First, an update which will hopefully make everyone understand the need for some beefed up security on Pinside.
Today, two Pinside accounts got broken into (by the same scammer). It looks like the account passwords were either guessed or possibly obtained via a password leak elsewhere. Either way, the hacker took over these two accounts and placed ads on the marketplace in their name. The hacker also used the PM box to send responses to Pinsiders enquiring about these fake ads. He speaks poor English and wanted folks to pay via Paypal F&F or Zelle. As far as I know, no one actually fell for this and nobody got scammed. EDIT: Ugh, looks like someone fell for it after all.
Fact of the matter is that long standing (but also dormant) Pinside accounts are at risk of getting broken into and then used to scam people out of hard earned dollars/euros/etc.
And so... on to the topic at hand: We need safer logins!
I created a quick first version today of a more secure login. This first version works by sending a one-time login code to your registered e-mail address. This is not entirely secure of course (and not really 2-factor) but it would have stopped that scammer today and is also the simplest and cheapest solution to implement. It also doesn't require Pinside asking for your phone number. That said, I'm still planning a real two-factor option (SMS or Google Authenticator/Authy) for people who want their accounts really secure. Remember, getting your account broken into is also bad for your own rep!
I'm considering this added security to be mandatory for everybody. It would only appear when logging in from a new IP address OR when logging in after a long hiatus (>3 months?).
How does it work?
Login works as usual:
[Image: user logs in as usual]
When a login from a new ip address is detected, you would be asked for a login code:
[Image: enter your login code and you're good to go]
Find the code in your email inbox
[Image: e-mail with one-time login code]
Enter the code and you're logged in! Pretty simple, huh?
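To make the flow concrete, here is an added example (my own sketch, not Pinside's actual code) of the server side of this step-up: the code is only demanded from a new IP or after a hiatus of more than 3 months, is stored hashed, expires, allows a handful of attempts and can be used exactly once. The 6-digit length, 10-minute lifetime and 5-attempt limit are assumptions, and no e-mail is actually sent.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 10 * 60            # assumed: a code is valid for 10 minutes
HIATUS_SECONDS = 90 * 86400   # ">3 months" of inactivity, as proposed in the post
MAX_ATTEMPTS = 5              # assumed: wrong guesses allowed before the code is voided

def needs_login_code(account, ip, now):
    """Ask for a code only from a new IP address or after a long hiatus."""
    return ip not in account["known_ips"] or (now - account["last_login"]) > HIATUS_SECONDS

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

def issue_login_code(account, ip, now):
    """Create a one-time code. Only its hash is kept, so a database leak does not
    hand an attacker the live codes. The returned value is what would be e-mailed."""
    code = f"{secrets.randbelow(10**6):06d}"
    account["pending"] = {"digest": _digest(code), "ip": ip,
                          "expires": now + CODE_TTL, "attempts": 0}
    return code

def verify_login_code(account, ip, submitted, now):
    """Accept the code once, from the same IP it was issued to, before it expires."""
    pending = account.get("pending")
    if pending is None or now > pending["expires"] or pending["ip"] != ip:
        account["pending"] = None
        return False
    pending["attempts"] += 1
    if pending["attempts"] > MAX_ATTEMPTS:
        account["pending"] = None          # too many guesses: force a fresh code
        return False
    ok = hmac.compare_digest(pending["digest"], _digest(submitted))
    if ok:
        account["pending"] = None          # single use
        account["known_ips"].add(ip)       # this IP no longer triggers the challenge
        account["last_login"] = now
    return ok

if __name__ == "__main__":
    # constructed sample account: one known IP, last login yesterday
    now = 1_700_000_000
    acct = {"known_ips": {"203.0.113.5"}, "last_login": now - 86400, "pending": None}
    print("same IP needs code:", needs_login_code(acct, "203.0.113.5", now))
    code = issue_login_code(acct, "198.51.100.7", now)
    print("new IP accepted with code:", verify_login_code(acct, "198.51.100.7", code, now))
```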
The only concern I have with this system is that this might be a bit annoying. So I hear you say: "just make it optional". But the problem is that this is not just about your own account security. It's also about the safety of other Pinsiders who might get scammed through your well-established Pinside account, as the hacked accounts today demonstrate.
On the other hand, how often do you log in? Most people don't log out and will always be signed in on their computer/phone.