Discord Security Posture Standards

3 years ago

Security posture standards checklist for @discord server owners, and good cybersecurity hygiene for server members. A 🧵
An additional resource here: "The unbelievable horrors of Discord account security", yal.cc/discord-2021/
All Admins & MODS should have 2FA enabled in "User Settings -> My Account", with SMS Backup Authentication enabled.
All Admins & MODS should have "SAFE DIRECT MESSAGES" set to "Keep me Safe -> Scan direct messages from everyone", and "PRIVACY & SAFETY DEFAULTS -> Allow direct messages from server members" set to "OFF".
All Admins & MODS should provide a screenshot of the AUTHORIZED APPS active on their account for review.
All Admins & MODS must confirm that they have never shared their "Discord ID Token" with anyone and that NO ONE else has access to their account. Anyone holding this token can bypass the password and 2FA settings.
Everyone in the server should keep an eye out for impostors using the same name as team members, or names that mimic them, and report them immediately. Also keep an eye out for anyone trying to pass themselves off as some sort of official support.
Useful search terms for finding potential scammers are: "admin", "support", "tech", "help desk", "helpdesk", "captcha", "announce", "moderator", "advisor", "consultant", "founder". Run searches intermittently.
If a scammer used a tricky font, go to a font site like LingoJam, enter their name and see if you can find the font used. Copy & paste that into your Discord search, & ban. * An acknowledgement is owed here for a thread on Twitter I can no longer find; will add to comments when & if.
Before banning the scammer, request that DEV MODE is turned on so that we can get their Discord ID string by right-clicking and selecting Copy ID. This way you can search by this ID in case they change their name after the offending post was posted / scam was attempted.
All Admins & MODS should update their SERVER PROFILE handle to "handle | 'Project' MOD" & add "Will NEVER DM you 1st" to the ABOUT ME & NOTE sections. Server owners should make a mini-announcement from time to time reminding members, especially in the run-in to a mint event.
All settings should be audited every 3 days, and all Admins & MODS should post screenshot proof of these settings in a dedicated bot-run channel in the server. Failure to do so should result in immediate Admin/MOD permissions removal.
Although the above sort of streamlines the process, you would prefer Discord to allow server owners to proxy an audit function to Admins/MODS, letting a BOT run a REPORT function with no EDIT ability: an API key to make checking instant & deviations actioned in real time.
Changes were made to token security in April/May 2022, but still be aware of a novel attack vector which is well outlined in this thread by @LittlelemonsNFT: twitter.com/LittlelemonsNFT/status/1477923368053706755
The TL;DR is: "Scammer gets on a discord call with target. Gets target to screen share. Tells target to open inspect element by pressing ctrl+shift+i. Inspect element has a discord token scammer can use to take full control of target's disc account. Bypasses 2FA + passwords"
Consider bots to: autoban any new members matching the search terms outlined above (screenshot below); autoban new members with the same name as an Admin/MOD name in an alt font; run full CAPTCHA verification on entry; use the Prune function on accounts inactive for over 1 week that have no role.
Thanks for your time. Please post any corrections / suggestions in the comments. Have a great day.
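As an added example (not from the thread or any Discord bot), here is the name check such a bot could run on join or during the periodic audit: it folds "alt font", zero-width and lookalike characters back to plain ASCII, then matches the thread's search terms and the staff name list. The confusables map is a deliberately partial assumption to be extended from the Unicode confusables data; small-caps glyphs, for instance, are not covered.

```python
from __future__ import annotations
import re
import unicodedata

# Search terms from the thread above.
SCAM_TERMS = ("admin", "support", "tech", "help desk", "helpdesk", "captcha",
              "announce", "moderator", "advisor", "consultant", "founder")
# Partial lookalike map (assumption: extend from the Unicode confusables data).
# Cyrillic а е о р с х у і, dotless i, and a few leet substitutions.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u0131": "i", "0": "o", "1": "l", "3": "e", "@": "a", "$": "s"}
# Zero-width and directional characters sometimes used to pad names.
ZERO_WIDTH = re.compile(r"[\u200b-\u200f\u2060\ufeff]")


def normalize_name(name: str) -> str:
    """Fold a display name to plain lowercase ASCII letters, digits, spaces."""
    text = ZERO_WIDTH.sub("", name)
    # NFKC turns mathematical, fullwidth and circled letters into ASCII.
    text = unicodedata.normalize("NFKC", text).casefold()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    # Drop accents: decompose, then discard combining marks.
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9 ]", "", text)


def flags_for(name: str, staff_names: list[str]) -> list[str]:
    """Reasons a member name deserves review; empty list means none found.
    Callers skip members whose user ID is a known staff ID (the real staff
    account matches its own name)."""
    compact = normalize_name(name).replace(" ", "")
    reasons = [f"contains term '{t}'" for t in SCAM_TERMS
               if t.replace(" ", "") in compact]
    for staff in staff_names:
        folded = normalize_name(staff).replace(" ", "")
        # Lookalike, or a "Name | Project MOD" style prefix of a staff name.
        if folded and compact.startswith(folded):
            reasons.append(f"resembles staff '{staff}'")
    return reasons


def audit(members: list[str], staff_names: list[str]) -> dict[str, list[str]]:
    """Map each flagged member name to its reasons."""
    return {m: r for m in members if (r := flags_for(m, staff_names))}


if __name__ == "__main__":
    # Constructed sample members; none are real accounts.
    sample = ["𝓐𝓭𝓶𝓲𝓷", "\u0410lice | Project MOD", "Ｈelp Desk", "bob_the_builder"]
    for member, why in audit(sample, ["Alice"]).items():
        print(member, "->", "; ".join(why))
```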
💡Palantir ☆WATA☆

@CryptoPalantir

cofounder @theanswer_web3 ☆WATA☆ | Advisor @DaGOATs6 | Partner @Wisdom_Holders | 40 O.B. | 4DC | gladiator @PrimusDAO