Discord: The Importance of Cold Admin Accounts
By: Jamélie Myre
What is Discord?
Discord is an instant messaging platform that is frequently used within different types of communities and projects called ‘servers.’ Community members can create themselves an account and then proceed to joining servers through invites, communicate easily within and without discord servers through text messaging, voice or video chat, as well as private messaging/direct messaging. Many NFT (Non Fungible Token) project founders use Discord to hold the main hub of their projects, where their communities can get quick access to information about the project they are interested in or investing into, straight from the source.
Discord servers are controlled and managed by accounts with Administrator Permissions. Admin accounts are in charge of managing everything about the server, from creating channels and editing the layout of the server to inviting and managing Bots. Servers can have a 500 channel limit, such as general chat, project information, official links, and so on. As well as a series of Bots like MEE6, Dyno, Wick, etc. All of these Bots have more or less the same functions. In brief, they can help control, secure, moderate, create custom announcements or post links, stream music from youtube, hold a series of games, translate, and way more. Of course it is highly advised to DYOR (do your own research) about a Bot prior to inviting one into the server.
Security specialist and Founder of Server Forge @Plumferno tweeted in response to a jeopardized Bot situation that “You can protect against a situation like that with cold admin accounts. We can’t be 100% sure of any bots, but we can def[inetely] make plans for a situation in which they’re compromised. Don’t give them more perm[issions] than they need.”
The level of significance in having a cold administrator account for any discord server, especially one that holds a community and an NFT project, is critical to say the least. Any account that has administrator permissions is a high target to hackers since those permissions allow a user to add/remove or manage bots, webhooks, channels, users, messages, announcements as well as tagging @everyone, that is to say having total control over the server, but the risks can be mitigated.
Hot Account vs. Cold Account
The difference between a hot account and a cold account is fairly straightforward. A hot account takes on many and most likely day-to-day discord activities such as, befriending, joining multiple discord servers, direct messaging, being seen on a pedestal of a server as a founder or team member and so on. Hence a hot account should not under any circumstances have admin permissions, regardless of being the owner of the discord server or founder of the project, and especially being the owner of the server or founder of the project.
The cold account will have administrator permissions of the server, in other words, the account will be online solely to perform administrator tasks such as adding bots, managing webhooks, adding/deleting channels and creating announcements. Aside from server management, no other activities will be performed and the account will be offline (cold.) While having one cold account is good, it’s even better to have multiple cold accounts with administrator permissions, one with ownership of the server and one acting as server developer, in the misfortune that one of the cold accounts gets compromised. In that case, the other cold administrator account can absorb and rectify the attacks of the hacker while stopping him/her dead in their tracks.
The Importance of 2FA
Creating a cold account can be as simple as creating a new discord account which is used exclusively for the purposes of server management and administration. Although it is highly recommended if not mandatory that you and any other team member with moderation permissions have 2FA (two factor authentication) enabled since moderation permissions include kick/ban and delete messages. 2FA is an additional method that strengthens the verification security ensuring that you are the one logging into your account. It can easily be set up through your discord account settings by switching 2FA on, and downloading either the Authenticator app or the Authy app into your phone. It is highly suggested that both your accounts have 2FA enabled. You can also use 2FA through SMS, although Discord will allow an account to link to a phone number only once.
Overall, the key to mitigating risks of having a hacked or compromised discord server is to have cold admin accounts strictly for server management with administrator permissions. While using your regular hot account for day-to-day discord activities with extremely limited permissions within the server, for instance moderation permissions to kick/ban through special commands and delete messages, without forgetting 2FA for enhanced security measures in accessing your accounts.