Quote from: midlandsmafia on January 04, 2013, 11:51 pm
Remove your pgp from here. Your customers should have it in their keyring.

You're just confusing people by posting it up, whether you're serious or not. When someone claims an account has been hijacked, my first inclination is to distrust BOTH parties.

Quote from: midlandsmafia on January 04, 2013, 11:51 pm
If there is a previous customer of yours reading, they can encrypt a message to the PGP they have used to deal with you before.

Exactly. If a vendor's PGP key is _only_ posted here on the Forums, and on the main site, then if a hijacker manages to gain control of both, it is very difficult for the vendor whose account has been hijacked to prove their identity as the true account holder.

That is why I strongly recommend that vendors post their PGP keys to venues that cannot be hijacked, such as the various PGP keyservers, e.g. the IndyMedia keyserver: http://qtt2yl5jocgrk7nu.onion/

I would also recommend that SR management implement an anti-hijacking strategy; this would be easy to implement, consisting of one or more challenge strings shared by both vendor and SR management as shared secrets. Think of it as another password of sorts, long, complex, and not stored with the account, thus not available to a hijacker. The vendor should store this information separately, so it can be verified by management in the event of an accusation of account hijacking.

NC
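An added example, not part of the original post: a minimal sketch of the out-of-band challenge-string check the post describes, written for any service that needs to settle a disputed account claim. The names `RECOVERY_STORE`, `enroll` and `verify_claim` are hypothetical, and keeping only a salted PBKDF2 verifier on the operator's side (rather than the string itself) is an assumption added here.

```python
import hashlib
import hmac
import secrets

# Hypothetical recovery store. It is kept apart from the account database, so
# someone who controls the account (password, profile, posted key) never sees it.
RECOVERY_STORE = {}

def _derive(challenge, salt):
    # Slow, salted derivation: a leaked store does not directly reveal the string.
    return hashlib.pbkdf2_hmac("sha256", challenge.encode(), salt, 200_000)

def enroll(account_id):
    """Create a long random challenge string and hand it to the holder once."""
    challenge = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    salt = secrets.token_bytes(16)
    RECOVERY_STORE[account_id] = (salt, _derive(challenge, salt))
    return challenge                           # holder stores this offline

def verify_claim(account_id, presented):
    """Return True only if the claimant presents the enrolled challenge string."""
    record = RECOVERY_STORE.get(account_id)
    if record is None:
        return False                           # nothing enrolled, nothing to prove
    salt, expected = record
    # Constant-time comparison avoids leaking how much of the value matched.
    return hmac.compare_digest(_derive(presented, salt), expected)

if __name__ == "__main__":
    secret = enroll("vendor-example")          # constructed sample account name
    print(verify_claim("vendor-example", secret))           # rightful holder
    print(verify_claim("vendor-example", "hijacker-guess")) # rejected claim
```

The string has to reach the holder over a channel separate from the account itself, and a fresh one should be enrolled after any use in a dispute.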