Create an option to get an e-mail notification someone logs in - page 2.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18706

Wow. What a thread.

Quote from: bones261 on June 05, 2019, 03:55:28 PM

Unfortunately, no information from the OP on thread to indicate exactly how he may have gotten compromised.

He did say this:

Quote from: kenzawak on June 04, 2019, 01:21:44 PM

I do logon from hotel wifis when abroad, I don't have much choice if I wanna get online.

If you look at the picture of theymos' PM, you can see he logs in from 5 different USA IPs in less than 12 hours. Assuming he was in New York for a few days, it seems he could well have logged in to dozens of different public WiFis, and then less than a week later, his account is used to scam. As most of us know, if you log in to a public WiFi without any sort of encryption it is entirely possible for that WiFi owner to see absolutely everything you send and receive, including usernames and passwords. I'm not saying this is definitely what happened, but it's a very obvious vector of attack.

bones261

legendary

Activity: 1806

Merit: 1828

Quote from: o_e_l_e_o on June 05, 2019, 03:44:57 PM

Quote from: bones261 on June 05, 2019, 02:38:57 PM

It appears that some scammers on Telegram are trying to gain confidence from people by telling them they are a bitcointalk member. It appears one scammer may have gotten access to a reputed members account and sent PMs under the member's nose.

I don't understand how this happened? Did the user in question just give out their password?

Here is the thread in question that I am talking about. https://bitcointalksearch.org/topic/weird-emails-and-pms-about-a-paypal-transaction-i-never-made-5150479 I am leaning toward believing that the OP is telling the truth; however, it is possible that it is just an excuse. Unfortunately, no information from the OP on thread to indicate exactly how he may have gotten compromised.
Here is a similar described incident. But I don't think the telegram scammer actually had access to the bitcointalk account to confirm the credentials that he was giving. https://bitcointalksearch.org/topic/i-have-been-scammed-twice-stop-these-scammers-from-scamming-again-5148419

o_e_l_e_o

legendary

Activity: 2268

Merit: 18706

Quote from: suchmoon on June 05, 2019, 12:39:05 PM

Perhaps add another alert for user agent then. I bet no hacker would guess that my browser is "NCSA_Mosaic/1.0 (Windows 3.1)".

They will now that you've told them! I'd recommend switching immediately - I use WorldWideWeb/0.18 (NeXTSTEP 3.3).

Some people constantly spoof their user agent, so again, wouldn't work for everyone, but it certainly could be offered alongside the IP option. Between the two of them, I suspect that would cover most people who are worried about it.

Quote from: bones261 on June 05, 2019, 02:38:57 PM

It appears that some scammers on Telegram are trying to gain confidence from people by telling them they are a bitcointalk member. It appears one scammer may have gotten access to a reputed members account and sent PMs under the member's nose.

I don't understand how this happened? Did the user in question just give out their password?

Joel_Jantsen

legendary

Activity: 1988

Merit: 1317

Get your game girl

Quote from: bones261 on June 05, 2019, 02:38:57 PM

It appears that some scammers on Telegram are trying to gain confidence from people by telling them they are a bitcointalk member. It appears one scammer may have gotten access to a reputed members account and sent PMs under the member's nose. Unfortunately, for the reputed member, there is really no way to prove definitively that he was "hacked."

One of the hackey ways I could think of is, checking the Last Active option of your account and verifying with your actual Last Active time. OF COURSE, you've to check it without logging in on the website and opening your profile.

Quote from: bones261 on June 05, 2019, 02:38:57 PM

Now he is being asked to potentially make up for the victim's loss. I just want to make it harder for scammer's to use another person's account on the down low. I realize that e-mail notification is not a fail-safe. However, offering as many tools as possible to give people notification that their account may be compromised is a good thing. I personally don't want to force additional security options on people though. I think it should be up to the person to use the extra tool or not.

2FA can potentially solve the above issue but we have it coming up in the new forum (hopefully). IP based verification should be used in connection with the login logic. Something what LBC does, if they find youe opening the site from a different IP that doesn't exist before, you're forced to do confirm a link sent in your email.

bones261

legendary

Activity: 1806

Merit: 1828

Quote from: CryptopreneurBrainboss on June 05, 2019, 02:08:55 PM

Before I vote, I need to be cleared on the whole idea of email notification, what's the aim of this suggestion, is it that you want to to get notified each time your account get logged into or you're trying to prevent hackers from accessing our account?.

How about recieving this notification only when there is a change in users IP address instead of receiving a notification for every login attempt. Most platform uses this feature and it helps prevent hack attempts.

If the whole suggestion is about preventing hackers from gaining access to your account I don't see the usefulness of a notification when it might be too late before you can do anything about it.

It appears that some scammers on Telegram are trying to gain confidence from people by telling them they are a bitcointalk member. It appears one scammer may have gotten access to a reputed members account and sent PMs under the member's nose. Unfortunately, for the reputed member, there is really no way to prove definitively that he was "hacked." Now he is being asked to potentially make up for the victim's loss. I just want to make it harder for scammer's to use another person's account on the down low. I realize that e-mail notification is not a fail-safe. However, offering as many tools as possible to give people notification that their account may be compromised is a good thing. I personally don't want to force additional security options on people though. I think it should be up to the person to use the extra tool or not.

Quickseller

copper member

Activity: 2926

Merit: 2348

Quote from: bones261 on June 05, 2019, 02:05:28 PM

Quote from: Quickseller on June 05, 2019, 12:54:53 PM

If you are infected with malware, it is possible someone could access your account without logging in. The hacker could possibly access your account locally on your computer, or they could copy the cookie used to validate you and logged in.

Well, I realize that my proposed solutions won't make someone's security foolproof. Just another pesky pawn that one could place to get in the way of the hacker's queen.

Having an option to receive an email notification when a PM is sent would be beneficial. Obviously not everyone has a real email attached to their account or activity monitors their attached email.

The email sent to respond to a message contains a link to reply to the message. I can see a lot of people accidentally clicking on the security link when receiving a email saying they just sent a PM, if they are in the middle of a PM conversation.

CryptopreneurBrainboss

legendary

Activity: 2380

Merit: 4265

eXch.cx - Automatic crypto Swap Exchange.

Before I vote, I need to be cleared on the whole idea of email notification, what's the aim of this suggestion, is it that you want to to get notified each time your account get logged into or you're trying to prevent hackers from accessing our account?.

How about recieving this notification only when there is a change in users IP address instead of receiving a notification for every login attempt. Most platform uses this feature and it helps prevent hack attempts.

If the whole suggestion is about preventing hackers from gaining access to your account I don't see the usefulness of a notification when it might be too late before you can do anything about it.

bones261

legendary

Activity: 1806

Merit: 1828

Quote from: Quickseller on June 05, 2019, 12:54:53 PM

If you are infected with malware, it is possible someone could access your account without logging in. The hacker could possibly access your account locally on your computer, or they could copy the cookie used to validate you and logged in.

Well, I realize that my proposed solutions won't make someone's security foolproof. Just another pesky pawn that one could place to get in the way of the hacker's queen.

Quickseller

copper member

Activity: 2926

Merit: 2348

Quote from: bones261 on June 05, 2019, 11:52:49 AM

Edit: I forgot to take a screen shot of the previous poll. It was 9 to 5 in favor of adding an option to get e-mail notification when sending a PM.

If you are infected with malware, it is possible someone could access your account without logging in. The hacker could possibly access your account locally on your computer, or they could copy the cookie used to validate you and logged in.

suchmoon

legendary

Activity: 3654

Merit: 8909

https://bpip.org

Quote from: o_e_l_e_o on June 05, 2019, 12:18:14 PM

it wouldn't work well with Tor or anyone who frequently rotates to new VPN servers.

Perhaps add another alert for user agent then. I bet no hacker would guess that my browser is "NCSA_Mosaic/1.0 (Windows 3.1)".

o_e_l_e_o

legendary

Activity: 2268

Merit: 18706

Quote from: DdmrDdmr on June 05, 2019, 10:43:11 AM

An email notification when someone logs into an account could be useful in order to act as quick as possible. This could have it’s tweaks such as only notify when you do so from a new IP (to delimit the number of notifications), and have an opt-in option to activate it.

I think this is the neatest solution. We know from theymos' topic Retention/privacy info and from the page https://bitcointalk.org/privacy.php that your IP is logged for at least 3 months, and partially up to 2 years. It would be fairly easy to implement a simple check upon login of the current IP compared to all previous IPs, and fire off an email notification if the IP is brand new. That would stop users who wanted this option from being flooded with emails. The obvious drawback here is that it wouldn't work well with Tor or anyone who frequently rotates to new VPN servers.

darklus123

hero member

Activity: 1246

Merit: 588

Quote from: TryNinja on December 05, 2017, 09:44:30 PM

Why even bother to use Google Authenticator? You can download a open source 2FA app such as andOTP[1] that has the option to backup and restore 2FA codes. Then, you can just set up your 2FA and upload an encrypted backup to any free cloud provider you want. Never losing access to your accounts again.

[1] https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp&hl=pt_BR

Note: It is mainly your responsibility to take good care of your account and add up as much security as you can so you don't have to rely on the current forum features.

bones261

legendary

Activity: 1806

Merit: 1828

I have changed the poll and topic to explore if it would be better to just have the option to get notified whenever they log in.

Edit: I forgot to take a screen shot of the previous poll. It was 9 to 5 in favor of adding an option to get e-mail notification when sending a PM.

DireWolfM14

copper member

Activity: 2296

Merit: 4460

Join the world-leading crypto sportsbook NOW!

Quote from: Pmalek on June 05, 2019, 04:44:23 AM

Having an option like that would only make sense if the option can't be turned off.

This is true, and would be a pain in the ass in my opinion. I don't need a notification sent to my email whenever I send a PM. I'm already getting notifications for received PMs, and I hate to say it but the Maggiordomo bot has been getting a bit irritating in that regard. Removing the option to not save outgoing PM in the outbox isn't going to do much, because the hacker can just delete the message after it's sent.

The situation that spurred bones to create this topic is a bit concerning, but I would like to think it's an isolated case. I don't recall learning about any other situation with a similar account breach.

Since most of us are into cryptocurrency we should all understand the importance of self reliance and accountability when it comes to our own security. Maybe some people don't take the security of their forum account as seriously as their bitcoin wallet, but maybe that's what needs to change. This is especially true for those of us who've developed a trusted reputation here, it's not only our account and reputation that are on the line, but someone may get scammed. Continuing to ask theymos to implement troublesome features to compensate for a few members' lack of accountability and responsibility isn't a great solution.

ReverseDirect

newbie

Activity: 2

Merit: 0

Quote from: bones261 on June 05, 2019, 08:45:37 AM

Quote from: logfiles on June 05, 2019, 03:57:31 AM

If it's just an Option that can be checked and unchecked, then the hackers will disable the option when they are using victims' accounts to send messages just like they would u check "save copy to my inbox"

My suggestion is that maybe we have the account automatically locked when there is a sudden change in the IP address log from the usual pattern accompanied with a verification email with information about a mandatory security check.
2FA will not be implemented on this forum software. Maybe on the new forum software. This has been suggested multiple times but nothing has been done.

I already thought about hackers disabling the option.

Quote from: bones261 on June 05, 2019, 02:22:30 AM

Also, an e-mail notification would be sent whenever someone decides to opt-in or opt-out.

If a hacker was trying to cover his tracks by disabling, sending PM and then enabling again, you would get 3 e-mails. It would probably be better if someone had the option of getting a text by phone. However, I'm not sure this is possible, or if this site even wants to store something as sensitive as a phone number.

Quote from: CryptopreneurBrainboss on June 05, 2019, 03:02:21 AM

How about the option of making the "save a copy to my outbox" a default setting that can't be changed and message saved in outbox can only be deleted after certain number of days like 30days period.

Some people may not want a certain PM stored in their outbox for any period of time. They may want to convey some personal information that they also request the receiver delete when they are done with it. I realize there are better ways to go about this, though.

I don't like the idea of sharing your phone number in this forum. This beats the purpose of anonymity and the hacker will get far more valuable information if they can check out your phone number after hacking your account.
I really like the idea of changing the password via email only. This will ensure that a foreign IP cannot log you out of your account. If notifying by email isn't possible, maybe share the login time and all the activities of the user's database on another website? This will also help Mods trace out scammers. The fact that you can delete all your past activities in a forum where a transaction is built on trust is scary.

DdmrDdmr

legendary

Activity: 2338

Merit: 10802

There are lies, damned lies and statistics. MTwain

Quote from: bL4nkcode on June 05, 2019, 02:28:03 AM

<…>
What if there's an email notification every time a user login on its forum account to top this. And with this ,

Quote

Perhaps these e-mails can also come with an option to lock the account.

I’d say that this is a better option. A person can perform a silent hack into someone’s account (not changing the credentials nor email) and not just PM some shady stuff, but also create posts such as those seen recently in this and other threads: Please disable Fake ANNs download links , theymos !. A couple of related cases were reported as silent hacks, and verified to be so to the extent that can be done through taking a look at the IP logs.

An email notification when someone logs into an account could be useful in order to act as quick as possible. This could have it’s tweaks such as only notify when you do so from a new IP (to delimit the number of notifications), and have an opt-in option to activate it.

erikalui

legendary

Activity: 2632

Merit: 1094

Quote from: Pmalek on June 05, 2019, 04:44:23 AM

Having an option like that would only make sense if the option can't be turned off. If a hacker manages to gain access to an account and un-tick the option for sending a notification via email when a PM is sent we are back to square one.

But in that case we will encounter the problem that LoyceV highlighted. Possibly getting 1000 emails and notifications of sent PMs.

The best option I think is having all sent PMs automatically go to the Outbox folder like CryptopreneurBrainboss suggested.

Can't the hacker delete the sent PMs from the user's account? When they can send PMs without the knowledge of the user, they can easily delete their own sent PMs as well as we can do now manually.

bones261

legendary

Activity: 1806

Merit: 1828

Quote from: logfiles on June 05, 2019, 03:57:31 AM

If it's just an Option that can be checked and unchecked, then the hackers will disable the option when they are using victims' accounts to send messages just like they would u check "save copy to my inbox"

My suggestion is that maybe we have the account automatically locked when there is a sudden change in the IP address log from the usual pattern accompanied with a verification email with information about a mandatory security check.
2FA will not be implemented on this forum software. Maybe on the new forum software. This has been suggested multiple times but nothing has been done.

I already thought about hackers disabling the option.

Quote from: bones261 on June 05, 2019, 02:22:30 AM

Also, an e-mail notification would be sent whenever someone decides to opt-in or opt-out.

If a hacker was trying to cover his tracks by disabling, sending PM and then enabling again, you would get 3 e-mails. It would probably be better if someone had the option of getting a text by phone. However, I'm not sure this is possible, or if this site even wants to store something as sensitive as a phone number.

Quote from: CryptopreneurBrainboss on June 05, 2019, 03:02:21 AM

How about the option of making the "save a copy to my outbox" a default setting that can't be changed and message saved in outbox can only be deleted after certain number of days like 30days period.

Some people may not want a certain PM stored in their outbox for any period of time. They may want to convey some personal information that they also request the receiver delete when they are done with it. I realize there are better ways to go about this, though.

Pmalek

legendary

Activity: 2730

Merit: 7065

Having an option like that would only make sense if the option can't be turned off. If a hacker manages to gain access to an account and un-tick the option for sending a notification via email when a PM is sent we are back to square one.

But in that case we will encounter the problem that LoyceV highlighted. Possibly getting 1000 emails and notifications of sent PMs.

The best option I think is having all sent PMs automatically go to the Outbox folder like CryptopreneurBrainboss suggested.

TheBeardedBaby

legendary

Activity: 2240

Merit: 3150

₿uy / $ell ..oeleo ;(

Maybe just have a visible statistics of sent messages per day/week/month instead of notifications, like
Messages sent today 0. I don't know where it could be placed but should be on a easy-to-spot place.

Topic: Create an option to get an e-mail notification someone logs in - page 2. (Read 1102 times)