Avoid multi-auth phishing attack #3343
Comments
Some ideas for long-term solution:
A quick workaround is to disable the drop-down list temporarily, or only "my accounts", "contacts" or "history" can be in this list. There is a BTS ID for every account; maybe it can serve as an authentication for "multi-auth" confirmation.
Actually the multi-auth phishing accounts are identified as "my accounts" now, because the victims "own" a weight of those accounts. We need to figure out a way to distinguish them (probably via UX). By the way, if you pay attention, when transferring, accounts in contacts now show a "star" icon, while my accounts and such phishing accounts show a user icon, and the inputted account has no icon if it is not in my accounts, contacts or the known scam account list. The screenshot below was for reproducing a scenario that assumes
The workaround in pull request #3344 won't show my accounts at all, which is a bit inconvenient but safer (a test environment is temporarily available at https://pr.bts.mobi/):
I think this is fixed.
Is your feature request related to a problem? Please describe.
Several people have been phished by so-called "multi-auth attack" recently.
The attacker registered a lot of phishing accounts whose names are similar to exchange deposit accounts or to frequent recipients of the victims, and added the victims to the phishing accounts' active authorities with a low weight. When a victim opens the "Send" dialogue, a phishing account will automatically appear in the drop-down list of the "To" field; if the victim does not pay attention and clicks the phishing account, funds will be sent to it.
Note: it only affects key-file (.bin file or local wallet) login mode.
I've tried to reproduce it; see the screenshots below.

Describe the solution you'd like
A quick workaround is to disable the drop down list temporarily.
Better solutions are to be discussed.
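The distinction the thread is after (an account the user really controls versus one in which the user merely holds a low-weight slot of someone else's authority) can be made from the authority data itself. The following is an added example, not code from this issue or from the bitshares-ui project: it models a BitShares active authority (weight_threshold, account_auths, key_auths), counts an account among "my accounts" only when the user's own weight meets the threshold, flags accounts where the user has some weight but cannot sign alone (the multi-auth pattern described above), and also flags accounts that a third party can sign for without the user. Account names, ids, keys, and the contact and scam sets are constructed placeholders.

```javascript
// Added example, not bitshares-ui code: classify candidate "To" accounts so
// that an account in which the signed-in user merely holds a low-weight slot
// of someone else's active authority is never offered as one of "my accounts".
// The authority shape follows the BitShares authority object; all account
// data below is constructed sample data with placeholder keys.

// Weight the user contributes to an authority through their own account ids
// and public keys.
function userWeight(authority, userAccountIds, userPublicKeys) {
  let weight = 0;
  for (const [accountId, w] of authority.account_auths) {
    if (userAccountIds.has(accountId)) weight += w;
  }
  for (const [publicKey, w] of authority.key_auths) {
    if (userPublicKeys.has(publicKey)) weight += w;
  }
  return weight;
}

// Combined weight of every authority entry the user does not hold.
function othersWeight(authority, userAccountIds, userPublicKeys) {
  const total = [...authority.account_auths, ...authority.key_auths]
    .reduce((sum, [, w]) => sum + w, 0);
  return total - userWeight(authority, userAccountIds, userPublicKeys);
}

// Returns one of: "scam", "my-account", "shared-control",
// "low-weight-authority", "contact", "unknown".
function classifyAccount(account, ctx) {
  if (ctx.scamList.has(account.name)) return "scam";
  const auth = account.active;
  const mine = userWeight(auth, ctx.userAccountIds, ctx.userPublicKeys);
  const others = othersWeight(auth, ctx.userAccountIds, ctx.userPublicKeys);
  if (mine >= auth.weight_threshold) {
    // The user can sign alone. If a third party can also sign alone, the user
    // does not exclusively control the account (threshold 1, two weight-1
    // entries), so it must not be presented as a plain "my account".
    return others >= auth.weight_threshold ? "shared-control" : "my-account";
  }
  // Some weight, but not enough to sign: the multi-auth phishing pattern.
  if (mine > 0) return "low-weight-authority";
  if (ctx.contacts.has(account.name)) return "contact";
  return "unknown";
}

// Only accounts the user exclusively controls or has explicitly saved as
// contacts are suggested; everything else has to be typed out in full.
function suggestRecipients(accounts, ctx) {
  return accounts
    .filter(a => ["my-account", "contact"].includes(classifyAccount(a, ctx)))
    .map(a => a.name);
}

// Constructed sample context for the signed-in user.
const ctx = {
  userAccountIds: new Set(["1.2.1001"]),
  userPublicKeys: new Set(["BTS_USER_KEY_PLACEHOLDER"]),
  contacts: new Set(["bob-friend"]),
  scamList: new Set(["known-scammer"]),
};

// Constructed sample accounts as a wallet might have cached them.
const sampleAccounts = [
  // The user's real wallet account: their key alone meets the threshold.
  { name: "victim-wallet", active: { weight_threshold: 1, account_auths: [],
      key_auths: [["BTS_USER_KEY_PLACEHOLDER", 1]] } },
  // Look-alike account: the user's account was added with weight 1 of 100.
  { name: "exchange-deposit-lookalike", active: { weight_threshold: 100,
      account_auths: [["1.2.1001", 1]],
      key_auths: [["BTS_OTHER_KEY_PLACEHOLDER", 100]] } },
  // Variant: threshold 1, so both the user and the other party can sign alone.
  { name: "shared-lookalike", active: { weight_threshold: 1,
      account_auths: [["1.2.1001", 1]],
      key_auths: [["BTS_OTHER_KEY_PLACEHOLDER", 1]] } },
  // A saved contact over which the user holds no authority at all.
  { name: "bob-friend", active: { weight_threshold: 1, account_auths: [],
      key_auths: [["BTS_BOB_KEY_PLACEHOLDER", 1]] } },
  // An account on the known scam list.
  { name: "known-scammer", active: { weight_threshold: 1, account_auths: [],
      key_auths: [["BTS_SCAM_KEY_PLACEHOLDER", 1]] } },
];

console.log(suggestRecipients(sampleAccounts, ctx)); // ["victim-wallet", "bob-friend"]
```

A wallet that wants to keep showing low-weight or shared-control accounts (for legitimate multisig setups) can render them with a distinct icon and a confirmation step instead of hiding them; the point is that they are never grouped under the same "my accounts" label as accounts the user controls on their own.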