Upcoming Change - Make Sure Your Email Address Is Valid, as Email-Based 2 Factor Authentication Will Be Enforced

Make sure your email address here on ChoiceCheapies is valid and you are able to receive emails, as we will enforce email-based 2 factor authentication on all accounts that do not have 2FA turned on.

Here is the original post on OzBargain. While the hacking attempts have not been extended to ChoiceCheapies, we will be implementing the same security measure later this month to protect accounts of our community members.


Over the last couple of weeks we have noticed an increasing number of OzBargain accounts being "hacked" by bots brute forcing username/password pairs (leaked from other compromised sites). Here is an example of their operation:

  1. Bots try to compromise OzBargain accounts by testing username/password pairs from VPN / random IP addresses
  2. Once an account has been compromised, someone takes over the account from an Australian VPN
  3. The spammer then uses that compromised account to post spam

These can be difficult to detect and block (as their breaching method keeps changing) until the spam has been posted.
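The pattern above (one account probed from many addresses, then a success from yet another address) is exactly what per-IP counters miss. The following is an added illustration of how a defender can flag it from login logs; it is not OzBargain's or ChoiceCheapies' tooling, and the log format, sample lines and thresholds are constructed assumptions for the example.

```python
"""Spotting the credential-stuffing pattern described in the post:
an account hit by failed logins from many different IPs, then a
success from an IP never seen in that burst.
Added illustration, not OzBargain's or ChoiceCheapies' code; the
"timestamp user ip result" log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: timestamp user ip result).
SAMPLE_LOG = """\
2024-03-01T10:00:01 carol 203.0.113.5 FAIL
2024-03-01T10:00:07 carol 198.51.100.9 FAIL
2024-03-01T10:00:13 carol 192.0.2.77 FAIL
2024-03-01T10:00:20 carol 203.0.113.200 FAIL
2024-03-01T10:00:26 carol 198.51.100.42 FAIL
2024-03-01T10:00:31 carol 192.0.2.130 FAIL
2024-03-01T10:02:10 carol 203.0.113.250 OK
2024-03-01T10:01:00 dave 192.0.2.1 FAIL
2024-03-01T10:01:05 dave 192.0.2.1 FAIL
2024-03-01T10:01:12 dave 192.0.2.1 OK
"""


def parse(log):
    """Parse lines into (time, user, ip, result) tuples, ordered by time."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def find_stuffing(log, window=timedelta(minutes=10), min_fail=5, min_ips=3):
    """Return {user: sorted_ips} for accounts with at least min_fail failures
    from at least min_ips distinct IPs inside one sliding window.
    Counting per IP would not trigger here: each address tries only once."""
    fails = defaultdict(list)  # user -> [(time, ip)] within the window
    flagged = {}
    for t, user, ip, result in parse(log):
        if result != "FAIL":
            continue
        fails[user].append((t, ip))
        fails[user] = [(ft, fip) for ft, fip in fails[user] if t - ft <= window]
        ips = {fip for _, fip in fails[user]}
        if len(fails[user]) >= min_fail and len(ips) >= min_ips:
            flagged[user] = sorted(ips)
    return flagged


def find_takeovers(log, window=timedelta(minutes=10), min_fail=5):
    """Successful logins that follow a burst of failures and come from an IP
    absent from that burst: the 'someone takes over from a different VPN'
    step. Returns [(user, ip, iso_time)]."""
    fails = defaultdict(list)
    hits = []
    for t, user, ip, result in parse(log):
        recent = [(ft, fip) for ft, fip in fails[user] if t - ft <= window]
        fails[user] = recent
        if result == "FAIL":
            fails[user].append((t, ip))
        elif len(recent) >= min_fail and ip not in {fip for _, fip in recent}:
            hits.append((user, ip, t.isoformat()))
    return hits


if __name__ == "__main__":
    print("stuffing:", find_stuffing(SAMPLE_LOG))
    print("takeovers:", find_takeovers(SAMPLE_LOG))
```

The two checks only detect; they do not stop the login. That is the gap the announcement's email-based second factor is meant to close, since the spammer in step 2 arrives with a valid password.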

In order to reduce old accounts getting compromised, we will be enforcing email-based two factor authentication for all accounts that do not have token-based 2FA turned on in their account security settings. This change will be rolled out later this month or early April. Basically, after you have entered the correct username and password on the login form,

  • If your account has token-based two-factor authentication turned on, a 6-digit token will be requested
  • Otherwise, an email may be sent to the registered email address in your profile. You will need to click on the link in the email to successfully log in.

This should hopefully reduce accounts getting brute forced, provided that your email inbox is valid and secure. Note that this does not apply to login through Google or Facebook Sign-in, as we assume your accounts on those services are already secured.

If your email address is no longer valid, that means you will not be able to receive the 2FA email, which means you'll not be able to log into OzBargain.
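The login flow described above (password first, then a 6-digit token for enrolled accounts or an emailed single-use link for everyone else), as an added worked example. This is not OzBargain's or ChoiceCheapies' code: the in-memory user store, the 15-minute link lifetime, the PBKDF2 parameters and the demo secrets are all constructed assumptions, and the TOTP part follows RFC 6238 with the standard 30-second step.

```python
"""Step-up login as described in the announcement: verify the password, then
either require a 6-digit TOTP code (token-based 2FA enrolled) or issue a
single-use, time-limited email login link.
Added illustration, not the site's code; users, secrets and the link
lifetime below are constructed for the example."""
import hashlib
import hmac
import secrets
import struct
import time

SALT = b"constructed-demo-salt"          # assumption: one static salt for the demo store


def _pw_hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


# Constructed user store. totp_secret is None for accounts without token 2FA.
USERS = {
    "alice": {"pw": _pw_hash("correct horse"), "totp_secret": b"12345678901234567890",
              "email": "alice@example.invalid"},
    "bob":   {"pw": _pw_hash("hunter2"), "totp_secret": None,
              "email": "bob@example.invalid"},
}

EMAIL_LINK_TTL = 15 * 60      # assumed lifetime of an emailed login link, in seconds
_pending_links = {}           # token -> (username, expiry); single use


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: HOTP of floor(time / step)."""
    counter = struct.pack(">Q", int(at // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(username, password):
    user = USERS.get(username)
    if user is None:
        _pw_hash(password)   # same cost for unknown users: no timing hint
        return False
    return hmac.compare_digest(user["pw"], _pw_hash(password))


def start_login(username, password, now=None):
    """Returns ("denied", None), ("totp", None) when a 6-digit code is now
    required, or ("email", token) when a login link has been issued for the
    registered address (token returned here only so the flow runs offline)."""
    now = time.time() if now is None else now
    if not check_password(username, password):
        return ("denied", None)
    if USERS[username]["totp_secret"] is not None:
        return ("totp", None)
    token = secrets.token_urlsafe(32)
    _pending_links[token] = (username, now + EMAIL_LINK_TTL)
    return ("email", token)


def finish_totp(username, code, now=None, skew_steps=1):
    """Accept the current step and its neighbours to tolerate clock drift."""
    now = time.time() if now is None else now
    secret = USERS[username]["totp_secret"]
    for k in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, now + 30 * k), code):
            return True
    return False


def finish_email_link(token, now=None):
    """Consume a link token: returns the username once, before expiry, else None."""
    now = time.time() if now is None else now
    entry = _pending_links.pop(token, None)   # removed on first use, valid or not
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None


if __name__ == "__main__":
    print(start_login("alice", "correct horse"))   # ('totp', None)
    kind, tok = start_login("bob", "hunter2")
    print(kind, finish_email_link(tok))            # email bob
```

Two details matter for the announcement's caveat about inbox security: the link token is removed on its first presentation whether or not it is still valid, so a link cannot be replayed, and it expires on its own, so a stale message in a compromised mailbox is of limited use.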

Comments

  • +1

    Good idea. I've now turned on 2FA for my account.

    Scrimshaw had a good comment too.

    Suggested software / addons that you should be using to improve your security and to prevent yourself from becoming a victim to Credential stuffing

    Bitwarden. Open source password manager that helps to keep track of all your logins, and is a good way to make sure you're using unique passwords for every site. LastPass is a paid alternative and KeePass is a cloudless alternative that you must run locally on your machine.

    Google Authenticator, or Microsoft Authenticator to manage and create your 2FA's.

    My personal favourite though is Authy and it runs on either Android or iOS. It's much better than Google's.

    Use Have I Been Pwned and enrol yourself using the "Notify me" link at the top. What does it do? Have I Been Pwned scans various websites for mentions of your email that got leaked online (security breaches) and then it sends you an email letting you know the details of the security breach. What should you do? Change the password for the breached site and make sure no other sites you have logins to use that same password.

    Know something else better? Let us know in the comments below.

    • +1 for both Bitwarden and Authy. Joined Bitwarden during the great exodus from LastPass and have never looked back. The backup and multi-device features within Authy are what led me away from Google Authenticator. No longer do I have to worry about my phone dying and subsequently being locked out of all my 2FA enabled accounts. I still have the backup single use codes printed out and hidden away just in case!

      I would highly recommend to anyone reading this thread, if you haven't already, take the opportunity to get yourself set up with a vault like Bitwarden and a 2FA app like Authy. Once you set up the vault and get in the habit of adding all your accounts and changing all logins to individual secure passwords, your digital life will become a whole lot easier in no time.

      I have no idea what any of my passwords are and I don't need to - everything is autopopulated into apps and websites via the Bitwarden Firefox plugin and Android app (once I enter my master password or grant access via biometrics).

      • No matter what authenticator you are using, you should consider taking advantage of the backup codes that many websites provide (Google does, and so does CC). Record them somewhere secure (you have to decide for yourself what you regard as 'secure enough'). If you ever find yourself locked out due to not being able to access the authenticator, you can use them instead.

        Some people will regard this as 'destroying' the point of 2FA / MFA - you have turned something you have (your phone with the authenticator app installed and setup for whatever third party you want to authenticate to), for something you know (the backup codes).

        However, losing access to the app (if you have it on one phone only, and the phone dies or is lost for example) can prove a huge issue for some people, so you need to decide what is more important to you.

        The other thing to consider doing as well is to record the link (QR code for example) that is displayed when you first setup a site (such as CC) in your authenticator app. That way, if you need to, you can add the site to a new authenticator app down the track. This is NOT guaranteed to work, because some sites may expire the code after 24 hrs or some other period of time, but there is certainly no harm to having it as long as you can be sure to secure it from unauthorised access by anyone else (again, for whatever value of 'secure' you regard as being sufficient for you).

        Alan.

  • +1

    Need sticky

  • Sweet.
    I've now enabled 2FA as well.

  • I've turned on 2FA too, but if you use a (good) unique password, credential stuffing becomes irrelevant.

    Everyone has known this for twenty years.

  • +1

    surely brute force is easier to detect if you just limit login attempts?

    2FA is good but unless it's using an authenticator, email or text has been shown to be used for data collection or identification

    • Any 2FA is better than none from a security perspective.

      If you want, use a burner phone and / or a unique or hard-to-trace email address (not the crappy plus addresses from Gmail though).

      An authenticator is better, and more secure though.

      • Yea, I've changed it. I have plenty of burners so not a problem for me - just throwing it out there that 2FA does not necessarily = security, as Twitter proved recently

        • I completely disagree - 2FA / MFA is always better security than not having it, even if someone were to argue it is only marginal.

          I wonder if you are conflating two separate things - the concerns you are talking about, such as giving away an email address and / or phone number, are really privacy issues unless you are already giving one (or even both) of them to a site anyway, in which case, 2FA / MFA does not even add to any extant privacy issues.

          • @Alan6984: Not here to argue. Obviously 2 factors will increase security. If you're banking, 2FA is the least you should use. But having to use it on anonymous accounts defeats the purpose as it also increases data collection points, unless you use an authenticator as I previously stated. See the whole Twitter 2FA debacle.

            • @Didntknowya: I'm not sure what the 'Twitter Debacle' was - I gave up on social media around 2008 or so, but I believe you login to Twitter with your email address (or at least I believe you used to), so how does using 2FA via email add any data collection point - Twitter already has it anyway?

              An authenticator is better security as I advised above, but 2FA via email is better security than not using 2FA at all.

    • Basically what Alan6984 says.

      2FA is usually something you know plus something you have, and using password + token generator on a device you have with you (i.e. Google Authenticator or Authy) is obviously preferred and more secure. However, email as a 2nd factor is still more secure than having none, assuming the email inbox is secured.

      Please note that this upcoming change is not targeting people who already have 2FA enabled on their account, but the majority of users that don't. If you already have token-based 2FA enabled, we won't even send an email with the login link — and you are still free to use whatever email address you want. It's the users who picked bad passwords that we are trying to protect here.

  • Can you please do proper email login support? You email me a link, I open it on the device I check my email on to authorise it and I am logged in on that device, not the one that I was trying to login with.
