Suggestion Require Two-factor authentication for Classified privileges

OP
Brett Hatch
ScubaBoard Supporter
Staff member
Location
Monterey Bay
Please upvote or downvote
If you are for this 2FA idea, please upvote this post, and if you are against it, please downvote. Upvote/downvote buttons are the triangles on the right side of this post. This will help us to gauge how the community feels about this idea.

Background
ScubaBoard has a perennial problem of scammers. They usually show up in the Classified sections, or send Private Messages (PMs) to users who have Classified threads up. Currently, ScubaBoard's Classifieds sections and Private Message privileges are granted once a SB account has been somewhat active in the community. But we do not require Two Factor Authentication (2FA) for these privileges.

What is the suggestion?
I propose that we start requiring 2FA before granting access to the Classified section, as well as Private Messages. The purpose of this is to help reduce the frequency and effectiveness of scams on ScubaBoard.

What is the problem?
There are a few common flavors of scammers:

- An existing account is hijacked by a scammer, and the scammer benefits from the account's good standing in the community.

This usually affects an account whose credentials are the same as some other website, and the credentials have been leaked. This type of scammer is harder to spot than the new account, because people really do come and go on ScubaBoard. Legitimately taking a break for a few years and then coming back to sell off some gear is a pretty common situation that's not a scam. Requiring 2FA for Classified and PM privileges would address most of this type of scam, since it would be much more difficult to hijack the SB account in the first place.

- A scammer makes a new account, reaches the threshold required for Classified and/or Private Message privileges, and then tries to scam people.

I don't think 2FA helps much against this type of scam. It would put one more barrier up in front of potential scammers, which is always helpful in the same way that even a weak bike lock still helps prevent bike theft. But, scammers can do the steps to enable 2FA for their new scam account, and go on to attempt to scam people.

What is 2FA, how do I turn it on, and why is it helpful?
ScubaBoard already has two-factor authentication (2FA) built-in. It is currently optional, and you can turn it on in your security preferences. I highly recommend that all ScubaBoard users turn it on right away. I strongly recommend turning it on for other websites as well, especially sensitive ones like your email, your bank, your investments. It is one of the simplest, most effective security measures, because it means that even if your password is guessed or leaked, an attacker cannot use your password to sign into your account.

There are several types of 2FA. ScubaBoard supports email-based 2FA and app-based 2FA. App-based 2FA is more secure, and is most recommended. Email-based 2FA is less secure than app-based, but it is still much more secure than nothing. The reason email is less secure than an app is that if your email is compromised as well as your ScubaBoard account, then the 2FA offers no protection. This risk can be mitigated by enabling 2FA on your email as well, which of course I recommend, and do so myself.
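As an added illustration (not code from the thread or from ScubaBoard itself) of why app-based 2FA does not depend on a mailbox: authenticator apps implement TOTP (RFC 6238, built on RFC 4226 HOTP), where the phone and the site share a secret at enrolment and each code is an HMAC over the current 30-second time step, so nothing is delivered over email that an attacker who already holds the mailbox could read. Whether ScubaBoard's app-based option is exactly this scheme is not stated in the thread and is assumed here. The code uses only the Python standard library; the secret is the RFC test vector secret and the base32 string is a constructed sample, not a real enrolment.

```python
"""Added example: TOTP as used by authenticator apps (RFC 6238 over RFC 4226 HOTP).

Standard library only. RFC_TEST_SECRET is the published RFC test secret;
EXAMPLE_BASE32_SECRET is a constructed sample of the form a QR enrolment code carries.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

# Constructed base32 secret, as an authenticator app would receive it at enrolment.
EXAMPLE_BASE32_SECRET = "JBSWY3DPEHPK3PXP"


def decode_base32_secret(text: str) -> bytes:
    """Decode an authenticator-app secret (base32, usually shown without padding)."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (no network needed)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                window: int = 1, digits: int = 6) -> Optional[int]:
    """Return the time-step counter the code matches, or None.

    A window of +/-1 step tolerates clock drift between phone and server.
    The comparison is constant-time so the verifier does not leak which digits matched.
    """
    counter = at // step
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


class TotpVerifier:
    """Server-side verifier that also refuses replay of an already-accepted code.

    Without this, a code seen once (e.g. over a shoulder) stays valid for the
    whole drift window, 2*window+1 time steps.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = -1  # highest counter accepted so far

    def check(self, code: str, at: int) -> bool:
        matched = verify_totp(self.secret, code, at, self.step, self.window, self.digits)
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits).
    for t, expected in [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]:
        assert totp(RFC_TEST_SECRET, t, digits=8) == expected
    verifier = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print("first use accepted:", verifier.check(code, 59))  # True
    print("replay accepted:", verifier.check(code, 70))     # False
```

The security property the thread relies on is visible in `totp`: the only inputs are the shared secret and the clock, so an attacker who has taken over the user's email gains nothing, whereas an emailed code is exactly what that attacker can read. The replay check in `TotpVerifier` is the other detail a server needs; accepting a matched code twice inside the drift window is a common implementation slip.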

Commentary
ScubaBoard members are generally suspicious of new accounts, and are great at reporting suspicious activity. A huge thank-you to those of you who report possible scammers! Please, please keep doing this, it is the main way mods notice scams! The Mod Squad is spread around the globe, so we see the reports pretty quickly, and once we look into an account, it is usually obvious to the mods that they are a scammer. Most of the time, we get word of the scammer and ban them before any scam takes place, but of course we can't guarantee this, and unfortunately the scammers are sometimes successful.

Other ideas I've seen
- Increasing the threshold for Classified and PM privileges. For example, we could require 100 posts
Pro: helps with the "new account" type of scammer
Con: doesn't do much for hijacked accounts
Con: inhibits legitimate users who just don't have that many posts yet

- Make it more difficult, or impossible, to use VPNs to use ScubaBoard. A VPN conceals the user's IP address
Pro: scammers use VPNs to conceal their identity, so it would help prevent some scammers entirely
Pro: if we ban the IP address of a known scammer, it would make it more difficult for the same scammer to use a new IP address and a new account to try another scam
Con: some legitimate users use VPNs for reasons besides scams; such users would need to disable their VPN while using ScubaBoard

- Require a text message (SMS) to verify the account. This suggestion is a bit like 2FA, but uses text messages instead of an app or email
Pro: Scammers would need a phone number in order to attempt a scam. Acquiring a phone number is a hurdle to get over, and often is not free
Con: Sending text messages costs money, and ScubaBoard would need to pay those costs. ScubaBoard also is not set up for this, and we would likely need to purchase more software and some cloud service to send out the SMS messages

- Only allow ScubaBoard Supporters and Sponsors Classified / PM privileges
Pro: we'd put a financial barrier in front of scammers, so new accounts would need to pay money in order to attempt their scam.
Con: this would be very alienating to users who are not interested in (or not able to) become a ScubaBoard supporter
Con: this would not eliminate risk from hijacked accounts that are already ScubaBoard supporters

Suggestions?
If you have any other ideas about how to address scammers on ScubaBoard, I would be happy to hear about them. You can post in this thread, or you can send me a PM. Thank you.
 
If there is so much pushback on 2FA that it is challenging to get support, I think something less alienating than making someone pay to be a supporter would be to have a separate tier that charges a user something like $5/year to be a seller AND buyer. This seems like a good middle ground. If I were to be selling an $800 reg set, I'd gladly pay $5 annually even if I sell something once. If I were looking for a reg set, I'd feel a little bit better if I know the seller paid a fee to post the item.

Education is key, though, and unfortunately people aren't always educated on how to protect themselves online.
 
Folks, I just want to clear up a few things, in case they were lost in the wall of text of the OP.

What's being proposed here is that an account must have 2FA enabled in order to gain access to Classifieds and PMs. Users who don't use either of these would not be affected in any way. 2FA is a step that a user takes after typing in their username and password at the login page. Personally, I always check the "Stay Logged In" box, so I type in my password and a 2FA token once per month on my laptop, and once per month on my cell phone.

The point of this is to reduce the likelihood of accounts being hijacked. It doesn't make this impossible, but it does make it much, much more difficult. It is true that if a hijacker also has access to the SB user's email address then the hijacker can get around email-based 2FA. But, gaining access to that email is already a second factor. Also, app-based 2FA is currently supported, and recommended, because app-based 2FA does not have this problem.

It has been pointed out in this thread that the 2FA proposal doesn't do squat for the type of scammer that repeatedly uses new accounts. That's entirely true. I don't see any one solution available that solves both of these problems, so we are looking at adding other options for new account scammers. A few suggestions in this thread could help here, such as a nominal fee for Classified permissions, a higher post count for permissions, blocking VPNs, and so on. I can see how these would work, and in the back room the mod squad is weighing the pros and cons.

I do take the point that one option available to us is to do nothing. Because the only ScubaBoard policy that could completely bulletproof against scams is to eliminate Classifieds entirely. I don't think most of us want that. Another thing we could say is, if you are naive enough to get yourself scammed, too bad for you, better luck next time. At the end of the day, it is up to all of you to protect yourselves, but the Board itself can take some reasonable steps to make it a less scammy place, even if we can't eliminate it entirely. As divers, I think most of us are all on board with the idea that risk that cannot be eliminated can at least be managed.

I'll share one anecdote that y'all might find interesting. A few years ago, one of our moderators had gone inactive for a while, I guess they decided to take a break from ScubaBoard. One day about a year ago, the mod showed back up. They were acting a little weird, and pretty soon reports came in that the mod was trying to scam people. With the mod powers, they were able to create a lot of havoc in the back room at the same time. Pretty soon we realized that the account had been hijacked, and we were able to push the hijacker out before they caused any serious damage, and I don't believe any of their scam attempts were successful.

I think that the moderator account must have had the same password as some other website that was leaked, or had a very weak password, something along these lines. After that fiasco last year, we did some introspection on our mod permissions, and made a number of changes. I won't describe all of the changes here, but one of them was to require that all moderators and admins have 2FA enabled. There was some initial grumbling over this, because nobody likes change, nobody likes to learn another thingie, or to have to push another button. But pretty soon, we all got over it, and now we are much, much more certain that this same problem won't happen again any time soon.

Thank you for all of your suggestions, this thread has been very productive, and I hope it continues to be.
 
I would gladly give up classifieds, but PMs are very useful for discussions that don't need to clutter up the main threads (such as scheduling dives) and I definitely don't want to see them 2FA restricted. Doing so will either push a lot of less relevant conversations onto the forums or else prevent them from happening at all.
 
Fine, then don’t use them but speak for yourself.
 
Set up an optional “authorized” secure path for buying and selling and leave the rest of the message board including PMs out of it. Those that choose to color outside the lines do so at their own risk.
 