Topic: Why it's easier to hack BTT users account
Badmanthought (OP)
Member
Activity: 230
Merit: 24
December 23, 2020, 09:29:43 AM
Merited by The Sceptical Chymist (4), nutildah (1)
#1

I've read through a few meta threads and I saw lots of users complaining about how their account was compromised, then I began to ask myself how is this possible?!

To clear my doubt, I had to do personal research on why this act is rampant in BTT.

And here are my findings:

1) When you register on BTT you don't receive a confirmation email to verify your registration (meaning you can use someone else's email to register on BTT without their notice).

2) When there is a login attempt on your account you don't receive a notification (maybe there's a place to set this in the settings/user dashboard but I've not come across it yet).

3) When someone has access to your account, he/she changes your email address (this is a very bad practice)!
Once the email address is changed, everything can be changed with ease as well.

Your email address is supposed to be your greatest weapon and once that has been taken from you, it automatically means all rights have been taken from you.

The BTT developers should change this practice, so that the email address can no longer be changed. With this, all these everyday complaints of accounts being compromised will stop drastically.

And also 1 and 2 should be looked into as well.
icopress
Legendary
Activity: 1624
Merit: 7777
December 23, 2020, 10:02:24 AM
#2

Losing access to e-mail does not mean losing your forum account at all ... Your most compelling argument when restoring your Bitcointalk account is PGP or Bitcoin signature. There is a special thread for such cases [Stake your Bitcoin address here] where you can publish a signed message that will be quoted and verified.

1. You need to show that the PGP key or Bitcoin address is associated with the account, for example by referencing an unedited post in which you posted the address.
2. You need to sign an appropriate message with that key/address.

hilariousetc
Legendary
Activity: 2772
Merit: 3029
December 23, 2020, 11:55:53 AM
#3

Well, you're mostly right and these sorts of measures should be available, but they're largely not because a new forum software is in development that will have numerous security features including many of the things you suggested and various two-factor options etc: https://bitcointalk.org/index.php?board=167.0

Quote
Losing access to e-mail does not mean losing your forum account at all ... Your most compelling argument when restoring your Bitcointalk account is PGP or Bitcoin signature. There is a special thread for such cases [Stake your Bitcoin address here] where you can publish a signed message that will be quoted and verified.

Well it does if that's your only option of restoring it. Most people probably don't have a PGP key or aren't aware of how to secure their account effectively should it need to be restored.

mk4
Legendary
Activity: 2744
Merit: 3830
December 23, 2020, 02:37:51 PM
#4

It's been 3 years, so I really can't remember if Bitcointalk had a confirmation email or not. As an alternative to emails though, we use the bitcoin address staking method instead, which is also quite effective: https://bitcointalk.org/index.php?topic=996318.0

But anyway, the chances of your account getting hacked are really really slim as long as you follow basic security practices. Using long and complex passwords, not reusing passwords, and such.

BIT-BENDER
Hero Member
Activity: 1540
Merit: 702
December 23, 2020, 03:25:45 PM
#5

Sometimes the owner of a hacked account asked for it: you mark your presence in every service, bounty and giveaway; fast forward to you doing it on many occasions and you would land on the unlucky day you get hacked. In between, Facebook accounts are hacked more. The commonly shared thing is the insensitivity and negligence of those hacked; however, accounts can be hacked, even those owned by highly sensitive and secure owners, but like @Icopress said, you can follow that for recovery.

ranochigo
Legendary
Activity: 2954
Merit: 4165
December 23, 2020, 03:32:51 PM
#6

Quote
1) When you register on BTT you don't receive a confirmation email to verify your registration (meaning you can use someone else's email to register on BTT without their notice).
Think the point of OP is that if you accidentally set the email to someone else's email address/an unused email, they can reset the password easily and gain access to your account. That's why having a confirmation/validation email sent to your account's email is important.

Quote
2) When there is a login attempt on your account you don't receive a notification (maybe there's a place to set this in the settings/user dashboard but I've not come across it yet).
If you think about it, having login attempts being sent to your email would result in some form of privacy loss. Perhaps if you're less wary about the loss of privacy, it's okay, but logging IP addresses and sending them over email can be dangerous for some.

Quote
3) When someone has access to your account, he/she changes your email address (this is a very bad practice)!
Once the email address is changed, everything can be changed with ease as well.
There is a warning email sent to you IIRC.

Quote
The BTT developers should change this practice, so that the email address can no longer be changed. With this, all these everyday complaints of accounts being compromised will stop drastically.
Then the weak point would be with the email addresses, and if it gets compromised and with the emails being tied to the account permanently, it would be fairly dangerous.

If you want to ask why they are usually compromised, it's usually due to password reuse across multiple sites and that some can be cross-matched with previous database leaks of Bitcointalk. Brute force is out of the question as you can probably tell; reCAPTCHA is painful for brute-forcing.

Charles-Tim
Legendary
Activity: 1526
Merit: 4811
December 23, 2020, 03:58:40 PM
#7

Bitcointalk users need to take proper care of their accounts; if not, they can be compromised by hackers. This kind of issue has occurred repeatedly before because not all users are careful online until their accounts are compromised. There is a link given by theymos to our IP log for 30 days; we need to check our IP log often in order to know if there is another IP login which is not from us, so we can easily know our account has been compromised and needs an immediate email change and reporting of the account. Also, some users whose accounts were compromised did not have their email hidden on their profile, which makes it evident that the accounts were hacked through email, in which the hackers will first compromise the email; we need to make sure our email is hidden right from the time we registered. We need to be conscious of online privacy and safety and not click on links sent to us through personal messages, as they can contain malware that can result in our account being hacked. If there are many users whose accounts are not yet compromised, this indicates the carelessness of users many times before their Bitcointalk account is compromised by hackers. If we maintain safety, how can account will not be compromised.
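The IP-log review described in the post above, as an added example that is not part of the original thread or of the forum's software: it flags logins from the last 30 days whose source address is outside the networks the owner recognises. The log line format, the sample rows, the known networks and the function names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of a login history: "YYYY-MM-DD HH:MM:SS <ip>" per line.
# The format is an assumption; the addresses are documentation ranges
# (RFC 5737 / RFC 3849), not real hosts.
SAMPLE_LOG = """\
2020-11-20 08:12:01 198.51.100.23
2020-12-01 08:12:01 198.51.100.23
2020-12-05 19:40:17 198.51.100.87
2020-12-14 07:02:55 2001:db8:12:34::a1
2020-12-19 03:31:09 203.0.113.44
2020-12-21 21:15:30 2001:db8:12:34::beef
2020-12-22 03:35:48 203.0.113.44
2020-12-22 03:36:10 not-an-ip
"""

# Networks the account owner recognises (hypothetical home ISP range and
# mobile carrier prefix). Ranges are used instead of single addresses because
# dynamic addressing changes the exact IP between sessions.
KNOWN_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("2001:db8:12::/48")]


def parse_log(text):
    """Return (entries, rejected): parsed (timestamp, address) pairs and bad lines."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            date, time, ip = line.split()
            stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
            entries.append((stamp, ip_address(ip)))
        except ValueError:
            # Wrong field count, bad timestamp or bad address: keep for review.
            rejected.append(line)
    return entries, rejected


def unfamiliar_logins(entries, known, now, window_days=30):
    """Summarise logins inside the window that match none of the known networks.

    Returns a list of (ip, login_count, first_seen, last_seen), oldest first.
    """
    cutoff = now - timedelta(days=window_days)
    seen = defaultdict(list)
    for stamp, ip in entries:
        if not cutoff <= stamp <= now:
            continue  # outside the retained log window
        if any(ip.version == net.version and ip in net for net in known):
            continue  # address belongs to a network the owner uses
        seen[str(ip)].append(stamp)
    rows = [(ip, len(ts), min(ts), max(ts)) for ip, ts in seen.items()]
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE_LOG)
    now = datetime(2020, 12, 23, 16, 0, 0)  # fixed "now" so the sample is reproducible
    for ip, count, first, last in unfamiliar_logins(entries, KNOWN_NETWORKS, now):
        print(f"unfamiliar login: {ip} x{count}, first {first}, last {last}")
    for line in rejected:
        print(f"could not parse: {line!r}")
```
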

Pffrt
Sr. Member
Activity: 1372
Merit: 322
December 23, 2020, 04:04:43 PM
#8

Quote
1) When you register on BTT you don't receive a confirmation email to verify your registration (meaning you can use someone else's email to register on BTT without their notice).
If someone doesn't use an email which they control, it means they are either sure the address belongs to no one or they don't care about the account. So, the problem is with the user who registered, not with the forum. I think it's good not to require verification.

Quote
2) When there is a login attempt on your account you don't receive a notification (maybe there's a place to set this in the settings/user dashboard but I've not come across it yet).
Maybe. That wouldn't prevent much but that would lower the ratio.

Quote
3) When someone has access to your account, he/she changes your email address (this is a very bad practice)!
Once the email address is changed, everything can be changed with ease as well.
You can lock the account and you will have 14 days to do so and can recover later.
decodx
Hero Member
Activity: 1414
Merit: 915
December 23, 2020, 04:28:14 PM
#9

I don't think any of the points listed above would have any impact on the probability of compromising someone's BTT account.

1. What is the probability that you would use someone else's email address while registering? How is that person going to know that you used his details since there is no email confirmation for registration?

2. How does the notification help, exactly? If someone hacks into your account, they can change your contact details before you can respond.

3. How is the option of changing your own personal information a bad practice? What is the alternative? What if your email address is compromised?


The only option I would add when it comes to account security is 2-factor authentication.

cabron
Hero Member
Activity: 2800
Merit: 595
December 23, 2020, 04:40:10 PM
#10


The goal is that you are going to be anonymous no matter how. You being anonymous to the admin and to the developer of BTT is good, which is why there will be no email asked; otherwise users and perhaps satoshi would have been tracked already.

Anyone using someone else's email is crazy. Whatever his reason is, it's up to him.

actmyname
Copper Member
Legendary
Activity: 2562
Merit: 2504
December 23, 2020, 07:10:41 PM
#11

Quote
The only option I would add when it comes to account security is 2-factor authentication.
It's called a signed message. I would recommend you to set up your own 2FA by staking your address and PGP key somewhere solid.

decodx
Hero Member
Activity: 1414
Merit: 915
December 23, 2020, 09:39:35 PM
#12

Quote
Quote
The only option I would add when it comes to account security is 2-factor authentication.
It's called a signed message. I would recommend you to set up your own 2FA by staking your address and PGP key somewhere solid.

And it's a good way to recover a compromised account, but I was thinking about 2FA for the login system. As an extra security layer that many providers and websites have in addition to regular login systems.
With this, the very possibility of hacking someone's account is significantly reduced.


notblox1
Legendary
Activity: 2044
Merit: 1263
December 23, 2020, 09:43:41 PM
#13

I don't know if it is a good practice for a user to change his Bitcointalk account password periodically, like some people are doing for their email addresses, and are there any negative sides to doing that?

LTU_btc
Legendary
Activity: 3038
Merit: 1330
December 23, 2020, 11:11:05 PM
#14

You have good points, but Bitcointalk security questions were already discussed so many times. Unfortunately, not all security features can be implemented in the current forum software.
But I think the situation with hacked Bitcointalk accounts improved a lot in the last few years after a few changes made by theymos and the good work of the account recovery team. I remember that maybe 2 years ago half of Meta topics were requests to recover hacked accounts. Now we can see very few such topics.

Quote
I don't know if it is a good practice for user to change his bitcointalk account password periodically, like some people are doing for their email addresses, and are there any negative sides for doing that?
I can't find any strong reasons why it would be a bad idea.

Insanerman
Sr. Member
Activity: 1162
Merit: 450
December 23, 2020, 11:18:49 PM
#15

Quote
I've read through few meta thread and I saw lots of users complaining on how there account was compromised, then I begin to ask myself how is this possible?!

You can have fewer security features but still be secure. How? Simply use strong passwords. This forum never saves plain text passwords, nor can perform bruteforce at all. There were accounts that were hacked, yet there are also numerous reasons why it happened, and most likely those reasons are either that their passwords were common and weak, or they've been phished. One way or the other, it is still a user's responsibility to keep himself secured at all times. There is no personal information stored in one's account that would be critical, and the anonymity itself is already a security feature; only the user must take better precautions.
notblox1
Legendary
Activity: 2044
Merit: 1263
December 24, 2020, 12:24:50 AM
#16

Quote
I can't find any strong reasons why it would be bad idea..
Maybe some people would think that the account changed hands, but I also think that most older members changed their passwords, and maybe more than once like I did, especially after the hack that happened a few years ago, and I see that theymos changed his password a few times also :)

actmyname
Copper Member
Legendary
Activity: 2562
Merit: 2504
December 24, 2020, 01:18:08 AM
#17

Quote
And it's a good way to recover a compromised account, but I was thinking about 2FA for the login system. As an extra security layer that many providers and websites have in addition to regular login systems.
With this, the very possibility of hacking someone's account is significantly reduced.
If you want to use optional 2FA, incorporate the use of a PGP or Bitcoin address signature. Anything that can be linked to something outside of your digital cryptographic identity should not be used.

After all, you're trying to secure your privacy since the concern isn't getting the account back eventually. Wouldn't make sense to expose something that would compromise it.

OcTradism
Hero Member
Activity: 1722
Merit: 801
December 24, 2020, 01:55:44 AM
#18

Quote
1) When you register on BTT you don't receive a confirmation email to verify your registration (meaning you can use someone else's email to register on BTT without their notice).

2) When there is a login attempt on your account you don't receive a notification (maybe there's a place to set this in the settings/user dashboard but I've not come across it yet).
The forum allows people to use a throw-away or unreal email to register. It is a freedom for people's anonymity. Notifications for login attempts are not necessary because the forum is not a place for commercial things. It was built up for technical discussions of bitcoin as its main aim at the beginning.

Signing a message and your PGP key are enough to protect your account and prove your account ownership.

Quote
3) When someone has access to your account, he/she changes your email address (this is a very bad practice)!
Once the email address is changed, everything can be changed with ease as well.
The forum locks accounts when suspicious things are detected. I don't know how it is applied, but an email address change can be one of the suspicious things that can cause an account lock for security.

Quote
Your email address is supposed to be your greatest weapon and once that has been taken from you, it automatically means all rights have been taken from you.
Protecting your forum account and your email account is your responsibility. Some people show their email address publicly and they accept any email attacks, so I believe they ignore all potential risks and don't need 2FA protection.
