Boxman91 (OP)
Newbie
Offline
Activity: 9
Merit: 0
|
|
September 10, 2013, 11:46:14 AM |
|
As it stands, the e-mail address of a user can be changed with only the password of the account. This gives phishers an edge: when they get your password, they can take over the entire account.
I propose that attempting to change the e-mail address of an account should yield a confirmation e-mail to the original e-mail address, which has to be confirmed by the actual owner. This way, phishers get much less of a chance to take over the account because they would then need control over both the bitcointalk.org account and the victim's e-mail account.
With such e-mail confirmation, the owner can always recover their account.
I became a victim of phishing and, with no notice, the perpetrator used just my password to change my password and e-mail address, rendering me powerless to get my account back without intervention from theymos.
|
|
|
|
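The two-step change proposed in the post above, sketched as an added example (not part of the original post and not the forum's own code). The `Account` class, function names, `outbox` list, addresses and the 24-hour token lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed validity window for a confirmation token, in seconds

class Account:
    def __init__(self, email, password):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.pending = None  # (new_email, sha256(token), expires_at) while unconfirmed

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, self._hash(password))

def request_email_change(acct, password, new_email, outbox, now=None):
    """Step 1: the password only opens a pending change; acct.email is not touched."""
    now = time.time() if now is None else now
    if not acct.check_password(password):
        return False
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so a database leak does not yield usable tokens.
    acct.pending = (new_email, hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
    # The confirmation goes to the ORIGINAL address, which a phisher holding only
    # the forum password cannot read. It also alerts the real owner.
    outbox.append((acct.email, new_email, token))
    return True

def confirm_email_change(acct, token, now=None):
    """Step 2: apply the change only for the unexpired token mailed to the old address."""
    now = time.time() if now is None else now
    if acct.pending is None:
        return False
    new_email, digest, expires_at = acct.pending
    if now > expires_at:
        acct.pending = None  # expired requests are dropped
        return False
    if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
        return False
    acct.email, acct.pending = new_email, None  # token is single use
    return True

if __name__ == "__main__":
    outbox = []  # stands in for the mail system; all values here are constructed
    acct = Account("owner@example.org", "phished-password")
    request_email_change(acct, "phished-password", "phisher@example.net", outbox)
    print(confirm_email_change(acct, "guessed-token"), acct.email)
```

An owner who can no longer read the old mailbox cannot complete this flow and needs a separate recovery path.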
b!z
Legendary
Offline
Activity: 1582
Merit: 1010
|
|
September 10, 2013, 12:01:23 PM |
|
I agree with this. If you are logged into someone's account, you can change the email and password too easily. There should be confirmation or some sort of verification.
|
|
|
|
BadBear
v2.0
Legendary
Offline
Activity: 1652
Merit: 1128
|
|
September 10, 2013, 12:01:56 PM |
|
That would be better, at the least it would give people a heads up that there is activity unknown to them, and would save admins time.
|
|
|
|
tysat
Legendary
Offline
Activity: 966
Merit: 1004
Keep it real
|
|
September 10, 2013, 12:13:04 PM |
|
Would probably save a lot of time for everyone, good idea!
|
|
|
|
Boxman91 (OP)
Newbie
Offline
Activity: 9
Merit: 0
|
|
September 10, 2013, 12:21:00 PM Last edit: September 10, 2013, 03:33:14 PM by Maged |
|
Great to see people agree. I hope it's not too much of a PITA to implement such measures.
Now, not trying to be selfish, but would a mod help me get Boxman90 back under my control, and/or tell me the procedure for this via PM so as not to derail this thread? :p
Mod Note: Message sent. -Maged
|
|
|
|
Boxman90
|
|
September 10, 2013, 06:27:03 PM Last edit: September 10, 2013, 10:39:40 PM by Boxman90 |
|
I disagree
This message was posted by the one who took over my account, who, surprisingly, gave it back to me. Sort of thank you, I guess?
|
LTC: LKKy4eDWyVtSrQAJy7Qmmz61RaFY91D9yC BTC: 18fzdnCkuUNthCD8hM36UBGopFa9ij78gG
|
|
|
Peter Lambert
|
|
September 10, 2013, 06:32:38 PM |
|
This assumes that you still have control of your old email address. What happens if you no longer have access to that email?
|
|
|
|
Boxman90
|
|
September 10, 2013, 10:38:20 PM |
|
The chances of both your e-mail address and bitcointalk account being compromised at the same time are very small, I'd say.
|
|
|
|
cbhelp
Newbie
Offline
Activity: 56
Merit: 0
|
|
September 10, 2013, 10:40:24 PM |
|
What?
The chances are better than they are worse, actually.
|
|
|
|
qwk
Donator
Legendary
Offline
Activity: 3542
Merit: 3413
Shitcoin Minimalist
|
|
September 10, 2013, 11:06:21 PM |
|
|
Yeah, well, I'm gonna go build my own blockchain. With blackjack and hookers! In fact forget the blockchain.
|
|
|
tysat
Legendary
Offline
Activity: 966
Merit: 1004
Keep it real
|
|
September 10, 2013, 11:15:50 PM |
|
Quote from Peter Lambert: This assumes that you still have control of your old email address. What happens if you no longer have access to that email?
Then it sounds like you f'ed up, email account recovery is fairly standard.
Quote from cbhelp: What? The chances are better than they are worse, actually.
Solid idea!
|
|
|
|
qwk
Donator
Legendary
Offline
Activity: 3542
Merit: 3413
Shitcoin Minimalist
|
|
September 10, 2013, 11:19:13 PM |
|
Quote from tysat: Then it sounds like you f'ed up, email account recovery is fairly standard.
I once lost control of an email address because I forgot about it and cancelled the domain registration. Account recovery under those circumstances is near impossible. And worse, the new domain owner could easily steal your identity. Not that that happened a lot...
|
|
|
|
HeroC
Legendary
Offline
Activity: 858
Merit: 1000
|
|
September 12, 2013, 07:20:22 PM |
|
It is a good idea in theory, but what if you no longer have access to the email? Like Lavabit shutting down, you cannot access the email to confirm that you want to change your email.
|
|
|
|
tysat
Legendary
Offline
Activity: 966
Merit: 1004
Keep it real
|
|
September 12, 2013, 07:55:17 PM |
|
Quote from HeroC: It is a good idea in theory, but what if you no longer have access to the email? Like Lavabit shutting down, you cannot access the email to confirm that you want to change your email.
You deal with the admin, I don't think it's something that will happen very often.
|
|
|
|
FeedbackLoop
|
|
September 13, 2013, 04:59:20 PM |
|
Quote from HeroC: It is a good idea in theory, but what if you no longer have access to the email? Like Lavabit shutting down, you cannot access the email to confirm that you want to change your email.
Quote from tysat: You deal with the admin, I don't think it's something that will happen very often.
I lost one email address once because their whole database got compromised and they decided, for the sake of their users (...), to reset all passwords and the only way they cared to send a new password was to "the secondary email" which I did not have defined. They seemed like a perfectly fine service until that very occasion.
|
|
|
|
|