Bitcoin Forum

Other => Meta => Topic started by: Boxman91 on September 10, 2013, 11:46:14 AM



Title: Proposal: E-mail change should require e-mail confirmation for added security
Post by: Boxman91 on September 10, 2013, 11:46:14 AM
As it stands, the e-mail address of a user can be changed with only the password of the account. This gives phishers an edge: when they get your password, they can take over the entire account.

I propose that attempting to change the e-mail address of an account should yield a confirmation e-mail to the original e-mail address, which has to be confirmed by the actual owner. This way, phishers get much less of a chance to take over the account because they would then need control over both the bitcointalk.org account and the victim's e-mail account.

With such e-mail confirmation, the owner can always recover their account.

I became a victim of phishing and, with no notice, the perpetrator used just my password to change my password and e-mail address, rendering me powerless to get my account back without intervention from theymos.
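Added example, not part of the original post and not bitcointalk's software: a minimal Python model of the flow proposed above, in which a password-authenticated request only stages the new address, and the change is applied only when a token mailed to the existing address comes back. The in-memory account store, the `Account` and `AccountService` names, the one-hour confirmation window and the `outbox` stand-in for the mail system are all assumptions made for this example; the user names and addresses are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Account:
    # Hypothetical in-memory account record; field names are assumptions.
    name: str
    email: str
    salt: bytes
    password_hash: bytes
    pending_email: Optional[str] = None       # new address awaiting confirmation
    pending_token_hash: Optional[str] = None  # only a hash of the mailed token is stored
    pending_expires: float = 0.0


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class AccountService:
    clock: Callable[[], float] = time.time
    ttl_seconds: int = 3600                   # assumed confirmation window
    accounts: Dict[str, Account] = field(default_factory=dict)
    # Constructed stand-in for the mail system: (recipient, subject, token).
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)

    def register(self, name: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(name, email, salt, _kdf(password, salt))

    def request_email_change(self, name: str, password: str, new_email: str) -> bool:
        """Step 1: the password alone only stages the change; nothing is applied yet."""
        acct = self.accounts[name]
        if not hmac.compare_digest(acct.password_hash, _kdf(password, acct.salt)):
            return False
        token = secrets.token_urlsafe(32)
        acct.pending_email = new_email
        acct.pending_token_hash = _token_hash(token)
        acct.pending_expires = self.clock() + self.ttl_seconds
        # The confirmation goes to the CURRENT address, not the new one: whoever
        # holds the old mailbox is the party whose consent is required.
        self.outbox.append((acct.email, "Confirm e-mail change", token))
        return True

    def confirm_email_change(self, name: str, token: str) -> bool:
        """Step 2: the holder of the old mailbox presents the token; only then is the address changed."""
        acct = self.accounts[name]
        if acct.pending_token_hash is None:
            return False
        if self.clock() > acct.pending_expires:
            self._clear_pending(acct)         # a stale request cannot be replayed later
            return False
        if not hmac.compare_digest(acct.pending_token_hash, _token_hash(token)):
            return False
        acct.email = acct.pending_email
        self._clear_pending(acct)
        return True

    @staticmethod
    def _clear_pending(acct: Account) -> None:
        acct.pending_email = None
        acct.pending_token_hash = None
        acct.pending_expires = 0.0


def phished_password_scenario() -> str:
    """Attacker knows only the password; returns the address the account ends up with."""
    svc = AccountService()
    svc.register("Boxman90", "owner@example.org", "hunter2")  # constructed sample data
    assert svc.request_email_change("Boxman90", "hunter2", "attacker@example.net")
    # The token went to owner@example.org; the attacker never sees it and cannot guess it.
    svc.confirm_email_change("Boxman90", "not-the-token")
    return svc.accounts["Boxman90"].email


def legitimate_change_scenario() -> str:
    """The real owner reads the mail sent to the old address and confirms."""
    svc = AccountService()
    svc.register("Boxman90", "owner@example.org", "hunter2")
    svc.request_email_change("Boxman90", "hunter2", "new@example.org")
    recipient, _subject, token = svc.outbox[-1]
    assert recipient == "owner@example.org"
    svc.confirm_email_change("Boxman90", token)
    return svc.accounts["Boxman90"].email


def expired_token_scenario() -> str:
    """A valid token presented after the window must not apply the change."""
    now = [1_000_000.0]
    svc = AccountService(clock=lambda: now[0], ttl_seconds=3600)
    svc.register("Boxman90", "owner@example.org", "hunter2")
    svc.request_email_change("Boxman90", "hunter2", "new@example.org")
    token = svc.outbox[-1][2]
    now[0] += 3601
    svc.confirm_email_change("Boxman90", token)
    return svc.accounts["Boxman90"].email
```

The three scenarios are the thread's own case in miniature: a phisher holding just the password can stage a change but cannot complete it, the real owner can, and a token that outlives its window is refused. Storing only a hash of the token means a read of the account table does not hand out pending confirmations. A user whose old mailbox is gone cannot complete this flow at all and needs an out-of-band path such as an administrator, which the example does not model.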


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: b!z on September 10, 2013, 12:01:23 PM
I agree with this. If you are logged into someone's account, you can change the email and password too easily. There should be confirmation or some sort of verification.


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: BadBear on September 10, 2013, 12:01:56 PM
That would be better, at the least it would give people a heads up that there is activity unknown to them, and would save admins time.


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: tysat on September 10, 2013, 12:13:04 PM
Would probably save a lot of time for everyone, good idea!


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: Boxman91 on September 10, 2013, 12:21:00 PM
Great to see people agree. I hope it's not too much of a PITA to implement such measures.

Now, not trying to be selfish, but would a mod help me get Boxman90 back under my control, and/or tell me the procedure for this via PM so as not to derail this thread? :p
Mod Note: Message sent. -Maged


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: Boxman90 on September 10, 2013, 06:27:03 PM
I disagree

This message was posted by the one who took over my account, who, surprisingly, gave it back to me. Sort of thank you, I guess?


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: Peter Lambert on September 10, 2013, 06:32:38 PM
This assumes that you still have control of your old email address. What happens if you no longer have access to that email?


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: Boxman90 on September 10, 2013, 10:38:20 PM
The chances of both your e-mail address and bitcointalk account being compromised at the same time are very small, I'd say.


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: cbhelp on September 10, 2013, 10:40:24 PM
What?

The chances are better than they are worse, actually.


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: qwk on September 10, 2013, 11:06:21 PM
You just gave me an idea:
https://bitcointalk.org/index.php?topic=292074.0 (https://bitcointalk.org/index.php?topic=292074.0)


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: tysat on September 10, 2013, 11:15:50 PM
This assumes that you still have control of your old email address. What happens if you no longer have access to that email?

Then it sounds like you f'ed up, email account recovery is fairly standard.


What?

The chances are better than they are worse, actually.

Solid idea!


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: qwk on September 10, 2013, 11:19:13 PM
Then it sounds like you f'ed up, email account recovery is fairly standard.

I once lost control of an email address because I forgot about it and cancelled the domain registration. Account recovery under those circumstances is near impossible. And worse, the new domain owner could easily steal your identity. Not that that happened a lot...


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: HeroC on September 12, 2013, 07:20:22 PM
It is a good idea in theory, but what if you no longer have access to the email? Like lavabit shutting down, you cannot access the email to confirm that you want to change your email.  ;)


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: tysat on September 12, 2013, 07:55:17 PM
It is a good idea in theory, but what if you no longer have access to the email? Like lavabit shutting down, you cannot access the email to confirm that you want to change your email.  ;)

You deal with the admin, I don't think it's something that will happen very often.


Title: Re: Proposal: E-mail change should require e-mail confirmation for added security
Post by: FeedbackLoop on September 13, 2013, 04:59:20 PM
It is a good idea in theory, but what if you no longer have access to the email? Like lavabit shutting down, you cannot access the email to confirm that you want to change your email.  ;)

You deal with the admin, I don't think it's something that will happen very often.

I lost one email address once because their whole database got compromised and they decided, for the sake of their users (...), to reset all passwords and the only way they cared to send a new password was to "the secondary email" which I did not have defined. They seemed like a perfectly fine service until that very occasion.