This post was originally published on Twitter.


In the light of the (alleged) OpenSea phishing campaign: how large is the problem, how should responsibility be divided, and what can we do to fix phishing?

A thread

2/ Phishing is an age-old problem that predates the internet.

I do not know of any studies on it, but I would guess phishing has become more of a problem recently.
3/ Phishing may have increased due to

- Globalisation and free trade, as you always end up importing a bit of crime
- Internet and online services kill brick and mortar, less in-person trade
- Geopolitics, as China and Russia do not need to play nice with the West
4/ Here are some articles on phishing and banking:

Bank fraud seems to be around GBP 700M in the UK. Fraudulent COVID relief loans were 4.5B.

5/ Bank fraud in the UK - the scam…
6/ "The Finnish Ombudsman Bureau has resolved some 20 disputes so far this year involving members of the public who have fallen victim to phishing scams, which redirect users to fake banking sites in order to steal their account login details."
7/ "Plans are in motion to force all UK banks to reimburse victims of authorised push payment (APP) scams, marking a landmark win for scam victims."…
8/ What is phishing? Let's break it down.

9/ I would break phishing down into two categories:

- First-party phishing: someone pretends to be your bank and tricks you into giving them access to your full bank account
- Third-party phishing: someone pretends to be Amazon/Shopify/etc. and tricks you into buying something on a fake website
10/ Only first-party phishing is a systematic problem. Banks are safeguarding your money, so if they fail at their job, then it is on them.

And oh boy banks do fail.
11/ Basically the scam is this:

You give access to your bank account to someone else. Then this someone uses your access details and takes your money.
12/ In theory this should be easy to prevent. And it is. Just make sure the bank website uses strong authentication and a real second factor.
13/ But in practice, some banks fail on this, because:
14/ They use email as a second factor, like my local bank. This is not actually two-factor if the bank sends you emails and the second-factor code through the same channel. One channel != two factors. Any Windows Remote Access Trojan simply grabs the code from the email.
15/ Banks use SMS two-factor. Telecom operators have been telling us for the last 30 years that SMS is unsafe: it travels in plain text in the network, the sender can be forged, and it SHOULD NOT BE USED AS A…
16/ Obviously, because these weaknesses are so well known, banks should compensate phishing victims in cases where phishers get access through a two-factor weakness.

If banks get your deposits on the premise they safeguard your money and break this promise, it's false advertising.
17/ How about crypto and third-party phishing?

18/ Third-party phishing is more tricky. If you want to send money to someone and you do it yourself, you should be able to do so, even if you are putting yourself in harm's way.
19/ This, except in Canada, where the mere act of attempting to transfer money can make you a criminal and have all your assets…
20/ Crypto is self-custodial. You are in control of your assets, not your bank. You safeguard them yourself, on the premise that you are free to fool around. Thus, in crypto, a greater share of the responsibility needs to fall on the user.
21/ Or to put it another way... if you transfer value to a phisher, the only party that could have stopped you from doing so is you.
22/ It is not ideal, and many people will learn about geopolitics and the nastiness of internet crooks the hard way, as mentioned earlier.
23/ But as long as it is not a systematic problem, i.e. not too much crypto being stolen across all holders, then it is not a "major" problem for the economy as a whole.
24/ At the moment crypto phishing is mostly a nuisance and not a systematic problem. This is mostly because the media, correctly, has scared the shit out of people when it comes to dealing with crypto.
25/ Furthermore, the current AML works! The $3.5B confiscation from the Bitfinex hack is a sign of that. So victims should seek remedy through litigation and make CEXes / fiat off-ramps return stolen assets. Forcing pain on fiat off-ramps will make phishing less attractive.
26/ I spoke with my friend who works for a crypto AML company. The threshold for taking legal action to get money back from CEXes, Binance being the scammers' favourite, is around $20,000.

So if you lose more than $20,000 an international lawyer starts making sense.
27/ What can be done to stop phishing?

We still have some tech mileage left and cannot go into full victim-blaming mode yet.

28/ Authenticate websites with WebAuthn. Stop using passwords. This is the ultimate tech solution to fix the phishing problem forever. It's ready, but there is no adoption yet. (by @codekaiju)
29/ Design better smart contract standards and transaction interfaces. This is a screenshot from a wallet. I am in the top 0.00001% of Ethereum developers in the world and I do not know what exactly is going to happen if you click OK.
30/ WALLETS CANNOT FIX THIS. Wallets can only display the transaction information the dapp gives them, and if that information is low quality, there is nothing to be done.

The problem is that Solidity devs and security experts often do not look at the wider picture of security.
31/ This is why I opened a discussion for a Simple Phishing Protection ERC here:

If you are an #Ethereum dev, please read this.…
32/ User education: protect your self-custodial assets.

This is the "don't click EXEs" advice. Most users would be better off without Microsoft Windows.

33/ FIN

Now back to the coffee.