EDCON, the Ethereum European Development Conference, is being held in Paris from February 17-18, 2017. The event, organized by LinkTime (a startup developing on Ethereum), will cover Ethereum’s base-layer technology, privacy, Dapps, current research regarding Proof-of-Stake and scalability, the growing Ethereum community, and more.
According to a reddit post by LinkTime CEO Pandia Jiang, the EDCON registration website was hacked. The hacker, who went by the alias The DAO Hacker, posted all of the stolen information online. Due to the unsecured nature of the registration website (a major oversight) the hacker was able to access the names, email addresses, and phone numbers of registrants. Pandia Jiang’s post reads:
“Hello everyone, I am the LinkTime CEO, Pandia Jiang.
The EDCON registration website was hacked recently, leading to names, email addresses and phone numbers being leaked. I wanted to clarify a few things about the EDCON registration website hack.
- First, we are very sorry for any troubles caused to anyone participating at the conference because of us not taking sufficiently complete security measures on our website to prevent the hack. We hope people affected can take any necessary measures to protect their information.
- Any issues have nothing to do with Vitalik or the Ethereum development team or Ethereum technology.
- We are trying out [sic] best to help Ethereum grow and support the community, and even if we make mistakes we hope that our community will continue to work hard and push forward; we look forward to Ethereum's contiuing [sic] success.
- We have already handled the present security issues with the website, everyone please stay calm.
- We thank the hacker for their interest and suggestions; we will continue to work hard and improve. Thank you.
In the end, we wish everyone a happy Valentine's day.”
Jiang is being upfront about what happened, and making sure to point the blame away from Ethereum. The hacker seems to have done this simply because they could. When they dumped the info online, the hacker mentioned they “choose to publicly disclose everything, instead of ransom, racketeering, phishing users or organizers.” Except what they did is just as bad, as they effectively doxxed every registered EDCON attendee – releasing a fair amount of their identifying information to the public.
As a warning to anyone who registered for EDCON, it’s recommended you turn off phone-number-based two-factor authentication (2FA) on all your accounts. This is because an attacker can hijack your phone number by using your compromised information to convince your phone company's customer service that they're you (which is apparently quite easy and a major security flaw). Then, with control of the number your accounts use for 2FA, they can reset your passwords: the confirmation code is sent to your phone number, which you won’t see because the hacker now controls it.
When there’s a chance your information has been leaked, there are some common precautionary steps worth taking. Remove your phone number as a 2FA method from your accounts, and change all your passwords. This is also a good time to rethink the strength of your passwords. If you still want to use a form of two-factor authentication, it’s recommended you use Google Authenticator.
Google Authenticator is an app built just for authentication, and it’s more secure than a code delivered by SMS text message. Because the code lives in an app, hijacking your phone number is not enough: an attacker would also need your actual device to get past 2FA. This is different from plain Google 2-Step Verification, which simply uses your password and your phone number. Google Authenticator adds another layer of security to 2FA by generating verification codes on your mobile device, all without a data connection. So in addition to your password, you’d need a Google Authenticator-generated code to access an account. Since the code is generated offline rather than delivered over the network, it offers protection against man-in-the-middle interception of the code.
Social engineering is becoming a popular way to attack people rather than machines. Something as simple as a compromised phone number can cost a person access to all of their accounts. Two-factor authentication is intended to increase security, but when the second factor is a phone number it can have the opposite effect. Remain aware of this, and make sure you’re following best practices to secure your accounts and crypto-assets.
ETHNews will be actively following this story for potential updates.