
QRZ Security Update: 2FA and Verified Users

Discussion in 'Amateur Radio News' started by AA7BQ, Jun 12, 2019.

  1. AA7BQ

    AA7BQ, QRZ Founder, QRZ HQ Staff

    In this thread, I'm going to talk about QRZ's implementation of Two Factor Authentication (2FA), who needs it, and how it's used. We'll also have a few words about our Verified User program as well.

    [Image: Authy_QRZ.jpg]

    Two-Factor Authentication (2FA)

    A lot has changed since QRZ went online in 1993. Back then, people still used floppy disks and few had CD-ROM capability on their machines. Smartphones were a distant and hopeful dream. Few people used virus protection software and Google hadn't been invented yet. A lot has changed since those times.

    Today, it's been said that a new unprotected computer will become infected on the internet within 15 minutes of coming out of the box. We don't know that for a fact, but it does seem plausible, especially if you simply click on anything that is presented to you. It happens every day. We're all familiar with viruses now, and we've all heard the stories about banks, hospitals, and other large organizations falling victim to hackers.

    Two Factor Authentication or 2FA is a means by which your login password is protected by a constantly changing one-time code. The codes are six digits long, like 012345. When 2FA is in use, you must have your regular password to log in, PLUS the current secret numeric code for your account. That's why it's called "two factor". Since only you have the one-time secret code, a crook cannot log in to your account, even if they have your password.

    The secret code is obtained using one of two methods. The best and recommended method is to install a program (called an Authenticator) on your computer or smartphone that will give you the correct code when you need it. There are a number of compatible programs to choose from. Some require a cell phone to set up while others do not. Many users report that the cell phone solution is best, especially when you seek to login from different locations. Windows users: search the web for "Windows 10 Authenticator". For cell phones, we really like the app known as Authy. There are several other apps/programs available.

    The second method for obtaining codes is via Text Messaging, also known as SMS. With text messaging, the code is sent directly to your phone as you log in. While the Text Messaging method generally works well, it is the second choice because the timing of their delivery isn't guaranteed. We've seen text messages to some phones take a couple of minutes to arrive. This won't work with 2FA because the secret code expires within 30 seconds of having been issued. So, if your phone service is well served by 4G or LTE service, then it may work satisfactorily for you. Again, there are no guarantees so we will continue to recommend the APP approach.

    Now here's something to think about: While QRZ does not require you to use 2FA (except for Verified users), you definitely should be using it. Some might even consider it your civic duty to do so. What? Civic Duty? How's that, you ask? Well, it's quite simple, actually. If your account gets compromised by a scammer, you may never know it and some other ham, somewhere in the world, will be scammed by a crook who pretends to be you. Your reputation will be trashed and some poor ham will have lost their money. So in effect, by failing to protect your password with 2FA, you're indirectly responsible for another ham getting ripped off.

    Many reading this are probably thinking "No crook is going to get my password", or, "My password is so difficult that no human could ever guess it". If that's your belief then you're wrong on both counts. Phishing scams are extraordinarily common and they can happen so fast that you don't realize what happened. A typical scam is one in which the user receives an email that appears to come from a trusted or well-known source. A link in the email suggests that the user should go to see something. Upon clicking the link, you are taken to a page that looks exactly like a QRZ login page. You input your password and suddenly you find yourself back on QRZ, but something isn't quite right. Even though you entered your username and password, QRZ indicates that you're NOT logged in. That's because the first page that asked for your password wasn't QRZ. The scammer now has your password. You probably don't even remember it happening. It does not help one bit if your password was super difficult, super complex, or a mile long; the scammer has it now and it might as well be "easy123".

    Verified Users

    We've been open about the fact that scammers do indeed troll the QRZ swapmeet. It is a serious problem and they show up here almost every day. Recently, the same radio was sold 4 times before the scam was uncovered, and in each case, the buyer lost ALL their money and had no recourse because they used the "free" Friends & Family payment feature of PayPal. The scammer logged in using a legitimate, established account and even altered the call sign page of the actual holder to reflect his scam email address. Note: the email address shown on QRZ call sign pages is NOT verified. We don't check these addresses whatsoever and so their utility as an informational cross-reference is minimal at best. The call sign page may or may not have an address matching the Sale listing, and a mismatch is NO indication of the deal being either good or bad. It just isn't useful for that.

    We're pretty sick of all these scammers and those of us at QRZ HQ are distraught every time someone gets cheated. We want it to stop even more than you do. Cynics will say that we're howling at the moon because the crooks will always be with us, and that's a true statement. That fact, however, does not dissuade us from declaring war on them and putting into place security measures that they will find intolerable. Security always comes at the cost of convenience and the Verified User program is no different. You have to demonstrate something unique about yourself to earn our approval. Presently, we accept two types of identity proof: a valid LoTW digital certificate, or, a government-issued photo ID. A QRZ HQ Staff member will review your submittal and approve your Verified status. Then, we discard the ID information for safety.

    Like 2FA, becoming a Verified QRZ user is optional, unless you wish to offer or sell gear in our online swapmeet. Starting July 1, 2019, the QRZ swapmeet will be read-only for all members other than those who have been Verified by QRZ. Only Verified members will be allowed to post gear for sale.

    2FA users don't have to be Verified, but Verified members must use 2FA. That's because, without 2FA, we have zero confidence that the person logging in with your credentials is you. That's the problem that 2FA solves, i.e., that the person presenting the login credentials is the same one that signed up for them. Therefore, once someone becomes Verified, that status depends upon 2FA and will be revoked if 2FA is removed from the account.

    Conclusion

    Should you use 2FA? Yes. Does it require extra work? Yes. Is it required? No, unless you want to be a seller in the swapmeet. When you use 2FA, you protect yourself and other people.

    Do I need to be Verified? No, unless you want to sell in the swapmeet. Many members elect to verify if for no other reason than to proudly show that they support the program.

    73, -fred AA7BQ
     
    Last edited by a moderator: Jun 12, 2019
    VA7UO, NN7W, W0BTU and 36 others like this.
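The six-digit codes that expire every 30 seconds described in the post above are the time-based one-time password scheme of RFC 6238 (TOTP), which Authy, Google Authenticator and similar apps implement. The following is an added example, not QRZ's code and not something the post itself supplies; it assumes QRZ's app-based 2FA is standard TOTP (HMAC-SHA1, 30-second step, six digits), which is what those apps produce. It shows the code generation an authenticator app performs, the server-side check with a small tolerance for clock drift, and why a text message that arrives two minutes late fails. The secret is the published RFC 6238 test secret, base32-encoded as an app would receive it from a QR code; the timestamps and delays are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # six-digit codes, as in the post

# RFC 6238 test secret "12345678901234567890", base32-encoded the way an
# authenticator app receives it. Demo value only; not a real QRZ secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the authenticator app computes and displays."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, int(at_time) // step)


def verify_totp(secret_b32: str, submitted: str, now: float,
                step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the current step plus skew_steps
    neighbours on each side to tolerate clock drift and typing time.
    Each comparison is constant-time."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    secret = base64.b32decode(secret_b32.upper())
    counter = int(now) // step
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


def delayed_code_accepted(delay_seconds: int, issued_at: float = 1111111109) -> bool:
    """Models an SMS code generated at issued_at and typed in delay_seconds
    later. With a 30-second step and +/-1 step tolerance the code survives
    only a few seconds of delay, not the couple of minutes some carriers
    take to deliver a text."""
    code = totp(DEMO_SECRET_B32, issued_at)
    return verify_totp(DEMO_SECRET_B32, code, issued_at + delay_seconds)


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(DEMO_SECRET_B32, now))
    print("10 s late accepted:", delayed_code_accepted(10))
    print("120 s late accepted:", delayed_code_accepted(120))
```

The `totp` values for the RFC 6238 test secret match the last six digits of the eight-digit vectors in the RFC, so the block can be checked against a published reference. The `skew_steps` window is the usual compromise: wide enough that a code typed just as the step rolls over still works, narrow enough that a code sent by a delayed text message, or replayed by someone who saw it, is useless within about a minute.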
  2. WM7X

    WM7X, Ham Member

    Great security Fred and happy to see more aggressive steps being taken for the security of all subscribers and users of QRZ. Thank you friend.
     
    W0BTU, KL7SRC, N3GY and 3 others like this.
  3. KF1P

    KF1P, Ham Member

    Thank You Fred and QRZ Staff for assisting on the War Against Criminals....
    When the "Verified" Program was placed in effect I immediately Jumped on the Bandwagon.
    When 2FA was put in place I jumped on that also.....
    BOTH of these are for MY Protection.....
    If you think your password cannot be "hacked" because you are using something ridiculous....
    Well that is NOT so....I know several people that work in Cyber-Security for HUGE Corporations.
    They say the Hackers know EVERY Scam and Back-Door....

    So if you do not understand What QRZ is doing for YOU then Re-Read Fred's Post...It is for US

    Again; Thank You Fred and QRZ Staff....Keep up the Great Work


    KF1P Bob
     
    KK5XX, EB1BSV, N3GY and 3 others like this.
  4. K9GLS

    K9GLS Guest

    "proudly show that they support the program"... or saddened to see how little security there is in this evil little world. Glass half full, glass half empty. I certainly wouldn't trust "an Authenticator app". I remember a day when a good password was all the authentication that was needed... I digress.
     
    KY1FF, NE5U and WN1MB like this.
  5. KB2FMH

    KB2FMH, Platinum Subscriber

    I just tried the "verified" process Fred, after setting the 2 step operation, and it does not see my LoTW .p12 file after I follow the instructions, which are very clear and easy, explicitly. I am using Windows 10 Pro and Chrome browser. What can it be?
     
    N3GY, NE5U and WQ4G like this.
  6. N0XOH

    N0XOH, Ham Member

    Great tip Fred! I took your advice and downloaded Authy on my phone. The app asks me to scan a QR code but I can't find one on QRZ, can you help?
     
  7. W7HTA

    W7HTA, Ham Member

    I'm verified and use the 2FA and I don't sell gear online or plan to. I want to protect my account and prevent fraudulent use of my call by scammers. Just seems like a good idea to me.
     
    N1GKE, EB1BSV, N3GY and 7 others like this.
  8. K0GOV

    K0GOV, Ham Member

    Absolutely agree with @W7HTA. I'm in the same boat.
     
    N1GKE, KL7SRC, EB1BSV and 2 others like this.
  9. K0DD

    K0DD, Premium Subscriber

    A human at zed has to review your Info. If all is cool, you'll be notified tomorrow. That's all it takes, I did it right after they started...
    Erika DD
     
    KF1P, N3GY and N4GST like this.
  10. N0XOH

    N0XOH, Ham Member

    Evidently, you don't need to use Authy. I signed up for 2FA and they did not require I use Authy. It allowed me to login and sent me a code via SMS, which I entered and it worked. Did I miss something here?
     
  11. K0GOV

    K0GOV, Ham Member

    That's all I did also, I think Authy is just for people that don't want to receive a code via SMS every once in a while to log in. I have unlimited texting so it's no big deal for me.
     
  12. K9GLS

    K9GLS Guest

    I did the same thing and my account shows 2FA is enabled but I don't have that pretty VERIFIED banner that other people have. I'm not secure until I have that banner! :D Oh wait, there is one more step. You have to verify through Logbook of the World OR, if you don't use that, attach a photo ID. Sorry, that's where you lose me. I'm not giving QRZ, who is obviously concerned about my security, a picture of my driver's license. If you Google "POC hack Authy" you'll see this company has been hacked back in 2014. Once they get into Authy then they control your phone and have all your data, not just QRZ stuff. I think I'll just wait for the dust to settle on this one. Amateur radio operators trying to play cyber-security engineers makes me nervous.
     
    Last edited by a moderator: Jun 12, 2019
    AG5CK, VK1MA, G3SEA and 2 others like this.
  13. WN1MB

    WN1MB, Ham Member

    You answered your own question. ;)
     
    N4GST, N9RBE and N3FAA like this.
  14. KB2FMH

    KB2FMH, Platinum Subscriber

    So is it the combination or one or the other? I can use IE or Firefox if that works but cannot change my OS.
     
  15. WN1MB

    WN1MB, Ham Member

    My quip was more tongue in cheek than anything else.

    Those of us who do not worship in the churches of Gates or Brin and Page view the use of a Microsoft OS, browser, or Google browser to be less than prudent. YMMV.

    Just for grins try Firefox and see if you have better luck. 73.
     
