imToken
Published in imToken

Wallet Security Newsletter # 4: QR code scams

Welcome to the fourth edition of our security newsletter, in which we dissect scams found by our security team. We hope to give you some insight into, and more protection against, common scams.

In August, our security team marked 6 tokens, 55 DApps and 295 addresses as risky.

Read our earlier newsletters below:

#1 Fake websites and wallets

#2 Exchange customer service scams

#3 Crypto wallet scams: Fake Apps, texts and Mnemonics

In this one, we’ll explain how phishing websites and ‘approve’ scams work so that you can recognize and avoid them.

Phishing websites

When visiting websites, you may not pay much attention to the browser’s address bar. But if you look a little closer, you will see a security icon such as 🔒 or 🛡️ at the front of the address bar.

This icon matters a lot to the security of your assets: if you don’t see 🔒 or 🛡️ when visiting a wallet website, you are probably on a phishing website that is trying to trick you into installing a fake wallet.

Take MetaMask as an example. MetaMask is a popular wallet that people use to interact with DApps on their computers. A newcomer who wants to add MetaMask to their browser will probably start by Googling MetaMask and installing whatever comes up.

However, the search results may lead to a phishing website such as the one below. If the newcomer doesn’t notice the warning icon ⚠️ in the address bar, they may download a fake app and generate a mnemonic phrase that is compromised from the moment it is created.

Fake Website

Search engines such as Google are therefore not a reliable way to find a wallet’s website. As we explained in #1 Fake websites and wallets, scammers pay for Google ads to promote their fake websites.

So how do you tell whether the website you are visiting is real? The most reliable way is to bookmark the official websites of the wallets you commonly use:

imToken: https://token.im

MathWallet: https://mathwallet.org

TokenPocket: https://www.tokenpocket.pro

MetaMask: https://metamask.io

What’s more, make sure there is a security icon 🔒 or 🛡️ to the left of the URL when you visit.

Real Website

The 🔒 or 🛡️ icon suggests reliability, and if you click the address bar twice you can see https:// in the URL, indicating that your connection to this website is secured.

Real Website

What is HTTPS?

In 1991, Tim Berners-Lee, the father of the World Wide Web, proposed the Hypertext Transfer Protocol (HTTP), which defines the format of communication between a client and a server.

When we enter a URL in a browser, the browser requests the information at that URL from the server, and the server returns it to the client. However, this information can be intercepted and tampered with by attackers on its way between the server and the client.

To address this, HTTPS was created. The S stands for Secure: the connection is encrypted, which ensures that information is transferred from the server to our computer without being read or altered on the way.

So when visiting websites, pay attention to whether the URL starts with https://.
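The bookmark-and-check advice above, as an added example that is not code from the original post: it accepts a URL only if the scheme is https and the host is exactly one of the official wallet sites listed above (or a real subdomain of one). The lookalike and user@host inputs in the test are constructed.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Official wallet sites named in this newsletter. "tokenpocket.pro" is
# registered without "www." so that the page's https://www.tokenpocket.pro
# still passes via the subdomain rule.
OFFICIAL_WALLET_HOSTS = {"token.im", "mathwallet.org", "tokenpocket.pro", "metamask.io"}


def check_wallet_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only for https + an official host."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme or "missing"          # urlsplit lowercases the scheme
    if scheme != "https":
        return False, f"scheme is {scheme!r}, not https"
    # .hostname drops any "user@" prefix and ":port", so
    # "https://token.im@evil.example" is judged by "evil.example".
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host in URL"
    for official in OFFICIAL_WALLET_HOSTS:
        # Exact match or a genuine subdomain (support.token.im). A lookalike
        # such as "metamask.io.evil.example" does not END with ".metamask.io".
        if host == official or host.endswith("." + official):
            return True, f"host {host} belongs to {official}"
    return False, f"host {host} is not an official wallet site"
```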

QR code approval scam

Paying via QR codes is extremely common these days because it is much quicker than other payment methods. However, convenience also brings problems: by scanning a QR code, your assets may be stolen.

How can this happen, when you kept your mnemonic phrase in a secure place and still lost your assets?

This is how the scam usually happens: you scan a QR code, which opens a scam website mimicking the transfer page of your wallet app. The site walks you through an imitation of the familiar transfer interface, but instead of a transaction confirmation, a window appears asking you to approve an unlimited token allowance.

A token approval allows the scammer to control the full balance of the specified token in your wallet. This way they can move your funds to their own wallets without ever knowing your mnemonic phrase or password.

In any case, such as when scanning a payment QR code, there are a few steps that help you stay safe:

  1. Check whether the QR code opens a legitimate transfer
  2. Check whether you are being asked to give an unlimited token allowance
  3. You can also ask for the text version of the recipient’s address. It’s a little inconvenient, but much safer.
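Steps 1 and 2 in code, as an added example that is not imToken’s own wallet code: it decodes the calldata a site asks you to sign and tells an ERC-20 `approve` (an allowance grant) from an ordinary `transfer`, flagging the unlimited amount. The function selectors are the standard ERC-20 values; the spender/recipient addresses and calldata are constructed placeholders.

```python
from typing import Dict

# First 4 bytes of keccak256 of the function signature (well-known ERC-20 values).
APPROVE_SELECTOR = "095ea7b3"   # approve(address spender, uint256 amount)
TRANSFER_SELECTOR = "a9059cbb"  # transfer(address to, uint256 amount)
UINT256_MAX = 2**256 - 1        # the "unlimited" allowance value scam pages ask for

# Constructed sample calldata; the 0x11.. and 0x22.. addresses are placeholders.
SCAM_APPROVE_CALLDATA = "0x" + APPROVE_SELECTOR + "0" * 24 + "11" * 20 + "f" * 64
HONEST_TRANSFER_CALLDATA = ("0x" + TRANSFER_SELECTOR + "0" * 24 + "22" * 20
                            + format(10**18, "064x"))          # 1 token, 18 decimals


def decode_erc20_call(calldata_hex: str) -> Dict[str, object]:
    """Decode a transfer/approve call; both take (address, uint256)."""
    data = calldata_hex.strip().lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64 or any(c not in "0123456789abcdef" for c in data):
        return {"kind": "unknown", "warning": "not a two-argument ERC-20 call"}
    selector, word1, word2 = data[:8], data[8:72], data[72:136]
    if word1[:24] != "0" * 24:               # an address is left-padded with zeros
        return {"kind": "unknown", "warning": "malformed address argument"}
    address, amount = "0x" + word1[24:], int(word2, 16)
    if selector == TRANSFER_SELECTOR:
        return {"kind": "transfer", "to": address, "amount": amount}
    if selector == APPROVE_SELECTOR:
        return {"kind": "approve", "spender": address, "allowance": amount,
                "unlimited": amount == UINT256_MAX}
    return {"kind": "unknown", "warning": f"unrecognised selector 0x{selector}"}


def confirmation_text(calldata_hex: str, decimals: int = 18) -> str:
    """Plain-language summary a wallet could show before the user signs."""
    call = decode_erc20_call(calldata_hex)
    if call["kind"] == "transfer":
        return f"Transfer {call['amount'] / 10**decimals:g} tokens to {call['to']}"
    if call["kind"] == "approve":
        limit = "UNLIMITED" if call["unlimited"] else f"{call['allowance'] / 10**decimals:g}"
        return (f"WARNING: this is an APPROVAL, not a transfer. It lets {call['spender']} "
                f"spend {limit} of your tokens at any time.")
    return f"Unrecognised call: {call['warning']}"
```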

End

Stay tuned, stay alert. Read more on how to stay secure:

If you recognize any risky DApps or tokens, please report them to us via support@token.im to help more users avoid being deceived.

Download imToken: Google Play | Apple App Store
And follow us: Twitter | Support | token.im
