New security concern over Slack’s decision to remove the unique @username

I receive emails everyday from crypto enthusiasts — either asking for advice, providing advice, or to bring my attention to something new and which I might find interesting.

Today, Edwin Carlson from Investrport & SmartBit Auto DM’d me inside the MetaCert Slack community to bring my attention to the deprecation of the @username inside Slack.

This concerns me.

It has always been easy for cybercriminals to change their Slack name to impersonate a Crypto community admin and then send out phishing scams. Until now, it wasn’t possible for them to copy the @username — they could make it look similar but not identical. This allowed communities to display only usernames, making it more difficult for cybercriminals to create identical-looking names.

Today that changes. Slack has just removed the unique @username feature in favor of “more expressive and flexible concept of display names”.

According to the Slack website:

As fellow developers, we know you’ll have some feelings about the sunset of @username considering its historical significance in computing, networking, and digital identity. From mainframes to UNIX to BBSes to IRC, maybe you've used the same name for what seems like centuries.

They recognize that usernames have been used as a form of “digital identity”. So given that we live in a world where identity is more important than ever, why would they choose to remove it? I’m baffled.

Look at the screenshot above. How do you know who the real Edwin Carlson is? I didn’t change my profile picture so you could see that they’re two different accounts. Impersonators can also change their profile picture/avatar.

I’m not only concerned for Cryptocurrency communities who are literally getting hammered every hour of every day by phishing attacks from impersonators inside Slack. I’m concerned for the future of company collaboration inside Slack. Slack also announced that it’s opening up a whole new world of collaboration where one company can share channels with another. That’s a blog post waiting to be written — security implications? Eek.

Slack’s response to Crypto communities has always been “well, Slack isn’t designed for communities. It’s designed for companies that verify the integrity of team members”. First of all, IT Professionals are more concerned about insider threats than they are about external hacks, so Slack’s response isn’t a great one — it certainly can’t have been written by a member of the security team. So what are the IT Admins and Infosec teams going to make of company-to-company collaboration where 100,000 employees that belong to another company don’t need to have a unique username?!

MetaCert’s response

MetaCert already protects many of the most popular crypto communities from phishing attacks. But we need to up our game. We now need to build a notification alert system into the Slack security app so administrators/moderators are immediately alerted when someone changes their name. This will allow them to publish their own terms of service, requiring users to pick a name and stick to it. Anyone who changes their name could then be automatically banned from the community through the security app. Boy, Slack isn’t making our job any easier but it’s certainly providing companies and communities with lots of reasons to install our software.
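A sketch of the name-change detection described above, added here as an example and not MetaCert’s own code: it keys on Slack’s `user_change` event (`user.id`, `user.profile.display_name`), folds look-alike names before comparing them with the admins’ names, and returns the action a moderator bot would take. The admin names, admin user ids and sample events are constructed for the example.

```python
import re
import unicodedata


def normalize(name: str) -> str:
    """Fold a display name so look-alikes compare equal: strip accents,
    case, whitespace and punctuation ("Édwin_Carlsön" -> "edwincarlson")."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", stripped.casefold())


class DisplayNameMonitor:
    """Remembers the last display name seen per user id, alerts on any change
    and flags a change that collides with an admin's name. Event shape follows
    Slack's user_change event; admin names/ids here are constructed inputs."""

    def __init__(self, admin_names, admin_ids):
        self.admin_keys = {normalize(n) for n in admin_names}
        self.admin_ids = set(admin_ids)  # ids moderators have verified
        self.last_seen = {}              # user_id -> last display name

    def handle_event(self, event: dict) -> dict:
        if event.get("type") != "user_change":
            return {"handled": False}
        user = event["user"]
        uid = user["id"]
        # display_name may be empty; fall back to the legacy username field
        new = user.get("profile", {}).get("display_name") or user.get("name", "")
        old = self.last_seen.get(uid)
        self.last_seen[uid] = new
        changed = old is not None and normalize(old) != normalize(new)
        # a verified admin keeps their own name; anyone else matching it is flagged
        collides = normalize(new) in self.admin_keys and uid not in self.admin_ids
        if collides:
            action = "ban"      # community ToS: admin look-alikes are removed
        elif changed:
            action = "alert"    # notify moderators of every rename
        else:
            action = "none"
        return {"handled": True, "user_id": uid, "old": old, "new": new,
                "changed": changed, "impersonates_admin": collides,
                "action": action}


if __name__ == "__main__":
    mon = DisplayNameMonitor({"Edwin Carlson"}, {"U_ADMIN"})  # constructed
    mon.handle_event({"type": "user_change",
                      "user": {"id": "U_NEW", "profile": {"display_name": "bob"}}})
    print(mon.handle_event({"type": "user_change",
                            "user": {"id": "U_NEW",
                                     "profile": {"display_name": "Édwin_Carlsön"}}}))
```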
