Yeah, I remember reporting this exact app to the Play Store team as soon as I spotted it. Unfortunately, a lot of people got scammed by it.
It’s a hard lesson. I was skeptical, but I guess too confident in the Play Store and too excited that a mobile app had finally been released. So these wallets that obviously stole the ADA - they just live on and go about their business or is there a way to report them or freeze them?
Thanks for keeping an eye out!
Ugh. Terrible feeling - as you know.
You can “flag as inappropriate”, near the bottom of the page. It will be taken down, if it hasn’t already. The problem is the lax entry criteria and the damage done before such scamming apps are taken down.
I’m so sorry this happened to you.
Sorry this happened, the Play Store can give a lot of people a false sense of security. The only mobile wallets for ADA that I know of are Yoroi and Infinito. Yoroi is made by Emurgo and works great.
@Theseus Apologies but I’m not exactly sure what your analogy was aimed at.
@smwilh I’m sorry for you, unfortunately scams are a plague in crypto. I really do hope that there will be some solutions presented soon such as multi factor authentication.
@maki.mukai Thank you for your input. I hope the IOHK team is working on some solutions/preventions for the scam epidemic. I believe it’s the biggest barrier for most people to get into crypto and ultimately the biggest enemy of adoption. Simple two-factor authentication would solve a lot of security problems, for example if you had the option of running two separate instances of Daedalus, one on a PC to perform a transaction and a second one to receive a code to verify the transaction. I’m a worrisome person and don’t trust apps run solely in a Windows environment.
Please tell me you’re working on that.
Two-factor authentication in the sense we use it now (like Google Authenticator) is not usable in this application. Hardware wallets are a form of two-factor authentication (to withdraw funds you need physical access and the PIN code of the wallet). In crypto, however, if your private key is compromised, as it was in this case, it is game over.
I would agree that security issues are a hindrance to adoption. We will see, and are seeing a range of solutions from a number of parties who are working on this.
The problem with that is the PIN code can be scraped upon installation by malware. Having a code generated on another device for each transaction gives much more security.
That’s very unfortunate to hear. Yes, this fake app passed through to the Play Store, and immediate alerts were raised across various channels. In general, unless you see an app announced on the official channels, it is best to consider it unsafe.
I am not sure 2FA would be any safer against phishing attempts, and almost all of the cases where users have lost funds point to a phishing attack.
Such attacks rely on the user intentionally entering the information that unlocks one or multiple levels of security, no matter how many levels you add. This could also have been replicated at the transaction level.
Thus, it still comes down to education and following best practices.
Oh Lord, did you run out of your Lithium again?
I agree that education in the area of security is very important; however, we have to consider that it is unrealistic that everyone will absorb and implement that educational information. The architecture of the environment should be constructed in such a way that enables as many people as possible to utilize the system. You still have a huge chunk of the population who cannot use computers, not to mention the latest innovations such as crypto. Furthermore, even people who invest in crypto and are well versed in the matters of the internet and finances are prone to scams.
I know that creating a perfect solution for security issues is impossible, but we should make sure we employ strategies to mitigate the risk of scams and theft.
@Piotr The problem with phishing attacks is that it (website/app/interaction) will make the user think that they need to enter all the information that gives them access, compromising any security method employed. I do not see any other case yet where this has not been the case. The education is not really a big learning curve, to be honest.
Analogy with existing fiat currency usage (not exactly phishing, but similar):
A buyer buys an iPhone XS on the internet because he finds a very cheap offer, but he has to pay via a Western Union transfer (intentional bank transfer to an anonymous recipient). Many people fell for those scams, because they intentionally made that transaction, never received the product, and there was no way to get it back. How do you prevent that from happening? By verifying seller sources, knowing standard scam operations -> education of process.
I think it’s a very similar case here. I do not see anything that you can implement at the architecture/security level that will overcome such behaviour (in fact, many of us will probably be able to find susceptibility to such phishing attempts in almost any suggestion that comes up).
Sorry for your loss, it’s a hard crypto lesson.
As I’ve previously stated, there is no perfect solution. Scammers will find ways to take advantage of people; it has been an ever-present threat throughout history. Phishing is hard to deal with and education in this regard is important, I agree with that; however, I was referring more to the security of transactions - prevention of transactions not initiated by the wallet user. There are some relatively easy-to-implement solutions that could help a lot. Providing them wouldn’t make people immune to scams, but it would make them considerably safer, resulting in more interest and quicker adoption.
@rdlrt I agree with you. But there are many risks to the cryptocurrency wallet.
Cardano should consider the suggestions that the community mentioned in recent articles on wallet security. That will help a lot for cardano’s mission.
Building a second optional security class is necessary, such as 2FA or a standalone mobile application with Yoroi, Daedalus wallet, … to authenticate transactions.
How would that help? The cases you have seen so far were only caused by phishing attempts; there have been no suggestions that could mitigate such security.
There hasn’t been a single case so far (that I know of, at least) that caused a single transaction to be sent incorrectly from within Daedalus, especially with the spending password.