Suggestion Require Two-factor authentication for Classified privileges


OP
Brett Hatch
ScubaBoard Supporter, Staff member

A ScubaBoard Staff Message...

Edit August 22 2024: We've decided not to require 2FA, but have made a few changes. See post #101 in this thread for a summary. Thanks everybody who provided their input on this!


Please upvote or downvote
If you are for this 2FA idea, please upvote this post, and if you are against it, please downvote. Upvote/downvote buttons are the triangles on the right side of this post. This will help us to gauge how the community feels about this idea.

Background
ScubaBoard has a perennial problem of scammers. They usually show up in the Classified sections, or send Private Messages (PMs) to users who have Classified threads up. Currently, ScubaBoard's Classifieds sections and Private Message privileges are granted once a SB account has been somewhat active in the community. But we do not require Two Factor Authentication (2FA) for these privileges.

What is the suggestion?
I propose that we start requiring 2FA before granting access to the Classified section, as well as Private Messages. The purpose of this is to help reduce the frequency and effectiveness of scams on ScubaBoard.

What is the problem?
There are a few common flavors of scammers:

- An existing account is hijacked by a scammer, and the scammer benefits from the account's good standing in the community.

This usually affects an account whose credentials are the same as some other website, and the credentials have been leaked. This type of scammer is harder to spot than the new account, because people really do come and go on ScubaBoard. Legitimately taking a break for a few years and then coming back to sell off some gear is a pretty common situation that's not a scam. Requiring 2FA for Classified and PM privileges would address most of this type of scam, since it would be much more difficult to hijack the SB account in the first place.

- A scammer makes a new account, reaches the threshold required for Classified and/or Private Message privileges, and then tries to scam people.

I don't think 2FA helps much against this type of scam. It would put one more barrier up in front of potential scammers, which is always helpful in the same way that even a weak bike lock still helps prevent bike theft. But, scammers can do the steps to enable 2FA for their new scam account, and go on to attempt to scam people.

What is 2FA, how do I turn it on, and why is it helpful?
ScubaBoard already has two-factor authentication (2FA) built-in. It is currently optional, and you can turn it on in your security preferences. I highly recommend that all ScubaBoard users turn it on right away. I strongly recommend turning it on for other websites as well, especially sensitive ones like your email, your bank, your investments. It is one of the simplest, most effective security measures, because it means that even if your password is guessed or leaked, an attacker cannot use your password to sign into your account.

There are several types of 2FA. ScubaBoard supports email-based 2FA and app-based 2FA. App-based 2FA is more secure, and is most recommended. Email-based 2FA is less secure than app-based, but it is still much more secure than nothing. The reason email is less secure than an app is that if your email is compromised as well as your ScubaBoard account, then the 2FA offers no protection. This risk can be mitigated by enabling 2FA on your email as well, which of course I recommend, and do so myself.

Commentary
ScubaBoard members are generally suspicious of new accounts, and are great at reporting suspicious activity. A huge thank-you to those of you who report possible scammers! Please, please keep doing this, it is the main way mods notice scams! The Mod Squad is spread around the globe, so we see the reports pretty quickly, and once we look into an account, it is usually obvious to the mods that they are a scammer. Most of the time, we get word of the scammer and ban them before any scam takes place, but of course we can't guarantee this, and unfortunately the scammers are sometimes successful.

Other ideas I've seen
- Increasing the threshold for Classified and PM privileges. For example, we could require 100 posts
Pro: helps with the "new account" type of scammer
Con: doesn't do much for hijacked accounts
Con: inhibits legitimate users who just don't have that many posts yet

- Make it more difficult, or impossible, to use VPNs to use ScubaBoard. A VPN conceals the user's IP address
Pro: scammers use VPNs to conceal their identity, so it would help prevent some scammers entirely
Pro: if we ban the IP address of a known scammer, it would make it more difficult for the same scammer to use a new IP address and a new account to try another scam
Con: some legitimate users use VPNs for reasons besides scams; such users would need to disable their VPN while using ScubaBoard

- Require a text message (SMS) to verify the account. This suggestion is a bit like 2FA, but uses text messages instead of an app or email
Pro: Scammers would need a phone number in order to attempt a scam. Acquiring a phone number is a hurdle to get over, and often is not free
Con: Sending text messages costs money, and ScubaBoard would need to pay those costs. ScubaBoard also is not set up for this, and we would likely need to purchase more software and some cloud service to send out the SMS messages

- Only allow ScubaBoard Supporters and Sponsors Classified / PM privileges
Pro: we'd put a financial barrier in front of scammers, so new accounts would need to pay money in order to attempt their scam.
Con: this would be very alienating to users who are not interested in becoming (or not able to become) a ScubaBoard supporter
Con: this would not eliminate risk from hijacked accounts that are already ScubaBoard supporters

Suggestions?
If you have any other ideas about how to address scammers on ScubaBoard, I would be happy to hear about them. You can post in this thread, or you can send me a PM. Thank you.
 
There’s a big problem with scams on this forum. On Facebook scuba groups it’s even worse. I really believe this proposal is a good one and in everyone’s best interest. Taking personal responsibility and “being an adult” just aren’t valid counter-arguments at all when we’re talking about protecting fellow divers and forum users from being needlessly ripped off. The guy I was talking to was looking to rip someone off for something like $650. That’s a nontrivial amount of money and unless people want this forum to become a Wild West of spam and scams it’s best the mods be allowed to do something proactive.
 
Like pretty much every democratic decision in this world these days, not everyone's opinion should be taken at equal value. I have no doubt that most people that have responded in this thread so far have absolutely no actual idea what they're talking about when it comes to cybersecurity, other than what they have seen online and/or heard in the media.

Stop demanding change because you think it'll make things better, without any real, evidence-based knowledge of the considerations, implications and real-world positive or negative impact.

Just like when someone back in the 90's decided that having a complicated password with letters, numbers, symbols, and the requirement to change it every 3 months made things more secure. When it's been proven time and time again that those constraints actually have the effect of making passwords *less* secure.
 
IMO, requiring 2FA is a waste of everyone's time for accounts that don't hold critical personal or financial information.

Also VPN ≠ spammer. There are far more legitimate users of VPNs than otherwise. Sophisticated scammers use VPNs that aren't listed as VPNs anyway, so all you'd be doing is annoying legitimate users while giving people a false sense of security.
 
Like pretty much every democratic decision in this world these days, not everyone's opinion should be taken at equal value. I have no doubt that most people that have responded in this thread so far have absolutely no actual idea what they're talking about when it comes to cybersecurity, other than what they have seen online and/or heard in the media.

Stop demanding change because you think it'll make things better, without any real, evidence-based knowledge of the considerations, implications and real-world positive or negative impact.

Just like when someone back in the 90's decided that having a complicated password with letters, numbers, symbols, and the requirement to change it every 3 months made things more secure. When it's been proven time and time again that those constraints actually have the effect of making passwords *less* secure.

What do you recommend to improve the security against scammers and the obtuse bots?

Sincere question.
 
Like pretty much every democratic decision in this world these days, not everyone's opinion should be taken at equal value. I have no doubt that most people that have responded in this thread so far have absolutely no actual idea what they're talking about when it comes to cybersecurity, other than what they have seen online and/or heard in the media.

Stop demanding change because you think it'll make things better, without any real, evidence-based knowledge of the considerations, implications and real-world positive or negative impact.

Just like when someone back in the 90's decided that having a complicated password with letters, numbers, symbols, and the requirement to change it every 3 months made things more secure. When it's been proven time and time again that those constraints actually have the effect of making passwords *less* secure.

Do you work in infosec? Tell us what you know then. Two factor and complex passwords are not the same thing.
 
What do you recommend to improve the security against scammers and the obtuse bots?

Sincere question.



Perhaps the answer is to buy locally from a source where one can see the goods being purchased before the financial transaction takes place.

Perhaps there is truth in the saying "if it's too good to be true, then it most likely is".

Perhaps one should always select a means of payment for "goods and services" that provides purchaser protections when purchasing from sources that are not personally known by the buyer, instead of choosing the option of sending a "gift" to "friends and family" when the seller is ostensibly not a friend or family, just to save a few bucks on the transaction.

Perhaps one should consider ScubaBoard a little less like their own protected enclave of a personal community and realize that it is a relatively open public forum in the vast ocean (no pun intended) of the world wide web, and that the "open" and "public" aspects are some of the things that makes ScubaBoard great but also presents a certain degree of risk.

Perhaps the answer is that folks need to take personal responsibility and accountability for their actions and transactions and not rely on moderators to be their nanny when they are doing something obtuse like a financial transaction for a significant sum of money with a nameless, faceless party, for a good or service they have not personally verified exists.

Perhaps it's the realization that regardless of what method the site employs, the "bad guys" will continue to find ways to circumvent it.

Perhaps it is the realization that this is not a security issue for the board administration to resolve and that protecting folks from themselves begins with a long talk between the individual and the person they see in the mirror.

Perhaps this issue should fall under the same stance that ScubaBoard administration has taken with other aspects of the board to avoid the site being accountable for users' content, such that they do not moderate for accuracy but instead moderate for tone.

Perhaps this is less a cybersecurity issue and more a personal security/personal responsibility issue that will exist no matter what the board administration does until/unless the individual realizes their own personal vulnerability and takes ownership of the need to protect themself.

Just sayin'

-Z
 
Just like when someone back in the 90's decided that having a complicated password with letters, numbers, symbols, and the requirement to change it every 3 months made things more secure. When it's been proven time and time again that those constraints actually have the effect of making passwords *less* secure.

OMG YES!
I have to reset my V.A. password every time I log on...

"Must have special character. Must have lower case letter. Must have capital letter. Must have number. Must be longer than 5 characters. Must be shorter than 15 characters. Must not be a password you used before..."

"J7^5ytyhs)(*k&^" is not "more secure" if I have to write it down on a sticky note and tape it to my monitor to use it! And if I use "save password" that's not "more secure" as a hacker can access password lists stored in a browser fairly easily, or use keylogger malware. Now a previous suggestion was to "ban VPNs". Right. That means every password I'm sending over the wire to a website is susceptible to eavesdropping.

False security is worse than no security, because users trust false security.

Remember when DoD got hacked about 6 years ago??? I got the letter in the mail that the DoD had been hacked, and all my personal information, my dependents' information, and the personal information of the people I used as references on my security clearance application was compromised. If they can hack DoD, they can hack anyone else. "Industry standard encryption"??? ....yeah, Bank of America and Target were using that when they got hacked.

Have I Been Pwned: Pwned Passwords ~ Yep, I'm in there. Several times. All those companies bragged about their "encryption that meets the best industry standards" then they did the walk of shame.

 
Do you work in infosec? Tell us what you know then. Two factor and complex passwords are not the same thing.

No, I don't work *in* infosec, but I work very closely with them in cloud computing and data platforms, and work with clients that have a lot more regulatory and commercial sensitivity constraints than scubaboard.

Did you actually read my response, or just see familiar words and try to pick it apart? I was using the age-old, yet entirely false, premise of complex passwords being secure to draw a parallel with exactly what is going on with every second online service today - that because some situations and incarnations of 2FA have been implemented by trusted organisations, suddenly every man and his website think that 2FA is going to solve the world's security problems. Newsflash. It's not.

Example. I am coming across an increasing number of websites that don't even require me to use a password. I just enter my email address, then get sent a one-time link to log in. That's taken the "2" out of 2FA, but now totally skipped the "first" authentication method.

Then to implement 2FA, you can either do it from scratch, which is not easy to do properly and requires substantial investment. Or you rely on third-party tools, products and services - all of which come with their own problems, dependencies, vulnerabilities, terms & conditions and security holes. It's very easy to end up in a mess of cookies and tokens and redirects, each of which is a potential security hole.
 
What do you recommend to improve the security against scammers and the obtuse bots?

Sincere question.
Stop trusting the internet
Don't use the classifieds section here (or anywhere you don't know the person personally)
 
What do you recommend to improve the security against scammers and the obtuse bots?

Sincere question.
As has been pointed out above, since technology is not going to totally solve the scam problem, ultimately people have to protect themselves.

So, in addition to any of the proposed techniques that get implemented, how about helping people sniff out a scam by automatically generating a post (assuming that is a Xenforo (?) feature) with a canned set of words (or a link to a page with the words) after each Classified post providing info on:
- red flags to watch out for when buying or selling
- scam techniques seen on SB
- signs that lend credence that the other party is a legit SB member vice scammer
- existence of/how to get to Trader History
- use payment methods that are protected
- etc.

There's a little of the above in the Special Rules for Classifieds but providing a more complete set of info and placing it directly in front of people when considering selling or buying feels like it would help raise their awareness.

A properly worded introduction should be included to put the amount of scamming in the proper perspective and to not unduly cast a cloud over Classified transactions.

Food for thought (or chum in the water!).
 