Started Getting Login Blocks Every Time!

It started yesterday. It says something about security, we sent a link to your email. Every time. WTF? I'm on iCloud Private Relay and had no problems for half a year until yesterday.

Comments

  • Looks like this in email:

    We noticed an unusual login attempt for your account on OzBargain. If that was you, you may now log in to www.ozbargain.com.au by clicking on this link:

  • +1

    The email is legit. Install Microsoft Authenticator or Authy to stop the emails.

    Upcoming Change - Make Sure Your Email Address Is Valid, as Email-Based 2 Factor Authentication Will Be Enforced

    • -2

      But I don't want to, I use a password manager and a pretty long generated password…

      • You will keep getting emails to verify your OzBargain account. Some password managers have built-in 2FA. Does yours?

        • +3

          iOS Keychain does not, KeePassXC does, but I use Keychain for sites I log in to frequently.

          Enforcing 2FA for users without apparent financial risks is overkill.

          • +2

            @[Deactivated]: iOS keychain does have built-in 2FA with iOS 15.

            Too many bots were getting into OzBargain accounts posting spam so the change was made.

            • -5

              @Twix: I understand the reason, I'm saying it's too lazy a solution. You put a burden on users instead of solving the bots problem by other means.

              • +2

                @[Deactivated]: who tf doesn't have an email app on their smartphone

              • -4

                @[Deactivated]: right solution is not 2FA but rate limiting login attempts, duh

                • +1

                  @[Deactivated]: Since when did you get promoted to the Chief Information Security Officer of OzBargain?

          • +4

            @[Deactivated]:

            Enforcing 2FA for users without apparent financial risks is overkill.

            It's not just about you. The financial risk is to OzB. If OzB accounts keep getting hijacked and spam gets posted, it will cost OzB time, money, and reputation to fight the spam.

            If the site starts having more and more spam, people will be annoyed and legitimate content will be diluted, making the site less attractive to users and advertisers which will make them less money. Sites like this are free for you to use but costs a good amount of money to run.

            • @eug: The financial risk is mainly to our users, who risk trading with a scammer in the classifieds. This has happened by scammers gaining access to a user's older OzBargain account, as they used the same email and password on OzBargain, which got leaked from other compromised sites.

    • +2

      wasn't that prep for april fools?

  • +1

    Why don't you just stay logged in? I don't think I've logged in more than 4 times in the whole time I've had my account.

    • +2

      Why would I? I browse in incognito tabs by default, and with Keychain logging in is literally one touch. Have you heard about tracking cookies or online privacy in general?

      • +3

        Nope, just like you.

  • As explained by Twix, 2FA via email was implemented to protect users' accounts. It's far from lazy — we actually have to put in resources to have this implemented, so those lazy users who re-use passwords across websites won't get their accounts hacked easily.

    Moreover, if you are logging in from the IP address that you have used in the past (x months) then the email 2FA won't be required.

    • +1

      Thanks! What about rate limiting by login name? If someone tried 3 times then disable login for 1 hour. Sorry for copying from the other thread, let's keep this as the main one.

      • +1

        What about rate limiting by login name? If someone tried 3 times then disable login for 1 hour.

        If you reused your password they would get it on the first try.
        If there were a few passwords to try they could just automate it.

        On the other hand, if you forgot which password you used and tried 3 different ones and were locked out for an hour, you'd be cheesed off.

        • +1

          Weak or reused passwords are better solved by forcing a password change with a minimum new length/complexity than by mandating 2FA. Won't you agree?

          • +1

            @[Deactivated]:

            Weak or reused passwords are better solved by forcing a password change with a minimum new length/complexity than by mandating 2FA. Won't you agree?

            What's to stop someone from reusing the only 1 complex password that they remember?

            Having complex passwords makes it harder for people to remember, so they'll more likely stick to one common complex password. Not everyone is tech-savvy enough to know about password managers, or they don't trust putting all their eggs in one basket.

            • +1

              @eug: Right. I never said it's easy, I said the solution is lazy, lol

              Summary:

              • weak passwords —> force password change with minimum new length/complexity
              • bruteforcing —> rate limiting by login (keep allowing last known good IP)

              Mandatory 2FA is for banks and EvilCorps, not forums.

              • @[Deactivated]:

                weak passwords

                We do not store your passwords, but a hash. We could force password strength checking at the point of creating an account, but there's no way for us to know whether your existing password is strong or weak.

                bruteforcing

                As I've commented, we already have rate limiting by login. However the bots are usually trying thousands of username/password combinations across various IP addresses. They don't care about specific account. They just want any old trusted account.

                • +1

                  @scotty: Got it. I still disagree, but I rest my case now, I managed to add 2FA to my iCloud Keychain :))

              • +1

                @[Deactivated]: Weak passwords and brute forcing are not the problem. The problem is password reuse, which none of your suggestions address.

                i.e. I use "jGh6##%pp" as my password on Adobe.com and OzBargain. Adobe gets hacked, my password and email gets leaked to the web.

                Spammers buy the leaked database and perform credential stuffing. They have my legit email address and password so they try logging in everywhere with it. Sites without 2FA or methods to detect suspicious logins will allow the login on the first try as the password is correct.

                The solution is to try and detect suspicious logins, then check to make sure it really is you by sending you an email, or with an authenticator app in the first place.

                • @eug: You're right, you said it: "The solution is to try and detect suspicious logins, then check to make sure it really is you by sending you an email"

                  But not the second bit: "… or with an authenticator app in the first place." - this is identical to forcing password change, no need for 2FA here

                  Anyways, I'm out of this, or I'll miss all the bargainz lol

                  • +1

                    @[Deactivated]:

                    But not the second bit: "… or with an authenticator app in the first place." - this is identical to forcing password change, no need for 2FA here

                    Did you not read the announcement linked above that you replied to?

                    You are not being forced to use an authenticator app.

                    If you don't use an authenticator app, if your login is suspicious, OzB will send you an email with a link that you click on to complete the login.

      • Those bots don't brute force one specific account (for which we also have throttling implemented). They are basically trying thousands of accounts/passwords from various IP addresses — they just want one aged account, any one would do, to post spam or to engage in fraud in the classifieds or private messages.
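To make the difference between the two attack shapes in this sub-thread concrete (a per-account brute force, which the proposed 3-strikes lockout handles, and a credential-stuffing spray, which it never sees), here is an added example, not OzBargain's code and not posted by anyone in the thread. It replays constructed login-log lines through the commenter's "3 failures, then lock for 1 hour" rule and through a cross-account detector that counts distinct usernames per source IP. The log lines, the 3-usernames-per-IP threshold and the IP addresses are all assumptions made for the illustration.

```python
"""Per-username lockout vs. a credential-stuffing spray, replayed over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_FAILURES = 3                 # the thread's proposal: 3 failed tries ...
LOCKOUT_WINDOW = timedelta(hours=1)  # ... then refuse logins for an hour
SPRAY_USERS_PER_IP = 3               # assumed threshold: distinct usernames one IP may try per window

# Constructed sample log (not real site data). Fields: timestamp user ip result
# alice is a single account being brute-forced; 198.51.100.x is a stuffing run that
# tries each leaked (user, password) pair once and moves on to the next account.
SAMPLE_LOG = """\
2023-04-03T10:00:00 alice 203.0.113.10 FAIL
2023-04-03T10:00:05 alice 203.0.113.10 FAIL
2023-04-03T10:00:09 alice 203.0.113.10 FAIL
2023-04-03T10:00:12 alice 203.0.113.10 OK
2023-04-03T10:01:00 bob 198.51.100.7 OK
2023-04-03T10:01:02 carol 198.51.100.8 OK
2023-04-03T10:01:04 dave 198.51.100.9 FAIL
2023-04-03T10:01:06 erin 198.51.100.7 OK
2023-04-03T10:01:08 frank 198.51.100.8 OK
2023-04-03T10:01:10 grace 198.51.100.9 OK
2023-04-03T10:01:12 heidi 198.51.100.7 FAIL
2023-04-03T10:01:14 ivan 198.51.100.8 OK
2023-04-03T10:01:16 judy 198.51.100.9 OK
2023-04-03T10:30:00 mallory 192.0.2.55 OK
"""


def parse_log(text):
    """Turn the space-separated lines into dicts; 'ok' is True when the password was correct."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "ok": result == "OK"})
    return events


def apply_user_lockout(events):
    """Replay events through a per-username lockout.

    Returns one outcome per event: 'OK', 'FAIL', or 'BLOCKED' (refused because the
    account is locked, regardless of whether the password was right).
    """
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside the window
    locked_until = {}
    outcomes = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if user in locked_until and ts < locked_until[user]:
            outcomes.append("BLOCKED")
            continue
        fails = recent_failures[user]
        while fails and ts - fails[0] > LOCKOUT_WINDOW:
            fails.popleft()
        if ev["ok"]:
            outcomes.append("OK")
            continue
        fails.append(ts)
        outcomes.append("FAIL")
        if len(fails) >= LOCKOUT_FAILURES:
            locked_until[user] = ts + LOCKOUT_WINDOW
    return outcomes


def flag_spraying_ips(events, window=LOCKOUT_WINDOW, threshold=SPRAY_USERS_PER_IP):
    """Cross-account signal: an IP that tries `threshold` or more distinct usernames within `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= threshold:
                flagged.add(ip)
                break
    return flagged


def accounts_taken_by_stuffing(events, flagged_ips):
    """Accounts where a flagged IP got the password right: the 'aged accounts' the bots wanted."""
    return {ev["user"] for ev in events if ev["ok"] and ev["ip"] in flagged_ips}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev, outcome in zip(events, apply_user_lockout(events)):
        print(ev["ts"].time(), ev["user"], ev["ip"], outcome)
    spray_ips = flag_spraying_ips(events)
    print("spraying IPs:", sorted(spray_ips))
    print("accounts compromised by stuffing:", sorted(accounts_taken_by_stuffing(events, spray_ips)))
```

Replaying the sample shows both points made above: the lockout fires only on alice, and its fourth attempt (the correct password) is refused, which is the "cheesed off" case; the nine stuffing attempts each hit a different username, so no account ever reaches three failures and seven of them log in on the first try. The per-IP username counter catches this particular run only because each bot address was reused three times within the window; spread the same list over more addresses, one username per IP, and it goes quiet too, which is why the site falls back to "is this IP familiar for this account" and an email step rather than any counter alone.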

  • Merged from Error When Logging into OzBargain

    Why is it that when I log in connected to my WiFi, I get straight in. Then if I log in using mobile data I get the error that I need to click on the link sent to my email.

    Then I go into my email and click the link just to get this error, bloody annoying.

    ‘You have tried used a login confirmation link that does not match the user recorded in this browser. Please try opening the link from the e-mail in the browser that you originally logged in from.’

    Only have one account, with one username and email???

    • what does the Batcomputer say? lol

      • +1

        It’s all encrypted, can’t tell!

    • God trying to save you some money.
      Please say thank you.

    • Enabling 2FA might fix it so it doesn't do the email verification.

      https://www.ozbargain.com.au/node/686104

    • +1

      Yeah same here, I can't log in with one of my phones since yesterday.

      Browsing with the other phone that's still logged in and won't clear the cache, otherwise I'm totally out :D

    • I never log out so cannot help you.

    • Had this issue while away this weekend, using the hotel's wifi. Turned off wifi and used phone data; all good.

    • Hi,

      When you log in via WiFi, since you have previously logged in using that IP address, we assume that the IP is "safe" and no email 2FA is needed. However when you are on mobile it might be using the telco's CGNAT IP range, and we are using emails to ensure you are who you claim to be.

      An extra security measure is that the browser that you log in from must be the same browser session that you use to click on the link. That means, if you are using a private browser to log into OzBargain, and you are opening your email from within your email app, you'll need to (1) copy that link (2) open the link from the same private browser to log into OzBargain.

      • That's quite a clever extra measure!

        I think you need to change the language of the error message though, as I had no idea what it meant until reading this reply. And from the sounds of it, it made no sense to OP, either.

        • Yeah that makes more sense than the email received, will give it a go next time I’m out and about.
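The two rules described in the reply above (skip the email step when the IP has been seen for that account before; only honour the emailed link from the browser session that started the login) are easy to get subtly wrong, so here is an added example of how that flow fits together. It is not OzBargain's code and was not posted by anyone in the thread; the 15-minute link lifetime, the 90-day "known IP" window, the session-cookie names and the IP addresses are assumptions made for the illustration.

```python
"""Step-up email confirmation bound to the browser session that started the login."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(minutes=15)     # assumed lifetime of the emailed link
KNOWN_IP_TTL = timedelta(days=90)     # assumed value for the thread's "past x months"


def _token_digest(token):
    """Store only a hash of the token so a leaked table does not yield usable links."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class PendingLogin:
    user: str
    ip: str
    session_id: str      # cookie of the browser that submitted the password
    expires: datetime


class LoginService:
    def __init__(self, passwords):
        self.passwords = passwords   # user -> password (toy; a real site stores a password hash)
        self.known_ips = {}          # (user, ip) -> last successful login time
        self.pending = {}            # sha256(token) -> PendingLogin
        self.outbox = []             # "sent emails": (user, token)
        self.sessions = {}           # session_id -> user, once fully logged in

    def _finish(self, user, ip, session_id, now):
        self.known_ips[(user, ip)] = now
        self.sessions[session_id] = user

    def login(self, user, password, ip, session_id, now):
        if self.passwords.get(user) != password:
            return "bad_credentials"
        last_seen = self.known_ips.get((user, ip))
        if last_seen is not None and now - last_seen <= KNOWN_IP_TTL:
            self._finish(user, ip, session_id, now)   # familiar IP: no email step
            return "ok"
        token = secrets.token_urlsafe(32)
        self.pending[_token_digest(token)] = PendingLogin(user, ip, session_id, now + TOKEN_TTL)
        self.outbox.append((user, token))              # the link in the email carries this token
        return "email_sent"

    def confirm(self, token, session_id, now):
        """Called when the link is opened; session_id is the cookie of the browser opening it."""
        key = _token_digest(token)
        pending = self.pending.get(key)
        if pending is None or now > pending.expires:
            return "invalid_or_expired"
        if not hmac.compare_digest(pending.session_id, session_id):
            # Link opened in a different browser (e.g. the mail app's webview). The token
            # stays valid so the user can paste it into the browser that started the login.
            return "wrong_browser"
        del self.pending[key]                            # single use
        self._finish(pending.user, pending.ip, session_id, now)
        return "ok"


def demo(now=datetime(2023, 4, 3, 10, 0)):
    """Walk through the thread's scenario; returns the outcome of each step in order."""
    svc = LoginService({"op": "correct horse battery staple"})
    svc.known_ips[("op", "203.0.113.10")] = now - timedelta(days=1)   # home Wi-Fi, seen yesterday
    steps = [
        svc.login("op", "correct horse battery staple", "203.0.113.10", "sess-home", now),
        # mobile data: 100.64.0.0/10 is the CGNAT shared address space, never seen for this user
        svc.login("op", "correct horse battery staple", "100.64.0.7", "sess-private-tab", now),
    ]
    _, token = svc.outbox[-1]
    steps += [
        svc.confirm(token, "sess-mail-app", now),           # tapped inside the email app
        svc.confirm(token, "sess-private-tab", now),        # pasted into the original private tab
        svc.confirm(token, "sess-private-tab", now),        # replay of a used link
        svc.login("op", "correct horse battery staple", "100.64.0.7", "sess-later",
                  now + timedelta(hours=1)),                 # that IP is now known: no email
    ]
    return steps


if __name__ == "__main__":
    for label, result in zip(["home wifi", "mobile data", "confirm from mail app",
                              "confirm from private tab", "replay", "mobile again"], demo()):
        print(f"{label:26} -> {result}")
```

The session check is what produces the "does not match the user recorded in this browser" error the merged post ran into: the link is rejected when the mail app opens it in its own browser, but the token is deliberately left pending so pasting it into the original tab still works. The cost of that binding is exactly the usability complaint in this thread; the benefit is that a link which leaks (a forwarded email, a security scanner that pre-fetches URLs) cannot finish a login that a different browser started. Hashing the token at rest and making it single-use are standard extras, not something the reply above states the site does.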

  • -2

    2FA is so over-rated. Is there a script or workaround for this? I log in via different sessions for email and OzBargain. I may simply have to stop using OzBargain otherwise. Same goes for Hotmail/Yahoo/Gmail. If someone wants to hack your account they will. To me this is just more spam email. Why not just verify user accounts every 3 months or verify with SMS and delete the mobile number afterwards?

    If an account is compromised the user can just report it to get it back right?

    • The whole point is not verifying users' email addresses, however in order to log in with just username / password, we now require the email to be valid as well, assuming that your email account has not been compromised by other people.

      If someone wants to hack your account they will.

      It's not about someone hacking a specific account, but someone trying to hack any account.

      If an account is compromised the user can just report it to get it back right?

      Most of the time people aren't aware that their account has been compromised. From the accounts that got compromised earlier this year, we've banned all the accounts but only one got back to us.

      Anyway. We'll push out a change to allow users opting out from email 2FA. Please also note that you don't need to use email 2FA if you

      • Use a token based 2FA (turn it on from your settings -> security page)
      • Login using Google or Facebook (as we assume their services are secure)
      • Login using Google or Facebook

        Apple plz

  • Users can now opt-out of email-based 2FA confirmation under security settings. Note that the checkbox will only appear if app/token-based 2FA has not been enabled.

    • Confirm, can un-check "require email for unusual logins" and it works!

      Btw, this is more correct: "Note that the checkbox will only appear if app/token-based 2FA is not enabled."

    • Thanks ;) I don't suppose there is a page that shows your last few login times?

      • Sorry no there isn't one.

        If you suspect that your account has been accessed by someone else, feel free to reach out to us and we can have a look in the database.

        • Will do. Thanks
