account recovery staff | Bitcointalksearch.org

hilariousandco

global moderator

Activity: 3990

Merit: 2717

Join the world-leading crypto sportsbook NOW!

Quote from: samuel999 on November 23, 2015, 10:31:46 AM

I know that database access can be dangerous, but what if they just had read-only access. Then that staff member would only need to be trusted to not give any information away. He can read what is in the database in order to ask the right questions but can't modify it so it isn't harmful to the site if the wrong command is sent.

Also with sending the reset emails, why would this need database access? The user is providing an email address and there is already an automatic mechanism to send the recovery emails and to reset the password through that email. Couldn't the staff member just send that recovery email for an account to the specified address?

Having access to that sort of information is still a massive responsibility, but a person would need some sort of access to the database to reset accounts etc.

samuel999

sr. member

Activity: 256

Merit: 250

CSGOBetGuide.com - Esports Gambling List

Quote from: shorena on November 23, 2015, 05:31:53 AM

Quote from: Shield on November 23, 2015, 02:39:58 AM

Quote from: hilariousandco on November 23, 2015, 02:36:44 AM

I agree account recovery is currently an issue and isn't really getting dealt with properly but it's difficult to find mods who can be trusted with having access to the database/being an admin. The fewer people who are the better and more secure for everybody but I do think either another admin or someone who could deal with account recoveries would be beneficial but it's probably not a priority as frustrating as that may be for those who have lost access to their accounts.

No need someone to have access to database, but someone in middle who can check, verify and after everything looks fine, forward approved request to admin,this way admin's inbox won't filled with spam and he will get only approved request with proofs that he can take action to reset details.

The way I understand it is that you need database access to approve a request. A signed message is only the start of what needs checked. I read from time to time that those with locked accounts due to using the security question were asked additional questions. I assume these are cross checks with data directly from the database, e.g. from PMs.

I know that database access can be dangerous, but what if they just had read-only access. Then that staff member would only need to be trusted to not give any information away. He can read what is in the database in order to ask the right questions but can't modify it so it isn't harmful to the site if the wrong command is sent.

Also with sending the reset emails, why would this need database access? The user is providing an email address and there is already an automatic mechanism to send the recovery emails and to reset the password through that email. Couldn't the staff member just send that recovery email for an account to the specified address?

shorena

copper member

Activity: 1498

Merit: 1528

No I dont escrow anymore.

Quote from: Shield on November 23, 2015, 02:39:58 AM

Quote from: hilariousandco on November 23, 2015, 02:36:44 AM

I agree account recovery is currently an issue and isn't really getting dealt with properly but it's difficult to find mods who can be trusted with having access to the database/being an admin. The fewer people who are the better and more secure for everybody but I do think either another admin or someone who could deal with account recoveries would be beneficial but it's probably not a priority as frustrating as that may be for those who have lost access to their accounts.

No need someone to have access to database, but someone in middle who can check, verify and after everything looks fine, forward approved request to admin,this way admin's inbox won't filled with spam and he will get only approved request with proofs that he can take action to reset details.

The way I understand it is that you need database access to approve a request. A signed message is only the start of what needs checked. I read from time to time that those with locked accounts due to using the security question were asked additional questions. I assume these are cross checks with data directly from the database, e.g. from PMs.

Shield

sr. member

Activity: 333

Merit: 250

Quote from: hilariousandco on November 23, 2015, 02:36:44 AM

I agree account recovery is currently an issue and isn't really getting dealt with properly but it's difficult to find mods who can be trusted with having access to the database/being an admin. The fewer people who are the better and more secure for everybody but I do think either another admin or someone who could deal with account recoveries would be beneficial but it's probably not a priority as frustrating as that may be for those who have lost access to their accounts.

No need someone to have access to database, but someone in middle who can check, verify and after everything looks fine, forward approved request to admin,this way admin's inbox won't filled with spam and he will get only approved request with proofs that he can take action to reset details.

hilariousandco

global moderator

Activity: 3990

Merit: 2717

Join the world-leading crypto sportsbook NOW!

I agree account recovery is currently an issue and isn't really getting dealt with properly but it's difficult to find mods who can be trusted with having access to the database/being an admin. The fewer people who are the better and more secure for everybody but I do think either another admin or someone who could deal with account recoveries would be beneficial but it's probably not a priority as frustrating as that may be for those who have lost access to their accounts.

Shield

sr. member

Activity: 333

Merit: 250

I agree, Theymos should promote someone who is experienced to co-admin or make a new rank.where the person can check and verify everything and if everything looks fine forward it to theymos. this will stop a lot of message in his inbox about account recovery, someone in middle will handle those request and forward only legit and approved requests with proofs to theymos.

target

legendary

Activity: 2282

Merit: 1041

this is hard job. he has to track if a user who claim is indeed the real owner so investigation is needed.

xinzark

legendary

Activity: 1120

Merit: 1001

Nice suggestion. While looking at current situation it us impossible to recover a locked or hacked account

My brother is trying to recover his account from the last 2 months. He also signed message from the address posted and sent email and pm to theymos but never got any response

And his only Fault was that he used a feature which was kept there to use that is 'Secret question'
theymos should have at least warned users not to use that feature or remove or reset that feature.

Now my brother is just hanging and waiting for the issue to get solved and that really makes him feel like he is being kicked out from bitcointalk and his only fault was he stays Honest

Very bad to see thousands of users got their account locked and even in this situation we still heared no response from theymos

actmyname

copper member

Activity: 2562

Merit: 2510

Spear the bees

Quote from: samuel999 on November 22, 2015, 09:19:16 PM

Quote from: --Encrypted-- on November 22, 2015, 06:55:29 PM

it is possible but theymos have to give them permission to change/view passwords and view IPs and other stuff to see if an account was indeed hacked.. very huge responsibility.

They wouldn't need to have permission to change or view the passwords (and hopefully Bitcointalk does not save the passwords so that they can be viewed, just a salted hash because otherwise that would be a huge security risk). They would only need to be able to send out the recovery emails, which are already done automatically when someone requests a password reset via email. Other stuff though for determining whether an account was hacked, that would mean they have some access to more stuff like logs, but I don't think it would be terribly huge of a responsibility. I don't think they would have access to PMs or access to the database itself since that wouldn't really be necessary.

There must be a validation process, though. I would also like to say that there isn't really a need for a specific staff role of recovering accounts.

You can't possibly think that there are enough people losing their accounts for this to be necessary to come up, right? Recovering accounts - the process, does take a lot of time and effort, but being useful only for recovering accounts on BCT is kind of a waste.

Encrypted also brought up that they would need permission. We already have trustworthy staff members to sort out these situations; having people specifically for the role does call in some concerns with power...

I don't know, though. I'm just some guy on the Internet.

samuel999

sr. member

Activity: 256

Merit: 250

CSGOBetGuide.com - Esports Gambling List

Quote from: --Encrypted-- on November 22, 2015, 06:55:29 PM

it is possible but theymos have to give them permission to change/view passwords and view IPs and other stuff to see if an account was indeed hacked.. very huge responsibility.

They wouldn't need to have permission to change or view the passwords (and hopefully Bitcointalk does not save the passwords so that they can be viewed, just a salted hash because otherwise that would be a huge security risk). They would only need to be able to send out the recovery emails, which are already done automatically when someone requests a password reset via email. Other stuff though for determining whether an account was hacked, that would mean they have some access to more stuff like logs, but I don't think it would be terribly huge of a responsibility. I don't think they would have access to PMs or access to the database itself since that wouldn't really be necessary.

--Encrypted--

copper member

Activity: 924

Merit: 1007

hee-ho.

it is possible but theymos have to give them permission to change/view passwords and view IPs and other stuff to see if an account was indeed hacked.. very huge responsibility.

samuel999

sr. member

Activity: 256

Merit: 250

CSGOBetGuide.com - Esports Gambling List

Quote from: shorena on November 22, 2015, 02:38:37 PM

Some accounts just dont get recovered though, even though there is a signed message. If someone has to wait for a month and longer I dont think its because theymos and / or BadBear dont have the time to handle it. Its way more likely that there is more and its just not publicly known.

But at least letting the person know that the account won't be recovered for X reason would be nice. It seems like BadBear and Theymos don't do that, they just leave the user in the dark. If we had dedicated staff, they could formulate a decent response and work with the person instead of just ignoring them and keeping them guessing as to what they did wrong.

Quote from: DiamondCardz on November 22, 2015, 03:22:51 PM

I feel like if this was really a very, very pressing issue, they would have promoted another global moderator to an administrator position. Ultimately you should be responsible for your account yourself, with such a large forum a recovery procedure that isn't just a regular email reset is obviously going to take a long time.

Even with the email resets, some people don't use real emails since they aren't really necessary. You need an email to sign up, but it isn't verified. For some people, they think using the secret question will be faster and easier, but end up getting themselves locked out. In those cases, then they can't do anything and just need to wait for Theymos or BadBear to recover the account for them. It would be much faster if some staff actually did it as a job.

DiamondCardz

legendary

Activity: 1134

Merit: 1118

I feel like if this was really a very, very pressing issue, they would have promoted another global moderator to an administrator position. Ultimately you should be responsible for your account yourself, with such a large forum a recovery procedure that isn't just a regular email reset is obviously going to take a long time.

shorena

copper member

Activity: 1498

Merit: 1528

No I dont escrow anymore.

Quote from: samuel999 on November 22, 2015, 02:24:48 PM

Quote from: OmegaStarScream on November 22, 2015, 02:22:11 PM

I got you , but that would be insecure and I'm not saying that moderators are not trustworthy .. It's just that giving Database access to different people can cause some problems and moderators can get hacked and that will result in hackers getting database access etc ... I don't think it worth it (at least this is how I see it) . The less people have control the better .

But do they really need database access? The recovery would just be sending the person the recovery email. All that staff needs to do is to figure out whether that account should be recovered by whoever is contacting them. Then they just send the recovery email if the account should be recovered.

Some accounts just dont get recovered though, even though there is a signed message. If someone has to wait for a month and longer I dont think its because theymos and / or BadBear dont have the time to handle it. Its way more likely that there is more and its just not publicly known.

samuel999

sr. member

Activity: 256

Merit: 250

CSGOBetGuide.com - Esports Gambling List

Quote from: OmegaStarScream on November 22, 2015, 02:22:11 PM

I got you , but that would be insecure and I'm not saying that moderators are not trustworthy .. It's just that giving Database access to different people can cause some problems and moderators can get hacked and that will result in hackers getting database access etc ... I don't think it worth it (at least this is how I see it) . The less people have control the better .

But do they really need database access? The recovery would just be sending the person the recovery email. All that staff needs to do is to figure out whether that account should be recovered by whoever is contacting them. Then they just send the recovery email if the account should be recovered.

OmegaStarScream

staff

Activity: 3500

Merit: 6152

Quote from: samuel999 on November 22, 2015, 02:16:54 PM

Quote from: OmegaStarScream on November 22, 2015, 02:13:30 PM

There is probably two (or three if Sirius is involved) administrators who have access to the database and they are Theymos and BadBear and they are the only people who can recover accounts of people .
If you want to recover a lost account , you should sign a message using your old bitcoin address posted on one of your posts . If you don't have that then you won't really be able to recover anything and you should make a new brand account . See more : https://bitcointalksearch.org/topic/recovering-hacked-accounts-or-accounts-with-lost-passwords-497545

That's not what I am asking. I am asking whether we can have more staff whose only job is to recover people's acounts. Theymos and BadBear are incredibly busy doing a bunch of other stuff, not just with recovering accounts. If we had staff who only had to recover people's accounts, then the process would go much faster. Instead of having BadBear and Theymos recover accounts among all of the other stuff they have to do, we can have 2 or 3 people recover accounts and that is the only thing that they do. They verify signed messages and also let the user know whether the account can be recovered or not, instead of just not responding to them at all. The process for recovery would be the same, you would just be talking to another person.

I got you , but that would be insecure and I'm not saying that moderators are not trustworthy .. It's just that giving Database access to different people can cause some problems and moderators can get hacked and that will result in hackers getting database access etc ... I don't think it worth it (at least this is how I see it) . The less people have control the better .

In the meanwhile , people should learn to not download any .exe they found on the internet so they don't get hacked and also store their passwords safely so they don't lose access to their accounts .

tarsua

sr. member

Activity: 266

Merit: 250

Only a few of these cases appear a week, im sure the forum wont want to pay someone to work 1 or 2 hours a week, and the current mods have as much on their hands as is

samuel999

sr. member

Activity: 256

Merit: 250

CSGOBetGuide.com - Esports Gambling List

Quote from: OmegaStarScream on November 22, 2015, 02:13:30 PM

There is probably two (or three if Sirius is involved) administrators who have access to the database and they are Theymos and BadBear and they are the only people who can recover accounts of people .
If you want to recover a lost account , you should sign a message using your old bitcoin address posted on one of your posts . If you don't have that then you won't really be able to recover anything and you should make a new brand account . See more : https://bitcointalksearch.org/topic/recovering-hacked-accounts-or-accounts-with-lost-passwords-497545

That's not what I am asking. I am asking whether we can have more staff whose only job is to recover people's acounts. Theymos and BadBear are incredibly busy doing a bunch of other stuff, not just with recovering accounts. If we had staff who only had to recover people's accounts, then the process would go much faster. Instead of having BadBear and Theymos recover accounts among all of the other stuff they have to do, we can have 2 or 3 people recover accounts and that is the only thing that they do. They verify signed messages and also let the user know whether the account can be recovered or not, instead of just not responding to them at all. The process for recovery would be the same, you would just be talking to another person.

OmegaStarScream

staff

Activity: 3500

Merit: 6152

There is probably two (or three if Sirius is involved) administrators who have access to the database and they are Theymos and BadBear and they are the only people who can recover accounts of people .
If you want to recover a lost account , you should sign a message using your old bitcoin address posted on one of your posts . If you don't have that then you won't really be able to recover anything and you should make a new brand account . See more : https://bitcointalksearch.org/topic/recovering-hacked-accounts-or-accounts-with-lost-passwords-497545

samuel999

sr. member

Activity: 256

Merit: 250

CSGOBetGuide.com - Esports Gambling List

Would it be possible to have staff members whose sole job is to recover people's accounts? I have seen a lot of threads about people complaining about locked and stolen accounts, and many times it looks like people have to wait a long time, the account never gets recovered, and they never get a response. If we had staff that worked on recovering accounts, we wouldn't have this problem, and they could at least tell the user why an account cannot be recovered instead of leaving them in the dark with no response.

Topic: account recovery staff (Read 997 times)