Author Topic: [Guide] Bitcointalk account security  (Read 2322 times)
sncc (OP)
August 18, 2018, 02:46:13 PM
Last edit: December 27, 2018, 03:15:14 PM by sncc
Merited by Vod (10), suchmoon (10), Welsh (10), dbshck (10), LoyceV (6), qwk (5), SFR10 (5), vapourminer (4), DdmrDdmr (3), Thekool1s (3), pugman (2), TheBeardedBaby (2), Rath_ (2), bones261 (2), vphasitha01 (2), LTU_btc (1), LeGaulois (1), Coin-1 (1), The Cryptovator (1), finaleshot2016 (1), icopress (1), th3nolo (1), xOdiumNostrumx (1), Piggy (1), Hexah (1), vlad230 (1), hotforblockchain (1)
 #1

Note: For recovery of hacked/lost accounts, follow the new process announced by theymos.
[1] Recovering hacked/lost accounts
[2] Account recoveries are moving again
Send email to the address written in the OP of [1].  Since the addresses will be periodically changed, check the latest ones in the OP.


Every day we see threads about hacked/locked accounts, not only beginners' accounts but also Legendary members'.  In addition to the brute-force hacking risk, there are peculiar risks in the current system and from the data breach on May 22, 2015.  The security of forum accounts has been one of the biggest issues.  Security improvements, e.g. requiring email verification for changing password/email, introduction of 2FA, an automated account recovery system, and the new forum software with stronger security, would be ideal.

Meanwhile, until these features are implemented, what we can do now is to learn how the current bitcointalk system works, how to improve the security of your bitcointalk account, and also what you should do in case your account is hacked/locked.  In this thread, I tried to provide a thorough guide about these topics.  I hope it helps to reduce the number of hacked/lost accounts.  


Basics

1. Bookmark https://bitcointalk.org/ and always login from the bookmark.  Avoid bitcointalk.to, thebitcointalk.net or any other phishing site.

2. Use a new email address that you don't use for any other purposes.

3. Use a new password that you don't use for any other websites, with sufficient length, using a combination of letters/capital letters, numbers, and special characters.

4. You could set a secret question and its answer for password reset, but most likely it increases the risk of your account being hacked/locked.  For more details, see Tips below and Change password and email / Forgot password.

5. Do not download untrusted software, and keep your device clean from malware.

6. Keep all your devices and software updated to the latest version.

7. Stake your Bitcoin address.  See Stake Bitcoin address below for more detail.  


Tips

Tips for 1: Phishing site

- You could also bookmark the link to bypass the login captcha, see Captcha bypass for more details.

- Some phishing links are automatically replaced by [phishing] but that feature has not been introduced for bitcointalk.to and thebitcointalk.net yet, see this post.

- In case you enter your login information into a phishing site, you should immediately change the password of bitcointalk.org to avoid your account being hacked.

- Before clicking a link, check its true URL.  Some browsers show the URL when you mouse over the link.

- A link to a bitcointalk.org internal webpage (except anchors) will be shown in green when you mouse over it, whereas a link to an external site will remain blue.  This feature enables you to distinguish a link to a phishing site even if a hacker pretends it is an internal link.

True Bitcointalk
Fake Bitcointalk  (link to google.com)

You can recognize that the second one is the fake link as it remains blue when you mouse over.  

- Be aware of homograph attacks, though some of them are automatically replaced.

- There is a way to prevent your computer from accessing the phishing site by editing the hosts file.  For more details see this post by LoyceV.


Tips for 2: Email address

- Gmail allows you to have an alias, but in this case the original mail address is exposed, since for a Gmail address example@gmail.com the alias will be example+add@gmail.com, though you can choose any letters in place of "add".

- Avoid yopmail, as anyone can access a yopmail address.

- As a related tip, it is recommended to use a new or disposable email address rather than your main address for registration of bounties in the forum, in order to avoid potential data breach or data collection by fake/scam bounties.


Tips for 3: Password

- For password, do not use dictionary words, your birth date, pets’ name, phone number, or anything which is easy to guess for hackers or falls into The Worst 25 Passwords of 2017.

- Since the password data breach occurred in 2015, if you have been around the forum since 2015 or before and have not changed your password, it is recommended to change your password.

- If you are using the autofill feature of your browser, check whether it verifies the URL or simply fills in your passwords.  In the latter case, it is recommended to turn off the autofill.  Even in the former case, the rule may change when the browser is updated, so you need to be careful.

- You can use "Always stay logged in" option so that you do not need to enter the password every time.  

- For password manager, see e.g. The Five Best Password Managers.

- See also this post by mapuche33 for further tips.


Tips for 4: Secret question

- There are several important things to know about the secret question feature.  

1) There is no email verification process, so most likely the secret question option increases the risk of your account being hacked or locked.  

2) If password reset via secret question is used, your account will be locked, and you need to follow the Unlock your account process.  If the account is under your control, this feature is a drawback.  If it is hacked, you can use this feature to lock the account, but this case would be rare, as the hacker is likely to change the secret question and you have another option to lock your account from the email notification of email change within 14 days.

3) You can remove the secret question and answer.  For reference, see this post by SFR10.


Tips for 5: Untrusted software

- Untrusted software includes Bitcointalk unofficial apps, whose security is not guaranteed by the forum and which in principle can steal the password of your account.

- You could use a virtual machine for such untrusted software or altcoin wallets.



Change password and email / Forgot password

- You can change the password either by

1) Profile page.

2) "Forgot password" link at the login page.

3) Password reset via secret question.  Note that the account will be locked.

- In the Trust page, a password change/reset by 1) or 2) is shown for 3 days, whereas a password reset by 3) is shown for 30 days.  Both are shown in security log page for 30 days.

- You can change the email from the Profile page.  Email change history is also shown in Trust.

- Once you change your password or email, an email notification will be sent to your (old) email address.


Tips

Tips for 2): How to use "Forgot password"

Click "Forgot your password?" link at the login page.  
After filling out username or email, click "send".  
You will receive the following email with the link to reset your password.  

Quote
Dear <username>,

This mail was sent because the 'forgot password' function has been applied to your account. To set a new password click the following link:

https://<link to password reset>

IP: xxx.xxx.xxx.xxx

Username: <username>

Regards,
The Bitcoin Forum Team.


Tips for 3): How to use "Secret question"

Again, note that the account will be locked if you reset your password via secret question.

Click "Forgot your password?" link at the login page.  
After filling out username or email, choose "Ask me my question" and then click "send".  
The secret question will be displayed in your browser to which you fill in the answer and you can change the password there.  
Note that there is no email verification process and the account will be locked.
(Ref: PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT)
You will receive the following email.  

Quote
Password reminder

Please enter the answer to your question, and the password you would like to use. Your password will be changed to the one you select provided you answer the question correctly.

Warning: If you answer correctly, your password will be changed, but then your account will then be LOCKED for manual review, since the whole idea of secret questions/answers is inherently insecure. Processing unlocks due to this is one of our lowest priorities, so it could be a long time until you get your account back.

Secret Question:   <secret question you set will be displayed here>
Answer:   <enter answer>
Choose password: <enter new password>

For best security, you should use six or more characters with a combination of letters, numbers, and symbols.   

Verify password:

The drawbacks of the secret question feature are that it simply increases the risk of your account being hacked, as there is no email verification, and that even if the feature is used appropriately as originally intended, you end up with your account locked and need to wait for an unlock.

If you did not set the secret question and choose "Ask me my question", the following error message will be shown.

Quote
An Error Has Occurred!

Sorry, there is no secret question set for this member.




Stake Bitcoin address

Staking a Bitcoin address is the most efficient way to prove your ownership of your Bitcointalk account.  Once your account is hacked, the hacker can edit/delete your previous posts, but a staked address quoted appropriately by another account cannot be modified unless the hacker also hacks the account that quoted your post and modifies the address in the quoted post.  Therefore, you can claim that you are the original owner of the account with a message signed using the staked address.

1. Issue a signed message following How to sign a message?! using a Bitcoin address for which you control the private key.  A legacy address would be better, as everyone can verify it.  Example:

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
This is <username> at bitcointalk.org. The current date is <date>.
-----BEGIN SIGNATURE-----
<insert Bitcoin address here>
<insert signature here>
-----END BITCOIN SIGNED MESSAGE-----

2. Before posting the signed message, verify it by yourself with Brainwallet, Blockexplorer etc.  

3. Post your signed message with address to the thread Stake your Bitcoin address here by Tomatocage.  

4. Check if your signed message is quoted and verified appropriately by other forum members.  




Lock your account

Accounts will be locked if

1) you use password reset from secret question.  
(Ref:PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT)

2) you request it from the link of email notification for the change of the email address for the account.

3) you login after a long period of inactivity since before the 2015 data breach.

While your account is locked, you cannot log in and the following error message will appear:

Quote
An Error Has Occurred!

Sorry <username>, you are banned from using this forum!  Your account looks like it may have been hacked, so it was locked for safety.  Email <email address>


Tips

It is different from a temporary/permanent ban, for which the error message will be

Quote
An Error Has Occurred!

Sorry <username>, you are banned from posting or sending personal message on this forum!
Reason:  <reason>  
Ban duration: <duration>

You can create a temporary account and appeal by opening a topic about your ban in Meta.  However, for a permanent ban, ban evasion is not allowed.

The evil score is accumulated on the IP address that was used by banned accounts.  When an IP's evil score reaches a threshold, the IP is banned to prevent ban evasion, after which one needs to pay a small amount of BTC to create new accounts via the banned IP.




Unlock your account


1. Create a signed message using the Bitcoin address you staked to prove your ownership of the locked account.  Example:

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
My account <account> has been locked. Please unlock it. The current date is <date>.
-----BEGIN SIGNATURE-----
<insert Bitcoin address here>
<insert signature here>
-----END BITCOIN SIGNED MESSAGE-----

2. Before sending the signed message to mods, verify it by yourself with Brainwallet, Blockexplorer etc.

3. Create a temporary Bitcointalk account by using a different email address.

4. Send PM to theymos, Cyrus, hilariousandco including the above signed message and the link to the post where you staked your bitcoin address.




How to notice your account is hacked


Make sure that you check "Receive forum announcements and important notifications by email" in the Profile, and that your email does not categorize emails from noreply@bitcointalk.org as spam.

Whenever your password is changed (except by admin), you will get the following email notification from noreply@bitcointalk.org

Quote
Dear <username>,

Your Bitcoin Forum (bitcointalk.org) password was just changed by IP address xxx.xxx.xxx. If you did not do this, then you should use the forgotten password feature to change your password.

Regards,
The Bitcoin Forum Team.

Whenever your registered email is changed (except by admin), your old email address will receive the following email notification from noreply@bitcointalk.org with a link to lock your account, which is valid for 14 days.

Quote
Dear <username>,

Your Bitcoin Forum (bitcointalk.org) email address was just changed from <old email address> to <new email address> by IP address xxx.xxx.xxx. If you did not do this, then you can visit the following link within 14 days in order to lock the account:

https://<url to lock your account>

Note that you will NOT be asked for your password at that URL.

Regards,
The Bitcoin Forum Team

If you receive one or both of these emails even though you did not change your password or email, your account has likely been hacked and a hacker changed them.

If the hacker changed

1) only password:
Use "Forgot password" feature to change the password.  You will receive the email with the link for password reset from which you can change the password.

2) only email:
Login and change the password and email from Profile page.  

3) both password and email:
Proceed to Tips below and Recovery of your hacked/lost account.


Tips

Even if you fall into 3), if the hacker's email address is at yopmail.com, there is a chance that you can regain the account by yourself rather than locking your account and waiting for an unlock, as a yopmail address is accessible by anyone.  Follow the instructions below, quoted from Hacked and Changed Email addresses Account using Yopmail accounts by Swenna:

1. I logged into my account using the "forgot password" setting. Then, a recovery link was sent to the "yopmail account" which can be used to change the password of your account.
2. After changing the password of my account, I also changed my email address, and added a new security question for additional security.
3. Afterwards, I deleted all the forum's messages in the yopmail account so as to prevent the hacker from undoing my change password nor locking my account.




Recovery of your hacked/lost account


If your account is hacked and the hacker changed the password and email, or you forgot the password and do not have access to the registered email address and cannot use the password reset option, or an admin locked your account because you had been inactive after the data breach in 2015, the last resort is to request recovery of your account from the admins.  However, do not expect too much, as the recovery of accounts seems to be a low priority for the admins; it will typically take a long time, and there is a chance you end up with no recovery.  The official announcement by theymos is given in: Recovering hacked accounts or accounts with lost passwords

1. Create a signed message using the Bitcoin address you staked to prove your ownership of the hacked account.  Example:

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
My account <account> has been hacked/lost. Please reset the email to <email>. The current date is <date>.
-----BEGIN SIGNATURE-----
<insert Bitcoin address here>
<insert signature here>
-----END BITCOIN SIGNED MESSAGE-----

2. Before sending the signed message to admins, verify it by yourself with Brainwallet, Blockexplorer etc.

3. Create a temporary account by using an email address different from the one you want to use for the recovery of the hacked/lost account.

4. Send PM to theymos, Cyrus including the above signed message and the link to the post where you staked your bitcoin address.


Typically it will take some time, could be months to years, during which you could optionally try the following processes:

5. Create a topic in the Meta section by using the temporary account.

6. Ask members to check if your PM included all necessary information for recovery of the account or other general advice.  

7. Ask DT member to red tag your hacked account with a signed message as the proof of your ownership.  


Tips

Tips for 1: Bitcoin address

If you haven't staked your Bitcoin address in advance, you could still look for other options for the proof of your ownership of your account.  While it is not the best option, the other option could be your address in a spreadsheet of addresses of participants of a bounty campaign (basically a hacker cannot edit it), in any past post, e.g. in marketplace or bounty threads (since a hacker can edit/delete your past posts, it can be proven as the original post if it is an unedited post or the last edit date is before the hacking, or it is in a locked thread), or in your profile (a hacker can edit/delete it, so it may not be accepted without some strong support or special circumstances).  They might be regarded as proof, but the best option is to stake your address and ask another member to quote and verify it in advance.

Tips for 3: PM

The first PM is the most important one; make sure to include all the information necessary for the admin, otherwise you would lose your chance.

Tips for 5: Bump

Bumping is allowed once every 24 hours, and old bumps should be deleted.

Tips for 7: Red trust

A red tag with comments by DT clarifies that the account is hacked, prevents the hacker from fully exploiting your account for e.g. participating in bounty campaigns, scamming in the marketplace, or selling the account, and reduces the possibility of other members being scammed by the hacker.  Once your account is back under your control, you will need to ask the DT to remove the tag with a signed message notifying the recovery of your account.




Recent successful cases of recovery


Among the many accounts waiting for recovery for a long time, there are several lucky guys who succeeded in recovering their hacked/lost accounts.  While these real stories provide us important lessons, things do not always go like these examples and the situation has been changing, so do not expect too much if you are in the same situation.


Account: LTU_btc Hero

Thread: Hacked account recovery. Cyrus, please help November 17, 2017

LTU_btc noticed the account was hacked from the email notification for change of password and/or email, and soon after that he/she locked the account using the link in the email.  He/She created the temporary account LTU_btc/2, and sent a PM to Cyrus with a signed message from the bitcoin account staked the other day.  Fortunately the process went very smoothly in this case, and he/she recovered the account in only a few days.


Account: Shazam!!! Full Member

Thread: Need help with Unlock---Please December 12, 2017

Shazam!!! had been inactive for years after the password hashes were leaked in 2015.  Such accounts were locked automatically for the high risk of being hacked.  When he/she tried to login at the end of 2017, he/she noticed that the account was locked.  He/She sent PM to Cyrus from his/her temporary account !!!Shazam!!! with a signed message.  However, he/she had not staked the address in the Tomatocage's thread.  Fortunately, Vod and minifrij helped to find out that the address was posted in several bounty threads in 2015.  Strictly speaking, if the account was hacked, the hacker can edit/delete all previous posts so the address without quotation by other member is a weaker proof of the ownership.  However in this case, it is simply locked account without being hacked, and the posts were unedited ones as well, which are sufficient for the proof.  hilariousandco also helped him/her and sent PM to theymos and Cyrus.  Within the same day as the topic was opened, the account was successfully unlocked.  After the unlock, Shazam!!! immediately staked the address to the staking thread.


Account: premium_domainer Legendary

Thread: Account Regained with the help of Loyce. Thank you all January 10, 2018

This case is a bit tricky.  BitcoinBazaar.net is a temporary account created for the recovery of the original account premium_domainer, which was claimed to be hacked, but later it was claimed that the account was bought, while from the thread it is not clear how it was bought.  The owner did not stake his/her address, which is why LoyceV made a lot of effort to confirm the ownership.  LoyceV opened a thread to ask how to help out BitcoinBazaar.net and resolved the bug of an incomplete private key for a blockchain.info read-only address.  It attracted the attention of DT and the hacked account was red tagged.  Still, the account had not been regained, and BitcoinBazaar.net continued to bump the thread.  6 months after the OP, the buyer finally asked for $200 to give the account back.  He/She posted a password in the thread, claiming that if the password and email are changed and $200 is not paid, the account will be locked.  As you see, this approach has a loophole, since an admin can unlock the account.  Presumably the buyer noticed it and deleted the post.  However, LoyceV noticed the post before it was deleted, and immediately took the account.  Later, LoyceV gave the account back to BitcoinBazaar.net.


Account: Swenna Full Member

Thread: Hacked and Changed Email addresses Account using Yopmail accounts July 15, 2018
(See also peter0425's post who independently discovered the method.)

As already mentioned above, this thread tells us how to regain your account by yourself if the hacker uses yopmail.  Recently several accounts have been hacked by the same IP address using yopmail as a new address.  Yopmail is a disposable email address which does not require login.  It means that you can also access the hacker's yopmail account and change the registered email back to your email following the method:

1. I logged into my account using the "forgot password" setting. Then, a recovery link was sent to the "yopmail account" which can be used to change the password of your account.
2. After changing the password of my account, I also changed my email address, and added a new security question for additional security.
3. Afterwards, I deleted all the forum's messages in the yopmail account so as to prevent the hacker from undoing my change password nor locking my account.


sncc (OP)
August 18, 2018, 02:46:41 PM
Last edit: June 09, 2019, 03:58:09 PM by sncc
 #2

- Feedback, corrections (if any), and/or more information that you wish to be added to OP are welcome.

- Translation of this thread to post to local board is encouraged for better exposure.

- NB: Needless to say, machine translation is not allowed by the forum rule.  In addition, duplicating the whole thread without translation like this https://archive.fo/bFH96 is also breaking the forum rule and it ends up deleted.



Translations


LoyceV
August 18, 2018, 05:47:17 PM
Last edit: August 18, 2018, 07:44:47 PM by LoyceV
Merited by SFR10 (1), sncc (1)
 #3

True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)
Did you mean this:
True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)

Theymos is smart. Fake links work in preview, but get fixed when posted.

However, a homograph attack can still be used to create a fake link:
True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)

Quote
You can recognize that the second one is the fake link as it remains blue when you mouse over.
I normally don't look close enough to notice this (high resolution on a low quality screen), but it works indeed.

Quote
- There are several important things to know about the secret question feature.

1) Once you set the secret question you cannot disable the feature.
That's incorrect. You can simply remove the secret question and answer (credits to SFR10).


An addition: use a password manager! I have hundreds of different passwords, and there's no way to remember them all. They're all safely encrypted inside my password manager, so I only have to remember the master password (and make backups).

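
The hover check from the opening post and the homograph problem raised in this reply, as an added example (not code from the forum or from any poster): it classifies each link in a piece of HTML as internal, external or suspicious by comparing the visible text with the real target host, decoding punycode, and folding a small table of look-alike letters. The sample HTML is constructed, and the confusables table is a short illustrative subset, not a complete list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_HOST = "bitcointalk.org"

# Small, non-exhaustive table of Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i",
    "\u043e": "o", "\u0440": "p", "\u04cf": "l", "\u043a": "k",
})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def unicode_host(url):
    """Lower-cased host with punycode (xn--) labels decoded to Unicode."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host.isascii():
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the ASCII form
    return host.lower()


def is_trusted(host):
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


def classify(href, text):
    """Return 'internal', 'external' or a 'suspicious: ...' verdict for one link."""
    parts = urlsplit(href)
    if not parts.scheme and not parts.netloc:
        return "internal"  # relative link, resolved against the forum itself
    host = unicode_host(href)
    folded = host.translate(CONFUSABLES)
    if is_trusted(host):
        return "internal"
    if not host.isascii() and is_trusted(folded):
        return "suspicious: homograph of " + TRUSTED_HOST
    if "bitcointalk" in folded:
        return "suspicious: look-alike domain"
    if "bitcointalk" in text.lower().translate(CONFUSABLES):
        return "suspicious: link text names the forum but points to " + host
    return "external"


def audit(html):
    """Classify every link in an HTML fragment; returns [(text, verdict), ...]."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, classify(href, text)) for href, text in parser.links]


# Constructed sample; the fourth host contains a Cyrillic 'o' (U+043E).
SAMPLE_HTML = (
    '<a href="https://bitcointalk.org/">True Bitcointalk</a>'
    '<a href="https://www.google.com/">Fake Bitcointalk</a>'
    '<a href="https://bitcointalk.to/">Login</a>'
    '<a href="https://bitc\u043eintalk.org/">Forum</a>'
    '<a href="https://example.com/">Example</a>'
)

if __name__ == "__main__":
    for text, verdict in audit(SAMPLE_HTML):
        print(f"{text!r}: {verdict}")
```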
mdayonliner
August 18, 2018, 07:27:23 PM
 #4

4. You could set a secret question and its answer for password reset.  Once you set the secret question option you cannot disable it, so before setting it, learn its pros and cons.  For more details, see Tips below and Change password and email / Forgot password.
Actually you can.
Profile > Account Related Settings >
Remove anything you have on the Secret Question field
Remove anything you have on the Answer field
Then update the profile. I have done it before, when I realized that account recovery using the secret question feature will lock your account. So there is no use for it; in fact it is extra risky.



Oops! LoyceV already has it.

Quote
An addition: use a password manager! I have hundreds of different passwords, and there's no way to remember them all. They're all safely encrypted inside my password manager, so I only have to remember the master password (and make backups).
I have a text file with all the passwords I use for my web accounts. It has an encrypted backup file as well.


- For password, do not use dictionary words, your birth date, pets’ name, phone number, ....
https://passwordsgenerator.net is very helpful.

Quote
Tips for 4: Secret question

- There are several important things to know about the secret question feature.  

1) Once you set the secret question you cannot disable the feature.

2) There is no email verification process, so most likely the secret question option increases the risk of your account being hacked or locked.  

3) If password reset via secret question is used, your account will be locked, and you need to follow Unlock your account process.  If the account is under your control, this feature is a drawback
I hope you are working on it, since the information about secret questions is wrong.

Quote
3) Password reset via secret question.
Don't, account will be locked.

Quote
Tips for 3) "Secret question":
You really need to update this section.

Quote
3) you login after a long period of inactivity.
I doubt it if it's not related to 2015 hack.


Anyway read the whole post and you just need to fix everything that is related to secret question other than that well done!

Be happy be at peace. Looking forward to BTC at $1M
LoyceV
August 18, 2018, 07:39:53 PM
Merited by Thekool1s (1)
 #5

I have a text file with all the passwords I use for my web accounts.
That's very insecure! You should seriously consider getting a password manager. I use KeePassX on Linux (for Windows it's called KeePass), but there are other options too. It's worth the time to set it up once, and add all new passwords in the future.
See for instance The Five Best Password Managers.

Quote
I wouldn't trust a website for this. My password manager does this for me.

mdayonliner
August 18, 2018, 08:42:13 PM
 #6

That's very insecure!
I am the only one who use my laptop, yes I understand other possible factors too.


Quote
You should seriously consider getting a password manager. I use KeePassX on Linux (for Windows it's called KeePass), but there are other options too. It's worth the time to set it up once, and add all new passwords in the future.
See for instance The Five Best Password Managers.
That's what I need.

Thanks mate. I never had this in mind. I will check it tomorrow early morning.

Be happy be at peace. Looking forward to BTC at $1M
mapuche33
August 18, 2018, 11:08:40 PM
Last edit: August 18, 2018, 11:29:39 PM by mapuche33
Merited by dbshck (3), LoyceV (2), SFR10 (2), th3nolo (1), Hexah (1), sncc (1)
 #7

Very useful, thanks. Glad to read those 'Recent successful cases of recovery'; it gives us (the hacked victims) some sort of hope / relief.
 
By the way, I would like to mention some other useful general security tips:
 
 
  • 1- Using multiple web-browsers on the same machine for different purposes (chrome, waterfox, opera, safari, brave, etc.) For example: one for social media purposes, another for banking / crypto, another one for surfing / researching, other for entertainment and so on. Also make sure to configure them properly installing useful add-ons. Like the following:
  • 1.1- Password manager Add-ons like LastPass or KeePass are essential both for storing + generating random combinations of characters, just make sure to setup 2FA as well as never losing access to the associated email.
  • 1.2- Ad-blockers will censor most of the annoying ads including scams / phishing pop-ups. uBlock Origin is the best.
  • 1.3- Disconnect add-on is great for saving time + bandwidth by blocking 3rd party scripts used for social media metrics, advertising, analytics, etc. Also enhances privacy.
  • 1.4- Privacy Badger add-on blocks all those undesirable trackers that let others monitor your activity.
  • 1.5- EtherAddressLookup is a must for crypto enthusiasts; it performs an automated address lookup and warns you against blacklisted domains. It protects you against phishing / losing money.
  • 1.6- Running proxy scripts on your browsers is highly recommended because it hides your real IP from websites by sending fake headers with anonymous IP addresses. It is easy to set up and gives you peace of mind.
  • 1.7- Finally, replace your default search engine Google with a more reliable one like Duckduckgo.com. It is private & simplified, without ads fighting to be on top of the results. You will be less likely to fall for fake sites, with a plus of a more personalized experience. Making this switch is highly recommended.
  • 2- Using a VPN (paid or free) in order to prevent man-in-the-middle attacks, especially if your connection is wifi and you carry a laptop, also to prevent / bypass government censorship. There are a lot of services worth trying, just pick one that doesn't keep user logs + accepts crypto as payment. Also keep in mind that the free ones are great but much slower: ultrasurf.us & riseup.net
  • 3- Incorporate the habit of changing your passwords more often, let's say 6 months minimum to 1-2 years max.
  • 4- Make backups more often, or make it automated. Be prepared to deal with data-loss and ransomware. Also always keep your sensitive data offline to prevent identity theft.
Hexah
Sr. Member
****
Offline Offline

Activity: 728
Merit: 265



View Profile
August 19, 2018, 04:29:56 AM
 #8

Reserved.
Feedback, corrections (if any), and/or more information that you wish to be added are welcome.
Correct the spelling on the table of contents it should be "Basics" not "Basis". So far, this thread is worth reading. +1
sncc (OP)
Hero Member
*****
Offline Offline

Activity: 536
Merit: 513


View Profile
August 19, 2018, 05:13:38 AM
 #9

Thanks guys for corrections and feedback, will revise OP.

Did you mean this:
True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)

Theymos is smart :D Fake links work in preview, but get fixed when posted.

However, a homograph attack can still be used to create a fake link:
True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)

Right, I checked it in preview, but in the post it was replaced with the real link.  The homograph attack is also an interesting one; it seems like the o is the Cyrillic letter.

I have a text file with all the passwords I use for my web accounts.
That's very insecure! You should seriously consider getting a password manager. I use KeePassX on Linux (for Windows it's called KeePass), but there are other options too. It's worth the time to set it up once, and add all new passwords in the future.
See for instance The Five Best Password Managers.

Related to the password manager, I was wondering if anyone is using physical security keys?  Google started requiring employees to use physical security keys and neutralized phishing.  KeePass has a portable version, so LoyceV, are you using it by installing it on e.g. a USB drive?

Very useful, thanks. Glad to read those 'Recent successful cases of recovery'; it gives us (the hacked victims) some sort of hope / relief.

That's one of the ideas, hope you will be also listed there eventually.

Quote
By the way, I would like to mention some other useful general security tips:
<...>

Thanks for the tips. Actually, I was wondering why your account was hacked since you took these security measures?  If you have somehow identified the reason why your account was hacked and a potential loophole in the above strategies, that would be worthwhile to share.
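
An added example, not part of the original posts: a Python check for the two fake-link cases discussed in this post, a link whose visible URL differs from its real target and a hostname that mixes Latin and Cyrillic letters. The BBCode sample is constructed, the `[url=...]` form is assumed to be how the post is stored, and all function names are hypothetical.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: U+043E (Cyrillic small o) replaces the Latin "o".
LOOKALIKE_HOST = "bitc\u043eintalk.org"
SAMPLE_POST = (
    "True [url=https://bitcointalk.org/]https://bitcointalk.org/[/url]\n"
    "Fake [url=https://www.google.com/]https://bitcointalk.org/[/url]\n"
    "Fake [url=https://www.google.com/]https://" + LOOKALIKE_HOST + "/[/url]\n"
)
BBCODE_URL = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.I | re.S)


def scripts_in(label):
    """Scripts used by the letters of one hostname label, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def to_ascii(host):
    """IDNA (punycode) form of the hostname, i.e. what is looked up in DNS."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return "<not a valid IDNA hostname>"


def check_host(host):
    """Findings for one hostname; an empty list means nothing suspicious."""
    host = host.lower().rstrip(".")
    findings = []
    for label in host.split("."):
        found = scripts_in(label)
        if len(found) > 1:
            findings.append(f"mixed scripts in {label!r}: {sorted(found)}")
    if not host.isascii():
        findings.append(f"non-ASCII hostname, resolves as {to_ascii(host)}")
    return findings


def check_link(target, shown_text):
    """Compare where a link goes with what the reader is shown."""
    target_host = urlsplit(target.strip()).hostname or ""
    findings = check_host(target_host)
    shown = shown_text.strip()
    if re.match(r"https?://", shown, re.I):  # visible text claims to be a URL
        shown_host = urlsplit(shown).hostname or ""
        findings += check_host(shown_host)
        if shown_host != target_host:
            findings.append(
                f"text shows {shown_host!r} but link goes to {target_host!r}")
    return findings


def scan_post(bbcode):
    """(target, shown text, findings) for every [url=...] tag with findings."""
    results = []
    for target, shown in BBCODE_URL.findall(bbcode):
        findings = check_link(target, shown)
        if findings:
            results.append((target, shown, findings))
    return results


if __name__ == "__main__":
    for target, shown, findings in scan_post(SAMPLE_POST):
        print(shown, "->", target)
        for finding in findings:
            print("   ", finding)
```

A hostname written entirely in one non-Latin script is not caught by the mixed-script rule, only by the non-ASCII rule, so the punycode form is the value to compare against the site you expect.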
LoyceMobile
Hero Member
*****
Offline Offline

Activity: 1638
Merit: 678


LoyceV on the road. Or couch.


View Profile WWW
August 19, 2018, 07:38:23 AM
 #10

Related to the password manager, I was wondering if anyone is using physical security keys?  Google started requiring employees to use physical security keys and neutralized phishing.  KeePass has a portable version, so LoyceV, are you using it by installing it on e.g. a USB drive?
No, I don't use physical keys.

esmanthra
Hero Member
*****
Offline Offline

Activity: 504
Merit: 732


View Profile
August 19, 2018, 07:48:14 AM
 #11

2. Use new email address

And don't tell anyone about it. It should be used for that registration only - not for communications or registrations in other services.

Quote
5. Do not download untrusted softwares and keep your device clean from malware

This also concerns browser scripts and extensions.

Quote
6. Keep your device and browser updated to the latest version.

Not only browser and device. It includes:
 - all the software you use (especially related to cryptocurrencies - wallets, for example);
 - all the devices you use on a par with your computer (smartphones, tablets, routers etc.).
Some of these need extra tuning to be secure. Also some of them could be more or less secure from the start.

Quote
- Some phishing links are automatically replaced by [phishing link]

I guess you mean that [Suspicious link removed] thing.

Quote
- Before clicking the link, make sure its true URL.  Some browsers show URL when you mouse over the link

You can always see the URL in the status bar while hovering the link (it usually is displayed somewhere at the bottom of the window).

Quote
- The link to bitcointalk.org internal webpage will be shown by green when you mouse over, whereas the link to an external sites will remain blue

It seems that it doesn't work for some links with anchors (see some of the links in your original post for example).

Quote
- There is a way to prevent your computer to access the phishing site by editing hosts file.

Mind the viruses. Viruses also can change your hosts file. They even can change the DNS in your router to achieve the same effect.

Quote
Accounts will be locked if

I consider it to be a little different here (though I didn't yet receive the whole picture).

Quote
Bump is allowed for each 24 hours

And old bumps should be deleted (according to p.21 of the forum rules).
TheBeardedBaby
Legendary
*
Offline Offline

Activity: 2184
Merit: 3134


₿uy / $ell


View Profile
August 19, 2018, 12:29:36 PM
 #12

Great guide, man. I think now we need what Vod suggested earlier, a separate section only for guides; we have enough guides to support the suggestion.


DdmrDdmr
Legendary
*
Offline Offline

Activity: 2254
Merit: 10605


There are lies, damned lies and statistics. MTwain


View Profile WWW
August 19, 2018, 02:48:44 PM
 #13

Great guide, man. I think now we need what Vod suggested earlier, a separate section only for guides; we have enough guides to support the suggestion.
Very nice guide indeed. Well done and thank you.

By the way, the Italian board already has a child board for guides which looks rather neat and has plenty of useful guides there: https://bitcointalk.org/index.php?board=153.0. This should be a general practice and perhaps some of the OPs of the guides could get them translated for other guide child boards alike.

The only drawback I’ve seen there is that not all guides are thorough, and some of them are basically a link to an external article or video. There are therefore good looking guides and vain attempts in the guide child board, but at least they are all in a single place for reference.

LoyceV
Legendary
*
Online Online

Activity: 3248
Merit: 16270


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
August 19, 2018, 05:15:21 PM
 #14

By the way, the Italian board already has a child board for guides which looks rather neat and has plenty of useful guides there: https://bitcointalk.org/index.php?board=153.0. This should be a general practice and perhaps some of the OPs of the guides could get them translated for other guide child boards alike.
Wouldn't a sticky thread with links be better than a child board? If one person maintains it with updated links to all new guides, the guides don't even have to be on the same board.

DdmrDdmr
Legendary
*
Offline Offline

Activity: 2254
Merit: 10605


There are lies, damned lies and statistics. MTwain


View Profile WWW
August 19, 2018, 05:31:08 PM
 #15

Wouldn't a sticky thread with links be better than a child board? If one person maintains it with updated links to all new guides, the guides don't even have to be on the same board.
Perhaps. Nevertheless the way it is organized on the Italian board seems easy to find too. If only one sticky acts as an index, and is maintained by a specific user, then he/she can sort of "supervise" the guide quality/utility before adding it to the sticky post. On the other hand, the Italian solution allows for a decentralized approach, where all guides are concentrated under one child board. The downside to this is what I mentioned previously: not all guides there are good really, but anyone can add a guide to something there.

I guess that, from a quality point of view, the single user managed sticky thread would be better, but from the freedom to add a guide point of view, then the latter option is fine. One option is like an index, and the other like a directory.

LTU_btc
Legendary
*
Offline Offline

Activity: 2996
Merit: 1323


Slava Ukraini!


View Profile WWW
August 19, 2018, 09:28:17 PM
 #16

Thanks for making this very detailed guide about Bitcointalk account security. I hope that people will use your advice to secure their accounts. I see that you mentioned my name in your article :). Well, I'm so happy that Cyrus recovered my account so fast. But at the same time I'm feeling so sad for users who are waiting long months or years for account recovery. I can hardly imagine their feelings. Unfortunately, in recent months I haven't seen users who regained access to their accounts. It seems that admins stopped recovering accounts. But theymos said that he is making an automated account recovery system; I hope that he will release it soon and users will get a chance to get their accounts back.

sncc (OP)
Hero Member
*****
Offline Offline

Activity: 536
Merit: 513


View Profile
August 20, 2018, 12:32:26 AM
 #17

<...>
Good catch, will work on them.

Great guide, man. I think now we need what Vod suggested earlier, a separate section only for guides; we have enough guides to support the suggestion.
Wouldn't a sticky thread with links be better than a child board? If one person maintains it with updated links to all new guides, the guides don't even have to be on the same board.
Perhaps. Nevertheless the way it is organized on the Italian board seems easy to find too. If only one sticky acts as an index, and is maintained by a specific user, then he/she can sort of "supervise" the guide quality/utility before adding it to the sticky post. On the other hand, the Italian solution allows for a decentralized approach, where all guides are concentrated under one child board. The downside to this is what I mentioned previously: not all guides there are good really, but anyone can add a guide to something there.

I guess that, from a quality point of view, the single user managed sticky thread would be better, but from the freedom to add a guide point of view, then the latter option is fine. One option is like an index, and the other like a directory.
Actually I had the same idea of the index thread and opened one in the Japanese local board, collecting the links to the guide threads in the Japanese board with basic FAQs for Newbies, which has been pinned and seems to be working well.  The index thread is sufficient for the Japanese local board, rather than a guide section, as it is not a very active board, but for the English main board I am not quite sure which option suits better.  One thing is that for an index thread we could also discuss the quality of guides using replies to the index thread, so it would not necessarily depend completely on one person's decision.

Thanks for making this very detailed guide about Bitcointalk account security. I hope that people will use your advice to secure their accounts. I see that you mentioned my name in your article :). Well, I'm so happy that Cyrus recovered my account so fast. But at the same time I'm feeling so sad for users who are waiting long months or years for account recovery. I can hardly imagine their feelings. Unfortunately, in recent months I haven't seen users who regained access to their accounts. It seems that admins stopped recovering accounts. But theymos said that he is making an automated account recovery system; I hope that he will release it soon and users will get a chance to get their accounts back.
You were extremely lucky, and yes, the recovery of hacked/lost accounts is one of the biggest issues, so I hope the guide thread will work and partially remedy the problem.
LoyceV
Legendary
*
Online Online

Activity: 3248
Merit: 16270


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
August 20, 2018, 05:50:52 AM
Last edit: August 20, 2018, 10:09:47 AM by LoyceV
Merited by TheBeardedBaby (1)
 #18

Actually I had the same idea of the index thread and opened one in the Japanese local board, collecting the links to the guide threads in the Japanese board with basic FAQs for Newbies, which has been pinned and seems to be working well.  The index thread is sufficient for the Japanese local board, rather than a guide section, as it is not a very active board, but for the English main board I am not quite sure which option suits better.  One thing is that for an index thread we could also discuss the quality of guides using replies to the index thread, so it would not necessarily depend completely on one person's decision.
How about I just create an index thread? I'll start working on it later today. This doesn't have to wait for a child board, and if the list gets long enough, it can be used as an argument for a child board.
Update: [GUIDES] on Bitcointalk. Index thread (work in progress).
When there is a child board, insubstantial topics can be Reported and moved. As an alternative: if users can't create new topics on that board, only Mods can move existing good topics, which keeps the quality high.

edwardceng
Member
**
Offline Offline

Activity: 266
Merit: 50


View Profile
August 20, 2018, 06:20:23 AM
Merited by TheBeardedBaby (1)
 #19

nice,
I found a good index thread made by xtraelv by searching for "[GUIDE]"; maybe you can just add a topic that isn't there yet.
https://bitcointalk.org/index.php?topic=4422529.0

vlad230
Sr. Member
****
Offline Offline

Activity: 616
Merit: 279



View Profile
August 20, 2018, 07:42:24 AM
 #20

Thanks for the guide! It looks good :)

I would also add in the password section that one shouldn't use the same password for multiple websites.

This is the main issue with many of the account hacks (alongside phishing of course): there are a lot of people requesting others to sign up on their new website (bounty campaign, new coin etc.) and people make the mistake of using their bitcointalk credentials or the same password.

It is extremely easy to set up a site that only collects that information, and people may unknowingly give away their credentials for a couple of bucks.