MarsMarket Security
How to lock down your account with PGP 2FA and stay safe while using the market.
Enabling PGP + 2FA (Step-by-Step)
Two-factor authentication on MarsMarket uses your own PGP key. No SMS, no authenticator apps — just good old asymmetric crypto.
- ✓ Have your PGP keypair ready (private key on a secure device)
- ✓ Know your mnemonic phrase (write it down, store offline)
- ✓ Be ready to decrypt a short message during verification
Step 1 — Open Security Settings
Log in, click your username in the top-right corner, then choose Settings → Security Settings.
Step 2 — Paste Your Public Key
In the PGP Public Key box, paste your full public key block. Also paste your mnemonic phrase in the field below it. Toggle the “Enable Two-Factor Authentication” switch to ON, then hit Update.
Step 3 — Verify the Key
A popup appears with an encrypted verification code. Copy that ciphertext, decrypt it with your private key (or your PGP client), paste the resulting code back into the box, and click Update again.
Step 4 — Done
Your account now requires a valid PGP signature for certain actions and staff messages. Keep a backup of both the key and the mnemonic — losing them means losing account recovery options.
Buyer Rules — Read These
Following these keeps the market running smoothly. Breaking them can get you banned without warning.
| # | Rule |
|---|---|
| 1 | All communication must stay inside the market. No Telegram, WhatsApp, Signal, or email sharing. |
| 2 | Be respectful to staff and vendors. Rudeness gets you nowhere. |
| 3 | Never finalize early unless the vendor has explicit FE permission. |
| 4 | Once an order is finalized (manually or auto), funds are gone. No disputes after that. |
| 5 | Don’t impersonate other users or staff — instant permanent ban. |
| 6 | No fake feedback or false reports. We can tell. |
| 7 | You’re responsible for your own phishing losses. The market won’t recover stolen funds. |
These rules live in the Help menu → Guides section inside the market. Read them once, save yourself headaches later.
Common Security Questions
What if I lose my PGP key?
Contact support from a fresh account with proof of prior purchases (order numbers, amounts, dates). Recovery isn’t guaranteed but the team tries to help long-term users.
Can I disable 2FA later?
Yes, but you’ll need to decrypt one final verification message to turn it off. This prevents attackers from disabling your protection after account takeover.
Is the market wallet safe?
Market wallets are hot wallets — withdraw regularly. Use walletless direct payments when possible to minimize exposure.
Threat Model & Common Attack Vectors
MarsMarket operates in an environment where phishing, social engineering, and exit-scam attempts are daily occurrences. Understanding the threat model helps users make safer decisions.
Phishing sites copy the exact layout and onion address except for one or two characters. They usually appear in search results or Telegram channels. Always verify the full onion string against this page or the official @marsmarket posts.
Staff impersonation happens via clearnet email or external messengers. Real staff never ask for your password, mnemonic, or private key. All official communication occurs inside the market messaging system and is signed with the market PGP key.
Session hijacking via malware on buyer devices remains the largest risk. Keep your operating system and Tor browser updated, avoid running random scripts, and consider a dedicated VM or live USB for market activity.
Phishing Prevention Checklist
- Never click links from Telegram, Discord, or forum signatures. Type the onion manually or use bookmarks.
- Check that the URL bar shows the exact primary onion or the clearnet mirror. Subtle character swaps (0 vs O, 1 vs l) are common.
- Confirm the PGP fingerprint displayed in the footer after login matches the one published here and on @marsmarket.
- Enable 2FA immediately after registration. A compromised password alone cannot bypass PGP verification.
- Never reuse passwords across markets. A breach on one platform should not expose others.
- Log out completely when finished, especially on shared or public machines.
Dispute Process Explained
When a package never arrives or arrives damaged, buyers can open a dispute from the Purchases page. The process typically unfolds as follows:
- Buyer opens dispute and provides shipping address (encrypted), order number, and any tracking or photo evidence.
- Staff contacts the vendor for proof of shipment or delivery confirmation.
- If the vendor responds with tracking, the buyer has 48 hours to confirm receipt or escalate.
- Staff reviews message history, feedback patterns, and previous disputes before issuing a ruling.
- Funds are either returned to the buyer’s market balance or released to the vendor within 5–7 days of the final decision.
Buyers who abuse the dispute system (false claims, repeated non-receipts) may receive warnings or temporary purchase restrictions. Vendors with excessive disputes are flagged and may lose FE privileges.
2FA Troubleshooting Table
| Symptom | Possible Cause | Resolution |
|---|---|---|
| Verification code rejected | Clock skew between device and server | Sync system time via NTP; re-decrypt the message |
| “PGP key not found” error | Key was rotated or deleted | Re-upload the current public key in Security Settings |
| Decryption fails | Wrong private key or corrupted keyring | Restore key from backup; test decryption outside the browser |
| 2FA toggle missing | Account already has 2FA enabled | Contact support with order proof to request reset |
Account Recovery Deep Dive
Losing access to both password and PGP key is the most common irreversible scenario. Prevention is straightforward: write the mnemonic on paper, store the private key on an encrypted USB kept in a safe location, and keep a printed copy of your username and a password hint.
When recovery is possible, support asks for at least three pieces of evidence: order numbers with dates, approximate amounts, and shipping origins. They may also request a signed message from a previously used PGP key. The process usually takes 3–7 business days and is not guaranteed for low-activity accounts.
Never attempt social engineering or multiple support tickets. Staff prioritize users who remain calm and provide clear documentation.
Buyer Safety Tips from Long-Term Users
- Start with small test orders from new vendors to verify reliability before scaling up.
- Always use the in-market messaging system. External contact requests are almost always scams.
- Keep screenshots of order pages and vendor profiles before checkout in case a listing disappears.
- Review the vendor’s last-seen timestamp and recent feedback volume. Sudden drops in activity can signal problems.
- Never share your mnemonic or private key with anyone, including people claiming to be staff or recovery specialists.
- During high-traffic periods, finalize orders promptly after receipt to free escrow funds for the vendor.