Proposal: E-mail change should require e-mail confirmation for added security

FeedbackLoop

hero member

Activity: 742

Merit: 500

Quote from: tysat on September 12, 2013, 02:55:17 PM

Quote from: HeroC on September 12, 2013, 02:20:22 PM

It is a good idea in theory, but what if you no longer have access to the email? Like lavabit shutting down, you cannot access the email to confirm that you want to change your email. Wink

You deal with the admin, I don't think it's something that will happen very often.

I lost one email address once because their whole database got compromised and they decided, for the sake of their users (...), to reset all passwords and the only way they cared to send a new password was to "the secondary email" which I did not have defined. They seemed like a perfectly fine service until that very occasion.

tysat

legendary

Activity: 966

Merit: 1004

Keep it real

Quote from: HeroC on September 12, 2013, 02:20:22 PM

It is a good idea in theory, but what if you no longer have access to the email? Like lavabit shutting down, you cannot access the email to confirm that you want to change your email. Wink

You deal with the admin, I don't think it's something that will happen very often.

HeroC

legendary

Activity: 858

Merit: 1000

It is a good idea in theory, but what if you no longer have access to the email? Like lavabit shutting down, you cannot access the email to confirm that you want to change your email. Wink

qwk

donator

Activity: 3542

Merit: 3413

Shitcoin Minimalist

Quote from: tysat on September 10, 2013, 06:15:50 PM

Then it sounds like you f'ed up, email account recovery is fairly standard.

I once lost control of an email address because I forgot about it and cancelled the domain registration. Account recovery under those circumstances is near impossible. And worse, the new domain owner could easily steal your identity. Not that that happened a lot...

tysat

legendary

Activity: 966

Merit: 1004

Keep it real

Quote from: Peter Lambert on September 10, 2013, 01:32:38 PM

This assumes that you still have control of your old email address. What happens if you no longer have access to that email?

Then it sounds like you f'ed up, email account recovery is fairly standard.

Quote from: cbhelp on September 10, 2013, 05:40:24 PM

What?

The chances are better than they are worse, actually.

Solid idea!

qwk

donator

Activity: 3542

Merit: 3413

Shitcoin Minimalist

You just gave me an idea:
https://bitcointalksearch.org/topic/suggestion-bitcoin-address-as-added-security-feature-for-accounts-292074

cbhelp

newbie

Activity: 56

Merit: 0

What?

The chances are better than they are worse, actually.

Boxman90

hero member

Activity: 518

Merit: 500

The chances of both your e-mail address and bitcointalk account being compromized at the same time, are very small, I'd say.

Peter Lambert

hero member

Activity: 756

Merit: 500

It's all fun and games until somebody loses an eye

This assumes that you still have control of your old email address. What happens if you no longer have access to that email?

Boxman90

hero member

Activity: 518

Merit: 500

~~I disagree~~

This message was posted by the one who took over my account, who, surprisingly, gave it back to me. Sort of thank you, I guess?

Boxman91

newbie

Activity: 9

Merit: 0

Great to see people agree. I hope it's not too much of a PITA to implement such measures.

~~Now, not trying to be selfish, but would a mod help me out get Boxman90 back to my control, and/or tell me the procedure for this via PM as to not derail this thread? :p~~
Mod Note: Message sent. -Maged

tysat

legendary

Activity: 966

Merit: 1004

Keep it real

Would probably save a lot of time for everyone, good idea!

BadBear

legendary

Activity: 1652

Merit: 1128

That would be better, at the least it would give people a heads up that there is activity unknown to them, and would save admins time.

b!z

legendary

Activity: 1582

Merit: 1010

I agree with this. If you are logged into someone's account, you can change the email, and password too easily. There should be confirmation or some sort of verification.

Boxman91

newbie

Activity: 9

Merit: 0

As it stands, the e-mail address of a user can be changed with only the password of the account. This gives phishers an edge: when they get your password, they can take over the entire account.

I propose that attempting to change the e-mail address of an account should yield a confirmation e-mail to the original e-mail address, which has to be confirmed by the actual owner. This way, phishers get much less of a chance to take over the account because they would then need control over both the bitcointalk.org account, and the victims e-mail account.

With such e-mail confirmation, the owner can always recover their account.

I became victim of phishing and with no notice, the perpetrator used just my password to change my password and e-mail address, rendering me powerless to get my account back without intervention from theymos.

Topic: Proposal: E-mail change should require e-mail confirmation for added security (Read 1035 times)