FS Account hacked, be smart

Would it be possible to limit access to the marketplace forums to accounts that have MFA enabled?

Failing that, could just make MFA a requirement on all accounts.

2FA should at least have better visibility, like a default-enabled setting during registration (so folks know it’s an option but could disable), and some announcement to existing members.

I never noticed when it was turned on and I’m here multiple times a day. Only learned about it on this thread.
 
Maybe a nag banner about enabling 2FA at the top of the forum you have to dismiss? I see this in a lot of software I use at work these days. It seems a lot of people didn't even know it was available here, me included.
 
An easier-to-find feedback system would be cool. Maybe similar to KLOV, where it's on your profile and easy to see. Certain subreddits like r/gamesale have flair for confirmed transactions from both parties. I utilize both of those systems and think it could benefit the userbase here as well.
 
So what's stopping people doing the same and blaming hackers?
It wouldn't necessarily limit a hacker-created account, but it would circumvent hacked existing accounts. The thing to remember is be smart and trust your gut; there may be posts in the marketplace now that are scams no one knows about. Typically we can trust known users, but there are plenty of new users on here posting. Have a conversation before you buy, don't just send money. Most of us are down to bs for a minute. Ask probing questions about the item. If it's weird, ask for better proof of the item. Don't let a seller hold anything over you; this is not a bidding site. If people are in line, first come, first served. Don't rush; always trust your instincts.
 
So, if I change details on my account via a VPN, then suddenly start offering mint Cave kits for £200 a pop, then after receiving payment via bank transfers to an offshore account, email admin to say I cannot access my account, I can continue as normal as if nothing has happened. Not saying any of the ones that got hacked recently were.

A system that would show potential buyers whether sensitive data on user accounts had been changed or not (i.e. passwords and emails, and whether 2FA has been used or not) would greatly make transactions more secure. (Or even if it was changed within the last week/month would suffice.) So if, for example, I click on a forum member, it would show (recently changed password/email. 2FA = on). I'm sure users will have to allow this data to show as it might be a breach of privacy?

So if you see someone that has had their password and/or email recently changed, you can maybe ask the seller to provide a picture with their username next to the PCB for proof of whether it is the original seller or not?

An easier-to-understand feedback system would definitely be helpful for sales too. I don't understand why AP and KLOV do not have it, instead relying on users posting in a separate thread that I doubt the majority of people even read? Every other forum seems to have it. And it makes sellers more on their toes too, as they want better feedback. Then again, it could be argued that reaction score is a better indicator too? People with high reaction scores would be unlikely to be there to scam others? But then again, it could just be a chatterbox scammer? A mixture of both would be super cool though. So you can tell who has been actively contributing despite not often selling things, or people who just use the forums to sell and are not actively contributing?

Just some suggestions, that's all. Probably harder to implement than said, otherwise it would have probably been done already.
 
There is no surefire way to stop people from scamming. There will always be scammers, as there have always been, and that's not really the risk we're here to address.

This was a very specific, targeted attack, and there are some easy steps AP can take to address this risk, rather than spinning our wheels trying to provide solutions for a bunch of 'what if' scenarios.
 
If I'm remembering correctly, the feedback forum as you see it on many forums is not part of the default software package. It is an extra software module you have to pay for, and it usually requires a subscription, i.e. you pay for it again every so often. I also don't think it is made by the forum software company, so compatibility and support can be an issue.

We have looked into it many times, but it's just not as easy to implement as you might think. It is something I've always wanted and still do though, so I'll keep pushing for it.

One thing I think we can do is require mod approval to change an email. It looks like the scammer tried to change email a few times but the forum rejected them because they were fake. Every email is confirmed by the forum software before the account is approved.

Every single new account must be approved by a mod manually. No new account is approved by bots. We've had that in place for years now.
 
I won't pretend to know the work and pricing involved in implementing extra features. But what if Arcade Projects introduced a "swag" shop of sorts to pay the bills? T-shirts, stickers, ash trays, hats, etc.?
 

I thought my suggestions were to stop this kind of attack as well as just making it safer overall. As the hacker will need to change the email to communicate and get paid? So if you see a recent change of email address, then it will throw up some red flags..

Even a 1 week timer on posting in the sales threads for newly changed emails..?
 
We are looking into things and we have found there is no way to force mod approval of email change. Looking at other suggestions such as badges etc.

As for a feedback system: if we do that, we will need a dedicated mod just for feedback. It's not a passive system that runs itself. Brizzo will research it again this weekend.

The best advice is still to be vigilant, be smart, change passwords often and don't use the same password on more than one site. 2FA is great but is not 100% hack-proof either.
 
Only one of the accounts had their email changed, and the only reason to change the email on their account is to redirect notifications for things like PMs, responses to threads, etc.

They could just as easily have turned off notifications in the account and generated no email notifications.

This happened because their account was taken over due to a weak password or password reuse, not because the attacker was able to change the email on their profile. Enforcing MFA for all accounts or for accounts with access to the marketplace would add an extra layer of defense from this specific attack vector.

Everything else, while maybe nice to have, would not have stopped this specific incident.
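The controls this thread keeps coming back to (marketplace posting only for accounts with 2FA, a one-week timer after an email change, holding accounts with repeated rejected email changes for mod review, and a profile badge showing recent credential changes) worked through as an added example. This is not the forum's own software; the audit-log format, event names and thresholds are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical event names, not real forum data):
# (ISO timestamp, username, event)
AUDIT_LOG = [
    ("2024-03-01T09:00:00", "alice", "mfa_enabled"),
    ("2024-03-09T10:00:00", "alice", "login_ok"),
    ("2024-03-10T11:00:00", "bob", "login_ok"),
    ("2024-03-10T11:05:00", "bob", "email_change_rejected"),
    ("2024-03-10T11:07:00", "bob", "email_change_rejected"),
    ("2024-03-10T11:12:00", "bob", "email_changed"),
    ("2024-02-01T08:00:00", "carol", "password_changed"),
    ("2024-03-05T08:00:00", "carol", "mfa_enabled"),
]

EMAIL_COOLDOWN = timedelta(days=7)   # the "1 week timer" suggested in the thread
REJECT_THRESHOLD = 2                 # repeated rejected email changes -> mod review
RECENT = timedelta(days=30)          # window for the "recently changed" profile badge


def account_signals(log, user):
    """Collect, per account, the signals the thread proposes surfacing."""
    events = sorted((datetime.fromisoformat(t), e) for t, u, e in log if u == user)
    mfa_events = [e for _, e in events if e in ("mfa_enabled", "mfa_disabled")]
    last = {}
    for ts, e in events:
        last[e] = ts  # ascending order, so this keeps the most recent timestamp
    return {
        "mfa": bool(mfa_events) and mfa_events[-1] == "mfa_enabled",
        "email_changed_at": last.get("email_changed"),
        "password_changed_at": last.get("password_changed"),
        "rejected_email_changes": sum(e == "email_change_rejected" for _, e in events),
    }


def marketplace_decision(signals, now):
    """Return (allowed, reasons): may this account post in the marketplace now?"""
    reasons = []
    if not signals["mfa"]:
        reasons.append("MFA not enabled")
    changed = signals["email_changed_at"]
    if changed and now - changed < EMAIL_COOLDOWN:
        reasons.append("email changed within the last 7 days")
    if signals["rejected_email_changes"] >= REJECT_THRESHOLD:
        reasons.append("repeated rejected email changes; hold for mod review")
    return (not reasons, reasons)


def profile_badge(signals, now):
    """Text a buyer would see on the seller's profile, as proposed in the thread."""
    recent = [k.split("_")[0] for k in ("email_changed_at", "password_changed_at")
              if signals[k] and now - signals[k] < RECENT]
    flag = "recently changed " + "/".join(recent) if recent else "no recent credential changes"
    return f"2FA = {'on' if signals['mfa'] else 'off'}; {flag}"


def review(user, now_iso, log=AUDIT_LOG):
    """Convenience wrapper: (allowed, reasons, badge) for one account at a given time."""
    now = datetime.fromisoformat(now_iso)
    signals = account_signals(log, user)
    return marketplace_decision(signals, now) + (profile_badge(signals, now),)
```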

MFA is not 100% hack proof, but I doubt we're dealing with someone who has nation state backing. The whole point of defense in depth is to make it more difficult for these types of low hanging fruit attacks. Just because it doesn't address 100% of risk doesn't mean it's not a good idea to do.
 
That's the thing. This was a targeted attack of the individuals. Not a site hack. We could add all sorts of stuff to try and prevent this type of thing but we have to rely on members protecting themselves. That's even more important.
Nobody said it was a site hack. Only a few people are asking to add all sorts of stuff.

I'm asking to utilize what your forum software already has built in. And it's hard for forum members to protect themselves when longtime members here are telling you they had no idea MFA was even an option.

Hell, the LEAST you could do is make a pinned thread that shows up in all the forums that explains the situation and provides instructions on how users can enable MFA on their accounts, because I wouldn't be surprised if this happens again.
 
The root of this entire scam is dependent on users making payments using PayPal F&F. Full stop, this is the issue.

Second to that is using weak or reused passwords. 2FA is great, but as many of you who enabled it will have noticed, there is no barrier to setting it up for your account. 2FA enhances login security with passwords, but it doesn't stop another common hacking technique, which is cookie hijacking or cross-site scripting (XSS), albeit this is less common and relies on malware or exploits. What I mean by "there is no barrier" is that if we add a badge to indicate "secure account", or make the marketplace only for those with 2FA, it doesn't create enhanced security for transactions.

At this time, given the limited and isolated nature of this event there is not a compelling reason to implement custom features or changes to the back end of the forum software.

The reason we have been hesitant to implement a marketplace feedback system isn't cost or subscriptions, but the moderation workload it creates around disputes... But we agreed that we will review this again this coming weekend.
 
A lot of complex ideas floating around here...

Pay via G&S would really solve all of them though.


If you're going to take a gamble on F&F, at least ask for a phone number and call the member. It might not block all scams, but it could lower the chances, and if the number goes to a real scammer, you at least have a point for tracking them down later. That being said, I have no idea how hard it is to fake phone numbers with the correct area code nowadays.
 