ALIS
Jul 28, 2017 · 5 min read

How to determine if ICO projects are dangerous (Chapter: Team administration / first part)

Recently, ICOs (Initial Coin Offerings) of cryptocurrency tokens have been on the rise. However, some projects have been hit by cracking and scamming incidents.

This raises the question of why these incidents are happening. Is it possible to prevent them? When someone invests in an ICO, how can they protect their money?

Let’s take a look at some potential solutions.

First off, it’s important to take a closer look at how the team behind a project is managed.

I will cover the following projects:

  • CoinDash
  • Bancor
  • Status
  • Inflex

These are all ambitious projects. However, their users unfortunately lost tokens during the ICO.

Example 1: Cracking an ICO website

CoinDash is an Israeli startup described as an E-Trade for blockchain.
Fraudsters stole $7 million by cracking its ICO.

CoinDash announced that this happened because crackers rewrote the Ethereum address of the ICO on its website.

How can we prevent this from happening?
There are some steps that can be taken to reduce this risk, such as:

  • The website for the ICO should be built as a static, serverless site.
  • The number of people who can make changes to the website should be kept to a minimum.

Further details are given below:

The website for the ICO should be built as a static, serverless site

I took a look at the CoinDash website when it was cracked and discovered that Nginx was the web server in use.

The website is still using Nginx today. This may also have been the case with the ICO website.

I used the Wappalyzer Chrome extension, a website analyser.

I also took a look at the website’s form tags, which gather some user information. It may be using Heroku or their own system. This means that the site could be running a dynamic application in Ruby, Node, PHP or something else.

When the cracking incident occurred, the crackers were able to rewrite the website. In my opinion, we should keep the website static and serverless until a dynamic system is absolutely necessary.

Otherwise we may be exposed to large security risks.
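The CoinDash attack described above came down to one swapped address on the sale page. A control that a static site makes easy is an external monitor that re-fetches the page and compares it with values pinned before the sale: the one genuine contribution address, and the SHA-256 of the page as deployed. The following Python is an added example written for this post, not tooling from ALIS or CoinDash; the address, the two sample pages and the pinned hash are constructed placeholders, and fetching the live page (for example with `urllib`) is left to the caller so the check itself runs offline.

```python
import hashlib
import re

# Pinned, known-good value recorded out-of-band before the sale (e.g. in a
# signed announcement). Placeholder constructed for this example, not a real
# ALIS or CoinDash address.
EXPECTED_ADDRESS = "0x0123456789abcdef0123456789abcdef01234567"

# A 20-byte hex Ethereum address as it appears in a web page.
ETH_ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def extract_eth_addresses(text):
    """Return the distinct Ethereum-shaped addresses in text, lower-cased,
    in order of first appearance."""
    found = []
    for match in ETH_ADDRESS_RE.finditer(text):
        addr = match.group(0).lower()
        if addr not in found:
            found.append(addr)
    return found


def page_fingerprint(html):
    """SHA-256 of the page body; for a static site this should never change
    without a deliberate deploy."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def check_ico_page(html, expected_address, expected_fingerprint=None):
    """Check a fetched ICO page against the pinned address and, optionally,
    the pinned page hash. Returns (ok, findings)."""
    findings = []
    expected = expected_address.lower()
    addresses = extract_eth_addresses(html)
    if expected not in addresses:
        findings.append("expected ICO address is missing from the page")
    for addr in addresses:
        if addr != expected:
            findings.append("unexpected address on the page: " + addr)
    if expected_fingerprint is not None:
        fingerprint = page_fingerprint(html)
        if fingerprint != expected_fingerprint:
            findings.append("page content changed, sha256=" + fingerprint)
    return (len(findings) == 0, findings)


# Constructed sample pages: the page as deployed, and the same page after an
# attacker has swapped in their own address.
GOOD_HTML = """<html><body>
<h1>Token sale</h1>
<p>Send ETH only to <code>0x0123456789ABCDEF0123456789abcdef01234567</code></p>
</body></html>"""

TAMPERED_HTML = """<html><body>
<h1>Token sale</h1>
<p>Send ETH only to <code>0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef</code></p>
</body></html>"""


def demo():
    """Run both sample pages through the check; returns the two results."""
    pinned = page_fingerprint(GOOD_HTML)
    return (check_ico_page(GOOD_HTML, EXPECTED_ADDRESS, pinned),
            check_ico_page(TAMPERED_HTML, EXPECTED_ADDRESS, pinned))


if __name__ == "__main__":
    for ok, findings in demo():
        print("OK" if ok else "ALERT", findings)
```

The hash comparison only makes sense for a fully static page; any server-side templating or injected analytics will change the bytes and raise false alarms, which is one more reason to keep the sale page static until the ICO ends. Run the monitor from a machine outside the hosting account, so that an attacker who controls the web server cannot also silence the check.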

In the ALIS project, we are using AWS S3 instead of our own infrastructure and will continue to do so until the ICO has ended. We are not currently using a dynamic system because it is not necessary, and security is the priority.

If you are interested, please visit the ALIS website with the Chrome extension above and check for yourself.

The number of people who can make changes to the website should be kept to a minimum

The more people who have access, the higher the possibility of fraud.

Normally, access within a project is not so strict, especially in a close team. Most team members trust one another.

However, when it comes to security, it is important to be vigilant and to minimize the risk. Regardless of whether or not you trust your team members, you should always keep an eye on one another. A lack of security awareness can bring a project to a standstill; keeping your eyes open helps prevent that.

The ALIS website is currently hosted on S3, so AWS authentication is very important.

In the ALIS project, the AWS root account is locked down with 2 factor authentication, and we normally do not use the root account at all.
When we need to access the system, we use IAM users with specific policies. For example, the IAM user for logging into the AWS management console has been given to only 2 people: myself and the founder, Yasu.
Minimizing access makes the project more secure.
The IAM users are also protected by 2 factor authentication.

Previously, we used GitHub Flow for building the website: when a change was merged into the master branch, it was deployed automatically. We were not concerned about this because we monitored the security of our GitHub accounts.

However, we decided to move away from automatic deployment. Even though the risk is minimal, we decided to take further security steps because of the incidents at other projects. We feel that we can never be too careful.

Example 2: Slackbot Scam

Slack is a chat service designed for business teams. In ICO projects, it is the de facto standard for communicating with team members, investors and supporters.

The scam using Slackbot is simple. The targets were users of a project’s official Slack workspace.
The targeted individual receives a private message from Slackbot like the one below.

This is an actual message that one of our team members received from the scammer.

It looks like an official message and tries to trick the user into believing that it comes from a genuine member of the project. Eventually, it asks the user to send tokens. As far as I know, the same fraud scheme occurred at Bancor, Inflex and TokenCard.

Why was this scam successful?
One reason is Slack’s own specification.
Slack has Slash Command functions, including the /remind command. This command makes Slackbot deliver a reminder to a chosen user (any member of the workspace, not only yourself) at a specific time.

Its weak points are:

  • Anyone can use it (even non-admin users).
  • We cannot disable Slash Commands, because of the Slack specification.
  • The fraudulent message is delivered by Slackbot, making it look like an official message.

In my opinion, the Slack team needs to address this issue as soon as possible. Unfortunately it is still an ongoing problem (the incident described above occurred today, July 27, 2017).

One approach is not to use Slack at all.
However, Slack is the de facto standard, so it is a very important channel.
Most projects are likely to keep using it, including the ALIS team.

ALIS is keeping an eye on Slack with the approach below.

  • We put a warning about this scam in the Topic of the #general channel. This special channel includes every user and no one can leave it. It is also the first channel everyone sees, so everyone will see the warning. (In ALIS, we renamed this channel #announcement.)
  • Only the official account can post in the #announcement channel.
  • Only the official account can use the special wide mention @everyone.
  • The official account and all team members are using 2 factor authentication.
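Because /remind relays any member’s text verbatim from Slackbot, the sender proves nothing; only the content can be checked. The following Python is an added example, not ALIS’s own tooling, of the allow-list check a moderator bot or a scan over a workspace export could run: any ETH address or link that is not on the project’s official list is flagged, with an extra note when Slackbot delivered it. The official address, the official domain and the sample messages are constructed placeholders, and the record shape (a dict with `user` and `text`) is an assumption modelled on Slack’s export format.

```python
import re

# Assumed allow-lists for this example (placeholders, not ALIS's real values):
# the project's only genuine contribution address and its only genuine domain.
OFFICIAL_ADDRESSES = {"0x0123456789abcdef0123456789abcdef01234567"}
OFFICIAL_DOMAINS = {"alismedia.jp"}

# Slack's built-in bot user id; reminders set with /remind are delivered
# from this user, which is exactly what makes the scam look official.
SLACKBOT_USER = "USLACKBOT"

ETH_ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")
# Host part of a URL; Slack exports wrap links as <https://host/path|label>.
URL_HOST_RE = re.compile(r"https?://([^/\s>|]+)")
# Crude heuristic for "please pay" wording; only counts together with a
# non-official address or link.
ASK_WORDS = ("send", "contribute", "deposit", "transfer", "wallet")


def is_official_domain(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_message(msg):
    """Return the reasons a message looks like the /remind scam (empty list
    if it looks clean). msg is a dict in the shape of a Slack export record;
    only 'user' (sender id) and 'text' are used."""
    text = msg.get("text", "")
    lowered = text.lower()
    reasons = []

    bad_addresses = sorted({a.lower() for a in ETH_ADDRESS_RE.findall(text)}
                           - OFFICIAL_ADDRESSES)
    bad_hosts = sorted({h for h in URL_HOST_RE.findall(text)
                        if not is_official_domain(h)})
    asks_for_funds = any(w in lowered for w in ASK_WORDS)

    if bad_addresses:
        reasons.append("non-official ETH address: " + ", ".join(bad_addresses))
    if bad_hosts:
        reasons.append("link to non-official host: " + ", ".join(bad_hosts))
    if asks_for_funds and (bad_addresses or bad_hosts):
        reasons.append("asks the reader to send funds")
    if reasons and msg.get("user") == SLACKBOT_USER:
        # A reminder is relayed verbatim, so the Slackbot sender says nothing
        # about who actually wrote the text.
        reasons.append("delivered by Slackbot, i.e. a /remind set by any member")
    return reasons


def scan(messages):
    """Return [(index, reasons)] for every message that triggered a reason."""
    flagged = []
    for i, msg in enumerate(messages):
        reasons = classify_message(msg)
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Constructed sample records (not real Slack data): a harmless reminder, the
# scam reminder, and a team member posting the genuine address.
SAMPLE_MESSAGES = [
    {"user": "USLACKBOT",
     "text": "Reminder: Team standup at 10:00."},
    {"user": "USLACKBOT",
     "text": "Reminder: ALIS token sale is live! Send ETH to "
             "0xDEADBEEFdeadbeefDEADBEEFdeadbeefDEADBEEF within the hour. "
             "Details: <https://alismedia-ico.example/sale|alismedia-ico.example>"},
    {"user": "U0TEAM001",
     "text": "Official contract address: 0x0123456789abcdef0123456789abcdef01234567 "
             "(see https://alismedia.jp/ico)"},
]


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_MESSAGES):
        print("message %d flagged:" % index)
        for r in reasons:
            print("  -", r)
```

The allow-list is the important part: a denylist of known scam addresses is always one step behind, whereas a project has exactly one genuine contribution address and a handful of genuine domains, so anything else is suspect. The same check applied to the project’s own announcement channel also catches a compromised official account posting a new address.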

We will continue to monitor this problem on Slack. If you are interested, you can join ALIS’s Slack via the link below.

— — —

I will continue this discussion in a separate post. The second half will be posted soon.

Note: We are using 2 factor authentication for all of our official and personal accounts.

ALIS. A Rewards System to Distinguish Trustworthy Articles.


Written by

ALIS

A Rewards System to Distinguish Trustworthy Articles. ALIS is Japan’s First Social Media Platform Using Blockchain Technology. https://alismedia.jp
