Bitcoin Forum

I've been working with a team of engineers for the last 6 months on a new exchange. We have acquired banking support for 10 different fiat currency.

Wanted to see what the community is looking for in a new exchange, currently we have the following:
- Mandatory 2FA
- Verifiable user funds
- User KYC documents encrypted and stored in Canada, backed-up offline
- On EC2 so that we can sustain DDOS attacks.
- Incorporated outside of the US, so that user privacy is protected.

see litecoin and bitcoin and no other crap coins.

How are the verifiable user funds demonstrated?

I want to see real pictures of the building and a real address on every page of the site.

High market cap coins only, max 10 coins.
Decreasing fees to incentive liquidity providers.
Very fast and reliable engine to support HFT. 
Fast support.
Proof of solvency.

Phone call enabled withdrawals.
Then enter a pin.


Obviously the calls will cost money, charge 10 cents.


24/7 support. If you're making $50,000 a day in profit, you can spend $1000 a day in staff, I'm almost 100% positive you will be able to afford it if you're making 50k a day.
Waiting 24-48-100 hours for a response is crazy.

Location activated withdrawals, if you register in the United States, there is zero reason for an IP to login to your account from China.
If you plan to travel to China, you can link it in your account to enable it, with a delay of course.

Thumbprint reader 2F, laptops are starting to have this feature, and they're cheap enough to buy if you're storing 100k in bitcoin, you can afford a $30 thumbprint reader.

Everything above but also store fronts. A place where you can actually physically go to trade and talk to staff.

This thread from two days ago help?


Let's design the ideal exchange

https://bitcointalk.org/index.php?topic=507433.0

This
Although i do support SOME(1 or 2) alt coins, this is needed.
The only place to go right now is BTC-E and i refuse to use their services after failed deposit attempts a few months back resulting in my CC getting disabled for 7 days.

Transparency.

How verifyable? is it sitting in the deposit address until sold?



Any servers running in the U.S.? Good business practice nowadays is to avoid U.S. completely, not just have some offshore paperwork and backup in Canada...

an ethical contract

if any of the terms are breached you agree to being sued by any persons with adequate evidence that they have lost funds. without attempting to hide behind bankrupcy protections

the terms saying: (i kept it as laymans as possible)
you will only take funds from the transaction fee's not from people funds themselves
you will not allow unauthorised people into th server room or access to your admin gateway
you will not refuse to repay anyone.
will will have security that will be adequate to prevent hacking
in the event of a hack, if funds are lost. you will reimburse customers
(feel free to add more..)

ummmmm i would love to see full transparency in and exchange and by saying that i mean everything their location phone number how much bitcoins they are holding currently everything possible and what i would love to see the most is payments being instant  ;)

ENCRYPTION, encryption is everything.

I know that some big companies have have their own algorithms developed for security reasons. This way even if data leaks uccur somehow the data will still be unaccesable.

TO ALL

You cant never have it all. Nothing can be perfect, there will always be compromise.... so pick what you want the most.


Just a friendly reminder ;)

Just my opinion (in order of importance):

• No non-free web elements; certainly no Flash.  No obfuscated javascript.  Open source server software would be a huge plus.
• Very good website security.  You're dealing with crypto-currency here so you certainly need something more secure than your average bank offers.
• As much financial transparency as you can reasonably offer.  This is important even if your bitcoin holdings are being regulated by some authority.
• Optional single-factor authentication.
• Good communication would be nice but is not essential.
• Volume sensitive trade fees.  They don't have to be particularly low.
• Support for crypto-currencies besides Bitcoin is not important.
• A fast interface is preferable to a pretty one.

EC2 is not intended to be reliable storage: Third Largest Bitcoin Exchange Bitomat Lost Their Wallet, Over 17,000 Bitcoins Missing (http://siliconangle.com/blog/2011/08/01/third-largest-bitcoin-exchange-bitomat-lost-their-wallet-over-17000-bitcoins-missing/)

I don't like the idea of mandatory 2FA. I may be under delusions that my machine does not have a keylogger. You should keep in mind that SMS 2FA may not actually be 2FA if the attacker has access to both the user's phone and PC like Facebook (https://www.facebook.com/help/210676372433246?_fb_noscript=1), Mircosoft (http://www.windowsphone.com/en-US/), or Google (http://www.chromium.org/chromium-os). Edit: If 2FA is used, you should KISS (https://www.grc.com/ppp.htm).


I stayed away from CaVirtex for the longest time because they claimed Bitcoins have no value in their TOS. If they have no value, why am I trading them for dollars? I have seen similar language on other exchanges. The crux of the matter is that they do not want to fall under securities regulations. However, Bitcoin is being increasingly classified as a "virtual commodity". Not sure if that makes it a security (doubt it).

Aside the mandatory stuff, in terms of security, encryptions, ergonomics...., I think the most important part is trust and total transparency especially when it comes to fonds,

So how to rise trust, I think one way is to apply everything in regards to lean management, and getting ISO Certifications which means getting audit of course, being it documents management ISO 9001 and co, or anything else, security, management, funds, technology ....ect ect of course not any exchange can do this, I believe this should be mandatory to the BIG guys, and medium exchanges should be encouraged to do so, as for small exchange, I think the trust factor will grow as the exchange grows.

Also one more things, Exchanges should explain to users that the majority or the big portion of their fonds should be left in their own wallet and in cold storage if possible, and to avoid any bad practice which can happen due to lack of knowledge (some believe that exchanges are synonymous to banks which is not the case at all)

You gotta have a trollbox!

I wouldn't have mandatory 2FA. It's not like that's a bulletproof answer. I've seen posts from people claiming to have lost coins with 2FA enabled. Security is always a balance between convenience and robustness. You could say mandatory colonoscopy too, but that may not fit well with some users.

What I would do is have 2FA in the flow by default, but give the option to opt-out, while making it very clear it's considered a big loss of a security protection layer. However, some users know what they're doing, or have other reasons they might opt out of 2FA.

The only thing which should be mandatory is a strong password.

There are a few other security measures which can be very effective, yet remain convenient too.

The first is simply requiring email link confirmation for every withdrawal request. BTC-e has been doing this for a while. It doesn't seem all that inconvenient, yet a hacker would need access to two different accounts.

The second is giving the user the option to set a permanent wallet withdrawal address, an address where no matter what it's the only one the site sends funds to. The only way to change that address requires a colonscopy phone call, or perhaps photo ID submission, etc. That way a hacker can only send funds to an address the user controls, unless they can prove they are authorized to change the withdrawal address.

The last simple yet highly effective security measure is delayed action. Again, give users the option to set a minimum 24/48/whatever hour delay before some action completes. This can be a withdrawal, or changing the permanent withdrawal address etc. This way a hacker in control of much of a user's info must hope the user does not become aware something is wrong before the changes go through, which is unlikely.

Last, in terms of website security, simply be sure the majority of funds are kept in cold storage and refill hot wallets as needed. It's better to possibly delay some customer withdrawals and deal with customer service than be forced to announce a severe loss of funds which can't be recovered.

sometimes the 2 things above cant work together. revealing all the code allows hackers to learn the layout. pretty much like revealing the blueprints to your house, where the safe is, and where all the security features are. allowing thieves to target a specific area as soon as they gain access to the secured outer doors. i know the open source wont reveal the owners access codes. but allowing hackers to easily find the weaknesses, even in the most secured systems should not be allowed.
opensource policy should be made for client downloads. not server scripts.

id say nothing can be truly hack proof, but ensuring you don't give hackers any advantage helps.

also to note that source code doesn't show what's happening to actual FIAT or actual bitcoins. all it shows are trades using a binary database.. not a block chain or bank account. so the benefits of opensource are not that big.

as for bitcoin being a virtal commodity.. OMG, facepalm... bitcoin has features of an asset, not comodity
asset: store of wealth (car, art, antiques)
commodity: something that is from natural background that is used to make or create other items/products (wheat, gold, beef, copper)

Looking for an exchange with fees which are not daylight robbery current BTC echanges use (0.5%). Use regular exchange fees on other markets, something at the 0.1% - 0.15% level. At todays fees you have to earn almost 6US$ price difference on one sell/buy cycle just to pay the exchange fee, it's ridiculous. Decent fees will bring you tons of customers.

decentralized exchange

Exchange cannot have exclusive control over users' BTC.

This is just an argument in favour of security through obscurity.

Proof of solvency or some other real-time auditing tool that can be used by customers.  Obviously, this is not possible with fiat but bitcoin has a publicly verifiable block chain.

Edit:  or at least have a page with a running total of all cold storage balances with addresses

If there is to be mandatory "strong" passwords, please don't use arbitrary password schemes such as "Must begin with a letter, contain at least 2 numbers and 2 symbols, and be between 7 and 15 characters long".  Instead use an entropy calculator (one that makes use of a comprehensive database of common passwords) and require passwords to reach a certain score.

Yes, requiring a number actually lowers the entropy of a password because there are only 10 to choose from. I get annoyed when supplying a high-entropy password, I have to go over 16 characters, because just sticking a number on the end would be cheating/lowering the entropy.

And it's very annoying to not be allowed to have the password that you want. I tried to use a system for creating strong passwords that were unique to specific domains. But there were always some annoying rules that would disallow the passwords on some sites. Sometimes too long, need to have number, special character required or forbidden etc.

BTC, LTC, PPC, XPM, everything else is more or less crap.

Licensed registered brokers only. Then a SR type exchange with Ripple to trade hookers and blow for Bitcoin. /S

The most important thing in an exchange?

Decentralisation.

Sounds like a double spend waiting to happen.

Explain how you think an exchange can accomplish this?

This just occurred to me: please have redeemable codes for exchange credit. BTC-e has these and Gox used to have them.

If enough exchanges do this it will allow a marketplace to spring up around these codes allowing users to convert various forms of currency easily. This is the problem Ripple purports to solve, but does it without being shady about it (https://bitcointalk.org/index.php?topic=510868.msg5644815#msg5644815).

For example, at some point users will be able to convert physical gold to cryptocurrency easily, if only one physical location accepts it and has a redeemable code.

- Mandatory 2FA
Check.

- Actually encouraging strong passwords
Check.

- Verifiable user funds
Check.

- User KYC documents encrypted and stored in Canada, backed-up offline
Stored in EU.

- Incorporated outside of the US, so that user privacy is protected.
Check (Germany).

Full disclosure about the company and owners/administrators
Check (https://bitalo.com/about_us).

No non-free web elements; certainly no Flash.  No obfuscated javascript.
Check.

Visit us at www.bitalo.com (https://bitalo.com/why_bitalo/) :)

I don't want my "KYC documents" stored anywhere. Not even encrypted.  There is absolutely no reason for an exchange to store this type of information. If you want to verify my identity, then ask for a letter from my lawyer (if you are old fashioned) or for my government-issued digital signature.

I want to see time-quantized trading, so I am certain I have no unfair disadvantage against bots with low latency connections.

Why would anybody want mandatory 2FA? That is an anti-feature.

Because sometimes you need to be forced to do something so you can do the right thing. Otherwise people tend to be lazy and pass on doing some things for their own protection. Wearing seatbelts in a car is mandatory as well and I don't think anybody says that is an "anti-feature". It's just common sense.

(optional) insurance for the funds.

vielleicht noch son TÜV zertifikat, auch wenn das nicht viel aussagt  ;)

Sounds to me like more and more a central bank isn't such a bad idea when I read what people discover they actually want...

I disagree with it of course but realize I give things up to break from bankers. Bitcoin becomes not a revolutionary moment but rather a banker controlled investment like anything else.

How do you mean? How do you expect this to be done in a non exploitable way?

Nearly every suggestion mentioned deals with a centralized exchange.  My question is why do you want a centralized exchange?  Decentralized exchanges would do away with nearly every suggestion mentioned.


Decentralized all the way.....!

I would like to see an independent audit schedule: hardware, software, network, financials, procedures etc, preferably by known/trusted members of this forum, with high-level results published in the open - no confidential details obviously, and a plan in place to fix any issues.

Not so sure I agree with the strong password requirements since most passwords are sniffed by keyloggers. 2FA is a way better option if it's implemented well imo.

Ability to setup withdrawal addresses and deadline for when auto-withdrawal triggers. Many things can go wrong and I don't like idea of letting you or
other exchanges just take all my coins. If I die I want my coins to be sent to people I know but do not trust enough to give them my login info right
now (mostly because they are not capable of protecting themselves from trojans and keyloggers), to some charity or whoever else.

Bonuses for adding or removing liquidity.

Ability to turn off trollbox.

High quality graphs.

Ability to generate a new deposit addresses, no forced reuse of always the same ones.

Withdraw coins to multiple addresses in one transaction.

http://gendal.wordpress.com/2014/03/02/bitcoin-exchanges-are-more-centralised-than-traditional-exchanges-we-can-do-so-much-better-than-this/

Lol....you got him! People are so clueless because they only know of the old centralized way.  M of N and digital signatures with smart contracts will allow people to exchange without risking their coins on an exchange.  You will not need 2FA on an exchange because the coins are encumbered in a multisig transaction you create and remain with you until the trade is successfully executed.  You do not send coins to a decentralized exchange.  You send a M of N digitally signed contract.  When the trade is executed it passes the digital signatures to the recipients and unlocks its m of n key. (Simplified way of explaining)

I hope people read this!!

"At no point does the clearing house or exchange have the ability to steal or lose your coins.  And the 2-of-3 address prevents you from running away with the coins."


I know this is a new an very difficult concept to understand, but it will be the way of the future.

I'd like to see speed and efficiency for fiat transfers in and out of accounts. It doesn't matter how fast Bitcoins can be transferred around the world if it takes longer to buy with fiat and sell for fiat than snail mailing a paper check. Oh, honesty too but if you can't work out honesty then speed and efficiency would be nice.

Is there such a thing as an certified independent KYC documents keeper?

Time quantized trading - definitely.  

It's a simple thing; you collect buy and sell orders for a period, then at the end of the period, execute all orders in one big transaction, at the same price - whichever price allows the greatest amount of trade.  No high-speed trading, no edge given to trading bots, no exploits against those whose system doesn't run as fast.  

The timing of the periods should not be constant or predictable; if you do that you get silly people trying to exploit the end of the period. So if, say, you want the trading periods to average ten minutes, just let the probability of the period closing during a particular second be one-in-six-hundred.  



Other than time quantized trading, the basic feature is that nobody should ever have to trust the exchange.  An exchange is not supposed to invest the customers' money other than on command, nor do a darn thing with it that the customer does not command them to do.  So there is no point in the exchange having the ability to lose the customers' money in the first place.  The customer who does entrust money to the exchange, ought to at the very least get a huge red security message if for any reason the exchange has moved his funds out of the deposit address.  And if it's not a movement the customer ordered, then it is strongly to be suspected that the exchange is cheating.

Ripple deposits for every traded currencies
Ripple withdrawals for every traded currencies

There is already one that meets all the criteria here already.  No bots, transparent, USD FINCEN License.   Atomic-Trade

https://www.atomic-trade.com/about

I like the fee structure, much better than the BTC-E and Bitstamp, but I don't like not being able to see the current prices and a volume before making an account. How's that transparent?

For security the trade page is not accessible without authentication (i'm a ltl crazy when it comes to security). However I do plan on making a non functioning clone page to solve that problem.

Access to my private keys or multisignature wallets.

I have two questions about this... How would any multisig contract be practical if it takes 10-40 mins to confirm anything on the blockchain?
Second, in any multisig system you still have to place trust in a third party. In the link above, you actually have to place your trust in *two* third parties. Both buyer and seller have to trust the arbiter to be honest. The buyer and seller both have to trust the clearing house--the seller has to trust that the clearing house will give them the buyer's cash after the seller signs the multisig transaction, while the buyer has to trust the clearing house not to take the cash and run.

Multisig seems like it would be too slow to be practical, and doesn't remove the need for trust between parties, just places the trust in others. Granted, those others (a long-standing clearing house, a long-standing professional arbiter) would be more trustworthy than an individual buyer/seller. But, the clearing house and arbiter aren't going to do this for free. So now you're back to the system we have now--CC companies are the trusted clearing house and play arbiter as well, that's what chargebacks are.
Way of the future?

 

Actually, the deal with the 2-of-3 multisig is that each person has to trust that *at least one* of the other parties is honest -- it takes two parties colluding to commit a fraud.  And the roles are carefully crafted such that no party has much of an incentive to cooperate with one of the others against the third. A single instance of such would not net very much money compared to the destruction of business it would entail.  

Also, nobody could simply claim incompetence and thereby profit; without collusion you couldn't get "oh we lost the keys" meaning "I just took all your money and I'm *claiming* I just lost your keys."  If somebody *actually* loses the keys, (a) he doesn't profit and (b) the coins aren't lost because the other two actors can still cooperate to spend them.  

It really is a much better system than what we've had going so far.

If I understand how this works (and maybe I don't), as buyer or seller you would only need to corrupt one of two of the parties, because it's not just the transaction we're talking about--there is the good that the transaction relates to. Corrupt the exchange (get the money/good they are holding in escrow), or corrupt the arbiter (2 of 3 of the keys). That's still having to trust 2 actors, isn't it?

And wouldn't multisig introduce a brand new problem: if a key is lost, and/or there is no evidence one way or the other for the arbiter to make a definitive judgement, the transaction is lost forever?
 

Nah.  If the key is lost, the guy who lost the key doesn't get a vote as to how it goes.  There may be laws about that later, but for now the consequences are no worse than losing your key in a regular bitcoin transaction -- you don't get paid. 

And yes, that is still two different agents having to collude to defraud the third, even if you are one of the two.  The arbiter's risk is reduced because if either you *or* the exchange is honest, he's okay.  The exchange's risk is reduced because if either you *or* the arbiter is honest, he's okay.  Your risk is reduced because if either the exchange *or* the arbiter is honest, you're okay.

I see now what you mean, good point. The risk of the exchange is checked and balanced by the arbiter. But, being honest, is this really different than the escrow services we have today? Purely digital transactions with objective arbitration rules = new, better, I can see that. Anytime there is a real world good = ?? I'm having trouble seeing where multi-sig actually helps whenever people are involved. I want to find a technical solution to this human problem, I just can't see that we have it yet.

Anyway, I think we've derailed the thread enough. I'll start another thread in a bit. Thanks Cryddit.