Suggestion Require Two-factor authentication for Classified privileges


OP: Brett Hatch (ScubaBoard Supporter, Staff member)
A ScubaBoard Staff Message...

Edit August 22 2024: We've decided not to require 2FA, but have made a few changes. See post #101 in this thread for a summary. Thanks everybody who provided their input on this!


Please upvote or downvote
If you are for this 2FA idea, please upvote this post, and if you are against it, please downvote. Upvote/downvote buttons are the triangles on the right side of this post. This will help us to gauge how the community feels about this idea.

Background
ScubaBoard has a perennial problem of scammers. They usually show up in the Classified sections, or send Private Messages (PMs) to users who have Classified threads up. Currently, ScubaBoard's Classified sections and Private Message privileges are granted once an SB account has been somewhat active in the community. But we do not require Two Factor Authentication (2FA) for these privileges.

What is the suggestion?
I propose that we start requiring 2FA before granting access to the Classified section, as well as Private Messages. The purpose of this is to help reduce the frequency and effectiveness of scams on ScubaBoard.

What is the problem?
There are a few common flavors of scammers:

- An existing account is hijacked by a scammer, and the scammer benefits from the account's good standing in the community.

This usually affects an account whose credentials are the same as some other website, and the credentials have been leaked. This type of scammer is harder to spot than the new account, because people really do come and go on ScubaBoard. Legitimately taking a break for a few years and then coming back to sell off some gear is a pretty common situation that's not a scam. Requiring 2FA for Classified and PM privileges would address most of this type of scam, since it would be much more difficult to hijack the SB account in the first place.

- A scammer makes a new account, reaches the threshold required for Classified and/or Private Message privileges, and then tries to scam people.

I don't think 2FA helps much against this type of scam. It would put one more barrier up in front of potential scammers, which is always helpful in the same way that even a weak bike lock still helps prevent bike theft. But scammers can do the steps to enable 2FA for their new scam account, and go on to attempt to scam people.

What is 2FA, how do I turn it on, and why is it helpful?
ScubaBoard already has two-factor authentication (2FA) built-in. It is currently optional, and you can turn it on in your security preferences. I highly recommend that all ScubaBoard users turn it on right away. I strongly recommend turning it on for other websites as well, especially sensitive ones like your email, your bank, your investments. It is one of the simplest, most effective security measures, because it means that even if your password is guessed or leaked, an attacker cannot use your password to sign into your account.

There are several types of 2FA. ScubaBoard supports email-based 2FA and app-based 2FA. App-based 2FA is more secure, and is most recommended. Email-based 2FA is less secure than app-based, but it is still much more secure than nothing. The reason email is less secure than an app is that if your email is compromised as well as your ScubaBoard account, then the 2FA offers no protection. This risk can be mitigated by enabling 2FA on your email as well, which of course I recommend, and do so myself.

Commentary
ScubaBoard members are generally suspicious of new accounts, and are great at reporting suspicious activity. A huge thank-you to those of you who report possible scammers! Please, please keep doing this, it is the main way mods notice scams! The Mod Squad is spread around the globe, so we see the reports pretty quickly, and once we look into an account, it is usually obvious to the mods that they are a scammer. Most of the time, we get word of the scammer and ban them before any scam takes place, but of course we can't guarantee this, and unfortunately the scammers are sometimes successful.

Other ideas I've seen
- Increasing the threshold for Classified and PM privileges. For example, we could require 100 posts
Pro: helps with the "new account" type of scammer
Con: doesn't do much for hijacked accounts
Con: inhibits legitimate users who just don't have that many posts yet

- Make it more difficult, or impossible, to use VPNs to use ScubaBoard. A VPN conceals the user's IP address
Pro: scammers use VPNs to conceal their identity, so it would help prevent some scammers entirely
Pro: if we ban the IP address of a known scammer, it would make it more difficult for the same scammer to use a new IP address and a new account to try another scam
Con: some legitimate users use VPNs for reasons besides scams; such users would need to disable their VPN while using ScubaBoard

- Require a text message (SMS) to verify the account. This suggestion is a bit like 2FA, but uses text messages instead of an app or email
Pro: Scammers would need a phone number in order to attempt a scam. Acquiring a phone number is a hurdle to get over, and often is not free
Con: Sending text messages costs money, and ScubaBoard would need to pay those costs. ScubaBoard also is not set up for this, and we would likely need to purchase more software and some cloud service to send out the SMS messages

- Only allow ScubaBoard Supporters and Sponsors Classified / PM privileges
Pro: we'd put a financial barrier in front of scammers, so new accounts would need to pay money in order to attempt their scam.
Con: this would be very alienating to users who are not interested in becoming (or not able to become) a ScubaBoard supporter
Con: this would not eliminate risk from hijacked accounts that are already ScubaBoard supporters

Suggestions?
If you have any other ideas about how to address scammers on ScubaBoard, I would be happy to hear about them. You can post in this thread, or you can send me a PM. Thank you.
 
What happens if somebody calls you, and you hear your phone ringing in the distance, somewhere on the other end of your house?

If you make it there before your phone stops ringing, will you answer the call in a grumbling mood? Will it irritate you for a day or so afterwards?
Never a problem. I keep the ringer turned off.

If somebody needs to talk to me, they have my real, honest to whatever-deity-floats-your-boat (or none) landline number.
 
The fundamental problem here is social, not technical. Technical solutions will not prevent scams.

The use of 2FA might help prevent some account hijacking, but I do wonder how often that actually happens.
The prohibition on use of VPNs is impossible to fully enforce and wouldn't necessarily make any difference, as well as having a lot of unintended consequences.

There are some solutions that could help, depending on the social fabric of Scubaboard, the direction that The Chairman wants to take with the site, and the amount of effort people are willing to invest, etc.

For example, Scubaboard could build a web of trust, based on the judgements of SB members, with a minimum score required to access buy & sell.

A member ranking could be a score based on things like -- in order of weighting (least to most)
  1. number of years on SB
  2. number of posts on SB
  3. number of recent posts
  4. number of "likes" received
  5. feedback on previous buy/sell experiences with the member
  6. number of SB members who have met (dived with?!) the member in real life

Scores could be weighted by factors like:
  • scores of the member vetting the other person
  • the scores of members who "like" the other person's posts
Of course, this scheme depends on a lot of SB members participating, and may fundamentally change the culture of SB and drive away users, and would certainly inhibit some legitimate users from participating in selling/buying on SB.

This is just an off-the-cuff idea, not intended as a full proposal, but it illustrates one social solution to the scammer problem.
 
I down voted.

I've purchased a reasonable number of Scubaboard listed items from $20 reels to $800 computers, and only had a problem once, and PayPal quickly refunded my money. To not pay with some sort of buyer protection is just foolish.

If a deal is "too good" or I get a bad feeling in the communications, I pass on it.

If 2FA does get approved, I'll just add it to my password manager, so no big deal for me. But for the reasons stated, the 2FA technology doesn't completely solve the problem, and raising the bar with technology and/or history and payment will probably just mean fewer item postings, and I already have all the protection I need in doing my diligence and backing it up with buyer protection.

The suggestion I have a bigger issue with is with blocking VPN. When I am traveling and using a public WiFi such as a hotel, I won't connect to an outside router without a VPN. And even on trusted routers, I need to run a VPN just to connect to certain servers, so that would cut down my participation.
 
Almost everyone who doesn't want this appears to think they'll have to use 2FA every time they log in. lol
Speaking for myself, I certainly understood that the 2FA, history and/or reaction score increase, or paid Supporter requirement could/would only apply to Classifieds - though I assume all DMs, since I am guessing the system couldn't detect "classified DMs" only - but I am always happy to learn new things.

I reiterate that they don't really prevent the scamming and spoofing problems described, as much as common sense and buyer protection, and would likely lead to less postings from those you describe as "Almost everyone who doesn't want this appears to think...".

In technology development & implementation, if you have to complain why users don't really understand your super terrific solution, you don't really have a super terrific solution.
 
The use of 2FA might help prevent some account hijacking, but I do wonder how often that actually happens.

It just happened the other day. I can think of at least two other times in addition to that.

but sure keep dreaming up your web of trust project for someone else to do when they’ve already proposed a solution that will help
 
It just happened the other day. I can think of at least two other times in addition to that.
The plural of "anecdote" is not "data".

Sure, with several thousand members, account hijacking will happen, and as I said, 2FA might prevent some instances.

but sure keep dreaming up your web of trust project for someone else to do when they’ve already proposed a solution that will help

Why such hostility in response to a constructive example of a solution that would apply to more than just hijacked accounts, and which could be layered with other mechanisms, such as 2FA?

What do you propose to prevent scammers who sign up for their own accounts or who have also hijacked a user's alternate communications channel for 2FA (email, text) -- and in either case will be able to supply a second form of authentication when they try to scam someone?
 
OK if it's only used for marketplace and not general forum login.
 
I have no issue with 2FA for financial related sites etc. but regular message boards like SB…not so much. That said I’m currently not a “supporter” so you’re gonna do what you’re gonna do. All IMHO, YMMV.
EXACTLY. Requiring 2FA on SB is like requiring a NICS check to buy a Whopper at McDonalds. Would that keep the bad guys out of McDonalds? Sure.

There has to be a trade off in security and common sense convenience.
 
Lets just do away with the buying and selling on SB altogether.

"Some people" want to Western Union some stranger with 6th grade grammar thousands of dollars, then blame the platform. All users shouldn't have to be forced into annoying and inconvenient 2FA just because a few have made the poor decision to pay tuition to the con man.

That's the reason I stopped paying Apple 99 cents per month for 50 GB of cloud storage. Every time I needed to log in I had to get up and go find my iPhone, click approve, then go back to my computer and enter the "secret code" to log in. The annoyance isn't worth it.

ScubaBoard isn't the IRS or my online banking. Nothing here is worth the 2FA hassle. Some of us don't sit around like the young kids with their phones up their butts 24/7.
2FA would be required only for users wanting to use the marketplace section on ScubaBoard. It's probably been stated about 3-4 times in this thread already.
 