[PREVENT] Compromised Accounts

RE: [FIX] Compromised Accounts

skinhead said:
He scammed out, lmfao
he tryna cover his tracks but hes too stupid

If he had that 2step we'd know for 100% sure it was him. Then the excuse "I WAS COMPROMISED" would never again exist on forumkorner.
 
RE: [FIX] Compromised Accounts

@hassam = dum arab
nothing else to say wllah
 
RE: [FIX] Compromised Accounts

I believe this idea is already in the works, note this photo:
dK23Md8.png

Clicking that link currently takes you here but it's a blank page.

This idea should 100% be implemented though because it would make deals on-site more secure and would stop the "I was compromised" in scams.
It's not FK's job to protect users from being compromised, but this idea would just make the whole site feel more secure overall.
 
RE: [FIX] Compromised Accounts

Totodile said:
I believe this idea is already in the works, note this photo:
dK23Md8.png

Clicking that link currently takes you here but it's a blank page.

This idea should 100% be implemented though because it would make deals on-site more secure and would stop the "I was compromised" in scams.
It's not FK's job to protect users from being compromised, but this idea would just make the whole site feel more secure overall.

It's blank because I think it came with mybb
 
RE: [FIX] Compromised Accounts

Maybe make it so if you log in from a different IP your account gets locked for 24 hours, and if pass changes from a different IP it's 48 hours

*Sorry if my grammar is shit, I just got a new thinkpad couple hours ago :|
 
RE: [FIX] Compromised Accounts

Fedoras said:
Maybe make it so if you log in from a different IP your account gets locked for 24 hours, and if pass changes from a different IP it's 48 hours

*Sorry if my grammar is shit, I just got a new thinkpad couple hours ago :|

Don't see what that would accomplish personally.
 
RE: [FIX] Compromised Accounts

Fedoras said:
Maybe make it so if you log in from a different IP your account gets locked for 24 hours, and if pass changes from a different IP it's 48 hours
*Sorry if my grammar is shit, I just got a new thinkpad couple hours ago :|

That's just a very troublesome way of going about it and you have to think about socks5's and how close they can be (location-wise) so the system doesn't detect it.


Hey, @Satan @Paladin could you guys voice your opinions on this? Like if you support the idea or not?
 
RE: [FIX] Compromised Accounts

Krish said:
That's just a very troublesome way of going about it and you have to think about socks.


Hey, @Satan @Paladin could you guys voice your opinions on this? Like if you support the idea or not?


I log in on a different IP every time I use FK. Several people use the VPN service I use as well. I think the only time IPs of users are looked into is when they're suspected of multi / faking being compromised.
Also, SOCKS5 usually die within 48-72 hours even when private/ VIP72. If a user has logged into FK from the same residential connection over weeks, it's probably not a socks.
 
RE: [FIX] Compromised Accounts

Satan said:
I log in on a different IP every time I use FK. Several people use the VPN service I use as well. I think the only time IPs of users are looked into is when they're suspected of multi / faking being compromised.

Also, SOCKS5 usually die within 48-72 hours even when private/ VIP72. If a user has logged into FK from the same residential connection over weeks, it's probably not a socks.

Are there Vpn gate servers that are up 24/7? As I know those emulate home connections. Question posed here is do you think the effort to put in 2FA on FK is worth it?
 
RE: [FIX] Compromised Accounts

Krish said:
Are there Vpn gate servers that are up 24/7? As I know those emulate home connections. Question posed here is do you think the effort to put in 2FA on FK is worth it?

2FA won't help if the person was stupid enough to get compromised in the first place. 2FA won't work if everything the person owns is jacked.


I think a mandatory password change every 72 days or so would be pretty nice, as well as a required strong password.
There's still tons of people using uniform passwords throughout all their accounts. 

This is more of a problem with users, rather than the site. Stop using insecure email services, weak and common passwords, or sharing passes across sites.
Again, the only secure (imho) email services are https://www.autistici.org and https://www.riseup.net.

I use generated passwords from https://xkpasswd.net/s/  (WEB16)
 
RE: [FIX] Compromised Accounts

Satan said:
2FA won't help if the person was stupid enough to get compromised in the first place. 2FA won't work if everything the person owns is jacked.
I think a mandatory password change every 72 days or so would be pretty nice, as well as a required strong password.
There's still tons of people using uniform passwords throughout all their accounts.
This is more of a problem with users, rather than the site. Stop using insecure email services, weak and common passwords, or sharing passes across sites.
Again, the only secure (imho) email services are https://www.autistici.org and https://www.riseup.net.
I use generated passwords from https://xkpasswd.net/s/ (WEB16)

You said 2fa doesn't help if everything is jacked? You'd need the physical device the 2Step QR has been loaded onto to get the code to log in to fk in the first place. I use Riseup myself and you're right, I absolutely love the service but a lot of members would have a hard time getting their hands on an invite code.

Ahh, I think you may have misunderstood, I'm talking about to PREVENT compromised accounts. I should change the title, sorry for not being clear @Satan

I agree that this is a user problem but due to how often it happens, it shouldn't be a problem for the site to help the users out by allowing an option for additional security.
 
RE: [FIX] Compromised Accounts

Krish said:
You said 2fa doesn't help if everything is jacked? You'd need the physical device the 2Step QR has been loaded onto to get the code to log in to fk in the first place. I use Riseup myself and you're right, I absolutely love the service but a lot of members would have a hard time getting their hands on an invite code.

I offer free invites to anyone who asks me. I made a thread about it when I first signed up, but someone deleted that thread.
It really depends on the method for 2FA; 

SMS, Call, and email 2FA are obsolete and insecure.

A code being sent to the physical device is the only 2FA that I'd recommend. 

3/4 most common 2FA is enough for me to say most 2FA is pointless, but I didn't know FK had the potential for the last.
 
Satan said:
A code being sent to the physical device is the only 2FA that I'd recommend.

Can I put you down as you supporting the idea of implementing Google Authentication?
 
Krish said:
Can I put you down as you supporting the idea of implementing Google Authentication?

Sure, I'm all for it so I don't have to see someone making a new post every 24 hours because their Yahoo had the same password as their Instagram and Facebook.
 
Satan said:
Sure, I'm all for it so I don't have to see someone making a new post every 24 hours because their Yahoo had the same password as their Instagram and Facebook.

Thanks for the support on this. It would get rid of all the real occurrences of hijacking and all the "Fake" occurrence excuses.


Added a list of people backing it up @Philly
 
Generally, the accounts that are vulnerable are those yet to be banned from pre-2013, when the database was leaked, that haven't signed in to secure their account. Aside from this, the rest are usually an issue on the user's side. There is a two step authentication setting in the UCP, accessible to all who deem necessary. It's been made very clear that this excuse won't fly. Unfortunate for some, but a comfortable precaution.

This does bring a thought up for me, though. I'll run it by.
 
Color said:
Generally, the accounts that are vulnerable are those yet to be banned from pre-2013, when the database was leaked, that haven't signed in to secure their account. Aside from this, the rest are usually an issue on the user's side. There is a two step authentication setting in the UCP, accessible to all who deem necessary. It's been made very clear that this excuse won't fly. Unfortunate for some, but a comfortable precaution.

This does bring a thought up for me, though.  I'll run it by.

The UCP Link doesn't work for any of us as @Totodile stated.
 
Seems like a really thought-out idea. I agree with this being implemented, even though my opinion couldn't mean less at the moment.
 
this suggestion should not be accepted simply due to the fact that you got your own shit compromised.
 