Sunday, October 8, 2023

SECURITY - The game has changed whilst we weren't looking. Let's show some empathy

There's a lot more to internet security than not clicking on links and cold storage. Villains have upped their game and I'm getting quite p'd off at the general sanctimonious attitude here. Victim blaming and shaming.

Websites can be redirected without you knowing. The most recent event is Galxe but they are probably not the only one.

You can hit your regular site and it all looks the same. The URL is right, the padlock is there, no warnings from your browser, etc. However, that could be a hijacked site, with DNS poisoning and man-in-the-middle attacks being the most prevalent methods.

You could also hit the totally legitimate site, but there are many, many other sites behind the home site that you never see. Such is the power of cloud computing. A home page sends data to an authenticator, which sends data to a login server, which sends data to a permissions server. When you connect your wallet, data can be sent to many different servers to get your balance, check prices, check fees, etc. It's all invisible to you. Then there are chat servers and streaming data (price feeds, etc.), all coming from sources that you again are not aware of. FAQ sites with hyperlinks are often overlooked.

Any one of these layers or servers could be hijacked and you wouldn't even know.
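To make that invisible chain visible, here is an added example (not code from the blog post or from any site it mentions): a small Python script that parses a page's HTML and lists every external host its scripts, stylesheets, frames, images, forms and links reach out to. The page and all hostnames in it are constructed for the illustration; point `third_party_origins` at saved HTML from a site you operate and the result is the list of servers that would each need to be checked if you suspected a hijack anywhere in the chain.

```python
"""List the third-party origins a web page silently depends on.

Added illustration, not the blog's code. Given a page URL and its HTML,
collect every host that tags load from, post to, or link out to, and
report the ones that are not the page's own host. Each of those hosts is
a separate server that could be hijacked without the visitor noticing.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that cause a load, a submission, or a navigation.
LOADING_ATTRS = {
    "script": ("src",),      # executes in the page: highest impact if hijacked
    "link": ("href",),       # stylesheets, preloads
    "iframe": ("src",),      # embedded widgets such as chat
    "img": ("src",),         # tickers, trackers
    "form": ("action",),     # where credentials or wallet data get posted
    "a": ("href",),          # outbound links such as FAQ pages
}


class OriginCollector(HTMLParser):
    """Walk the HTML once and record (tag, absolute URL) per host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlsplit(page_url).hostname
        self.found = {}  # host -> set of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        wanted = LOADING_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if not value:
                continue
            # Resolve relative references against the page so that
            # first-party assets are attributed to the page's own host.
            absolute = urljoin(self.page_url, value)
            host = urlsplit(absolute).hostname
            if host:
                self.found.setdefault(host, set()).add((tag, absolute))


def third_party_origins(page_url, html):
    """Return {host: sorted [(tag, url), ...]} for every host except the page's own."""
    parser = OriginCollector(page_url)
    parser.feed(html)
    parser.close()
    return {
        host: sorted(refs)
        for host, refs in parser.found.items()
        if host != parser.first_party
    }


# Constructed sample page (hypothetical hostnames): a first-party dapp that,
# like the setup described in the post, quietly leans on an asset CDN, a
# login service, a chat widget, a price feed and an external FAQ.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="https://cdn.example-assets.net/wallet-connect.js"></script>
<script src="https://auth.example-login.com/sdk.js"></script>
</head><body>
<iframe src="https://chat.example-widgets.io/embed"></iframe>
<img src="https://prices.example-feeds.org/ticker.png">
<form action="https://auth.example-login.com/session" method="post"></form>
<a href="https://docs.example-help.com/faq">FAQ</a>
</body></html>
"""

if __name__ == "__main__":
    report = third_party_origins("https://app.example-dapp.com/", SAMPLE_HTML)
    for host, refs in sorted(report.items()):
        print(host)
        for tag, url in refs:
            print(f"  {tag:7s} {url}")
```

For the constructed page the script reports five external hosts while the relative `/static/app.css` is correctly attributed to the site itself. The `script` and `form` entries are the ones to watch most closely: a hijacked script host runs code in the page, and a hijacked form action receives whatever the visitor submits.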

Dusting is not only on L2 for fake contract signing. I had a long chat with someone in r/bitcoin about why dusting is valuable to villains. It's a long game of data mining. You could have been dusted eons ago without you noticing. Much, much later, weird things start happening. Social engineering is a thing. Spoofing is a thing. Villains are patient, and they run many, many bots: to seek data, examine data, and instruct other bots to act based on data.

So let's start showing mercy to victims instead of assuming they're the idiot.

And let's start asking hard questions of providers (CEX/DEX) about their security protocols. Most of these new attacks are not about a user being reckless. There are armies out there attacking financial services (not just crypto), and a user can only do so much to prevent it.

