I got my account back and it still has my original email address. Curious why they messed with yours and not mine?
 
"send $600 friend and family and let me know please. Now i'm waiting confirm." should have been a red flag between the ESL and unnecessary urgency. Not to mention the completely unrelated name on the email address and "my wife".

My red flag should've been an American posting outside the US if anything ':^)

I'll be honest mate. I've had -plenty- of deals go like that on these forums and on shmups forum over the previous decade. I've even had to do the payment to a wife's account before shtick. An exception to the rule? Maybe. Too much trust and was bound to get stung eventually? More likely. A flat out dumb mistake on my part no less.

Also, not all of us are the most uhh, dedicated browsers or posters. For whatever reason that might be; mine's a time and life issue. So we're not all going to be even vaguely familiar with the posting habits of some seasoned veterans. So whether an American is ESL or not could just be par for the course. My comments almost make it sound like I'm excusing ignorance, sorry if it does; I'm not. That said, you're right. It's always worth looking at post histories too as due diligence should always take priority and if you miss out you miss out. Least you got your money.

Speaking of which. I got a refund this morning. I hope the others have the same level of success.
 
Would it be possible to limit access to the marketplace forums to accounts that have MFA enabled?

Failing that, could just make MFA a requirement on all accounts.

2FA should at least have better visibility, like a default-enabled setting during registration (so folks know it’s an option but could disable), and some announcement to existing members.

I never noticed when it was turned on and I’m here multiple times a day. Only learned about it on this thread.
 
Maybe a nag banner about enabling 2FA at the top of the forum you have to dismiss? I see this in a lot of software I use at work these days. It seems a lot of people didn't even know it was available here, me included.
 
An easier to find feedback system would be cool. Maybe similar to klov where it's on your profile and easy to see. Certain subreddits like r/gamesale have flair for confirmed transactions from both parties. I utilize both of those systems and think it could benefit the userbase here as well.
 
So what's stopping people doing the same and blaming hackers?
It wouldn't necessarily limit a hacker created account but circumvent hacked existing account. The thing to remember is be smart and trust your gut, there may be posts in the marketplace now that are scams no one knows. Typically we can trust known users but there are plenty of new users on here posting. Have a conversation before you buy, don't just send money. Most of us are down to bs for a minute. Ask probing questions about the item. If it's weird ask for better proof of the item. Don't let a seller hold anything over you, this is not a bidding site. If people are in line, first come first serve. Don't rush, always trust your instincts.
 
So, if I change details on my account via a VPN, then suddenly start offering, mint cave kits for £200 a pop, then after receiving payment via bank transfers to an offshore account. Then email admin to say I cannot access my account, I can continue as normal as nothing has happened. Not saying none of the one that got hacked recently were.

A system where data would show to tell potential buyers when sensitive data on user accounts had been changed or not (i.e. passwords and emails and if 2FA) has been used or not would greatly make transactions more secure. (or even if it was changed within the last week/month would suffice) So if for example I click on a forum member, it would show (recently changed password/email. 2FA = on). I'm sure users will have to allow this data to show as it might be breach of privacy?

So if you see someone that has password and/or email recently changed, you can maybe ask the seller to provide a picture with their username next to the pcb for proof that it is the original seller or not?

An easier to understand feedback system would be definitely helpful for sales too. I don't understand why AP and Klov do not have it? Instead relying on users posting in a separate thread that I doubt majority of people don't even read? Every other forum seems to have it. And it makes sellers more on their toes too as they want better feedback. Then again it could be argued that reaction score is a better indicator too? People with high reaction scores would unlikely be there to scam others? But then again, could just be a chatterbox scammer? A mixture of both would be super cool though. So you can tell who has been actively contributing despite not often selling things or people who just use forums to sell and not actively contributing?

Just some suggestions, that's all. Probably harder to implement than said otherwise it would have probably been done already.
 
There is no surefire way to stop people from scamming. There will always be scammers, as there have always been, and that's not really the risk we're here to address.

This was a very specific, targeted attack, and there are some easy steps AP can take to address this risk, rather than spinning our wheels trying to provide solutions for a bunch of 'what if' scenarios.
 
If I'm remembering correctly the feedback forum as you see it on many forums is not part of the default software package. It is an extra software module you have to pay for and usually requires a subscription, i.e. you pay for it every so often again. I also don't think it is made by the forum software company so compatibility and support can be an issue.

We have looked into it many times but it's just not as easy to implement as you might think. It is something I've always wanted and still do tho so I'll keep pushing for it.

One thing I think we can do is require mod approval to change an email. It looks like the scammer tried to change email a few times but the forum rejected them because they were fake. Every email is confirmed by the forum software before the account is approved.

Every single new account must be approved by a mod manually. No new account is approved by bots. We've had that in place for years now.
 
I won't pretend to know the work and pricing involved for implementing extra features. But what if Arcade Projects introduced a "swag" shop of sorts to pay the bills. T-shirts, stickers, ash trays, hats, etc?
 
I thought my suggestions were to stop this kinda attack as well as just making it safer overall, as the hacker will need to change the email to communicate and pay? So if you see a recent change of email address then it will throw up some red flags.

Even a 1 week timer on posting on sales thread for newly changed emails?
 
We are looking into things and we have found there is no way to force mod approval of email change. Looking at other suggestions such as badges etc.

As for feedback system. If we do that we will need a dedicated mod just for feedback. It's not a passive system that runs itself. Brizzo will research it again this weekend.

The best advice is still to be vigilant, be smart, change passwords often and don't use the same password on more than one site. 2FA is great but is not 100% hack proof either.
 
Only one of the accounts had their email changed, and the only reason to change the email on their account is to redirect notifications for things like PMs, responses to threads, etc.

They could just as easily have turned off notifications in the account and generated no email notifications.

This happened because their account was taken over due to a weak password or password reuse, not because the attacker was able to change the email on their profile. Enforcing MFA for all accounts or for accounts with access to the marketplace would add an extra layer of defense from this specific attack vector.

Everything else, while maybe nice to have, would not have stopped this specific incident.

MFA is not 100% hack proof, but I doubt we're dealing with someone who has nation state backing. The whole point of defense in depth is to make it more difficult for these types of low hanging fruit attacks. Just because it doesn't address 100% of risk doesn't mean it's not a good idea to do.
 
That's the thing. This was a targeted attack of the individuals. Not a site hack. We could add all sorts of stuff to try and prevent this type of thing but we have to rely on members protecting themselves. That's even more important.
 
Nobody said it was a site hack. Only a few people are asking to add all sorts of stuff.

I'm asking to utilize what your forum software already has built in. And it's hard for forum members to protect themselves when longtime members here are telling you they had no idea MFA was even an option.

Hell, the LEAST you could do is make a pinned thread that shows up in all the forums that explains the situation and provides instructions on how users can enable MFA on their accounts, because I wouldn't be surprised if this happens again.
 