Important advice from an ethical hacker

Since the forum homepage is now officially full of people getting rekt and chasing their lost funds, I decided to add my 2 cents as a former web security professional / ethical hacker. Read carefully and your funds will be protected. Forever.

Fake websites. Currently the most common attack out there. Targeting Anchor users, the attacker clones the source code of the Anchor web UI (HTML, CSS, JS), and spins up an identical website on a slightly different domain. It sounds like a noobish mistake to fall for this, but it has more depth to it than you’d think.

First and foremost: when you try to interact with Anchor, always check the website’s domain up there in your browser. If you are NOT on app (.) anchorprotocol (.) com, close the page and delete your browsing history. If you are not certain how you got there (e.g. unsure if you clicked a malicious link), immediately remove all browser extensions, plus run an antivirus scan with trusted software (Malwarebytes, for example).

I suggest twofold prevention for this:

  • First: Bookmark Anchor, and only use it by clicking the bookmark from now on.
  • Second: In Chromium-based browsers (Chrome, Brave, etc.) right click the Terra Station extension icon, and choose “This can read and change site data >” “On app (.) anchorprotocol (.) com”. This way, Anchor will instantly load your balances without human interaction ONLY when you access the real website.

The domain is correct, yet you’re on a fake Anchor website. Yes, this can happen. Domain translation is a complex process that relies on multiple DNS servers, ISPs and configuration. It’s a big chain of trust; any node becoming malicious means you’re compromised.

Say you accessed Anchor through public Wifi. The network settings usually default to using the ISP’s DNS settings, thus the Wifi owner can force you to load the website from a different IP address. Moreover, you can’t trust the lock either. The lock next to the domain name only means the connection is encrypted with the other party, but does not guarantee who the other party is.

Thus, do not use public Wifi for doing anything crypto-related. If you cannot avoid this on the go, spin up a trusted VPN service, and make sure you access the website through a secured VPN connection. In this case you don’t have to trust the wireless network operator, but need to trust the VPN provider instead. You generally don’t want to go for the cheapest no-name VPN provider out there.

Also, you might want to manually set your computer to use a trusted DNS server. For example, Google’s Open DNS servers are 8.8.8.8 (primary) and 4.4.4.4 (secondary). Open network settings and explicitly set these addresses.

Limit your use of browser extensions. Dedicate a browser or standalone browser profile for transactions. Do not install browser extensions other than the very necessary Terra Station Browser Extension or the official Metamask. When installing Terra Station, make sure you are on a reliable network, the real app store, the extension has real users and reviews. Most extensions have the rights to see or completely fake anything you see online. In general we go for the whitelist approach if possible, only allow certain extensions to read/change data on certain websites, like I mentioned above with Terra Station.

Use a hosts file. The hosts file is present on all major operating systems, Windows, MacOS, Linux. It’s found at C:\Windows\System32\drivers\etc or /etc/hosts. If you happen to know a known phishing website, don’t be afraid to block access to it. Add one line in the following format:

0.0.0.0 malicious-anchorprotocol (.) com

Then your browser will never be able to load the phishing website. It can also be done in the opposite direction to bind the legit IP address to a legit website.

Use a hardware wallet. So you are forced to interactively approve every single transaction with the device. Ledger and Trezor support Terra. I don’t think this needs more explanation on this forum. Or does it?

Let’s get into it, then. How to use a hardware wallet properly?

  • Order it from the official website from a trusted computer, from a browser in incognito mode with no browser extensions installed, from a trusted network.
  • The shipping address should NOT be your home address. Use your workplace, delivery box or something. Preferably order it from an email address you don’t use at any crypto-related websites, exchanges.
  • Check the parcel for any damage before opening it. In the case of any damage, document, discard, and request a new device from the manufacturer before using it.
  • Use the manufacturer’s website or software with similar precautions to verify if your device is original.
  • Then you generate a new keypair, and write down the seed phrase. Store the seed phrase in a secure place (or more places, split in pieces). Don’t be afraid to get hardcore with this: you can encrypt your seed phrase (OFFLINE!), find out some algorithm that’s easy to remember, yet if anyone gets access to your encrypted seed phrase, they either do not know at first that it’s a seed phrase, or they have no idea how to map the text to the original seed phrase.
  • Never ever type your seed phrase in any electronic device, be it phone, computer or tablet.
  • Order a backup device.
  • If someone accesses your seed phrase, immediately send your funds to a different, safe wallet.
  • Always check the amounts and the recipients (contract addresses) in your transactions before allowing.

Allowances. In general, you don’t want to allow any contract on any network to access more funds than you are willing to spend. For example if you want to swap 1 ETH to 33 LUNA on Uniswap, don’t stick with the default settings that Uniswap can spend Unlimited amount of ETH. Set it to 1 ETH (or in some cases, double the amount, if the transaction fails, but never give access to all your funds). Yes, more fees for regular transactions, but peace of mind in return.

I’m planning to release a Terra allowance checker soon, where you’ll be able to see what you gave access to, and revoke it.

Finally, one last piece of advice: avoid clicking any links on this forum, or hover over them and double-check the address before doing so.

Decentralized finance is a great invention, but comes with great responsibility.

Hope you find this helpful. Peace :wink:

22 Likes
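The domain check and the hosts-file blocking advice in the post above, as an added Python example that is not part of the original post or of any Terra/Anchor software. It reduces "check the domain" to an exact allowlist comparison, explains why a lookalike fails, and generates hosts-file block lines. The allowlist entry is the host the post names (written there as app (.) anchorprotocol (.) com); the function names `host_of`, `is_trusted`, `suspicion_reasons` and `hosts_block_lines` are this example's own, and the sample URLs are constructed for illustration, not real phishing sites.

```python
from urllib.parse import urlsplit

# Allowlist assumed for this example: the one host the post says to trust,
# which the post writes obfuscated as "app (.) anchorprotocol (.) com".
TRUSTED_HOSTS = {"app.anchorprotocol.com"}


def host_of(url: str) -> str:
    """Lowercase ASCII hostname of a URL (scheme optional); '' if unparseable."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    try:
        # Unicode lookalike labels become their xn-- form so they can never
        # compare equal to the ASCII allowlist entry.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return ""


def is_trusted(url: str) -> bool:
    """Exact match against the allowlist; nothing shorter, longer or similar passes."""
    return host_of(url) in TRUSTED_HOSTS


def suspicion_reasons(url: str) -> list:
    """Why an untrusted host looks like a clone attempt (empty list if trusted)."""
    host = host_of(url)
    if not host:
        return ["hostname could not be parsed"]
    if host in TRUSTED_HOSTS:
        return []
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph)")
    for trusted in TRUSTED_HOSTS:
        brand = trusted.split(".")[-2]  # "anchorprotocol"
        if host.endswith("." + trusted):
            reasons.append("subdomain of the trusted host (not the allowlisted page)")
        elif trusted in host:
            reasons.append("trusted name embedded in a longer hostname")
        elif brand in host.replace("-", ""):
            reasons.append("brand name on a different registrable domain")
    return reasons or ["not on the allowlist"]


def hosts_block_lines(lookalikes, existing_hosts_text: str = "") -> list:
    """'0.0.0.0 <host>' lines for each lookalike not already present in the
    hosts file text; trusted hosts are never emitted, so the allowlist cannot
    be blocked by mistake."""
    present = set()
    for line in existing_hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            present.update(h.lower() for h in fields[1:])
    lines = []
    for candidate in lookalikes:
        host = host_of(candidate)
        if host and host not in TRUSTED_HOSTS and host not in present:
            lines.append(f"0.0.0.0 {host}")
            present.add(host)
    return lines


if __name__ == "__main__":
    # Constructed sample URLs (not real phishing sites) for demonstration.
    samples = [
        "https://app.anchorprotocol.com/earn",
        "https://app.anchorprotocol.com.login-verify.example/earn",
        "https://app-anchorprotocol.com",
        "app.anchorprotocol.co",
    ]
    for url in samples:
        print(f"{url:60} trusted={is_trusted(url)} {suspicion_reasons(url)}")
    print("\n".join(hosts_block_lines(samples[1:], "0.0.0.0 already.blocked.example\n")))
```

The exact-match rule is deliberate: a substring or "ends with" test would accept app.anchorprotocol.com.login-verify.example, which is exactly the kind of clone the post warns about, and `hosts_block_lines` refuses to emit a trusted host so a mistyped block line cannot lock you out of the real site.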

Continuing this discussion, which I think is great btw. I think you can distill this into the pertinent points:

  1. Dedicated Chrome/Brave browser with only Terrastation and password manager plugins
  2. Favourite all your used services in the bookmarks bar or set them to pop up as your homepage
  3. The problem with advising people to use VPN is that they’ll forget to switch it on, personally I use an always-on Wireguard proxy running on a dedicated cloud host. I flat out don’t trust 3rd party VPNs as performing a MITM and selling your data to 3rd parties is to be expected these days

If you follow the above three things, I don’t think you even need a hardware wallet. I personally don’t like them as they identify you as a crypto hodler.

Big risk in my eyes comes from:

  • Copy-cat websites (mitigated by using favourites)
  • Keyloggers
  • MITM on public wifi
  • Social engineering (Anchor Support scams on Telegram)

2 Likes

Thanks. Some more side notes:

I personally use my own VPN server, which I host, with DNSSEC and IPsec enabled. But I don’t expect most people to do the same. The way to go is to completely avoid public or untrusted networks.

There are levels of paranoia, virgin computers for crypto, manually checking the smart contract code (who on earth does that btw?). I promote hardware wallets because I think using hot wallets and DeFi has way higher risk involved than someone coming after you (especially if they don’t know how much you exactly hold).

MacOS has pretty good built-in defence against keyloggers. It by default asks for permission to record keystrokes with any application.

Telegram, a good mention. So much shit going on there, I would rather avoid Telegram and Discord completely.

1 Like

I think you can also fail to use a hardware wallet properly if you expose your recovery codes, which makes it about as useful as simply keeping your passphrase in a password manager because it’s still a single point of failure.

Reducing your attack surface is another one.

If you’re on Windows and managing your crypto on the computer you use to Torrent/NZB software, then you have a massive attack surface and you are likely compromised in ways that haven’t yet been identified (zero-day).

The case for using a hardware key is thin in my eyes:

FOR

  • Can’t transact without it
  • More secure than your codes on a bit of paper in a safe

AGAINST

  • Devices have a battery which runs out, chance of hardware failure etc.
  • Who manufactured it? What is the supply chain? Are they trustworthy?
  • If I see one, I know you have crypto
  • So your crypto is secure, but what did you do with the recovery code? Same problem as not using a hardware wallet so it’s kinda moot as an exercise :man_shrugging:

Hardware wallets add friction to the process of transacting which many perceive as ‘being more secure’ but personally I’m not so sure.

In most cases, that’s true, but that’s why I pointed out extra caution to storing the seed phrase. It’s not necessarily a single point of failure. Say, you

  • remember the first 4 words
  • store the next 10 words hand-encrypted with an algorithm unknown to anyone
  • store the last 10 words in a bank vault in a different continent.

  • Forget the words and PIN → you can still brute-force relatively easily, knowing the other words.
  • Forget the PIN → gather all pieces and recover.
  • Forget the words → still have access to the device to send funds over.
  • Bank vault is compromised → no one can do anything with it.
  • Other safe place is compromised → no one can do anything with it.
  • Both are compromised → the attacker still doesn’t know how you encrypted one of the chunks.
  • Both are compromised and the genius attacker is unnoticed social engineering into someone else’s bank vault, plus manages to find out how to decrypt the words → he still needs time to brute-force the last 4 words, enough time for you to be able to save your funds.

Ah but see now we’re dwelling on the hypothetical and dreaming of situations that are most secure.

The average person is not going to:

  • Remember 10/20 words (that they didn’t pick themselves)
  • Split the code and store it in more than one physical location
  • Involve banks or security deposit boxes

Personally I use Defi so I don’t need physical bits of paper and dongles.

In your hypothetical, you’ve listed what you perceive to be a threat, AKA what ‘you know’ but the problem often isn’t what we know, but what we don’t know.

So I personally would reel it right in:

  1. I don’t need to worry about physical security because I don’t have a device or passphrase written down anywhere.
  2. I don’t need to worry about my keys existing in plain text on my computer because I store them base64 encoded even in my password manager.
  3. I don’t need to worry about my browser because it’s not used for anything but managing crypto and I’ve whitelisted my sites.

etc…

My point is that I’m not considering big picture security via convoluted means and physical devices from questionable 3rd parties. Instead I’m reducing my attack surface by limiting involvement with external services and being incredibly selective about how I interact with the chain.

These companies built their trust, income and existence on providing a secure alternative. If it turned out that some of the hardware wallets were maliciously tampered, they are out of business overnight. And it needs only one case and some media attention. Access to one wallet’s funds vs constant income for years as an industry-leader company. It would make no sense to risk it.

Also don’t forget that these devices are NOT connected to the internet (if they were, this would be easily verifiable). The only reasonable attack vector here is that the generated private keys are not random enough. The firmware is open-source, you can check the hashes, and verify that the source code is indeed what’s on the device. So read the source code, especially the part that generates numbers randomly. Match the checksums. There are tools for this.

Moreover, security researchers are paid big bucks to find any vulnerabilities in the firmware or hardware.

Yet all it takes is a bad internal actor, reliance on broken 3rd party libraries or clever disruptions to the supply chain (used and carefully repackaged devices) for it to become headline news.

Also as you mention, a lot is at stake for these organisations. So is it in their interests to report security vulnerabilities? Seems like a conflict of interest.

All of this simply proves that public key cryptography works and gives you reasonable confidence that the device works as intended. But we kinda know that already else people wouldn’t be buying them.

Personally I choose to have faith in public key cryptography without feeling the need to pay someone else to reinvent it. I maintain that if you have a basic to intermediate understanding of cryptography then hardware wallets are but a solution in search of a problem to solve.

My point here isn’t to poo-poo everything you’re saying, I applaud you for helping people to protect themselves. But what I’m trying to say is that advice can change and conflicting interests often undermine commercial applications (regardless of how secure they are perceived to be) which I believe is why we’re all here!

When I googled the ‘f’ out of hardware wallets, I was hard-pressed to find impartial studies of the devices that didn’t have a vested interest, e.g. sponsored articles, infomercials and in some cases downright disinformation.

Rings alarm bells for me in a big way.

1 Like

In the case of depositing on Anchor, also remember that using a hardware device will only protect your aUST (the tokens you receive as a receipt for your deposit) and if Anchor is somehow hacked and drained of UST, your aUST will be worthless. Totally secure, but worthless.

Some great points from OP - thanks for sharing.

1 Like

A good reminder but not necessarily related to security :upside_down_face:

That’s an important part. Elementary defense is these two elements:

  1. Use a separate computer, that remains shut off whenever not used, for crypto transactions and any wallets that can’t be hardware. Do not use it for general web browsing, downloads or anything else. Keep it patched and secure with minimal applications (a few web browsers - avoid Chrome if you can, hardware wallet app, and good AV + anti-malware software). Any crypto-related extensions only enable when you need it, and always have it set for “deny all, except (…)” and only allow known valid dApp sites (like app dot anchorprotocol dot com).

  2. Always use 2FA (exchanges etc.). Do not enable SMS 2FA. Use a 2FA app. 2FA app should reside on a phone with no SIM card, no wifi access. Basically, keep your old phone and use it for 2FA and nothing else.

There’s more, but for most people just doing these two parts will go a long way. All it takes is keeping and not throwing away or selling for peanuts your old phone and computer. Reformat and repurpose instead.

As for low-stakes transactions, what you don’t mind losing you can keep in a software wallet and on your everyday computer. Keep two wallets. “Play” wallet (soft) on the everyday computer, for easy every-day interacting with dApps, smart contracts, etc. And then “savings” wallet hardware and for those transactions use a separate secured device.

1 Like

Hi, this just happened to me and I’m desperately chasing my boyfriend’s and my funds. One week ago we put our money on Terra wallet and staked TUSD on Anchor protocol, while this morning both our (and apparently at least 9 more people’s accounts) were emptied and transferred to a random wallet address we never heard of terra1yf9uk9v4q6ykunzjlvm02fzshm8duswlqg8shx. I believe we followed all the correct protocols when opening the site and creating the wallet. It was even done on 2 separate computers, so we have no idea how all this could have happened. Please please tell us there’s something that can be done to find these scammers and retrieve our funds??

Sorry this happened to you. Same thing happened to me last week. I verified I was on the right domain, home wifi, never revealed my keys, blah blah blah… Still got hacked. Something more sinister is happening with Terra Station, and nobody seems to care or is doing anything about it, and I will never use it again. All this talk about “not your keys, not your crypto” is laughable. I’ve never had any funds stolen from a centralized exchange. The first time I try investing from a “private wallet,” my funds got stolen. You can invest UST in Anchor directly from Okcoin (evil centralized exchanges) and still get the same rate without all the hassle or theft.

Sorry it happened to you too. Please tell me you found a solution on how to retrieve it? There has to be something, I can’t begin to believe that no one can do anything about these scams while so many are happening.

I did not retrieve my funds and likely never will. The funds were eventually sent through Terra Bridge, so there’s no way to trace it after that. I’ve searched all over and no one has any answers. I emailed Terra Station Devs and got no reply. The most maddening thing is that I was NOT on a phishing site and I used a brand new Terra Station wallet downloaded from Google Play, and never gave my keys to anyone. At this point I would just like to know HOW it happened, because none of the things that were mentioned in this article applied.

Odds are your data was acquired and leaked on the black market. There really isn’t any other way and if it was a problem with Station it would be public news almost immediately as hacker circles (both black and white) are always thinking about the wallets.

But how would my data have been hacked? I created a new wallet one day and the next day my wallet was cleaned out. My key phrase was not on my computer. This isn’t just happening to me. I’ve heard of a lot of people with the same story. There’s something else going on here. I just would like to know so I can prevent it from happening again.

There really is no way for a security breach that you’re discussing. I would recommend researching internet security.

The only thing that would explain something like this is phishing/malware software.