No clue man. Maybe mine was the test and they realized they didn't need the email.
I got my account back and it still has my original email address. Curious why they messed with yours and not mine?
"send $600 friend and family and let me know please. Now i'm waiting confirm." should have been a red flag between the ESL and unnecessary urgency. Not to mention the completely unrelated name on the email address and "my wife".
Would it be possible to limit access to the marketplace forums to accounts that have MFA enabled?
Failing that, could just make MFA a requirement on all accounts.
It wouldn't necessarily limit a hacker-created account but would circumvent a hacked existing account. The thing to remember is be smart and trust your gut, there may be posts in the marketplace now that are scams no one knows. Typically we can trust known users but there are plenty of new users on here posting. Have a conversation before you buy, don't just send money. Most of us are down to bs for a minute. Ask probing questions about the item. If it's weird ask for better proof of the item. Don't let a seller hold anything over you, this is not a bidding site. If people are in line, first come first serve. Don't rush, always trust your instincts.
So what's stopping people doing the same and blaming hackers?
There is no surefire way to stop people from scamming. There will always be scammers, as there have always been, and that's not really the risk we're here to address.
So, if I change details on my account via a VPN, then suddenly start offering mint cave kits for £200 a pop, then after receiving payment via bank transfers to an offshore account. Then email admin to say I cannot access my account, I can continue as normal as nothing has happened. Not saying none of the ones that got hacked recently were.
A system where data would show to tell potential buyers when sensitive data on user accounts had been changed or not (i.e. passwords and emails, and if 2FA has been used or not) would greatly make transactions more secure. (Or even if it was changed within the last week/month would suffice.) So if for example I click on a forum member, it would show (recently changed password/email. 2FA = on). I'm sure users will have to allow this data to show as it might be a breach of privacy?
So if you see someone that has password and/or email recently changed, you can maybe ask the seller to provide a picture with their username next to the PCB for proof that it is the original seller or not?
An easier to understand feedback system would definitely be helpful for sales too. I don't understand why AP and Klov do not have it? Instead relying on users posting in a separate thread that I doubt the majority of people even read? Every other forum seems to have it. And it keeps sellers more on their toes too as they want better feedback. Then again it could be argued that reaction score is a better indicator too? People with high reaction scores would unlikely be there to scam others? But then again, could just be a chatterbox scammer? A mixture of both would be super cool though. So you can tell who has been actively contributing despite not often selling things or people who just use forums to sell and not actively contributing?
Just some suggestions, that's all. Probably harder to implement than said, otherwise it would have probably been done already.
I won't pretend to know the work and pricing involved for implementing extra features. But what if Arcade Projects introduced a "swag" shop of sorts to pay the bills. T-shirts, stickers, ash trays, hats, etc?
If I'm remembering correctly the feedback forum as you see it on many forums is not part of the default software package. It is an extra software module you have to pay for and usually requires a subscription, i.e. you pay for it every so often again. I also don't think it is made by the forum software company so compatibility and support can be an issue.
We have looked into it many times but it's just not as easy to implement as you might think. It is something I've always wanted and still do tho so I'll keep pushing for it.
One thing I think we can do is require mod approval to change an email. It looks like the scammer tried to change email a few times but the forum rejected them because they were fake. Every email is confirmed by the forum software before the account is approved.
Every single new account must be approved by a mod manually. No new account is approved by bots. We've had that in place for years now.
There is no surefire way to stop people from scamming. There will always be scammers, as there have always been, and that's not really the risk we're here to address.
This was a very specific, targeted attack, and there are some easy steps AP can take to address this risk, rather than spinning our wheels trying to provide solutions for a bunch of 'what if' scenarios.
Only one of the accounts had their email changed, and the only reason to change the email on their account is to redirect notifications for things like PMs, responses to threads, etc.
I thought my suggestions were to stop this kinda attack as well as just making it safer overall. As the hacker will need to change the email to communicate and pay? So if you see a recent change of email address then it will throw up some red flags.
Even a 1 week timer on posting on sales threads for newly changed emails?
MFA is not 100% hack proof, but I doubt we're dealing with someone who has nation state backing. The whole point of defense in depth is to make it more difficult for these types of low hanging fruit attacks. Just because it doesn't address 100% of risk doesn't mean it's not a good idea to do.
We are looking into things and we have found there is no way to force mod approval of email change. Looking at other suggestions such as badges etc.
As for feedback system. If we do that we will need a dedicated mod just for feedback. It's not a passive system that runs itself. Brizzo will research it again this weekend.
The best advice is still to be vigilant, be smart, change passwords often and don't use the same password on more than one site. 2FA is great but is not 100% hack proof either.
Nobody said it was a site hack. Only a few people are asking to add all sorts of stuff.
That's the thing. This was a targeted attack of the individuals. Not a site hack. We could add all sorts of stuff to try and prevent this type of thing but we have to rely on members protecting themselves. That's even more important.