Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Show a Warning When dumpwallet Command is Used #290

Closed
catchingknives opened this issue Oct 13, 2018 · 19 comments
Closed

Show a Warning When dumpwallet Command is Used #290

catchingknives opened this issue Oct 13, 2018 · 19 comments
Assignees

Comments

@catchingknives
Copy link
Contributor

Since we introduced Znodes, dozens of users have been scammed out of their Znode collateral and any additional funds they had.

The Problem

Scammers usually operate like this:

  • They copy a team member's Discord or Telegram profile. As Telegram has unique user names, they have to choose something similar-sounding (like "reubsterr" instead of "reubster"). Discord, however, allows an almost identical copy of the username and user tag (format: user#tag, e.g. catchingknives#5168) with only the underlying ID being different. This ID, though, is hard to access in the UI, especially for inexperienced users. Willingness to recognise or even act on the issue on the the side of Discord is close to zero. When asked, they replied they're a plaform for gamers, not traders.
  • They prey on users with issues in the channel and then approach them via private message to offer their "help". This should be red flag number 1 as we have in interest in keeping all support queries public. Scammers cannot operate in public!
  • After asking some typical "tech support"-type decoy questions, they then ask the user to send them their log file for further diagnosis. This, however, is not the file debug.log. Instead, the scammer asks their victim to "generate a log file". This should be red flag number 2 for users as we already have a debug file that does not need to be separately generated and no other logs are kept. Red flag number 3 is that, in order for them to successfully use the subsequent command, the user has to unlock their wallet using walletpassphrase. Unlocking, however, is only needed for coin-related functions (i.e., sending, minting and spending) and nothing else. The command the scammer uses to have the user "generate logs" is dumpwallet. This command's name is inconspicuous enough for the average user as it could be thought of referring to dumping the wallet's logs. In reality of course it dumps all private keys. The command the scammer has the user enter is usually something along the lines of dumpwallet logfile.zip. This is another cover-up tactic as the generated file is plain-text but is likely recognised as an archive by the user's OS based on the ending. The average computer user will thus not be able to check the file's content before sending it to the scammer.
  • Once the scammer has received the files, he immediately takes control of the coins and sends them to a wallet under his control.

Proposed Solution

As dumpwallet does not seem to be suspicious to the average user, there should be a warning added to the command's output.

I suggest something along the lines of:
WARNING! This command exports all your private keys. Whoever has this output can gain complete control over your funds

Faced with an output like this, the user would likely reconsider sending the file to the scammer.

@reubenyap
Copy link
Member

I'm in favor of this because of the increasing amount of scams, although I'm sure that scammers will find new ways to scam or explain out of this way, it makes sense for this small change. Given that this scam targets people who aren't technically inclined, I propose to make the message more easy to understand.

WARNING! This command prints all your private keys. Anyone with these private keys has complete control of your funds. If anyone is requesting for any of the info or output from this dumpwallet command, chances are high that they are scammers. This command is never needed for any Znode setup.

Assigning this to @a-bezrukov which should be a straightforward text change.

@yura-pakhuchiy
Copy link

yura-pakhuchiy commented Oct 14, 2018

I propose to force user to enter: dumpwallet <filename> I'M-AWARE-THAT-THIS-FILE-CONTAINS-KEYS-FOR-ALL-MY-FUNDS-AND-I-CAN-LOSE-THEM-IF-IT-SHARED-WITH-3RD-PARTY or something similar, otherwise reject dumpwallet request. Will be kinda difficult for scammer to convince user in this case to type it. User should be able to copy-n-paste this long string, so it will not be extremely annoying for legitimate cases. Users tends to skip reading warnings, but forcing to type (or copy-n-paste) should hopefully draw more attention.

@riordant
Copy link
Contributor

PR created: #291

@reubenyap
Copy link
Member

Yura's idea is not bad. Is it difficult to implement?

@riordant
Copy link
Contributor

riordant commented Oct 14, 2018

No it's straightforward. Where will the string be hosted? For example, it could be shown by running the dumpwallet command without any arguments (the help menu for that command).
Personally though I don't see how entering a string is any more secure than showing a warning to the user, especially if they're just going to copy and paste it anyway. For example, scammer just says (eg.) "Ok next, copy and paste the second string after running ./zcoin-cli dumpwallet".
Of course, we could do both.

@yura-pakhuchiy
Copy link

Yes, it should be shown when dumpwallet is invoked without arguments or without this string. And yes, we should do both warnings. Just print longer explanation from current PR, and try to get users attention by this shorter string which he have to type/copy. I believe it is more secure because users tends to skip reading warnings, but forcing to type (or copy-n-paste) might draw more attention. Of course it is not 100% fail proof, but I believe we can do nothing if user will ignore both these warnings.

@riordant
Copy link
Contributor

riordant commented Oct 14, 2018

Sure. I think the best option is to add both. At that point it's really out of our control. Will update the code tomorrow.

@catchingknives
Copy link
Contributor Author

catchingknives commented Oct 15, 2018

How do you like this version of the text:

WARNING! This command exports all your private keys. Anyone with these keys has complete control over your funds. If someone asked you to type in this command, chances are they want to steal your coins. This is never needed for Znode setup or diagnosis!

@riordant
Copy link
Contributor

riordant commented Oct 15, 2018

https://github.com/zcoinofficial/zcoin/pull/291/files Updated to include Yura's method.
Original text remains the same, Though I like your updated text @catchingknives.

@catchingknives
Copy link
Contributor Author

But why ;) I think we have to consider that most people aren't native speakers of English or very computer-literate. To them "print" doesn't mean screen output for example. That's what I tried to fix in my version. Also edited for clarity, got rid of redundancy, shortened sentences, explicitly added troubleshooting (which is exactly the context of the scam!) etc.

@riordant
Copy link
Contributor

Ok. Any feedback @reubenyap @yura-pakhuchiy ?

@yura-pakhuchiy
Copy link

yura-pakhuchiy commented Oct 15, 2018

Since user probably will be confused at this point, information text may also include where he can seek help and that he should not accept private messages and ask for assistance via public channels.
Everything else utACK.

@riordant
Copy link
Contributor

I think the other way to look at it is if the user wants to use dumpwallet, they're likely to be somewhat technically savvy already, right? What we're protecting here is novice users who are being told what to do by a scammer. So making it intentionally difficult to execute the command will hopefully alert them to what they're doing.

@yura-pakhuchiy
Copy link

yura-pakhuchiy commented Oct 15, 2018

My point is we are trying to protect user who is being scammed and probably receiving instruction from private messages. At point he enters dumpwallet command and sees our text he will be confused, because text will contradict with what scammers says. So we need to point him to the correct channel of receiving help.

@catchingknives
Copy link
Contributor Author

All new and refined:

WARNING! This command exports all your private keys. Anyone with these keys has complete control over your funds. If someone asked you to type in this command, chances are they want to steal your coins. Zcoin team members will never ask for this command's output and it is not needed for Znode setup or diagnosis!

Please seek help on one of our public channels.
Telegram: https://t.me/zcoinproject
Discord: https://discordapp.com/invite/4FjnQ2q
Reddit: https://www.reddit.com/r/zcoin/

Thumbs up or thumbs down please, gents

@reubenyap
Copy link
Member

I like the new wording.
Waiting on @a-bezrukov to comment whether if we change the dumpwallet command would it break any compatibility with other third party for e.g. Bitcore/Electrum.

@riordant
Copy link
Contributor

The issue with the current solution (the blocking part that waits for a response from the user) is that it requires daemon=1. All interaction has to take place in the same console. I don't think it should be implemented as a result, and we should think of another way to go about it. We could return the warning as a string?

@a-bezrukov
Copy link
Contributor

This can be implemented as intended in another layer of RPC calls. The filter may be implemented in or around rpc/server.cpp and work for zcoin-cli and zcoin-qt.

@reubenyap
Copy link
Member

This is now implemented in #291 and merged to master.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants