Topic: Major Flaw in Security (Read 5424 times)

legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
February 24, 2015, 09:16:10 AM
#51
Bump.
legendary
Activity: 2674
Merit: 2970
Terminated.
December 27, 2014, 12:47:15 PM
#50
How about the option of 3-factor?  Cheesy. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
Why not? The more the better if you ask me.

I actually agree. More would make me feel more secure but it could also lead to more problems. People will likely complain if they lose access to their 2-factor and then pester theymos to remove them which if he does it's not very secure and if he doesn't then their accounts are screwed. Always going to be a catch 22.
That's their problem and theymos shouldn't do anything about it. I have even registered on a few sites which state that password recovery is not possible, even if you contact support.
Every single member is obligated to know their password/or in this instance their 2/3-factor.
global moderator
Activity: 4018
Merit: 2728
Join the world-leading crypto sportsbook NOW!
December 27, 2014, 10:39:49 AM
#49
How about the option of 3-factor?  Cheesy. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
Why not? The more the better if you ask me.

I actually agree. More would make me feel more secure but it could also lead to more problems. People will likely complain if they lose access to their 2-factor and then pester theymos to remove them which if he does it's not very secure and if he doesn't then their accounts are screwed. Always going to be a catch 22.
legendary
Activity: 2674
Merit: 2970
Terminated.
December 27, 2014, 10:25:36 AM
#48
How about the option of 3-factor?  Cheesy. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
Why not? The more the better if you ask me.
Google auth isn't a risk at all if used correctly. Why not buy a smartphone from a Chinese manufacturer (very cheap) and use it only for auth? Your device won't get hacked I'm sure.
hero member
Activity: 560
Merit: 500
December 27, 2014, 08:39:32 AM
#47
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
Contact the support and get your account back. Authy binds the 2FA to your phone number. You would need to reset the phone using your email and key in your password and you would gain access to your 2FAs. It isn't hard to get a new SIM card for your phone number. This kind of 2FA can be a bit dangerous compared to Google Authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos doesn't want it (or am I wrong?).
Well I'm not pretty sure about him wanting to add the 2-factor, but I think it's included in the upcoming forum upgrade. He would have to redesign the login page to include two-factor and make modifications to the database to include 2FA, as the SMF for this version didn't include 2FA. Please correct me if I'm wrong.

Problem solved: https://bitcointalksearch.org/topic/m.7733979 It takes only a few changes and it is ready for the bitcointalk forum.

The problem is that addons can always be a potential security risk. But it's great and I hope the bounty of Stunna gets fulfilled soon Wink
legendary
Activity: 1778
Merit: 1043
#Free market
December 27, 2014, 08:23:57 AM
#46
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
Contact the support and get your account back. Authy binds the 2FA to your phone number. You would need to reset the phone using your email and key in your password and you would gain access to your 2FAs. It isn't hard to get a new SIM card for your phone number. This kind of 2FA can be a bit dangerous compared to Google Authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos doesn't want it (or am I wrong?).
Well I'm not pretty sure about him wanting to add the 2-factor, but I think it's included in the upcoming forum upgrade. He would have to redesign the login page to include two-factor and make modifications to the database to include 2FA, as the SMF for this version didn't include 2FA. Please correct me if I'm wrong.

Problem solved: https://bitcointalksearch.org/topic/m.7733979 It takes only a few changes and it is ready for the bitcointalk forum.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
December 27, 2014, 08:19:28 AM
#45
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
Contact the support and get your account back. Authy binds the 2FA to your phone number. You would need to reset the phone using your email and key in your password and you would gain access to your 2FAs. It isn't hard to get a new SIM card for your phone number. This kind of 2FA can be a bit dangerous compared to Google Authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos doesn't want it (or am I wrong?).
Well I'm not pretty sure about him wanting to add the 2-factor, but I think it's included in the upcoming forum upgrade. He would have to redesign the login page to include two-factor and make modifications to the database to include 2FA, as the SMF for this version didn't include 2FA. Please correct me if I'm wrong.
legendary
Activity: 1778
Merit: 1043
#Free market
December 27, 2014, 08:08:22 AM
#44
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
Contact the support and get your account back. Authy binds the 2FA to your phone number. You would need to reset the phone using your email and key in your password and you would gain access to your 2FAs. It isn't hard to get a new SIM card for your phone number. This kind of 2FA can be a bit dangerous compared to Google Authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos doesn't want it (or am I wrong?).
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
December 27, 2014, 08:03:11 AM
#43
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
Contact the support and get your account back. Authy binds the 2FA to your phone number. You would need to reset the phone using your email and key in your password and you would gain access to your 2FAs. It isn't hard to get a new SIM card for your phone number. This kind of 2FA can be a bit dangerous compared to Google Authenticator.
hero member
Activity: 560
Merit: 500
December 27, 2014, 07:47:49 AM
#42
How about the option of 3-factor?  Cheesy. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?

The Google Authenticator keys are stored on your device, not on a Google server. This means that a potential hacker needs access and control of your device. So pay attention while browsing, downloading etc. anything with your mobile phone.
global moderator
Activity: 4018
Merit: 2728
Join the world-leading crypto sportsbook NOW!
December 27, 2014, 07:46:37 AM
#41
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
copper member
Activity: 2996
Merit: 2374
December 27, 2014, 07:42:06 AM
#40
How about the option of 3-factor?  Cheesy. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
No. Google auth has nothing to do with email. You are given a QR code to scan, and anyone that has access to the QR code can display the 6-digit code you enter that proves you controlled the account at the time it was set up. It is similar to signing a message.
global moderator
Activity: 4018
Merit: 2728
Join the world-leading crypto sportsbook NOW!
December 27, 2014, 07:33:50 AM
#39
How about the option of 3-factor?  Cheesy. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
copper member
Activity: 2996
Merit: 2374
December 27, 2014, 07:24:55 AM
#38
I think 2fa in general would be beneficial. But I don't think email is the right way to do it. Maybe Google Authenticator would be a better solution.
legendary
Activity: 1778
Merit: 1043
#Free market
December 27, 2014, 07:22:19 AM
#37
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address [email protected]

I obviously am not going to buy the account; however, if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you: a) buy an email account, b) set up an account with an email that you've bought?

Recovering via email increases security by a huge factor, especially if your account is protected by an uncrackable password/encrypted. Waiting a year for this feature is way too much.

Yes, you're right. It is also possible to use the 2FA, and it will add a major level of security to the email address.
copper member
Activity: 2996
Merit: 2374
December 27, 2014, 07:19:35 AM
#36
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address [email protected]

I obviously am not going to buy the account; however, if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you: a) buy an email account, b) set up an account with an email that you've bought?

Recovering via email increases security by a huge factor, especially if your account is protected by an uncrackable password/encrypted. Waiting a year for this feature is way too much.
Someone could potentially want a vanity email address that matches their bitcointalk username (he could register the username on the major email providers: gmail, yahoo, outlook, etc.). I agree that this would be horrible security, but then again a lot of people here are pretty clueless about security.
legendary
Activity: 2674
Merit: 2970
Terminated.
December 27, 2014, 07:17:28 AM
#35
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address [email protected]

I obviously am not going to buy the account; however, if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you: a) buy an email account, b) set up an account with an email that you've bought?

Recovering via email increases security by a huge factor, especially if your account is protected by an uncrackable password/encrypted. Waiting a year for this feature is way too much.
copper member
Activity: 2996
Merit: 2374
December 27, 2014, 07:01:06 AM
#34
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address [email protected]

I obviously am not going to buy the account; however, if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.

First of all, I would have completely lost access to this account in the past had it not been for this feature. Disregarding that, what you describe sounds like a fairly uncommon method of account theft. I think it is safe to say that most accounts are stolen when the password is compromised, not the email, and requiring email confirmation for password/email changes would result in a net positive effect on account security, not a negative one.
Email accounts are easier to compromise than forum accounts. Maybe it is uncommon, maybe not, IDK.

I do think the rule that an email address can only be associated with one account should be lifted. If someone were to try to hack accounts via this method then they could attempt to change their email to a number of email addresses they think they can hack, and when they get an error saying that email is associated with another account they know they can try to hack it.
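Two points from the last few posts can be addressed in one design: the "email already associated with another account" error is an account-enumeration oracle, and (as the earlier reply argued) an email change should itself require confirmation. The following is an added example, not forum code and not how SMF implements this; it is a constructed in-memory model with hypothetical class and method names. The "leaky" handler shows the behaviour the post describes; the "hardened" one returns the same reply whether or not the address is taken, defers the change until a token mailed to the new address is confirmed, stores only a hash of that token, and notifies the old address so the real owner sees a hijack attempt.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# The one reply the hardened flow ever gives, so the response cannot distinguish
# "address free" from "address belongs to someone else".
NEUTRAL_REPLY = "If that address can be used, a confirmation link has been sent to it."
TOKEN_TTL_SECONDS = 3600


@dataclass
class Account:
    username: str
    email: str
    pending_email: Optional[str] = None
    pending_token_hash: Optional[str] = None
    pending_expires: float = 0.0


class Forum:
    """Constructed stand-in for the user table plus an outbox instead of real SMTP."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []  # (recipient, subject/body)

    def register(self, username: str, email: str) -> None:
        self.accounts[username] = Account(username, email.lower())

    def _email_in_use(self, email: str) -> bool:
        return any(a.email == email.lower() for a in self.accounts.values())

    def change_email_leaky(self, username: str, new_email: str) -> str:
        """'Before': the one-account-per-email rule surfaces in the response text."""
        if self._email_in_use(new_email):
            return "Error: that email address is already associated with another account."
        self.accounts[username].email = new_email.lower()
        return "Email address updated."

    def change_email_hardened(self, username: str, new_email: str,
                              now: Optional[float] = None) -> str:
        """'After': uniform reply; the change only lands once the new address confirms."""
        now = time.time() if now is None else now
        acct = self.accounts[username]
        target = new_email.lower()
        if self._email_in_use(target):
            # Inform the holder of that mailbox, never the requester.
            self.outbox.append((target, "Someone tried to attach this address to another account"))
        else:
            token = secrets.token_urlsafe(32)
            acct.pending_email = target
            acct.pending_token_hash = hashlib.sha256(token.encode()).hexdigest()
            acct.pending_expires = now + TOKEN_TTL_SECONDS
            self.outbox.append((target, f"Confirm your new address: token={token}"))
        # The current mailbox is always told, so an attempted hijack is visible.
        self.outbox.append((acct.email, "An email change was requested on your account"))
        return NEUTRAL_REPLY

    def confirm_email(self, username: str, token: str,
                      now: Optional[float] = None) -> bool:
        """Complete the change if the presented token matches and has not expired."""
        now = time.time() if now is None else now
        acct = self.accounts[username]
        if not acct.pending_token_hash or now > acct.pending_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.pending_token_hash):
            return False
        if self._email_in_use(acct.pending_email):  # taken since the request was made
            return False
        acct.email = acct.pending_email
        acct.pending_email = acct.pending_token_hash = None
        return True


if __name__ == "__main__":
    f = Forum()
    f.register("alice", "alice@example.invalid")
    f.register("bob", "bob@example.invalid")
    print("leaky, taken:", f.change_email_leaky("alice", "bob@example.invalid"))
    print("hardened, taken:", f.change_email_hardened("alice", "bob@example.invalid"))
    print("hardened, free: ", f.change_email_hardened("alice", "carol@example.invalid"))
```

Lifting the uniqueness rule, as the post suggests, is one fix; keeping it but moving the check behind a confirmation step, as above, preserves the rule without turning the form into an oracle.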
hero member
Activity: 908
Merit: 657
December 27, 2014, 06:53:55 AM
#33
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address [email protected]

I obviously am not going to buy the account; however, if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.

First of all, I would have completely lost access to this account in the past had it not been for this feature. Disregarding that, what you describe sounds like a fairly uncommon method of account theft. I think it is safe to say that most accounts are stolen when the password is compromised, not the email, and requiring email confirmation for password/email changes would result in a net positive effect on account security, not a negative one.
copper member
Activity: 2996
Merit: 2374
December 27, 2014, 06:37:04 AM
#32
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address [email protected]

I obviously am not going to buy the account; however, if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.