Suggestion Require Two-factor authentication for Classified privileges


OP: Brett Hatch (ScubaBoard Supporter, Staff member; Monterey Bay)


A ScubaBoard Staff Message...

Edit August 22 2024: We've decided not to require 2FA, but have made a few changes. See post #101 in this thread for a summary. Thanks everybody who provided their input on this!


Please upvote or downvote
If you are for this 2FA idea, please upvote this post, and if you are against it, please downvote. Upvote/downvote buttons are the triangles on the right side of this post. This will help us to gauge how the community feels about this idea.

Background
ScubaBoard has a perennial problem of scammers. They usually show up in the Classified sections, or send Private Messages (PMs) to users who have Classified threads up. Currently, ScubaBoard's Classifieds sections and Private Message privileges are granted once a SB account has been somewhat active in the community. But we do not require Two Factor Authentication (2FA) for these privileges.

What is the suggestion?
I propose that we start requiring 2FA before granting access to the Classified section, as well as Private Messages. The purpose of this is to help reduce the frequency and effectiveness of scams on ScubaBoard.

What is the problem?
There are a few common flavors of scammers:

- An existing account is hijacked by a scammer, and the scammer benefits from the account's good standing in the community.

This usually affects an account whose credentials are the same as some other website, and the credentials have been leaked. This type of scammer is harder to spot than the new account, because people really do come and go on ScubaBoard. Legitimately taking a break for a few years and then coming back to sell off some gear is a pretty common situation that's not a scam. Requiring 2FA for Classified and PM privileges would address most of this type of scam, since it would be much more difficult to hijack the SB account in the first place.

- A scammer makes a new account, reaches the threshold required for Classified and/or Private Message privileges, and then tries to scam people.

I don't think 2FA helps much against this type of scam. It would put one more barrier up in front of potential scammers, which is always helpful in the same way that even a weak bike lock still helps prevent bike theft. But, scammers can do the steps to enable 2FA for their new scam account, and go on to attempt to scam people.

What is 2FA, how do I turn it on, and why is it helpful?
ScubaBoard already has two-factor authentication (2FA) built-in. It is currently optional, and you can turn it on in your security preferences. I highly recommend that all ScubaBoard users turn it on right away. I strongly recommend turning it on for other websites as well, especially sensitive ones like your email, your bank, your investments. It is one of the simplest, most effective security measures, because it means that even if your password is guessed or leaked, an attacker cannot use your password to sign into your account.

There are several types of 2FA. ScubaBoard supports email-based 2FA and app-based 2FA. App-based 2FA is more secure, and is most recommended. Email-based 2FA is less secure than app-based, but it is still much more secure than nothing. The reason email is less secure than an app is that if your email is compromised as well as your ScubaBoard account, then the 2FA offers no protection. This risk can be mitigated by enabling 2FA on your email as well, which of course I recommend, and do so myself.

Commentary
ScubaBoard members are generally suspicious of new accounts, and are great at reporting suspicious activity. A huge thank-you to those of you who report possible scammers! Please, please keep doing this, it is the main way mods notice scams! The Mod Squad is spread around the globe, so we see the reports pretty quickly, and once we look into an account, it is usually obvious to the mods that they are a scammer. Most of the time, we get word of the scammer and ban them before any scam takes place, but of course we can't guarantee this, and unfortunately the scammers are sometimes successful.

Other ideas I've seen
- Increasing the threshold for Classified and PM privileges. For example, we could require 100 posts
Pro: helps with the "new account" type of scammer
Con: doesn't do much for hijacked accounts
Con: inhibits legitimate users who just don't have that many posts yet

- Make it more difficult, or impossible, to use VPNs to use ScubaBoard. A VPN conceals the user's IP address
Pro: scammers use VPNs to conceal their identity, so it would help prevent some scammers entirely
Pro: if we ban the IP address of a known scammer, it would make it more difficult for the same scammer to use a new IP address and a new account to try another scam
Con: some legitimate users use VPNs for reasons besides scams; such users would need to disable their VPN while using ScubaBoard

- Require a text message (SMS) to verify the account. This suggestion is a bit like 2FA, but uses text messages instead of an app or email
Pro: Scammers would need a phone number in order to attempt a scam. Acquiring a phone number is a hurdle to get over, and often is not free
Con: Sending text messages costs money, and ScubaBoard would need to pay those costs. ScubaBoard also is not set up for this, and we would likely need to purchase more software and some cloud service to send out the SMS messages

- Only allow ScubaBoard Supporters and Sponsors Classified / PM privileges
Pro: we'd put a financial barrier in front of scammers, so new accounts would need to pay money in order to attempt their scam.
Con: this would be very alienating to users who are not interested in (or not able to) become ScubaBoard Supporters
Con: this would not eliminate risk from hijacked accounts that are already ScubaBoard Supporters

Suggestions?
If you have any other ideas about how to address scammers on ScubaBoard, I would be happy to hear about them. You can post in this thread, or you can send me a PM. Thank you.
 
Why go with just one solution?
Requiring someone to have 100 posts just encourages someone to post garbage. I prefer quality over quantity.
Maybe a combination of factors could be used to determine how real someone is. Having 100 posts and being registered for at least a year might be one way and paying to be a sponsor might be another way.
The reaction score might be a better indicator than post count alone.

I also wanted to add that I signed up for 2FA because your post made me aware it was available and I use it where I can. I just wish I could use my Yubikey here.
 
no. No. NO. NOPE.

Same sort of situation existed on another hobby forum (hamateur radio) community I was once active on.

They have a fairly active "swap" section to their site. Somebody had the great idea to require 2FA. It is a pain in the ass to have to go hunt down a phone and launch an authenticator app. But I acquiesced.

Result? It got to be way too much of a bother to trundle off to find the phone somewhere in the other end of the house, make my way to where I started from at the computer, and put in the damnable six digits in the few times a day/week that I'd check in on the site. I got to the point where I almost completely dropped off the site because of the annoyance factor. I can think of only 3 times in the last year that I've gone to the community. The rare occasions where I have to look somebody's contact info up I grumble the whole way to the bedroom and back and it irritates me for a day or so afterwards. Grudges are a separate hobby. It was probably one of the factors that caused me to curtail my on-air (and in-person) activity significantly.

They made EVERYBODY incur extra, frustrating work every time, just to protect the few that couldn't be bothered to protect themselves in the first place.

There are already mechanisms in place for folks to protect themselves. If a guy on the street walks up to you and says "Hey, you got a dive flag bumper sticker, I bought a brand new Scubapro MK11t years ago that I've never had out of the box and I need to go to McWhopper and get a value meal for lunch. I'll sacrifice that regulator for $100 so I can buy lunch before the price edges up much more. If you give me cash, I'll run right home and get it while you stand here and wait." You wouldn't just give him a C-note up front and watch him disappear around the corner. Even if he showed you a driver's license (analogous to 2FA). Don't do that here.

That was easy. PP is not perfect, but they're pretty good. I'm not making excuses, but it's not a perfect world and trying to make it perfekt, well the cost (annoyance to everyone) to protect the few that won't take reasonable precautions to protect themselves, well, the cost outweighs the benefit.

If you want to do something along the 2FA line, maybe require it only for listing in the Classified Sales section. I am still strongly opposed to requiring 2FA just to make DM communication.

Maybe if we posted a pinned thread on each Classified section that had something like

"How to avoid Scams on ScubaBoard..."

 
The ham radio swap/sales sites that I'm familiar with require you to put your QSL card in the photo of the item you're selling.
 

Did you even bother to read the mod posts? Scubaboard already has app-based 2fa available and it’s only required once a month.
 
If you want to do something along the 2FA line, maybe require it only for listing in the Classified Sales section. I am still strongly opposed to requiring 2FA just to make DM communication.

This is what this whole idea was about from the start. But..... selective reading.....
 
Result? It got to be way too much of a bother to trundle off to find the phone somewhere in the other end of the house, make my way to where I started from at the computer, and put in the damnable six digits in the few times a day/week that I'd check in on the site. I got to the point where I almost completely dropped off the site because of the annoyance factor. I can think of only 3 times in the last year that I've gone to the community. The rare occasions where I have to look somebody's contact info up I grumble the whole way to the bedroom and back and it irritates me for a day or so afterwards. Grudges area separate hobby. It was probably one of the factors that caused me to curtail my on-air (and in-person) activity significantly.
What happens if somebody calls you, and you hear your phone ringing in the distance, somewhere on the other end of your house?

If you make it there before your phone stops ringing, will you answer the call in a grumbling mood? Will it irritate you for a day or so afterwards?

I hope your house isn't too big. Because once you read the damnable 6-digit code, you have less than 30 seconds to make it back to your computer and type in the correct code.

The good parts: you train your muscles and your memory.

Other people usually have their phone with them. That's why they're called mobile, they will work basically everywhere.

There is more good news. Although we had weeks of debate about it, ScubaBoard decided to use 2 Factor Authentication without the Annoyance Factor add-on. And no, it won't be installed just for you.

Shall I give you a call?
 
Did you even bother to read the mod posts? Scubaboard already has app-based 2fa available and it’s only required once a month.
Adding an app means increased battery usage, decreased resources available for the apps you want to be using, decreased privacy, and an additional security risk.

I just looked at the settings and you recommend Google Authenticator or Authy. Both are pervasive and collect a bunch of unnecessary data which they sell off for advertising purposes. The developers of Authy were also just hacked.


Twilio found no evidence that the hackers gained access to its systems or that they obtained other sensitive data, but as a precaution urged Authy users to install the latest Android and iOS security updates.

“While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving,” Twilio said.
 
The OP said it was only for the Classified section.
I have been using two part authentication for many decades, from hard tokens for work to email to SMS in general. These are all hurdles and not foolproof. It won't help if the destination (email, phone) is compromised, but that is something you have to protect anyway whether you use 2PA or not.
I don't have a problem with a little more work or inconvenience.
I upvote, though I don't have a dog in the classifieds fight. I don't buy or sell on SB (mostly due to living in Mexico, issues shipping from outside the country and Mex Customs), but it seems that members are being scammed.
2PA can be turned off.
 
