Following on from yesterday's post about a scammer slipping through the cracks, another issue arose overnight.

This time, a genuine member's account, registered and active since 2009 and still in use up until around December 2022, was obviously hijacked.

 

This is typically the result of a data breach elsewhere, or the user's email being hacked, and the member using the same user/pass here on StereoNET. We have seen a few instances of this happening in the last couple of years.

 

Of course, when an account is hijacked it is near impossible to detect that it is being used fraudulently until it is too late!

 

Fortunately, thanks to the great detective skills from some members and the use of the Report feature, once again we caught this relatively early. One of the Volunteer Moderators that rises earlier than I took care of it swiftly, but not before one member had already contacted the "seller" clearly excited by the offer that was simply too good to be true. 

 

Having Two Factor Authentication (2FA) enabled for your account would prevent this from happening.

You can enable 2FA here: https://www.stereonet.com/forums/settings/account-security/

 

UPDATE

We have added an additional service for 2FA, called Verify. It will send you a text message to verify your account to your nominated number. This is a PAID service (on our end), so we are trialling it for the time being. If the costs are manageable, we will introduce this indefinitely.

@Marc Can you look at solutions other than Google Authenticator? I don't want to install another TOTP app just for SNA.

Apparently some people have used Authy too with SN? Can anyone confirm?

7 minutes ago, oldrose said:

@Marc Can you look at solutions other than Google Authenticator? I don't want to install another TOTP app just for SNA.

 

This is actually not in my control. That aspect of the forum software is directed by the software authors unfortunately.

I have had 2FA for some time and use it for other sites too - it is fantastic and easy to use, worth it for peace of mind. 

51 minutes ago, Marc said:

Apparently some people have used Authy too with SN? Can anyone confirm?

I was actually able to set this up with 1Password - As long as the preferred authenticator application can scan the QR code or allow the entry of the key the seed should work and the TOTP generated can be validated.

UPDATE

 

We have added an additional service for 2FA, called Verify. It will send you a text message to verify your account to your nominated number. This is a PAID service (on our end), so we are trialling it for the time being. If the costs are manageable, we will introduce this indefinitely.

 

You can enable it here: https://www.stereonet.com/forums/settings/account-security/

Headfi has recently enforced MFA for any account looking to post in the classifieds, is this something we could consider here?

 

Thankyou

13 minutes ago, barbz127 said:

Headfi has recently enforced MFA for any account looking to post in the classifieds, is this something we could consider here?

 

Thankyou

 

Already on it 🙂

As our Classifieds is custom written - we will need to code that in. 

Expect it to become compulsory soon to place ads, once we work it out and trial is successful.

On 14/06/2024 at 3:42 PM, Marc said:

UPDATE

 

We have added an additional service for 2FA, called Verify. It will send you a text message to verify your account to your nominated number. This is a PAID service (on our end), so we are trialling it for the time being. If the costs are manageable, we will introduce this indefinitely.

 

You can enable it here: https://www.stereonet.com/forums/settings/account-security/

Where is phone number kept, and is it safe? On SNA or Verify?

3 minutes ago, Snoopy8 said:

Where is phone number kept, and is it safe? On SNA or Verify?

 

All handled by Twilio Verify.

On 14/6/2024 at 3:42 PM, Marc said:

UPDATE

 

We have added an additional service for 2FA, called Verify. It will send you a text message to verify your account to your nominated number. This is a PAID service (on our end), so we are trialling it for the time being. If the costs are manageable, we will introduce this indefinitely.

 

You can enable it here: https://www.stereonet.com/forums/settings/account-security/

@Marc are you able to add TOTP support from Verify? Apparently the API supports it. SMS will not always work for some of us but a TOTP based method will.

Another account was hijacked this morning due to the member's email address being compromised (likely the result of a data breach elsewhere). The hacker immediately logged in here with the user's account details (2FA was NOT enabled on their account), changed their email, and proceeded to place a scam classifieds advertisement.

 

Thanks to the alerts built into our systems, along with the vigilance of the Volunteer Moderators, this was caught quickly - the account and IP suspended, and the ad removed. Thanks to the "Enquiry" feature on classifieds, we could also tell there was no need to quickly contact any unknowing members who may have expressed interest in purchasing.

 

The point is, if 2FA had been enabled on this account, this could not have happened.

 

The user also received an email (to their original email address) alerting them that their email address had been changed, as per standard practice. They immediately contacted us, and after going through some security processes, we have assisted them to restore and secure their email account, and regain access to StereoNET (along with enabling 2FA).

 

https://www.stereonet.com/forums/settings/account-security/

 

As mentioned previously, it will soon be a requirement for 2FA to be enabled in order to place a Classifieds Ad.

On 20/08/2024 at 8:33 PM, oldrose said:

@Marc are you able to add TOTP support from Verify? Apparently the API supports it. SMS will not always work for some of us but a TOTP based method will.

 

We will investigate this. For now, we have just managed the transition of ending support for Authenticator, to use Verify exclusively. This presented a lot of support issues for us by the majority of users who ignored our 3-4 weeks of warnings, then found they could not log in.

 

Once that settles, we will explore expanding the use of Verify.

Just wanted to confirm something. Since switching to sms verification it seems I'm only promoted to verify when posting on the classified but not when logging into the site, is this intended?

 

Thankyou

3 minutes ago, barbz127 said:

Just wanted to confirm something. Since switching to sms verification it seems I'm only promoted to verify when posting on the classified but not when logging into the site, is this intended?

 

 

There's a complex series of events that will lead to having to reauthenticate, all designed around making it convenient while ensuring the security of your account. It will only ask you to reauthenticate under certain conditions, or, when you place an Advertisement. For obvious reasons, we do not want to describe what those parameters or condition are.

I have to authenticate every time I log in, with SMS TFA.