Bitcoin Forum
Poll
Question: Should there be an option to get an e-mail notification upon logging in
Yes - 20 (95.2%)
No - 1 (4.8%)
Total Voters: 21

Author Topic: Create an option to get an e-mail notification someone logs in  (Read 1053 times)
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18504
June 05, 2019, 04:18:14 PM
 #21

Quote: An email notification when someone logs into an account could be useful in order to act as quickly as possible. This could have its tweaks such as only notify when you do so from a new IP (to delimit the number of notifications), and have an opt-in option to activate it.

I think this is the neatest solution. We know from theymos' topic Retention/privacy info and from the page https://bitcointalk.org/privacy.php that your IP is logged for at least 3 months, and partially up to 2 years. It would be fairly easy to implement a simple check upon login of the current IP compared to all previous IPs, and fire off an email notification if the IP is brand new. That would stop users who wanted this option from being flooded with emails. The obvious drawback here is that it wouldn't work well with Tor or anyone who frequently rotates to new VPN servers.
suchmoon
Legendary
Activity: 3640
Merit: 8908
June 05, 2019, 04:39:05 PM
 #22

Quote: it wouldn't work well with Tor or anyone who frequently rotates to new VPN servers.

Perhaps add another alert for user agent then. I bet no hacker would guess that my browser is "NCSA_Mosaic/1.0 (Windows 3.1)".
Quickseller
Copper Member
Legendary
Activity: 2870
Merit: 2298
June 05, 2019, 04:54:53 PM
 #23



Quote: Edit: I forgot to take a screenshot of the previous poll. It was 9 to 5 in favor of adding an option to get e-mail notification when sending a PM.

If you are infected with malware, it is possible someone could access your account without logging in. The hacker could possibly access your account locally on your computer, or they could copy the cookie used to validate you and log in.
bones261 (OP)
Legendary
Activity: 1806
Merit: 1826
June 05, 2019, 06:05:28 PM
 #24

Quote: If you are infected with malware, it is possible someone could access your account without logging in. The hacker could possibly access your account locally on your computer, or they could copy the cookie used to validate you and log in.

Well, I realize that my proposed solutions won't make someone's security foolproof.  Just another pesky pawn that one could place to get in the way of the hacker's queen.
CryptopreneurBrainboss
Legendary
Activity: 2226
Merit: 4130
June 05, 2019, 06:08:55 PM
 #25

Before I vote, I need to be clear on the whole idea of email notification. What's the aim of this suggestion: is it that you want to get notified each time your account gets logged into, or are you trying to prevent hackers from accessing our accounts?

How about receiving this notification only when there is a change in the user's IP address instead of receiving a notification for every login attempt. Most platforms use this feature and it helps prevent hack attempts.

If the whole suggestion is about preventing hackers from gaining access to your account I don't see the usefulness of a notification when it might be too late before you can do anything about it.

Quickseller
Copper Member
Legendary
Activity: 2870
Merit: 2298
June 05, 2019, 06:13:47 PM
 #26

Quote: If you are infected with malware, it is possible someone could access your account without logging in. The hacker could possibly access your account locally on your computer, or they could copy the cookie used to validate you and log in.

Quote: Well, I realize that my proposed solutions won't make someone's security foolproof.  Just another pesky pawn that one could place to get in the way of the hacker's queen.

Having an option to receive an email notification when a PM is sent would be beneficial. Obviously not everyone has a real email attached to their account or actively monitors their attached email.

The email sent to respond to a message contains a link to reply to the message. I can see a lot of people accidentally clicking on the security link when receiving an email saying they just sent a PM, if they are in the middle of a PM conversation.
bones261 (OP)
Legendary
Activity: 1806
Merit: 1826
June 05, 2019, 06:38:57 PM
Merited by CryptopreneurBrainboss (1)
 #27

Quote: Before I vote, I need to be clear on the whole idea of email notification. What's the aim of this suggestion: is it that you want to get notified each time your account gets logged into, or are you trying to prevent hackers from accessing our accounts?

Quote: How about receiving this notification only when there is a change in the user's IP address instead of receiving a notification for every login attempt. Most platforms use this feature and it helps prevent hack attempts.

Quote: If the whole suggestion is about preventing hackers from gaining access to your account I don't see the usefulness of a notification when it might be too late before you can do anything about it.

It appears that some scammers on Telegram are trying to gain confidence from people by telling them they are a bitcointalk member. It appears one scammer may have gotten access to a reputed member's account and sent PMs under the member's nose. Unfortunately, for the reputed member, there is really no way to prove definitively that he was "hacked." Now he is being asked to potentially make up for the victim's loss. I just want to make it harder for scammers to use another person's account on the down low. I realize that e-mail notification is not a fail-safe. However, offering as many tools as possible to give people notification that their account may be compromised is a good thing. I personally don't want to force additional security options on people though. I think it should be up to the person to use the extra tool or not.
Joel_Jantsen
Legendary
Activity: 1862
Merit: 1308
June 05, 2019, 07:09:24 PM
 #28

Quote: It appears that some scammers on Telegram are trying to gain confidence from people by telling them they are a bitcointalk member. It appears one scammer may have gotten access to a reputed member's account and sent PMs under the member's nose. Unfortunately, for the reputed member, there is really no way to prove definitively that he was "hacked."

One of the hacky ways I could think of is checking the Last Active option of your account and verifying with your actual Last Active time. OF COURSE, you've to check it without logging in on the website and opening your profile.

Quote: Now he is being asked to potentially make up for the victim's loss. I just want to make it harder for scammers to use another person's account on the down low. I realize that e-mail notification is not a fail-safe. However, offering as many tools as possible to give people notification that their account may be compromised is a good thing. I personally don't want to force additional security options on people though. I think it should be up to the person to use the extra tool or not.

2FA can potentially solve the above issue but we have it coming up in the new forum (hopefully). IP based verification should be used in connection with the login logic. Something like what LBC does: if they find you opening the site from a different IP that doesn't exist before, you're forced to confirm a link sent in your email.
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18504
June 05, 2019, 07:44:57 PM
 #29

Quote: Perhaps add another alert for user agent then. I bet no hacker would guess that my browser is "NCSA_Mosaic/1.0 (Windows 3.1)".

They will now that you've told them! I'd recommend switching immediately - I use WorldWideWeb/0.18 (NeXTSTEP 3.3).

Some people constantly spoof their user agent, so again, wouldn't work for everyone, but it certainly could be offered alongside the IP option. Between the two of them, I suspect that would cover most people who are worried about it.

Quote: It appears that some scammers on Telegram are trying to gain confidence from people by telling them they are a bitcointalk member. It appears one scammer may have gotten access to a reputed member's account and sent PMs under the member's nose.

I don't understand how this happened? Did the user in question just give out their password?
bones261 (OP)
Legendary
Activity: 1806
Merit: 1826
June 05, 2019, 07:55:28 PM
Last edit: June 05, 2019, 08:17:09 PM by bones261
 #30

Quote: It appears that some scammers on Telegram are trying to gain confidence from people by telling them they are a bitcointalk member. It appears one scammer may have gotten access to a reputed member's account and sent PMs under the member's nose.

Quote: I don't understand how this happened? Did the user in question just give out their password?

Here is the thread in question that I am talking about. https://bitcointalk.org/index.php?topic=5150479.0 I am leaning toward believing that the OP is telling the truth; however, it is possible that it is just an excuse. Unfortunately, no information from the OP on thread to indicate exactly how he may have gotten compromised.
Here is a similarly described incident. But I don't think the Telegram scammer actually had access to the bitcointalk account to confirm the credentials that he was giving. https://bitcointalk.org/index.php?topic=5148419.0
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18504
June 05, 2019, 08:28:53 PM
 #31

Wow. What a thread.

Quote: Unfortunately, no information from the OP on thread to indicate exactly how he may have gotten compromised.

He did say this:

Quote: I do logon from hotel wifis when abroad, I don't have much choice if I wanna get online.

If you look at the picture of theymos' PM, you can see he logs in from 5 different USA IPs in less than 12 hours. Assuming he was in New York for a few days, it seems he could well have logged in to dozens of different public WiFis, and then less than a week later, his account is used to scam. As most of us know, if you log in to a public WiFi without any sort of encryption it is entirely possible for that WiFi owner to see absolutely everything you send and receive, including usernames and passwords. I'm not saying this is definitely what happened, but it's a very obvious vector of attack.
suchmoon
Legendary
Activity: 3640
Merit: 8908
June 05, 2019, 09:08:40 PM
 #32

~

Or a keylogger, or an XSS exploit to grab the cookie, or his password was password123, or a salty ex-girlfriend/boyfriend tried to screw him over...

WiFi MITM attack isn't that simple IMO. To extract a password from an HTTPS session you'd need to fool the user into accepting a fake cert, or plant a fake CA.
mangoleaf
Jr. Member
Activity: 49
Merit: 2
June 05, 2019, 10:47:39 PM
 #33

They can't hold your hand, account security falls on you.  No one to blame but yourself.
bones261 (OP)
Legendary
Activity: 1806
Merit: 1826
June 05, 2019, 10:59:33 PM
Last edit: June 05, 2019, 11:14:36 PM by bones261
 #34

Quote: They can't hold your hand, account security falls on you.  No one to blame but yourself.

First of all, let's get something straight. When an account gets hacked, the main blame goes to the hacker. It's not like hackers are some wild predatory animals that just can't control their instincts. I'm not suggesting that Bitcointalk holds people's hands. I'm just suggesting an additional tool for users to implement.
Joel_Jantsen
Legendary
Activity: 1862
Merit: 1308
June 05, 2019, 11:08:13 PM
 #35

Quote: WiFi MITM attack isn't that simple IMO. To extract a password from an HTTPS session you'd need to fool the user into accepting a fake cert, or plant a fake CA.

Depends on the type of authentication method used. You can extract session tokens/JWTs from request headers, but again, installing the fake cert on your own system and making sure the system accepts it is a very difficult task. Basically, your system will be already compromised if the MITM managed to install a fake cert on the system.
theymos
Administrator
Legendary
Activity: 5166
Merit: 12865
June 06, 2019, 06:48:53 AM
Merited by Mitchell (5), LoyceV (2), Halab (2), DdmrDdmr (2), bones261 (2), chimk (2), JayJuanGee (1), klarki (1), SFR10 (1), DireWolfM14 (1)
 #36

It's tricky to get email notifications right so that they're not too spammy. Maybe later.

For now, I added this page where you can see your IP logs for the past 30 days: https://bitcointalk.org/myips.php . You could pretty easily write a userscript to periodically check this and warn you if it's weird. (But don't scrape it on every pageload.)

I don't want to make older IP logs automatically accessible because that'd give a hacker a bunch of useful/sensitive information. But 30 days is probably not too harmful.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
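
The new-IP and user-agent checks discussed in this thread, and the comparison a userscript could run over the 30-day IP log, sketched as an added example that is not code from the forum or from any poster. The record shape `{ ip, userAgent, time }`, the /24 and /64 grouping and the six-hour throttle are assumptions; the layout of myips.php is not shown in the thread, so fetching and parsing that page is left out.

```javascript
// Added example: flag logins from networks or user agents not seen before.
// The record shape { ip, userAgent, time } is an assumption, not the forum's format.
const CHECK_INTERVAL_MS = 6 * 60 * 60 * 1000; // assumed throttle: one check per 6 hours

// Reduce an address to a coarse network key (IPv4 /24, IPv6 /64) so that
// address changes inside one provider range do not raise an alert.
function networkKey(ip) {
  if (ip.includes(':')) {
    const halves = ip.toLowerCase().split('::');
    if (halves.length > 2) return null; // "::" may appear only once
    const h = halves[0] ? halves[0].split(':') : [];
    const t = halves[1] ? halves[1].split(':') : [];
    const gap = halves.length === 2 ? Math.max(0, 8 - h.length - t.length) : 0;
    const groups = [...h, ...Array(gap).fill('0'), ...t];
    if (groups.length !== 8 || !groups.every(g => /^[0-9a-f]{1,4}$/.test(g))) return null;
    return groups.slice(0, 4).map(g => g.replace(/^0+(?=.)/, '')).join(':') + '::/64';
  }
  const octets = ip.split('.');
  const ok = octets.length === 4 && octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  return ok ? octets.slice(0, 3).join('.') + '.0/24' : null;
}

// Compare recent logins against older history; each unfamiliar network or
// user agent is reported once, then treated as known to avoid repeat alerts.
function findUnfamiliarLogins(history, recent) {
  const nets = new Set(history.map(r => networkKey(r.ip)));
  const agents = new Set(history.map(r => r.userAgent));
  const alerts = [];
  for (const r of recent) {
    const net = networkKey(r.ip);
    const reasons = [];
    if (net === null) reasons.push('unparseable address');
    else if (!nets.has(net)) reasons.push('new network ' + net);
    if (!agents.has(r.userAgent)) reasons.push('new user agent');
    if (reasons.length) alerts.push({ time: r.time, ip: r.ip, reasons });
    nets.add(net);
    agents.add(r.userAgent);
  }
  return alerts;
}

// Throttle so the log page is not fetched on every page load.
function shouldCheck(lastCheckedMs, nowMs) {
  return lastCheckedMs === null || nowMs - lastCheckedMs >= CHECK_INTERVAL_MS;
}

// Constructed sample data (documentation address ranges, made-up agents).
const FIREFOX = 'Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0';
const HISTORY = [
  { ip: '192.0.2.10', userAgent: FIREFOX, time: '2019-05-20T08:00:00Z' },
  { ip: '2001:db8:aa:1::5', userAgent: FIREFOX, time: '2019-05-22T19:30:00Z' },
];
const RECENT = [
  { ip: '192.0.2.77', userAgent: FIREFOX, time: '2019-06-04T07:10:00Z' },
  { ip: '2001:db8:aa:1:ffff::9', userAgent: FIREFOX, time: '2019-06-04T21:00:00Z' },
  { ip: '203.0.113.5', userAgent: 'curl/7.64.0', time: '2019-06-05T03:12:00Z' },
  { ip: '203.0.113.9', userAgent: 'curl/7.64.0', time: '2019-06-05T03:15:00Z' },
  { ip: '198.51.100.20', userAgent: FIREFOX, time: '2019-06-05T18:40:00Z' },
];
console.log(findUnfamiliarLogins(HISTORY, RECENT));
```

As noted earlier in the thread, a rule like this alerts on almost every login for Tor users or anyone who rotates VPN exits, and a spoofed user agent makes the second signal unreliable.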
jademaxsuy
Full Member
Activity: 924
Merit: 220
June 06, 2019, 06:58:42 AM
 #37

OP suggested something like a 2 way factor authentication, and yes, it does sound good to use email rather than a smartphone with its number. A smartphone has the disadvantage that whenever it is stolen the two way factor will not be activated, and it is the same as if you also will not be able to access your precious btc account.
Pmalek
Legendary
Activity: 2744
Merit: 7069
June 06, 2019, 07:39:55 AM
 #38

Quote: Can't the hacker delete the sent PMs from the user's account? When they can send PMs without the knowledge of the user, they can easily delete their own sent PMs as well as we can do now manually.

At the moment they could but in the 2nd part of his post CryptopreneurBrainboss says:

Quote: How about the option of making the "save a copy to my outbox" a default setting that can't be changed and message saved in outbox can only be deleted after certain number of days like 30 days period.

This could be useful for the current forum but once the forum switches to the new software, hopefully with a 2FA option, it would no longer be needed.

lobcmt2
Full Member
Activity: 462
Merit: 155
June 06, 2019, 08:31:48 AM
 #39

Quote: This could be useful for the current forum but once the forum switches to the new software, hopefully with a 2FA option, it would no longer be needed.

Theymos stepped in and did hard for forum users. The switch from bitcointalk.org to Epochtalk might be a huge migration (or hugest) in history of crypto forums. Mainly because bitcointalk.org is the biggest and unique crypto forum, for years. I don't know which set of security methods for accounts will be applied in the new forum with 2-factor authentication, but I guess there are three methods: emails, signed message, and 2FA. It will be likely a triple security method, that is hard for hackers to steal accounts.
fillippone
Legendary
Activity: 2142
Merit: 15341
June 06, 2019, 08:55:29 AM
 #40

Quote: It's tricky to get email notifications right so that they're not too spammy. Maybe later.

Quote: For now, I added this page where you can see your IP logs for the past 30 days: https://bitcointalk.org/myips.php . You could pretty easily write a userscript to periodically check this and warn you if it's weird. (But don't scrape it on every pageload.)

Quote: I don't want to make older IP logs automatically accessible because that'd give a hacker a bunch of useful/sensitive information. But 30 days is probably not too harmful.

The log looks suspicious,
I have been logging from various locations, but some are definitely out of my recognised range.
Country is the same, but very strange IP locations popping out here and there.
I am going to change my password anyway.
This is the minimum required action.
But anyway this log needs some double checking.
