Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Chick on June 23, 2011, 05:45:32 AM



Title: WTF @ Mt.Gox?!
Post by: Chick on June 23, 2011, 05:45:32 AM
So the advanced security measures are part of a subscription? So I'll be paying you guys to prevent my account from getting hacked? LMAOROFLZOMBOCOMOMGWTFBBQ

https://i.imgur.com/t0qIc.png


Title: Re: WTF @ Mt.Gox?!
Post by: mjsbuddha on June 23, 2011, 05:50:40 AM
I pointed that out on the other thread. That, my friends, is called extortion. You can't say your product is less secure unless the users pay more money. This isn't the fucking mafia. These clowns really are clueless. Shit got real way too fast for these kids. But they have been thrown into the pool now. They will either learn to swim or sink.


Title: Re: WTF @ Mt.Gox?!
Post by: Clipse on June 23, 2011, 05:53:01 AM
You do know that is just if you want it.

The initial security default upgrade which afaik should be plenty for normal people wont cost you money of course.


Title: Re: WTF @ Mt.Gox?!
Post by: geek-trader on June 23, 2011, 05:54:31 AM
well, it looks like I'll be getting it for free, so, yay!

"Users whose trades were effectively cancelled during the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step security authentication feature for as long as they hold their account."


Title: Re: WTF @ Mt.Gox?!
Post by: dust on June 23, 2011, 05:55:15 AM
If it costs money and is "two factor authentication" it could be one of those RSA tokens.  The hardware costs money per unit, they aren't just going to give them out for free to every account.  Poker sites charge for them, but offer them free/discounted to high-volume players.  I suspect mtgox will do something similar.


Title: Re: WTF @ Mt.Gox?!
Post by: Bit_Happy on June 23, 2011, 05:55:32 AM
Paypal has a little thing you can pay $5 to make your account much more secure, but that is not like a monthly payment.


Title: Re: WTF @ Mt.Gox?!
Post by: wolftaur on June 23, 2011, 06:04:31 AM
Two factor authentication is based on something you know (your password) and something you have (usually a dongle that spits out one-time passwords you have to type in) and the dongles cost money. It's almost universal to have to pay extra for them.

This isn't extortion. This is, "Ok, we're improving our password encryption, and we won't give out the database, passwords and all, to some accountant again. But if you STILL want more..."

Now, if they start charging a monthly fee for the dongle, or a higher trade rate, or something... I'll consider them to be extremely dishonest and greedy.

As to extortion -- Well, a company I used to work for -- a finance company -- had the brilliant idea of actually charging an extra $29.95 a month to let you have a password more than 8 characters long. I managed to talk them out of it but it took me almost a month to convince them it was a really shitty thing to do and might actually be illegal.


Title: Re: WTF @ Mt.Gox?!
Post by: Rodyland on June 23, 2011, 06:08:07 AM
Wouldn't it be more likely to be an SMS 2-factor like Google does?


Title: Re: WTF @ Mt.Gox?!
Post by: Tasty Champa on June 23, 2011, 06:10:54 AM
has anyone gotten the email yet?


Title: Re: WTF @ Mt.Gox?!
Post by: wolftaur on June 23, 2011, 06:13:32 AM
Wouldn't it be more likely to be an SMS 2-factor like Google does?

That's certainly possible, in which case a fee is still reasonable -- it generally costs money to send SMS, especially if you need to send a large number a month.


Title: Re: WTF @ Mt.Gox?!
Post by: Bit_Happy on June 23, 2011, 06:34:51 AM
has anyone gotten the email yet?

Between now and tomorrow at 3:00 GMT you should receive an email with instructions on how to access your account, provided you have successfully completed the reclaim process at claim.mtgox.com.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback


Title: Re: WTF @ Mt.Gox?!
Post by: Tasty Champa on June 23, 2011, 06:45:04 AM
has anyone gotten the email yet?

Between now and tomorrow at 3:00 GMT you should receive an email with instructions on how to access your account, provided you have successfully completed the reclaim process at claim.mtgox.com.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

Thanks a bunch!


Title: Re: WTF @ Mt.Gox?!
Post by: d.james on June 23, 2011, 08:53:46 AM
This just in: Kevin Day is a partner of mtGox, this whole Flash Crash / Rollback Stunt is just to sell more security subscriptions! >:(


Title: Re: WTF @ Mt.Gox?!
Post by: relative on June 23, 2011, 09:38:44 AM
there seem to be no details yet, but if they plan on using a physical security device like brokers do this is a huge improvement and charging for it is entirely reasonable.


Title: Re: WTF @ Mt.Gox?!
Post by: sebdude420 on June 23, 2011, 09:49:02 AM

 LMAOROFLZOMBOCOMOMGWTFBBQ


Title: Re: WTF @ Mt.Gox?!
Post by: hamdi on June 23, 2011, 09:55:24 AM
I hope they find their way back into the market and prove to be better than before.

meanwhile i stay with http://tradehill.com


Title: Re: WTF @ Mt.Gox?!
Post by: Archatos on June 23, 2011, 10:38:56 AM
I pointed that out on the other thread. That, my friends, is called extortion. You can't say your product is less secure unless the users pay more money. This isn't the fucking mafia. These clowns really are clueless. Shit got real way too fast for these kids. But they have been thrown into the pool now. They will either learn to swim or sink.
Of course you can say that your product is more secure for those who pay. Why shouldn't you be able to say so in a free market? This is completely normal in the grown-up world.


Title: Re: WTF @ Mt.Gox?!
Post by: MtGox_Adam on June 23, 2011, 11:17:41 AM
Hi Everyone,

We are evaluating 2 methods at this time. SMS, and Yubikey.

The "free subscription" we're referring to is SMS verification. Unfortunately we're a prime target for SMS flooding if we make this a free service, as you can probably understand.

As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.


Title: Re: WTF @ Mt.Gox?!
Post by: relative on June 23, 2011, 11:23:49 AM
you also might want to evaluate a security card like the ones interactivebrokers.com uses, which you could generate on signup for the user to print.

this would be pretty effective security at no cost.
the hacker would have to eavesdrop on hundreds of logins until he can successfully log in once himself.
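The coordinate card idea above, written out as an added Python example (not code from this thread or from any broker's system): the server generates a 10x10 card at signup for the user to print, issues a challenge for a few random cells only after the password has been checked, and never asks for the same cells again once they have answered a successful login, so codes captured from one session do not answer a later one. Cell size, card size, the number of cells per challenge and the lockout threshold are assumed values.

```python
import hmac
import random
import secrets
import string

ROWS = "ABCDEFGHIJ"            # 10 rows ...
COLS = range(1, 11)            # ... by 10 columns = 100 cells on the printed card (assumed size)
CELL_LEN = 3                   # characters per cell (assumed)
CELL_CHARS = string.ascii_uppercase + string.digits
CELLS_PER_CHALLENGE = 3        # cells asked for at each login (assumed)
MAX_FAILURES = 5               # wrong answers before the card is locked (assumed)


def generate_card(rng):
    """Create a card at signup: {coordinate: code}. The user prints it and the
    server keeps the same mapping. rng must offer choice() and sample()."""
    return {f"{row}{col}": "".join(rng.choice(CELL_CHARS) for _ in range(CELL_LEN))
            for row in ROWS for col in COLS}


class CardAuthenticator:
    """Server-side state for one user's card: cells already consumed, the
    outstanding challenge, and a failure counter used for lockout."""

    def __init__(self, card, rng):
        self.card = dict(card)
        self.rng = rng
        self.used = set()      # coordinates revealed by an earlier successful login
        self.pending = None    # coordinates of the challenge awaiting an answer
        self.failures = 0

    def challenge(self):
        """Issue a fresh challenge. Call this only after the password check has
        passed. Cells are never reused, so codes seen by an eavesdropper during
        one login do not answer a later one."""
        if self.failures >= MAX_FAILURES:
            raise PermissionError("card locked after too many wrong answers; re-issue the card")
        fresh = sorted(set(self.card) - self.used)
        if len(fresh) < CELLS_PER_CHALLENGE:
            raise RuntimeError("card exhausted; issue a new card")
        self.pending = self.rng.sample(fresh, CELLS_PER_CHALLENGE)
        return list(self.pending)

    def verify(self, answers):
        """answers: {coordinate: code} typed by the user for the pending challenge."""
        if self.pending is None:
            return False
        coords, self.pending = self.pending, None       # a challenge gets exactly one attempt
        expected = "".join(self.card[c] for c in coords)
        given = "".join(answers.get(c, "").strip().upper() for c in coords)
        if hmac.compare_digest(expected.encode(), given.encode()):
            self.used.update(coords)                     # burn the cells that were just revealed
            self.failures = 0
            return True
        self.failures += 1
        return False


def new_session(seed=None):
    """Build a card and its authenticator. Without a seed a CSPRNG is used;
    a seed gives a reproducible run for tests and demos."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    card = generate_card(rng)
    return card, CardAuthenticator(card, rng)


if __name__ == "__main__":
    card, auth = new_session()
    coords = auth.challenge()
    print("Enter cells:", coords)
    print("Login OK:", auth.verify({c: card[c] for c in coords}))   # user reads them off the card
    print("Replay OK:", auth.verify({c: card[c] for c in coords}))  # no pending challenge: False
```

With 100 cells and three per login the card lasts about 33 logins before it must be re-issued, which is the trade-off for the single-use property. The card contents have to be stored server-side in some form, so this adds nothing against a leak of that database; it is a defence against password capture, not against the server being compromised.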


Title: Re: WTF @ Mt.Gox?!
Post by: Piper67 on June 23, 2011, 11:26:07 AM
and while you're here... email confirmation of things like BTC address change for withdrawals, transactions beyond certain limits, etc... simple, but very effective


Title: Re: WTF @ Mt.Gox?!
Post by: Grant on June 23, 2011, 11:27:58 AM

As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.

Sounds perfect to me.  :)


Title: Re: WTF @ Mt.Gox?!
Post by: klaus on June 23, 2011, 11:29:22 AM
- will the SMS method work for Customers outside USA? e.g. Germany?

Thanks


Title: Re: WTF @ Mt.Gox?!
Post by: Mobius on June 23, 2011, 11:49:54 AM
Hi Everyone,

We are evaluating 2 methods at this time. SMS, and Yubikey.

The "free subscription" we're referring to is SMS verification. Unfortunately we're a prime target for SMS flooding if we make this a free service, as you can probably understand.

As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.

So there would be no monthly fee? Please verify.


Title: Re: WTF @ Mt.Gox?!
Post by: bitbot on June 23, 2011, 12:35:03 PM
i want my free subscription upgrade and trading or my 100 btc back


Title: Re: WTF @ Mt.Gox?!
Post by: Astro on June 23, 2011, 02:44:54 PM
Yubikey is a good solution.  +1


Title: Re: WTF @ Mt.Gox?!
Post by: RchGrav on June 23, 2011, 03:15:04 PM
Hi Everyone,

We are evaluating 2 methods at this time. SMS, and Yubikey.

The "free subscription" we're referring to is SMS verification. Unfortunately we're a prime target for SMS flooding if we make this a free service, as you can probably understand.

As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.

I don't want to be in a situation where I can't get into my account if I forget or lose my second factor...  I'm hoping you allow some flexibility in this new system for us to decide which methods we would like to select during login.  If I need to get into my account, without my second factor, it would be nice to have the ability to choose one of the other 2nd factors during the logon process...  If I don't have my Yubikey, but I do have my cell phone configured, I would like to be able to still access my account.  If I don't have either of my 2nd factors.. Answering a short series of "Security Questions" should be allowed to be used to gain access. Something like the way that Paypal does it.. During the logon process a user can say "I don't have my Key right now" and still answer a couple of security questions only that user would know, as a backup method, to gain access to their account.

Of course each user could decide which factors are available for them...  This would allow users to balance not only the increased security of the new system, but also how convenient they wish it to be for themselves.

Maybe you can implement the SMS 2-Factor in house.. and find a way to avoid the "SMS flooding" scenario... like sending the SMS AFTER the correct password has been entered on the site.

Here is a list of the majority of International SMS carrier gateways.. It could be used as a starting point should you decide to roll your own solution..

att=<number>@txt.att.net
at&t=<number>@txt.att.net
bell=<number>@txt.bell.ca
beeline=<number>@sms.beemail.ru
bouygues=<number>@mms.bouyguestelecom.fr
cricket=<number>@sms.mycricket.com
d1=<number>@t-d1-sms.de
eplus=<number>@smsmail.eplus.de
etisalat=<number>@email2sms.ae
fido=<number>@fido.ca
lmt=<number>@smsmail.lmt.lv
metropcs=<number>@mymetropcs.com
mobistar=<number>@mobistar.be
optus=0<number>@optusmobile.com.au
orange=<number>@orange.net
o2uk=<number>@o2imail.co.uk
o2germany=0<number>@o2online.de
rogers=<number>@pcs.rogers.com
sfr=<number>@sfr.fr
softbank=<number>@softbank.ne.jp
sprint=<number>@messaging.sprintpcs.com
starhub=<number>@starhub-enterprisemessaing.com
sunrise=<number>@mysunrise.ch
swisscom=<number>@bluewin.ch
tdc=<number>@sms.tdk.dk
telecom=<number>@etxt.co.nz
telenor=<number>@mobilpost.no
tele2=<number>@sms.tele2.lv
telia=<number>@gsm1800.telia.dk
telstra=<number>@tim.telstra.com
telus=<number>@msg.telus.com
three=<number>@three.co.uk
tmobile=<number>@tmomail.net
tmobileczech=<number>@sms.paegas.cz
uscellular=<number>@email.uscc.net
verizon=<number>@vtext.com
virginmobile=<number>@vmobl.com
virginmobilecanada=<number>@vmobile.ca
vivo=<number>@torpedoemail.com.br
vodafonegermany=0<number>@vodafone-sms.de
vodafonegreece=<number>@sms.vodafone.gr
vodafoneitaly=<number>@sms.vodafone.it
vodafoneuk=<number>@vodafone.net


Title: Re: WTF @ Mt.Gox?!
Post by: bitsalame on June 23, 2011, 03:42:16 PM
One problem with SMS is that telephone numbers for SMS also can be anonymously created.
At the end SMS will end up becoming like email, not more, nor less, secure.
Also I don't know if I would be comfortable with having my phone number in your databases.

The leaked emails contained both my "public" and "private" emails, the private was a secretly guarded one only used for banking only.
Now I receive spam in BOTH accounts. I definitely don't feel comfortable sharing my real phone number.
I might use a fake phone number solely for the SMS authentication, but that defeats its purpose.

I would suggest going ahead with Yubico.
Also I think it would be nice gesture if all users who were registered up to the day of the crash would get a free Yubico key.
The newly registered users (who were neither directly nor indirectly affected by the attack) would have to pay a fee to get it.

Well, that's my 0,00001 BTC ;)


Title: Re: WTF @ Mt.Gox?!
Post by: Webengers on June 23, 2011, 03:48:26 PM
Hi Everyone,

We are evaluating 2 methods at this time. SMS, and Yubikey.

The "free subscription" we're referring to is SMS verification. Unfortunately we're a prime target for SMS flooding if we make this a free service, as you can probably understand.

As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.

I'd like to get your thoughts on this

http://forum.bitcoin.org/index.php?topic=21026.0

Was it really your account that got hacked?


Title: Re: WTF @ Mt.Gox?!
Post by: RchGrav on June 23, 2011, 04:01:10 PM
One problem with SMS is that telephone numbers for SMS also can be anonymously created.
At the end SMS will end up becoming like email, not more, nor less, secure.
Also I don't know if I would be comfortable with having my phone number in your databases.


What does this matter?  It would seem to be a benefit, not a problem.

You will be configuring the mobile number to receive your second factor login key, and deciding if it is a method that makes sense for you.

Users should be allowed to choose which factors to utilize, whether it be a single method, or multiple methods as a failsafe to not get locked out of their account.

Personally I would probably enable multiple secondary factors... because you will still always need to provide the password as well.


I do like the Yubikey solution.. especially since I have a number of fresh / unused Yubikeys at my disposal.

I would also enable the SMS feature, in case I didn't have my Yubikey handy..  It would be important for me to still have a method to get into my account... so I wouldn't miss an important trading opportunity, or need to go through another time consuming process to reclaim my account. Which could be time consuming.. and cause missed opportunities.

My password was already strong... so anything else is just an extra layer of security, even with the ability to add some flexibility and convenience.

Rich


Title: Re: WTF @ Mt.Gox?!
Post by: Dude65535 on June 23, 2011, 05:39:11 PM
I would think the most secure way to handle a lost second factor would be to only allow that user to withdraw the funds on account to a previously setup destination. Once all the funds have been moved out they can remove the second factor and resume trading once the new funds are added.


Title: Re: WTF @ Mt.Gox?!
Post by: ius on June 23, 2011, 07:10:37 PM
As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.

HOTP clients are available for most smartphones. No SMS needed then, and free for the end-user. An alternative would be HOTP hardware tokens (Yubikey supports HOTP too, in one of its two configuration slots).

Still doesn't improve your database security though
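The HOTP scheme mentioned in the post above (RFC 4226, the counter-based one-time password that smartphone apps and hardware tokens generate), as an added Python example that is not code from this thread, from Mt.Gox or from Yubico. It shows the code generation and the server-side verifier: a look-ahead window so a token pressed a few times without logging in still works, a counter that only moves forward so an accepted code can never be replayed, and a failure threshold of the kind RFC 4226 recommends for throttling guesses. The window size and lockout threshold are assumed values; the test secret is the one from RFC 4226 Appendix D.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled token: the shared secret, the next
    counter the server will accept, a look-ahead window for presses that never
    reached the server, and a failure counter for throttling (assumed sizes)."""

    def __init__(self, secret: bytes, look_ahead: int = 10, max_failures: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead
        self.max_failures = max_failures
        self.failures = 0

    def verify(self, code: str) -> bool:
        if self.failures >= self.max_failures:
            raise PermissionError("token locked; unlocking needs a separate recovery path")
        # Search [counter, counter + look_ahead]. Any counter at or below a
        # value already accepted is never valid again, which defeats replay;
        # anything past the window is rejected and needs a resync procedure.
        for step in range(self.look_ahead + 1):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"     # RFC 4226 Appendix D test secret, not a real key
    for n in range(3):
        print(n, hotp(secret, n))         # 755224, 287082, 359152 per the RFC vectors
    v = HotpVerifier(secret)
    print("first use:", v.verify(hotp(secret, 0)))
    print("replay:   ", v.verify(hotp(secret, 0)))
```

The caveat in the post still applies: the shared secret for every enrolled token lives in the server's database, so a leak of that database hands out the second factor along with the password hashes. Keeping the HOTP secrets encrypted with a key held outside the database, or verifying against an HSM, is the usual mitigation.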