Topic: [Guide] Bitcointalk account security - page 3. (Read 2412 times)

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
August 18, 2018, 12:47:17 PM
#3
True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)
Did you mean this:
True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)

Theymos is smart. Fake links work in preview, but get fixed when posted.

However, a homograph attack can still be used to create a fake link:
True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)

Quote
You can recognize that the second one is the fake link as it remains blue when you mouse over.
I normally don't look closely enough to notice this (high resolution on a low quality screen), but it does indeed work.

Quote
- There are several important things to know about the secret question feature.

1) Once you set the secret question you cannot disable the feature.
That's incorrect. You can simply remove the secret question and answer (credit to SFR10).


An addition: use a password manager! I have hundreds of different passwords, and there's no way to remember them all. They're all safely encrypted inside my password manager, so I only have to remember the master password (and make backups).
hero member
Activity: 536
Merit: 513
August 18, 2018, 09:46:41 AM
#2
- Feedback, corrections (if any), and/or more information that you wish to be added to the OP are welcome.

- Translation of this thread for posting to a local board is encouraged for better exposure.

- NB: Needless to say, machine translation is not allowed by the forum rules.  In addition, duplicating the whole thread without translation, like this https://archive.fo/bFH96, also breaks the forum rules and ends up deleted.

Translations

hero member
Activity: 536
Merit: 513
August 18, 2018, 09:46:13 AM
#1
Note: For recovery of hacked/lost accounts, follow the new process announced by theymos.
[1] Recovering hacked/lost accounts
[2] Account recoveries are moving again
Send an email to the address written in the OP of [1].  Since the addresses will be changed periodically, check the latest ones in the OP.


Every day we see threads about hacked/locked accounts, not only beginners' accounts but also Legendary members'.  In addition to the risk of brute-force hacking, there are peculiar risks in the current system and from the data breach on May 22, 2015.  The security of forum accounts has been one of the biggest issues.  Improvements to security, e.g. requiring email verification for changing password/email, introduction of 2FA, an automated account recovery system, and new forum software with stronger security, would be ideal.

Meanwhile, until these features are implemented, what we can do now is learn how the current bitcointalk system works, how to improve the security of your bitcointalk account, and also what you should do in case your account is hacked/locked.  In this thread, I tried to provide a thorough guide about these topics.  I hope it helps to reduce the number of hacked/lost accounts.

Basics

1. Bookmark https://bitcointalk.org/ and always log in from the bookmark.  Avoid bitcointalk.to, thebitcointalk.net or any other phishing site.

2. Use a new email address that you don't use for any other purpose.

3. Use a new password that you don't use for any other website, with sufficient length, using a combination of lowercase/capital letters, numbers, and special characters.

4. You could set a secret question and its answer for password reset, but most likely it increases the risk of your account being hacked/locked.  For more details, see Tips below and Change password and email / Forgot password.

5. Do not download untrusted software, and keep your device clean from malware.

6. Keep all your devices and software updated to the latest version.

7. Stake your Bitcoin address.  See Stake Bitcoin address below for more detail.  


Tips

Tips for 1: Phishing site

- You could also bookmark the link to bypass the login captcha; see Captcha bypass for more details.

- Some phishing links are automatically replaced by [phishing], but that feature has not been introduced for bitcointalk.to and thebitcointalk.net yet; see this post.

- In case you enter your login information into a phishing site, you should immediately change your bitcointalk.org password to avoid your account being hacked.

- Before clicking a link, check its true URL.  Some browsers show the URL when you mouse over the link.

- A link to a bitcointalk.org internal webpage (except anchors) will be shown in green when you mouse over it, whereas a link to an external site will remain blue.  This feature enables you to distinguish a link to a phishing site even if a hacker pretends it is an internal link.

True Bitcointalk
Fake Bitcointalk  (link to google.com)

You can recognize that the second one is the fake link as it remains blue when you mouse over it.

- Be aware of homograph attacks, although some of them are automatically replaced.

- There is a way to prevent your computer from accessing the phishing site by editing the hosts file.  For more details see this post by LoyceV.


Tips for 2: Email address

- Gmail allows you to have an alias, but in this case the original mail address is exposed, since for a gmail address [email protected] the alias will be [email protected], though you can choose any letters in "add".

- Avoid yopmail, as anyone can access a yopmail address.

- As a related tip, it is recommended to use a new or disposable email address rather than your main address for registering for bounties in the forum, in order to avoid potential data breaches or data collection by fake/scam bounties.


Tips for 3: Password

- For your password, do not use dictionary words, your birth date, pets' names, phone number, or anything which is easy for hackers to guess or falls into The Worst 25 Passwords of 2017.

- Since the password data breach occurred in 2015, if you have been around the forum since 2015 or before and have not changed your password, it is recommended to change your password.

- If you are using the autofill feature of your browser, make sure whether it checks the URL or simply fills in your passwords.  In the latter case, it is recommended to turn off autofill.  Even in the former case, the rule may change when the browser is updated, so you need to be careful.

- You can use the "Always stay logged in" option so that you do not need to enter the password every time.

- For password managers, see e.g. The Five Best Password Managers.

- See also this post by mapuche33 for further tips.


Tips for 4: Secret question

- There are several important things to know about the secret question feature.  

1) There is no email verification process, so most likely the secret question option increases the risk of your account being hacked or locked.  

2) If password reset via secret question is used, your account will be locked, and you need to follow the Unlock your account process.  If the account is under your control, this feature is a drawback.  If it is hacked, you can use this feature to lock the account, but this case would be rare, as the hacker is likely to change the secret question, and you have another option to lock your account from the email notification of the email change within 14 days.

3) You can remove the secret question and answer.  For reference, see this post by SFR10.


Tips for 5: Untrusted software

- Untrusted software includes Bitcointalk unofficial apps, whose security is not guaranteed by the forum and which in principle can steal your account password.

- You could use a virtual machine for such untrusted software or altcoin wallets.



Change password and email / Forgot password

- You can change the password either by

1) Profile page.

2) "Forgot password" link at the login page.

3) Password reset via secret question.  Note that the account will be locked.

- In the Trust page, a password change/reset by 1) or 2) is shown for 3 days, whereas a password reset by 3) is shown for 30 days.  Both are shown in security log page for 30 days.

- You can change the email from the Profile page.  Email change history is also shown in Trust.

- Once you change your password or email, an email notification will be sent to your (old) email address.


Tips

Tips for 2): How to use "Forgot password"

Click "Forgot your password?" link at the login page.  
After filling out username or email, click "send".  
You will receive the following email with the link to reset your password.  

1. I logged into my account using the "forgot password" setting. Then, a recovery link was sent to the "yopmail account", which can be used to change the password of your account.
2. After changing the password of my account, I also changed my email address and added a new security question for additional security.
3. Afterwards, I deleted all the forum's messages in the yopmail account so as to prevent the hacker from undoing my password change or locking my account.




Recovery of your hacked/lost account


If your account is hacked and the hacker changed the password and email, or you forgot the password and do not have access to the registered email address and cannot use the password reset option, or an admin locked your account because you had been inactive after the data breach in 2015, the last resort is to request the recovery of your account from the admins.  However, do not expect too much, as the recovery of accounts seems to be a low priority for the admins, and it will typically take a long time, or there is a chance you end up with no recovery.  The official announcement by theymos is given in: Recovering hacked accounts or accounts with lost passwords

1. Create a signed message using the Bitcoin address you staked to prove your ownership of the hacked account.  Example:

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
My account has been hacked/lost. Please reset the email to . The current date is .
-----BEGIN SIGNATURE-----


-----END BITCOIN SIGNED MESSAGE-----

2. Before sending the signed message to the admins, verify it yourself with Brainwallet, Blockexplorer etc.

3. Create a temporary account using an email address different from the one you want to use for the recovery of the hacked/lost account.

4. Send a PM to theymos and Cyrus including the above signed message and the link to the post where you staked your bitcoin address.


Typically it will take some time, possibly months to years, during which you could optionally try the following:

5. Create a topic in the Meta section using the temporary account.

6. Ask members to check whether your PM included all the information necessary for recovery of the account, or ask for other general advice.

7. Ask a DT member to red tag your hacked account, with a signed message as proof of your ownership.


Tips

Tips for 1: Bitcoin address

If you haven't staked your Bitcoin address in advance, you could still look for other options to prove your ownership of your account.  While it is not the best option, another option could be your address in a spreadsheet of addresses of participants of a bounty campaign (basically the hacker cannot edit it), in any past post, e.g. in marketplace or bounty threads (since the hacker can edit/delete your past posts, it can be proven to be the original post if it is unedited, or the last edit date is before the hack, or it is in a locked thread), or in your profile (the hacker can edit/delete it, so it may not be accepted without some strong support or special circumstances).  They might be regarded as proof, but the best option is to stake your address and ask another member to quote and verify it in advance.

Tips for 3: PM

The first PM is the most important one; make sure to include all the information necessary for the admin, otherwise you may lose your chance.

Tips for 5: Bump

Bumping is allowed once every 24 hours, and old bumps should be deleted.

Tips for 7: Red trust

A red tag with comments by DT clarifies that the account is hacked, prevents the hacker from fully exploiting your account for e.g. participating in bounty campaigns, scamming in the marketplace, or selling the account, and reduces the possibility of other members being scammed by the hacker.  Once your account is back under your control, you will need to ask the DT to remove the tag with a signed message notifying them of the recovery of your account.




Recent successful cases of recovery


Among many accounts waiting for recovery for a long time, there are several lucky guys who succeeded in recovering their hacked/lost accounts.  While these real stories provide us with important lessons, things do not always go like these examples and the situation has been changing, so do not expect too much if you are in the same situation.


Account: LTU_btc Hero

Thread: Hacked account recovery. Cyrus, please help November 17, 2017

LTU_btc noticed the account was hacked from the email notification for the change of password and/or email, and soon after that he/she locked the account using the link in the email.  He/She created the temporary account LTU_btc/2, and sent a PM to Cyrus with a signed message from the bitcoin address staked the other day.  Fortunately the process went very smoothly in this case, and he/she recovered the account in only a few days.


Account: Shazam!!! Full Member

Thread: Need help with Unlock---Please December 12, 2017

Shazam!!! had been inactive for years after the password hashes were leaked in 2015.  Such accounts were locked automatically because of the high risk of being hacked.  When he/she tried to log in at the end of 2017, he/she noticed that the account was locked.  He/She sent a PM to Cyrus from his/her temporary account !!!Shazam!!! with a signed message.  However, he/she had not staked the address in Tomatocage's thread.  Fortunately, Vod and minifrij helped to find out that the address was posted in several bounty threads in 2015.  Strictly speaking, if the account was hacked, the hacker can edit/delete all previous posts, so an address without quotation by another member is a weaker proof of ownership.  However, in this case it was simply a locked account without being hacked, and the posts were unedited as well, which is sufficient proof.  hilariousandco also helped him/her and sent a PM to theymos and Cyrus.  Within the same day as the topic was opened, the account was successfully unlocked.  After the unlock, Shazam!!! immediately staked the address in the staking thread.


Account: premium_domainer Legendary

Thread: Account Regained with the help of Loyce. Thank you all January 10, 2018

This case is a bit tricky.  BitcoinBazaar.net is a temporary account created for the recovery of the original account premium_domainer, which was claimed to be hacked, but later it was claimed that the account had been bought, while from the thread it is not clear how it was bought.  The owner did not stake his/her address, which is why LoyceV made a lot of effort to confirm the ownership.  LoyceV opened a thread to ask how to help out BitcoinBazaar.net and resolved the bug of an incomplete private key for a blockchain.info read-only address.  It attracted the attention of DT and the hacked account was red tagged.  Still, the account had not been regained, and BitcoinBazaar.net continued to bump the thread.  6 months after the OP, the buyer finally asked for $200 to give the account back.  He/She posted a password in the thread, claiming that if the password and email were changed and the $200 was not paid, the account would be locked.  As you can see, this approach has a loophole, since an admin can unlock the account.  Presumably the buyer noticed it and deleted the post.  However, LoyceV noticed the post before it was deleted, and immediately took the account.  Later, LoyceV gave the account back to BitcoinBazaar.net.


Account: Swenna Full Member

Thread: Hacked and Changed Email addresses Account using Yopmail accounts July 15, 2018
(See also peter0425's post who independently discovered the method.)

As already mentioned above, this thread tells us how to regain your account by yourself if the hacker uses yopmail.  Recently several accounts have been hacked by the same IP address using yopmail as the new address.  Yopmail is a disposable email address service which does not require login.  It means that you can also access the hacker's yopmail account and change the registered email back to your email following this method:

1. I logged into my account using the "forgot password" setting. Then, a recovery link was sent to the "yopmail account", which can be used to change the password of your account.
2. After changing the password of my account, I also changed my email address and added a new security question for additional security.
3. Afterwards, I deleted all the forum's messages in the yopmail account so as to prevent the hacker from undoing my password change or locking my account.
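The guide's "Tips for 1: Phishing site" and LoyceV's reply both rely on eyeballing a link (green vs. blue on mouse-over) to tell bitcointalk.org apart from look-alike and homograph domains. The following is an added example, not code from the thread or from the forum, that does the same check programmatically: it decodes punycode hostnames, maps a small constructed table of Cyrillic/Greek confusables back to Latin, and flags the two phishing domains the OP names. The confusables table is deliberately partial; a real deployment would use the full Unicode confusables list.

```python
import unicodedata
from urllib.parse import urlsplit

REAL_HOST = "bitcointalk.org"
# The two phishing domains named in the guide (constructed set; extend as needed).
KNOWN_PHISHING = {"bitcointalk.to", "thebitcointalk.net"}
# Partial confusables table (constructed): non-Latin letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i", "\u0441": "c",
    "\u043a": "k", "\u0442": "t", "\u0440": "p", "\u0445": "x", "\u043d": "h",
    "\u03bf": "o", "\u03b1": "a",
})


def unicode_host(url: str) -> str:
    """Return the hostname in Unicode form, decoding punycode (xn--) labels."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if host.isascii():
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host
    return host


def skeleton(host: str) -> str:
    """Collapse known confusables onto ASCII so a look-alike matches its target."""
    return unicodedata.normalize("NFKC", host).translate(CONFUSABLES)


def classify_link(url: str) -> str:
    """Classify a link the way a reader should: internal, known phishing, homograph or external."""
    host = unicode_host(url)
    if host == REAL_HOST:
        return "internal"
    if host in KNOWN_PHISHING:
        return "known-phishing"
    if not host.isascii():
        # Name the scripts involved so the warning explains *why* the host looks wrong.
        scripts = sorted({unicodedata.name(c, "?").split()[0] for c in host if not c.isascii()})
        if skeleton(host) == REAL_HOST:
            return "homograph of %s (%s letters)" % (REAL_HOST, "/".join(scripts))
        return "external (non-ASCII host: %s)" % "/".join(scripts)
    return "external"


if __name__ == "__main__":
    for u in ("https://bitcointalk.org/index.php?topic=1", "https://www.google.com/",
              "https://bitcointalk.to/", "https://bitc\u043eintalk.org/"):
        print(u, "->", classify_link(u))
```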

