
SASS Wire Forum: Email Scams, Spam (not the good kind) & your Login password



Hello fellow SASS members! 

 

I trust this all finds you well. As many of you know, we have had several battles here on the Wire over the years with scam emails, phishing, and the dreadful spammers. Most recently, there was a situation where it seemed as if a scam artist had gained access to PM's here on the wire. 

I have had a conversation with our partners over at PSP Inc, and he sent the following message. Please read it and educate yourself to better gain an understanding of how these scammers work. 

 

Based on the information below, and in an effort to provide a more secure environment for all of our users, the SASS Wire Forums will be implementing 2 factor authentication and a minimum password requirement within the SASS wire forums. This post is a heads up that you will need to change your password - and can also expect to see a 2 factor authentication in order to access the forum soon. The new requirement will go into effect on Monday, July 29, 2024. 

 

Trying to stay a few steps ahead of the jerks that scam and spam us,

Misty Moonshine

 

=========================

 

Getting scam emails is not indicative of private messages being read by hackers.  However it could point to someone having malware on their computer, or having a compromised account.  For example, SASS Member Joe messages SASS Member Jack, but SASS Member Jack may have malware on his computer which allows a hacker to read the emails coming through.  So then SASS Member Joe ends up getting a scam email as a result from the malware.

 

If your forum has been targeted by scammers, it's possible some of your users have mistakenly clicked on the scam and got their computers infected by malware.  This issue then spreads as those infected individuals receive emails, and more scam emails go out from the infected individuals to other users.

 

It's easy to infect other users because scam emails will be coming from infected users, therefore it already has established trust so people willingly click on anything sent by their friends & peers.  And this is how a virus gets spread to more and more users.  Best way to combat this issue is to send out an alert to all, telling them how this scam works, and to inform people to not click on just anything.

 

Also recently there was the biggest password leak in history, about 10 billion passwords were leaked on the dark web.  You can read more about it here (https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/)

 

Basically many users are unaware their passwords to their online accounts are leaked.  This means some of your users may have compromised forum and/or email accounts.  Since private messages are sent through the forum and emails, if someone's email account is compromised, scammers can easily obtain email addresses from other users.  The best recommendation is to ask your users to update their passwords to the forum and their email accounts, as well as run scans on their computers just to be safe.  Most people don't change their password ever, so when a password leak occurs, they don't even realize someone else is accessing their online accounts.

 

This isn't to rule the forum out completely, but there are just too many ways to allow scammers to obtain email addresses through various means. 

Please note that your forum is at the latest version, so there are no further updates I can apply to your forum.  There are security options you can enable to make it harder for hackers to access accounts however:

1. Your forum currently does not utilize 2 factor authentication.  Enabling 2FA will help secure your user accounts.  Right now, anybody who knows the password of an account can just login and gain access to all the private messages and personal details.  This also means if one of your moderators has their account compromised, since mods can read email addresses of users, this makes it easy for scammers to collect email addresses to send out further scams.

 

2. Your forum currently does not have a minimum strength password requirement.  This means users can pick the shortest, easiest-to-hack passwords for their forum accounts.  Without 2FA, hackers can use brute-force attacks to guess user passwords.  Basically any passwords shorter than 10 characters can be hacked in less than an hour with today's technology.  So enforcing strong passwords should be preferred.

  • Like 2
  • Thanks 3
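
An added example, not part of the original post or of the forum software: a small Python check of the kind a minimum password requirement implies, combining a length threshold with a lookup against a leaked-password list. The function names, the use of 10 characters as the policy value, and the sample leaked entries are assumptions constructed for illustration.

```python
import hashlib
import unicodedata

# Assumption: policy value borrowed from the "shorter than 10 characters" remark above.
MIN_LENGTH = 10

# Constructed sample of a leaked-password list, stored as SHA-1 hex digests
# so the checker does not need a plaintext corpus in memory or on disk.
SAMPLE_LEAKED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password123", "qwertyuiop", "letmein2024", "cowboyaction")
}


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare and hash identically."""
    return unicodedata.normalize("NFKC", password)


def password_problems(password: str, username: str, leaked=SAMPLE_LEAKED) -> list:
    """Return the reasons a proposed password is rejected (empty list = accepted)."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw and len(set(pw)) <= 2:
        problems.append("uses only one or two distinct characters")
    if username and username.casefold() in pw.casefold():
        problems.append("contains the account name")
    # Check the lower-cased form as well: changing the case of a leaked
    # password does not make it a new password.
    digests = {hashlib.sha1(v.encode("utf-8")).hexdigest() for v in (pw, pw.lower())}
    if digests & leaked:
        problems.append("appears in a leaked-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("short", "Password123", "aaaaaaaaaaaa",
                      "correct horse battery staple"):
        print(repr(candidate), "->", password_problems(candidate, "joe") or "accepted")
```

Length alone is not enough: the second sample passes the length rule and is still rejected because a case variant of it is on the leaked list.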

I have 2 factor authentication on my bank account. Get a text message with a code to enter. No big deal, just part of the crazy world we live in.

  • Like 2

It is a pain if you're in an area without cell service like most matches up here!

  • Like 2

When is the 2FA going to be available? 


2 hours ago, Larsen E. Pettifogger, SASS #32933 said:

No big deal if you only log into your bank once or twice a week.  If you look at the SASS wire multiple times a day it would be a PITA.

I see your point, however it looks like this is what we will have to do.


To be clear I am glad SASS is taking steps to make the wire more secure.  I am an addict and even look at the wire during commercials on the TV.  If this makes logon more difficult this may help break me from my affliction.

  • Like 5
  • Haha 1

It is an inconvenience, but necessary in these times. I just updated my password too.


I hope the 2FA has an email field for the code. I don't get cell service where I live and can not get a text code.

  • Like 2
  • Thanks 1

47 minutes ago, X Mark said:

I hope the 2FA has an email field for the code. I don't get cell service where I live and can not get a text code.

Same here, no cell service.

  • Like 1

11 hours ago, Larsen E. Pettifogger, SASS #32933 said:

To be clear I am glad SASS is taking steps to make the wire more secure.  I am an addict and even look at the wire during commercials on the TV.  If this makes logon more difficult this may help break me from my affliction.

 Why not exit the site without logging out i.e. it's always logged in?


On 7/23/2024 at 7:42 AM, Tex Jones, SASS 2263 said:

 Why not exit the site without logging out i.e. it's always logged in?

That's the way I have done for at least 10 years. If I have to log out/log in/ log out/etc every time I look at the forum.....I'm gone. Been a member of this forum for over 20 years and have never had a problem with scams or spammers. There are several informational personal sites that I belong to (mostly medical & financial) that use a double entry system and I usually log into them about 5 or 6 times a year. I look at this forum (and several others) multiple times a day. The new system is going to be a PITA. I am sure I am not alone in my feelings and you will be losing members..

Edited by Big Sage, SASS #49891 Life
  • Like 3
  • Thanks 1

If you have internet at home, install a wifi router and connect your phone to your wifi, voilà, text msgs!  I think...

Edited by Griff
  • Like 2

Well-went to change my password-could not remember it as it's been 25 years-requested a password change email twice-never got one. Finally remembered it. No, I did not write the old one down-did write the new one down as it's 27 characters long. Kinda sorta.


On 7/24/2024 at 1:59 AM, Griff said:

If you have internet at home, install a wifi router and connect your phone to your wifi, voilà, text msgs!  I think...

That's exactly right.  If you have a computer and use this website at home, then you can receive text messages and even cellphone calls on your phone.  It is called WiFi calling, and it is simply a feature that you enable on your phone.  (On an Android phone, go to Settings, then Connections, and you'll see it -- switch it ON.  I have no idea what to do on an Apple product.)  I have no cell service inside my Houston apartment in a concrete and steel building, but I can talk all day long and can (and do) send and receive text messages over the same WiFi router that supplies my internet service.  Stop complaining and wise up, folks.  2FA is here -- everywhere -- it is just a fact of modern life, and it works.  It adds 5 seconds to the start of your browsing session; if your time is so valuable that you cannot afford the extra 5 seconds, so be it.

Edited by Nostrum Damus SASS #110702
  • Like 1

Just hope we get a warning to update and add the 2FA and not just get dumped!!

  • Like 1

14 minutes ago, Cypress Sun said:

It adds 5 seconds to the start of your browsing session; if your time is so valuable that you cannot afford the extra 5 seconds, so be it.

 

My browsing session is 30 seconds during commercials many times a day.  Right now once logged in I stay logged in.  My question was is this going to change?  I have numerous sites I visit.  The only ones that have two factor authentication are generally those having to do with money.  Banks, IRA, retirement accounts, etc.  I have never run into an enthusiast or hobby site with 2FA.  How valuable my time is is no one's business but my own.

  • Like 2
  • Confused 1

4 minutes ago, The Original Lumpy Gritz said:

I don't remember my current password. 

What do I do?:huh:

You will have to sign up for the optional 4 factor authentication.  Do you remember your first dog's name?

  • Haha 2
  • Confused 1

5 hours ago, The Original Lumpy Gritz said:

I don't remember my current password. 

What do I do?:huh:

Same here, I've probably been logged in for 15 years!

  • Like 1
  • Thanks 2

There are two different types of 2-Factor ID log-ins.

 

One is used by banks, brokerages, online pharmacies, etc.  Where you log in and then they send you a message by phone or e-mail, whichever you chose, and you reply to that message.

 

The other is used by Facebook, G-Mail, Paypal and Amazon.  Where if you are logging in from a location or a device other than your usual one, only then do they require the 2nd-step of the log in.   So, if you are looking at FB from the same location and device, you'd never know it was 2 Factor.   I would bet that this is the type the Wire is going to go to.   Log-in with the 2 step process once, and you'll not have to do it again from that device and location.  But others will not be able to get into your account without you knowing.

 

In the meantime, your e-mail addresses are hidden by default.  But, many of you have added your email address again to your public profile.  Don't do that!!

 

We will continue to delete, without notice, private phone numbers and email addresses that folks STILL add in their posts, when we see them.

 

Eli

  • Like 1
  • Thanks 5

I find it almost funny that security is so strongly emphasized but we are generally not allowed the more secure methods ourselves - one of which is a VPN.  Many websites want to look into my computer for their protection, thus decreasing my protection.

So 2 factor is sorta helpful but it reminds me of "duck and cover" during the 1950's to some extent.  :D

What about those without a cell phone!  (I know, I can usually use my email.)


1 hour ago, Marauder SASS #13056 said:

I find it almost funny that security is so strongly emphasized but we are generally not allowed the more secure methods ourselves - one of which is a VPN.  Many websites want to look into my computer for their protection, thus decreasing my protection.

So 2 factor is sorta helpful but it reminds me of "duck and cover" during the 1950's to some extent.  :D

What about those without a cell phone!  (I know, I can usually use my email.)

 

No problem using a VPN, I use one myself, for both this log-in, my regular log-in, FB and whatever.  I have to use 2Factor if I use a VPN with G-Mail, my Credit Union, or Amazon.   


I just signed out and signed back in with no problem…

Unless the new system isn’t activated yet, it was seamless to me. 

  • Like 1

Hi everyone!! 

 

Sorry for the delay in my getting back to you all on this. 

 

We've decided to delay the 2 factor authorization for now; but have implemented the new minimum password requirement. 

 

We'll give it a little time and see if we need to proceed with the 2FA down the road. 

 

Misty

  • Like 2
  • Thanks 7