Suggestion Require Two-factor authentication for Classified privileges


OP
Brett Hatch

ScubaBoard Supporter, Staff member, Location: Monterey Bay

A ScubaBoard Staff Message...

Edit August 22 2024: We've decided not to require 2FA, but have made a few changes. See post #101 in this thread for a summary. Thanks everybody who provided their input on this!


Please upvote or downvote
If you are for this 2FA idea, please upvote this post, and if you are against it, please downvote. Upvote/downvote buttons are the triangles on the right side of this post. This will help us to gauge how the community feels about this idea.

Background
ScubaBoard has a perennial problem of scammers. They usually show up in the Classified sections, or send Private Messages (PMs) to users who have Classified threads up. Currently, ScubaBoard's Classifieds sections and Private Message privileges are granted once a SB account has been somewhat active in the community. But we do not require Two Factor Authentication (2FA) for these privileges.

What is the suggestion?
I propose that we start requiring 2FA before granting access to the Classified section, as well as Private Messages. The purpose of this is to help reduce the frequency and effectiveness of scams on ScubaBoard.

What is the problem?
There are a few common flavors of scammers:

- An existing account is hijacked by a scammer, and the scammer benefits from the account's good standing in the community.

This usually affects an account whose credentials are the same as some other website, and the credentials have been leaked. This type of scammer is harder to spot than the new account, because people really do come and go on ScubaBoard. Legitimately taking a break for a few years and then coming back to sell off some gear is a pretty common situation that's not a scam. Requiring 2FA for Classified and PM privileges would address most of this type of scam, since it would be much more difficult to hijack the SB account in the first place.

- A scammer makes a new account, reaches the threshold required for Classified and/or Private Message privileges, and then tries to scam people.

I don't think 2FA helps much against this type of scam. It would put one more barrier up in front of potential scammers, which is always helpful in the same way that even a weak bike lock still helps prevent bike theft. But scammers can do the steps to enable 2FA for their new scam account, and go on to attempt to scam people.

What is 2FA, how do I turn it on, and why is it helpful?
ScubaBoard already has two-factor authentication (2FA) built-in. It is currently optional, and you can turn it on in your security preferences. I highly recommend that all ScubaBoard users turn it on right away. I strongly recommend turning it on for other websites as well, especially sensitive ones like your email, your bank, your investments. It is one of the simplest, most effective security measures, because it means that even if your password is guessed or leaked, an attacker cannot use your password to sign into your account.

There are several types of 2FA. ScubaBoard supports email-based 2FA and app-based 2FA. App-based 2FA is more secure, and is most recommended. Email-based 2FA is less secure than app-based, but it is still much more secure than nothing. The reason email is less secure than an app is that if your email is compromised as well as your ScubaBoard account, then the 2FA offers no protection. This risk can be mitigated by enabling 2FA on your email as well, which of course I recommend, and do so myself.

Commentary
ScubaBoard members are generally suspicious of new accounts, and are great at reporting suspicious activity. A huge thank-you to those of you who report possible scammers! Please, please keep doing this, it is the main way mods notice scams! The Mod Squad is spread around the globe, so we see the reports pretty quickly, and once we look into an account, it is usually obvious to the mods that they are a scammer. Most of the time, we get word of the scammer and ban them before any scam takes place, but of course we can't guarantee this, and unfortunately the scammers are sometimes successful.

Other ideas I've seen
- Increasing the threshold for Classified and PM privileges. For example, we could require 100 posts
Pro: helps with the "new account" type of scammer
Con: doesn't do much for hijacked accounts
Con: inhibits legitimate users who just don't have that many posts yet

- Make it more difficult, or impossible, to use VPNs to use ScubaBoard. A VPN conceals the user's IP address
Pro: scammers use VPNs to conceal their identity, so it would help prevent some scammers entirely
Pro: if we ban the IP address of a known scammer, it would make it more difficult for the same scammer to use a new IP address and a new account to try another scam
Con: some legitimate users use VPNs for reasons besides scams; such users would need to disable their VPN while using ScubaBoard

- Require a text message (SMS) to verify the account. This suggestion is a bit like 2FA, but uses text messages instead of an app or email
Pro: Scammers would need a phone number in order to attempt a scam. Acquiring a phone number is a hurdle to get over, and often is not free
Con: Sending text messages costs money, and ScubaBoard would need to pay those costs. ScubaBoard also is not set up for this, and we would likely need to purchase more software and some cloud service to send out the SMS messages

- Only allow ScubaBoard Supporters and Sponsors Classified / PM privileges
Pro: we'd put a financial barrier in front of scammers, so new accounts would need to pay money in order to attempt their scam.
Con: this would be very alienating to users who are not interested in (or not able to) become a ScubaBoard supporter
Con: this would not eliminate risk from hijacked accounts that are already ScubaBoard supporters

Suggestions?
If you have any other ideas about how to address scammers on ScubaBoard, I would be happy to hear about them. You can post in this thread, or you can send me a PM. Thank you.
 
Hard no. I passionately hate 2FA and don't see the problem as being big enough to need attention.
 
A scam is successful when the seller receives money and the buyer doesn't receive the product.
The only way to make a scam unsuccessful, is by using an escrow service.
No product received? Then the money is returned.

But SB is not an escrow service, so the best option is to make the scam as difficult as possible. 2 years ago, SB added a minimum-post-count-requirement and seller-reputation add-on.
The number of scams decreased, but the ones that were posted were a bit more sophisticated. In several scams, hacked accounts were involved. And those details are never posted publicly; scam reports from SB members are only discussed in the backroom.

2FA is an additional security measure which would be required when starting a new thread in a classifieds subforum. If you never sell anything (= start a thread in classifieds), the requirement doesn't apply to you.
 
No, I don't work *in* infosec, but I work very closely with them in cloud computing and data platforms, and work with clients that have a lot more regulatory and commercial sensitivity constraints than scubaboard.

Did you actually read my response, or just see familiar words and try to pick it apart? I was using the age-old, yet entirely false premise of complex passwords being secure to draw a parallel with exactly what is going on with every second online service today - that because some situations and incarnations of 2FA have been implemented by trusted organisations, suddenly every man and his website think that 2FA is going to solve the world's security problems. Newsflash. It's not.

Example. I am coming across an increasing number of websites that don't even require me to use a password. I just enter my email address, then get sent a one-time link to log in. That's taken the "2" out of 2FA, but now totally skipped the "first" authentication method.

Then to implement 2FA, you can either do it from scratch, which is not easy to do properly and requires substantial investment. Or you rely on third-party tools, products and services - all of which come with their own problems, dependencies, vulnerabilities, terms & conditions and security holes. It's very easy to end up in a mess of cookies and tokens and redirects, each of which is a potential security hole.

“No I don’t work in infosec but I work very closely with them”. That’s a big lol from me. What you’re saying is that you’re non-technical and don’t know what you’re talking about. 2FA works extremely well and is not prone to hacking as long as it is of the non-SMS variety. It’s also very easy to implement.

The “age old” parallel you drew to complex passwords is irrelevant because anyone reasonably technical or in the know (i.e. not you) would tell you that passwords alone are not sufficient.

Still waiting for you to tell us what *is* a better solution.
 
“No I don’t work in infosec but I work very closely with them”. That’s a big lol from me. What you’re saying is that you’re non-technical and don’t know what you’re talking about. 2FA works extremely well and is not prone to hacking as long as it is of the non-SMS variety. It’s also very easy to implement.

No, it means that I've been in the IT game for 3 decades, in large enterprises, consulting and advising large enterprises on application, integration, data, and security strategy for much of that. I do not call myself an info sec expert, but I am quite confident that I qualify more than most here to comment on the topic.

SMS-based 2FA is poor, and also costly for the service provider. Email-based 2FA is atrocious. And so many implementations of 2FA for low-security websites (like forums) err on the side of convenience for resetting lost auth tokens. I'm not sure what SB's process is, but I've used many sites where, if you lose your 2FA token, you just reset your password using an email link. Oh look, my email got hacked, and now they can bypass all my 2FA.

The “age old” parallel you drew to complex passwords is irrelevant because anyone reasonably technical or in the know (i.e. not you) would tell you that passwords alone are not sufficient.

Still waiting for you to tell us what *is* a better solution.

You still haven't grasped my reference. The parallel I draw is completely valid. It is not to do with the technical approach. It is to do with the fact that at some point, someone decided that approach "A" provided superior security, and everyone else thought it was a good idea. It was later shown that approach "A" actually provides inferior security whilst also increasing inconvenience. But everyone still employs approach "A".

The vast number of poorly thought out implementations of 2FA/MFA that are appearing out in the wild is repeating the mistake that the great idea of enforcing complex passwords that need to be changed every 3 months does - it provides the appearance of increased security whilst actually decreasing security and increasing inconvenience. And before you get on your high horse about me claiming that MFA doesn't provide increased security, I'm not! I'm claiming that the many *poor implementations* of it do not necessarily increase security as much as they claim.

I'm not saying that I have a better solution. But throwing a 2FA hammer at every nail and screw isn't going to fix every problem. There are plenty of posts above this one that have some great ideas. Be smart, don't be naive, don't be gullible, take responsibility for your actions, online and in life.
 
If blocking VPNs will cut down on the AI bots then do it. As for sales rip-offs, I think personal responsibility takes the lead; perhaps update the sticky on scam avoidance and require checking a box before being able to respond to a seller, or something like that.

After all of that maybe set up roving regional security squads to visit scammers…
 
No, it means that I've been in the IT game for 3 decades, in large enterprises, consulting and advising large enterprises on application, integration, data, and security strategy for much of that. I do not call myself an info sec expert, but I am quite confident that I qualify more than most here to comment on the topic.

SMS-based 2FA is poor, and also costly for the service provider. Email-based 2FA is atrocious. And so many implementations of 2FA for low-security websites (like forums) err on the side of convenience for resetting lost auth tokens. I'm not sure what SB's process is, but I've used many sites where, if you lose your 2FA token, you just reset your password using an email link. Oh look, my email got hacked, and now they can bypass all my 2FA.



You still haven't grasped my reference. The parallel I draw is completely valid. It is not to do with the technical approach. It is to do with the fact that at some point, someone decided that approach "A" provided superior security, and everyone else thought it was a good idea. It was later shown that approach "A" actually provides inferior security whilst also increasing inconvenience. But everyone still employs approach "A".

The vast number of poorly thought out implementations of 2FA/MFA that are appearing out in the wild is repeating the mistake that the great idea of enforcing complex passwords that need to be changed every 3 months does - it provides the appearance of increased security whilst actually decreasing security and increasing inconvenience. And before you get on your high horse about me claiming that MFA doesn't provide increased security, I'm not! I'm claiming that the many *poor implementations* of it do not necessarily increase security as much as they claim.

I'm not saying that I have a better solution. But throwing a 2FA hammer at every nail and screw isn't going to fix every problem. There are plenty of posts above this one that have some great ideas. Be smart, don't be naive, don't be gullible, take responsibility for your actions, online and in life.

Yeah, that's why I said "non-SMS based 2FA". What does work are software tokens (e.g. the ones you store in an application like Google Authenticator) and recovery codes as a backup means of authentication if the token is lost along with a phone or its data is deleted.

I'm not talking about poor implementations. It's easy to do it the right way, and guess what, ScubaBoard already offers 2FA via a software token.

And yes I agree that properly educating users is still the best defense, but making it harder for scammers to gain control of accounts is also important.
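The OP's description of app-based 2FA and this reply's point about software tokens plus recovery codes both come down to a small amount of server-side logic. The block below is an added example, not ScubaBoard's code nor that of its forum software, and the account structure, the `login` function and the sample password are constructed for the demo; the TOTP secret is the RFC 6238 test-vector key (base32 of "12345678901234567890"), used so the codes can be checked against the published vectors. It shows why a leaked password alone does not get an attacker in, why a code seen once cannot be replayed, and how one-time recovery codes stand in for a lost authenticator without falling back to a plain emailed password-reset link.

```python
"""Added example (not ScubaBoard's or its forum software's code): what app-based
2FA (TOTP, RFC 6238) and backup recovery codes actually check at login.
Account layout, login(), and sample values are constructed for the demo."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30      # TOTP time step in seconds (what authenticator apps use)
DIGITS = 6     # length of the code the app displays

# RFC 6238 test-vector key: base32 of the ASCII string "12345678901234567890".
# A real deployment generates a fresh random secret per user and shows it once as a QR code.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_code(secret_b32: str, at_time: int) -> str:
    """The code the authenticator app shows at `at_time` (seconds since the Unix epoch)."""
    return hotp(base64.b32decode(secret_b32.upper()), at_time // STEP)


def verify_totp(secret_b32: str, code: str, at_time: int, last_counter: int, window: int = 1):
    """Return the accepted time-step counter, or None.

    Accepts the current step plus/minus `window` steps to tolerate clock drift,
    compares in constant time, and refuses any counter at or below the last one
    accepted, so a code that was observed once cannot be replayed within its window.
    """
    secret = base64.b32decode(secret_b32.upper())
    now_counter = at_time // STEP
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter > last_counter and hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def new_recovery_codes(count: int = 8):
    """Generate one-time backup codes; the server keeps only their hashes."""
    codes = [secrets.token_hex(8) for _ in range(count)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_recovery_code(stored_hashes: set, code: str) -> bool:
    """Burn a recovery code: valid only while its hash is still stored, then removed."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; iteration count kept modest so the demo runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login(account: dict, password: str, second_factor: str, at_time: int) -> bool:
    """Two-step check: the password first, then a TOTP code or an unused recovery code."""
    if not hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"]):
        return False
    counter = verify_totp(account["totp_secret"], second_factor, at_time, account["last_counter"])
    if counter is not None:
        account["last_counter"] = counter   # remember it so the same code cannot be reused
        return True
    return redeem_recovery_code(account["recovery_hashes"], second_factor)


def demo_account(password: str = "correct horse", secret_b32: str = RFC_TEST_SECRET_B32):
    """Constructed account record plus the plaintext recovery codes shown to the user once."""
    salt = secrets.token_bytes(16)
    codes, hashes = new_recovery_codes()
    account = {"salt": salt, "pw_hash": hash_password(password, salt),
               "totp_secret": secret_b32, "last_counter": -1, "recovery_hashes": hashes}
    return account, codes


if __name__ == "__main__":
    acct, codes = demo_account()
    t = 59   # RFC 6238 vector: the app shows 287082 at this instant for the test key
    app_code = totp_code(acct["totp_secret"], t)
    print("leaked password, guessed code 000000:", login(acct, "correct horse", "000000", t))
    print("password + app code:", login(acct, "correct horse", app_code, t))
    print("same app code replayed:", login(acct, "correct horse", app_code, t))
    print("password + recovery code:", login(acct, "correct horse", codes[0], t + 60))
    print("recovery code reused:", login(acct, "correct horse", codes[0], t + 60))
```

The recovery path here is the hashed one-time codes, not an emailed reset link, which is the weakness one reply above describes: if the only way back in after losing the token is "reset your password by email", then whoever controls the mailbox has bypassed the second factor. Rate-limiting attempts on the six-digit code is the other piece a real deployment needs and is left out of the demo.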
 
If blocking VPNs will cut down on the AI bots then do it. As for sales rip-offs, I think personal responsibility takes the lead; perhaps update the sticky on scam avoidance and require checking a box before being able to respond to a seller, or something like that.

After all of that maybe set up roving regional security squads to visit scammers…
I'm not sure VPN has anything to do with bots. It's the connection that's encrypted, not the user. I could set up a bot on my PC to run over my VPN connection. If a bot can run on an HTTPS connection, it can run on a VPN.
 
I'm not sure VPN has anything to do with bots. It's the connection that's encrypted, not the user. I could set up a bot on my PC to run over my VPN connection. If a bot can run on an HTTPS connection, it can run on a VPN.
I’m also not sure but if it could help I’m all for it
 