Two-step verification (2FA) now required on all accounts (3 Viewers)

I work in I.T. for a financial institution and I appreciate that there might be a few less people to scam me. I have no common sense with 'too good to be true' chip deals. ;)
 
I hope so. Given the number of people that go after a popular item, though, they may just pass over you and go to the next buyer in the queue who is less demanding and/or more trusting. The buyer has to assume that they may lose out on the item if they make that request, and be willing to accept that. It's the price of diligence.
https://www.pokerchipforum.com/threads/fraud-and-the-dibs-system.83834/

... Nope, that's what dibs-based sales are for. If I post a dibs and I ask for a follow-up picture to authenticate the seller and they refuse and skip over me, then they are getting publicly outted.

Sellers have a right to sell to who they want (asshat clause, etc), but when they post a classifieds ad that doesn't have restrictions, then they are committing to respecting reasonable authentication requests.
 
https://www.pokerchipforum.com/threads/fraud-and-the-dibs-system.83834/

... Nope, that's what dibs-based sales are for. If I post a dibs and I ask for a follow-up picture to authenticate the seller and they refuse and skip over me, then they are getting publicly outted.

Sellers have a right to sell to who they want (asshat clause, etc), but when they post a classifieds ad that doesn't have restrictions, then they are committing to respecting reasonable authentication requests.
If the seller states that the sale is a dibs sale, I agree. If they post an ad without restrictions (including mentioning of dibs., as it restricts the seller), I believe that the seller remains free to sell to whomever they choose. Dibs means nothing in that case. Hence the risk.

I agree with reasonable authentication requests should be expected by the seller, but I also do not believe that anyone has to honour "dibs" if they do not explicitly state that the sale is a dibs sale in the ad.
 
I highly recommend that members use a 2FA app on their phone vs email just because there can be issues with getting the code via email. The codes via a 2FA app are instantly on your phone and refresh every 30 seconds.

2021-12-30_11-57-45.jpg


2021-12-30_11-59-49.jpg


Microsoft Authenticator
Android:
https://play.google.com/store/apps/details?id=com.azure.authenticator
iPhone: https://apps.apple.com/us/app/microsoft-authenticator/id983156458

Authy Authenticator
Android:
https://play.google.com/store/apps/details?id=com.authy.authy
iPhone: https://apps.apple.com/us/app/twilio-authy/id494168017

Google Authenticator
Android:
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
iPhone: https://apps.apple.com/us/app/google-authenticator/id388497605
 
I highly recommend that members use a 2FA app on their phone vs email just because there can be issues with getting the code via email. The codes via a 2FA app are instantly on your phone and refresh every 30 seconds.

View attachment 837783

View attachment 837784

Microsoft Authenticator
Android:
https://play.google.com/store/apps/details?id=com.azure.authenticator
iPhone: https://apps.apple.com/us/app/microsoft-authenticator/id983156458

Authy Authenticator
Android:
https://play.google.com/store/apps/details?id=com.authy.authy
iPhone: https://apps.apple.com/us/app/twilio-authy/id494168017

Google Authenticator
Android:
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
iPhone: https://apps.apple.com/us/app/google-authenticator/id388497605
I've used all three of these apps, and I currently use MS Authenticator for multiple accounts.

All of them are very easy to set up and very easy to use. If you aren't using one yet, invest a few minutes today and do it.

do-it-what-are-you-waiting-for.gif
 
And set it up on your coinbase accounts while you’re at it too!
 
I've had no problem with email code. Check your junk/spam folders. Also check if your email is typed correctly in here.

In addition to being more vigilant, people may want to consider changing their password, certainly if its the same as a password for something important, like email or PayPal.

When linkedin was hacked, two of the most common passwords among users were linkedin and abcd1234.

It is also ok to wait a 24 hours or so and not send payment immediately for deal of a lifetime. Community has been doing a good job catching things. But its all disposable income and so it goes.
 
Good way to get rid of the users who lurk 2-3 times a month like me ... I obviously managed to get through but only because I got lucky on my second guess at my password (and I don't even remember what I typed in even though it was only about 5 minutes ago). If I had to reset my password and then get a 2FA email and come back to the site to enter it, I'm probably going to move on and surf elsewhere. But I don't really spend much money here and don't contribute a ton, so it's not much of a loss for the site. Those of you who do contribute a lot are more likely to jump through all these extra hoops. But hey, I'm good for 30 days, so you might see me around every week or two through the end of the month.
 
Good way to get rid of the users who lurk 2-3 times a month like me ... I obviously managed to get through but only because I got lucky on my second guess at my password (and I don't even remember what I typed in even though it was only about 5 minutes ago). If I had to reset my password and then get a 2FA email and come back to the site to enter it, I'm probably going to move on and surf elsewhere. But I don't really spend much money here and don't contribute a ton, so it's not much of a loss for the site. Those of you who do contribute a lot are more likely to jump through all these extra hoops. But hey, I'm good for 30 days, so you might see me around every week or two through the end of the month.
aaa.gif

;)
 
2FA also tracks your location by your IMEI number on your phone. No amount of a VPN will allow you to be anonymous when you 2FA. What is PCF response as it pertains to tracking information and how all of that information gets disseminated?
 
2FA also tracks your location by your IMEI number on your phone. No amount of a VPN will allow you to be anonymous when you 2FA. What is PCF response as it pertains to tracking information and how all of that information gets disseminated?
I suppose that depends on what 2FA app or device you're using. The Google Authenticator app just uses a synced clock algorithm to generate a 6 digit code at the site and in the app. I'm not aware of it doing any location tracking.
 
2FA also tracks your location by your IMEI number on your phone. No amount of a VPN will allow you to be anonymous when you 2FA. What is PCF response as it pertains to tracking information and how all of that information gets disseminated?
Source?

My understanding is that all these 2FA apps just use a key pair and time-based SHA1 hashes to do authentication. I don't think IMEI has anything to do with it.
 
I suppose that depends on what 2FA app or device you're using. The Google Authenticator app just uses a synced clock algorithm to generate a 6 digit code at the site and in the app. I'm not aware of it doing any location tracking.
Almost all 2FA "require a phone number" for creating accounts including Authy. Currently i did 2FA through email which cannot as easily identify the person. Basically with 2FA your phone number IMEI is being recorded with each 2FA activation and easily track the person and where and when they were "authenticated". You are correct then that the app is responsible for that recorded info, but PCF should make that information that your Identity is/or could be recorded through 2FA since this has been the chosen method for verification on this forum, and update their terms of service when joining the forum.

It should be obvious that on a google android phone google apps are always authorized to access the imei and all other identifiers and obviously the same
applies to apple on their phones. Till now the tracking of ip addresses... phone numbers and locations can reveal a real identity but it is not 100 percent guarantee. They can assign a probability that an ip address that's been seen before is you or your family but with people now using vpns this is not guaranteed. Same with locations if people turn off location permissions on their devices then they can no longer get a high probability of accuracy with these tracking identities this prevents them from doing cross device tracking or tracking what you do over several devices. You can see this being pushed by google as now the only acceptable 2fa to them is your mobile phone so if you have two computers a tablet and a mobile phone they want all the devices to have 2fa using the mobile phone only.

Blah blah blah. Discussing all this here would hijack this thread i just wanted to let the forum Admin know the issues and they should update terms of service to let the users here know.
 
Last edited:
Almost all 2FA "require a phone number" for creating accounts including Authy. Currently i did 2FA through email which cannot as easily identify the person. Basically with 2FA your phone number IMEI is being recorded with each 2FA activation and easily track the person and where and when they were "authenticated". You are correct then that the app is responsible for that recorded info, but PCF should make that information that your Identity is/or could be recorded through 2FA since this has been the chosen method for verification on this forum, and update their terms of service when joining the forum.

It should be obvious that on a google android phone google apps are always authorized to access the imei and all other identifiers and obviously the same
applies to apple on their phones. Till now the tracking of ip addresses... phone numbers and locations can reveal a real identity but it is not 100 percent guarantee. They can assign a probability that an ip address that's been seen before is you or your family but with people now using vpns this is not guaranteed. Same with locations if people turn off location permissions on their devices then they can no longer get a high probability of accuracy with these tracking identities this prevents them from doing cross device tracking or tracking what you do over several devices. You can see this being pushed by google as now the only acceptable 2fa to them is your mobile phone so if you have two computers a tablet and a mobile phone they want all the devices to have 2fa using the mobile phone only.

Blah blah blah. Discussing all this here would hijack this thread i just wanted to let the forum Admin know the issues and they should update terms of service to let the users here know.
1Password (no subscription, no password) + iOS. Better than a kick to the groin.
 
Almost all 2FA "require a phone number" for creating accounts including Authy. Currently i did 2FA through email which cannot as easily identify the person. Basically with 2FA your phone number IMEI is being recorded with each 2FA activation and easily track the person and where and when they were "authenticated". You are correct then that the app is responsible for that recorded info, but PCF should make that information that your Identity is/or could be recorded through 2FA since this has been the chosen method for verification on this forum, and update their terms of service when joining the forum.

It should be obvious that on a google android phone google apps are always authorized to access the imei and all other identifiers and obviously the same
applies to apple on their phones. Till now the tracking of ip addresses... phone numbers and locations can reveal a real identity but it is not 100 percent guarantee. They can assign a probability that an ip address that's been seen before is you or your family but with people now using vpns this is not guaranteed. Same with locations if people turn off location permissions on their devices then they can no longer get a high probability of accuracy with these tracking identities this prevents them from doing cross device tracking or tracking what you do over several devices. You can see this being pushed by google as now the only acceptable 2fa to them is your mobile phone so if you have two computers a tablet and a mobile phone they want all the devices to have 2fa using the mobile phone only.

Blah blah blah. Discussing all this here would hijack this thread i just wanted to let the forum Admin know the issues and they should update terms of service to let the users here know.
The info in this post is largely false and/or outdated.

Android:
1) Modern versions of Android (10+) do not allow apps to access the IMEI, with the very limited exception of platform apps and specific carrier apps.
2) Older versions of Android only allow apps to access the IMEI if they have the "phone state" permission.
3) None of the 2FA apps mentioned here request the phone state permission, so they literally cannot get the IMEI from the phone.

iOS:
1) App Store applications cannot access the IMEI in any way short of requesting the user to type it in manually.

It is a good general practice, especially if you are running a phone with an older OS, to remove apps that you don't use and to only grant phone state permission to trusted apps that have a reason to need it. But you don't need to worry about 2FA apps "tracking you through IMEI" and PCF certainly does not need to change their TOS.
 
The info in this post is largely false and/or outdated.

Android:
1) Modern versions of Android (10+) do not allow apps to access the IMEI, with the very limited exception of platform apps and specific carrier apps.
2) Older versions of Android only allow apps to access the IMEI if they have the "phone state" permission.
3) None of the 2FA apps mentioned here request the phone state permission, so they literally cannot get the IMEI from the phone.

iOS:
1) App Store applications cannot access the IMEI in any way short of requesting the user to type it in manually.

It is a good general practice, especially if you are running a phone with an older OS, to remove apps that you don't use and to only grant phone state permission to trusted apps that have a reason to need it. But you don't need to worry about 2FA apps "tracking you through IMEI" and PCF certainly does not need to change their TOS.
I dont think that's correct even with Android 10+. If you can setup a 2FA without a Phone Number, then you would be correct. I will double check your points, but i'm pretty sure that even with Authy (which was suggested) you cannot setup an account to use it without a Phone Number and you have to verify your phone number, usually through a PUSH notification which is using a "platform app" or system app to generate the push - which you clearly specify as one of the "very limited exception" android will allow access to the IMEI.

I will confirm that you might be right on this or i might be wrong.
 
Last edited:
i can't imagine why they'd be related, but has anyone else noticed that PCF has been very slow lately? Posts and pictures are very slow loading for example. It seems to have started around the same time as the move to 2FA, at least for me.
 
I dont think that's correct even with Android 10+. If you can setup a 2FA without a Phone Number, then you would be correct. I will double check your points, but i'm pretty sure that even with Authy (which was suggested) you cannot setup an account to use it without a Phone Number and you have to verify your phone number, usually through a PUSH notification which is using a "platform app" or system app to generate the push - which you clearly specify as one of the "very limited exception" android will allow access to the IMEI.

I will confirm that you might be right on this or i might be wrong.
I don't recall if I had to give my phone number to set up MS Authenticator, but I probably did. But IMEI is not a phone number. It's a non-modifiable hardware identifier tied to a specific device.

And I don't see how a notification could give an app access to the IMEI if the app doesn't already have that permission. Notifications simply don't work this way.

https://developer.android.com/guide/topics/ui/notifiers/notifications
 
Your basically talking about Open Source Android platform, not the GAPS Google System that is installed on top of that. The point of the IMEI is its a unique identifier that is able to track a specific individual with which a phone number is associated to. Once you use your Google Account (which requires a phone number 99% of the time, you can jump through hoops to not) it can additionally be used to identify an individual with a fixed hardware id on the phone. So when you triangulate all that data.... well whatever. Here are some flow charts in some of the digital whitepapers detailing this.

1641359802246.png
1641359870509.png

Point was this is something our PCF should update their TOS when joining this forum, since they are requiring 2FA and at least telling a member that by using 2FA it could allow digital tracking and tracing regardless of using a VPN. When you "Authenticate" yourself, your basically overriding any measures you may have put in place to anonymize your digital footprint, and basically your telling Apple and Google you are who you say are at 12:29 EST i was 100% here and it was not someone else who hacked into my account and posted something or purchased something etc. No ones going to believe you if your 14 year old did something, they will point definitively to your IMEI and say you had to have done it its your phone that authenticated you. (now whether you were taking serious security measures in your own house is a different matter, and its not PCF job to police that)

I understand the uses for 2FA I just think that it should be made aware to people who have joined or are joining. Its not as simple as just email verification code.
 
Last edited:
I think we're just going to have to agree to disagree. We've already derailed this thread enough.

I do not believe that 2FA apps use IMEI directly, and I do not believe they are doing any kind of special, super-secret tracking that fifty other apps on your phone are not already doing.
 
There are many 2FA implementations out there, and surely some of them might actually tie to the hardware of the device you use.
The 2FA algorithm used here on this site does not.
It's called TOTP (Time-based One Time Password) and the input data to generate the current code is nothing but:

A) the secret key, which is included in that QR code you are supposed to scan but also is shown in plain text below it
B) the current time

There is no tracking possible on what device you generated a code.

If an authenticator app that you want to use for 2FA on here requests any more info from you or to sign into something or other BS, I recommend you to dump it and use a different one. The app doesn't need anything but the secret key in order to be able to generate codes for you.

I personally use FreeOTP, which is developed by a large company called Red Hat, but still open source. You can get it for Android and iOS. This app definitely does not ask any more info from you than it actually needs to work.
 
Last edited:
There are many 2FA implementations out there, and surely some of them might actually tie to the hardware of the device you use.
The 2FA algorithm used here on this site does not.
It's called TOTP (Time-based One Time Password) and the input data to generate the current code is nothing but:

A) the secret key, which is included in that QR code you are supposed to scan but also is shown in plain text below it
B) the current time

There is no tracking possible on what device you generated a code.

If an authenticator app that you want to use for 2FA on here requests any more info from you or to sign into something or other BS, I recommend you to dump it and use a different one. The app doesn't need anything but the secret key in order to be able to generate codes for you.

I personally use FreeOTP, which is developed by a large company called Red Hat, but still open source. You can get it for Android and iOS. This app definitely does not ask any more info from you than it actually needs to work.
FreeOTP adds a second layer of security for your online accounts identity, a QR-code which would be scanned by user’s mobile device can be used and weakness of traditional password based system can be improved by one time password (OTP) which can be calculated by user transaction information and data unique at user side like IMEI number of the user mobile device.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account and join our community. It's easy!

Log in

Already have an account? Log in here.

Back
Top Bottom