|| Problem on losing/hack of accounts

lulucrypto

sr. member

Activity: 709

Merit: 336

You need someone to develop your Web project ?

Quote from: coupable on November 30, 2019, 06:13:24 PM

Quote from: lulucrypto on November 30, 2019, 06:01:25 PM

Oh, as much for me, I did not know about that.

So, if I understand ( Following the presentation of Theymos ), the process does not seem automated ?
In case of problem, we have to manually contact Theymos to trigger the process of restoration of the old ?

I am wrong ?

No it's not automatic and all steps are supposed to be made manually. There is a dedicated team called "Cryptios" who is working on this with Cyrius [stuff] . Contact with them can be made using emails, they also have forum profiles but i doubt if they accept change request through forum pms.

Okay, it's a shame that the process is not automated, it would not be very difficult to develop a script to automate the whole process.

After, I say that it allows to keep some control over the process, thus appearing a gain of additional security.

coupable

hero member

Activity: 2338

Merit: 757

Quote from: lulucrypto on November 30, 2019, 06:01:25 PM

Oh, as much for me, I did not know about that.

So, if I understand ( Following the presentation of Theymos ), the process does not seem automated ?
In case of problem, we have to manually contact Theymos to trigger the process of restoration of the old ?

I am wrong ?

No it's not automatic and all steps are supposed to be made manually. There is a dedicated team called "Cryptios" who is working on this with Cyrius [stuff] . Contact with them can be made using emails, they also have forum profiles but i doubt if they accept change request through forum pms.

lulucrypto

sr. member

Activity: 709

Merit: 336

You need someone to develop your Web project ?

Quote from: coupable on November 30, 2019, 02:19:12 PM

@Lulucrypto "Ownership change for accounts" works in the way you described. So it's possible to change the email if have no access to the original one, and cancel the change process using the original email if the account is compromised.

Quote from: theymos on December 13, 2018, 11:41:28 PM

As an extra protection against any possible social engineering attacks, whenever^* the administration changes an account's email address from its current value, the following process occurs:
- The change is queued.
- It is listed in seclog.php.
- The old email receives a warning.
- After 7 days, the change goes through and another seclog.php entry is added.

The account stays locked throughout all of this.

Hopefully it will be essentially unheard of, but if an account is going to be incorrectly transferred, everyone who knows about the incorrect change should noisily post all of the evidence they have so that we can at least put the change on hold and re-review the evidence.

^{* Admins can act outside of procedure and bypass the queue if necessary, but hardly ever will.}

This system has been implemented since about a year. Not so different from the old one except about displaying data in Seclog and if your account is hacked you had 14 days to lock it through original email.

Oh, as much for me, I did not know about that.

So, if I understand ( Following the presentation of Theymos ), the process does not seem automated ?
In case of problem, we have to manually contact Theymos to trigger the process of restoration of the old ?

I am wrong ?

coupable

hero member

Activity: 2338

Merit: 757

Quote from: JeromeTash on November 30, 2019, 05:10:37 PM

The email address change without authorization through the original email should be based on IP logs.

If sudden a request for an email address change was made from an unfamiliar IP address, the system would then be automatically triggered to ask the user to first authorized the email address change through a link from the original email address.

This means that if i loose access to my original email i will not be able to change it. The message sent to the original email shouldn't be for ownership change confirmation but only to cancel the change if the change is made by a hacker.
IP logs can be used to prevent hack attempts but i don't think there isn't an urgent need for it, as the actul system is working good.

JeromeTash

legendary

Activity: 2338

Merit: 1261

Heisenberg

I also observed the same thing when my account go hacked back in mid 2018. The person just easily changes you email address so long as they know your accounts password.

I think to avoid the problem of locking out someone from their account in case they genuinely wanted to change their email address. The email address change without authorization through the original email should be based on IP logs.

If sudden a request for an email address change was made from an unfamiliar IP address, the system would then be automatically triggered to ask the user to first authorized the email address change through a link from the original email address.

Danydee

legendary

Activity: 2576

Merit: 1248

Quote from: bittraffic on November 30, 2019, 03:12:15 PM

Quote from: Gyfts on November 29, 2019, 09:32:03 PM

Quote from: Danydee on November 29, 2019, 09:13:34 PM

This can easily be palied by setting a (confirmation demand) from the existing email address, or even for emails accounts that can not longer riched/on troubles on email receiving, setting a minimum time delay before changing to the new email address.

I imagine one of the main reasons people would change the email associated with their account would be that they don't have access to the original account which would mean this method wouldn't work.

And this I guess the reason why posting BTC address and signing message is important for the users here. However we can also see how slow the recovering of hacked accounts. For now the only solution is to just remember your password and the address you have posted here in the forum where you can sign message, afaik ETH address right now is acceptable when you sign message.

(Optional) Automatic signing message verification could be great F2A option!
Imagine 'Bitcointalk' the first to do the thing Shocked

bittraffic

hero member

Activity: 3038

Merit: 617

Quote from: Gyfts on November 29, 2019, 09:32:03 PM

Quote from: Danydee on November 29, 2019, 09:13:34 PM

This can easily be palied by setting a (confirmation demand) from the existing email address, or even for emails accounts that can not longer riched/on troubles on email receiving, setting a minimum time delay before changing to the new email address.

I imagine one of the main reasons people would change the email associated with their account would be that they don't have access to the original account which would mean this method wouldn't work.

And this I guess the reason why posting BTC address and signing message is important for the users here. However we can also see how slow the recovering of hacked accounts. For now the only solution is to just remember your password and the address you have posted here in the forum where you can sign message, afaik ETH address right now is acceptable when you sign message.

coupable

hero member

Activity: 2338

Merit: 757

@Lulucrypto "Ownership change for accounts" works in the way you described. So it's possible to change the email if have no access to the original one, and cancel the change process using the original email if the account is compromised.

Quote from: theymos on December 13, 2018, 11:41:28 PM

As an extra protection against any possible social engineering attacks, whenever^* the administration changes an account's email address from its current value, the following process occurs:
- The change is queued.
- It is listed in seclog.php.
- The old email receives a warning.
- After 7 days, the change goes through and another seclog.php entry is added.

The account stays locked throughout all of this.

Hopefully it will be essentially unheard of, but if an account is going to be incorrectly transferred, everyone who knows about the incorrect change should noisily post all of the evidence they have so that we can at least put the change on hold and re-review the evidence.

^{* Admins can act outside of procedure and bypass the queue if necessary, but hardly ever will.}

This system has been implemented since about a year. Not so different from the old one except about displaying data in Seclog and if your account is hacked you had 14 days to lock it through original email.

Danydee

legendary

Activity: 2576

Merit: 1248

A month, or may more. Whatever it's more longer, it can be not enough

lulucrypto

sr. member

Activity: 709

Merit: 336

You need someone to develop your Web project ?

Quote from: Gyfts on November 29, 2019, 09:32:03 PM

I imagine one of the main reasons people would change the email associated with their account would be that they don't have access to the original account which would mean this method wouldn't work.

As @Gyfts says I also think it's for those who lose access to their email, that the system works this way.

One solution would be to have some kind of retraction time ( A week ? A month ? ).
For this solution to work, it would be necessary first to send an email alert on the old email, and in the email, it would include a link to cancel the change of email.

It would not be very complicated to develop, and it will add real security in addition to the forum I think

Danydee

legendary

Activity: 2576

Merit: 1248

Quote from: Blacknavy on November 29, 2019, 11:22:38 PM

Quote from: jackg on November 29, 2019, 09:42:01 PM

I thought there was a cooling off period for email changes? Like 7 days or something already?

So you could lock an account if the email/password were changed.

Yes, it should be 14 days.

I think in the minimum, Regarding the stats of login, (Device, IP, if the account just woke up ...).

Quote from: SFR10 on November 30, 2019, 12:19:52 AM

Quote from: Danydee on November 29, 2019, 09:13:34 PM

This can easily be palied by setting a (confirmation demand) from the existing email address, or even for emails accounts that can not longer riched/on troubles on email receiving, setting a minimum time delay before changing to the new email address.

"Gyfts" made a great point + 2FA ^{[with an authenticator app]} would be a better ^{[has its own pros and cons]} option and it's listed under "Planned Features" for our new forum.

May use PGP, or maybe just signing a btc address, asking for signing a message auto-generated from an address, no need for APP, just access to the address ..

SFR10

legendary

Activity: 2968

Merit: 3406

Crypto Swap Exchange

Quote from: Danydee on November 29, 2019, 09:13:34 PM

This can easily be palied by setting a (confirmation demand) from the existing email address, or even for emails accounts that can not longer riched/on troubles on email receiving, setting a minimum time delay before changing to the new email address.

"Gyfts" made a great point + 2FA ^{[with an authenticator app]} would be a better ^{[has its own pros and cons]} option and it's listed under "Planned Features" for our new forum.

Blacknavy

legendary

Activity: 1218

Merit: 1291

Quote from: jackg on November 29, 2019, 09:42:01 PM

I thought there was a cooling off period for email changes? Like 7 days or something already?

So you could lock an account if the email/password were changed.

Yes, it should be 14 days.

jackg

copper member

Activity: 2856

Merit: 3071

https://bit.ly/387FXHi lightning theory

I thought there was a cooling off period for email changes? Like 7 days or something already?

So you could lock an account if the email/password were changed.

Gyfts

legendary

Activity: 2828

Merit: 1515

Quote from: Danydee on November 29, 2019, 09:13:34 PM

This can easily be palied by setting a (confirmation demand) from the existing email address, or even for emails accounts that can not longer riched/on troubles on email receiving, setting a minimum time delay before changing to the new email address.

I imagine one of the main reasons people would change the email associated with their account would be that they don't have access to the original account which would mean this method wouldn't work.

Danydee

legendary

Activity: 2576

Merit: 1248

Just accessing the acount you can freely change the email address linked to (when knowing the password). So that's make a situation where every Hacker if gets the password can easily and systematically appropriate the account. That's increase sinificatlly the number of hacked accounts and make the process of recovering it pretty hard.

This can easily be palied by setting a (confirmation demand) from the existing email address, or even for emails accounts that can not longer riched/on troubles on email receiving, setting a minimum time delay before changing to the new email address.

Topic: || Problem on losing/hack of accounts (Read 263 times)