However, recently two-factor authentication (2FA/OTP) has been added, creating a new possibility for account traders, where account ownership can change by the new owner changing the OTP. The password and email can theoretically stay the same.
It may not play out like you imagine, and the reason is quite simple. Now, in order to make changes to your 2FA details for OTP generation, you need your password to apply the changes, and as a result the account buyer wouldn't want to risk leaving the old password. Aside from that, even if he did, how sure would he be that the seller isn't still logged in?
That's a valid point, but they might not mind for the time being: if the seller gives the password to the new buyer and the buyer activates OTP on the account, even with the old password not yet changed (the same goes for the email), the new buyer can log the account out from one device, which will automatically log the old owner out, and they will be required to log in with password + OTP the next time they want to log in, which gives the new owner the upper hand.
AFAIK, changing the OTP resets the session and logs out other sessions, which means that once the OTP is changed, the old owner will not be able to log in.
The truth is account traders will still find a way around it: they could choose to change just the 2FA and later on change the email address so it looks like a regular change an active user would make.
Using the assumption that account traders will find a way to get around it as a reason to not log the account change is like a retail store saying that people will still steal even if there is a security guard at the front of the store, or that there is no point in adding security cameras because thieves will still try to steal anyway.
But on a serious note, an email change, a password change, and an account being woken up after a long period of inactivity are just the primary ways to suspect a sold account, and the first step. The other suspicious thing comes in when the new owner can no longer keep up with the posting style the old owner used. Those who interacted with the account before it changed hands will definitely notice that.
If the community wants to reduce account trading, logging 2FA/OTP changes will add details that will allow others to raise new red flags about potential account ownership changes. This information might not be direct proof of account trading, but it can raise a red flag that can then go on to analyzing changes in posting style/language and other information that can result in monitoring, which might eventually lead to proof (rather than it going undetected altogether).
I still don't know the criteria for recovering an account whose owner has lost access to the OTP code, but I believe it's the same old method of using the registered email address and a signed message. Now that's where the seller could play the buyer.
Sell the account to the buyer with the email and password, and then later claim that they don't have access to the OTP and have the recovery team help them get the account back.
Email address changes are also not displayed in the seclog, where the data about changes is scraped from. I don't know why, but if the Admin has all along been reluctant to display email address changes, then I doubt he will display OTP change info even on request.
In another case, the seller can also just decide to sell the email attached to the account along with it, to save the new buyer the stress and suspicion that changing it might cause in the future.
That same risk exists as things currently stand. It's not exactly a reason not to add the information.
I have seen "this user's email has changed recently" on people's profiles. That information isn't stored? I wasn't aware of that.