Upcoming Change - Make Sure Your Email Address Is Valid, as Email-Based 2 Factor Authentication Will Be Enforced

All OzBargain users — make sure your email address here on OzBargain is valid and you are able to receive emails, as we will enforce email-based two-factor authentication on all accounts that do not have 2FA turned on.

Over the last couple of weeks we have noticed an increasing number of OzBargain accounts being "hacked" by bots brute-forcing username/password pairs (leaked from other compromised sites). Here is an example of how they operate:

  1. Bots try to compromise OzBargain accounts by testing username/password pairs from VPN or random IP addresses
  2. Once an account has been compromised, someone takes over the account from an Australian VPN
  3. The spammer then uses that compromised account to post spam

These are difficult to detect and block until the spam has been posted, as their method keeps changing.
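The three-step pattern above has a recognisable shape in a login log: one source trying many different usernames, and one username failing from many sources before a success arrives from an address that produced none of the failures. The following is an added example, not OzBargain's own code, of detection logic run over constructed sample log lines; the log line format, the thresholds and the sample events are all assumptions.

```python
"""Detect the credential-stuffing pattern described above on a sample of
login events.  Added example, not OzBargain's code.  The log format,
thresholds and sample lines are all assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one IP sprays many leaked pairs, 'carol' is hit from
# many IPs, then a success for carol from yet another address (the
# "take over from an Australian VPN" step).  'frank' is a normal user who
# mistyped once and then logged in from the same address.
SAMPLE_LOG = """\
2022-03-10T01:00:01Z login user=alice ip=203.0.113.10 result=fail
2022-03-10T01:00:02Z login user=bob ip=203.0.113.10 result=fail
2022-03-10T01:00:03Z login user=carol ip=203.0.113.10 result=fail
2022-03-10T01:00:04Z login user=dave ip=203.0.113.10 result=fail
2022-03-10T01:00:05Z login user=erin ip=203.0.113.10 result=fail
2022-03-10T01:00:06Z login user=carol ip=198.51.100.7 result=fail
2022-03-10T01:00:07Z login user=carol ip=198.51.100.8 result=fail
2022-03-10T01:00:08Z login user=carol ip=198.51.100.9 result=fail
2022-03-10T01:00:09Z login user=carol ip=198.51.100.10 result=ok
2022-03-10T01:00:10Z login user=frank ip=192.0.2.44 result=fail
2022-03-10T01:00:11Z login user=frank ip=192.0.2.44 result=ok
"""

def parse(log_text):
    """Turn matching lines into dicts with a parsed timestamp; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events

def spraying_ips(events, min_users=4, window=timedelta(minutes=10)):
    """IPs that tried >= min_users distinct usernames inside one window.
    A person mistyping their own password never looks like this."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged

def likely_takeovers(events, min_fail_ips=3, window=timedelta(minutes=10)):
    """Accounts with failures from >= min_fail_ips distinct IPs followed by a
    success from an IP that produced none of those failures.
    Returns {username: ip_of_the_suspicious_success}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "ok":
                continue
            prior_fail_ips = {p["ip"] for p in evs[:i]
                              if p["result"] == "fail" and e["ts"] - p["ts"] <= window}
            if len(prior_fail_ips) >= min_fail_ips and e["ip"] not in prior_fail_ips:
                flagged[user] = e["ip"]
    return flagged

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("spraying IPs:", spraying_ips(evs))        # {'203.0.113.10'}
    print("likely takeovers:", likely_takeovers(evs))  # {'carol': '198.51.100.10'}
```

The per-IP rule catches the spraying source but is defeated by rotating proxies; the per-account rule is what catches the takeover, because the success comes from an address the attacker never used for guessing. Both rules only fire after the fact, which is why the post moves to a second factor rather than relying on detection alone.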

To reduce the number of old accounts being compromised, we will enforce email-based two-factor authentication on all accounts that do not have token-based 2FA turned on in their account security settings. This change will be rolled out later this month or early April. Basically, after you have entered the correct username and password on the login form,

  • If your account has token-based two-factor authentication turned on, a 6-digit token will be requested
  • Otherwise, an email may be sent to the email address registered in your profile. You will need to click on the link in the email or enter the 6-digit code to successfully log in.

This should hopefully reduce the number of accounts getting brute-forced, provided that your email inbox is valid and secure. Note that this does not apply to logging in through Google or Facebook Sign-in, as we assume your accounts on those services are already secured.

If your email address is no longer valid, you will not be able to receive the 2FA email, which means you will not be able to log into OzBargain.
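What the server has to do after the password check is small but easy to get wrong: decide which challenge applies, generate a code and a link token that are stored only as hashes, expire them, cap wrong guesses, accept each one once, and compare in constant time. The following is an added example, not OzBargain's code, sketching that flow together with the RFC 6238 TOTP check used for the token-based branch; the in-memory store, the 10-minute expiry, the 5-attempt cap and the account-settings layout are assumptions.

```python
"""Server-side sketch of the login flow described above: after the
password check, require a TOTP code if the account has token-based 2FA,
otherwise issue a one-time e-mail code/link.  Added example, not
OzBargain's code; the store layout, 10-minute expiry, 5-attempt limit
and the account-settings keys are assumptions."""
import base64, hashlib, hmac, secrets, struct

OTP_TTL = 600        # seconds an e-mail code/link stays valid (assumed)
MAX_ATTEMPTS = 5     # wrong-code guesses before the code is voided (assumed)

def _h(value: str) -> bytes:
    # Store only hashes so a database read does not yield usable codes.
    return hashlib.sha256(value.encode()).digest()

class EmailOtpStore:
    """In-memory stand-in for a pending-login table."""
    def __init__(self):
        self.pending = {}   # user -> {code_hash, link_hash, expires, attempts}

    def issue(self, user: str, now: float):
        """Return (code, link_token) for the mailer; remember only their hashes."""
        code = f"{secrets.randbelow(10**6):06d}"     # uniform 6-digit code
        link_token = secrets.token_urlsafe(32)       # long token for the link
        self.pending[user] = {
            "code_hash": _h(code), "link_hash": _h(link_token),
            "expires": now + OTP_TTL, "attempts": 0,
        }
        return code, link_token

    def _check(self, user: str, key: str, presented: str, now: float) -> bool:
        rec = self.pending.get(user)
        if rec is None or now > rec["expires"]:
            self.pending.pop(user, None)            # expired: forget it
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec[key], _h(presented))   # constant-time
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user]   # single use, or voided after too many tries
        return ok

    def verify_code(self, user: str, code: str, now: float) -> bool:
        return self._check(user, "code_hash", code, now)

    def verify_link(self, user: str, token: str, now: float) -> bool:
        return self._check(user, "link_hash", token, now)

def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): what authenticator apps compute."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"

def verify_totp(secret_b32: str, presented: str, now: float, skew: int = 1) -> bool:
    """Accept the current step and +/- skew steps to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, now + d * 30).encode(),
                                   presented.encode())
               for d in range(-skew, skew + 1))

def second_factor_for(account: dict) -> str:
    """Which challenge follows a correct password (mirrors the rules in the post).
    Keys 'social_login', 'totp_secret', 'email_2fa_opted_out' are assumed names."""
    if account.get("social_login"):          # Google/Facebook sign-in: handled there
        return "none"
    if account.get("totp_secret"):
        return "totp"
    if account.get("email_2fa_opted_out"):   # the later opt-out checkbox
        return "none"
    return "email"
```

The `totp()` function reproduces the RFC 6238 test vector (secret `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`, time 59, code `287082`), so it can be checked against any authenticator app. The e-mail branch deliberately voids the code after a correct use or after the attempt cap, so a 6-digit code cannot be brute-forced within its lifetime, and the link token is long enough that guessing it is not a concern.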

Update 25 March 2022: E-mail based two factor authentication has now been rolled out.

Update 1 April 2022: Users can now opt-out of email-based 2FA confirmation under security settings. Note that the checkbox will only appear if app/token-based 2FA has not been enabled.

Update 12 Aug 2022: E-mail based 2FA can now be confirmed via the link in the email or by direct input of the 6-digit code.

Comments

  • +8

    I imagine this is more a consequence of people using ridiculously insecure passwords on their OzBargain accounts because they're considered expendable and don't contain much, if any, personal/confidential information; than there being any sort of dramatic increase in the volume or sophistication of brute-force botnet attacks.

    OzBargain probably flew under the radar of a lot of these bots until the site's popularity started growing dramatically in recent years.

    If people started being forced to use actual passwords/passphrases instead of Password123, that would solve the issue.

    I've had the same password on OzBargain for over 5 years now.
    But it's a 20+ character real password.

    If legitimate, non-sock puppet/throwaway accounts from users who've been members for years are getting brute-forced then their passwords must be absolute garbage.

    • +10

      instead of Password123

      man, you just going to go and tell everyone my password like that? :)

      • +5

        Nah when you type your password in a comment it automatically gets censored by the OzB bots, my password is: **********

        • +1

          That's good to know. My password is ozbargin123 :P

          • +1

            @st1ng: dude you gotta be more secure with your passwords and use a unique password on each site.

            mine is ANTIozbargain123, ANTIfacebook123, ANTIcommbank123 etc

        • +4

          bash.org in the house!!!

        • +6

          hunter2

        • +2

          doesn't look like stars to me

      • My password is hunter2

    • -1

      That's actually not how it works. Email/password lists are leaked from other websites which have been breached, and the bots are set up to test these lists on OzBargain. It doesn't matter at all how secure the password is: if they used that password on another website which was compromised, and they also use it for OzBargain, their account will be breached. Funnily enough, I doubt that you have a different 20+ character real password for every different website you have an account with ;)

      • +4

        funnily enough I doubt that you have a different 20+ character real password for every different website you have an account with

        Why not? If they are a password manager user (eg LastPass, bitwarden etc) it's trivial to have unique 20+ char passwords for each site (except those stupid sites that have actual password limitations)

        • Find it frustrating when they don't tell you the upper limit for a password. Some of them will truncate the password you entered without telling you, so you've got no idea if your password is the first 100 characters or the first 10.

  • +10

    Maybe everyone should be sent a PM, not sure if everyone will see this thread.

    • There was a little banner just below the top section of the homepage displaying this which brought me here. Imo that's probably sufficient. The only benefit of a PM is that those who have email notifications for their PMs will get an email notification.

  • +3

    Spammer will use that compromised account to post spams

    Oh damn. Guess jv must have been hacked years ago

    • +14

      Oh damn. Guess jv must have been hacked years ago

      Fixed

    • I honestly think the current JV is not the original one. There was a marked point of change.

      • That's an interesting theory! Say you're right, could you link to the two comments when you think they switched over?

        • +1

          Not sure but I seem to recall that he disappeared for at least a few months in between.

  • I can't get the 2FA thing to work with either the QR code or the six-digit number, which produces a long mix of letters and numbers.

    Anyone?

    • +1

      Get a 2FA app like Authy, see @scrimshaw's post below for a great summary

      • +1

        Hi, went with Authy.

        Simples. Many thanks to you and @scrimshaw :+)

  • +4

    Just to expand on two important points.

    • Don't reuse the same password on any site. Use a password manager or at the very least write something different for each password so you can remember.
    • Check HaveIbeenpwned to see if your email address has been compromised in any data breaches.
    • +1

      Check HaveIbeenpwned(haveibeenpwned.com) to see if your email address has been compromised in any data breaches.

      if your email address isn't in haveibeenpwned.com, do you even really exist? (excluding those with own domain/unique per site email addresses)
      :)

      • +2

        If it's not listed then you haven't used Shopback before September 2020 ;)

        • +1

          Or Sony, Dropbox, LinkedIn, Bunnings or many other countless breaches or data dumps.

          In the world of data breaches, shopback would be well down the list of customer numbers.

          • @SBOB: I think Shopback would be the most likely one for OzBargainers out of what you just listed.

            • +1

              @Clear: Most likely, or just easiest to directly whinge at ;)

      • +2

        how good is own domain and thus unique per site email addresses !!!

  • +16

    Suggested software / addons that you should be using to improve your security and to prevent yourself from becoming a victim to Credential stuffing

    • Bitwarden. Open source password manager that helps to keep track of all your logins, and is a good way to make sure you're using unique passwords for every site. LastPass is a paid alternative and KeePass is a cloudless alternative that you must run locally on your machine.

    • Google Authenticator, or Microsoft Authenticator to manage and create your 2FA's.

    • My personal favourite though is Authy and it runs on either Android or iOS. It's much better than Google's.

    • Use Have I been Pwned and enrol yourself using the "Notify me" link at the top. What does it do? Have I been Pwned scans various websites for mentions of your email that got leaked online (security breaches) and then it sends you an email letting you know the details of the security breach. What should you do? Change the password for the breached site and make sure no other sites you have logins to uses that same password.

    Know something else better? Let us know in the comments below.

    • +1

      You are a gem sir, a gem

    • +1

      If you use an Android phone, I would recommend Aegis over Authy as they give you much greater control over your 2FA tokens.

      • Could you elaborate a little bit?

        A disadvantage based on you specifying "if you use an Android phone" seems to imply Aegis doesn't work with iOS

        • What does your app offer that other 2FA apps do not?
          Compared to other 2FA apps, we think Aegis stands out in terms of its simplicity and security. Most popular apps like Google Authenticator and FreeOTP don't bother with additional security measures. They allow access to your tokens right after opening the app. Aegis, on the other hand, encrypts all of your tokens at rest and requires a password or the touch of a finger to decrypt them.

          Another important feature is the ability to export your tokens and import them into another device. Google Authenticator doesn't have this, which has not only annoyed users for years, but has also resulted in loss of access to lots of accounts.

          This is stated on the FAQ section of the website, but it's mainly a dig at Google Authenticator rather than Authy/Microsoft Authenticator hahaha

    • +8

      Google Authenticator doesn't have a built-in backup. If your phone is lost, stolen or broken you will get locked out of your accounts. You can only transfer the accounts in Google Authenticator from your old phone to a new phone if your old phone is still in a working condition.

      Authy and Microsoft Authenticator have the option to turn on backups.

    • how do you rate https://vip.symantec.com/ as a 2FA manager?

      one of my banks required it so I use it for everything rather than the Google or Microsoft alternatives.

      • They all do the same thing — generate 2FA codes. Really the only major difference is the UX / design and whether it supports cloud backups.

        The best 2FA authenticator is the one that you use most frequently.

  • +6

    @Scotty, love that you guys have made token based 2FA available. Thank you, so easy!

    You guys can do it, but the big banks? Way too hard for them….. Time for the team to launch ozbank.com.au?

    • OzB crowd-sourced loans, with low(er) interest rates

  • How expensive is it to have a "user from IP address xxx has attempted to log in to your account"?

    • We are already throttling the login attempts (maximum x login attempts per y minutes from a specific IP). However the bots are coming from random IP addresses all across the world.

  • Let me guess, probably same credentials from Shopback hack?

    • Have I Been Pwned have password leaks from a lot more sites than just ShopBack.

  • -2

    as we will enforce email-based 2 factor authentication on all accounts that do not have 2FA turned on.

    Email 2FA is not safe.

    • Email 2FA is as safe as your inbox, and often it's safer than the phone number attached to a SIM card. We will still recommend token based 2FA using Google Authenticator / Authy / etc. However it's an extra step that requires setup, but email has already been provided when you create an account on OzBargain.

  • -4

    May be related but my VPN is almost useless now using an Australian IP address. Just using Google requires verification I am not a bot and many sites take forever to load a page. So I switched to a NZ IP address and fixed it. I use PrivateVPN. Australia definitely seems to be under attack. Should we thank our politicians for their verbal vote catching attacks on China or should we blame Putin?

    • +3

      Or it could just be your VPN provider's Australian servers. Maybe contact their support?

      • Good idea 👍

    • +4

      When you're using a VPN, you are likely going to share IP addresses with a whole bunch of other users.

      That's including bots, so occasionally you will run into issues when you browse the internet and run into firewalls which have been configured to identify the IP address as a threat. And pretty much every popular website will have some kind of firewall and DDoS mitigation / anti-bot system.

  • +1

    What about checking if a password is in this list before allowing a password change?

    https://haveibeenpwned.com/Passwords

  • Early Happy April Fools mr Scotty.

    • I guess not.

  • I dont have a problem with the new setup… Be thankful the site exists.

  • Will this affect 'sign in with x' accounts (using another platform's authentication service)

  • You'll not receive email for 2FA if you

    • Have 2FA turned on in your settings, OR
    • You are signing in with Google or Facebook

    We are assuming your Google or Facebook accounts are already secured.

  • Why not just enforce a tougher password

    • Agree to this,
      because I don't always have a 2FA device with me.

      • +2

        This doesn't require an additional device. It's an email notification - so presuming you're not loading Ozbargain on your TV/microwave/fridge, you're almost guaranteed to have access to email as well.

    • Seconded

    • It's not complexity of the password, but people reuse passwords from other sites that might have been compromised. We can't enforce a password that has not been used elsewhere.

  • E-mail based two factor authentication has now been rolled out this morning.

  • Enforcing 2FA is quite unusual for non-financial website… Please, reconsider?

  • Over the last couple of weeks we have noticed an increasing number of OzBargain accounts got "hacked" by bots brute forcing username/password

    You could add login attempts rate limiting, with exponential backoff, against brute forcing, not 2FA. I'm pissed, @scotty :)

    • We've had per-IP rate limiting on login for years. Doesn't work that well when the requests come from rotating proxies.

      • What about rate limiting by login name? If someone tried nuker 3 times then disable login for 1 hour.
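The two keys discussed here behave very differently against rotating proxies, and the per-username key has a side effect worth seeing before adopting it. The following is an added example, not OzBargain's code, of a sliding-window throttle keyed both ways, with a constructed rotating-proxy run; the limits and the window sizes are assumptions.

```python
"""Sliding-window login throttle keyed by source IP and by username, the two
options discussed in the thread.  Added example, not OzBargain's code; the
limits, windows and the simulated attacker are assumptions."""
import time
from collections import defaultdict, deque

class LoginThrottle:
    def __init__(self, ip_limit=(10, 300), user_limit=(5, 3600)):
        # (max failures, window in seconds) for each key (assumed values)
        self.ip_limit, self.user_limit = ip_limit, user_limit
        self.ip_fails = defaultdict(deque)     # ip -> timestamps of failures
        self.user_fails = defaultdict(deque)   # username -> timestamps of failures

    @staticmethod
    def _prune(q, window, now):
        # Drop failures that have aged out of the window (oldest first).
        while q and now - q[0] > window:
            q.popleft()

    def allowed(self, ip, user, now=None):
        """True if neither the IP nor the username has hit its failure cap."""
        now = time.time() if now is None else now
        for q, (limit, window) in ((self.ip_fails[ip], self.ip_limit),
                                   (self.user_fails[user.lower()], self.user_limit)):
            self._prune(q, window, now)
            if len(q) >= limit:
                return False
        return True

    def record_failure(self, ip, user, now=None):
        now = time.time() if now is None else now
        self.ip_fails[ip].append(now)
        self.user_fails[user.lower()].append(now)

def rotating_proxy_demo(throttle=None):
    """Constructed attacker: one guess per fresh IP against the same account.
    Returns the allow/deny decision for each of 8 attempts."""
    t = throttle or LoginThrottle()
    decisions = []
    for i in range(8):
        ip = f"198.51.100.{i}"               # a new proxy address every attempt
        ok = t.allowed(ip, "nuker", now=float(i))
        decisions.append(ok)
        if ok:
            t.record_failure(ip, "nuker", now=float(i))
    return decisions

if __name__ == "__main__":
    print(rotating_proxy_demo())   # [True, True, True, True, True, False, False, False]
```

Per-IP counting alone would allow all eight attempts, since every one arrives from a new address; the per-username window stops them after five. The cost is that anyone who knows a username can now deny its owner service for the window by sending five wrong passwords, so the usual response on hitting the per-username cap is to demand an extra proof (a code sent to the account's email, as this post does) rather than to refuse the login outright.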

  • Users can now opt-out of email-based 2FA confirmation under security settings. Note that the checkbox will only appear if app/token-based 2FA has not been enabled.

    • The wording of this checkbox isn't great. I log in from the same IP on the same device with ozbargain cookies whitelisted, so according to the checkbox I should only get a 2FA if accessed from Timbuktu rather than every time I log in at my residence. I would rather be notified on the rare instance my account is accessed internationally than need to access my email for every login.

      Note that the checkbox will only appear if app/token-based 2FA has not been enabled.

      Is that a typo? Do you mean to type if "only if app/token-based 2FA has been enabled?"

      • It's not a typo - users either

        • opt-in for app-based 2FA, or
        • system sends 2FA confirmation email as necessary unless user opts out
        • Ah, OK, thanks for letting us know your balance.

          On the one hand it prevents most spam attacks as it's opt-out and most bots won't customise automation to this site. On the other hand, as OzBargain gets more influential, bots may be customised to this site and thus less security for the internet versus user acquisition. I guess OzBargain developers will cross that bridge when it becomes a problem.

  • I got a pop-up this morning to verify if my email is the same. Made the update but it complains it is not a valid email address. It is a valid email, so how do I overcome this error?

    • It's possible that we've banned some disposable email address domains, because of issues we had with spammers or ghost accounts.

      If you want to stay anonymous, get a Gmail or Hotmail address just for OzBargain.

  • -1
    Merged from How Disable Login Emails

    Ozbargain no longer lets me login from shared computers, phones, tablets, etc. Instead, when I enter username & password, ozbargain sends me a $&#ing massive URL via email, which is very hard to copy across to other devices.
    This wasn't happening until quite recently.

    Anyone found a fix, or a way disable this? Scrolling ozbargain on my mobile phone is painful, but so far it's the only way I can login

    Thank you

  • Hi Mods. I've tried to change the email and click submit but it's not saving the changes. Is there anything I can do to change it as that mailbox is no longer in use. Thanks!

    • You should receive an email at your new email address stating that you have changed your email, and you need to click on the link to confirm the change.

      • Hi Scotty, thanks so much for replying. I've got the email now and have updated and confirmed accordingly.

        Hope you have a great day!!

  • I've only just been affected by this. I know why 2FA is used but it was so easy to log into OzB and now it's a burden.

    • You can disable the email 2FA in the security setting page — then the burden is on you to make sure you choose appropriate password so it doesn't get hacked.

  • No FIDO support?
