Account security improvement: e-mail confirmation to change password and mail

Kavelj22

legendary

Activity: 1778

Merit: 1474

🔃EN>>AR Translator🔃

After reading all above posts, i think there is a missed information:
When an account is proceeded for ownership change (email change), the following process occurs:

Quote from: theymos on December 13, 2018, 11:41:28 PM

- The change is queued.
- It is listed in seclog.php.
- The old email receives a warning.
- After 7 days, the change goes through and another seclog.php entry is added.

The account stays locked throughout all of this.

It means that when you receive an email informing you that the email address has been changed to a new one, you have some few options which i find sufficent enough:
- Lock the account with the link received in the email during the next 14 days as mentioned here:

Quote from: theymos on October 17, 2017, 09:47:10 PM

Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.

- During the one week period of ownership change, you can post all the evidence you have about the ownership of your account (staked btc address or PGP key / full control over the original email which you used to create the account...) so the administration can take hand of the situation and correct it:

Quote from: theymos on December 13, 2018, 11:41:28 PM

Hopefully it will be essentially unheard of, but if an account is going to be incorrectly transferred, everyone who knows about the incorrect change should noisily post all of the evidence they have so that we can at least put the change on hold and re-review the evidence.

^{* Admins can act outside of procedure and bypass the queue if necessary, but hardly ever will.}

Up to this point, all what you have to do is to secure your account following those advices, which i find essential and enough, based only on my opinion:

Quote from: tranthidung on January 29, 2019, 08:16:11 AM

- Strong password: should be as strong as possible, lower & upper case, letter, etc. And, the account's password should be totally different than any other accounts on other platforms (in the case using the same email for different platform).
- 2FA for email that used to register forum account;
- Strong antivirus software, and keep it always updated.
- Staking bitcoin signed address in the forum;
- Keeping the wallet (on computers) as safely as possible.

So no need to ask/suggest adding more features to the forum or more restrictions. Active 2FA for the email is fundamental.

Related threads to this, started by admin:
FYI: "ownership change queued"
Recovering hacked/lost accounts
Account recoveries are moving again
I have created this topic to record entries in SecLog : All the Ownership-Changed and Restored accounts

^{*Don't hesitate to correct me if you find anything wrong in this post.}

tranthidung

legendary

Activity: 2310

Merit: 4085

Farewell o_e_l_e_o

In a nutshell, [after read all above posts] I would say some steps are neccessary to secure accounts:
- Strong password: should be as strong as possible, lower & upper case, letter, etc. And, the account's password should be totally different than any other accounts on other platforms (in the case using the same email for different platform).
- 2FA for email that used to register forum account;
- Strong antivirus software, and keep it always updated.
- Staking bitcoin signed address in the forum;
- Keeping the wallet (on computers) as safely as possible.

All those four steps are essential and enough to secure accounts, in my opinion.

I remembered that I read a topic from a Hero/ Ledgendary who get their account back almost immediately after get the email notification.
When I saw the topic again, I will leave the link here.

sheenshane

legendary

Activity: 2492

Merit: 1232

Quote from: CryptopreneurBrainboss on January 29, 2019, 12:06:18 AM

Quote from: theymos on October 17, 2017, 09:47:10 PM

I added email notifications for some security events:

Whenever your password is changed (except by an administrator), you will get an email about it.

Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.

Let me know if you find any bugs.

Snip-

Email notification is enough for security purposes as what have theymos said as long as your email account is not hacked too, I think 2FA is not needed since there's an email to your email account were you receive if somebody changing your profile info or something your account has stolen. Together with the signed address on this forum is a solid proof to recover account once it is quoted with someone else.

I think there's nothing to change with the account security system settings, besides it is our responsibility to keep our account safe. So, it is impossible to get hack unless if you sell your account and trying to get back and claiming it is getting hacked.

CryptopreneurBrainboss

legendary

Activity: 2408

Merit: 4282

eXch.cx - Automatic crypto Swap Exchange.

This email issue and 2FA security sittings have been discuss numerous times and he's an official statement from theymos on the issue.
From what I understand view this quote below although I haven't been hacked before so don't know how effective it's

Quote from: theymos on October 17, 2017, 09:47:10 PM

I added email notifications for some security events:

Whenever your password is changed (except by an administrator), you will get an email about it.

Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.

Let me know if you find any bugs.

Then few hours later this user confirmed the system is working just fine.

Quote from: Meuh6879 on October 18, 2017, 06:31:13 AM

Quote from: theymos on October 17, 2017, 09:47:10 PM

Whenever your password is changed (except by an administrator), you will get an email about it.

Verified , no problem, email received if password is changed.

+logout
+login to test changed password
= no problem.

+forgot password link
+email received to reset password
+change password
= no problem.

lobcmt2

full member

Activity: 462

Merit: 155

Or with terrible support of yahoo mail. It is a terrible scenario.

Quote from: Findingnemo on January 28, 2019, 11:20:14 PM

I think its is already suggested by our community early,but why it is not wise to implement means!

Practically someone will change email address only if they lost access to old one,so what happens if they lost their access to old email and to add new email?

SO just stick with what we have now and hope to see something to prevent hacks in new forum software.

My proposal is the combination of two security methods:
- 2FA (for users to increase their security level by themselves)
- Bitcoin signed address: if they lost control of 2FA, the bitcoin signed address might give them chances to recover their accounts. Of course, the one only helpful if they have full control of their bitcoin signed address.

If they lose all of them, they should accept the fact that accounts totally gone.

Findingnemo

hero member

Activity: 2366

Merit: 793

Bitcoin = Financial freedom

I think its is already suggested by our community early,but why it is not wise to implement means!

Practically someone will change email address only if they lost access to old one,so what happens if they lost their access to old email and to add new email?

SO just stick with what we have now and hope to see something to prevent hacks in new forum software.

mk4

legendary

Activity: 2870

Merit: 3873

Paldo.io 🤖

Quote from: tranthidung on January 28, 2019, 10:07:21 PM

Wrong!
For someone who still thought that 2FA is the best solution, let's spend a minute to think of what will happen if account owners lost their 2FA backup?
Then, they will open a topic in Meta, complaining and asking for help.
2FA backups can be lost, but the quoted of your bitcoin signed address in the forum will not be lost at any odds.
The probability that both your original bitcoin signed address post and quoted-post from your original post deleted together are scarce, almost impossible.

Can't you say the same with your bitcoin wallet's private keys though? You can lose access to your 2FA if you lose your backup or if you didn't do a backup to start with; and at the same time, you can also lose access to your staked bitcoin address if you lose access to your wallet's private keys.

In the end, if you want to me more secure, you'd need to take these small extra responsibilities to do so. And for now, 2FA(along with signing a message of your staked address), is one of the best security practices that we can use right now.

tranthidung

legendary

Activity: 2310

Merit: 4085

Farewell o_e_l_e_o

This is one of the best solutions, I think.

Quote from: bitmover on January 28, 2019, 07:20:08 PM

theymos wants to create an automated process of recovering accounts signing a bitcoin address, which is a more elegant solution and fits the forum

Wrong!
For someone who still thought that 2FA is the best solution, let's spend a minute to think of what will happen if account owners lost their 2FA backup?
Then, they will open a topic in Meta, complaining and asking for help.
2FA backups can be lost, but the quoted of your bitcoin signed address in the forum will not be lost at any odds.
The probability that both your original bitcoin signed address post and quoted-post from your original post deleted together are scarce, almost impossible.

Quote from: Cashi on January 28, 2019, 08:30:07 PM

Yes, 2FA is also a very good feature

Cashi

member

Activity: 392

Merit: 49

Yes, 2FA is also a very good feature, I hope it will be enabled in the new forum software. In the old one it seems to be too difficult to add. There are many cases where hacks woldn't have happened if we had a confirmation mail or 2FA. A confirmation mail should be easier to implement or am I wrong?

When my password got resetted I receive a mail as a notice but I can't access my account anymore if the hacker is fast and changes my mail. In addition, it should be possible to send a mail before the password is changed. Afterwards the mail is not very useful. I can just lock my account but I would be locked out by myself: Undecided

Quote

Dear ~,

Your Bitcoin Forum (bitcointalk.org) email address was just changed from ~ to ~ by IP address ~. If you did not do this, then you can visit the following link within 14 days in order to lock the account:
~link~
Note that you will NOT be asked for your password at that URL.

Regards,
The Bitcoin Forum Team

The link gives an option to lock the account:

Quote

Your account will be locked. Nobody will be able to log in and access any of the account's functions. Administrative action will be required to unlock it. You should contact an admin after this (see the sticky in Meta). Be warned that although it will be easier to recover an account after this locking tool is used than if you do nothing and your account is compromised, our account-recovery throughput is very limited, and it could be a long time before you get your account back.

crwth

copper member

Activity: 2940

Merit: 1280

https://linktr.ee/crwthopia

This would be a great idea combined with all the other topics raised like this: https://bitcointalksearch.org/topic/why-cant-we-set-up-2fa-on-this-forum-it-would-be-a-good-idea-5073921

Every time I think of changing passwords or email, it can be seen as a suspicious activity in one's account, except if you proved it that it's still you. I'm up for the confirmation email, changing the password, etc. Creating that would be time-consuming and this is an old post.

Quote from: theymos on March 19, 2014, 10:17:55 PM

If someone wants to write a patch for it, I will seriously consider adding it. I believe that safely adding 2FA would be very time-consuming, so I'm not willing to do it myself or direct Slickage to do it.

bitmover

legendary

Activity: 2352

Merit: 6089

bitcoindata.science

This was already suggested many times, like 2FA and similar, but none of those suggestions were implemented. The only thing you can do now is to freeze your account. That´s good, but certainly not enough.

theymos wants to create an automated process of recovering accounts signing a bitcoin address, which is a more elegant solution and fits the forum

Becky666

full member

Activity: 756

Merit: 231

Quote from: Cashi on January 28, 2019, 05:36:29 PM

To improve the security of our Bitcointalk accounts it would be a good decision to allow password-changes or changes of our current e-mail address only if we have to verify a confirmation mail which is send to our current e-mail address.

I'm sure that will help to prevent many hacks. If we set a confirmation e-mail as requirement the hackers need access to the Bitcointalk account and the e-mail account. Right now, a hacker needs only to have access to the Bitcointalk account and he can change e-mail address and password without any difficulty and lock out the legitimate owner.

Is it possible to implement such a feature? I would really like to have this additional security measure to protect my account from hacks.

Although there had been many account hack recent times in this forum and issues concerning security had been discussed extensively and groups has been set up for account recovery ..etc.

This suggestion looks pretty good for another level of security to the ones already out played which has not actually given lasting solutions to the issues of hacks in the forum. Theymos should take a look at this suggestion to see if its possible to move the security level of account protection a bit higher than what we have on ground. Just my personal opinion!!.

Cashi

member

Activity: 392

Merit: 49

To improve the security of our Bitcointalk accounts it would be a good decision to allow password-changes or changes of our current e-mail address only if we have to verify a confirmation mail which is send to our current e-mail address.

I'm sure that will help to prevent many hacks. If we set a confirmation e-mail as requirement the hackers need access to the Bitcointalk account and the e-mail account. Right now, a hacker needs only to have access to the Bitcointalk account and he can change e-mail address and password without any difficulty and lock out the legitimate owner.

Is it possible to implement such a feature? I would really like to have this additional security measure to protect my account from hacks.

Topic: Account security improvement: e-mail confirmation to change password and mail (Read 347 times)