Create an option to get an e-mail notification someone logs in

[bones261]

    Recently, we had an incident where a member states that PMs were sent from his account, without him being aware. https://bitcointalk.org/index.php?topic=5150479.0 It definitely is possible for a hacker to log into someone's account, send a PM with the "save a copy to my outbox" unchecked, and the real owner of the account not being made aware. Would it do any good to allow an option to be notified by e-mail whenever a PM is sent from your account? Also, an e-mail notification would be sent whenever someone decides to opt-in or opt-out. Perhaps these e-mails can also come with an option to lock the account.

Edit:Perhaps just having the option to get notification when someone logs into your account would be better. It doesn't even need to include the ip like many sites have implemented. That way, a hacker cannot circumvent it by simply turning the option off since you would be notified of the initial log in. Also, an option to either lock the account or automatically log off all sessions with the e-mail would be helpful.

[1714038562]

1714038562

[1714038562]

1714038562

[bL4nkcode]

It definitely is possible for a hacker to log into someone's account, send a PM with the "save a copy to my outbox" unchecked, and the real owner of the account not being made aware.

What if there's an email notification every time a user login on its forum account to top this. And with this ,

Perhaps these e-mails can also come with an option to lock the account.

[CryptopreneurBrainboss]

Voted yes but just wondering if such a feature can be implemented that easily and how productive it'll be since it doesn't stop the hacker from sending the PM. On all socal media related sites i have seen the feature of receiving a notification when you receive a PM but haven't seen any for receiving a notification for PM sent.

How about the option of making the "save a copy to my outbox" a default setting that can't be changed and message saved in outbox can only be deleted after certain number of days like 30days period.

[thd26bct]

What if users do not use main emails (that used for their jobs) to register their accounts in the forum? Those users likely don't log in emails (used to register forum accounts) too often.
For inactive users, whom fall into inactive status for months or years, such email notifications don't make sense.
If such email notifications when PM sent activated, it should be limited on PMs sent from strange IPs of each account. Recent months, when Gmail's users log in from strange IP, strange devices, they have to do some confirmations to log in their emails.

[Jet Cash]

It's already in your profile. Just set "Notify by email every time you receive a personal message:  " to "always" and you will receive notifications.

It's in the private message section of your profile.

[Quickseller]

It's already in your profile. Just set "Notify by email every time you receive a personal message:  " to "always" and you will receive notifications.

He wants to receive notifications when he sends a PM, not when he receives one.

[erikalui]

Better than that, can't we have access to our own IP logs? We get such information from exchanges and even Google so if possible, we can see if any other IP address has been accessing your account. Also, if the login IP changes, it would be better if we receive notifications via email and a 2FA like exchanges do.

[logfiles]

If it's just an Option that can be checked and unchecked, then the hackers will disable the option when they are using victims' accounts to send messages just like they would u check "save copy to my inbox"

My suggestion is that maybe we have the account automatically locked when there is a sudden change in the IP address log from the usual pattern accompanied with a verification email with information about a mandatory security check.

2FA like exchanges do.

2FA will not be implemented on this forum software. Maybe on the new forum software. This has been suggested multiple times but nothing has been done.

[LoyceV]

I don't think this is going to help. I have 1847 sent messages. If I would have received 1847 emails, I would have disabled that option a long time ago, or filter them to be deleted.

Better than that, can't we have access to our own IP logs? We get such information from exchanges and even Google so if possible, we can see if any other IP address has been accessing your account.

That wouldn't only work for you, it would also give someone who gains access to your account access to your IP (and approximate location).

I've seen cases indeed where a hacker doesn't change the password so the account doesn't get locked. I'd say that means the account locking and recovery system is starting to pay off!
It's still quite rare to happen, so a solution that can only prevent a small fraction of this rare thing won't really help much.

[erikalui]

2FA will not be implemented on this forum software. Maybe on the new forum software. This has been suggested multiple times but nothing has been done.

2FA has not been considered for the new forum software but something like an email notification when the IP changes also would prove to be useful. Your suggestion of locking such an account also would be good but people would keep complaining everytime their account gets locked so a notification also would suffice.

[mikeywith]

"a default setting that can't be changed and message saved in outbox can only be deleted after certain number of days like 90days period.

This seems like a better option ( 90 days is a lot , maybe 30 ?) since there is no guarantee the user will see the Email before their account is used to scam, or maybe the two together for better security? But most importantly people should start using more complex passwords and take care of their own accounts security, babysitting does not always solve the problem.

Or requesting a confirmation via email before a PM can be sent?

No please , ain't nobody got time for that.

[TheBeardedBaby]

Maybe just have a visible statistics of sent messages per day/week/month instead of notifications, like
Messages sent today 0.  I don't know where it could be placed but should be on a easy-to-spot place.

[Pmalek]

Having an option like that would only make sense if the option can't be turned off. If a hacker manages to gain access to an account and un-tick the option for sending a notification via email when a PM is sent we are back to square one.

But in that case we will encounter the problem that LoyceV highlighted. Possibly getting 1000 emails and notifications of sent PMs.

The best option I think is having all sent PMs automatically go to the Outbox folder like CryptopreneurBrainboss suggested.   
 

[bones261]

If it's just an Option that can be checked and unchecked, then the hackers will disable the option when they are using victims' accounts to send messages just like they would u check "save copy to my inbox"

My suggestion is that maybe we have the account automatically locked when there is a sudden change in the IP address log from the usual pattern accompanied with a verification email with information about a mandatory security check.
2FA will not be implemented on this forum software. Maybe on the new forum software. This has been suggested multiple times but nothing has been done.

     I already thought about hackers disabling the option.

    Also, an e-mail notification would be sent whenever someone decides to opt-in or opt-out.

If a hacker was trying to cover his tracks by disabling, sending PM and then enabling again, you would get 3 e-mails. It would probably be better if someone had the option of getting a text by phone. However, I'm not sure this is possible, or if this site even wants to store something as sensitive as a phone number.

How about the option of making the "save a copy to my outbox" a default setting that can't be changed and message saved in outbox can only be deleted after certain number of days like 30days period.

Some people may not want a certain PM stored in their outbox for any period of time. They may want to convey some personal information that they also request the receiver delete when they are done with it. I realize there are better ways to go about this, though.

[erikalui]

Having an option like that would only make sense if the option can't be turned off. If a hacker manages to gain access to an account and un-tick the option for sending a notification via email when a PM is sent we are back to square one.

But in that case we will encounter the problem that LoyceV highlighted. Possibly getting 1000 emails and notifications of sent PMs.

The best option I think is having all sent PMs automatically go to the Outbox folder like CryptopreneurBrainboss suggested.   
 

Can't the hacker delete the sent PMs from the user's account? When they can send PMs without the knowledge of the user, they can easily delete their own sent PMs as well as we can do now manually.

[DdmrDdmr]

<…>
What if there's an email notification every time a user login on its forum account to top this. And with this ,

Perhaps these e-mails can also come with an option to lock the account.

I’d say that this is a better option. A person can perform a silent hack into someone’s account (not changing the credentials nor email) and not just PM some shady stuff, but also create posts such as those seen recently in this and other threads: Please disable Fake ANNs download links , theymos !. A couple of related cases were reported as silent hacks, and verified to be so to the extent that can be done through taking a look at the IP logs.

An email notification when someone logs into an account could be useful in order to act as quick as possible. This could have it’s tweaks such as only notify when you do so from a new IP (to delimit the number of notifications), and have an opt-in option to activate it.

[ReverseDirect]

If it's just an Option that can be checked and unchecked, then the hackers will disable the option when they are using victims' accounts to send messages just like they would u check "save copy to my inbox"

My suggestion is that maybe we have the account automatically locked when there is a sudden change in the IP address log from the usual pattern accompanied with a verification email with information about a mandatory security check.
2FA will not be implemented on this forum software. Maybe on the new forum software. This has been suggested multiple times but nothing has been done.

     I already thought about hackers disabling the option.

    Also, an e-mail notification would be sent whenever someone decides to opt-in or opt-out.

If a hacker was trying to cover his tracks by disabling, sending PM and then enabling again, you would get 3 e-mails. It would probably be better if someone had the option of getting a text by phone. However, I'm not sure this is possible, or if this site even wants to store something as sensitive as a phone number.

How about the option of making the "save a copy to my outbox" a default setting that can't be changed and message saved in outbox can only be deleted after certain number of days like 30days period.

Some people may not want a certain PM stored in their outbox for any period of time. They may want to convey some personal information that they also request the receiver delete when they are done with it. I realize there are better ways to go about this, though.

I don't like the idea of sharing your phone number in this forum. This beats the purpose of anonymity and the hacker will get far more valuable information if they can check out your phone number after hacking your account.
I really like the idea of changing the password via email only. This will ensure that a foreign IP cannot log you out of your account. If notifying by email isn't possible, maybe share the login time and all the activities of the user's database on another website? This will also help Mods trace out scammers. The fact that you can delete all your past activities in a forum where a transaction is built on trust is scary.

[DireWolfM14]

Having an option like that would only make sense if the option can't be turned off.

This is true, and would be a pain in the ass in my opinion.   I don't need a notification sent to my email whenever I send a PM.  I'm already getting notifications for received PMs, and I hate to say it but the Maggiordomo bot has been getting a bit irritating in that regard.  Removing the option to not save outgoing PM in the outbox isn't going to do much, because the hacker can just delete the message after it's sent.  

The situation that spurred bones to create this topic is a bit concerning, but I would like to think it's an isolated case.  I don't recall learning about any other situation with a similar account breach.  

Since most of us are into cryptocurrency we should all understand the importance of self reliance and accountability when it comes to our own security.  Maybe some people don't take the security of their forum account as seriously as their bitcoin wallet, but maybe that's what needs to change.  This is especially true for those of us who've developed a trusted reputation here, it's not only our account and reputation that are on the line, but someone may get scammed.   Continuing to ask theymos to implement troublesome features to compensate for a few members' lack of accountability and responsibility isn't a great solution.

[bones261]

I have changed the poll and topic to explore if it would be better to just have the option to get notified whenever they log in.

Edit: I forgot to take a screen shot of the previous poll. It was 9 to 5 in favor of adding an option to get e-mail notification when sending a PM.

[darklus123]

to be notified by e-mail whenever a PM is sent from your account?

There is actually an option like this. I've been receiving email notifications everytime a got a pmed.

I think the best thing to do right now than waiting for theymos to do your suggestions which is actually has a very  small percentage of getting considered. Try to add a 2fa security for a higher security of your account. Here is a very good guide

https://bitcointalk.org/index.php?topic=5041789.0;all

Here as well

Why even bother to use Google Authenticator? You can download a open source 2FA app such as andOTP[1] that has the option to backup and restore 2FA codes. Then, you can just set up your 2FA and upload an encrypted backup to any free cloud provider you want. Never losing access to your accounts again.

[1] https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp&hl=pt_BR

Note: It is mainly your responsibility to take good care of your account and add up as much security as you can so you don't have to rely on the current forum features.