Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Jered Kenna (TradeHill) on July 13, 2011, 07:38:50 AM



Title: TradeHill - Security Update - 2 factor authentication is live
Post by: Jered Kenna (TradeHill) on July 13, 2011, 07:38:50 AM
Announcing the availability of Two Factor Authentication!
It's live, free and you can enable it in your profile (click your email address when logged in).

Security is always paramount on the web and even more important with Bitcoin.
The “ease of sending large funds globally” unfortunately has the potential to become the “ease of stealing large funds globally”.
With this in mind TradeHill set out to find well qualified security experts. Our search led us to Dug Song, Jon Oberheide and their team at Duo Security.

Regarding their qualifications and why we have decided to team up with them on this:

Dug Song, co-founder and CEO of Duo Security was most recently Chief Architect, Cloud Computing at Barracuda Networks, the worldwide leader in e-mail and web security appliances, and previously VP Engineering at Zattoo, a worldwide online cable operator which he helped grow 10x to 5 million European subscribers in 24 months. Dug spent 7 years as founding engineer and Chief Security Architect at Arbor Networks (over $120M annual revenue before acquisition by Tektronix in 2010), capturing over 70% of the world’s Tier-1 service providers, and the largest enterprise and defense networks. Prior to Arbor, Dug built the first commercial network anomaly detection system at Anzen Computing – acquired by NFR Security, acquired by Check Point (CHKP). He is well-known for his contributions to the security / open-source community, including OpenBSD and OpenSSH.

Jon Oberheide, co-founder and CTO, was previously a security researcher and PhD candidate at the University of Michigan. His research has resulted in over 20 publications and talks, been featured in mainstream and international press (such as his recent break of the Chinese Green Dam censorware), resulted in multiple provisional and subsequent patent applications, and pioneered the development of cloud-based detection of malicious software. Jon has also held R&D positions at Merit Networks and Arbor Networks, and is a frequent speaker at academic and industry security conferences on topics related to malicious software, cloud/virtualization security, and mobile device security.


How this will work for our users:
For detailed information visit their site at http://www.duosecurity.com/docs/authentication
We are offering 5 ways to authenticate your TradeHill login. All are optional, if you do not wish to activate 2 factor-authentication it won't be required.
You can activate this in your profile (click your email address when logged in)

Phone callback – You will receive a call, push a predesignated key to authenticate
Passcodes via SMS – Duo will send you a set of passcodes used to log in
Passcodes via Duo Mobile – Your phone will generate a passcode (works offline)
Duo Push – Your phone will be sent a request when you try to log in
Hard tokens – We can ship you a physical token that will be used to log in


The beauty of their system is how quick and simple it is to both implement and use. Within minutes you can be up and running.
Additionally there are even more advanced security features for Duo Push. Selecting Duo Push will "push" a login request to your phone.
You can review the specifics of the request (integration, location, etc.) and then approve or deny it instantly.
Click here for a quick 30 second video showcasing the various methods: http://www.youtube.com/watch?v=7N8pBVAWLwU

What will this enhanced security feature cost the user?

For the first month absolutely nothing. After we have evaluated the system in our live environment we will either continue to provide the service free of charge or deduct at most $0.99 (or BTC equivalent). If we can justify charging less we will. We feel confident that we can and the fee will most likely be lower. If we are able to pick up the tab completely ourselves then we will continue to offer the service for free. Regardless in the absolute worst case scenario this service will never cost the user more than $0.99 (or BTC equivalent) per month. In the event we need to charge a fee for this service, we will announce it well ahead of time.

Your feedback is greatly appreciated as always. I want to personally thank the community for everything you've given us and we would like to continue to provide you a safe and trusted place to exchange Bitcoins. We will be on onlyoneTV with Bruce today (July 13th) at 2PM EST and happy to speak more about upcoming changes to TradeHill and Bitcoin. If you have any questions please email us at info@tradehill.com


Regards,
Jered Kenna
TradeHill.com

http://www.facebook.com/tradehill
http://www.twitter.com/tradehill

Edit: I forgot to mention that at this point Duo Sec limits one user per mobile device but they have said this should change by the end of the month.






Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: whenhowwho on July 13, 2011, 07:57:13 AM
Interesting news. I find your take on security and how it needs to evolve to be on the right track. I do not think a fee for better security would be warranted at this stage simply because it is very early in the game yet. If it were me I would leave the service free for more than a month. Perhaps think of it as a loss leader until you reach a larger share of the trading market and by that time your transaction fees will more than cover costs and yield a profit.

Being quick to address issues and perceived issues is a big step in the right direction. Now if only it didn't take so long to fund and withdraw funds ;). Keep up the good work!


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: GeniuSxBoY on July 13, 2011, 08:04:05 AM
I agree, make it "free"... you can make money through trades.






Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: Jered Kenna (TradeHill) on July 13, 2011, 08:19:30 AM
Interesting news. I find your take on security and how it needs to evolve to be on the right track. I do not think a fee for better security would be warranted at this stage simply because it is very early in the game yet. If it were me I would leave the service free for more than a month. Perhaps think of it as a loss leader until you reach a larger share of the trading market and by that time your transaction fees will more than cover costs and yield a profit.

Being quick to address issues and perceived issues is a big step in the right direction. Now if only it didn't take so long to fund and withdraw funds ;). Keep up the good work!

Thanks for your feedback.
We would like to leave it free and I can promise we will never profit off enhancing security like this. If we charge in the future it will continue to be what we pay per user at most.
This is a top notch security solution and quality is never cheap. Our goal is to lower the cost and this month will serve as a trial.


In regards to transaction times we're working on it and balancing speed vs security. Today we caught a hacked Dwolla account that would have been missed without our manual verification.
We prevented a theft of somewhere around $500 that may have gotten out if we were fully automated. Ideally speed shouldn't have to be sacrificed for security in most cases and we now have someone at the helm 24 hours a day to answer emails and review transfers. The speed and security should both be increasing simultaneously.

Regards,
Jered


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: whenhowwho on July 13, 2011, 08:22:24 AM
Interesting news. I find your take on security and how it needs to evolve to be on the right track. I do not think a fee for better security would be warranted at this stage simply because it is very early in the game yet. If it were me I would leave the service free for more than a month. Perhaps think of it as a loss leader until you reach a larger share of the trading market and by that time your transaction fees will more than cover costs and yield a profit.

Being quick to address issues and perceived issues is a big step in the right direction. Now if only it didn't take so long to fund and withdraw funds ;). Keep up the good work!

Thanks for your feedback.
We would like to leave it free and I can promise we will never profit off enhancing security like this. If we charge in the future it will continue to be what we pay per user at most.
This is a top notch security solution and quality is never cheap. Our goal is to lower the cost and this month will serve as a trial.


In regards to transaction times we're working on it and balancing speed vs security. Today we caught a hacked Dwolla account that would have been missed without our manual verification.
We prevented a theft of somewhere around $500 that may have gotten out if we were fully automated. Ideally speed shouldn't have to be sacrificed for security in most cases and we now have someone at the helm 24 hours a day to answer emails and review transfers. The speed and security should both be increasing simultaneously.

Regards,
Jered

This too is awesome news. Thanks for your quick reply. I have to send you a pm for something else that just popped into my head which may be very important.


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: haydent on July 13, 2011, 09:03:45 AM
TH can you do something about this ?? :

http://forum.bitcoin.org/index.php?topic=24988.msg349060#msg349060


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: ShaggyB (BitCoinWorldMarket) on July 13, 2011, 09:05:59 AM
Congrats guys! The more security focused we all are the better off the community will be.


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: haydent on July 13, 2011, 09:18:55 AM
push system works well, just set it up and logged in.

 but note in AU our phone number is generally written as 0435223227 but you must enter it as 435223227

 (this is not my number)


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: the joint on July 13, 2011, 09:23:33 AM
push system works well, just set it up and logged in.

 but note in AU our phone number is generally written as 0435223227 but you must enter it as 435223227

 (this is not my number)

New security works for me too.  Brownie points. 


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: haydent on July 13, 2011, 09:37:30 AM
also why the heck do I all of a sudden have to be logged in to access this page that I could b4 ???

i want to be able to access this page and check market data without having to go through 2 factor auth !!

how come USD is open but not AUD

https://www.tradehill.com/MarketData/AUD


edit:

this works and loads default USD: https://www.tradehill.com/MarketData/

but any link on that page makes you have to login.... Lame'O


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: luv2drnkbr on July 13, 2011, 10:00:43 AM
omg awesome works amazing


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: Oldminer on July 13, 2011, 10:09:47 AM
omg awesome works amazing

+1

I think this together with the new site currently in production, once released, could see MtGox being left behind very quickly.


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: Isepick on July 13, 2011, 10:48:52 AM
Works great, thank you. I for one have no problem paying $1/month to make sure that I am the only person that can log in to my account. People asking you to provide extra security for free that you are having to outsource are being unrealistic in their expectations. With the two-step authentication being optional on an account, anybody who doesn't want to pay $1/month can simply elect to not use it. Kudos to you for not trying to make a profit on the two-step fees, when you could have just as easily charged *everyone* a slightly higher commission fee and made a lot more in the long run.


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: tanerlorn on July 13, 2011, 10:58:51 AM
omg awesome works amazing

+1

I think this together with the new site currently in production, once released, could see MtGox being left behind very quickly.

Except mtgox sent the same thing to all their customers affected by the breach. And has it available for new users by request, I think.

Not to take anything away from Trade Hill, this is an outstanding business move. Everyone should get one of these (the physical token).

And the market seems to have possibly even reacted to this news. For the longest time it was slightly better to have mtgox usd, even after the hacking, btc prices would be like a few cents lower on mtgox, showing that the market valued mtgox usd more. However, looking at the market for the first time now I see Trade Hill usd is being valued higher than mtgox usd, as 14 Trade Hill usd will get you a bitcoin, as opposed to (the outrageous) 14.1 mtgox usd. I know where I'm trading if I need to sell some btc, at least at the current prices.


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: Isepick on July 13, 2011, 11:31:31 AM
Physical tokens are not for everyone. As someone who is always on the move and works in industrial environments regularly, it is not feasible for me to carry around another USB stick everywhere I go. I would hate to be locked out of my account for a few days simply because I lost the physical token. On the other hand, I am never without my phone, so SMS notifications work great for me. I don't see any other exchange providing that kind of service.


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: tanerlorn on July 13, 2011, 12:01:46 PM
Physical tokens are not for everyone. As someone who is always on the move and works in industrial environments regularly, it is not feasible for me to carry around another USB stick everywhere I go. I would hate to be locked out of my account for a few days simply because I lost the physical token. On the other hand, I am never without my phone, so SMS notifications work great for me. I don't see any other exchange providing that kind of service.

Good point, I think for the vast majority of people the token is best, but the phone service for customers like you who do need it is a great move.


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: haydent on July 13, 2011, 12:21:51 PM
during TH auth setup a token option didn't appear as an option. I imagine it's something you will have to order and pay for at a later date when they become available....


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: Jered Kenna (TradeHill) on July 13, 2011, 02:16:25 PM
also why the heck do I all of a sudden have to be logged in to access this page that I could b4 ???

this works and loads default USD: https://www.tradehill.com/MarketData/

but any link on that page makes you have to login.... Lame'O

Thanks for pointing that out. It looks like they might have gotten a little overzealous when they were locking pages down with the Duo Sec.
It should be an easy fix and I let them know. You shouldn't have to log in to look at market data.
Also they have raised (I believe it's in effect) the logout timer which was pretty short.


In regards to the Token, we haven't shipped any so we haven't enabled the feature.
We wanted to get a feel for how much demand there is and buy them in bulk so we can offer the lowest price possible.
When we determine a price we will enable it as a withdraw feature and you can pay directly from your TradeHill balance.

-Jered


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: bitfon on July 13, 2011, 04:24:10 PM
Am I the only one who had phone verification turned on without requesting it, and am now locked out of my account?


Title: Re: TradeHill - Security Update - 2 step authentication is live
Post by: Jered Kenna (TradeHill) on July 13, 2011, 04:39:04 PM
Am I the only one who had phone verification turned on without requesting it, and am now locked out of my account?

This is the only one that I've heard of. I'll look into it, send an email to info@tradehill.com
Send us your user name and we'll get this taken care of.

-Jered


Title: Re: TradeHill - Security Update - 2 factor authentication is live
Post by: Jered Kenna (TradeHill) on July 14, 2011, 02:17:44 AM
We're looking forward to hearing some feedback. Anyone have some experiences they would like to share with us about our 2 factor authentication?
Good? Bad? Like it? Hate it? Easy to use? Confusing? Can't make it work? Let us know.

-Jered


Title: Re: TradeHill - Security Update - 2 factor authentication is live
Post by: error on July 14, 2011, 02:26:30 AM
We're looking forward to hearing some feedback. Anyone have some experiences they would like to share with us about our 2 factor authentication?
Good? Bad? Like it? Hate it? Easy to use? Confusing? Can't make it work? Let us know.

-Jered

It works fine, but it seems Duo Security on my phone can't be associated with more than one service at a time. It completely disassociated my phone from the other service I was testing it with.


Title: Re: TradeHill - Security Update - 2 factor authentication is live
Post by: Jered Kenna (TradeHill) on July 14, 2011, 02:57:34 AM
We're looking forward to hearing some feedback. Anyone have some experiences they would like to share with us about our 2 factor authentication?
Good? Bad? Like it? Hate it? Easy to use? Confusing? Can't make it work? Let us know.

-Jered

It works fine, but it seems Duo Security on my phone can't be associated with more than one service at a time. It completely disassociated my phone from the other service I was testing it with.

I forgot to mention that. I'll go back and edit the post now. Thanks for reminding me. It's limited to one user per device but they've told us that should change before the month is over and they move fast.
-Jered


Title: Re: TradeHill - Security Update - 2 factor authentication is live
Post by: haydent on July 14, 2011, 03:00:02 AM
We're looking forward to hearing some feedback. Anyone have some experiences they would like to share with us about our 2 factor authentication?
Good? Bad? Like it? Hate it? Easy to use? Confusing? Can't make it work? Let us know.

-Jered

also the duo app code button on my htc wildfire (low rez) was almost invisible it was so far off the bottom of the screen, there was just the tiniest grey line at the bottom of the screen which I figured was the top of a button and I touched it which worked...


the other thing, it seems annoying to have to deal with captcha still even when you have 2step on ...


Title: Re: TradeHill - Security Update - 2 factor authentication is live
Post by: Jered Kenna (TradeHill) on July 14, 2011, 03:55:25 AM
We're looking forward to hearing some feedback. Anyone have some experiences they would like to share with us about our 2 factor authentication?
Good? Bad? Like it? Hate it? Easy to use? Confusing? Can't make it work? Let us know.

-Jered

also the duo app code button on my htc wildfire (low rez) was almost invisible it was so far off the bottom of the screen, there was just the tiniest grey line at the bottom of the screen which I figured was the top of a button and I touched it which worked...


the other thing, it seems annoying to have to deal with captcha still even when you have 2step on ...

I'll forward that feedback to duo sec, they'll appreciate it and knowing them probably act on it quickly if it's possible without changing everything.
We're putting a switch in for the captcha and may just make it default to off if you turn on 2 factor. I'm not a coder and don't want to speak for them before I ask. Maybe that isn't as simple as it seems in my mind.
Thanks for the feedback, it's really appreciated.
-Jered


Title: Re: TradeHill - Security Update - 2 factor authentication is live
Post by: haydent on July 14, 2011, 03:59:16 AM
great, just nice to know you're being heard.  :)