Topic: Why is this system not set up for the Bitcointalk forum? (Read 562 times)

Because if there is an email about confirming the OTP code, the hacker will know that the email was used to register for bitcointalk. It's possible to delete OPT confirmation emails, but most people forget to do that. Without an OTP code, no one knows if the email was used to register with bitcointalk. You don't need to worry if your email is hacked, there is no proof that your email has a connection to bitcointalk

I think it’s important to leave the settings to the user’s preferred level of privacy and security. There’s good and bad in this, but overall I think the good sides lead.

• I can create an account using a disposable e-mail address.
• I can own and use my account from anywhere without having to use or have mandatory 2FA.
• I can use the typical login page or I can remember and write down the ccode page and use that one to avoid Google’s captchas
• I don’t need a phone to use the forum. Some countries still have a very negative view on Bitcoin and try to oppress its use and users. How do you enter Bitcointalk then if you’re scared the government might find out?
• Since you can use disposable e-mail addresses to create a Bitcointalk account (I think you can even create one by introducing a fake address in there) and you can enter even using Tor, should you want to be private you’re given that choice.

And more.

The least third parties you use, the better if you want privacy. If you don’t care, of course you can use your primary e-mail and even set your phone number as the answer to the secret questions too. But the important word here is choice. You get to choose if you want an IP retention limit and nothing’s mandatory, unlike other websites.

If I wanted to have privacy on about any website, I’d have to think how to create an anonymous e-mail address (you can’t even have a disposable one because you’ll need to confirm e-mail address every login), how to get a disposable phone number to register and eventually how to access the website without having my IP registered on there. It’s tough and it only shows how much theymos cares.

I guess now I should argue why it’s the good leading in theymos’s choice of running the forum like this: we’ve all noticed that introducing limits and mandatory settings typically leads to only more restrictions and mandatory settings. By leaving it to our choice, this is avoided. We’re fortunately on a website where user’s opinion and word counts and isn’t rejected and kicked out because the other users have other ideologies and politics. Although it’s Bitcointalk, there have been users before who hate Bitcoin and publicly showed this, but they never got kicked out by the administration. This freedom can only work as long as the mind leading this forum is okay with giving users their freedom of speech and choice.

Afaik, this forum does not use google to take advantage of its commercial side, such as ad space.
After all, crypto-related sits are almost entirely using google analytics tools, so I honestly have no idea how to avoid them all even if captcha verification is removed on this forum only.

The primary focus of the forum is to be private and anonymous. All those mentioned by you are good suggestion! There is only one problem, in one way or another they compromise the privacy and anonymity aspect of an user. I was against the use of Google CAPTCHA for logging in as it is a privacy issue.  The responsibility to keep the account secure should be owned by the user and not the forum. As you said it is not that easy to rank up in the forum. If a user knows it then why not take the same responsibility of keeping the account secure. That is what we have been preaching from the day someone buys Bitcoin. Therefore the same principle applies here too.

Don't you think there's more to this than just hackers hacking and selling at a low price? What if a user decides to leave the forum and sells his or her account? Can't that happen as well? Because the forum makes it simple to create a new account, a user whose account has been hacked can simply create a new one and notify the moderators that his account has been hijacked and the hacker is now using it.

If I'm not mistaken, I once saw a post from a user stating that his account had been hacked and that a new user was already in control of it and utilizing it in the forum. A compromised account, in my opinion, can easily reported to the forum and maybe not all sold accounts are actually sold by hackers.


I'm just imagining it, but won't it make it more difficult for people to join the forum or even boost their security when changing passwords by email?

The forum is open for everyone and in as much as they are strict on their rules the forum also give a free chance for people to access it freely, despite anything, to enable everyone have full access to their account in order to promote the wide spread of bitcoin and its adoption. From my point of view, this was remove to enable people ease stress to get back their account, in other way round it should be something that would had required OTP at least people wouldn't have lost their account or having that chance to sell account in this forum.

Nevertheless, there are people who are old enough for them not to be seating like you and I to operate in this forum or possibly had gain other work that occupies their attention they may decides to sell their account to other people, but looking down to it, is not something that we should encourage over the forum because those people buying it might likely used it for evil or scam. That is why any account that changes hands are likely to be tag and if they found unusual activity or spam such account is at risk of getting penalized for their evil deed. 

2FA is in many cases not a low maintenance option. It's not a swiss knife solution if you're sloppy with other good practices for security. 2FA is often done with apps on mobile phones. People loose them or have them stolen. They forget to safely store their 2FA initial details offline. They forget or aren't able to migrate 2FA data to a new shiny mobile device. You can continue this nearly ad infinitum.
If 2FA needs to be reset, that's not too easy to do safely and with low support.

It has already been said that every user can protect its account by signing a Bitcoin message and posting it here at the appropriate places.


Some simple rules for account security (by no means a complete list):

• use a separate email address for account registration which you don't use for everyday communication
• use 2FA for above email address
• use a long and complex random password, never reuse a password for multiple accounts; (this implies the use of a safe and reputed password manager; take the safety of your password vault very seriously, obviously you should have a long, strong and unguessable vault main password)
• don't click on links that beg you for it without ever checking where it will take you
• be careful which browser extension you activate, especially when those extension ask for extensive rights in your browser
• don't let greed cloud your brain and actually use your brain wisely; it's there for a purpose
• learn how to maintain good security while using your digital devices and surfing the internet

There is no ban for selling accounts on the forum. There's nothing moderators can do here, since selling accounts on the forum is not officially forbidden. But it's not welcomed. And it's already a matter of trust. If someone proves that a high-ranking account was sold, then those who are in DT1 and DT2 lists will leave negative marks that the account was sold and it's better not to do business with such. And such an account will be just a waste of money for the person who bought it.

I understand how this works, but hasn't it been too long since the implementation of the merit system to not understand which accounts reached their high rank before it was implemented? I mean, now the sale and activation, for example, of a hero account that became a hero before the merit system, will be a very noticeable event, because it will be clear that this account has not earned merits during all this time. Or, if a hero account that has recent merite is for sale, this means that the account farmer had to maintain such an account in the active phase for a long time and write something worthwhile in order to earn merits. But this is too much work, is it worth the money for which such an account can be sold? Moreover, reputation is valued on the forum, and accounts that receive regular merits become quite recognizable both in terms of writing style and topics discussed. If these characteristics suddenly change, then the suspicion will naturally arise that the owner has changed, and then other users can report this to the moderators and contribute to the ban of such an account. In general, I don’t quite understand why this is still the case, if it is quite easily to understand that the account was bought?

When this forum was created it just all talks and discussions about the development of Bitcoin, they never thought that this forum will become a promotion platform for projects through Signature, it works like a regular forum, and the members are the ones benefiting from these incentives so each member should be responsible for his account



There are already parameters on how to recover your account in case, we are not paying or sharing our earnings with the administrators in fact they are using their own money to run and maintain the site's security, so maintain your account if it's your livelihood or you have projects being promoted here.

Exactly my thought. Theymos has that ideology of freedom and decentralization. Even if the forum moderation is not decentralized, bitcoin it's is.
No one should care you submitting your emails and if possible your phone number for OTP.

Theymos do not want to deprive someone from participating in the group because they don't have an email. That is why it is even possible to use the forum and access everything even in the guest mode.

You have the responsibility of protecting your account outside the forum by being careful and inside the forum by signing a message or staking your bitcoin address.
This might not change anytime unless in the new software in anticipation.

There are cases of reported hacked accounts but i don't think they are on a regular basis, this are occassional experience and that has nothing to do with the forum being responsible, because they have already set the pace to remain private and secured but we often go beyond expectations on inviting what will harm us and get us under attack.

 
If one's account got hacked it's a different case and if the hacker now wish to sell ot to someone else then it's another serious case on itself, that selling aspect is where the forum may now come in but not when your carelessly loose control of your account for hackers


Because the forum preached privacy and it has to be from here where you get the best privacy that you could wanted to have on open platform like this.



No OTP is required at all in either of the process, since it is believed that you're the bearer of the account but whenever you wanted to change your email address or password is when you will discover the importance of using a correct email for registration, so if someone doesn't get hold of your email address, or bitcointalk forum login password, he may not acquire the account from you.

Ye, most of them make sense, but this is a very old forum who is currently working a new forum software and probably all of the mentioned features will be available there. Unfortunately there is no exact date when it will be available to use.

It's uncommon for a user to register an account with an email that does not exist, the purpose of the email is for account recovery and getting updates about the platform

This will compel us to use the strongest possible password for our account having a 2FA will not motivate us to use a strong password because we will be comfortable in thinking we have a 2FA to rely on in case there is an attempt on our account.

We already have the captcha to protect us from hackers, two things that can get your account in trouble and these are not putting the right security in your email and not using a strong password here in Bitcointalk.

If you think your account is very valuable to you then it's your initiative to put the best security in your email where hackers can get a shortcut to get access to your account, and using a strong password, I think Bitcointalk is telling us it's our business to protect our account, so the challenge is with us.

The security of your account is your own responsibility - of course there must be good security methods for you such as signing bitcoin messages and having an active email with a strong password. You can combine your account password with a strong one and take security measures as suggested. Account hacking can happen even if you have 2FA - so it won't be a 100% guarantee to be safe.

Then from that, the average sold account is not an account that was built after the merit system was introduced, but mostly old accounts that had high rank before the merit system was introduced.

It’s true selling of bitcointalk accounts is not against the forum rules and people are free to sell their accounts but the buyers of these accounts should bear in mind that they stand the risk of getting scammed by the supposed seller and even when they successfully buy an account, they could get a neutral tag or even in cases a negative tag. The whole account sales business is generally perceived as shady business.

Actually account farmers are still there, there are many places in the forum where merit earning can be done easily. In fact, it is easier for those who know and they are the ones who do account farming. But it is true that now phishing, hacking is more likely than farming.
Sometimes 2-factor authentication plays a big role in this case, and forum users can fall into phishing traps by mistake. I also think that it is not enough to blame the user here. There is an option of recovery but I think it can become a kind of hassle for the user. And since I saw in someone's post that already someone offered a script so action should be taken on this matter
The question is not that whether the forum or its database is secure or not. Nowadays, Phishing is becoming very complicated, and for this reason almost all platforms now provide 2FA authentication to protect users, which largely saves users from hacking. I hope you always maintain your own security and never fall into a phishing trap

This forum is very secure. I'm here since August, 2021 and my account hasn't been hacked. I'm even more sure that it will never get hacked if forum doesn't experience any data leak. People have to learn that they have to take care of their own security and that's why I like the freedom that this forum gives us. This also helps and prepares you to take care of your wallet and keep it more secure.

Probably, one of his account got banned and he finds out a little bit hard to earn merits and rank up his account. Probably, that made him angry enough to open a new thread and reveal his secret.
Just kidding but I'm sure there is a 51% chance that what I wrote is true

You're right with those critical issues you raised in all. Email confirmation and OTP should at least be a part of account verification process in this forum. Now that we don't have such, we should at least have a 2FA kind of security. I believe this will help reduce the numerous account hacks we often have here. Yeah, I know there's a thread one can stake one's address by signing it to facilitate quick account recovery when it's hacked but we shouldn't wait for an account to be hacked and then go through that process. It's cumbersome. Preventive measures should be better approach. I don't like the idea of "secret question" because it can be easily bridged.

When the merit system weren't implementation we barely had information of account sale or account hack because there where no stress to increase account rank. From your points you made a good suggestion of enabling 2fa I think that would increase the security aspect of the forum by reduce that rate at which people sells account.

If 2fa is included and the account is being bridge I think all security aspect has been destroyed because there's also a secret question option provided and once account is being hacked I don't have this assurance that it would be active any longer. I believe there may be solution to this to eliminate the rate at which account sales fly's over here.

It is not a matter of initiative for me.  When I registered the account I found that It was not asked for any email confirmation. And since I have a business partner in this forum, I constantly call him and ask him a lot about the forum at the end of business discussions.  And since he is an old member here, I can learn many things from him and I have heard these things from his. The story of my coming to the forum I mentioned earlier in my interview

I am not completely sure about this and I do not guarantee that all the accounts sold here are hacked accounts. But as it is difficult to rank up yourself in this forum, I have said from my thoughts that, no one will interested to sell his hard builded account. Would you agree to sell your account for cash even if someone offered you $100k? Definitely not  

i Don't know much about cryptotalk but Yobit is totally shit place including there exchange platform so I never interested in using Yobit

Some newbies might not be familiar with this simple but helpful security process. That is why I commend op for this thread. I also think that it will be difficult for hackers to successfully take full control of a hacked account if members are security conscience. If an account has been hacked the owners can immediately inform the forum, I have even seen threads of members informing the community that their accounts have been hacked. And they will be asked to sign a signature from an address. That's why it is important to attach an address to your account.

But sometimes hackers have access to inactive accounts and the users do not know about the hack. This will make these hackers successfully own the account because the owner might not complain about the hack until it is discovered after some time. So logging into an account periodically even when not in use could be helpful.

First of all, you need to know that this is not a ordinary forum, this is a bitcoin forum. Remember that bitcoin is decentralized.

Although we do have a password to access the forum, but there are many other things which you setup, it will be impossible for anyone to hack the account. For example, if you sign your bitcoin address and later if somehow your account is hacked, you can claim it back.
Secondly a hacker simply can't hack your account and start using it, as you will always come up and proof that the account belongs to you.

Signing a bitcoin message to prove the ownership of your account is a much better way than to use the email OTP's and 2fa's that are being used all over the internet.

I was also frustrated to see a newbie with all these concerns, but I'm not ruling out the possibility of an alt account from an older member who doesn't want to be told off in such cases. I was also a little disheartened when the merit system was introduced a few years ago, but ultimately, it wasn't that hard to rank up. I was too young to see the positive side. Generally, account sales have been reduced compared to a few years ago when members were farming accounts due to it being easy to rank up; you just had to be active and post.

2FA is generally a decent measure to tackle any malicious attempts; however, most hacked accounts are older and abandoned accounts that suddenly wake up after being penetrated and sold on the market. Personally, I understand the desire for 2FA, but I don't believe that it's necessary.

OP, you registered in March of this year and you have all of this knowledge of forum issues/drama/etc. how....?  And since ostensibly you've only been a member here for about 3 months, why is this is a major concern for you?

I would also challenge your assertion that most account sales are those of hacked accounts.  I've been here for years now and have never seen any hard data on anything that would support or contradict that.  In fact I think account sales have decreased dramatically at least since the merit system came about, and that's likely because account farmers got cut off at the knees overnight in Jan. 2018.

The account registration security isn't really affecting you directly, right?  If that's the case and you don't like how outdated bitcointalk is (and I can't argue with you on that one), try another discussion forum.  Like cryptotalk.  That Yobit monstrosity of a website posing as a place where ideas and knowledge are shared--and that's if it still exists. 

There's just nothing like bitcointalk.  All the other forums are deader than dead.

While we are all telling OP, this is that, and that is this. He got some legit points that the forum admins should care about. 2FA was discussed in this forum multiple times. If I am not wrong, someone already wrote a patch for the forum, and I don't know why it wasn't implemented. Stunna offered Bitcoin for the patch. You cannot just blame users for not being careful and let things go on. Everyone doesn't learn things in a single day. There are a lot of people who don't care about their security till they fall into a trap. The platform can play a significant role in keeping its users safe and secure. Sometimes a new forum member needs to spend months learning more about security.

OP, if you're familiar with online security techniques and know the weaknesses in your account, you'll be hard to hack. If you do not click on other people's links, use your account separately from visiting other sites, have a strong password, and are always attentive, it is unlikely that your account will be of interest to a hacker. You should always take responsibility for keeping your data in your own hands. First, check yourself to see if you behave correctly on the Internet, among other things, sign your Bitcoin address on the forum, and sleep well.
Your safety is in your hands.

Due to ipevil restrictions, signing up with an exclusive email might be a wasteful decision the first time, unless you're willing to buy a copper membership. It's better to get the desired username first with a random email before syncing with the real email.

After all, forums have a method of security and account recovery that is known to be compromised very rarely: Signed bitcoin addresses.
All reputable account owners with high commercial value do this and almost never complain about the forum's security system.

It's freedom.

It's a Bitcoin forum and you can sign a Bitcoin message to prove your account ownership for account recovery.

• How to sign a message!!
• Stake your Bitcoin message here
• Recovering hacked/lost accounts

To change your email address, you will need to type your current password.

It was disabled long time ago after that if anyone use a secret question, that account will be locked.

2FA was asked many times. It won't be deployed on SMF-based forum, this one.

You can request it for a new forum, Epochtalk. New forum software

• Can bitcointalk.org get 2 factor authentication?
• Why doesn't Bitcointalk support 2FA?
• 2FA on bitcoin talk
• Isn't it time to introduce 2FA to enhance user account security ?
• Bitcointalk.org 2FA option/feature
• Should there be an option of adding 2fa for forum accounts?

When people lose access to their accounts (because they got hacked), it is not uncommon for them to also lose access to their email accounts. Unfortunately, it is hard to provide protection to individuals who neglect or remain ignorant about securing their online accounts. Sometimes, it boils down to poor security practices.

I really like that this forum doesn't even ask for a working email address. It is great for maintaining online privacy and keeping things anonymous, which is something many people in this community really want.

To avoid such an act of account compromise, the forum has made all users' email addresses hidden; therefore, we cannot blame the forum if our accounts are hacked due to our weak passwords or if we reveal our emails for everyone to see in the forum.

I'm not sure what pattern people who sell accounts use to hack users' forum accounts, even though the forum has made users' emails hidden by default; to some extent, I suspect that those selling accounts are forum users who have multiple accounts and would like to get rid of them, because it would be difficult for someone with only one forum account to decide to sell the account.

It's not that I'm supporting selling of accounts kind of business, but from my knowledge its quite convincing that if someone should portray that he or her want to his account of bitcointalk theirs is every tendency that the account might belong to the person, because at sometime some people doesn't like to be in forum till eternity, some people will like to sell out their account to a reasonable amount of money since they feel that they are tired or fade up using forum, when some is old enough or start having a sight challenge you will not be comfortable to logins your bitcointalk account and react to a certain suggestion or conversations again, so selling of account is a decision and also allow but it usually be negotiated outside the community of bitcointalk.

well i have not seen many cases of hackers in my little time on this platform and if there is any they are only few due to many of the reasons that could compromise someone's wallet, as crypto is totally about digitalization where phising attacks and other types of attacks are common and if someone got into them then they could be compromised and everything linked to there pc will also be compromised like this platform.
Plus i have seen so far, if someone get caught in selling or buying accounts they will be tagged and anyone could know they are selling the accounts or buying and this there reputation on the platform will be done. (means finished).
Cases of account selling
1   2   3  4 There are more on the list but to proof you that, forum is doing everything to overcome these problems.
i have no answers for these but i think there must be some authentic reason behind it but let's hear it from the most seniors.
AFAIK, i think there is one feature that helps you to recover your account, its like you have to sign a message with some wallet address (BTC) and then you will have to sign that wallet address to you BTT to prove you account ownership to admin once you got hacked by providing them the key which you will be provided. its like a 2FA. Note* i am not sure where i read it on this platform but i do know there are topics on how to do that, but i can not find any topic right now, i hope another member could mention those. or maybe i mistold you some step so please forgive me for that.

A very simple answer to your this question is that the forum is already secured to its best levels and hacking an account of this forum isn't an easy thing, but the users who have set weak passwords in first place and who hasn't hidden their email addresses might be vulnerable to brute force attacks. But, those kind of attacks can work on almost any forum or website and that depends on a user's technical knowledge during the time of new account registration.

Those accounts that are often sold by some newbie members are basically farmed accounts and they were farmed in those times when merit system wasn't implemented and any member could rank up in those days by just creating posts. The shit-posters were also able to rank up because only activity was needed to get higher ranks back then. That issue was resolved with the introduction of the merit system.



The simple answer to all of your remaining questions is that the forum has a simplistic design and it works best in this way. Those users who aren't good at technology in first place are vulnerable because of their own fault and their other accounts can also be compromised because they might have used same password on multiple websites. The forum has high privacy and the morals are of very high levels. The forum was basically created to serve as an answer book for the users so they could share their ideas with each other.

That purpose is still being served even till this day, and this is the only forum that's still following the simplistic design and ease of use for its users. And, I don't think that adding all those additional features are needed to make the forum better because those features could make it hard for new users to create accounts in first place and that's not a good thing at all.

You’re right, it’s not likely that someone would build an account to a high rank just to sell the account afterwards. Most sold accounts are usually accounts registered before the merit system came to place, back then it was easy to increase your rank by just posting. Account farmers took advantage of this opportunity to make some money without doing any work.


I have no problem with the way the forum is set up. You’re free to choose what you want, if you open an account with a fake email address, you will have yourself to blame if you forget your password and want to recover your account.

Did you search if this topic has been discussed before??

Forum accounts are regularly hacked and there are many stories of forum accounts being bought and sold. And these accounts are mostly sold by hackers. Those who hack accounts and sell them to someone for a low price. It is not possible to build a high ranking account in one night on this forum. So I don't think a person would be interested in selling an account after achieving a high rank. Because the high rank account of this forum has a value that cannot be compared with money. So why is the security of this forum not increased despite developing so much?

- Why is email confirmation not requested during account registration? I have checked that it is possible to open a forum account with an email address that does not exist or has not yet been created.
- Email OTP is not asked during password change. But why the OTP of the current email is not asked even when changing the account email address?
- There is a Secret Question facilities. which is work as a second password.  but anyone can remove it after logging in the account without giving any answer or verifying any OTP.
- Where all platforms have 2FA option for their users, why this forum has not put this option in the user account for security reasons.

I don't understand why this is not in this forum where everyone including the admin knows these things.  And since the forum was created almost 14 years ago, why has this not been done yet?  Is there any secret behind it?