Bitcoin Forum
Author Topic: Lock old user accounts  (Read 1716 times)
Bitsky (OP)
Hero Member
Activity: 576
Merit: 514
June 29, 2012, 08:23:38 AM
 #1

It looks like quite a few members here got scammed by people who managed to get access to abandoned accounts, most likely because they used the same password on multiple sites.
Especially if the accounts belong to users with more than 100-200 postings, others trust them more than newbie accounts, which makes the scam easier to pull off.

There should be a "max days between logins" limit, after which an account gets locked and needs to be manually enabled again by a mod. Either by sending a new password to the registration mail (which could be hacked too however), or by having the member sign a message with the btc address in the sig (if available; perhaps make providing a btc address mandatory), or by giving hints about who they sent PMs to.

If someone doesn't log in at least once every 30-60 days, he hasn't much interest in Bitcoin at all.

Bounty: Earn up to 68.7 BTC
Like my post? Feel free to drop a tip to 1BitskyZbfR4irjyXDaGAM2wYKQknwX36Y
bulanula
Hero Member
Activity: 518
Merit: 500
June 29, 2012, 12:25:22 PM
 #2

It looks like quite a few members here got scammed by people who managed to get access to abandoned accounts, most likely because they used the same password on multiple sites.
Especially if the accounts belong to users with more than 100-200 postings, others trust them more than newbie accounts, which makes the scam easier to pull off.

There should be a "max days between logins" limit, after which an account gets locked and needs to be manually enabled again by a mod. Either by sending a new password to the registration mail (which could be hacked too however), or by having the member sign a message with the btc address in the sig (if available; perhaps make providing a btc address mandatory), or by giving hints about who they sent PMs to.

If someone doesn't log in at least once every 30-60 days, he hasn't much interest in Bitcoin at all.

Does not mean that you should lock the account mate.

That is not nice for people that don't even have any idea why the account is locked nor can find out why.

-1 for this policy.
Kluge
Donator
Legendary
Activity: 1218
Merit: 1015
June 29, 2012, 12:38:48 PM
 #3

Going by past experience, it is indeed much more likely than an individual's computer/email being cracked that a server's db was accessed without authorization, as happened when MtGox was compromised, and a flood of old users who used the same credentials had their forum account compromised as a result. I would think it reasonable to have them simply sent a confirmation email before being allowed to log in if it has been over 30 days since they last logged in. Simple email verification, minimal headache. ... If it's not too much of a headache to implement.

Identity theft on this forum should be taken very seriously. It should be more stringent than the "typical" forum. She don't look like much, but is competent-enough to facilitate tens of thousands of dollars worth of transactions every week (I'm guessing). After the flood of ID thieves post-Gox-GOXing, I think most members have the sense to check post history to look specifically for when that user last made a post before entering into a transaction, though newbies probably aren't aware. Having one's first transaction be a scam may be enough to push them out of interest in Bitcoin forever.
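The check proposed in the post above (a confirmation email before login when the last login is more than 30 days old), sketched as an added example that is not part of the thread and not SMF code. The `Account` class, the function names, the one-hour token lifetime and the `send_mail` callback are assumptions.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=30)   # threshold suggested in the post above
TOKEN_TTL = timedelta(hours=1)       # assumption: lifetime of the confirmation token

class Account:                       # hypothetical record, not an SMF structure
    def __init__(self, email, last_login):
        self.email, self.last_login = email, last_login
        self.token_hash = None       # SHA-256 of the pending token, never the token itself
        self.token_expiry = None

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def login(acct, password_ok, now, send_mail):
    """Runs after the password check. Returns 'denied', 'session' or 'verify_email'."""
    if not password_ok:
        return "denied"
    if now - acct.last_login <= DORMANT_AFTER:
        acct.last_login = now
        return "session"
    # Dormant account: a correct password alone is not trusted, because it
    # may be a credential reused from another, breached site.
    token = secrets.token_urlsafe(32)
    acct.token_hash, acct.token_expiry = _digest(token), now + TOKEN_TTL
    send_mail(acct.email, token)     # last_login stays old until confirm() succeeds
    return "verify_email"

def confirm(acct, token, now):
    """Redeem the emailed token: single use, expiring, compared in constant time."""
    if acct.token_hash is None or now > acct.token_expiry:
        return False
    ok = hmac.compare_digest(acct.token_hash, _digest(token))
    if ok:
        acct.token_hash = acct.token_expiry = None
        acct.last_login = now
    return ok

if __name__ == "__main__":
    # Constructed sample: an account that has been idle for 200 days.
    now = datetime(2012, 6, 29, tzinfo=timezone.utc)
    sent = []
    stale = Account("user@example.org", now - timedelta(days=200))
    print(login(stale, True, now, lambda to, tok: sent.append((to, tok))))
    print(confirm(stale, sent[-1][1], now))
```

As the opening post points out, the registration mailbox can itself be compromised, so this gate only stops an attacker who holds nothing but a reused password.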
Bitsky (OP)
Hero Member
Activity: 576
Merit: 514
June 29, 2012, 12:48:35 PM
 #4

Does not mean that you should lock the account mate.

That is not nice for people that don't even have any idea why the account is locked nor can find out why.

-1 for this policy.
Well, with that tag below your username, I'm not really surprised that you don't like my suggestion.

Of course you can let people know why the account is locked. Just redirect them to a page explaining why and what to do about it when they try to log in.
An email verification or a signed message isn't really that much work if you can't be bothered to log in at least once every month or two.
With such a policy, threads like this one would not exist: https://bitcointalk.org/index.php?topic=86248.msg982776#msg982776
The lender would still have his 55btc.

Bounty: Earn up to 68.7 BTC
Like my post? Feel free to drop a tip to 1BitskyZbfR4irjyXDaGAM2wYKQknwX36Y
bulanula
Hero Member
Activity: 518
Merit: 500
June 29, 2012, 12:55:23 PM
 #5

Does not mean that you should lock the account mate.

That is not nice for people that don't even have any idea why the account is locked nor can find out why.

-1 for this policy.
Well, with that tag below your username, I'm not really surprised that you don't like my suggestion.

Of course you can let people know why the account is locked. Just redirect them to a page explaining why and what to do about it when they try to log in.
An email verification or a signed message isn't really that much work if you can't be bothered to log in at least once every month or two.
With such a policy, threads like this one would not exist: https://bitcointalk.org/index.php?topic=86248.msg982776#msg982776
The lender would still have his 55btc.


Very funny personal attack. Locking accounts at random because they did not have time to log in = genius policy.

How about being SMART and not getting scammed like a sheep for a start ?

Anybody not doing due diligence and handing over $$$ to strangers on the Net deserves to be scammed by me.

Use escrow and you are safe ... but some just want / beg to get scammed !
Stephen Gornick
Legendary
Activity: 2506
Merit: 1010
June 29, 2012, 10:14:29 PM
 #6

It looks like quite a few members here got scammed by people who managed to get access to abandoned accounts, most likely because they used the same password on multiple sites.

If only there was some authentication method that could be used when doing over the counter trading like this. :D

 - http://webchat.freenode.net/?channels=#bitcoin-otc-foyer
 - http://bitcoin-otc.com/viewratings.php
 - http://wiki.bitcoin-otc.com/wiki/GPG_authentication

Bitsky (OP)
Hero Member
Activity: 576
Merit: 514
June 29, 2012, 10:45:40 PM
 #7

Very funny personal attack. Locking accounts at random because they did not have time to log in = genius policy.
You worked hard to get this tag, along with 22.5btc, so you've got to live with it.
Also the locks won't happen randomly, but after a defined time and with a redirect to an explanation.

Use escrow and you are safe ... but some just want / beg to get scammed !
So how does an escrow protect you from someone who just keeps the money lent to him?
Like in this case: https://bitcointalk.org/index.php?topic=86248.msg982776#msg982776


Bounty: Earn up to 68.7 BTC
Like my post? Feel free to drop a tip to 1BitskyZbfR4irjyXDaGAM2wYKQknwX36Y
mc_lovin
Legendary
Activity: 1190
Merit: 1000
www.bitcointrading.com
July 02, 2012, 05:02:50 AM
 #8

I would say at the very worst, after an account hasn't been logged into in 3 months, reset it so that they need to do email activation to use the account again...  But even that would be tricky to set up, and I think it should be an opt-in feature instead of default.
TehZomB
Sr. Member
Activity: 294
Merit: 250
July 02, 2012, 05:52:54 AM
 #9

I respectfully disagree.
I was thrilled when I found that, after registering and not using my account here for eight or so months, I didn't have to get out of "newbie jail" (that wasn't a thing when I registered).
bulanula
Hero Member
Activity: 518
Merit: 500
July 02, 2012, 05:20:37 PM
 #10

I respectfully disagree.
I was thrilled when I found that, after registering and not using my account here for eight or so months, I didn't have to get out of "newbie jail" (that wasn't a thing when I registered).

Going by the SKEWED mentality of the "lock user account" supporters in this thread, I would say you are going to scam somebody in the next month.

You are probably not going to scam anyone.

Don't lock any accounts.

How about locking satoshi's account too ?
Maged
Legendary
Activity: 1204
Merit: 1015
July 02, 2012, 05:50:02 PM
 #11

How about locking satoshi's account too ?
We already have, but for unrelated reasons.

bulanula
Hero Member
Activity: 518
Merit: 500
July 02, 2012, 05:57:18 PM
 #12

How about locking satoshi's account too ?
We already have, but for unrelated reasons.

What if he decides to come back ?

Seems a bit harsh ... not convinced he really died or something.
Maged
Legendary
Activity: 1204
Merit: 1015
July 02, 2012, 06:04:21 PM
 #13

How about locking satoshi's account too ?
We already have, but for unrelated reasons.

What if he decides to come back ?

Seems a bit harsh ... not convinced he really died or something.
He still has his GPG key, as well as at least Gavin's contact information.

malevolent
can into space
Legendary
Activity: 3472
Merit: 1724
July 02, 2012, 08:33:21 PM
 #14

How about locking satoshi's account too ?
We already have, but for unrelated reasons.

Are you afraid someone manages to hack into his account (0day exploit in SMF, guesses pwd, whatevah) and impersonate him?

Signature space available for rent.
rjk
Sr. Member
Activity: 448
Merit: 250
1ngldh
July 02, 2012, 11:26:46 PM
 #15

How about locking satoshi's account too ?
We already have, but for unrelated reasons.

Are you afraid someone manages to hack into his account (0day exploit in SMF, guesses pwd, whatevah) and impersonate him?
That much should be obvious. If he comes back, he could use his GPG key to sign a message asking for his account to be unlocked.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
grue
Legendary
Activity: 2058
Merit: 1452
July 06, 2012, 10:02:46 PM
 #16

+1 for email verification
-1 for manual mod reactivation, because it's too much of a hassle
-1 for the BTC address idea, because it links forum accounts to wallets, which may become corrupt, or lost. Not to mention the possible incompatibility with 3rd party clients.

I would say at the very worst, after an account hasn't been logged into in 3 months, reset it so that they need to do email activation to use the account again...  But even that would be tricky to set up, and I think it should be an opt-in feature instead of default.
that kills the whole point. the purpose is to ensure ignorant users' accounts can't be used by scammers. Do you think ignorant users are going to opt-in to any feature?

How about locking satoshi's account too ?
We already have, but for unrelated reasons.

Are you afraid someone manages to hack into his account (0day exploit in SMF, guesses pwd, whatevah) and impersonate him?
this actually happened. that's how the db got leaked.

It is pitch black. You are likely to be eaten by a grue.

Adblock for annoying signature ads | Enhanced Merit UI