(Topic ID: 312320)

Two-Factor Authentication (2FA)

By jp1985

2 years ago


Topic Heartbeat

Topic Stats

  • 108 posts
  • 43 Pinsiders participating
  • Latest reply 2 years ago by joetechbob
  • Topic is favorited by 5 Pinsiders

You

Linked Games

No games have been linked to this topic.

    Topic Gallery

    View topic image gallery

    pasted_image (resized).png
    pasted_image (resized).png
    oopsie.png
    6E0C6ECF-A4F8-4517-878A-C61D51628336.jpeg
    2fa-phone (resized).jpg
    Screenshot_168.png
    logincode (resized).png
    email (resized).png
    login (resized).png
    There are 108 posts in this topic. You are on page 1 of 3.
    #1 2 years ago

    I'm requesting Two-Factor Authentication (2FA) as a feature due to an incident on the marketplace where a long standing user was hacked and ads placed in his name. An API provider like Twilio would make integration pretty easy.

    An additional feature would be the ability, to verify phone numbers of members involved in a transaction.

    #2 2 years ago

    Or just secure your account and practice common sense safety protocols? I never liked giving my phone number away and spoofing numbers isn’t that hard.

    More personal info given to some cloud-based company hoping they don’t get hacked as well as putting up more PPI on the web

    #3 2 years ago
    Quoted from Isochronic_Frost:

    Or just secure your account and practice common sense safety protocols? I never liked giving my phone number away and spoofing numbers isn’t that hard.
    More personal info given to some cloud-based company hoping they don’t get hacked as well as putting up more PPI on the web

    Or we could just use basic security protocols.

    Another vote for 2FA, please.

    #4 2 years ago
    Quoted from smalltownguy22:

    Or we could just use basic security protocols.
    Another vote for 2FA, please.

    How did they “hack” your account? You think someone magically decides to just bruteforce and runs magically programs?

    Or did you give out too much info, login to public computers and click random emails? 2FA doesn’t help if you have terrible security practices.

    Pinside already implements basic security protocols and “hackers” go after low hanging fruit. They aren’t going out of their way to target people, they only go after people who make it easy.

    Do you know the statistics on burglaries? A lot of people leave their house unlocked, if the door is locked an overwhelming amount of thieves will move on to easier targets.

    #5 2 years ago
    Quoted from Isochronic_Frost:

    How did they “hack” your account? You think someone magically decides to just bruteforce and runs magically programs?
    Or did you give out too much info, login to public computers and click random emails? 2FA doesn’t help if you have terrible security practices.
    Pinside already implements basic security protocols and “hackers” go after low hanging fruit. They aren’t going out of their way to target people, they only go after people who make it easy.
    Do you know the statistics on burglaries? A lot of people leave their house unlocked, if the door is locked an overwhelming amount of thieves will move on to easier targets.

    Why are you so against 2FA?

    #6 2 years ago
    Quoted from smalltownguy22:

    Why are you so against 2FA?

    https://blog.malwarebytes.com/101/2018/09/two-factor-authentication-2fa-secure-seems/

    Malware bytes posted this 4 years ago. 2FA is security theatre. If you have bad security habits, 2FA just makes it easier to “hack” (social engineer) you.
    Did you change your email password and are you sure your email address is secure? That’s most likely how they got into your account.

    People using 2FA is like leaving the front doors unlocked and then install ring camera so you can know when you’re getting robbed

    #7 2 years ago
    Quoted from Isochronic_Frost:

    How did they “hack” your account? You think someone magically decides to just bruteforce and runs magically programs?

    Two common scenarios that I can think of:
    1) Someone was using one of the top 50 most common passwords
    2) Someone has an account on a website that was compromised, those login credentials were released into the wild, and the account holder made the mistake of using the same username and password on multiple websites.

    #8 2 years ago

    This thread has gone in a direction I didn't expect. I was just making a suggestion from my 20 years experience in the sector. Phone numbers are generally only spoofed for high value targets. They would need to know the phone number of the target, that is why phone numbers are usually masked during the "we sent you a text to 555-xxx-xxx" process.

    I do believe that many people probably use weak passwords here that are easily brute forced or used on other sites that were subject to a data breach.

    I'm not sure about the password complexity requirements of Pinside but that may be worth examining. Excluding pinside, pinball, silverball, flipper etc from being allowed in passwords is a good idea too.

    #9 2 years ago

    Yes, +1 for MFA from someone else in the industry as well. SMS 2FA is a lower level of secure but TOTP provides significant security benefits.

    #10 2 years ago
    Quoted from ForceFlow:

    Two common scenarios that I can think of:
    1) Someone was using one of the top 50 most common passwords
    2) Someone has an account on a website that was compromised, those login credentials were released into the wild, and the account holder made the mistake of using the same username and password on multiple websites.

    ForceFlow, rather than forcing me to wait the full 48 hours on this new account to rescue my frozen account, can we just work together on this now? I cannot PM you yet, so is there another way I can reach you?

    #11 2 years ago
    Quoted from ForceFlow:

    Two common scenarios that I can think of:
    1) Someone was using one of the top 50 most common passwords
    2) Someone has an account on a website that gets compromised, those login credentials get released into the wild, and the account holder made the mistake of using the same username and password on multiple websites.

    Exactly. I don’t trust 2FA to magically solve bad habits. It’s insecure enough and at that point a middleman already has some or all of that info to simply cut in and take control of an account.

    Quoted from jp1985:

    This thread has gone in a direction I didn't expect. I was just making a suggestion from my 20 years experience in the sector. Phone numbers are generally only spoofed for high value targets. They would need to know the phone number of the target, that is why phone numbers are usually masked during the "we sent you a text to 555-xxx-xxx" process.
    I do believe that many people probably use weak passwords here that are easily brute forced or used on other sites that were subject to a data breach.
    I'm not sure about the password complexity requirements of Pinside but that may be worth examining. Excluding pinside, pinball, silverball, flipper etc from being allowed in passwords is a good idea too.

    The issue being that in this hobby it’s extremely easy and people still blatantly post their phone numbers.
    A LOT of guys here swap phone numbers. It’s a more old-school culture in pinball. MFA is better but again, phishing and weak passwords defeat it.

    If you’re in the industry then you probably already follow very smart security habits that prevent these attacks. Yet keep in mind, not to be derisive, but plenty of folks on Pinside are older and many of them see no issue posting “Call me at xxx-xxx ask for Bobby” as well as posting their email and they probably have a sticky note on their desktop labeled: “PASSWORD FOR ALL WEBSITES”

    Let’s come up with ideas that solves the real world causes.

    #12 2 years ago
    Quoted from Isochronic_Frost:

    Let’s come up with ideas that solves the real world causes.

    Like MFA w/ an authenticator app.

    #13 2 years ago
    Quoted from smalltownguy22:

    ForceFlow, rather than forcing me to wait the full 48 hours on this new account to rescue my frozen account, can we just work together on this now? I cannot PM you yet, so is there another way I can reach you?

    Unfortunately, I can't do much with the frozen account. I already gave robin a heads up about the situation, but if you haven't already done so, I'd suggest reaching out to him as well.

    If you can't PM yet, try this instead: https://pinside.com/pinball/contact?o=other

    18
    #14 2 years ago

    MFA is overkill for a forum like this for 99.9% of us. I just want to browse pinball stuff and not worry about logging into multiple things all the time like I do at work.

    What is the real risk here? Except for the shops, you are not directly buying anything or providing any PII, and even those are secured through a payment portal.

    This is a very low risk site and should be treated that way.

    If it is implemented, make MFA optional.

    #15 2 years ago
    Quoted from Isochronic_Frost:

    Exactly. I don’t trust 2FA to magically solve bad habits. It’s insecure enough and at that point a middleman already has some or all of that info to simply cut in and take control of an account.

    That's not what MFA is.

    MFA/2FA is an additional security measure on top of a password.

    So, a user would need two things to log in--their password, and the timed auto-generated number in the authentication app.

    SMS 2FA is still used (but discouraged), and that's the method that's susceptible to MITM attacks or phone number spoofing/forwarding.

    The idea with MFA/2FA is that if the password is compromised, login attempts would be blocked without having access to the MFA numbers being generated in the authenticator app.

    Additionally, the numbers in the authentication app are a moving target since they expire every 30-60 seconds (known as TOTP: time-based, one-time passwords), so there's very little chance that it would be susceptible to a brute force attack.

    #16 2 years ago
    Quoted from ForceFlow:

    That's not what MFA is.

    MFA/2FA is an additional security measure on top of a password.

    So, a user would need two things to log in--their password, and the timed auto-generated number in the authentication app.

    SMS 2FA is still used (but discouraged), and that's the method that's susceptible to MITM attacks or phone number spoofing/forwarding.

    The idea with MFA/2FA is that if the password is compromised, login attempts would be blocked without having access to the MFA numbers being generated in the authenticator app.

    Additionally, the numbers in the authentication app are a moving target since they expire every 30-60 seconds (known as TOTP: time-based, one-time passwords), so there's very little chance that it would be susceptible to a brute force attack.

    Correct. MFA would have prevented these assholes from gaining access to my account. Unless you take my phone (AND MY thumbprints), you're not getting into any site that uses MFA correctly.

    #17 2 years ago
    Quoted from ForceFlow:

    That's not what MFA is.
    MFA/2FA is an additional security measure on top of a password.
    So, a user would need two things to log in--their password, and the timed auto-generated number in the authentication app.
    SMS 2FA is still used (but discouraged), and that's the method that's susceptible to MITM attacks or phone number spoofing/forwarding.
    The idea with MFA/2FA is that if the password is compromised, login attempts would be blocked without having access to the MFA numbers being generated in the authenticator app.
    Additionally, the numbers in the authentication app are a moving target since they expire every 30-60 seconds (known as TOTP: time-based, one-time passwords), so there's very little chance that it would be susceptible to a brute force attack.

    I wasn’t aware we were specifically talking about the whole app-based TOTP thing. I’m familiar with Multifactor authentication and that doesn’t automatically mean having a specific code/password generator app. I’ve used that before and what a gigantic pain in the ass, unless it’s banking info or money related.

    Pinside does not need some 30 second burn-after-reading encrypted password app for access just so one can complain about Popeye going for 5k. Outrageously overkill!

    #18 2 years ago

    I'm all for optional MFA. I use authenticator apps with a lot of the forums I'm on. They are a minor inconvenience, and they definitely decrease the chances of someone hacking your account.

    #19 2 years ago

    I work in cybersecurity and have a degree in cybersecurity

    MFA might not be perfect, but it is a LOT more secure that just a username and password. Would be nice to at least see it as an option here.
    I turn it on wherever possible. You can use the most complex/secure username and password in the world and still be more secure with an additional factor of authentication turned on.

    #20 2 years ago
    Quoted from Isochronic_Frost:

    I wasn’t aware we were specifically talking about the whole app-based TOTP thing. I’m familiar with Multifactor authentication and that doesn’t automatically mean having a specific code/password generator app. I’ve used that before and what a gigantic pain in the ass, unless it’s banking info or money related.
    Pinside does not need some 30 second burn-after-reading encrypted password app for access just so one can complain about Popeye going for 5k. Outrageously overkill!

    It doesn’t have to be for everyone, it could be a opt in feature of Pinside. I personally do not find it difficult or a pain to use 2fa and if it was a option here on Pinside I would definitely enable it.

    #21 2 years ago

    I like the idea of adding it as an OPTION for people and would prefer it use MFA with apps like Okta, Authy, Google Authenticator, etc.

    #22 2 years ago
    Quoted from smalltownguy22:

    take my phone (AND MY thumbprints)

    Biometrics is only a solution until biometric data is stored and compromised the same way other sources are now.
    There are terrabytes of compromised account information available for free if you know where to look. You should assume your 'private' information is available to any bad actor that wants it. Attacks today are often automated and not directed at a specific target. A list of vulnerable accounts will be generated and sold to the highest bidder.

    Hardware tokens are an option. I use Yubikeys - https://www.yubico.com/
    Onlykey is another hardware token - https://onlykey.io/

    Re-using credentials on multiple websites isn't good security practice but doesn't matter much if the account can't be tied to you in any other way and you have no financial exposure (which is almost never the case).
    Password managers are a big improvement over re-using credentials.

    #23 2 years ago
    Quoted from Isochronic_Frost:

    I wasn’t aware we were specifically talking about the whole app-based TOTP thing. I’m familiar with Multifactor authentication and that doesn’t automatically mean having a specific code/password generator app.

    I suppose I should step back and clarify since we were both making some assumptions.

    MFA (multifactor authentication) and 2FA (two-factor authentication) are more generalized terms for authentication methods that don't necessarily specify what technology is specifically being used. Just that it's something beyond simply a username and password. So, that could mean just SMS OTP (one-time password) or TOTP (timed one-time password). There are also a few other technologies, such as a physical security token or biometrics.

    The current security technology that has become standardized in the last few years is TOTP, so usually when the topic of MFA/2FA comes up, it's more often than not related to TOTP.

    #24 2 years ago

    Arguing against additional security is like arguing about who’s end of the boat the hole is in. Just shut up and fix the hole.

    -1
    #25 2 years ago
    Quoted from MaxIsDead:

    I work in cybersecurity and have a degree in cybersecurity
    MFA might not be perfect, but it is a LOT more secure that just a username and password. Would be nice to at least see it as an option here.
    I turn it on wherever possible. You can use the most complex/secure username and password in the world and still be more secure with an additional factor of authentication turned on.

    Good Lord, thank you for some sanity here. Some of the opinions being posted in this thread are at best ignorance cloaked in last-minute ego-stroking google searches, and at worst complete misinformation.

    #26 2 years ago

    +1 for MFA. It prevents remote account takeover even if an account password is compromised and is a basic tenet of online security. Period.

    #27 2 years ago
    Quoted from ForceFlow:

    I suppose I should step back and clarify since we were both making some assumptions.
    MFA (multifactor authentication) and 2FA (two-factor authentication) are more generalized terms for authentication methods that don't necessarily specify what technology is specifically being used. Just that it's something beyond simply a username and password. So, that could mean just SMS OTP (one-time password) or TOTP (timed one-time password). There are also a few other technologies, such as a physical security token or biometrics.
    The current security technology that has become standardized in the last few years is TOTP, so usually when the topic of MFA/2FA comes up, it's more often than not related to TOTP.

    Correct. As another IT leader chiming in, this is what I immediately thought the OP and you were talking about in the original post. I'm not sure why there was confusion. Regardless, I, for one, am all for 2FA/MFA here. I don't even think we need to go all the way to the point of an Authenticator App requirement. I think even SMS-based auth is sufficient for a site such as this, since the risk of a hacker 'spoofing/cloning' a SIM card to gain real-time access to your text messages just to hack into Pinside, is LOW. Regardless, in this day and age MFA isn't really a burden on users, especially if you give them options of delivery.

    I also second the idea of just make it optional to turn on...or at least flexible (i.e. text, app, or email). All of those can be set to expire within some period of time. If you don't turn it on and get hacked that's on you. No different than it being optional still for sites like eBay.

    11
    #28 2 years ago

    I’m actually smiling this morning, as I never expected to be reading a Pinside MFA thread. As a Cybersecurity guy who has rolled out MFA solutions a few times, I gotta say this thread is an almost verbatim script of every MFA kickoff meeting in the history of IT. Lol.
    The only thing missing is a software engineer demanding to keep local admin privileges because security slows him/her down.

    Cheers.

    #29 2 years ago

    I go through multiple NIST/ISO security audits a year. MFA… yes please.

    MFA should absolutely be implemented. I do not understand why there is any argument that “it’s not perfect enough”. It is a quantum leap forward in security versus not having it.

    The only issue is it can be a pain to roll out. You may want to start off with it being optional and incentivize users to move to it by giving them some sort of profile icon or achievement.

    IMO users find the click-to-login authenticator app approach is much less annoying then the SMS TOTP one.

    #30 2 years ago

    Thanks for the feature request and discussion.

    I have been looking into adding an extra layer of security to logins for years, and this is getting more and more relevant especially considering all our efforts to verify Pinside accounts and stop scammers from using Pinside to operate.

    So yes, I'm interested to implement this sooner rather than later!

    I guess the basic idea comes down to this:

    If you log in to Pinside with an IP address that we have not seen you previously using AND you have 2FA enabled for your account, we will require you to authenticate.

    The easiest authentication system I can think of, which is easy for me to implement and also easy to use/understand for most Pinsiders would probably be a simple SMS containing a short verification code, sent to a registered phone number.

    Downsides:
    - costs, although it looks like Twillio would only set me back $7.50 / 1000 sms codes
    - folks would need to add their phone # to their pinside account

    Other options are:
    - authentication via e-mail, which would be free and I already have Pinsiders' email addresses.
    - authentication via an authenticator app
    - via our new notifications system (for people who have notifications enabled and who have at least one 'push' device), this is also free and probably faster and more reliable than email.
    - Via a Pinside app (but we don't currently have this)

    While adding this as an option is nice and all, I think I need to be a bit more proactive here. I am considering automatically 'locking' accounts that have not been accessed for x months from login, and first require a simple email link click. So, for example, when you return to Pinside after being away for 8 months, we would send you an e-mail to authenticate/login. Quick and easy. And while absolutely not 100% watertight, it would stop random password brute force hackers and also avoid logins into dormant/forgotten accounts being hacked by password leaks and the likes (which is also the reason why we require usernames to log in in vs email addresses).

    Keep in mind that a great deal of trust is given to "old" accounts. So they're nice targets for the scammers we have seen using Pinside in the past.

    I welcome all thoughts while I investigate this subject some more!

    #31 2 years ago
    Quoted from Craiger:

    engineer demanding to keep local admin privileges because security slows him/her down.

    We just built out an entire Azure environment for a client that does FDA auditing and had been ransomwared for multiple millions of dollars (which they paid). They brought me back in a month later to do a bit more work and I noticed their lead IT guy has already given himself global administrator role despite us telling him multiple times to never do this. This is WITH compliance reporting enabled, so he must be ignoring that too.

    #32 2 years ago
    Quoted from radium:

    We just built out an entire Azure environment for a client that does FDA auditing and had been ransomwared for multiple millions of dollars (which they paid). They brought me back in a month later to do a bit more work and I noticed their lead IT guy has already given himself global administrator role despite us telling him multiple times to never do this. This is WITH compliance reporting enabled, so he must be ignoring that too.

    Lol, so easy to have dedicated and locked down admin accounts, right? If we’re ever in the same vicinity we gotta have a beverage and swap horror stories.

    This thread has also made me wonder how many of us Pinsiders are IT and/or Security folk and whether that particular discipline draws us to pinball? Or perhaps it was an early love of pinball to that drew us to that discipline. Or maybe there’s no correlation at all. Lol.

    #33 2 years ago
    Quoted from radium:

    We just built out an entire Azure environment for a client that does FDA auditing and had been ransomwared for multiple millions of dollars (which they paid). They brought me back in a month later to do a bit more work and I noticed their lead IT guy has already given himself global administrator role despite us telling him multiple times to never do this. This is WITH compliance reporting enabled, so he must be ignoring that too.

    And I do hope you mentioned to them that this puts them at significant risk at getting ransomewared a second time. I'm one of the "lead IT guys" for several of my customers and still try to maintain a balance between GSD and security. Unfortunately most places just don't put enough into their budget to actually accomplish anything once the security considerations are taken... so guess what's the first to go.

    One of my customers cut our budget in half last year *AND* lopped a bunch of additional security considerations on top of our regular work. Totally justified stuff in general, but they've adopted a "not even low risk findings" stance - at this point excessive for a small scale system. It's all so that they don't have to monitor anything beyond regular Qualys scans. 3 months in and I've spent almost the entire budget chasing down false positives and have gotten *no* development done for enhancements. They're pissed as hell there's no money left. Hello?! I'm not working for free. Anyway, I support optional MFA

    #34 2 years ago
    Quoted from robin:

    Thanks for the feature request and discussion.
    I have been looking into adding an extra layer of security to logins for years, and this is getting more and more relevant especially considering all our efforts to verify Pinside accounts and stop scammers from using Pinside to operate.
    So yes, I'm interested to implement this sooner rather than later!
    I guess the basic idea comes down to this:
    If you log in to Pinside with an IP address that we have not seen you previously using AND you have 2FA enabled for your account, we will require you to authenticate.
    The easiest authentication system I can think of, which is easy for me to implement and also easy to use/understand for most Pinsiders would probably be a simple SMS containing a short verification code, sent to a registered phone number.
    Downsides:
    - costs, although it looks like Twillio would only set me back $7.50 / 1000 sms codes
    - folks would need to add their phone # to their pinside account
    Other options are:
    - authentication via e-mail, which would be free and I already have Pinsiders' email addresses.
    - authentication via an authenticator app
    - via our new notifications system (for people who have notifications enabled and who have at least one 'push' device), this is also free and probably faster and more reliable than email.
    - Via a Pinside app (but we don't currently have this)
    While adding this as an option is nice and all, I think I need to be a bit more proactive here. I am considering automatically 'locking' accounts that have not been accessed for x months from login, and first require a simple email link click. So, for example, when you return to Pinside after being away for 8 months, we would send you an e-mail to authenticate/login. Quick and easy. And while absolutely not 100% watertight, it would stop random password brute force hackers and also avoid logins into dormant/forgotten accounts being hacked by password leaks and the likes (which is also the reason why we require usernames to log in in vs email addresses).
    Keep in mind that a great deal of trust is given to "old" accounts. So they're nice targets for the scammers we have seen using Pinside in the past.
    I welcome all thoughts while I investigate this subject some more!

    Yea, verily, to all those proactive steps, Robin!
    Gladly recognizing I have absolutely no say in the matter, since the sms verification would carry a monetary cost, the email route seems like the way to go at the outset. While It’s likely that any Pinsider re-using passwords across other sites would use that same password for their email account too, the complexity of using a compromised email account to coordinate the hijack the Pinside MFA process would be Blofeldian (although it does happen in other arenas sometimes)

    TLDR: The Security journey of a thousand miles begins with one step and even small measures are better than none.

    #35 2 years ago

    A secure environment good thing. Yet another place wanting my phone number not justified .
    Emails already in pinside address book. Would think that would be sufficient.

    Shane

    #36 2 years ago

    I was hacked this week also. Someone posted a marketplace ad with my account.

    #37 2 years ago

    No one would ever guess that my password is Spatula-king43$. I’m safe

    #38 2 years ago
    Quoted from robin:

    - Via a Pinside app (but we don't currently have this)

    I didn’t want to get ahead of myself but you already said it, so that’s a green light!

    This was obviously a very underground, guerrilla-marketing stunt, and the hacked accounts are paid actors!

    It’s an elaborate advertisement for the future Pinside app tie-in.

    (Joking obviously, but with today’s bizarre ads it made me think of it)

    #39 2 years ago

    It's worth considering that as Pinside grows in popularity more bad actors will figure out there are a lot of Pinsiders with lots of disposable income. The problem is likely to get worse.

    There is little benefit for MFA for Pinside users that just browse the forum. Marketplace is where most of your exposure lies.

    #40 2 years ago

    JFC - what an annoying 3 days that was. I have no less than 20 messages in my PM's from folks who were responding to fake listings I created. At least 1 person was given an email address to send a Paypal F&F payment to (which was NOT my address!!)

    Now I get to explain to a bunch of folks that it wasn't me.

    Can we please get MFA going on this site as soon as possible? kthanx

    #41 2 years ago

    I just got a message saying that they paid me for the fake ad that someone posted under my account.

    17
    #42 2 years ago

    First, an update which will hopefully make everyone understand the need for some beefed up security on Pinside.

    Today, two Pinside accounts got broken into (by the same scammer). It looks like the account passwords were either guessed or possibly obtained via a password leak elsewhere. Either way, the hacker took over these two accounts and placed ads on the marketplace in their name. The hacker also used the PM box to send responses to Pinsiders enquiring about these fake ads. He speaks poor English and wanted folks to pay via Paypal F&F or Zelle. As far as I know, no one actually fell for this and nobody got scammed. EDIT: Ugh, looks like someone fell for it after all.

    Fact of the matter is that long standing (but also dormant) Pinside accounts are at risk of getting broken into and then used to scam people out of hard earned dollars/euros/etc.

    And so... on to the topic at hand: We need safer logins!

    I create a quick first version today of a more secure login. This first version works by sending a one-time login code to your registered e-mail address. This is not entirely secure of course (and not really 2-factor) but it would have stopped that scammer today and is also the simplest and cheapest solution to implement. It also doesn't require Pinside asking for your phone number. That said, I'm still planning a real two factor option (sms or google authenticator/authy) for people who want their accounts really secure. Remember, getting your account broken into is also bad for your own rep!

    I'm considering this added security to be mandatory for everybody. It would only appear when logging in from a new IP address OR when logging in after a long hiatus (>3 months?).

    How does it work?

    Login works as usual:

    User log in as usual" width=50%User log in as usual" width=50%

    When a login from a new ip address is detected, you would be asked for a login code:

    Enter your login code and you're good to go" width=50%Enter your login code and you're good to go" width=50%

    Find the code in your email inbox

    Email with one-time login code" width=50%Email with one-time login code" width=50%

    Enter the code and you're logged in! Pretty simple, huh?

    The only concern I have with this system is that this might be a bit annoying. So I hear you say: "just make it optional". But the problem is that this is not just about your own account security. It's also about the safety of other Pinsiders who might get scammed through your well-established Pinside account, as the hacked accounts today demonstrate.

    On the other hand. How often do you log in? Most people don't log out and will always be signed in on their computer/phone.

    #43 2 years ago
    Quoted from Craiger:

    This thread has also made me wonder how many of us Pinsiders are IT and/or Security folk and whether that particular discipline draws us to pinball?

    Drawn to engineered/techy stuff, money to buy games, free time to sit on a forum all day. Perfect storm.

    #44 2 years ago
    Quoted from robin:

    First, an update which will hopefully make everyone understand the need for some beefed up security on Pinside.
    Today, two Pinside accounts got broken into (by the same scammer). It looks like the account passwords were either guessed or possibly obtained via a password leak elsewhere. Either way, the hacker took over these two accounts and placed ads on the marketplace in their name. The hacker also used the PM box to send responses to Pinsiders enquiring about these fake ads. He speaks poor English and wanted folks to pay via Paypal F&F or Zelle. As far as I know, no one actually fell for this and nobody got scammed. EDIT: Ugh, looks like someone fell for it after all.
    Fact of the matter is that long standing (but also dormant) Pinside accounts are at risk of getting broken into and then used to scam people out of hard earned dollars/euros/etc.
    And so... on to the topic at hand: We need safer logins!
    I create a quick first version today of a more secure login. This first version works by sending a one-time login code to your registered e-mail address. This is not entirely secure of course (and not really 2-factor) but it would have stopped that scammer today and is also the simplest and cheapest solution to implement. It also doesn't require Pinside asking for your phone number. That said, I'm still planning a real two factor option (sms or google authenticator/authy) for people who want their accounts really secure. Remember, getting your account broken into is also bad for your own rep!
    I'm considering this added security to be mandatory for everybody. It would only appear when logging in from a new IP address OR when logging in after a long hiatus (>3 months?).
    How does it work?
    Login works as usual:
    [quoted image]
    When a login from a new ip address is detected, you would be asked for a login code:
    [quoted image]
    Find the code in your email inbox
    [quoted image]
    Enter the code and you're logged in! Pretty simple, huh?
    The only concern I have with this system is that this might be a bit annoying. So I hear you say: "just make it optional". But the problem is that this is not just about your own account security. It's also about the safety of other Pinsiders who might get scammed through your well-established Pinside account, as the hacked accounts today demonstrate.
    On the other hand. How often do you log in? Most people don't log out and will always be signed in on their computer/phone.

    Is it possible to prohibit easy and simple passwords like previously mentioned?

    Quoted from jp1985:

    I do believe that many people probably use weak passwords here that are easily brute forced or used on other sites that were subject to a data breach.
    I'm not sure about the password complexity requirements of Pinside but that may be worth examining. Excluding pinside, pinball, silverball, flipper etc from being allowed in passwords is a good idea too.

    It appears this seems to be the most likely culprit at this point, and there is a big push by those affected and others to “just implement stronger security concerns”
    Is accountability no longer possible? Yes, scammers exist and will continue to attack those with a lot of disposable income and the gullible and naïve. But using common passwords, and reusing those passwords across multiple websites is just a big red target and that is a personal behavior that can be changed to afford oneself more protection.

    I really wish people would be proactive with their personal security versus just wanting someone to fix it for them and not take any responsibility.

    #45 2 years ago
    Quoted from MaxIsDead:

    You can use the most complex/secure username and password in the world and still be more secure with an additional factor of authentication turned on.

    I'd argue that a weak password backed up by 2FA is actually more secure than a super strong password without it. Obviously, it's better to have both. This is why I strongly recommend a password manager. It allows you to have super strong unique passwords for every site you visit. Heck, I don't even know what my Pinside password is. It's a randomly generated 20 digit password containing upper case, lower case, numbers and symbols.

    #46 2 years ago
    Quoted from gweempose:

    I strongly recommend a password manager.

    Manager is better than reusing credentials but you're just kicking the can down the road. Now your target is the password manager, to steal every login at once.
    Have you ever tried moving the passwords to a new device or different password manager? I have, and no one will want to go through that ever. They will abandon their password manager and go back to shit passwords unless they are forced.

    The password needs to die. It was fine when you only had a couple but it doesn't scale.

    #47 2 years ago
    Quoted from gweempose:

    I'd argue that a weak password backed up by 2FA is actually more secure than a super strong password without it. Obviously, it's better to have both. This is why I strongly recommend a password manager. It allows you to have super strong unique passwords for every site you visit. Heck, I don't even know what my Pinside password is. It's a randomly generated 20 digit password containing upper case, lower case, numbers and symbols.

    How does a password manager work if you access the same site through multiple ways, like home computer, phone, and potentially work computer? How do you transfer it from one to the other? Do you write it down?

    #48 2 years ago
    Quoted from unclerudy:

    How does a password manager work if you access the same site through multiple ways, like home computer, phone, and potentially work computer? How do you transfer it from one to the other? Do you write it down?

    I use 1password. I have about 1600 unique passwords (combinations of letters, numbers, and symbols) and I don't know a single one. It generates and saves it to my account which is accessible on my android phone, pc computer, ipad and wherever I want to access it.
    Do a search to see how secure it is.

    #49 2 years ago
    Quoted from unclerudy:

    How does a password manager work if you access the same site through multiple ways, like home computer, phone, and potentially work computer? How do you transfer it from one to the other? Do you write it down?

    Password managers can be hosted in the cloud. Then you basically use one master password for all your saved passwords. Which leads to this issue:

    Quoted from YeOldPinPlayer:

    Now your target is the password manager, to steal every login at once.

    #50 2 years ago
    Quoted from avspin:

    I use 1password. I have about 1600 unique passwords and I don't know a single one. It generates and saves it to my account which is accessible on my android phone, pc computer, ipad and wherever I want to access it. Do a search to see how secure it is.

    This is the way. I use BitWarden and do the same thing. I have zero shared passwords, and zero memorable passwords.

    If you share your passwords a lot, BitWarden has a report you can run to show which of your passwords have been exposed through data breaches elsewhere, weak passwords, etc. Great to help you clean things up.

    Their browser plugins are very good, see below...

    Screenshot_168.pngScreenshot_168.png

    There are 108 posts in this topic. You are on page 1 of 3.

    Reply

    Wanna join the discussion? Please sign in to reply to this topic.

    Hey there! Welcome to Pinside!

    Donate to Pinside

    Great to see you're enjoying Pinside! Did you know Pinside is able to run without any 3rd-party banners or ads, thanks to the support from our visitors? Please consider a donation to Pinside and get anext to your username to show for it! Or better yet, subscribe to Pinside+!


    This page was printed from and we tried optimising it for printing. Some page elements may have been deliberately hidden.

    Scan the QR code on the left to jump to the URL this document was printed from.