WTS Red Flags on BST

Kitchen Knife Forums

The accounts getting hacked is becoming a bigger issue.

Recently a member reached out offering a knife from one of KKF's favorite bladesmiths. The price made sense, and the seller even disclosed scratches and imperfections when he/she described the knife. The seller was willing to take PayPal G&S. I asked for additional pictures of the imperfections and I got one. So far everything looked right; however, something didn’t smell right.

I decided to do a quick search on the forum for pictures and, lo and behold, I found them in an old post from 2022. I asked the seller for additional pictures in case he had used the old ones for reference and of course didn’t hear back. I made the report to the mods and I think the user is banned now.

After paying using PayPal G&S, I am pretty sure the scammer was going to send me a cheap knife and hope that PayPal was going to side with him/her. The risk/reward ratio is pretty high.

Anyway, I thought about sharing this. Be careful out there.

TL;DR: be careful. Scammers are a**holes
Link to the FS post?
 
I'd be curious if there's a way with the forum software to enforce 2FA before granting any account privileges to post to the BST section or sending PMs.
 
If they've compromised the account, that's not likely to be effective.
Why not? They won't have access to the compromised member's email* to verify 2FA.

Alternatively, a mandatory password reset email for inactive accounts (no login for a certain time) or stale passwords (older than a certain age) would be a solution. I've experienced that on other sites – not sure whether it's possible with the forum software though.

* Unless that member's password hygiene was bad enough to have the same password for their email account too – in which case they have bigger problems to worry about...
 
It seems like a lot of the scams are also coming from random accounts targeting WTBs too, and DMs are largely a wild west. So not too much could be done there other than extra buyer precaution if someone has specifically reached out to you about a knife you want.
 
For WTBs, I would stipulate that a post first be made in the open thread before DMs will be entertained. Not much, but it might help.

I personally think all WTS threads should have a requirement to have an "I'll take it" type post in the open thread.
 
Why not? They won't have access to the compromised member's email to verify 2FA.

Alternatively, a mandatory password reset email for inactive accounts (no login for a certain time) or stale passwords (older than a certain age) would be a solution. I've experienced that on other sites – not sure whether it's possible with the forum software though.
Well, for starters, because once you are logged into the account, you can just...change the email address. The software sends the confirmation of change to the NEW email address, where you have to click on "yep, that's a valid email address", and only sends a notification that a change was made to the old email address.

Put another way, it's a validation that the new email address is deliverable and accessible to the person in control of the account, NOT that the email address belongs to anyone specific.

Further, if you didn't have 2FA enabled before the account was compromised, and the bad actor enables 2FA, they have complete control over that process, thus making it useless for a defense against compromise.

The only effective measure would be to require 2FA on all accounts all the time.
 
Ah, I thought there was validation in both instances to the existing email address.
 
Ah, I thought there was validation in both instances to the existing email address.
Nope. It's 100% useless as a security measure.

I also think that email based 2FA is deeply flawed in the context of account compromise. I suspect that email account compromise is a precursor to forum account compromise in a meaningful number of instances.

Requiring non-SMS, non-email 2FA (basically TOTP) would be a significant improvement in security, and would likely reduce the number of compromised accounts by a significant margin. But it would also likely engender a significant support burden.
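As an added illustration (not the forum software's own code) of the two points made in this thread, the "only the new address gets verified" email-change flow and the TOTP recommendation above, here is a simulated account with the weak flow beside a hardened one that demands a fresh TOTP code and sends the approval to the current address. The Account class, the example addresses and the RFC 6238 test key are constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

class Account:
    """Hypothetical forum account; outbox records (recipient, purpose) instead of sending mail."""
    def __init__(self, email, totp_secret=None):
        self.email, self.totp_secret = email, totp_secret
        self.pending = None      # (new_email, token) awaiting confirmation
        self.outbox = []

def weak_change_email(acct, new_email):
    """Flow described in the thread: a logged-in session is enough, only the NEW
    address is asked to confirm, and the old address merely gets a notice."""
    acct.pending = (new_email, secrets.token_hex(16))
    acct.outbox += [(new_email, "confirm-new"), (acct.email, "notice")]
    return acct.pending[1]

def hardened_change_email(acct, new_email, code, now):
    """Step-up flow: a fresh TOTP code is required, and the approval link goes to
    the CURRENT address, so a hijacked session alone cannot move the account."""
    if acct.totp_secret is None:
        return None                                  # no second factor enrolled: refuse
    if not hmac.compare_digest(code, totp(acct.totp_secret, now)):
        return None
    acct.pending = (new_email, secrets.token_hex(16))
    acct.outbox += [(acct.email, "approve-change")]  # owner's existing mailbox, not the new one
    return acct.pending[1]

def confirm(acct, token):
    """Final step shared by both flows: the holder of the emailed token completes the change."""
    if acct.pending and hmac.compare_digest(token, acct.pending[1]):
        acct.email, acct.pending = acct.pending[0], None
        return True
    return False
```

In the weak flow the token lands in the mailbox the attacker chose, so the session hijack alone is enough to take the account; in the hardened flow it lands in the real owner's mailbox, and the request never even starts without a valid code.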
 
There is an issue with this: it creates a first-message-gets-the-purchase environment, which is not the current standard. The buyer can choose who they sell to.

The buyer can retain that right. I state it right in my listing. You're not obligated to sell it to someone just because they were first in line any more than if they were the first to DM. It can, and I have elsewhere, seen it lead to some hurt feelings but it can also be transparent. Always going to be issues with online person-to-person selling I reckon.
 
I decided to do a quick search on the forum for pictures and lo and behold I found them in an old post from 2022.
Chrome has built-in image search: you can just right-click on the picture and click "Search image with Google", then in the panel that pops open click "Find source". Works on *some* doctored pics too.
Nope. It's 100% useless as a security measure.

I also think that email based 2FA is deeply flawed in the context of account compromise. I suspect that email account compromise is a precursor to forum account compromise in a meaningful number of instances.

Requiring non-SMS, non-email 2FA (basically TOTP) would be a significant improvement in security, and would likely reduce the number of compromised accounts by a significant margin. But it would also likely engender a significant support burden.
When yubikeys? :)
 
The buyer can retain that right. I state it right in my listing. You're not obligated to sell it to someone just because they were first in line any more than if they were the first to DM. It can, and I have elsewhere, seen it lead to some hurt feelings but it can also be transparent. Always going to be issues with online person-to-person selling I reckon.
I 100% agree with this principle.
 
Nope. It's 100% useless as a security measure.

I also think that email based 2FA is deeply flawed in the context of account compromise. I suspect that email account compromise is a precursor to forum account compromise in a meaningful number of instances.

Requiring non-SMS, non-email 2FA (basically TOTP) would be a significant improvement in security, and would likely reduce the number of compromised accounts by a significant margin. But it would also likely engender a significant support burden.
Wouldn’t changing email require 2FA and a code sent to the original email?
 
Wouldn’t changing email require 2FA and a code sent to the original email?
No. I have app-based TOTP 2FA enabled, and I was able to change my email address without any barrier whatsoever. No 2FA prompt, no confirmation from the old email address required, nothing except that I needed to confirm the address was valid via a link sent to the new address.

Maybe it's a different workflow for email-based codes, but I doubt it.
 
Nice job sniffing it out. These scams seem significantly more sophisticated than most niche hobby goods sales scams I've come across. Most are just low-effort scams done in volume looking for a sucker.

Thankfully KKF seems to be basically the sole marketplace for BST. Even the Reddit BST is basically users reposting their KKF sales there. It's gonna be pretty chaotic once it becomes easy to manipulate pictures.
 
 
Edit: I was dumb; the Firefox password manager auto-fills the field. Correction issued below.
Dunno how I never noticed before, but it appears KKF stores user passwords in plain text. On my user "Password and security" page, there's an option to view my current password, meaning whatever vendor KKF is using for the website has a database somewhere with (likely) unsalted, unhashed or (at least) easily decoded passwords.

Unfortunately, this means that moderator advice to create more secure passwords is ultimately futile; the entire user password database can be compromised all at once.

More info on plaintext passwords and why it's troublesome: https://plaintextoffenders.com/faq/devs
 
Correction - it looks like certain browsers or extensions are pre-filling this password field. Intercepting the response body shows a blank field and no further requests with plaintext passwords.
 
Was just about to post that I can’t replicate your original report. Good to know it was a client side thing.
 
Correction - it looks like certain browsers or extensions are pre-filling this password field. Intercepting the response body shows a blank field and no further requests with plaintext passwords.
Just so you and everyone else are aware, we can check when a password was reset. We cannot see what the new or old password is.
 