Blockchain, even though the technology is supposed to be safe, is going the same route. Fake ICOs, stolen wallets, hacked exchanges, robbed passwords and identities it all happens again and people are wondering why adoption is not moving faster. And those are crying that governments are aiming for regulation.

Why can people not just grant success to you and not try to steal the next moment? Isn't that shameful?

Thank you very much for this wonderful information ,,, and give us tips to avoid people deceiving and quirks ,,, You are a good person and deserve the best ,,, I wish you more success.
Good luck my dear friend @gtg 👍👍😉

Good info and so true and important.

A lot of people these days will do anything to get hold on your cryptos.

Be careful and use your bigger muscle (The brain) then you should be good off.

I had this scam message in my wallet. Fortunately, I read about this scam in the post of @dragosroua https://steemit.com/steemit/@dragosroua/the-gtg-witnesses-scam-decomposed.

Thanks for sharing, I indeed changed my password once I went in a website I shouldn't have

Good work, stay safe :-)

You did such a good job. Your posts are the source of the knowledge necessary about Steemit. Keep it up!

Thank you :-)

One of the greatest gift someone can give to a fellow human is information.
information is the key to success.
you are a true steemian.
am so much grateful for the gift

Thank you so much for sharing!! I will ask for new password right now since I’m not already sure if those steemconnect authority I have been giving are legit. So much help!

Good idea, stay safe! :-)

Certainly that's why these scammers use these known bodies like steemconnect to try and scam people, I'd say people should beware, these is really getting out of hand

Money will always lure variety of scammers. People have to learn how to avoid getting into troubles. Sometimes it's enough to stop for a while and think about actions and their possible outcomes.

Thanks @gtg, the importance of keeping your password secure is very fresh in my mind. Just this week I was in the process of changing my password by generating a new one. To cut a long story short I lost my newly generated password before I was able to save a copy of it.

This was due to carelessness on my side, however I was locked out of Steemit for days. Fortunately, I knew my previous master key and immediately began the account recovery process. Thanks to Steemit my account was recovered in a matter of days, but it was an extremely nerve wracking couple of days.

Be careful with your master keys folks, there is too much at stake to be careless with them.

Btw @gtg, do you know if anyone is working on getting Steem onto a hardware wallet like ledger or trezor?

True. I'm glad it ended up well.

As for hardware wallets - I don't know, I've heard some wanna-be-working-on-that kind of gossip but no idea about actual efforts or progress.

Hi Gandalf! Hope you and you wife are good. Hey, I write you because someone is voting to comments with a link to a fake Steemit web with your name (kind of), this is the user @gtg.witnesses. Have power delegated so, he is getting the comment all to the top of the comment list.

In my last post there is one of this comments, maybe you can help me to flag it
https://steemit.com/life/@juanmiguelsalas/20180302t171141786z-post#@ana-maria/re-20180302t171141786z-post-500

Greetings!!!

Thank you for info :-)

I am new here and there is a lot to learn. I signed up for zappl with my master key before I even knew there were other keys to use, after I found out I was like man I hope that password doesn't get compromised. Since then when signing up for other sites I do try to use my posting keys but most want the master key and since getting all these warnings I'm scared to use it so just don't bother signing up just to be safe than sorry.

Don't worry, in time you will have enough experience to be able to tell if certain actions are safe or not. Also developers will be trying to make this realm a safer place by providing tools and solutions for safe authentication and authorization to various services on the Steem platform.

Thank you, one question if you would like to answer would you consider it safe for me to use steemconnect to log into busy? can't use the posting key to log in there need the active or master key.

While taking appropriate precautions - yes.
First make sure that you are really on a busy.org site by checking address bar of your browser, it should start with https://busy.org
Then follow the link from the top right corner of a page. Make sure that's the link from busy site itself, i.e. not a link from someone's post.
Then you should be redirected to steemconnect. Again check your address bar. It should start from https://steemconnect.com.
It will ask you:

Do you want to authorize the Steem account @busy.app to use your posting role?

Important part is that it will ask you to authorize account busy.app (no other) and your posting role.

So it will in fact be authorized to use only posting-key operations, but you need your active key to confirm that you are allowing this.

busy_connect.png

Here you can see details about what exactly you are authorizing busy.app to perform on your behalf.

Thank you so much you have been so kind to a newbie like myself i will not forget your kindness.

Someone I introduced to Steemit fell into this trap. Before we could realize what was happening, all his SBD was transferred to blocktrades without him knowing anything about it. He had saved these funds since the day he joined Steemit, 5 months ago, hoping to sell it in future. All of it just went down the drain like that.

This should be re-steemed as many times as possible so that as many people as possible can see it.
The scammers just want to lazy around and feed on other people's hard-earned funds.

Thank you so much for sharing this @gtg

Oh dear, you'd have to be a bit daft to give them out, although scammers can be very convincing.
Private key is a big risk in blockchain solutions, once they're gone, they're gone.

Thank you for this useful piece of information about account security. This means I have been doing the right thing so far because I only use those apps that only needs your posting key for authorization.
But I have one question related to steemconnect i.e, sometimes in the address bar it is written something like v2.steemconnect and sometimes like only steemconnect, I really want to know are these the same or they are different? Hope you understand my question.

That was for the purpose of transition between old and new version of SteemConnect, now you should see just https://steemconnect.com

Thank you for clearing it out.... :))

Password, password, password... Everything in our lives is encrypted. I have about 50 passwords in my notebook. :)) @gtg

Hopefully your notebook is backed up and encrypted too :-)

HA HA HAAA :)))))) You're right! You say you're backing up now, I hope nothing happens to my computer. I'm afraid now :)))) @gtg

Really great information. I will change the password now because I really signed up with this mistake. Thank you. You are a really successful person. I hope to become like you some day. You are like me here

Thanks @gtg do you know any wallet for saving passwords because it is to large and never to remember it?

If you can remember the password, it's not secure :-)
You might want to take a look at password managers like LastPass or KeePass2, etc.

Thanks dear friend 👍🏻

oooh really?
Thank God , i didn’t give my password
Thanks @gtg For the guidance, this will help a lot of steemians

this is good information for me, because it is new in steemit, and I just have a lie that is done by people who are not responsible, thank friend

how many days i am looking for this information. It was very helpful. thank you. :)

thank you for this post. ^_^

Thank u so much @gtg for the valuable info really interesting
