Security Lock: User must contact Admin

Kirby

Well-known member
The recent wave of compromised accounts that are suspected to originate from compromised email accounts has brought up the question how to deal with them without potentially upsetting users that might return.

Right now there seem to be several options to handle compromised accounts:
  1. Ban the account
    Does stop spam activity, but might upset some human users
  2. Set security lock to "User must change password"
    Might work a bit, but as bots know the password they can easily change it
  3. Set security lock to "User must reset password"
    Pretty much the same as before, but requires a bit more processing for bots
  4. Set account state to "Awaiting email confirmation"
    Might also work to some extend but still leaves a breached password in place
  5. Set account state to "Rejected"
    Does stop spam activity but like 1) it might upset human users wo don't understand why the account is "Rejected" as the only message they get is "Your account was rejected"
  6. Set account state to "Disabled"
    Does stop spam activity but like 1) it might upset human users wo don't understand why the account is "Disabled" as the only message they get is "Your account has been disabled. If you would like to re-activate your account, please Contact us"
  7. Add the account to a usergroup that withdraws all permissions and display a notice (using notice criteria targeted for this usergoup) to show them a message that the account has been compromised and that they should contact the admin
Option 7) seems pretty appealing to me - but does require quite some setup.

So what I would like to suggest instead is to have a third security lock option: User must contact Admin.

If this option is selected, the user should be presented with a (per-user overridable) message telling them that the account has been administratively locked for security reasons and that the user should contact the admin.
 
Last edited:
Upvote 15
Agreed, stop the bots from abusing the system.
Hmm, how does "Stop the bots from abusing the system" (which still should be done of course) help those users who had their (email) accounts compromised?

They might not even know that this is the case, so this suggestion is about letting them know (in nice words) while putting a definitive lock on the account.

No automatic solution can guarantee a 100% stop of account abuse - unless it permanently sets the account to a state which can't be reset to active by user interaction (see drawbacks for various approaches for this in first post).
 
Last edited:
Upvoted. If you've been running a forum for 10+ years, you have a database full of users with compromised emails / passwords.

I've had to batch "User must reset password" to anyone who hasn't logged in for a year, which has helped, but hasn't solved the problem for reasons Kirby stated.
 
Be forewarned...there is NO means to target these users once you security lock their account....they can't even use the "contact us" form....


 
Why is this in the context of email accounts being compromised? Is that what is actually happening in the common case? How can we be certain that is the case?

Surely the more likely scenario is that email address and password combinations have been harvested from a data breach somewhere and bots are trying these in the hope that password reuse has happened.

It’s not impossible of course that users have reused their passwords across the board and the bots do have access to their email account too, but in my experience this is extremely unlikely.

In which case the most effective solution is security lock with reset, at least initially. If they come back then their email account has been compromised too, but I expect this to be a low proportion of users.

If that were to happen, one of the other solutions would need to be implemented but frankly there are, as demonstrated, plenty of ways to do handle that and this less likely scenario where a user has lost their email account doesn’t warrant further development IMO.
 
Why is this in the context of email accounts being compromised? Is that what is actually happening in the common case? How can we be certain that is the case?
At least in some cases we've seen forums being accessed through old URLs that would normally only be found in emails, eg. phBB / vBulletin account activation links.

This of course is no evidence that the email accounts have been compromised (as well), but at least to me this is a somewhat strong indicator.

If that were to happen, one of the other solutions would need to be implemented but frankly there are, as demonstrated, plenty of ways to do handle that and this less likely scenario where a user has lost their email account doesn’t warrant further development IMO.
Fair enough, it's just a suggestion that I think would be useful :)
 
  1. Set security lock to "User must change password"
    Might work a bit, but as bots know the password they can easily change it
  2. Set security lock to "User must reset password"
    Pretty much the same as before, but requires a bit more processing for bots
As Chris said the above should be fine unless an actual email account was also hijacked.

Ad a user I have been confronted with password resets. I’m OK with that but would be a bit annoyed about having to contact admin. And if you think about it, a human who took over the account plus email account could just as easily do that anyway. Or am I misunderstanding?

Having said that I can see a point in an option to force contact admin in order to continue.
 
One option: moderate inactive accounts, much like newly registered accounts might be moderated during their initial posts...

ie: a member hasn't logged in for 4 months, and gets placed into a "moderated" usergroup. When they log back in, any new post with a link or any post edit gets flagged for review. Add in Conversations too. Perhaps include the option for keyword flags, ie: Venmo, Paypal, etc.


I did a forced password reset on August 2 2021 for my ENTIRE member list. Somewhere around 31,000 members have successfully followed the automatic reset email and were "forced" to follow the stricter password requirements. Another 1500-2000ish had outdated emails on their account, and have contacted me to have those updated - I still get one or two of those requests a day. A bunch of those would email me their username, old email, new email, AND THEIR PASSWORD...I was shocked at how pathetic all of those passwords were...

It was a drastic and potentially forum-killing step to take, but proved successful.
 
My take on it is that having an automated way to deactivate accounts after a set period (one year? two years?) to force users to reset their passwords would be helpful.

It's possible some exploits might (and could, in the future) be trying to access email accounts but in this recent rash of spamming, I doubt spammers would bother. All they seem to do is a "hit and run" spam message--the spambot logs into the account if the email/password combination works, leaves the message, moves on. Why bother wasting time gaining access to one account when that time could be spent spamming dozens of others? It's like criminal behavior--pick the easy, low-hanging fruit.

And it seems they're attacking messaging platforms this time around--forums, WordPress installations (probably to add a spam post or comments), etc., anywhere they can leave their link to boost search engine rankings.

It's also an indication that they are using data from breaches a few years old, as they are hitting older accounts. And there are more chances that dormant accounts are targeted since currently active (yet older) accounts have likely had at least some updates in terms of email or password, or started using 2FA.

I don't want to say the spammers were clever to figure this out (it could be a lucky coincidence on their part), but they are using the age of the account in their favor. We have XenForo's spam checking set to 90 days, where we check for links in the post content. In this past, this has usually caught them. But using an established account well past that limit will let the spam right in.
 
And if you think about it, a human who took over the account plus email account could just as easily do that anyway. Or am I misunderstanding?
Yes, if the email account is compromised and this is the only thing that can be used to identify a user it would be impossible to tell if it is the acount holder or somebody else.

But there might be other data / communication channels that could be used (identities in profile, etc.), but if thea are also compromised ... it's turtles all the way down.

One option: moderate inactive accounts, much like newly registered accounts might be moderated during their initial posts...
Imposing restrictions on all accounts that have been inative for a longer time is overkill and most would have negative effects.

I'd much rather like to use a two step (automated) process only on accounts that do need action:
First anomaly detection -> Security lock: Must reset password
Second anomaly detection (eg. spam posted after password has been reset) -> Security lock: Must contact admin

And there are more chances that dormant accounts are targeted since currently active (yet older) accounts have likely had at least some updates in terms of email or password, or started using 2FA.
I somewhat fear that this is wishful thinking. How many of your (active) users do actually have 2FA setup?

Lets' face it - users are lazy and TOTP or E-Mail 2FA is too much hassle for the average user to setup and actually use for a forum account.
Things might change with easy to use 2FA options like using biometric identification (fingerprints, etc.) on smartphones though.
 
Last edited:
I somewhat fear that this is wishful thinking. How many of your (active) users do actually have 2FA setup?
Agreed. Email address changes are more likely, as some members change their home Internet providers every couple of years, and still don't trust the free email alternatives (our membership skews older). On top of it, most of the members don't understand 2FA. Many don't like it. Some are too lazy to care. Some are lazy and/or forgetful in terms of changing to a more secure password. After all, "it's just a forum." We did have a scare a couple of years ago, though, that had many in the forum change their passwords for something more secure.
 
I posted instructions on setting up and using 2FA a while ago and I swear that I am the only one using it. Maybe the other admins, too. Laziness trumps security unless you're in a corporate environment where you can enforce it.
 
I posted instructions on setting up and using 2FA a while ago and I swear that I am the only one using it. Maybe the other admins, too. Laziness trumps security unless you're in a corporate environment where you can enforce it.

I did the same, only half a dozen took it up. One member said he was leaving if I dared to make 2FA compulsory. :rolleyes: 😄
 
I posted instructions on setting up and using 2FA a while ago and I swear that I am the only one using it. Maybe the other admins, too. Laziness trumps security unless you're in a corporate environment where you can enforce it.
I made 2FA a requirement for staff on one busy forum, mainly due to access to the admin area and moderator tools. On another site, I'm also using Cloudflare to protect the admin and install areas (as I've had issues for many years over staff either forgetting an htaccess login or not understanding how it works, even after I've explained it multiple times) as I have it set up as another form of 2FA (if admin.php is accessed, Cloudflare asks for an email--which has to match an admin email on the forum--and sends an access code via email). So that is two steps of 2FA to get into the admin and install areas.
 
Cloudflare asks for an email--which has to match an admin email on the forum--and sends an access code via email). So that is two steps of 2FA to get into the admin and install areas.
I haven't looked recently.. but really... shouldn't they use 2FA or something like a YubiKey offering also? When I did look.. it was still an email function.
 
I haven't looked recently.. but really... shouldn't they use 2FA or something like a YubiKey offering also? When I did look.. it was still an email function.
I think it's because using authentication providers that are email based (you don't actually have to receive an email) is an easier way to define who can have access. For example you could require someone to use their Google Account to authenticate into the admin area, but they aren't actually receiving an email they need to check. The one time-pin option that emails you a pin is probably the least good option they have, but the others do require third-party accounts for secondary authentication.

That being said, I'm hoping they do add direct support for Passkeys/security keys at some point, but there are some technical complexities with that. Some things I can think of... you can't extract a public key (used for authentication) from a hardware key without going through the setup process on the hardware key itself. Additionally, that public key is bound to the hostname that it was setup on (you can't create public key credentials on your site and they pass them along to Cloudflare for authentication because the hostname would be different). So there would need to be some sort of on-boarding process where you send the user somewhere to register their security key for later authentication. The public key info that the security key generates has no useful info for determining who the user actually is (other than making a database that cross-references users to their keys). So Cloudflare would basically need to manage a database of users that correlates the security keys they use for Zero Trust Access authentication. All the while each end user would need to self-register their keys in order to use it. At that point it's probably just easier to require admins to use Passkeys/security keys to protect their account and then they are able to self-manage it.

So there are definitely some hurdles and added complexities, but nothing actually impossible. But from an "ease" standpoint, I can see why they rolled out authentication based on third-party accounts first. Some of the features that make security keys so powerful (like keys being bound to a specific hostname similar to how cookies work to prevent phishing attacks) also makes managing them for something like Zero Trust Access more cumbersome.

Yup, just had the same. Not going to post if he has to use 2fa
I'm working on a site that not only is 2FA required, but users uploading government issued IDs are required (the system parses the barcodes on them to extract the necessary info). But it's also not a forum. Dealing with situations where we need to be sure people are who they say they are as well and protect their accounts because users can withdraw real money as well.
 
Last edited:
Be forewarned...there is NO means to target these users once you security lock their account....they can't even use the "contact us" form....


How is it possible that if someone has the Security Lock: Password reset the forum software does not send them a notification or ask them to reset the password when they log in? Or am I incorrect in understanding how the feature works?
 
Top Bottom