New Scam?

As one who has used the UU Marketplace to buy and sell instruments in the past, I have now enabled two-factor authentication on my forum account and it seems to work fine. Hopefully, that will protect my account from being hacked, and also provide a little more security when selling ukes here in the future.

As for PayPal Goods & Services, Steedy will not be using it when selling ukes. I have no objection to the 3% fee and added protection, but I do not want the Infernal Revenue Service all up in my personal transactions!
As I shared with Pete, I felt violated and exploited. In addition to that I felt that my integrity was compromised. I hope you and the community will understand my feelings. This really hurtsI
I am so glad that we managed to rescue the situation but Tom, I am so sorry that you were out into this position in the first place. The thing that I love about UU forums is our community, and people looking out for people. It pisses me RIGHT OFF to have hackers scam our peeps. And it pisses me off that it happens too fast for us to catch.

So yeah, morals of the story: improve your own account security with a strong password and two factor authentication AND don't be in such a rush to get a deal, unfortunately.
Is it okay to jump through the big loophole that is F&F in order to avoiding giving PP their fees for the payment service they provide?

The question to me is less, are we scamming PayPal (although the answer to that is yeah), than, why are you giving up your ability to contest fraudulent charges to save a few dozen dollars or less in most cases? For example, on a $2500 sale, PayPal's 3% is $75. On a $1500 sale, it's $45, and on a $500 sale, it's $15. A small price for being able to thwart a scammer and keep your dough.

I get not wanting to spend money you don't have to, and if you've actually gotten on a phone call or a Zoom call to be SURE that you're dealing with a friend, that's one thing.

Coming back to the example of our friend Tom, though -- his friend Pete said, "Hey! It's my friend Tom! He's awesome!" -- but it wasn't Tom! If things had bounced a little differently, Pete might have been making the "buy" himself from his dear friend Tom...but it wasn't Tom!

Of course in a transaction ACTUALLY between Pete and Tom, F&F would be perfectly appropriate, but that implies that they were both certain who the other party in the transaction was.

If you're telling PayPal, "That's cool, man, no need to have my back, I know who I'm dealing with", well, that's fine. But that leaves 100% of the responsibility for protecting yourself on YOU, and if you haven't picked up the phone or gotten on Zoom, nobody can help you.

I hate this, and wish it wasn't true, but the last line of protection is always going to be buyers themselves. If you trust yourself to do the work of verification on your own, then carry on and godspeed my friend! But do yourself a favor and don't skip the fee to protect yourself AND skip the work of proper verification. :)
I wont be using 2FA on UU unless I have some transactions that involve money.
That's OK Bill. We'd probably all keel over backwards in shock if we saw a sale post from you on Marketplace and if someone hacked your account to sell something, we'd all probably be sus as 😉
The email and app options are built into the system, so they're good to go. We'd need to pay a developer to custom code the text option, so that's not on the horizon yet.

That said, the apps are faster than text and don't rely on your phone being connected to the mobile network. They work over wifi!

THAT said, my my my, do I have plans for text at UU! :ROFLMAO: Email is really no longer as helpful as it once was, so we're going to be adding as an option for people who prefer it to have your forum notifications sent via SMS, as well as Facebook and Whatsapp Messenger. I'm also looking into optional browser-based alerts for people who opt in, so that you can see your UU alerts even when you're not logged into UU if you want it.

When I get around to adding the forums to the "email" newsletter for the education side of the UU house, I'm also going to be offering SMS and Messenger as the subscription vehicle. (Not that the whole newsletter would be there, but an alert to go read it if you want to -- and obviously only to subscribers. All of what I'm talking about is strictly opt-in, just like we've always done, and always will.)

But here's why I do NOT recommend text as verification between buyers and sellers. Our scammer(s) -- I'm thinking that there are at least two so far, at least one of whom has hacked more than one account -- have been very fast to recommend text as the way to contact them!!! Why? Because you can spoof text super easily, including using throwaway accounts in Whatsapp, Skype, Google Voice, and a gazillion others that require NO credit cards or other rootedness in physical existence.

You don't have to MAKE the phone call or Zoom call to verify someone's existence -- although if they give you their number, why not? The real test is if they're WILLING to be flexible and transparent. If not, end the conversation.

I'm going to contrast these Goofus scammers with the oh-so-Gallant (a Highlights reference for you geezers!) @rhiggie, who doesn't do PayPal for reasons that I fully support, but who offers a BUNCH of ways to contact him, and to verify his identity, including his phone number, his work address, and the offer to play the instruments he's selling for you on Zoom, so that you can see HIM, see the actual instrument, and hear it for yourself -- including the fact that the instrument is currently in his possession.

Heck, that might be the way to smoke out a scammer FAST -- will you play the instrument for me over Zoom? Their response will tell you a LOT.

Anyway, I love text messages, and we'll be doing more with text here for the people who prefer it, but I'll never recommend it as a way to verify a seller's identity. :)

Back under the hood for me for now....
I am 36 and I had goofus and gallant in my highlights subscription as a child
If you click on your avatar in the upper right, you can click on “password and security” and you can enable 2 factor authentication on your account. Then nobody can hack anybody. You can set it up so a code is sent to your email.

View attachment 164122
I wasn't able to do it.
Was this for that Wunderkammer soprano that was for sale over the weekend? Can’t see that thread anymore. Did feel too good to be true for that price…
Was this for that Wunderkammer soprano that was for sale over the weekend? Can’t see that thread anymore. Did feel too good to be true for that price…
There were about three posted for sale on the hacked account. I've removed them.
This is why you should pay in ducks and rabbits instead of money. Scammers dont want to go through the trouble of accepting ducks and rabbits.
If you have to complete the buy of that stupid good deal on a uke right away and can't wait on it a bit, ask the seller if they will take ducks and rabbits for payment and see what their reaction is. This should slow the process down or send the scammer off.

In other words - don't be in such a hurry - vet that sale out before you part with your dough. There will always be another uke for sale.
Don't let the fear of missing out, or getting a supposed bargain cloud your judgment or do a buy too quickly.
I am 36 and I had goofus and gallant in my highlights subscription as a child

I'm 64, and same. I looked it up, and they were introduced in 1948, so you could be a dozen years older than me and still have encountered them as a child!!!! And they're apparently still around, but only as a legacy feature -- ie, re-running old strips, rather than creating new ones. That's a pretty remarkable run!
I don't have a television and I have never seen a reality TV show. The careers of Britney Spears and Taylor Swift have swept by me unnoticed except for when other people make allusions. And all this stuff you folks are speaking of is new and unknown and puzzling to me. Sometimes ignorance is truly bliss.
Hmm, every time I look at UU, (more than once/day), it needs me to provide a code. I appreciate the need for verification, but this is just too frequent. Is it telling me to stop looking at UU?
Hmm, every time I look at UU, (more than once/day), it needs me to provide a code. I appreciate the need for verification, but this is just too frequent. Is it telling me to stop looking at UU?

There's a checkbox that says "Trust this device for 30 days", at least if you're using the app to verify. I don't use email for 2FA myself, so I've never checked those settings, but do look for that checkbox right under where you enter your code. I bet it's there for email....but if it's not, all the more reason to use any of a gazillion free apps for this, all of which are faster and even more secure than email. :)
If I shut off whatever device I’m on, I have to verify again.
Definitely you shouldn't have to. I shut stuff off all the time, and I've been using 2FA for months (because admin). I did have to log on a few times at the beginning - but if you make sure to "trust this device for 30 days" checked on, it should be good?
If I shut off whatever device I’m on, I have to verify again.

Two things to note:

I did just verify that you have the option to turn on "Trust this device for 30 days" OR "Trust this device permanently". As you surmise, if you choose the former, you verify once every 30 days, and if the latter, you won't have to verify again on that device unless the device ID changes (an OS update will often create a new device ID, for example).


But here's the catch: the way we know that time is passing is with your cookies. If you're clearing your cookies, we have no way of knowing that you're verified.

Today's browsers are doing a pretty good job of bouncing invasive cookies, and I do highly recommend Privacy Badger from Electronic Freedom Foundation for blocking advertising cookies (which our new ad system will not be using in any form or fashion -- I don't believe in tracking for ad purposes as a bedrock ethical stance)....but we absolutely rely on our anonymous, never-shared-with-anyone account cookies to deliver you the experience you set in preferences, so please don't delete our cookies!

Does any of this ring any bells? Have you checked one of those boxes (and it probably would have made more sense if I'd only checked one for my screenshot LOL sorry) and the choice isn't sticking? Are you not seeing that option at all?

And are you clearing cookies?

I should note too that 2FA is only critical for SELLERS in the Marketplace. Those have been the ONLY accounts targeted, which makes sense -- these guys are trying to impersonate SELLERS. I should also note that the hacked accounts are FOUR in number. Out of 160,000 accounts in all, that's 0.000025%!!! That's safer than pretty much any community on the web of our size -- certainly safer than Facebook, Apple, Walmart, et al.

So if you've never sold, you don't need it. If you have, though, you definitely do, and I'll be getting in touch with all of our sellers to make sure that they've enabled 2FA, and requiring it going forward-- less to protect sellers themselves than to protect the rest of the community from someone pretending to be a verified seller!

I hope that helps, but please let me know if it doesn't! I'll happily hop on Zoom and screenshare with anyone who needs help setting this up! Or keep answering here, or via PM, whatever works for you! We're a full-service shop here!

Thanks again,


  • 1704926574605.png
    44.4 KB · Views: 0
Interesting topic about the SEC and Crypto Currency. Apparently their Twitter ( X ) account was hacked and a fake posting caused BitCoin to take a dive! The article explains that one cause, making it easy to hack (and assume the identity of the SEC) was that the account had failed to employ TWO FACTOR Authentication!

Found on Apple News:
Top Bottom