Bitcoin Forum
Author Topic: Lock old user accounts  (Read 1507 times)
Bitsky
Hero Member
Activity: 542
June 29, 2012, 08:23:38 AM
#1

It looks like quite a few members here got scammed by people who managed to get access to abandoned accounts, most likely because they used the same password on multiple sites.
Especially if the accounts belong to users with more than 100-200 postings, others trust them more than newbie accounts, which makes the scam easier to pull off.

There should be a "max days between logins" limit, after which an account gets locked and needs to be manually enabled again by a mod. Either by sending a new password to the registration mail (which could be hacked too, however), or by having the member sign a message with the btc address in the sig (if available; perhaps make providing a btc address mandatory), or by giving hints about who they sent PMs to.

If someone doesn't log in at least once every 30-60 days, he hasn't much interest in Bitcoin at all.

Bounty: Earn up to 68.7 BTC
Like my post? Feel free to drop a tip to 1BitskyZbfR4irjyXDaGAM2wYKQknwX36Y
bulanula
Hero Member
Activity: 518
June 29, 2012, 12:25:22 PM
#2

> It looks like quite a few members here got scammed by people who managed to get access to abandoned accounts, most likely because they used the same password on multiple sites.
> Especially if the accounts belong to users with more than 100-200 postings, others trust them more than newbie accounts, which makes the scam easier to pull off.
>
> There should be a "max days between logins" limit, after which an account gets locked and needs to be manually enabled again by a mod. Either by sending a new password to the registration mail (which could be hacked too, however), or by having the member sign a message with the btc address in the sig (if available; perhaps make providing a btc address mandatory), or by giving hints about who they sent PMs to.
>
> If someone doesn't log in at least once every 30-60 days, he hasn't much interest in Bitcoin at all.

Does not mean that you should lock the account mate.

That is not nice for people that don't even have any idea why the account is locked nor can find out why.

-1 for this policy.
Kluge
Donator
Legendary
Activity: 1218
Michael, send me some coins before I hitman you
June 29, 2012, 12:38:48 PM
#3

Going by past experience, it is indeed much more likely than an individual's computer/email being cracked that a server's db was accessed without authorization, as happened when MtGox was compromised, and a flood of old users who used the same credentials had their forum account compromised as a result. I would think it reasonable to have them simply sent a confirmation email before being allowed to log in if it has been over 30 days since they last logged in. Simple email verification, minimal headache. ... If it's not too much of a headache to implement.

Identity theft on this forum should be taken very seriously. It should be more stringent than the "typical" forum. She don't look like much, but is competent-enough to facilitate tens of thousands of dollars worth of transactions every week (I'm guessing). After the flood of ID thieves post-Gox-GOXing, I think most members have the sense to check post history to look specifically for when that user last made a post before entering into a transaction, though newbies probably aren't aware. Having one's first transaction be a scam may be enough to push them out of interest in Bitcoin forever.

Don't mix your coins someone said isn't legal
Bitsky
Hero Member
Activity: 542
June 29, 2012, 12:48:35 PM
#4

> Does not mean that you should lock the account mate.
>
> That is not nice for people that don't even have any idea why the account is locked nor can find out why.
>
> -1 for this policy.
Well, with that tag below your username, I'm not really surprised that you don't like my suggestion.

Of course you can let people know why the account is locked. Just redirect them to a page explaining why and what to do about it when they try to log in.
An email verification or a signed message isn't really that much work if you can't be bothered to log in at least once every month or two.
With such a policy, threads like this one would not exist: https://bitcointalk.org/index.php?topic=86248.msg982776#msg982776
The lender would still have his 55btc.

Bounty: Earn up to 68.7 BTC
Like my post? Feel free to drop a tip to 1BitskyZbfR4irjyXDaGAM2wYKQknwX36Y
bulanula
Hero Member
Activity: 518
June 29, 2012, 12:55:23 PM
#5

> > Does not mean that you should lock the account mate.
> >
> > That is not nice for people that don't even have any idea why the account is locked nor can find out why.
> >
> > -1 for this policy.
> Well, with that tag below your username, I'm not really surprised that you don't like my suggestion.
>
> Of course you can let people know why the account is locked. Just redirect them to a page explaining why and what to do about it when they try to log in.
> An email verification or a signed message isn't really that much work if you can't be bothered to log in at least once every month or two.
> With such a policy, threads like this one would not exist: https://bitcointalk.org/index.php?topic=86248.msg982776#msg982776
> The lender would still have his 55btc.


Very funny personal attack. Locking accounts at random because they did not have time to log in = genius policy.

How about being SMART and not getting scammed like a sheep for a start ?

Anybody not doing due diligence and handing over $$$ to strangers on the Net deserves to be scammed by me.

Use escrow and you are safe ... but some just want / beg to get scammed !
Stephen Gornick
Legendary
Activity: 2002
June 29, 2012, 10:14:29 PM
#6

> It looks like quite a few members here got scammed by people who managed to get access to abandoned accounts, most likely because they used the same password on multiple sites.

If only there was some authentication method that could be used when doing over the counter trading like this. :D

 - http://webchat.freenode.net/?channels=#bitcoin-otc-foyer
 - http://bitcoin-otc.com/viewratings.php
 - http://wiki.bitcoin-otc.com/wiki/GPG_authentication

Bitsky
Hero Member
Activity: 542
June 29, 2012, 10:45:40 PM
#7

> Very funny personal attack. Locking accounts at random because they did not have time to log in = genius policy.
You worked hard to get this tag, along with 22.5btc, so you've got to live with it.
Also the locks won't happen randomly, but after a defined time and with a redirect to an explanation.

> Use escrow and you are safe ... but some just want / beg to get scammed !
So how does an escrow protect you from someone who just keeps the money lent to him?
Like in this case: https://bitcointalk.org/index.php?topic=86248.msg982776#msg982776


Bounty: Earn up to 68.7 BTC
Like my post? Feel free to drop a tip to 1BitskyZbfR4irjyXDaGAM2wYKQknwX36Y
mc_lovin
Legendary
Activity: 1134
www.bitcointrading.com
July 02, 2012, 05:02:50 AM
#8

I would say at the very worst, after an account hasn't been logged into in 3 months, reset it so that they need to do email activation to use the account again...  But even that would be tricky to set up, and I think it should be an opt-in feature instead of default.

TehZomB
Sr. Member
Activity: 294
WTB NHL Expansion team in Baltimore
July 02, 2012, 05:52:54 AM
#9

I respectfully disagree.
I was thrilled when I found that, after registering and not using my account here for eight or so months, I didn't have to get out of "newbie jail" (that wasn't a thing when I registered).

bulanula
Hero Member
Activity: 518
July 02, 2012, 05:20:37 PM
#10

> I respectfully disagree.
> I was thrilled when I found that, after registering and not using my account here for eight or so months, I didn't have to get out of "newbie jail" (that wasn't a thing when I registered).

Going by the SKEWED mentality of the "lock user account" supporters in this thread, I would say you are going to scam somebody in the next month.

You are not probably going to scam anyone. 

Don't lock any accounts.

How about locking satoshi's account too ?
Maged
Legendary
Activity: 1260
July 02, 2012, 05:50:02 PM
#11

> How about locking satoshi's account too ?
We already have, but for unrelated reasons.

bulanula
Hero Member
Activity: 518
July 02, 2012, 05:57:18 PM
#12

> > How about locking satoshi's account too ?
> We already have, but for unrelated reasons.

What if he decides to come back ?

Seems a bit harsh ... not convinced he really died or something.
Maged
Legendary
Activity: 1260
July 02, 2012, 06:04:21 PM
#13

> > > How about locking satoshi's account too ?
> > We already have, but for unrelated reasons.
>
> What if he decides to come back ?
>
> Seems a bit harsh ... not convinced he really died or something.
He still has his GPG key, as well as at least Gavin's contact information.

malevolent
can into space
Staff
Legendary
Activity: 1624
July 02, 2012, 08:33:21 PM
#14

> > How about locking satoshi's account too ?
> We already have, but for unrelated reasons.

Are you afraid someone manages to hack into his account (0day exploit in SMF, guesses pwd, whatevah) and impersonate him?
rjk
Sr. Member
Activity: 420
1ngldh
July 02, 2012, 11:26:46 PM
#15

> > > How about locking satoshi's account too ?
> > We already have, but for unrelated reasons.
>
> Are you afraid someone manages to hack into his account (0day exploit in SMF, guesses pwd, whatevah) and impersonate him?
That much should be obvious. If he comes back, he could use his GPG key to sign a message asking for his account to be unlocked.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
grue
Global Moderator
Legendary
Activity: 1932
July 06, 2012, 10:02:46 PM
#16

+1 for email verification
-1 for manual mod reactivation, because it's too much of a hassle
-1 for the BTC address idea, because it links forum accounts to wallets, which may become corrupt, or lost. Not to mention the possible incompatibility with 3rd party clients.

> I would say at the very worst, after an account hasn't been logged into in 3 months, reset it so that they need to do email activation to use the account again...  But even that would be tricky to set up, and I think it should be an opt-in feature instead of default.
that kills the whole point. the purpose is to ensure ignorant users' accounts can't be used by scammers. Do you think ignorant users are going to opt-in to any feature?

> > > How about locking satoshi's account too ?
> > We already have, but for unrelated reasons.
>
> Are you afraid someone manages to hack into his account (0day exploit in SMF, guesses pwd, whatevah) and impersonate him?
this actually happened. that's how the db got leaked.

It is pitch black. You are likely to be eaten by a grue.

Tired of annoying signature ads? Ad block for signatures
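
One way to implement the re-verification gate discussed in this thread, as an added example that is not from any poster and is not SMF code: on an account idle past a threshold, a correct password alone does not complete the login; an expiring token mailed to the registered address is also required. The 30-day threshold, one-hour token lifetime, field names and demo key are assumptions.

```python
import hashlib
import hmac

DORMANT_AFTER = 30 * 86400         # assumed threshold: 30 days without a login
TOKEN_TTL = 3600                   # assumed lifetime of the e-mailed token
SECRET = b"constructed-demo-key"   # placeholder; use a random server-side key

def _mac(user_id, last_login, expires):
    msg = f"{user_id}|{last_login}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(account, now):
    """Token to mail to the registered address.

    Binding it to last_login makes it single-use: a successful login
    updates last_login, so the same token no longer verifies.
    """
    expires = now + TOKEN_TTL
    return f"{expires}.{_mac(account['id'], account['last_login'], expires)}"

def _token_valid(account, token, now):
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:               # malformed token
        return False
    if now > expires:
        return False
    expected = _mac(account["id"], account["last_login"], expires)
    return hmac.compare_digest(mac.encode(), expected.encode())

def login(account, password_ok, now, token=None):
    """Return 'denied', 'ok', or 'reverify'.

    'reverify' means: show the explanation page and mail a token.
    password_ok stands in for the forum's normal password check.
    """
    if not password_ok:
        return "denied"
    dormant = now - account["last_login"] > DORMANT_AFTER
    if dormant and (token is None or not _token_valid(account, token, now)):
        return "reverify"
    account["last_login"] = now
    return "ok"
```

The gate only raises the bar from "knows the reused password" to "also controls the registered mailbox"; a member whose e-mail is compromised as well still needs one of the stronger checks mentioned above, such as a signed message.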