Or just secure your account and practice common sense safety protocols? I never liked giving my phone number away and spoofing numbers isn’t that hard.

More personal info given to some cloud-based company hoping they don’t get hacked as well as putting up more PPI on the web

Or we could just use basic security protocols.

Another vote for 2FA, please.

How did they “hack” your account? You think someone magically decides to just bruteforce and runs magically programs?

Or did you give out too much info, login to public computers and click random emails? 2FA doesn’t help if you have terrible security practices.

Pinside already implements basic security protocols and “hackers” go after low hanging fruit. They aren’t going out of their way to target people, they only go after people who make it easy.

Do you know the statistics on burglaries? A lot of people leave their house unlocked, if the door is locked an overwhelming amount of thieves will move on to easier targets.

Why are you so against 2FA?

https://blog.malwarebytes.com/101/2018/09/two-factor-authentication-2fa-secure-seems/

Malware bytes posted this 4 years ago. 2FA is security theatre. If you have bad security habits, 2FA just makes it easier to “hack” (social engineer) you.
Did you change your email password and are you sure your email address is secure? That’s most likely how they got into your account.

People using 2FA is like leaving the front doors unlocked and then install ring camera so you can know when you’re getting robbed

Two common scenarios that I can think of:
1) Someone was using one of the top 50 most common passwords
2) Someone has an account on a website that was compromised, those login credentials were released into the wild, and the account holder made the mistake of using the same username and password on multiple websites.

Yes, +1 for MFA from someone else in the industry as well. SMS 2FA is a lower level of secure but TOTP provides significant security benefits.

ForceFlow, rather than forcing me to wait the full 48 hours on this new account to rescue my frozen account, can we just work together on this now? I cannot PM you yet, so is there another way I can reach you?

Exactly. I don’t trust 2FA to magically solve bad habits. It’s insecure enough and at that point a middleman already has some or all of that info to simply cut in and take control of an account.

The issue being that in this hobby it’s extremely easy and people still blatantly post their phone numbers.
A LOT of guys here swap phone numbers. It’s a more old-school culture in pinball. MFA is better but again, phishing and weak passwords defeat it.

If you’re in the industry then you probably already follow very smart security habits that prevent these attacks. Yet keep in mind, not to be derisive, but plenty of folks on Pinside are older and many of them see no issue posting “Call me at xxx-xxx ask for Bobby” as well as posting their email and they probably have a sticky note on their desktop labeled: “PASSWORD FOR ALL WEBSITES”

Let’s come up with ideas that solves the real world causes.

Like MFA w/ an authenticator app.

Unfortunately, I can't do much with the frozen account. I already gave robin a heads up about the situation, but if you haven't already done so, I'd suggest reaching out to him as well.

If you can't PM yet, try this instead: https://pinside.com/pinball/contact?o=other

MFA is overkill for a forum like this for 99.9% of us. I just want to browse pinball stuff and not worry about logging into multiple things all the time like I do at work.

What is the real risk here? Except for the shops, you are not directly buying anything or providing any PII, and even those are secured through a payment portal.

This is a very low risk site and should be treated that way.

If it is implemented, make MFA optional.

That's not what MFA is.

MFA/2FA is an additional security measure on top of a password.

So, a user would need two things to log in--their password, and the timed auto-generated number in the authentication app.

SMS 2FA is still used (but discouraged), and that's the method that's susceptible to MITM attacks or phone number spoofing/forwarding.

The idea with MFA/2FA is that if the password is compromised, login attempts would be blocked without having access to the MFA numbers being generated in the authenticator app.

Additionally, the numbers in the authentication app are a moving target since they expire every 30-60 seconds (known as TOTP: time-based, one-time passwords), so there's very little chance that it would be susceptible to a brute force attack.

Correct. MFA would have prevented these assholes from gaining access to my account. Unless you take my phone (AND MY thumbprints), you're not getting into any site that uses MFA correctly.

I wasn’t aware we were specifically talking about the whole app-based TOTP thing. I’m familiar with Multifactor authentication and that doesn’t automatically mean having a specific code/password generator app. I’ve used that before and what a gigantic pain in the ass, unless it’s banking info or money related.

Pinside does not need some 30 second burn-after-reading encrypted password app for access just so one can complain about Popeye going for 5k. Outrageously overkill!

I'm all for optional MFA. I use authenticator apps with a lot of the forums I'm on. They are a minor inconvenience, and they definitely decrease the chances of someone hacking your account.

I work in cybersecurity and have a degree in cybersecurity

MFA might not be perfect, but it is a LOT more secure that just a username and password. Would be nice to at least see it as an option here.
I turn it on wherever possible. You can use the most complex/secure username and password in the world and still be more secure with an additional factor of authentication turned on.

It doesn’t have to be for everyone, it could be a opt in feature of Pinside. I personally do not find it difficult or a pain to use 2fa and if it was a option here on Pinside I would definitely enable it.

I like the idea of adding it as an OPTION for people and would prefer it use MFA with apps like Okta, Authy, Google Authenticator, etc.

Biometrics is only a solution until biometric data is stored and compromised the same way other sources are now.
There are terrabytes of compromised account information available for free if you know where to look. You should assume your 'private' information is available to any bad actor that wants it. Attacks today are often automated and not directed at a specific target. A list of vulnerable accounts will be generated and sold to the highest bidder.

Hardware tokens are an option. I use Yubikeys - https://www.yubico.com/
Onlykey is another hardware token - https://onlykey.io/

Re-using credentials on multiple websites isn't good security practice but doesn't matter much if the account can't be tied to you in any other way and you have no financial exposure (which is almost never the case).
Password managers are a big improvement over re-using credentials.

I suppose I should step back and clarify since we were both making some assumptions.

MFA (multifactor authentication) and 2FA (two-factor authentication) are more generalized terms for authentication methods that don't necessarily specify what technology is specifically being used. Just that it's something beyond simply a username and password. So, that could mean just SMS OTP (one-time password) or TOTP (timed one-time password). There are also a few other technologies, such as a physical security token or biometrics.

The current security technology that has become standardized in the last few years is TOTP, so usually when the topic of MFA/2FA comes up, it's more often than not related to TOTP.

Arguing against additional security is like arguing about who’s end of the boat the hole is in. Just shut up and fix the hole.

Good Lord, thank you for some sanity here. Some of the opinions being posted in this thread are at best ignorance cloaked in last-minute ego-stroking google searches, and at worst complete misinformation.

+1 for MFA. It prevents remote account takeover even if an account password is compromised and is a basic tenet of online security. Period.

Correct. As another IT leader chiming in, this is what I immediately thought the OP and you were talking about in the original post. I'm not sure why there was confusion. Regardless, I, for one, am all for 2FA/MFA here. I don't even think we need to go all the way to the point of an Authenticator App requirement. I think even SMS-based auth is sufficient for a site such as this, since the risk of a hacker 'spoofing/cloning' a SIM card to gain real-time access to your text messages just to hack into Pinside, is LOW. Regardless, in this day and age MFA isn't really a burden on users, especially if you give them options of delivery.

I also second the idea of just make it optional to turn on...or at least flexible (i.e. text, app, or email). All of those can be set to expire within some period of time. If you don't turn it on and get hacked that's on you. No different than it being optional still for sites like eBay.

I’m actually smiling this morning, as I never expected to be reading a Pinside MFA thread. As a Cybersecurity guy who has rolled out MFA solutions a few times, I gotta say this thread is an almost verbatim script of every MFA kickoff meeting in the history of IT. Lol.
The only thing missing is a software engineer demanding to keep local admin privileges because security slows him/her down.

Cheers.

I go through multiple NIST/ISO security audits a year. MFA… yes please.

MFA should absolutely be implemented. I do not understand why there is any argument that “it’s not perfect enough”. It is a quantum leap forward in security versus not having it.

The only issue is it can be a pain to roll out. You may want to start off with it being optional and incentivize users to move to it by giving them some sort of profile icon or achievement.

IMO users find the click-to-login authenticator app approach is much less annoying then the SMS TOTP one.

Thanks for the feature request and discussion.

I have been looking into adding an extra layer of security to logins for years, and this is getting more and more relevant especially considering all our efforts to verify Pinside accounts and stop scammers from using Pinside to operate.

So yes, I'm interested to implement this sooner rather than later!

I guess the basic idea comes down to this:

If you log in to Pinside with an IP address that we have not seen you previously using AND you have 2FA enabled for your account, we will require you to authenticate.

The easiest authentication system I can think of, which is easy for me to implement and also easy to use/understand for most Pinsiders would probably be a simple SMS containing a short verification code, sent to a registered phone number.

Downsides:
- costs, although it looks like Twillio would only set me back $7.50 / 1000 sms codes
- folks would need to add their phone # to their pinside account

Other options are:
- authentication via e-mail, which would be free and I already have Pinsiders' email addresses.
- authentication via an authenticator app
- via our new notifications system (for people who have notifications enabled and who have at least one 'push' device), this is also free and probably faster and more reliable than email.
- Via a Pinside app (but we don't currently have this)

While adding this as an option is nice and all, I think I need to be a bit more proactive here. I am considering automatically 'locking' accounts that have not been accessed for x months from login, and first require a simple email link click. So, for example, when you return to Pinside after being away for 8 months, we would send you an e-mail to authenticate/login. Quick and easy. And while absolutely not 100% watertight, it would stop random password brute force hackers and also avoid logins into dormant/forgotten accounts being hacked by password leaks and the likes (which is also the reason why we require usernames to log in in vs email addresses).

Keep in mind that a great deal of trust is given to "old" accounts. So they're nice targets for the scammers we have seen using Pinside in the past.

I welcome all thoughts while I investigate this subject some more!

We just built out an entire Azure environment for a client that does FDA auditing and had been ransomwared for multiple millions of dollars (which they paid). They brought me back in a month later to do a bit more work and I noticed their lead IT guy has already given himself global administrator role despite us telling him multiple times to never do this. This is WITH compliance reporting enabled, so he must be ignoring that too.

Lol, so easy to have dedicated and locked down admin accounts, right? If we’re ever in the same vicinity we gotta have a beverage and swap horror stories.

This thread has also made me wonder how many of us Pinsiders are IT and/or Security folk and whether that particular discipline draws us to pinball? Or perhaps it was an early love of pinball to that drew us to that discipline. Or maybe there’s no correlation at all. Lol.

And I do hope you mentioned to them that this puts them at significant risk at getting ransomewared a second time. I'm one of the "lead IT guys" for several of my customers and still try to maintain a balance between GSD and security. Unfortunately most places just don't put enough into their budget to actually accomplish anything once the security considerations are taken... so guess what's the first to go.

One of my customers cut our budget in half last year *AND* lopped a bunch of additional security considerations on top of our regular work. Totally justified stuff in general, but they've adopted a "not even low risk findings" stance - at this point excessive for a small scale system. It's all so that they don't have to monitor anything beyond regular Qualys scans. 3 months in and I've spent almost the entire budget chasing down false positives and have gotten *no* development done for enhancements. They're pissed as hell there's no money left. Hello?! I'm not working for free. Anyway, I support optional MFA

Yea, verily, to all those proactive steps, Robin!
Gladly recognizing I have absolutely no say in the matter, since the sms verification would carry a monetary cost, the email route seems like the way to go at the outset. While It’s likely that any Pinsider re-using passwords across other sites would use that same password for their email account too, the complexity of using a compromised email account to coordinate the hijack the Pinside MFA process would be Blofeldian (although it does happen in other arenas sometimes)

TLDR: The Security journey of a thousand miles begins with one step and even small measures are better than none.

A secure environment good thing. Yet another place wanting my phone number not justified .
Emails already in pinside address book. Would think that would be sufficient.

Shane

I was hacked this week also. Someone posted a marketplace ad with my account.

No one would ever guess that my password is Spatula-king43$. I’m safe

I didn’t want to get ahead of myself but you already said it, so that’s a green light!

This was obviously a very underground, guerrilla-marketing stunt, and the hacked accounts are paid actors!

It’s an elaborate advertisement for the future Pinside app tie-in.

(Joking obviously, but with today’s bizarre ads it made me think of it)

It's worth considering that as Pinside grows in popularity more bad actors will figure out there are a lot of Pinsiders with lots of disposable income. The problem is likely to get worse.

There is little benefit for MFA for Pinside users that just browse the forum. Marketplace is where most of your exposure lies.

JFC - what an annoying 3 days that was. I have no less than 20 messages in my PM's from folks who were responding to fake listings I created. At least 1 person was given an email address to send a Paypal F&F payment to (which was NOT my address!!)

Now I get to explain to a bunch of folks that it wasn't me.

Can we please get MFA going on this site as soon as possible? kthanx

I just got a message saying that they paid me for the fake ad that someone posted under my account.

First, an update which will hopefully make everyone understand the need for some beefed up security on Pinside.

Today, two Pinside accounts got broken into (by the same scammer). It looks like the account passwords were either guessed or possibly obtained via a password leak elsewhere. Either way, the hacker took over these two accounts and placed ads on the marketplace in their name. The hacker also used the PM box to send responses to Pinsiders enquiring about these fake ads. He speaks poor English and wanted folks to pay via Paypal F&F or Zelle. As far as I know, no one actually fell for this and nobody got scammed. EDIT: Ugh, looks like someone fell for it after all.

Fact of the matter is that long standing (but also dormant) Pinside accounts are at risk of getting broken into and then used to scam people out of hard earned dollars/euros/etc.

And so... on to the topic at hand: We need safer logins!

I create a quick first version today of a more secure login. This first version works by sending a one-time login code to your registered e-mail address. This is not entirely secure of course (and not really 2-factor) but it would have stopped that scammer today and is also the simplest and cheapest solution to implement. It also doesn't require Pinside asking for your phone number. That said, I'm still planning a real two factor option (sms or google authenticator/authy) for people who want their accounts really secure. Remember, getting your account broken into is also bad for your own rep!

I'm considering this added security to be mandatory for everybody. It would only appear when logging in from a new IP address OR when logging in after a long hiatus (>3 months?).

How does it work?

Login works as usual:

User log in as usual" width=50%

When a login from a new ip address is detected, you would be asked for a login code:

Enter your login code and you're good to go" width=50%

Find the code in your email inbox

Email with one-time login code" width=50%

Enter the code and you're logged in! Pretty simple, huh?

The only concern I have with this system is that this might be a bit annoying. So I hear you say: "just make it optional". But the problem is that this is not just about your own account security. It's also about the safety of other Pinsiders who might get scammed through your well-established Pinside account, as the hacked accounts today demonstrate.

On the other hand. How often do you log in? Most people don't log out and will always be signed in on their computer/phone.

Drawn to engineered/techy stuff, money to buy games, free time to sit on a forum all day. Perfect storm.

Is it possible to prohibit easy and simple passwords like previously mentioned?

It appears this seems to be the most likely culprit at this point, and there is a big push by those affected and others to “just implement stronger security concerns”
Is accountability no longer possible? Yes, scammers exist and will continue to attack those with a lot of disposable income and the gullible and naïve. But using common passwords, and reusing those passwords across multiple websites is just a big red target and that is a personal behavior that can be changed to afford oneself more protection.

I really wish people would be proactive with their personal security versus just wanting someone to fix it for them and not take any responsibility.

I'd argue that a weak password backed up by 2FA is actually more secure than a super strong password without it. Obviously, it's better to have both. This is why I strongly recommend a password manager. It allows you to have super strong unique passwords for every site you visit. Heck, I don't even know what my Pinside password is. It's a randomly generated 20 digit password containing upper case, lower case, numbers and symbols.

Manager is better than reusing credentials but you're just kicking the can down the road. Now your target is the password manager, to steal every login at once.
Have you ever tried moving the passwords to a new device or different password manager? I have, and no one will want to go through that ever. They will abandon their password manager and go back to shit passwords unless they are forced.

The password needs to die. It was fine when you only had a couple but it doesn't scale.

How does a password manager work if you access the same site through multiple ways, like home computer, phone, and potentially work computer? How do you transfer it from one to the other? Do you write it down?

I use 1password. I have about 1600 unique passwords (combinations of letters, numbers, and symbols) and I don't know a single one. It generates and saves it to my account which is accessible on my android phone, pc computer, ipad and wherever I want to access it.
Do a search to see how secure it is.

Password managers can be hosted in the cloud. Then you basically use one master password for all your saved passwords. Which leads to this issue:

This is the way. I use BitWarden and do the same thing. I have zero shared passwords, and zero memorable passwords.

If you share your passwords a lot, BitWarden has a report you can run to show which of your passwords have been exposed through data breaches elsewhere, weak passwords, etc. Great to help you clean things up.

Their browser plugins are very good, see below...

Screenshot_168.png