Google authenticator is a good one to use for 2FA, especially if you use it on other sites, its a very easy setup.
I STRONGLY suggest Google Authenticator, or really any app, and NOT using email for 2FA. As Pete notes with Microsoft Authenticator, they're all good, and they all work dandily. He's using Microsoft, I have three sites that I use Google Authenticator for (including our server host), and I also use Authy for another site. All of these work on both Android and iOS, super simple, and genuinely secure. Really, truly, use whichever app you like!
There's nothing
wrong with email, but we have no way of knowing if you change your email account. An authenticator app doesn't know or care about your email account. In fact, you're perfectly fine continuing to use an email account that doesn't even exist anymore as your identifier to get in the site. The security is provided by the
app, which changes the passcode every 20-30 seconds. Email is easy enough to hack, but NOBODY (in practice) is going to both hack your email AND your phone (which presumably also has some kind of security on it).
I know that email SEEMS easier, because there's nothing to remember, but I swear, the app is FASTER than email, and again note, you only need to authenticate ONCE A MONTH.
I'll be writing up a tutorial for the apps, because really truly, that's the better way to go.
is there any issue with staying “permanently” signed in to the site on my PC and iPad? Does this affect security?
It's security neutral. Somebody can hack your account while you're logged in, unless you have 2FA. If you have 2FA, you'll be notified that somebody is trying to get in.
In which case, notify us.
We'll go block the IP that's probing your defenses.
There's the other issue, which we can't do anything about: these guys are using VPNs, so I'm playing whack-a-mole to block the IP addresses each time, but they just grab another. That's life, and that's also why 2FA is the only real security.
If a member is constantly posting and interacting on the forum, it is highly unlikely that they will be scamming us. It's the accounts that haven't been used in awhile, or new ones that might be up to no good, or have been compromised.
The thing is, you can't know that an account has been compromised until they tip their hand. The most recent scammer hacked an active account that had made a legit sale in late December! Nobody knew it was a scam until the scammer got profane, at which point somebody who knew the proper account holder and knew that this language and attitude was completely out of character, contacted both us and him to doublecheck. He confirmed that he was not the one behind that sale, and we proceeded accordingly...
...but the issue is that his account was accessible through whatever means (and I don't have any way of knowing the specifics -- a lucky guess? some sort of automated process?), and the account of an active, known seller
looks like the account of an active, known seller, because it is!
So there are two basic steps to closing this vulnerability:
- Strong passwords + 2FA
- Assume that if the deal is unusually good that it's a scam, and report it.
Because that's the other thing. These accounts were breached and the "sales" made within a matter of hours.
Sellers have a responsibility to secure their identities (we're working on it!), and
buyers have a responsibility to verify that the sellers are who they claim to be. You can't use their account history to do that! The identity of that account has been stolen!
So drag it out. LOL Make them talk to you. Text messages and emails are not good enough, unless you have some way of making SURE that the person on the other end of the line is who they claim to be. If they lose their temper when you're asking for transparency, report them. They're up to no good.
Jeez louise, I wish I didn't have to encourage people to think like this, but we've been identified as a site where the passwords are soft and the buyers will move quickly. I'm going to work on getting people to harden their passwords, require 2FA for sellers -- because, again, these are the ONLY accounts being hacked -- but buyers have their roles to play too! Drag these exchanges out.
Please note that I'm not blaming anyone but the scammers. Nobody can prevent EVERY scam. After all, Facebook, PayPal, the Pentagon, et al have more security resources than we do, and they get burned by scammers too. But we don't have to do much to make this an unappealing target for them, just a little bit, so let's do that, and we can go back to enjoying each other's company and playing our ukuleles.
Still working a few things on the back end, but I'll be back soon!
