Hello nice people,

I’ve been using NiceHash app for some time 5-6 years ago. (It was a simple app for mining cryptocurrency and you get paid in bitcoin on their wallet, then you could transfer bitcoin to another wallet.) It was working fine until they got hacked (or fooled us) and lost all crypto. Luckily I didn’t loose much like some guys did. I decided not to use the service anymore and I’m still receiving stupid e-mail newsletters. I tried to unsubscribe and It asks me for login, I know password, but don’t have 2fa anymore. Also I don’t have backup 16 words.

Now support told me that this is the only way and I feel ridiculous about taking selfie just to unsubscribe. Am I protected against this somehow? I live in Europe and I think Nicehash is located in neighbourhood.

And of course I never wanted to subscribe…and I don’t think I ever verified account with a document.

What are my options other than just filtering that shitty domain as spam?

edit: typo

    • Astroturfed@lemmy.world
      link
      fedilink
      arrow-up
      40
      ·
      1 year ago

      Don’t point out how all their bullshit requires middlemen and accounts holding their currency to make it work. That makes it looks silly. Almost like it’s just more complicated harder to use money that people can more easily steal from you.

  • Eager Eagle@lemmy.world
    link
    fedilink
    English
    arrow-up
    66
    ·
    edit-2
    1 year ago

    That looks like a proper request to disable 2FA. Their problem is requiring login to unsubscribe from newsletter emails, which is total BS.

    If support won’t take your email out of their list, just block the address / domain and move on, I guess.

    I wouldn’t give them any extra personal info after what happened.

    • Amju Wolf@pawb.social
      link
      fedilink
      arrow-up
      22
      ·
      1 year ago

      Additionally use any report functionality at your disposal, which may cause some mail providers to block them or cause them to offer proper opt out in the future.

      All marketing emails are supposed to have a simple opt out without needing anything other than your email address.

    • Pseu@kbin.social
      link
      fedilink
      arrow-up
      14
      ·
      edit-2
      1 year ago

      This is what I do when I can’t unsubscribe in a minute. No reason to waste time on this, it is a solved problem.

    • pianoplant@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      1 year ago

      It’s probably not for marketing emails. They probably require login to disable account alerts. Imagine a threat actor gets access to your account, turns off transaction alerts so you aren’t notified, then transfers out all your crypto.

      I’m certain the marketing emails don’t require login to unsubscribe.

    • Blizzard@lemmy.zip
      link
      fedilink
      English
      arrow-up
      52
      ·
      1 year ago

      But if OP did not provide “selfie” during registration, providing it now doesn’t help confirming his identity so it doesn’t fall into that category. I would aks them how do they justify that and if they are trying to discouraged me from deleting the account.

    • rambos@lemm.eeOP
      link
      fedilink
      arrow-up
      18
      ·
      1 year ago

      Also, Im not trying to delete account (but that eould be ideal), Im just trying to unsubscribe. I guess it doesnt matter here FML 😂

      • Schlemmy@lemmy.ml
        link
        fedilink
        arrow-up
        11
        ·
        1 year ago

        They should unsubscribe you by simple request and only need your e-mail for that. You could verify by clicking a link in an unsubscribe email.

    • Schlemmy@lemmy.ml
      link
      fedilink
      arrow-up
      14
      ·
      1 year ago

      They can’t ask for more information than what they needed to create your account.

      But maybe they’re seen as a bank and then they have to confirm your identity with a copy of your id.

      • rambos@lemm.eeOP
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        Ive never heard of bank asking selfie. I wouldnt even provide ID, but that would make bit more sense

        • Kissaki@feddit.de
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          In Germany I’ve had multiple contracts that needed identification. They use trustworthy third party services for verification though.

          • rambos@lemm.eeOP
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Ive used face scanning on some other crypto service, but didnt know its a thing in banking. Thanks for sharing, but it still doesnt explain why I need that just to unsubscribe. I could accept that they are trying to protect me, but they obviously have diferent plans. My experience and recent communication with support proved NiceHash is ran buy toxic garbage and not by people who run a bank or anything close to that.

            • Schlemmy@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              They need to be sure it’s you who’s unsubscribing, I suppose. There’s been enough social engineering to not rely on emails only.

              • rambos@lemm.eeOP
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                I see that selfie is the only solution to unsubscribe (if not involving lawyer or just spam filter).

                I understand what you are saying, but If I lost my email why would they send newsletter to a new owner? It just makes no sense since 99% can be unsubscribed with no login or whatever they ask.

                Sorry, its hard to accept any safety meassure as explanation due to bad reputation of NiceHash. Also after talking to human support I just feel even less safe tbh, but it doesnt surprise me at all, its company that took my crypto back in a day.

                Ill try fake pic when I get some time to burn

    • rambos@lemm.eeOP
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      Thanks for the link. Feels bad tho 😭 gdpr gave me Accept/Reject cookies and some more pain as a bonus it seems 😂

      • Schlecknits@feddit.de
        link
        fedilink
        arrow-up
        15
        ·
        1 year ago

        GDPR didn’t give you cookie banners, it’s shitty websites that do.

        If they were to just follow activated “Do not Track”-Preferences, they wouldn’t need to ask, instead they would deactived them by default. Or you could just not use cookies, it’s not like somebody forces you to give cookies out to your website’s users.

  • pianoplant@lemmy.world
    link
    fedilink
    arrow-up
    38
    ·
    1 year ago

    Probably an unpopular opinion - but I actually think requesting overriding 2fa is a big deal and companies shouldn’t do that lightly. If I had a lot of money in crypto I would sure hope the exchange would scrutinize a request to turn off 2fa. And if op had saved their backup words they wouldn’t have been in this situation.

    Now requiring that to change an email subscription is not great, but again - turning off 2fa without the proper backup options should be difficult and scrutinized.

    • Falmarri@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      ·
      1 year ago

      Requiring logging in to unsubscribe is absolutely bullshit. I mark all emails as spam that don’t automatically unregister with ONLY clicking a lick. I’m not providing my email, I’m not logging in.

      • pianoplant@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        It’s probably not for marketing emails. They probably require login to disable account alerts. Imagine a threat actor gets access to your account, turns of transaction alerts so you aren’t notified, then transfers out all your crypto.

        I’m certain the marketing emails don’t require login to unsubscribe.

    • kevincox@lemmy.ml
      link
      fedilink
      arrow-up
      12
      ·
      1 year ago

      For bypassing 2fa this does seem reasonable. But anyone who can access the email address should have the permission to unsubscribe from messages.

      For example on my service there is the concept of a “primary email” which is the only one that can be used to reset the password. But even if you have lost the password and access to your primary email you can still unsubscribe any other email from notifications as long as you can show access to that particular email. You won’t regain access to the account but you can turn off emails.

        • kevincox@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          This is a good point. Maybe you could have some sort of exit plan such as 3 emails confirming that you have been unsubscribed at 1d, 30d and 365d. This way if the email takeover is temporary then the user will eventually see a warning but there is still a finite amount of emails still to be received.

          It isn’t perfect, because an attacker could set up filters or something so that these aren’t noticed. But at this point the attacker could set up a filter to hide the regular account emails so it really isn’t any worse.

    • cordlesslamp@lemmy.today
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      I actually made enough each month to pay rent for almost 2 years during the Covid pandemic (subtracted the energy bill).

      • ExoMonk@beehaw.org
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        I made enough to pay for the 3080 I was mining on and heat my office in the winter at the same time.

    • rambos@lemm.eeOP
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      Thanks. Im not gonna sue them, but I might report that if I find the right address. Ill first wait for their response to my last email. Thx for input

  • iamak@infosec.pub
    link
    fedilink
    arrow-up
    20
    ·
    edit-2
    1 year ago

    If you really want to be keep using the service, get a non watermarked random guy’s pic (he must be holding something) from the internet, write what they want on a paper and edit the pic so that the guy is holding what you wrote. This might not work because of the personal ID requirement but trying it doesn’t hurt.

    They usually have a face detection algorithm running along with ocr and rarely check if this is a stock photo. I need to use Instagram to be in the loop. They blocked my account for using Barinsta so I did this and they unblocked it.

    • rambos@lemm.eeOP
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      Hehe this made me laugh. Thank you!

      Your story is also about nicehash? I might do that if I manage to digure out that pic. I will try

  • wAkawAka@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    ·
    1 year ago

    Don’t send any data that you haven’t sent already! Just block 'em f out, feels so nice :D Or they’ll demand a nude selfie next time!

  • Extras@lemmy.today
    link
    fedilink
    arrow-up
    9
    ·
    edit-2
    1 year ago

    If its just to verify does that mean they already have the information on record, like their picture? If not whats stopping someone from using someone elses picture and photo editing in the requirements?

    • rambos@lemm.eeOP
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      They dont have a picture, but they have some information, probably a minimum that was required to create account. I dont remember exactly, it was long time ago. Photo editing requires skill and time. Maybe I can ask AI 😂

  • AnonTwo@kbin.social
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    1 year ago

    I mean, just mark as spam?

    It hurts them more if a bunch of people mark them as spam and it becomes a trend doesn’t it? Just seems like a design issue on their part.

    I always figured that companies generally wanted to avoid that.

    • kevincox@lemmy.ml
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      Yup. I try to unsubscribe nicely once. If it isn’t honored they are going straight on my provider’s spam list.

  • glacier
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    You could block them and the emails will be sent to your spam folder.

    • rambos@lemm.eeOP
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 year ago

      It is in spam all the time, I just found some non-spam e-mails there. Trying to clean the folder a bit now