Misty Moonshine
Posted July 22

Hello fellow SASS members!

I trust this all finds you well. As many of you know, we have had several battles here on the Wire over the years with scam emails, phishing, and the dreadful spammers. Most recently, there was a situation where it seemed as if a scam artist had gained access to PM's here on the wire. I have had a conversation with our partners over at PSP Inc, and he sent the following message. Please read it and educate yourself to better gain an understanding of how these scammers work.

Based on the information below, and in an effort to provide a more secure environment for all of our users, the SASS Wire Forums will be implementing 2 factor authentication and a minimum password requirement within the SASS wire forums. This post is a heads up that you will need to change your password - and can also expect to see a 2 factor authentication in order to access the forum soon. The new requirement will go into effect on Monday, July 29, 2024.

Trying to stay a few steps ahead of the jerks that scam and spam us,
Misty Moonshine

=========================

Getting scam emails is not indicative of private messages being read by hackers. However, it could point to someone having malware on their computer, or having a compromised account. For example, SASS Member Joe messages SASS Member Jack, but SASS Member Jack may have malware on his computer which allows a hacker to read the emails coming through. So then SASS Member Joe ends up getting a scam email as a result of the malware.

If your forum has been targeted by scammers, it's possible some of your users have mistakenly clicked on the scam and got their computers infected by malware. This issue then spreads as those infected individuals receive emails, and more scam emails go out from the infected individuals to other users. It's easy to infect other users because scam emails will be coming from infected users, therefore it already has established trust so people willingly click on anything sent by their friends & peers. And this is how a virus gets spread to more and more users. The best way to combat this issue is to send out an alert to all, telling them how this scam works, and to inform people to not click on just anything.

Also, recently there was the biggest password leak in history; about 10 billion passwords were leaked on the dark web. You can read more about it here (https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/). Basically, many users are unaware their passwords to their online accounts are leaked. This means some of your users may have compromised forum and/or email accounts. Since private messages are sent through the forum and emails, if someone's email account is compromised, scammers can easily obtain email addresses from other users.

The best recommendation is to ask your users to update their passwords to the forum and their email accounts, as well as run scans on their computers just to be safe. Most people don't change their password ever, so when a password leak occurs, they don't even realize someone else is accessing their online accounts.

This isn't to rule the forum out completely, but there are just too many ways to allow scammers to obtain email addresses through various means. Please note that your forum is at the latest version, so there are no further updates I can apply to your forum. There are security options you can enable to make it harder for hackers to access accounts, however:

1. Your forum currently does not utilize 2 factor authentication. Enabling 2FA will help secure your user accounts. Right now, anybody who knows the password of an account can just log in and gain access to all the private messages and personal details. This also means if one of your moderators has their account compromised, since mods can read email addresses of users, this makes it easy for scammers to collect email addresses to send out further scams.

2. Your forum currently does not have a minimum strength password requirement. This means users can pick the shortest, easiest to hack passwords for their forum accounts. Without 2FA, hackers can use brute-force attacks to guess user passwords. Basically any passwords shorter than 10 characters can be hacked in less than an hour with today's technology. So enforcing strong passwords should be preferred.

Larsen E. Pettifogger, SASS #32933
Posted July 22

Does this mean you can no longer stay logged in and will have to go through the two factor routine every time you look at the SASS wire?

Uncle Ethan # 94321
Posted July 22

I have 2 factor authentication on my bank account. Get a text message with a code to enter. No big deal, just part of the crazy world we live in.

Larsen E. Pettifogger, SASS #32933
Posted July 22

No big deal if you only log into your bank once or twice a week. If you look at the SASS wire multiple times a day it would be a PITA.

Eyesa Horg
Posted July 22

It is a pain if you're in an area without cell service like most matches up here!

Eyesa Horg
Posted July 22

When is the 2FA going to be available?

Uncle Ethan # 94321
Posted July 22

2 hours ago, Larsen E. Pettifogger, SASS #32933 said:
> No big deal if you only log into your bank once or twice a week. If you look at the SASS wire multiple times a day it would be a PITA.

I see your point, however it looks like this is what we will have to do.

Larsen E. Pettifogger, SASS #32933
Posted July 23

To be clear I am glad SASS is taking steps to make the wire more secure. I am an addict and even look at the wire during commercials on the TV. If this makes logon more difficult this may help break me from my affliction.

DeaconKC
Posted July 23

It is an inconvenience, but necessary in these times. I just updated my password too.

X Mark
Posted July 23

I hope the 2FA has an email field for the code. I don't get cell service where I live and cannot get a text code.

Yul Lose
Posted July 23

47 minutes ago, X Mark said:
> I hope the 2FA has an email field for the code. I don't get cell service where I live and cannot get a text code.

Same here, no cell service.

Imis Twohofon, SASS # 46646
Posted July 23

I just looked at Security, nowhere to add 2FA, lock me out and I am done.

Imis

Tex Jones, SASS 2263
Posted July 23

11 hours ago, Larsen E. Pettifogger, SASS #32933 said:
> To be clear I am glad SASS is taking steps to make the wire more secure. I am an addict and even look at the wire during commercials on the TV. If this makes logon more difficult this may help break me from my affliction.

Why not exit the site without logging out i.e. it's always logged in?

Idaho Gunslinger
Posted July 23

5 minutes ago, Tex Jones, SASS 2263 said:
> Why not exit the site without logging out i.e. it's always logged in?

He was asking if the update is going to make it so you can no longer stay always logged in.

Big Sage, SASS #49891 Life
Posted July 23

On 7/23/2024 at 7:42 AM, Tex Jones, SASS 2263 said:
> Why not exit the site without logging out i.e. it's always logged in?

That's the way I have done for at least 10 years. If I have to log out/log in/log out/etc every time I look at the forum... I'm gone. Been a member of this forum for over 20 years and have never had a problem with scams or spammers. There are several informational personal sites that I belong to (mostly medical & financial) that use a double entry system and I usually log into them about 5 or 6 times a year. I look at this forum (and several others) multiple times a day. The new system is going to be a PITA. I am sure I am not alone in my feelings and you will be losing members.

Griff
Posted July 24

If you have internet at home, install a wifi router and connect your phone to your wifi, voilà, text msgs! I think...

Mad Dane, SASS#5536
Posted July 24

Well - went to change my password - could not remember it as it's been 25 years - requested a password change email twice - never got one. Finally remembered it. No, I did not write the old one down - did write the new one down as it's 27 characters long. Kinda sorta.

Nostrum Damus SASS #110702
Posted July 25

On 7/24/2024 at 1:59 AM, Griff said:
> If you have internet at home, install a wifi router and connect your phone to your wifi, voilà, text msgs! I think...

That's exactly right. If you have a computer and use this website at home, then you can receive text messages and even cellphone calls on your phone. It is called WiFi calling, and it is simply a feature that you enable on your phone. (On an Android phone, go to Settings, then Connections, and you'll see it -- switch it ON. I have no idea what to do on an Apple product.) I have no cell service inside my Houston apartment in a concrete and steel building, but I can talk all day long and can (and do) send and receive text messages over the same WiFi router that supplies my internet service. Stop complaining and wise up, folks. 2FA is here -- everywhere -- it is just a fact of modern life, and it works. It adds 5 seconds to the start of your browsing session; if your time is so valuable that you cannot afford the extra 5 seconds, so be it.

Eyesa Horg
Posted July 25

Just hope we get a warning to update and add the 2FA and not just get dumped!!

Larsen E. Pettifogger, SASS #32933
Posted July 25

14 minutes ago, Cypress Sun said:
> It adds 5 seconds to the start of your browsing session; if your time is so valuable that you cannot afford the extra 5 seconds, so be it.

My browsing session is 30 seconds during commercials many times a day. Right now once logged in I stay logged in. My question was, is this going to change? I have numerous sites I visit. The only ones that have two factor authentication are generally those having to do with money. Banks, IRA, retirement accounts, etc. I have never run into an enthusiast or hobby site with 2FA. How valuable my time is is no one's business but my own.

Larsen E. Pettifogger, SASS #32933
Posted July 25

Yep, I clicked the wrong post for the quote. You are right and as innocent as the freshly fallen snow.

The Original Lumpy Gritz
Posted July 25

I don't remember my current password. What do I do?

Larsen E. Pettifogger, SASS #32933
Posted July 25

4 minutes ago, The Original Lumpy Gritz said:
> I don't remember my current password. What do I do?

You will have to sign up for the optional 4 factor authentication. Do you remember your first dog's name?

Big Sage, SASS #49891 Life
Posted July 25

5 hours ago, The Original Lumpy Gritz said:
> I don't remember my current password. What do I do?

Same here, I've probably been logged in for 15 years!

Larsen E. Pettifogger, SASS #32933
Posted July 25

PLUS, sometime in the past 15 years my computer started using thumbprints to enter the password. I have no idea what it is.

The Original Lumpy Gritz
Posted July 26

This is weird, I just had to re-sign in. Did reset my password.....

Chickasaw Bill SASS #70001
Posted July 26

I will fool with it later tonight, MAYBE, IF I can NOT sort it out, reckon, I will just be GONE

Chickasaw Bill 70001 Life

Eliphalet R. (Moderator)
Posted July 27

There are two different types of 2-Factor ID log-ins.

One is used by banks, brokerages, online pharmacies, etc., where you log in and then they send you a message by phone or e-mail, whichever you chose, and you reply to that message.

The other is used by Facebook, G-Mail, Paypal and Amazon, where if you are logging in from a location or a device other than your usual one, only then do they require the 2nd step of the log in. So, if you are looking at FB from the same location and device, you'd never know it was 2 Factor.

I would bet that this is the type the Wire is going to go to. Log in with the 2 step process once, and you'll not have to do it again from that device and location. But others will not be able to get into your account without you knowing.

In the meantime, your e-mail addresses are hidden by default. But, many of you have added your email address again to your public profile. Don't do that!! We will continue to delete, without notice, private phone numbers and email addresses that folks STILL add in their posts, when we see them.

Eli
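
The second kind of log-in described in the post above (a second step only on a device the site has not seen before), sketched as an added example that is not part of the thread or of the forum software's own code. The key, the 30-day lifetime, the device id (assumed to be a random value stored in a browser cookie) and all function names are assumptions; location checks are left out.

```python
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not the forum software's settings).
SERVER_KEY = b"constructed-demo-key"   # a real site keeps this secret server-side
TRUST_SECONDS = 30 * 24 * 3600         # assumed: a device is remembered for 30 days


def _tag(user: str, device_id: str, expires: int) -> str:
    # JSON encoding keeps the three fields unambiguous before they are MACed.
    msg = json.dumps([user, device_id, expires]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_token(user: str, device_id: str, now: float) -> str:
    """Issued once, right after the member passes the second step on this device."""
    expires = int(now) + TRUST_SECONDS
    return f"{expires}.{_tag(user, device_id, expires)}"


def needs_second_step(user: str, device_id: str, token, now: float) -> bool:
    """True when the log-in must ask for a code; False for a remembered device."""
    if not token:
        return True                     # first log-in from this device
    try:
        expires_s, tag = token.split(".", 1)
        expires = int(expires_s)
        tag_bytes = tag.encode()
    except ValueError:
        return True                     # malformed token: treat as an unknown device
    expected = _tag(user, device_id, expires).encode()
    # Constant-time comparison; a token copied to another device or account fails here.
    if not hmac.compare_digest(tag_bytes, expected):
        return True
    return now >= expires               # remembered, unless the trust period ran out


if __name__ == "__main__":
    t0 = 1_700_000_000                  # constructed timestamp
    tok = issue_device_token("member", "home-laptop", t0)
    for device, token in [("home-laptop", None), ("home-laptop", tok), ("other-phone", tok)]:
        print(device, "needs second step:", needs_second_step("member", device, token, t0 + 60))
```

A password alone is not enough on any device that does not hold a valid token, which is what stops a leaked password from opening the account elsewhere.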

Marauder SASS #13056
Posted July 28

I find it almost funny that security is so strongly emphasized but we are generally not allowed the more secure methods ourselves - one of which is a VPN. Many websites want to look into my computer for their protection, thus decreasing my protection. So 2 factor is sorta helpful but it reminds me of "duck and cover" during the 1950's to some extent. What about those without a cell phone! (I know, I can usually use my email.)

Eliphalet R. (Moderator)
Posted July 28

1 hour ago, Marauder SASS #13056 said:
> I find it almost funny that security is so strongly emphasized but we are generally not allowed the more secure methods ourselves - one of which is a VPN. Many websites want to look into my computer for their protection, thus decreasing my protection. So 2 factor is sorta helpful but it reminds me of "duck and cover" during the 1950's to some extent. What about those without a cell phone! (I know, I can usually use my email.)

No problem using a VPN, I use one myself, for both this log-in, my regular log-in, FB and whatever. I have to use 2Factor if I use a VPN with G-Mail, my Credit Union, or Amazon.

Pat Riot
Posted July 29

I just signed out and signed back in with no problem… Unless the new system isn't activated yet, it was seamless to me.

Misty Moonshine (Author)
Posted July 31

Hi everyone!! Sorry for the delay in my getting back to you all on this. We've decided to delay the 2 factor authorization for now; but have implemented the new minimum password requirement. We'll give it a little time and see if we need to proceed with the 2FA down the road.

Misty

H. K. Uriah, SASS #74619
Posted August 29

I loathe Two Factor ID for many reasons. Please don't do it! Minimal password format is okay, but TFID, please, no....