krebetman (posted November 7, 2022):
On 07/11/2022 at 7:11 AM, aussievintage said: "Actually to use it in its basic form, just install and use it, no faff at all. I manually copy the updated database to my other devices, and never try to use it to fill in passwords automatically, so no integration needed."
Yes, fair. The faff bit for me was setting up auto-sync to Google Drive (for which I also have MFA, of course) and making all my devices share the updates to my password vault.
blownaway (posted November 7, 2022):
On 07/11/2022 at 3:13 AM, April Snow said: "Google Authenticator is fine - we use it at work for Government websites etc. I have had it set up for SNA for a few months now - no issues and no payments are ever required."
Thanks April
DAMO 1147 (posted November 7, 2022):
Hi Marc, I think I have set this up; it says enabled on my account. However, when I logged back in with my phone I was expecting a prompt for a code, and the site just logged in using my face recognition on my account phone. Is that correct? Regards, Damo
Guest (posted November 7, 2022):
I won't go into too many details here - but there are a number of parameters now to do with how you use the site that may ask you to reauthenticate.
almikel (posted November 8, 2022):
Multi factor authentication (MFA) / 2 factor authentication (2FA) only slightly impacts legitimate users (I implemented MFA on Stereonet ages ago, but only get prompted for MFA when adding new devices), but provides excellent mitigation against "bad actors" using your account. As an IT manager, I can't count the number of times people in organisations I've worked for have fallen for a "credential phish", and provided their legitimate login credentials to the "bad actor", but MFA has prevented the "bad actor" gaining access. When IT contacts the person to tell them their account was compromised and to change their password, they always deny they'd clicked on some dodgy link and provided their credentials... clearly they had, and we make them change their password.
Many will disagree, but I'm OK with Edge/Chrome choosing my passwords - they're unique and complex and protected by MFA - so way better than re-using passwords - but if you use this approach, please ensure your Edge/Chrome account password has good security, e.g. a long unique pass phrase you can remember, but would be hard to crack, like "I like audio but swim often!".
cheers, Mike
Esoterica (posted November 9, 2022, edited):
What about using iOS 'strong passwords'? I often do this.
Edit: @Marc I just set up 2FA. Downloaded the app, pasted the SNA key in the app, then typed the Google Authenticator code into SNA. All good. Signed out and back in, expecting to have to do 2nd authentication, but didn't have to. I'm guessing that initial 2FA is all that's required? If so, it's too easy and everyone should get onto it. Maybe different (not as simple) depending on which device you do it on? In my case, it's an iPad Pro with Face ID. Haven't had it long but already love Face ID. Signing into everywhere is so easy.
Edited November 9, 2022 by Esoterica: extra info
Guest (posted November 9, 2022):
@Esoterica great stuff. Now it's set up, you only need it when you do certain things with your account (or when you log on from other or new devices).
Sky2K01 (posted November 10, 2022):
For those thinking (or who are under the impression) you must use the Google Authenticator app, you don't specifically need to if you don't wish to. I prefer the MS Authenticator app and was able to implement the 2FA on my account just fine. As an aside, I'm an advocate for and have been a long-time user of 1Password. Of course, everyone's personal circumstances and mileage vary. Cheers
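The reason any authenticator app works (Esoterica's enrolment steps above and Sky2K01's MS Authenticator point) is that these apps all implement the same open standard, RFC 6238 TOTP: the site and the app share one base32 key, and each 30-second code is an HMAC-SHA1 over the current time step. The following is an added illustration, not StereoNET's or any authenticator's own code. It uses the RFC 6238 test-vector key (not a real account secret) and shows both the code generation the phone does and the check a server would do, including a small clock-drift window and a guard against a code being accepted twice.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret as a site would show it at enrolment (base32, the string the user
# pastes into the authenticator app). This is the RFC 6238 test-vector key
# "12345678901234567890" base32-encoded; it is NOT a real StereoNET secret.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_base32(secret_b32: str) -> bytes:
    """Normalise a user-facing base32 secret: strip spaces, upper-case, restore '=' padding."""
    s = secret_b32.replace(" ", "").upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = _decode_base32(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, submitted, at_time=None, step=30, digits=6,
                window=1, last_used_counter=None):
    """Server-side check. Returns the time-step counter the code matched, or None.
    window:            accept +/- this many steps to tolerate phone/server clock drift.
    last_used_counter: counter of the last accepted code; the same or an earlier step
                       is refused so an observed code cannot be replayed (RFC 6238 s.5.2).
    """
    if at_time is None:
        at_time = time.time()
    submitted = submitted.replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0 or (last_used_counter is not None and counter <= last_used_counter):
            continue
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    print("code right now:", totp(EXAMPLE_SECRET_B32))
    print("code at T=59 (RFC 6238 vector, expect 287082):", totp(EXAMPLE_SECRET_B32, at_time=59))
```

The phone side is `totp()`; the site side is `verify_totp()`, which should persist the returned counter per user as `last_used_counter`. Because the code depends only on the shared key and the clock, the app that generates it is interchangeable, which is why Google Authenticator, MS Authenticator and Authy all work against the same enrolment key.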
lasseo (posted November 12, 2022):
Perhaps this was already answered in the support section and I missed it, but what action should I take if I suspect another user's account has been compromised here? I might be a little jumpy right now as it recently happened to my dad's account elsewhere, and I received a few messages that seemed innocent enough to start with.
Guest (posted November 12, 2022):
Please open a support ticket to bring our attention to important and confidential information.
ThirdDrawerDown (posted November 20, 2022):
The obligatory xkcd, and a good description of what the comic was on about, is found here: https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
Guest (posted December 3, 2022):
A new issue is emerging. Once upon a time it was quite easy to detect scammers at the first instance and we'd become quite versed in recognising the tell-tale signs upon registering and their first actions. In fact, we've built quite a few systems to automatically detect and flag these to us.
However, with data breaches becoming very common now, a new approach is for a hacker to obtain details from a data breach, and then hijack someone's email box. The hackers now show much more patience, and will monitor this inbox to learn their online activities, including noticing what websites the user frequents. More recently, we've experienced three of these on StereoNET, and in two of those cases we established the known StereoNET member was involved in the Optus data breach. The hacker waits a while, then logs into StereoNET with proper credentials after resetting their password (remember, the hacker has the user's email address and access to their inbox). In all these cases, multi factor authentication was not enabled on the user's account here (which would have prevented this).
Given the user may have (and in these cases did have) a good standing in the community (length of membership, positive trader feedback), they are considered 'trusted'. However, the person (hacker) now in control of the account is a bad actor. They then proceed to post an ad that either seemingly looks genuine, and usually a product that is highly sought after (an iPhone, for example), or for the more patient hacker, they will research and uncover highly sought after products relevant to the website or community they are engaging in. Sometimes the offer is too good to be true, or just slightly cheaper than it should be (if they are more patient). What will be unusual is the difficulty trying to inspect before purchasing, insisting on shipping only, or questionable payment methods. If you have any concerns whatsoever, walk away! (and report the conversation or thread to us immediately). Do not be fooled just because someone gives you a contact number and is even prepared to speak to you on the phone. These people are experienced scammers - they're just as good on the phone as they are online.
In a most recent case, we were alerted immediately to an advertisement before it was even approved, and when asked to prove their identity, of course they did, including name, address, and even who the product was purchased from within the industry (because they had built a thorough understanding of this member by combing through their emails). This was all very believable, until I realised what was going on. There is a sliver of hope that I am wrong, but I suspect not.
Due to this - we're going to need to adopt a shoot first, ask questions later approach now. If there is any doubt about the authenticity of a user or an advertisement, there will be no benefit of the doubt given. The account will be frozen and locked immediately. It will then be up to the genuine owner of the account to contact us and prove that they are either legitimate, and/or acknowledge their account was compromised and what has been done to regain control and secure the account etc.
We will all need to be more vigilant when it comes to the integrity and security of accounts. Please members, enable Multi Factor Authentication.
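The post above describes why the site's existing new-registration checks miss this attack: the account is old and trusted, so the signal has to come from the sequence of actions instead (password reset via email, then a login from a device never seen before, then a classified ad, all in a short window, on an account without MFA). The following is an added illustration of that detection logic written for this thread; it is not StereoNET's own tooling, and the audit events and MFA table are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events for illustration (not real StereoNET logs):
# (ISO timestamp, username, event, detail)
EVENTS = [
    ("2022-12-01T08:00:00", "dave",  "password_reset", "email link"),
    ("2022-12-01T08:05:00", "dave",  "login",          "new_device"),
    ("2022-12-03T08:00:00", "dave",  "ad_posted",      "turntable"),          # 48h later: outside window
    ("2022-12-03T08:00:00", "alice", "password_reset", "email link"),
    ("2022-12-03T08:02:10", "alice", "login",          "new_device"),
    ("2022-12-03T08:15:00", "alice", "ad_posted",      "iPhone, shipping only"),
    ("2022-12-03T09:00:00", "bob",   "login",          "known_device"),
    ("2022-12-03T09:05:00", "bob",   "ad_posted",      "amplifier"),          # no reset: normal sale
    ("2022-12-03T10:00:00", "carol", "password_reset", "email link"),
    ("2022-12-03T10:01:00", "carol", "login",          "new_device"),         # no ad yet
]

# Whether each member has MFA enabled on their account (constructed).
MFA_ENABLED = {"alice": False, "bob": False, "carol": True, "dave": False}


def find_hijack_candidates(events, mfa_enabled, window=timedelta(hours=24)):
    """Flag accounts showing the takeover sequence described in the thread:
    password_reset -> login from a new device -> ad_posted, all within `window`.
    Membership length and trader feedback are deliberately ignored, because the
    pattern targets exactly the long-standing, trusted accounts.
    Returns a list of (user, severity, ad_detail); severity is 'high' when MFA is
    off (the reset alone was enough to get in) and 'medium' otherwise.
    """
    by_user = defaultdict(list)
    for ts, user, event, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), event, detail))

    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for i, (t_reset, event, _) in enumerate(evs):
            if event != "password_reset":
                continue
            later = [e for e in evs[i + 1:] if e[0] - t_reset <= window]
            new_device_login = any(e[1] == "login" and e[2] == "new_device" for e in later)
            ad = next((e for e in later if e[1] == "ad_posted"), None)
            if new_device_login and ad is not None:
                severity = "high" if not mfa_enabled.get(user, False) else "medium"
                flagged.append((user, severity, ad[2]))
                break  # one alert per account is enough
    return flagged


if __name__ == "__main__":
    for user, severity, ad in find_hijack_candidates(EVENTS, MFA_ENABLED):
        print(f"{severity.upper()}: hold ad '{ad}' and freeze account '{user}' pending identity proof")
```

Run against the sample data, only alice is flagged: dave's ad falls outside the 24-hour window, bob never reset his password, and carol has not posted an ad. A 'high' hit maps directly onto the "freeze first, ask questions later" policy in the post: hold the ad before approval and lock the account until the real owner proves control of it through support.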
Guest (posted December 17, 2022):
Members, another account was hijacked this morning and an advertisement posted by the hacker. The hacker used the correct credentials to access this user's account - which means either the member's email account has been compromised (likely), or they've used the credential on this site on other sites which may have had a data breach. There is nothing we can do to prevent this type of incident from happening, other than suggesting Multi-factor Authentication (2FA/MFA) is enabled on your account. I know I'm going on about it, but this would prevent every single one of these incidents from happening. To set up 2FA on your account go to https://www.stereonet.com/forums/settings/account-security/
We have caught it and dealt with it quickly, but not before a few members made contact with interest in purchasing, it seems.
aussievintage (posted December 17, 2022):
On 17/12/2022 at 10:30 PM, Marc said: "Members, another account was hijacked this morning and an advertisement posted by the hacker. The hacker used the correct credentials to access this user's account - which means either the member's email account has been compromised (likely), or they've used the credential on this site on other sites which may have had a data breach. There is nothing we can do to prevent this type of incident from happening, other than suggesting Multi-factor Authentication (2FA/MFA) is enabled on your account. I know I'm going on about it, but this would prevent every single one of these incidents from happening. To set up 2FA on your account go to https://www.stereonet.com/forums/settings/account-security/ We have caught it and dealt with it quickly, but not before a few members made contact with interest in purchasing, it seems."
With all the stories in the paper this morning about hacked/fake myGov accounts, even our government cannot handle what is happening in cyber security. All we can do is lock it up as securely as we can. I think things are coming to a head and some radical changes to the way we do business are needed. Time for everyone to get a microchip inserted??? Meanwhile, yeah, turn on 2FA. Thanks Marc.
The Rock Puppy (posted December 18, 2022):
Turn on this 2FA thing, folks. If I can do it, then it's idiot-proof. It was really simple and only took a couple of minutes.
ray4410 (posted December 18, 2022):
On 18/12/2022 at 12:24 AM, The Rock Puppy said: "Turn on this 2FA thing, folks. If I can do it, then it's idiot-proof. It was really simple and only took a couple of minutes."
What can you do if you don't have one of these smart phones?
Guest (posted December 18, 2022):
On 18/12/2022 at 12:47 AM, ray4410 said: "What can you do if you don't have one of these smart phones?"
I did some searching on this and haven't yet been able to come up with a solution (that I'm able to implement yet), I'm afraid.
The Rock Puppy (posted December 18, 2022):
On 18/12/2022 at 12:47 AM, ray4410 said: "What can you do if you don't have one of these smart phones?"
If you can scratch up some money, smart phones can be found for around $150 or so. Not recommending them or anything, just saying is all. On top of that, though, you have to factor in the price of the connection to the network provider you choose, but you can get cheap prices there, too. Possibly worth considering it though, as lots of places are now requiring their use.
Guest (posted December 18, 2022):
On 18/12/2022 at 2:53 AM, The Rock Puppy said: "you have to factor in the price of the connection to the network provider you choose"
Or use your home Wi-Fi to save on an extra connection - of course this only helps you when you are at home.
BillyC (posted December 18, 2022):
How about making the Google Authenticator 2FA a default setting in the background, and not an option?
Guest (posted December 18, 2022):
On 18/12/2022 at 3:55 AM, BillyC said: "How about making the Google Authenticator 2FA a default setting in the background, and not an option?"
Not everyone is ready for that. We won't force people to get aboard a Google-owned product as some are quite passionately opposed to it. It's still optional, but it's of course in everyone's best interests and should be encouraged. I am working on alternate 2FA options, such as Authy. Other options such as an email-generated code are not effective as most account hijackings involve email account takeover.
Grant Slack (posted December 18, 2022):
On 08/09/2021 at 11:55 PM, Marc said: "We can do everything possible on our end, but if you have a weak password that is used across multiple sites, and are also not using 2FA it's not a matter of 'if' your account will be compromised, but 'when'."
Hi Marc, when are you going to implement Apple Passkey on SNA? Weak passwords and 2FA will not matter for Apple users once that is done. cheers Grant
Guest (posted December 18, 2022):
On 18/12/2022 at 6:46 AM, Grant Slack said: "Hi Marc, when are you going to implement Apple Passkey on SNA? Weak passwords and 2FA will not matter for Apple users once that is done. cheers Grant"
That is not up to me - it is up to the forum software authors and I am not aware if it's even on their roadmap. I do try and stay up to date with upcoming features and technology though, so will embrace this if it becomes available. It's an alliance between the "big three" I believe - and so will be sure to grow in popularity in coming years.
Cloth Ears (posted December 19, 2022, edited):
On 18/12/2022 at 2:53 AM, The Rock Puppy said: "If you can scratch up some money, smart phones can be found for around $150 or so. Not recommending them or anything, just saying is all. On top of that, though, you have to factor in the price of the connection to the network provider you choose, but you can get cheap prices there, too. Possibly worth considering it though, as lots of places are now requiring their use."
I bought one to use for 2FA for a couple of FIs I work for - for $39. Admittedly, that's for PingID and SecurID - and doesn't require a SIM card in the phone. Unsure if that's appropriate here or not.
[edit] I loaded Google Authenticator on this phone - it's a ZTE BLADE A125 - and then used it to authenticate my sign-in here. There are various other ZTE BLADE phones available for under $50, and I'm guessing they will work the same way. [/edit]
Edited December 19, 2022 by Cloth Ears