Re: Identifying modifications to an account's 2FA - New method for account trading?
Board: Meta
by BenCodie on 13/05/2025, 14:46:50 UTC
However, recently two-factor authentication (2FA/OTP) has been added, creating a new possibility for account traders, where account ownership can change by the new owner changing the OTP. The password and email can theoretically stay the same.
It may not play out like you imagine, and the reason is quite simple. Now, in order to make changes to your 2FA details for OTP generation, you need your password to apply changes, and as a result the account buyer wouldn't want to risk leaving the old password. Aside from that, even if he did, how sure would he be that the seller isn't still logged in?

The truth is account traders will still get a way around it; they could choose to change just the 2FA and later on change the email address so it looks like a regular change an active user would do.

With your valid points, I don't think there is a way that account traders can get away successfully with selling an account and the buyer not get caught in the act. It is simply ideal that any buyer of an account will immediately change the password of the account and subsequently the email address attached to the account; they can't risk buying an account without having full ownership of it. It may take a while for them to start posting on the account to avoid immediate suspicion in the pattern of posts, but those changes they've made will raise an alarm and such accounts will be put under surveillance.

Many things will change from the way the account usually operates in the forum. This will range from the pattern of posts (knowledge of the forum and crypto in general) and the time of posts to their grammar too. If the user was an active user of a local community, they may not post there again, because that's a good way to catch them, and they also won't try to go into another local board to post unless the buyer is not wise. Even with BPIP not able to detect OTP changes, account traders can still be caught.

I strongly disagree with the first point, as I have noted many accounts that are not tagged and show signs of being traded, and are definitely not caught in the act as of yet. I do agree with the second point, that there are ways to detect them and that they still can be caught - however without the OTP flag, this presents a new way to evade detection for long (in my opinion).

While not illegal, people should know when accounts change hands and it shouldn't go undetected.

They don't go undetected to people who know what to look for. Such things might include:

 - change in posting style
 - change in posting subjects & areas of posts
 - change in knowledge of Bitcoin / blockchain / cryptocurrency / etc.
 - change in local board language (that's a big one, lol)
 - change in time zone or general times of posts

Besides, people sometimes receive undue flak for changing their password or email address, and recording these changes in a resource like BPIP would just contribute to this problem of arousing unnecessary suspicion.

Sure, though you would only start to look if you had an initial flag to go off of. If account traders are using 2FA to trade accounts without triggering password/email changes (or delaying changing this information past the wake-up date or until a long period of time has passed), they might go undetected. My main point of adding the 2FA flag is that it would prompt those who are looking to go and do so/keep an eye on those accounts.

I've asked on several occasions if Vod has any way to be able to detect OTP changes, though so far there hasn't been any feedback.

If possible, theymos should grant the ability for bpip.org to detect changes to 2FA/OTP on an account, to eliminate this new possibility for account traders.


Even with 2FA granting users account access by the OTP settings/recommendation, it will still be very hard to have a significant program that can tell when an account is being handed over to a third party as a sold account, because even the rightful owner could decide to change their contact information to grip the OTP module.
Even when you get to track the account's IP, it is still unreliable for detecting when someone else is in charge of someone's account.
So, the only remedy to this is the need for KYC verification during account registration and when logging on from a different device, which I believe will be impossible because the bitcointalk platform is built on keeping members' real identities secured and unrevealed.
So, the only means to catch this is by having efficient techniques for identifying when a posting model has changed from the previous posts.
This should also apply in the case of hacked accounts, and not just target those dealing in sales of already-built accounts.

The point isn't that OTP changes will show surely that an account has been traded, but that it will allow watchdogs to identify more potential changes, and keep an eye on them thereafter.

KYC will never happen on the forum and nor should it.

However, recently two-factor authentication (2FA/OTP) has been added, creating a new possibility for account traders, where account ownership can change by the new owner changing the OTP. The password and email can theoretically stay the same.
This 2FA feature for accounts on the Bitcoin forum has a disadvantage that you did not know about.

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email.

However, if account sellers and buyers deal well, it's not a big problem for account sellers to give buyers all necessary information about sold accounts: the email address, email password, account information and password, as well as the 2FA activation code. So if they did everything well, they won't have to use the forgotten-password function and there is no need to remove 2FA.

I would consider it highly unlikely that any accounts being traded would be using a real email, to avoid triggering the change flag (if there is one). I also think that you misunderstood the post - it's not about account traders providing the 2FA code to the buyer, it's about simply changing the 2FA as a means of trading (password and email remain the same, though 2FA is changed).

However, if account sellers and buyers deal well, it's not a big problem for account sellers to give buyers all necessary information about sold accounts: the email address, email password, account information and password, as well as the 2FA activation code. So if they did everything well, they won't have to use the forgotten-password function and there is no need to remove 2FA.
The high chance of this being possible is if the deal (selling and buying of the account) was done physically and both parties know each other. But if it was not a one-on-one deal and was an online deal without both parties knowing each other, there would be a limit to how much they can trust each other, so I doubt that all information about the bought account will be completely handed over to the buyer. Even if the buyer gets all the information from the seller, they may fear that the seller can take the account back from them, and they would want to change the account information such as the password or the email.

Assuming it's a one-on-one deal and all account information was handed to the buyer, the buyer cannot have the same pattern of writing as the seller or the account owner; that's still a loophole through which it can be detected that the account has changed hands.

It wouldn't be possible for an account to be recovered if an invalid email is on the account, if the 2FA is changed, and the password isn't (with the exception of staked addresses, though even then there would be ways around that).

In a situation where the traders (or farmers) trust each other and may be of a similar locale, writing style might not change, and they may be able to trade the account without detection by simply changing the OTP.


It should be noted as well that it would be better to call these people "account farmers" than "account traders", as the main hypothetical group of people would be those who are farming accounts to take advantage of signature campaigns en masse, as well as other benefits that come with ranked accounts.