Suggestion Require Two-factor authentication for Classified privileges

[Brett Hatch]

Please upvote or downvote
If you are for this 2FA idea, please upvote this post, and if you are against it, please downvote. Upvote/downvote buttons are the triangles on the right side of this post. This will help us to gauge how the community feels about this idea.

Background
ScubaBoard has a perennial problem of scammers. They usually show up in the Classified sections, or send Private Messages (PMs) to users who have Classified threads up. Currently, ScubaBoard's Classifieds sections and Private Message privileges are granted once a SB account has been somewhat active in the community. But we do not require Two Factor Authentication (2FA) for these privileges.

What is the suggestion?
I propose that we start requiring 2FA before granting access to the Classified section, as well as Private Messages. The purpose of this is to help reduce the frequency and effectiveness of scams on ScubaBoard.

What is the problem?
There are a few common flavors of scammers:

- An existing account is hijacked by a scammer, and the scammer benefits from the account's good standing in the community.

This usually affects an account whose credentials are the same as some other website, and the credentials have been leaked. This type of scammer is harder to spot than the new account, because people really do come and go on ScubaBoard. Legitimately taking a break for a few years and then coming back to sell off some gear is a pretty common situation that's not a scam. Requiring 2FA for Classified and PM privileges would address most of this type of scam, since it would be much more difficult to hijack the SB account in the first place.

- A scammer makes a new account, reaches the threshold required for Classified and/or Private Message privileges, and then tries to scam people.

I don't think 2FA help much against this type of scam. It would put one more barrier up in front of potential scammers, which is always helpful in the same way that even a weak bike lock still helps prevent bike theft. But, scammers can do the steps to enable 2FA for their new scam account, and go on to attempt to scam people.

What is 2FA, how do I turn it on, and why it is helpful?
ScubaBoard already has two-factor authentication (2FA) built-in. It is currently optional, and you can turn it on in your security preferences. I highly recommend that all ScubaBoard users turn it on right away. I strongly recommend turning it on for other websites as well, especially sensitive ones like your email, your bank, your investments. It is one of the simplest, most effective security measures, because it means that even if your password is guessed or leaked, an attacker cannot use your password to sign into your account.

There are several types of 2FA. ScubaBoard supports email-based 2FA and app-based 2FA. App-based 2FA is more secure, and is most recommended. Email-based 2FA is less secure than app-based, but it is still much more secure than nothing. The reason email is less secure than an app is that if your email is compromised as well as your ScubaBoard account, then the 2FA offers no protection. This risk can be mitigated by enabling 2FA on your email as well, which of course I recommend, and do so myself.

Commentary
ScubaBoard members are generally suspicious of new accounts, and are great at reporting suspicious activity. A huge thank-you to those of you who report possible scammers! Please, please keep doing this, it is the main way mods notice scams! The Mod Squad is spread around the globe, so we see the reports pretty quickly, and once we look into an account, it is usually obvious to the mods that they are a scammer. Most of the time, we get word of the scammer and ban them before any scam takes place, but of course we can't guarantee this, and unfortunately the scammers are sometimes successful.

Other ideas I've seen
- Increasing the threshold for Classified and PM privileges. For example, we could require 100 posts
Pro: helps with the "new account" type of scammer
Con: doesn't do much for hijacked accounts
Con: inhibits legitimate users who just don't have that many posts yet

- Make it more difficult, or impossible, to use VPNs to use ScubaBoard. A VPN conceals the user's IP address
Pro: scammers use VPNs to conceal their identity, so it would help prevent some scammers entirely
Pro: if we ban the IP address of a known scammer, it would make it more difficult for the same scammer to use a new IP address and a new account to try another scam
Con: some legitimate users use VPNs for reasons besides scams; such users would need to disable their VPN while using ScubaBoard

- Require a text message (SMS) to verify the account. This suggestion is a bit like 2FA, but uses text messages instead of an app or email
Pro: Scammers would need a phone number in order to attempt a scam. Acquiring a phone number is a hurdle to get over, and often is not free
Con: Sending text messages costs money, and ScubaBoard would need to pay those costs. ScubaBoard also is not set up for this, and we would likely need to purchase more software and some cloud service send out the SMS messages

- Only allow ScubaBoard Supporters and Sponsors Classified / PM privileges
Pro: we'd put a financial barrier in front of scammers, so new accounts would need to pay money in order to attempt their scam.
Con: this would be very alienating to users who are not interested in (or not able to) become a ScubaBoard supporter
Con: this would not eliminate risk from hijacked accounts that are already ScubaBoard supports

Suggestions?
If you have any other ideas about how to address scammers on ScubaBoard, I would be happy to hear about them. You can post in this thread, or you can send me a PM. Thank you.

 

[flymolo]

Adding an app means increased battery usage, decreased resources available for the apps you want to be using, decreased privacy, and an additional security risk.

I just looked at the settings and you recommend Google Authenticator or Authy. Both are pervasive and collect a bunch of unnecessary data which they sell off for advertising purposes. The developers of Authy was also just hacked.

Twilio Confirms Data Breach After Hackers Leak 33M Authy User Phone Numbers

Twilio has confirmed a data breach after hackers leaked 33 million phone numbers associated with the Authy app.

www.securityweek.com

Twilio found no evidence that the hackers gained access to its systems or that they obtained other sensitive data, but as a precaution urged Authy users to install the latest Android and iOS security updates.

“While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving,” Twilio said.

You’re really going to make the battery usage and system resources argument? Good god. Just launch the app, get the number, type it, and close the app. Use the trivial amount of system resources you just freed up to get a grip. Anyways, there are a million other ways to store a one time passcode token if you don’t like either of those.

And in terms of getting hacked, it’s never a question of if, but when.

 

[lowwall]

You’re really going to make the battery usage and system resources argument? Good god.

Yes I am. Most people get by with older smartphones that were midrange to start with at best. Think about the average demographics of people using the classifieds on this site. We aren't young and we are folks trying to make or save a few bucks. What should that tell you about our phones.

There are a million other ways to store a one time passcode token if you don’t like either of those.

What does this even mean in this context? There are two options given for 2fa on this site, app or e-mail.

And in terms of getting hacked, it’s never a question of if, but when.

Which is why you want to reduce your attack surface, including by not adding superfluous apps. And why you need to think critically about online transactions instead of relying on random bits of tech to protect you.

 

[Tanks A Lot]

There are a wealth of misconceptions in this thread.

• Complex passwords are inherently more secure than shorter, easier passwords. There is not a single study that says otherwise. Not a single tech company that I know of allows short and easy passwords. A complex password must include A-Z, a-z, 0-9, as well as special characters. A nine-character password with the aforementioned characteristics would take a modern PC around a day to crack by brute force; 10 characters hold up around two weeks, 11 characters half a year, 12 characters three years, and at 13 characters, it would take three decades for the password to be brute forced.
• There are a couple of caveats as to why complex passwords can become insecure, but these reasons are always due to user error. Reusing complex passwords can mean that a breach in one service can lead to a breach in all services where this password has been used. Complex passwords have the advantage of protecting against hask cracking techniques. Writing the complex password down on a sticky note is equally a user error. Due to this, the need for changing passwords has largely been abandoned by the tech sector. A good password today is still a good password in three months. If the password was breached, the change after three months will be far too late anyway. The underground sector moves incredibly quick when breaches occur.
• A complex password should not be memorable but locked behind a password vault with a secure master password. This means you just need to remember one complex password or a long passphrase. There are great open-source tools like Bitwarden or more notably KeePass that make remembering complex passwords a thing of the past. For people who find these tools intimidating, the three big tech companies do offer alternatives. I'm well aware of the downsides and breaches of privacy these offers bring along, but for the technically uneducated, they are a great alternative.
• I highly doubt that any scammer has ever used a tool like Hydra to directly brute force the password of a Scubaboard account. In fact, I'm almost certain that the server would be configured to block unsophisticated attempts with Hydra-like tools. The accounts that get breached will have their passwords compromised on a different service. Either it was breached in plaintext or, more commonly, in a hash table. If the password was weak, it is trivial to crack it from its hashed form, either by brute force, rainbow table, dictionary attack, masking attack, or similar methods.

I'm less than happy to read the suggestion about VPN blockage. A lot of what has been said is either misguided or misinformed.

• The reasons to use a VPN are too long to write down here, but suffice it to say that they are an integral part of online usage for many people, myself included.
• Blocking VPNs is close to impossible, as all that can be done to block a VPN for good is blocking its IP address. There are other methods available that try to snoop out VPN-originating requests, but none that is fool-proof. Look at Reddit and their failing attempts to block access via VPNs. It is trivial to circumvent. As VPN server IP addresses change frequently, even IP blocking is only short-lived.
• I must admit I do not know if scammers actually use VPNs on Scubaboard, but looking at the whole industry, these scams often come from "farms" in Africa, India, or Asia. They have no reason to hide their IP addresses via a VPN and, as far as I know, most do not.
• Even if the point is granted that scammers on Scubaboard use VPNs, they are far from the only tool to conceal IP addresses. Shadowsocks, Psiphon, proxies, or Tor are among a plethora of tools to do so.

Two-factor authentication has been proven over and over again to be a great security tool. It is, however, not a magic bullet.

• There are several industry standards, notably TOTP, HOTP, or MOTP. These either use SHA1, SHA256, or SHA512 on a password, often called a "secret." This is not to be confused with your real password for the service. The other important factor is the number of digits for the 2FA, as well as the refresh time, usually between 30 to 90 seconds. With these parameters, it is a simple calculation to determine what the next 2FA token will be. There are very rare exceptions to this rule, Steam or Yandex being among them.
• 2FA is usually never tied to a certain app or platform. As per the above standards, any app or software for 2FA can calculate the tokens for any service.
• There are great open-source alternatives to the well-known offerings from Google or Microsoft. Bitwarden, KeePass, or Aegis for Android, for example, which is also available on F-Droid, so Google will never have to be touched. There is no drain on the battery, except when the app is used, of course. This impact is absolutely minuscule.
• App-based 2FA has been breached in the past, but always required social engineering. Calls late at night from the "IT-Team" are just one example. No one would go through that trouble for a Scubaboard account. Other methods that involved clearer usage of session cookies have been used as well, but are of no interest to us here at Scubaboard. This is way out of scope!
• I want to reiterate that 2FA has nothing to do with a phone, it can be equally set up on your computer. There are programs for MacOS, Linux and Windows to do so. You don't have to go up and get your phone.

For the original suggestion to make sense, a few points must be considered.

• Insecure 2FA methods like email or SMS must not be allowed. Although I highly doubt that anyone would go through the trouble of SIM swapping to gain access to a Scubaboard account. Email is by far the worst, as compromised accounts often get compromised due to password reuse. A compromised Scubaboard account should be considered a compromised email account.
• The 2FA must not be resettable via email or any other way besides reset tokens that the user received upon 2FA enabling.
• 2FA is trivial to add to any account, for the legitimate owner of the account or an adversary.
• If access to the Classifieds is locked behind 2FA, it would only make sense when 2FA is activated at account creation. It is impossible for anyone to distinguish between a legitimate owner enabling 2FA at a later date or an adversary doing it.

I'm all for 2FA and believe either tokens or passkeys should be mandatory for any account online. Unfortunately, due to the last two points stated above, I do not think that the original suggestion would make any change at all. If not implemented at account creation, 2FA grants no added security against scammers whatsoever. The only solution would be to mandate 2FA from now on, going forward. Unfortunately, as can be seen in the thread, this would alienate a lot of users, albeit for mostly misguided reasons.

 

[flymolo]

Yes I am. Most people get by with older smartphones that were midrange to start with at best. Think about the average demographics of people using the classifieds on this site. We aren't young and we are folks trying to make or save a few bucks. What should that tell you about our phones.


What does this even mean in this context? There are two options given for 2fa on this site, app or e-mail.


Which is why you want to reduce your attack surface, including by not adding superfluous apps. And why you need to think critically about online transactions instead of relying on random bits of tech to protect you.

Honestly I think you should just do some reading on the topic. I don't think there's anyone in the security field making the claim that app-based 2 factor authentication makes you less secure or is at all heavyweight.

 

[lowwall]

There are a wealth of misconceptions in this thread.

• Complex passwords are inherently more secure than shorter, easier passwords. There is not a single study that says otherwise. Not a single tech company that I know of allows short and easy passwords. A complex password must include A-Z, a-z, 0-9, as well as special characters. A nine-character password with the aforementioned characteristics would take a modern PC around a day to crack by brute force; 10 characters hold up around two weeks, 11 characters half a year, 12 characters three years, and at 13 characters, it would take three decades for the password to be brute forced.

You danced around it with your wording, but the problem is with short passwords. Complex password requirements were added in an attempt to work around the limitation in password length - often less than 8 characters - in early systems.

The solution is longer passwords which literally exponentially increases the difficulty of attack instead of geometrically increasing in by making the character set larger. Complex passwords have stuck around long after the length limitation disappeared only because uninformed people think it looks stronger.

Modern best practices specifically disavow complex passwords.

Password strength - Wikipedia

en.m.wikipedia.org

The forcing of lowercase, uppercase alphabetic characters, numbers, and symbols in passwords was a common policy but has been found to decrease security, by making it easier to crack. Research has shown how predictable the common use of such symbols are, and the US,[33] UK[34] government cyber security departments advise against forcing their inclusion in password policy. Complex symbols also make remembering passwords much harder, which increases writing down, password resets, and password reuse – all of which lower rather than improve password security. The original author of password complexity rules, Bill Burr, has apologized and admits they decrease security, as research has found; this was widely reported in the media in 2017.[35] Online security researchers[36] and consultants are also supportive of the change[37] in best practice advice on passwords.