quote:

Originally posted by parabellum:
I don't think it's a weak password issue.

Maybe weak passwords aren’t the whole problem, but I suspect that they’re part of the problem.

Member architect might be able to help.

quote:

Originally posted by Pipe Smoker:

quote:

Originally posted by parabellum:
I don't think it's a weak password issue.

Maybe weak passwords aren’t the whole problem, but I suspect that they’re part of the problem.

Member architect might be able to help.

Thank you for mentioning my handle (in a thread that is sure to be closely monitored by those seeking to profit from our carelessness)

I also doubt that "weak" passwords are the issue, although I have no way to know for sure. For a password to fall due to "weakness" it has to be vulnerable to a specific attack such as a dictionary attack or a permutation of the public portion of an authentication credential (e.g. user name). I very much doubt that many people are still using passwords that would fall to such tactics. The only weakness that long-held passwords have is that it gives the attacker more time to guess, not really a significant vulnerability. Frequent password changes introduce their own vulnerabilities as the change mechanisms themselves are potentially less "secure" than the actual authentication mechanisms as a result of getting less scrutiny.

More likely, there is some vulnerability in the forum software, or the underlying support software (e.g. the HTTP server) that allows miscreants to fabricate a submission that spoofs the username by compromising the authentication mechanism. These forms of attack have been rampant since web browsing began.

The only real security available in digital communications is based on the use of strong encryption which has not been accepted by enough Internet users to gain traction. For example, it would be possible to require all postings in Classifieds, or wherever to be digitally signed by the poster. However, this would require that the forum install and enable appropriate software, and that anyone doing business in the Classifieds do likewise. It also would require that everyone zealously protect their private keys, and that the association between an identity and its public key be established and maintained in a non-spoofable way. Remember, these are the same folks who cannot remember not to post their e-mail addresses in a public forum.

Bottom line, this stuff is not that complicated, and it is well-understood in the security community. But it requires a level of rigor in practice that most people are not willing to exercise.

quote:

Originally posted by P220 Smudge:
Whatever other measures you take, I've been thinking it may not be a bad idea to start requiring timestamp pictures. Basically, a hand-written note with the forum member's handle and the date in a picture with the item. The issues with the passwords being hacked aside, this alone could help a lot. It's one thing to hack a forum, to hack passwords, but it's a lot more effort and skill required to photoshop handwriting worth a shit. This has massively cut down on scammer activity in a few other places I have done online business.

With AI it takes a couple seconds to edit that note etc to make it say whatever you want and it looks 100% legit. I was burned by it on FB marketplace - established account (500 'friends') over 100 seller reviews. Almost got me for $1400, but I used buyer protection - paying the difference and it saved me.

One of the best ways to determine if you're dealing w/ a scammer or not is to exchange phone numbers and have a conversation before sending nonrefundable money to a stranger. You could even do a video call over FB, Google Meet, Zoom, etc. This allows the seller to show the buyer in real time from different angles the item he's selling.

Most internet scammers I've encountered are overseas. None of them will do a video chat. The ones who will take calls do so reluctantly and use a throwaway number using VOIP. If the call sounds tinny like talking to someone using a walkie-talkie, it's VOIP. Anyone using VPN &/or VOIP is a no-go.

Since they're overseas, most of them aren't fluent in English and/or have heavy accents: Nigeria, Russia, Philippines, etc. An accent by itself isn't a disqualifier, but in combination w/ any other suspicious warning signs should shout to you, scammer! Many of them use translation software like Google Translate, which is another reason why they won't take calls.

SF is for firearm enthusiasts. Very, very few scammers are gun guys. Another reason why they are so reluctant to take calls is b/c they don't know how to answer questions about the guns & gun paraphernalia that they pretend to sell.

Ask a question that isn't covered in product literature, manuals, or someone else's ad or auction listing that they're reusing. Scammers are easily stumped, b/c again, they aren't gun guys, and they don't have the item in front of them.

If a scammer has hijacked the account of an established member who as a high post count (e.g., member since 2006 w/ 33,500+ posts), you could ask a few questions that any regular on here would know. For example:

Who [screen name/forum handle] owns & runs SF?
What is SF Karma?
What is 12131 known for on SF?
Who is Q?
Who is Dave T? What is his store known for on SF?

On a live call, scammers will squirm hard trying to avoid these types of questions. Granted, not everyone using the classifieds is a regular, in which case, you have to exercise caution & judgement if you want to deal w/ that person.

It’s also a good idea for members to check their Profile pages regularly for change in their email addresses, or for a new address that pops up when you never put one there in the first place. 100% proof right there that your account has been hacked. That’s stating the obvious, but if you don’t check, you wouldn’t know. That’s what happened with Black92LX recently and Sig2340 yesterday. They got in and changed the email addresses.

Then, there are members who haven’t posted in a long while suddenly pop up to sell in the Classifieds. Red flag should go up right away. Exactly what happened with BBMW’s hacked account yesterday. He hasn’t posted in over two years. That, and the cheaper-than-dirt price.

And their use of VPN to conduct business in the Classifieds caught para’s attention pronto.

Someone suggested an escrow service. I know there is at least one escrow service dedicated to transactions of firearms and ammunition, but I don't know if they accept transactions for parts, accessories and the like.

Just changed my password to a stronger length. I certainly don't want to be part of the problem.

And, it's closed! No more thieving scumbags.

Dang it

quote:

Originally posted by 12131:
And, it's closed! No more thieving scumbags.

Good!
And thanks to you and Para for watching out for us.

I've only bought one item from the Classifieds.
I just noticed that at 1:40 on a Thursday afternoon there are 150 members and only ten guests. Aren't there usually WAY more guests than that?

There were more guests. The forum has been closed to non-members for a minute now. Guests (which also includes members who are logged out) are not able to see past the login screen.

quote:

Originally posted by MacGyver:
There were more guests. The forum has been closed to non-members for a minute now. Guests (which also includes members who are logged out) are not able to see past the login screen.

Okay, I don't know what goes on. I just remember usually seeing way more Guests than members. Carry on.

Its sad to see the classifieds closed but I understand the need but it feels like the dirt bags are winning.

While I haven’t bought or sold in quite awhile it was fun times in the past buying, selling and trading with members.

Sadly for personal family reasons the need to sell was getting close. Was thinking of an option of local sales only might have been an option that would cut the scammers out of the picture.

For what it’s worth, I was one of those who logged in for the first time in many, many years to make a classifieds post. With GAFS getting shut down last week there’s fewer and fewer places to try to sell things. I war surprised my account still worked to be honest. But scammers gonna scam so understand the concerns as a whole. Probably even more so now with GAFS gone.

quote:

Originally posted by Schmelby:
Okay, I don't know what goes on. I just remember usually seeing way more Guests than members. Carry on.

I wasn’t trying to be rude. I was honestly just answering your question. You are correct that there used to generally be more guests online than members.

quote:

Originally posted by vt357:
With GAFS getting shut down last week there’s fewer and fewer places to try to sell things... Probably even more so now with GAFS gone.

I doubt most members here are familiar w/ GAFS. Gun Accessories For Sale was a popular forum on reddit that was shut down two weeks ago.

sorry to see it go.
there are a lot of people that will really miss it,
myself included.

hopefully we'll get it back sooner than later.

regards,
Bob

quote:

Originally posted by iron chef:
I doubt most members here are familiar w/ GAFS. Gun Accessories For Sale was a popular forum on reddit that was shut down two weeks ago.

There were definitely some good deals to be had there

quote:

Originally posted by Mustang-PaPa:
Its sad to see the classifieds closed but I understand the need but it feels like the dirt bags are winning.

Actually, it appears that all recent attempts were intercepted, to the point of frustrating this insect to reveal himself this morning.

I want you guys to take heart. Classifieds will return.

If anything discouraged me, it was the initially flat response to this thread. In years past our little marketplace was far busier, but that's when discussion forums such as this one were in vogue. Plus, the average age of forum members was lower then, but now we have members who are older and have for the most part completed their collections.

It seemed- after I started this thread- that it didn't really matter much if Classifieds remained or not. After a bit of reflection, though, I think it should remain, and it shall.

Take heart, have faith. We'll need to make some changes to how we do things, but I assure you that we shall reach a point before too long where members will once again feel comfortable engaging in commerce here. Your account will be secure with minimal care on your part, and with that care, hacked accounts will become a thing of the past.

This little island of sanity of ours shall remain in existence as long as two things keep happening: you guys keep wanting it to be here, and I keep breathing.