General Web3 Security Threads
Securing Your Twitter Account
Twitter Account Hack Alert
This is how it has been reported to me that projects (JRNYclub, nounsdao, potentially others earlier this year) are having their Twitter accounts hacked... And here is how you can protect yourself, your project, and your community.
Quite frankly, this is a pretty old trick. An attacker will contact your mobile phone service provider and convince them to switch your phone number over to a sim card they control. This can be accomplished even with the last 4 of your SSN in some cases. Phone numbers ≠ secure.
"But I have 2FA on my Twitter account!" you scream into the void. Yes, you might have 2FA, or a security key on your account, but anyone logging in has the option of choosing ANY of the options you have enabled, including SMS. But there is a pretty easy fix... read on
In your Twitter Account's settings, navigate to: Your Account>Account Information>Phone And just delete it. They removed the requirement to have a phone number like 2 years ago. That's pretty much it. But if you had your phone number linked and it was an option for 2FA, there could be some nasty things potentially hiding in wait still. 1. Turn off TweetDeck Teams if you're not using it. 2. Go to Security>2FA - check that all the methods are things you set up. 3. Go to backup codes and temporary password, regen both. 4. in Apps and Sessions, review connected apps, revoke old ones. 5. Review sessions, revoke all sessions if you don't recall any. 6. Check account access history for anything spooky recently. 7. In Connected Accounts ensure those accounts are still under your control or revoke.
Please take a little bit of time to review your own Twitter account, as well as any project's Twitter accounts you might have access to. This has been a lot more prevalent lately and shows no signs of stopping, so take the 5mins to go check. Thank you all.
Physical Security at IRL Events
NFT NYC Security Tips
I've seen a couple posts about NFT NYC and keeping your digital assets secured while there... Honestly I don't think most of the posts or threads go nearly far enough. You are a major target, and here is how you can protect yourself:
1: Don't wear NFT swag/merch outside of events or the venue. Seriously, normal people know BAYC too - people will try to mug you, this has already been happening heavily in the general crypto space. Your goal is to not look like a crypto or NFT nerd.
2: Do not tell anyone your hotel room number. Do not tell people where you are staying. Put anything electronic you're leaving at the hotel in a safe. Make sure you don't accidentally show your hotel key when opening your wallet When you leave put the Privacy sign on the door.
3: Leave your valuables at home, in a cold wallet. Do not bring your valuable NFTs to NYC. Leave them at home, in a cold wallet or hardware wallet. Any projects that require you to show a valuable NFT at the door and aren't using a solution like chainpass should be shamed.
4: Ideally, bring a burner phone, burner laptop, and charging pack. Your main phone is going to be a huge target. It is much better if you can bring a burner instead, or buy a prepaid phone just for the event. A prepaid smart phone can cost as little as $120 with a plan.
5: Wipe your burner phone, laptop, and anything else you brought with you once you get home. Especially if you plan on continuing to use them for anything NFT or crypto related.
6: If you bring your main phone/laptop... You need to disable WiFi, Bluetooth, NFC, any apps that have permission to turn those on, and any other nearby sharing apps or protocols your phone might support. Ideally, turn off your phone at all times. Only turn it on if needed.
7: When you connect to the internet, use a VPN. Do not use public wifi, use your phone data as a hotspot (not advised), and still connect with a VPN. Do so only in private places. If forced to use hotel internet, bring an ethernet cord and plug in directly (but not advised.)
8: Do not plug your phone into anything. No free chargers, no dongles, nothing. Do not give your phone to anyone. Not to add an email address or their number. Never leave your phone anywhere unattended. Trust no one.
9: Make sure you exchange numbers with people you will be travelling with or at the event with. If you run into an issue or need assistance it really does help to have trusted contacts you can reach out to. (Got to be safe out there!)
10: Before you get to NYC, make sure EVERYTHING you're bringing has been patched and updated. Here's a twitter thread from Grassy about how to update different devices/OS/apps: https://twitter.com/GrassyEth/status/1534638778119344134
11: Make sure everything you're bringing is hard drive encrypted. This means you need to enter a password when you open the device before the hard drive and the data inside it is unencrypted. When not using a device or leaving the hotel room, turn it off.
12: Be somewhat quiet about your travel plans. Don't livestream your location if you're out walking around on the street. When you leave the venue, take off your badge. Don't broadcast your name and that you're an NFT nerd.
13: If you need to bring a digital wallet with you for events or otherwise, bring only a burner wallet. Do not bring your main wallet. Transfer your NFTs or assets back to a more secure wallet once you get home.
14: Don't get too drunk - and drink plenty of water while in NYC!
Overall - just don't bring anything with you that you can't afford to lose. Be safe, don't trust anyone, and have a really good time! Please share this with any friends you know are heading to NFT NYC.
Member discussion