Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Jered Kenna (TradeHill) on June 30, 2011, 07:25:26 PM



Title: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on June 30, 2011, 07:25:26 PM
TradeHill – Security Update – Round 1 (PCI Compliance)

Immediately after the Mt Gox hack and database leak was announced we shut down our site to provide adequate time for users to reset their passwords. We noticed there were considerable attempts to brute force accounts that had the same user name on Mt Gox and TradeHill. In response we installed a captcha system and auto-locked accounts with too many failed login attempts. To the best of our knowledge this was 100% effective and we have not received one email concerning a compromised account on TradeHill.com.

TradeHill is proud to announce that our first round of security upgrades is complete.
We will be continuing to release updates regarding our security and upgrades to TradeHill.com

TradeHill is now PCI Compliant.

We have completed and passed a security audit by Trust Guard, the leading online 3rd party website verification service. Trust Guard has searched our site for over 43,000 known vulnerabilities including SQL injection, XSS and many more and performed an ASV certified scan. This can be verified with the Trust Guard seal on our main page before you log in (when logged in it goes away to avoid clutter).

Our site will be scanned daily for new vulnerabilities and if detected they will be taken care of immediately.

Additionally we have had our corporate contact information (US address and phone numbers) verified to confirm that we are operating in the United States as well as Chile.

User privacy is a very serious issue.
We have updated our privacy policy and are now compliant with:

The Federal Trade Commission Fair Information Practices.
The California Online Privacy Protection Act.
The Children's Online Privacy Protection Act.
The Privacy Alliance guidelines.
The CAN-SPAM Act.

We believe that this is the bare minimum that an exchange should be operating at.

PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAfee doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.

We are continuing to improve our security and will release updates as information becomes available. At the moment our source code and procedures are being verified by a 3rd party as well and we are working with top names in the security business. We will be happy to release their findings when they are complete.

We are also implementing dual authentication and other security features which will be announced soon.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: BCwinning on June 30, 2011, 07:27:22 PM
I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Yankee (BitInstant) on June 30, 2011, 07:34:20 PM
I LOVE TRADEHILL

*closing gox account now*


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Chick on June 30, 2011, 07:38:13 PM
According to the 4 levels of PCI certification, which level are you guys currently following?

You said that you've done network vulnerability scans, but what about an annual SAQ? When it asks you if you've secured 'credit card holder data', just replace that with our 'Bitcoins'. lol.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: darkwon on June 30, 2011, 07:38:33 PM
Nice, some much needed improvements.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Bunghole on June 30, 2011, 07:40:41 PM
I'd like to see the site log you out after x amount of time of inactivity.

Yeah - what he said ^^^


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on June 30, 2011, 07:42:27 PM
I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.


We've received feedback from users that love not being logged out and more that would prefer the additional security.
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness  ;D
We're coding it in as I write this and it should be live today after extensive testing.



Yankee: thanks for the feedback, more to come.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: ius on June 30, 2011, 07:43:55 PM
PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAfee doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.

At least you acknowledge the uselessness of a seal. Really, it shouldn't be a selling point - every idiot can run nmap/nessus/acunetix <whatnot>..

Luckily (from Camp BX):
Quote
We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure

Means you're obviously 43x as secure as they are. ;)

In all seriousness, publishing a report of a manually performed pentest or source code audit (perhaps with selected individuals) would be useful - this is 99% marketing talk like TrustGuard/McAfee sells it to their customers. But it's good to see you're at least informing your clients...


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: ius on June 30, 2011, 07:46:24 PM
Quote
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness  Grin
We're coding it in as I write this and it should be live today after extensive testing.

Solution: make it configurable up to a certain extent, with a tight default session length.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: BCwinning on June 30, 2011, 07:47:00 PM
I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.


We've received feedback from users that love not being logged out and more that would prefer the additional security.
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness  ;D
We're coding it in as I write this and it should be live today after extensive testing.



Yankee: thanks for the feedback, more to come.
Sounds awesome. It did pain me to make this request, but I'm in the school where security needs to trump laziness.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on June 30, 2011, 07:53:45 PM
According to the 4 levels of PCI certification, which level are you guys currently following?

You said that you've done network vulnerability scans, but what about an annual SAQ? When it asks you if you've secured 'credit card holder data', just replace that with our 'Bitcoins'. lol.

By volume we're 3 or 4 but we've only been live for 22 days. Also we're not taking credit cards but adhering to their standards regardless.
We've done the SAQ and treated the Bitcoins as credit info like you suggest. We're treating ourselves as level 2. The next step up is on site audits for level 1.
Obviously these are huge businesses like Amazon.com etc but we're willing to go through on site audits etc and would prefer to given some time.


PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAfee doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.

At least you acknowledge the uselessness of a seal. Really, it shouldn't be a selling point - every idiot can run nmap/nessus/acunetix <whatnot>..

Luckily (from Camp BX):
Quote
We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure

Means you're obviously 43x as secure as they are. ;)

In all seriousness, publishing a report of a manually performed pentest or source code audit (perhaps with selected individuals) would be useful - this is 99% marketing talk like TrustGuard/McAfee sells it to their customers. But it's good to see you're at least informing your clients...

We acknowledge that this is far from a silver bullet. Regardless there are probably sites operating that would have or would currently fail these tests. This clears up the major vulnerabilities and I'm happy that we didn't have to make any corrections when we received the audit. Our existing security was sufficient.

As I said before this should be a bare minimum and we have more to come.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: BitcoinPorn on June 30, 2011, 07:55:25 PM
Well done :)


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on June 30, 2011, 07:56:22 PM

Sounds awesome. It did pain me to make this request, but I'm in the school where security needs to trump laziness.

Agreed, so are we.
Of course you could always manually log out if there isn't a timer but this will cure forgetfulness as well as laziness.



Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Oldminer on June 30, 2011, 07:58:00 PM
Even though I don't have a TradeHill account, it's good to see the community as a whole becoming more security aware.

Best of luck with your venture.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: MeSarah on June 30, 2011, 08:05:19 PM
This is good news for the whole community. I'd never heard of the seal provider, though, so I looked it up. The four seals I reviewed were Trust Guard, Verisign, McAfee and Comodo. I still favor McAfee. Any trust seal with daily testing is better than nothing. Next seal to get, for both TH and CBX, is the BBB seal. I know some don't like that seal and I can see some things about it I don't like as well. But it's yet another seal of approval from a respected institution. The BBB seal is not easy to get. You will have to show that you have been operating a website for at least a year.

MtGox now stands in the shadows of CBX and TH. Thank you TH and CBX for bringing confidence back to the BTC community.

I have a couple of questions. The phone number, is that a VOIP/Vonage type of phone number where you can get any area code you choose? The mailing address, is that just a drop box/mail forwarding service?



Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: phillipsjk on June 30, 2011, 08:11:10 PM
I like that you now have a published mailing address. I can send you my public key fingerprint (CBDE CFB6 BB6A 2BB5 FDE1 01C5 3CF6 0C5E 1CFD A27B) out-of-band now.

Is trading possible with ECMA scripting disabled? I found I was not able to get your banking information without enabling scripting.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: BCwinning on June 30, 2011, 08:11:30 PM
of course I obviously can manually log out, that isn't the point though.
I thought that is a standard on financial sites, it's been the standard with what finance sites I use currently.
I could also not use the site but that isn't the point either right?



Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on June 30, 2011, 08:24:43 PM
of course I obviously can manually log out, that isn't the point though.
I thought that is a standard on financial sites, it's been the standard with what finance sites I use currently.
I could also not use the site but that isn't the point either right?




10 minutes of inactivity now causes a logout.



I like that you now have a published mailing address. I can send you my public key fingerprint (CBDE CFB6 BB6A 2BB5 FDE1 01C5 3CF6 0C5E 1CFD A27B) out-of-band now.

Is trading possible with ECMA scripting disabled? I found I was not able to get your banking information without enabling scripting.

Let me get back to you on this one, I'm not a coder, I've sent an email to them.


This is good news for the whole community. I'd never heard of the seal provider, though, so I looked it up. The four seals I reviewed were Trust Guard, Verisign, McAfee and Comodo. I still favor McAfee. Any trust seal with daily testing is better than nothing. Next seal to get, for both TH and CBX, is the BBB seal. I know some don't like that seal and I can see some things about it I don't like as well. But it's yet another seal of approval from a respected institution. The BBB seal is not easy to get. You will have to show that you have been operating a website for at least a year.

MtGox now stands in the shadows of CBX and TH. Thank you TH and CBX for bringing confidence back to the BTC community.

I have a couple of questions. The phone number, is that a VOIP/Vonage type of phone number where you can get any area code you choose? The mailing address, is that just a drop box/mail forwarding service?



Trust Guard has a similar seal to the BBB which we have. Basically it verifies that we are a business.
I may get the BBB if running another website for more than a year qualifies us. I need to look into that.

The phone number is VOIP and we can answer it in the US, Chile, our cell phones etc. We are handling the bulk of our communication via email though, it makes more sense when we need to look up accounts / send info with a link to block explorer etc.

The mailing address is an office we can use but most of us are in Chile at the moment so the mail gets forwarded.




Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: phillipsjk on June 30, 2011, 08:26:00 PM
I think some things standard on other sites are just security theater: Like "login seals" tied to browser cookies.
Or maybe, even CAPTCHAs you have to type in every time you log in.

Edit: 600 seconds is too short a time-out, IMO. It may not be too bad resetting every time you do something though. On this forum, the default 60 minute timeout logs you out, even if you are in the middle of browsing the forum.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: RandyMarsh on June 30, 2011, 08:29:02 PM
Fantastic, they really are trying a lot harder than Gox, I think.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: bitcoinTrader on June 30, 2011, 08:30:38 PM
Jered,

Is there any way for me to change the email address in tradehill account?
I have been trading on tradehill without any issues till now.
So good work!


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on June 30, 2011, 08:41:25 PM
Jered,

Is there any way for me to change the email address in tradehill account?
I have been trading on tradehill without any issues till now.
So good work!

We're working on that one, it's a little more complicated.
If you are only holding Bitcoins you could transfer them to a new account you create and request us to delete (or just leave  the old one).
Ideally you will be able to move BTC and currencies internally soon.
I'd suggest that if you were on the Gox list. I was and unfortunately had to do that as well with one account. I used a complex unique password but it's not worth the risk.

It's on the list but not at the top, we have other features / security issues that we think would benefit more people. Until we have a room full of programmers we're going to have to prioritize unfortunately.

Lamentably that's the best answer I can give you now but we'll give you the truth every time.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: KingFisher9 on June 30, 2011, 08:51:49 PM
You have significantly raised my confidence in Trade Hill. I'm glad I chose Trade Hill over Mt Gox and I will continue to do so

I have a suggestion that could help prevent theft. I think it would be a good idea to have a feature that will give users an option to delay every withdrawal for 24 hours and to automatically send an email/SMS every time a withdrawal is made. If the withdrawal is fraudulent then the account owner will be able to call a 24/7 fraud hotline and temporarily lock the account until the owner of the account is verified via a registered telephone number or a copy of a driver's license.

OR

How about an automated system that calls or sends an SMS to verify a withdrawal. That way in order for an account to be hacked the hacker would also need to steal the account owner's phone...which to me seems like an extremely unlikely scenario.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: TheAlchemist on June 30, 2011, 09:06:22 PM
Thanks for the info! I definitely feel better now. My MtGox password was cracked (I thought it was pretty good--11 characters, including punctuation, numbers, and upper-/lower-case letters), so I'm pretty concerned with how you store your passwords.
I hope to God it's not MD5-based. Hopefully something like http://en.wikipedia.org/wiki/PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2). Can you speak toward this? I know it's a fairly technical question, but hey, this is Bitcoin land.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on June 30, 2011, 09:52:52 PM
You have significantly raised my confidence in Trade Hill. I'm glad I chose Trade Hill over Mt Gox and I will continue to do so

I have a suggestion that could help prevent theft. I think it would be a good idea to have a feature that will give users an option to delay every withdrawal for 24 hours and to automatically send an email/SMS every time a withdrawal is made. If the withdrawal is fraudulent then the account owner will be able to call a 24/7 fraud hotline and temporarily lock the account until the owner of the account is verified via a registered telephone number or a copy of a driver's license.

OR

How about an automated system that calls or sends an SMS to verify a withdrawal. That way in order for an account to be hacked the hacker would also need to steal the account owner's phone...which to me seems like an extremely unlikely scenario.

We're actually working out the details on something like that which would be required to log in.
Obviously theft is the most likely reason someone would try to hack in but if we can prevent them from getting in then
we also prevent them from using someone else's funds to manipulate the market or just selling them all off.



Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on June 30, 2011, 10:03:44 PM
@Jered Kenna: Thanks for the info!  I definitely feel better now.

My MtGox password was cracked (I thought it was pretty good--11 characters, including punctuation, numbers, and upper-/lower-case letters), so I'm pretty concerned with how you store your passwords.

I hope to God it's not MD5-based. Hopefully something like http://en.wikipedia.org/wiki/PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2).  Can you speak toward this?  I know it's a fairly technical question, but hey, this is Bitcoin land.

I will have to talk to the coders to get a more specific response but I know they are encrypted with something better than MD5 and salted.
I honestly believe we were secure before the Mt Gox hack but are more secure now and will continue to improve.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Frank White on June 30, 2011, 10:09:09 PM
Good job, guys!


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: JohnDoe on June 30, 2011, 10:51:58 PM
10 minutes of inactivity now causes a logout.

You should make it optional to not get logged out. That way both groups are happy.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on June 30, 2011, 11:18:42 PM
10 minutes of inactivity now causes a logout.

You should make it optional to not get logged out. That way both groups are happy.

That's the plan. When we've got more time for things like that we will.

For now the coders are working on things like
the API that's about to launch (I want to say tomorrow, it's working fine)
and focused on high priority items.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: bitsalame on June 30, 2011, 11:21:28 PM
I was wondering how much safety this would provide:
1) Cascade ciphering.
2) Dividing the final hash in two or more parts.
3) Storing the different parts of the hashes in different servers.

Such an exotic configuration would confuse any low level attacker who simply thinks about dumping databases.
There is some security through obscurity here, but tactically obscurity is always an ally.

And even if the attacker manages to match the hashes, brute forcing would be painfully slow.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on July 01, 2011, 12:24:51 AM
I was wondering how much safety this would provide:
1) Cascade ciphering.
2) Dividing the final hash in two or more parts.
3) Storing the different parts of the hashes in different servers.

Such an exotic configuration would confuse any low level attacker who simply thinks about dumping databases.
There is some security through obscurity here, but tactically obscurity is always an ally.

And even if the attacker manages to match the hashes, brute forcing would be painfully slow.

We're exploring all reasonable options.
Splitting hashes up would make it extremely secure.
I'm not an expert on security though so we've hired someone who is.

If you have a long complex password and we hash / salt it that should be sufficient.
If your password is short / common words etc it's not even safe from more basic attacks.
A lot depends on the end user and their habits. We can always require longer / more complex passwords
but some users are going to be upset if they can't use "boobookitty" for their password.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on July 01, 2011, 12:31:40 AM
Based on feedback over the last several hours we've increased the time out from 10 minutes to 30 minutes.
It should also start over every time you visit a new page.
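The sliding idle timeout described in this post, combined with ius's earlier suggestion that the limit be user-configurable within a tight default, written out as an added example; this is not TradeHill's code, and the one-minute floor and the absolute lifetime cap are assumptions of mine that go beyond what the thread states:

```python
import time

# Assumed parameters for this example, not TradeHill's configuration. The 10- and
# 30-minute figures are the two settings the thread names; the rest are assumptions.
DEFAULT_IDLE_SECONDS = 10 * 60          # tight default, as ius suggested
SERVER_MAX_IDLE_SECONDS = 30 * 60       # ceiling a user may opt up to
MIN_IDLE_SECONDS = 60                   # assumed floor so the limit cannot be set to zero
ABSOLUTE_LIFETIME_SECONDS = 12 * 3600   # assumed: re-authenticate at least twice a day


def clamp_idle_limit(requested_seconds=None) -> int:
    """Honour a user preference only within the server's bounds."""
    if requested_seconds is None:
        return DEFAULT_IDLE_SECONDS
    return max(MIN_IDLE_SECONDS, min(int(requested_seconds), SERVER_MAX_IDLE_SECONDS))


class Session:
    def __init__(self, user: str, idle_limit=None, now=None):
        now = time.time() if now is None else now
        self.user = user
        self.created_at = now
        self.last_seen = now
        self.idle_limit = clamp_idle_limit(idle_limit)
        self.ended = None  # reason the session ended, once it has

    def touch(self, now=None) -> str:
        """Call on every request. Returns "ok" and restarts the idle clock (the
        sliding window that "starts over every time you visit a new page"), or
        the reason the session is no longer valid. An ended session stays ended."""
        now = time.time() if now is None else now
        if self.ended:
            return self.ended
        if now - self.created_at > ABSOLUTE_LIFETIME_SECONDS:
            self.ended = "expired_lifetime"
        elif now - self.last_seen > self.idle_limit:
            self.ended = "expired_idle"
        else:
            self.last_seen = now
            return "ok"
        return self.ended


if __name__ == "__main__":
    # Constructed timeline in seconds: activity at 29 min keeps a 30-minute session alive,
    # but a 31-minute gap after that ends it.
    s = Session("alice", idle_limit=30 * 60, now=0)
    print(s.touch(29 * 60), s.touch(58 * 60), s.touch(89 * 60))
```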


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: KeyserSoze on July 01, 2011, 01:52:43 AM
Next seal to get, for both TH and CBX, is the BBB seal. I know some don't like that seal and I can see some things about it I don't like as well. But it's yet another seal of approval from a respected institution. The BBB seal is not easy to get.

BBB might not be the best seal to have...
http://today.msnbc.msn.com/id/43528394
http://abcnews.go.com/Blotter/business-bureau-best-ratings-money-buy/story?id=12123843
http://www.ketv.com/r/25776787/detail.html


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: DrYe5 on July 01, 2011, 01:54:49 AM
How does Tradehill feel about the fact that people are spamming the general message board with ads for their service?


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on July 01, 2011, 04:18:10 AM
How does Tradehill feel about the fact that people are spamming the general message board with ads for their service?

We've removed all the email spammers' referral codes.
We don't think you should spam the boards with codes either and I believe the mods are putting a stop to that.
I could be wrong there. If you have it in your sig and you're happy with TradeHill and you want to talk about it that's fine.

If the mods want to ban referral codes in sigs that's fine and I can understand it.
I believe the bulk of the people would continue to say good things without referral codes.
I have an inbox full of positive feedback and they haven't tried to slip me a referral code.

I just ask if the mods are going to take an aggressive stance on anything they do so fairly.
There were a lot of posts claiming TradeHill was hacked after the Gox data was leaked and they were based on absolutely nothing.
We dealt with this by answering questions and being available for our users.

To sum it up, no one likes spam, be respectful. If you spam it all over the forums we'll take it away like we do on email.

-Jered


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: TheAlchemist on July 01, 2011, 01:28:20 PM
If you have a long complex password and we hash / salt it that should be sufficient.

Well, that's just the thing: MtGox did salt (AFAIK) and I -did- have a good password and it still bombed, mostly because I believe they only used 1 iteration of MD5. I lost some of my money. Sorry to be such a pain!


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Trader Steve on July 01, 2011, 02:05:56 PM
TradeHill – Security Update – Round 1 (PCI Compliance)

Immediately after the Mt Gox hack and database leak was announced we shut down our site to provide adequate time for users to reset their passwords. We noticed there were considerable attempts to brute force accounts that had the same user name on Mt Gox and TradeHill. In response we installed a captcha system and auto-locked accounts with too many failed login attempts. To the best of our knowledge this was 100% effective and we have not received one email concerning a compromised account on TradeHill.com.

TradeHill is proud to announce that our first round of security upgrades is complete.
We will be continuing to release updates regarding our security and upgrades to TradeHill.com

TradeHill is now PCI Compliant.

We have completed and passed a security audit by Trust Guard, the leading online 3rd party website verification service. Trust Guard has searched our site for over 43,000 known vulnerabilities including SQL injection, XSS and many more and performed an ASV certified scan. This can be verified with the Trust Guard seal on our main page before you log in (when logged in it goes away to avoid clutter).

Our site will be scanned daily for new vulnerabilities and if detected they will be taken care of immediately.

Additionally we have had our corporate contact information (US address and phone numbers) verified to confirm that we are operating in the United States as well as Chile.

User privacy is a very serious issue.
We have updated our privacy policy and are now compliant with:

The Federal Trade Commission Fair Information Practices.
The California Online Privacy Protection Act.
The Children's Online Privacy Protection Act.
The Privacy Alliance guidelines.
The CAN-SPAM Act.

We believe that this is the bare minimum that an exchange should be operating at.

PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAfee doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.

We are continuing to improve our security and will release updates as information becomes available. At the moment our source code and procedures are being verified by a 3rd party as well and we are working with top names in the security business. We will be happy to release their findings when they are complete.

We are also implementing dual authentication and other security features which will be announced soon.
+1


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: airdata on July 01, 2011, 02:11:47 PM
I currently can't login to tradehill.

Not sure what my password is, and there's no password recovery feature. 


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on July 01, 2011, 02:15:49 PM
If you have a long complex password and we hash / salt it that should be sufficient.

Well, that's just the thing: MtGox did salt (AFAIK) and I -did- have a good password and it still bombed, mostly because I believe they only used 1 iteration of MD5.

That's why I mention PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2, RFC 2898--http://tools.ietf.org/html/rfc2898).  Hell, you couldn't rely on BlackBerry encryption for a while, as ElcomSoft found out that RIM only used one iteration of AES256.  (Apple's iOS uses 10,000 iterations, IIRC).

I'm no security / crypto expert by any means, but I think I got most of that right. I'm more worried about my Bitcoins at TradeHill than I am, say, about my regular bank and USD because of the pseudo-anonymous nature of BTC.

Sorry to be such a pain!

I should have said "properly hashed". MD5 won't cut it.
I agree with you on being more concerned with your Bitcoins than your USD. Not only is it pseudo-anonymous, it's non-reversible.
The USD we hold is a lot easier to take care of. The Bitcoins get a lot more time put in to securely managing them.

-Jered


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on July 01, 2011, 02:16:28 PM
I currently can't login to tradehill.

Not sure what my password is, and there's no password recovery feature. 

Send us an email

info@tradehill.com

We'll get it taken care of right now.

-Jered


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: airdata on July 01, 2011, 04:34:44 PM
Thanks Jered.

I sent an email just now to you.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: Jered Kenna (TradeHill) on July 01, 2011, 05:07:56 PM
Thanks Jered.

I sent an email just now to you.

You should have a new password in your inbox of the email account that you used.
We've responded by email but let me know if there is any confusion.

-Jered


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: phillipsjk on July 01, 2011, 05:28:37 PM
Well, that's just the thing: MtGox did salt (AFAIK) and I -did- have a good password and it still bombed, mostly because I believe they only used 1 iteration of MD5.

MD5 hashes are no longer cryptographically secure (http://th.informatik.uni-mannheim.de/people/lucks/HashCollisions/). If you were indeed using an old password hashed with MD5, the attacker could have generated a collision without guessing your password. However, it is usually easier to guess the password. If you generated the password yourself without using a random number generator, your password may not be as strong as you think it is.

Edit: looks like you still have to have knowledge of both messages to generate a collision.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: makomk on July 01, 2011, 06:54:31 PM
Edit: looks like you still have to have knowledge of both messages to generate a collision.
I think you actually have to be able to control both messages to generate a collision - that's actually the definition of one. In order to be able to generate a second message that gives the same hash as an existing message you need a preimage attack, and I don't think those are practical against MD5 yet.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: FairUser on July 01, 2011, 10:29:39 PM
I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.


We've received feedback from users that love not being logged out and more that would prefer the additional security.
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness  ;D
We're coding it in as I write this and it should be live today after extensive testing.


Good man! 


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: FairUser on July 01, 2011, 10:32:04 PM
Edit: looks like you still have to have knowledge of both messages to generate a collision.
I think you actually have to be able to control both messages to generate a collision - that's actually the definition of one. In order to be able to generate a second message that gives the same hash as an existing message you need a preimage attack, and I don't think those are practical against MD5 yet.

I think both of you have gotten a bit off topic here and missed one of the finer points.

Collisions don't matter here since Tradehill will lock your account if you try to login too many times.


Title: Re: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc
Post by: phillipsjk on July 03, 2011, 06:24:33 AM
It is only off-topic because Tradehill does not use MD5 hashing; I can't find what hashing they do at the moment.

However, if the database is compromised somehow, account locks after failed login attempts won't help much. That is why you need to choose a secure (likely hard to remember) password. It doesn't matter how convoluted the hash function is; attackers will have the time to do a dictionary attack on their own machines.

That said, (salted) hashing of the passwords is better than storing them in clear-text. It means that most users have time to change their passwords once they learn about the breach. Hopefully Tradehill won't have such a breach. :)
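The storage scheme TheAlchemist asked for (PBKDF2 rather than a single salted MD5) and phillipsjk's point that login lockouts do not protect a leaked database, shown together as an added example. This is not TradeHill's code; the iteration count, salt size and record format are assumptions, and the benchmark hashes constructed candidate strings only to show why the per-guess cost of the KDF is what matters once salts and digests are in an attacker's hands:

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example, not TradeHill's settings.
PBKDF2_ITERATIONS = 10_000   # the per-password count the thread cites for iOS
SALT_BYTES = 16
DKLEN = 32


def hash_md5_salted(password: str, salt: bytes) -> bytes:
    """One round of salted MD5, the scheme the thread blames for the Mt Gox leak.
    The salt defeats precomputed tables, but each guess still costs one MD5 call."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 (RFC 2898): each guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store algorithm, iteration count and a per-user random salt with the digest,
    so the count can be raised later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hash_pbkdf2(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    computed = hash_pbkdf2(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


def guess_cost_ratio(iterations: int = PBKDF2_ITERATIONS, n: int = 50) -> float:
    """How many times more expensive one PBKDF2 guess is than one salted-MD5 guess.
    Once the database (salts included) has leaked, this cost is the only defence left:
    account lockouts do not apply to candidates hashed offline on the attacker's machines."""
    salt = os.urandom(SALT_BYTES)
    candidates = [f"candidate-{i}" for i in range(n)]  # constructed sample guesses

    start = time.perf_counter()
    for c in candidates:
        hash_md5_salted(c, salt)
    md5_time = max(time.perf_counter() - start, 1e-9)

    start = time.perf_counter()
    for c in candidates:
        hash_pbkdf2(c, salt, iterations)
    pbkdf2_time = time.perf_counter() - start
    return pbkdf2_time / md5_time


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print("login ok:", verify(rec, "correct horse battery staple"))
    print(f"one PBKDF2 guess costs ~{guess_cost_ratio():.0f}x one salted-MD5 guess")
```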