Bankless Publishing (@banklesspublishing) • Hey
Top-shelf educational web3 content. Publishing the work of writers from BanklessDAO and beyond.
Publications
- Sybil-safe grant rounds need solid proof of personhood. Let's head through customs with @lens/hirokennelly for a look at some of the DID protocols you can use to boost your Gitcoin Passport score.
https://banklesspublishing.com/did-you-boost-your-gitcoin-passport-score/…
- https://vxtwitter.com/banklessDAO/status/1728064350378963428
- https://banklesspublishing.com/tracking-the-fear-and-greed-index/
- https://x.com/BanklessPub/status/1727093893911793791?s=20
- https://vxtwitter.com/BanklessPub/status/1726731345500450933
- The BanklessDAO Weekly Rollup has shipped!
https://banklessdao.substack.com/p/funding-what-matters-with-gitcoin…
Funding What Matters With Gitcoin by @lens/hirokennelly
Bridge to PGN to donate to Web3 Community and Education
Bankless Card go for Dec launch!
Delegated Voting Temp Check
Season 10 Proposals
- With over 200+ articles shipped to date, Bankless Publishing decided to take a trip down memory lane and pick out Seven Favorites From the Stacks! Pop the hood on BP history in this piece by @lens/frankamerica
https://banklesspublishing.com/7-favorites-from-the-bp-stacks/
- This week in State of the DAOs:
ReFi Rewards Balance and Resilience
Mission-driven DAOs Building a Sustainable Future
Get up to speed with Gitcoin Grants
https://banklessdao.substack.com/p/refi-rewards-balance-and-resilience…
- https://x.com/banklessDAO/status/1724939213232058471
- https://banklessdao.substack.com/p/two-sides-of-the-same-coin-bankless
The BP Recap has shipped!
How To Win A Hackathon
Advanced Crypto Seed Phrase Protection
Web3 Wallet Management With ENS Subnames @lens/hirokennelly
The Power of Real-World Connections in the Digital Age @lens/puncar
https://x.com/banklessDAO/status/1724627566643073268?s=20
- https://vxtwitter.com/BanklessPub/status/1724184503214588381?s=20
- https://twitter.com/banklessDAO/status/1723250373186740556?s=20
- https://x.com/banklessDAO/status/1723014721341944296?s=20
- https://vxtwitter.com/banklessDAO/status/1722875088461283473
- https://twitter.com/banklessDAO/status/1722359219356381436
- https://x.com/BanklessPub/status/1719198588977443115?s=20
- The BanklessDAO Weekly Rollup has shipped!
https://banklessdao.substack.com/p/lean-in-to-community-banklessdao…
Lean in to Community by @trewkat
Governance Updates
Seasonal Funding
@HowDAObook & @BanklessPub
Catch up with content from @Bankless_Africa @CryptoSapiens_ @TheRugNews @BanklessPub and more!
- With bitcoin booming lately how can you get more involved in the OG L1 blockchain? @thefrankamerica has four tips on how to stack sats via @BanklessPub banklessdao.substack.com/p/4-simple-ways-to-stack-sats
- ✨ The Layer 2 Review Is Live
https://banklessdao.substack.com/p/huh-where-did-that-come-from-layer…
💥 Layer 2 Article Summaries
🌍 Ecosystem Updates
🤖 Governance
🔥 Hot News
😻 Protocol Data
🔭 Project Watch
💸 L2 Fees & Costs Update and more via @BanklessPub
- Have you ever wondered about the difference between Ethereum and Ethereum Classic? Learn the story behind The DAO hack and the resulting Ethereum hard fork as @trewkat.lens takes us down an informative memory lane via @banklesspublishing.lens
https://banklessdao.substack.com/p/not-forking-around-the-dao-hack
- Check out this thread on DAOs!!
https://x.com/BanklessPub/status/1716884655042146729?s=20
- Improve your OpSec!!
Let's go to **Phishing School** with @d0wnlore
**Improving Your Use of 2FA**
Last week, we covered the importance of two-factor authentication (2FA). But even with this added layer of security on top of our online accounts, it does not mean we can be complacent and assume that our account is fully protected.
The security of our accounts is ultimately a shared responsibility between us and the service provider. A determined attacker can still compromise an account with 2FA enabled if either party drops the ball.
Here I will go over two ways such an account can be compromised and how hardware authenticators have properties that make it more difficult for your account to be fully compromised.
**Login Approval Notification Spam**
When a service has both a desktop/web and mobile application, they can use the mobile app as the second factor to approve logins made for the desktop/web app. Google is the most popular example, where most of their mobile apps can receive a notification asking if you want to approve a recent login attempt.
There are two ways these login approval requests are fulfilled through notifications:
1. The notification will have a code that you enter, similar to the codes you would get from an authenticator app like Authy.
2. The notification will prompt you to accept or reject the login attempt with a relevant screen on the mobile app.
There is far less friction in the latter method, and here is how attackers will abuse that convenience. For this attack to be most effective, the attacker needs to know that you are using the companion mobile app as the second factor, that it prompts you to approve the request instead of giving you a code, and what time zone you are likely to be in at the time of the attack.
1. Scammer compromises your account to the point where the second factor is needed for them to continue.
2. They will repeatedly make the HTTP request that triggers your companion mobile app to prompt you to authorize the login.
You may think to yourself that you can just ignore the notifications and/or explicitly reject them if the service provider allows it. But depending on how the service provider has implemented this system, you may be overwhelmed with the flood of notifications that you would rather just have gone away. This becomes more dangerous if time zones come into play, as the attacker can perform this attack while you are sleeping, where you are more likely to make a mistake in your half-awoken state.
**Social Engineering**
Social engineering can be used in cases where 2FA codes are sent to you, such as through SMS and email 2FA implementations, or if your companion mobile app in the above section sends you codes.
Here the attacker will try to convince you to divulge the 2FA code you just received. To succeed it helps if they have some personal information about you that the service provider would possess, specifically your name and phone number.
1. Scammer compromises your account to the point where the second factor is needed for them to continue.
2. Scammer triggers the 2FA code to be sent to your companion mobile app. They will then call you and construct an elaborate story about why you received the code and why you should give the code to them.
While this may seem easier said than done, this scenario has occurred for at least one bDAO member in the past few weeks. The stories these attackers create will be different each time. But a popular story is that your account has allegedly been locked and the attacker, claiming to be an employee of the service provider, needs your 2FA code to unlock your account.
**How Hardware Authenticators Help**
Hardware authenticators, such as a Yubikey, are becoming a useful tool in helping secure online accounts. Other than the cryptography systems used on these devices, they are pretty simple compared to your password manager or mobile phone. But that simplicity is really useful to have in a second factor. Hardware authenticators are less likely to lead to ‘footgun’ incidents, compared to an unlocked phone or compromised password manager vault.
Let us take the above scenarios, where an online account with 2FA was enabled but still compromised, and see how the situation changes if a hardware authenticator protected our account instead.
**Login Approval Notification Spam**
1. Scammer compromises your account to the point where the second factor is needed for them to continue.
2. Assuming your hardware token is registered as your second factor, instead of the companion mobile app prompt or SMS, you will not receive a notification that could lead you to authorizing the login request by accident (and can sleep soundly at night as well). The attack stops here.
**Social Engineering**
1. Scammer compromises your account to the point where the second factor is needed for them to continue.
2. It is not trivial to give a valid code generated by your hardware token to the attacker, so the chances of you being tricked into approving the attacker’s login attempt are nearly zero. The attack stops here.
**Perform a Personal 2FA Audit**
With this new knowledge, I invite you to do a quick audit of your online accounts and check what factors those services will use to verify a login attempt. Even if you do not have a hardware authenticator right now, it is important to know what factors your services use and whether you need to disable those that are more likely to lead to compromises, such as SMS 2FA.
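The "login approval notification spam" pattern above is something the service provider can both detect and throttle. The following is an added example, not part of the post or of any provider's code: it runs a detection over a few constructed authentication log lines (the log format, account names and IP addresses are invented for the example) and shows a server-side throttle that refuses to send more than a handful of push prompts per account in a short window, so a flood of prompts never reaches the phone in the first place.

```python
"""Added example: detecting and throttling MFA push-prompt floods.

Everything here is constructed for illustration. The log format
(`<iso-ts> user=<name> event=<event> src=<ip>`) and the event names are
assumptions, not any real identity provider's schema.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: "alice" is flooded with seven push prompts inside two
# minutes at 02:00 local-night time and then approves one; "bob" is a normal
# login with a single prompt.
SAMPLE_LOG = """\
2023-11-20T02:01:05Z user=alice event=password_ok src=203.0.113.7
2023-11-20T02:01:06Z user=alice event=push_sent src=203.0.113.7
2023-11-20T02:01:20Z user=alice event=push_sent src=203.0.113.7
2023-11-20T02:01:35Z user=alice event=push_sent src=203.0.113.7
2023-11-20T02:01:50Z user=alice event=push_sent src=203.0.113.7
2023-11-20T02:02:05Z user=alice event=push_sent src=203.0.113.7
2023-11-20T02:02:20Z user=alice event=push_sent src=203.0.113.7
2023-11-20T02:02:40Z user=alice event=push_sent src=203.0.113.7
2023-11-20T02:03:10Z user=alice event=push_approved src=203.0.113.7
2023-11-20T09:15:00Z user=bob event=password_ok src=198.51.100.4
2023-11-20T09:15:01Z user=bob event=push_sent src=198.51.100.4
2023-11-20T09:15:09Z user=bob event=push_approved src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def detect_push_fatigue(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {user: finding} for accounts that received >= `threshold` push
    prompts inside any sliding `window`.

    A finding records the peak prompt count, the sources that triggered them,
    and whether an approval followed the burst. The approved case is the one a
    responder should treat as a probable takeover rather than a mere attempt.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent push_sent events
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:  # drop prompts outside the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    user, {"prompts": 0, "sources": set(), "approved_after_burst": False}
                )
                f["prompts"] = max(f["prompts"], len(q))
                f["sources"].add(rec["src"])
        elif event == "push_approved" and user in findings:
            # An approval right after a burst is the "tap it to make it stop" outcome.
            findings[user]["approved_after_burst"] = True
    return findings


class PushPromptThrottle:
    """Server-side mitigation: allow at most `limit` push prompts per account
    per `window`. Once the limit is hit the login flow should fall back to a
    factor that cannot be spammed (a typed code or a hardware authenticator)."""

    def __init__(self, limit=3, window=timedelta(minutes=10)):
        self.limit, self.window = limit, window
        self._sent = defaultdict(deque)

    def allow(self, user, now):
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # refuse to page the phone again
        q.append(now)
        return True


def demo_throttle():
    """Exercise the throttle: three prompts pass, the fourth is refused, and
    the budget is restored once the window has elapsed."""
    t = PushPromptThrottle(limit=3, window=timedelta(minutes=10))
    t0 = datetime(2023, 11, 20, 2, 0, tzinfo=timezone.utc)
    results = [t.allow("alice", t0 + timedelta(seconds=i)) for i in range(4)]
    results.append(t.allow("alice", t0 + timedelta(minutes=11)))
    return results  # [True, True, True, False, True]


if __name__ == "__main__":
    for user, f in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {f['prompts']} prompts from {sorted(f['sources'])}, "
              f"approved after burst: {f['approved_after_burst']}")
    print("throttle decisions:", demo_throttle())
```

The detector and the throttle address the two halves of the problem the post describes: the detector gives a responder a signal that an account's password has already been obtained and the second factor is being pressured, and the throttle removes the flood itself, which is the same effect a hardware authenticator gives the user by having no out-of-band prompt to spam at all.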
- The BanklessDAO Weekly Rollup has shipped!
Decoding DeFi and Financial Independence
Governance Updates
Uniswap and BANK Knowledge Session, and more!
https://banklessdao.substack.com/p/the-halfway-point-banklessdao-weekly
- Markets for commodities like #uranium have long been obscure and illiquid, but crypto is changing the investment game. @GormoExJourno (on X) explains how bringing uranium onchain creates a more accessible and liquid market for yellowcake via @banklesspublishing.lens
https://banklesspublishing.com/tokenized-uranium-a-new-asset-class-for-a-new-era/