News of fake Steem Engine + compromised accounts. Be careful people! + Question about Changing Recovery Accounts


You may have seen @aggroed's post from yesterday, creating awareness among steemians that there is someone out there posing as steem-engine.com, but using a similar domain name. I resteemed it as well.

The phisher asks for your private keys on the fake steem engine site. Don't enter your private keys on this steemengine dot net site!

There were also two reports by @spaminator about thousands of accounts compromised by a botnet and blacklisted by @spaminator. They provide instructions on what to do if you are on the list of affected accounts.
https://steempeak.com/spaminator/@spaminator/fiftysats-botnet-are-you-blacklisted-and-don-t-know-why
https://steempeak.com/spaminator/@spaminator/fiftysats-botnet-more-victims-found

That looked like a Friday 13th, indeed!

I hope people will pay attention and those affected will soon get their accounts back in order!

But on this subject I have one important question (important in my mind at least), for which I didn't find an answer yet.

How can one change the recovery account?

First of all, what is the recovery account and where can you find which one it is?

The recovery account is another Steem account which is able to initiate the recovery of your account, in case you solicit it after your account has been compromised. For the recovery to be possible, you often need to go through a process. With Steemit, Inc., you need to send them a recent password for your account, one used no more than 30 days ago. More information will be required to determine that you are the rightful owner.

Where can you find which is the recovery account for your account?

One way to find out which is your recovery account is to look in steemd (i.e. steemd.com/@yourusername)

In my case for my main account it says it's @steem, meaning Steemit, Inc.

Why would anyone want to change the recovery account?

Even if it's sometimes called the trustee, it's not a matter of trusting that account owner with your account, as they can't do anything without your help, since you are the owner.

But there is a case where this matters: what if the recovery account holder becomes inactive or otherwise unreachable and your account is compromised? How do you recover your account then?

This will become even more of an issue as more accounts are created by regular users who claimed account tickets using their unused resource credits and use them to create accounts for others.

When they create an account using their available tickets, they are set by default as the "recovery account". A responsibility maybe they didn't know they have, didn't ask for and don't want.

Some may become inactive over time or will be unreachable when someone needs them to recover their account. Then there's a problem.

I know there is a way to change the recovery account. I just didn't find out how yet. It would be a great idea if someone would shed some light on this issue. Either by commenting here, or better yet, by implementing the necessary feature in a high-profile interface/tool.

I see @steemchiller has a nice account recovery tool on SteemWorld. Maybe a way to change the recovery account can be included, if or when he can.

EDIT: @steemchiller answered almost immediately: see how you can change the recovery account in his comment below. Obviously, you can use SteemWorld, I just missed it and looked elsewhere. :)

Also, maybe there should be an automated procedure to change inactive recovery accounts to others still active and which have performed at least one account recovery recently (not sure how long "recently" should be).


Comments 20


Maybe a way to change the recovery account can be included, if or when he can.

14.12.2019 12:30
19

Ah, thank you! I was only looking at "Account Recovery" tool at the bottom.

14.12.2019 12:33
0

Hey @steemchiller, a friend of mine has an account for which he only has his private posting key.

Is it possible to recover with your tool that account when I'm the recovery account??

If so, is there somewhere a post about how this is working??

14.12.2019 13:20
1

no, you cannot recover an account with only the posting key. You need an owner key or a master password that was valid within the last 30 days.

14.12.2019 14:06
4


maybe worth mentioning here: it takes 30 days after changing the recovery account until the change becomes active.

14.12.2019 14:07
3

Definitely worth mentioning. So, in the meantime, the old recovery account remains active, right?

I understand the reason for this 30 days window, so a hacker won't be able to quickly change the recovery account too. Then a compromised account would be completely at the mercy of the hacker.

14.12.2019 14:12
0

yes, the old remains active until then. So don't worry if you change the recovery account and the change isn't visible immediately on steemd.
Yes, if this change were immediate there would be no point in the recovery mechanism. A hacker would just change both the keys and the recovery account and the account would be lost completely.

14.12.2019 14:21
2
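The timing rules from the comments above (a recovery-account change only takes effect after 30 days, and recovery needs an owner key that was valid within the last 30 days) can be seen in a small Python model. This is an added example, not Steem's implementation or anything from the original thread; the class, method and account names are hypothetical and the keys are constructed strings.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds


@dataclass
class Account:
    """Toy model of the recovery rules discussed in this thread (not Steem code)."""
    owner_key: str
    recovery_account: str
    delay: int = 30 * DAY        # wait before a recovery-account change applies
    key_window: int = 30 * DAY   # how long a replaced owner key still counts as proof
    pending: tuple = None        # (new_recovery_account, effective_time)
    old_keys: list = field(default_factory=list)  # (key, time it was replaced)

    def change_owner_key(self, new_key, now):
        self.old_keys.append((self.owner_key, now))
        self.owner_key = new_key

    def change_recovery_account(self, new_recovery, now):
        # The change is only queued; the old recovery account stays in charge.
        self.pending = (new_recovery, now + self.delay)

    def effective_recovery_account(self, now):
        if self.pending and now >= self.pending[1]:
            self.recovery_account, self.pending = self.pending[0], None
        return self.recovery_account

    def can_recover(self, via, proof_key, now):
        """True if `via` may recover the account for someone presenting `proof_key`."""
        if via != self.effective_recovery_account(now):
            return False
        # Only a recently replaced owner key is accepted as proof of ownership.
        return any(k == proof_key and now - replaced <= self.key_window
                   for k, replaced in self.old_keys)


def takeover_then_recover(delay_days, recover_on_day, proof="victim-owner-key"):
    """Constructed scenario: on day 0 someone who stole the keys rotates the
    owner key and queues a new recovery account; the owner reacts later."""
    acct = Account(owner_key="victim-owner-key", recovery_account="trusted-friend",
                   delay=delay_days * DAY)
    acct.change_owner_key("attacker-key", now=0)
    acct.change_recovery_account("attacker-sock", now=0)
    return acct.can_recover("trusted-friend", proof, now=recover_on_day * DAY)
```

With the 30-day delay the original owner can still recover on day 5; with no delay, after the window has passed, or with only a posting key, the same request fails.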

Thanks!

One more question. Does or should the "receiving" recovery account (the account being set as account recovery) have a say about it?

For example, I created a test account using my claimed tickets to see if I would be set as the recovery account. If I want to set the recovery account for that account from 'gadrian' to 'steem', should 'steem' have any say in this?

Steemit Inc. collects some information about users they sign up to Steem. The reason provided for the data collection is that it will be used in case of an account recovery, to prove it's you.

But what does Steemit Inc. know about the account I would set 'steem' account recovery for, if I created it (and that is a clear case, but I could have created an account for someone I didn't know). How would their mechanism of verifying the ownership work then?

14.12.2019 14:32
0

you can set any account as recovery account. The chosen account is not 'asked' nor has a veto. However, it should be in your interest that the account you set as recovery partner 'knows' you to some extent. If your account gets hacked and you submit a recovery request to your recovery account, this account has to make sure that the person requesting recovery is the actual/original owner of the account. If you accidentally leaked your master password to the public/blockchain, anyone could submit the recovery request for your account.

For all accounts Steemit has created, the users have provided a phone number and an email address. I think they use this information to verify that the person requesting recovery is the original owner. I doubt that they'd recover an account for which they don't have this or equivalent information. I wouldn't set @steem as recovery account for an account I created myself.

14.12.2019 15:47
1

This account also needs to know how to proceed in case an account recovery has been filed.

So, if you add your buddy as a recovery account because he knows you, but he isn't quite savvy about Steem, you might still get in a dead end, or at least delay the recovery quite enough, before everyone involved finds out what needs to be done.

Good point about not setting @steem as a recovery account.

Well, thanks a lot! This is information good to know long before one needs it, because for now I don't particularly need it.

14.12.2019 16:01
0

Yeah, I must admit, account recovery isn't the easiest thing to do for regular users. However, there are options:

14.12.2019 16:10
4

Thank you for listing more options. I only knew about SteemWorld.

14.12.2019 16:17
0

Hi Adrian!
I didn't know that a clone of steem-engine existed, but for almost a week I haven't been able to trade... and I was curious whether it's the same for you!
It keeps giving me an error related to the date and time...

14.12.2019 18:19
1

Hi! Well, I don't have problems with steem-engine. Make sure you go to steem-engine.com, not another site. If you went to any site with a similar name, I advise you to revoke the authorizations for all applications and change your account password.

14.12.2019 19:13
1

I have always gone to the address mentioned... I've been using the site since the first day of launch!
Here's what shows up for me:
Screenshot_2019-12-15-00-13-09.png

Do you happen to have any idea what it could be?

15.12.2019 04:21
1

Can't you install Steem Keychain? It's possible that it's an error related only to using the Steem-Engine + SteemConnect combination. If it doesn't work or if you need help with Keychain, let me know.

15.12.2019 08:55
1

That is a great tip @gadrian, change the recovery account if it becomes inactive or you just want another, stay awesome.

14.12.2019 20:44
0

Thanks! Yeah, a reliable recovery account is important. I will probably make a tutorial tomorrow.

14.12.2019 21:25
1