• QRZ.com Institutes Password Security, Seller Verification Programs

    From ARRL de WD1CKS@VERT/WLARB to QST on Thu Jun 13 00:01:19 2019
    06/12/2019

    In an effort to combat fraudsters and password phishers, the popular QRZ.com[1] Amateur Radio website is offering the option of establishing two-factor authentication (2FA) for its registered users. The site's founder and president, Fred Lloyd, AA7BQ, explains that 2FA secures a user's password on the site.

    "With 2FA, your actual password becomes nearly moot, and revealing it to a crook has no detrimental effect," Lloyd told ARRL. "With 2FA, you need the one-time code, and that's the only thing that will work. It's a solid technology that is rapidly gaining in popularity."

    Lloyd said that when a user logs into the site with 2FA, the validation for the session is stored in the user's browser as an encrypted cookie that can live for up to 30 days. "If your IP address changes or the browser is cleared, the cookie is invalidated," Lloyd said. "You will also have to sign in separately if you have multiple computers or if you use multiple browsers on the same machine." Lloyd said QRZ.com staffers have been using 2FA successfully for a couple of years now.
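
    The cookie behaviour Lloyd describes (a 30-day lifetime, invalid once the IP address changes) can be enforced server-side as in this added example, which is not QRZ.com's code. It assumes an HMAC-SHA256-signed token rather than an encrypted one, because Python's standard library has no authenticated cipher; the function names, the JSON layout and the sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_AGE = 30 * 24 * 3600  # "up to 30 days", per the article


def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_cookie(key, user, client_ip, now=None):
    """Mint the token a server would set after a successful 2FA login."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"u": user, "ip": client_ip, "iat": now},
                         sort_keys=True).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(_mac(key, payload)).decode())


def check_cookie(key, cookie, client_ip, now=None):
    """Return the user if the 2FA prompt may be skipped, else None."""
    now = int(time.time() if now is None else now)
    try:
        p64, m64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except (ValueError, AttributeError):
        return None  # missing or malformed cookie (e.g. browser was cleared)
    # Verify integrity before trusting any field; constant-time comparison.
    if not hmac.compare_digest(mac, _mac(key, payload)):
        return None
    claims = json.loads(payload)
    if claims["ip"] != client_ip:
        return None  # IP address changed: ask for a one-time code again
    if not 0 <= now - claims["iat"] <= MAX_AGE:
        return None  # older than 30 days, or issued "in the future"
    return claims["u"]
```

    Because the token is tied to one browser's cookie jar and one IP address, a second computer or a second browser holds no valid token and goes through the one-time-code step on its own.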

    A video has been posted[2] that demonstrates how to get started with 2FA without using a cell phone to receive codes.

    Although 2FA will not become a requirement in order to log onto QRZ.com, a separate seller verification system has been instituted for anyone marketing ham gear via the Swapmeet forum. As of July 1, only those enrolled in the Verified User program will be able to list in that forum. Users may opt out of the Verified User program for the rest of the site.

    "While verification is available to anyone on QRZ, it is required only in the Swapmeet section," Lloyd told ARRL. "Lately, there has been as many as a scam per day in the Swapmeet, and sometimes a popular radio model will be sold several times before it comes to our attention. One false listing can net any number of victims before it's discovered."

    Lloyd explained that these fake listings are being placed using the accounts of users who have been tricked into giving out their log-in passwords through elaborate phishing schemes. "There is virtually nothing that QRZ can do to prevent phishing attacks, as a great many users never even know that they've been hacked," Lloyd allowed. "Scammers find it relatively easy to trick the users into supplying their actual passwords."

    Setting up two-factor authentication is the first step to becoming a QRZ.com Verified User. Information on becoming a Verified User is available to those registered on the site via their Account[3] page, accessible from the QRZ main page. Once they've secured their accounts with 2FA, members will have to submit photographic identification to QRZ in order to complete the Verified User process. Lloyd said QRZ will also accept a Logbook of The World certificate in lieu of a photo ID.

    "A member can use 2FA without being verified, but a Verified member must use 2FA," Lloyd told ARRL. "If a verified member removes 2FA from their account, their Verified status is lost and must be reset."

    The QRZ site notes that, with the introduction of the new Verified Seller program, some Swapmeet rules crafted specifically to combat theft and embezzlement are being amended and updated. Among the changes, QRZ is proposing to drop the requirement to include a call sign in photos of gear for sale, but QRZ continues to recommend doing so. Photos generally will still be required for every listing, because, Lloyd said, "unless a photograph is well marked with a call sign, scammers could lift the photo from your ad and use it to entice a new victim on another website, using a different call sign."


    [1] http://www.qrz.com/
    [2] https://forums.qrz.com/index.php?threads/how-to-setup-two-factor-authentication-w-o-cell-phone.661624/
    [3] http://www.qrz.com/manager
