Bitcoin Forum

Bit-Bank (https://bit-bank.org) is a new online eWallet with a goal of providing a secure, convenient location for users to store their bitcoins.

By storing Bitcoins in our eWallet, they'll be accessible from any internet-enabled device, and may be withdraw to any BitCoin address or another Bit-Bank account (which is free and instantaneous).

Users can generate many BitCoin addresses, which can be assigned names such as public, donations, private, etc. Furthurmore, all users are given a unique URL (such as, for mine: https://bit-bank.org/user/seeARMS) which simply displays your public Bitcoin address.

We have also just released an API (http://forum.bitcoin.org/index.php?topic=31300.0), which will hopefully spark more mainstream interest in BitCoins. This API allows developers to query for balances, send bitcoins, query for your receiving addresses, etc.

The next thing we're working on is a shopping cart interface (SCI). This will allow merchants to easily accept BitCoin payments online. I hope to have this complete within the next week or so.

Visit us at: https://bit-bank.org.

If you have any questions/comments about the security, appearance or functionality of the site, please ask away.

What do you do for security?

Basic:
-Force all traffic through https
-Use a VPS for hosting

Databases:
-Store passwords using a secure hashing algorithm + a unique salt
-Store API keys and tokens using a secure 2-way encryption algorithm (with a private key)

Forms:
-Escape input and strip HTML tags to prevent MySQL injection
-Use sessions + tokens (which expire after a short while) to prevent cross-site request forgery
-Check input for proper values for current form

API:
-Escape parameters + strip tags to prevent MySQL injection
-Check parameters for proper values (ie 30-character API key, etc)

good work!

one thing i dont like is the design. i think the current design does not fit what the website is about, you need something more modern.

Thanks for the input - I'll definitely consider switching to a more Web-2.0 design in the future.
That'll be after all the core functionality (including the SCI) is finished, though.

The hardest part is reading black on a very dark brown background.

Your page states..

"A minimal fee of 0.01 BTC gets sent to Bit-Bank to allow the continued use of our services. Other than that, our services are entirely free."

Is this a one time fee, or??

Sign up didn't work for me:

"The requested URL /user/index.php was not found on this server."

It's great to have more of these e-wallet sites.  I like the colors and design.

Bit-Bank needs to build trust.  How do I know the site won't just run off with the funds?  I'd suggest at a minimum, contact info for the company and principals, and a pgp key.  Ideally BBB accreditation, gdcaonline.com accreditation, business registration info for whatever country it's based in.  Posts from long standing community members that they know you and can be trusted.  Optionally a bitcoin-otc.com or ebay rating.  WHOIS should not be privacy protected for this kind of business (but currently is).  Note that even with all this info, the site must build up a reputation over time. 

I should also note one of your main competitors is known for poor customer service (you know who I mean), if you do excel at responsiveness you should do well.

I already told the OP about that bug like 2 weeks ago... It seems he didn't fixed it ;P

I'll definitely consider increasing brightness of the background - it does seem a bit dark.

It's a fee which is applied to every withdrawal. Do you think it's a bit too much?
Ah, I've just fixed that error. @psy, I looked over the code when you first told me of the problem and couldn't find anything visibly wrong with it. However, I just tried registering on a /user page, and it didn't work. Figured out it's because that page is modified by Apache's URL rewriting and this messes with the redirect I set up. The user account did get registered, it just didn't redirect you correctly.

Thank you.
I've disabled the WHOIS guard. I'll add our contact info, PGP key and company principals in the next few days. I hope to establish a good reputation - I'm trying to be as transparent as possible in order to achieve this.

Site looks good.
Keep up the good work!

The number listed in the whois is from an Indian cell phone?

Very nice looking neighborhood though, according to Google Earth.

Really? It's my cell phone.
Area code 905 is for southern Ontario (http://en.wikipedia.org/wiki/Area_codes_905,_289_and_365), where I live.

I believe you, I just found it odd it was listed on (several) old Indian cell phone registries.

How old are you?

getting a little creepy there Jafm.

Sweet!  I'd rather trust a Canadian than.. anyone else!

What sort of insurance does our invested bitcoins have?  If you get hacked and lose all the coins, what says we ever get paid?

Nonsense.  In Canadian law, you cannot enter into an agreement with a minor.  If he is under 18 anything you are sending to him is his, and he has no legal liability to give it back.

I asked his age because I don't think he is the owner of the house at that address - meaning he is probably living with his parents.

Are you making up or have you just misread something? A minor, or anyone with diminished mental capacity,  can more easily get out of a contract if it becomes clear they were taken advantage of, but that doesn't mean you can't enter into an agreement with a minor. I'm just basing that on common sense though.

Not making it up, and I just verified.  In Canada (and the US) you need to have reached the age of majority to have competence to contract. 

Are you searching using Alta Vista?

First hit from google: http://www.duhaime.org/LegalResources/Contracts/LawArticle-651/Contracts-With-Children.aspx

I get your point about wanting assurance that a website is trustworthy, but discounting websites created by anyone 18 is the wrong filter for that.

Figuring out the right filter is a good idea though.

Nice Alta Vista reference, but I've probably been in computers longer than you.   ;)

A child under 18 cannot get a credit card, rent a VPS and become a director in a corporation, something this person would have had to do unless he was using his parent's resources and being dishonest with some terms of service.

It would be nice if Colin Armstrong would come back and tell us if he is an adult, so we could put this to rest.   But the phone number registered at that address is Terry Armstrong and that is probably his father.

I am an adult - I'm 22, currently living at home while attending University. Terry Armstrong is indeed my father.

There's currently no insurance. However, security is obviously a top priority, and we're doing everything we can to make the website as secure as possible to prevent getting hacked.

Cool beans.  I actually would have been shocked if you were just some teenager - your grammar is very good.   8)

Heh, thank you. :)

Seems pretty cool, emailed you about making a program using your API.

Thanks, I responded.

Inthe US a person of the majority should *never* conduct business with persons of the minority as the minor can claim s/he did not know what s/he was getting into and they get to keep the product/service and you *have* to give them *all* their money back.

Don do eet mon!

Thanks for the reply, and do you take any of the bitcoins when transfering?

I added the page to http://payco.in/wallets/

I'll try to get my guy J to implement this on my join up page. Nice!

Yep, currently a 0.01 btc fee is taken for every withdrawal to a bitcoin address (however, transferring to another Bit-Bank account is free).

Thanks a lot! :D

I suggest maybe finding a way to secure APIs. One API could be leaked and people could steal funds.

Currently, both the user token and API key (which is handed out to developers on an as-needed basis) are required before using the API.
Also, users must physically have API access enabled in their account - if they're not using the API they should keep it off.

I know. There probably isn't an easy way you could do it to prevent programs from spoofing and then stealing funds.

you need to totally rethink your server setup.

Care to elaborate?
If you'd prefer not to post here, a PM would be appreciated.

ill pm you later .. another 6hours of scans to go..

Ah, you were the one running Acunetix. I banned your IP because I was wondering who the hell was trying to hack the site.
I'll unban it, though, if you aren't actually trying to hack it.

(Also, I've previously run Acunetix - it came up clean).

By the way, according to Latvian Civil Code, any contract signed with person under 18 can be disputed in court and with some probability declared void (that mean refund of whole amount).

That's how it works here in the states too. And the minor gets to keep the product while the adult has to give them the money back.

Why are you guys still talking about that? Haven't we establish the owner is over 18?

No, we've only had the owner say he was over 18.

I'm not posting this because I don't believe him; I'm posting because we just had another identical service disappear with a  lot of people's coins.  This type of site asks that you deposit valuable commodities with them - surely it should be put under greater scrutiny than a mining pool or other service.  Maybe someone in the area could meet him for coffee, verify his ID, etc.  This way you would have a starting point for a lawsuit should anything happen to your assets.

As a community we need to learn from our mistakes.

I don't believe you are over 10 years of age, therefore I shouldn't take your advice.

I agree that eWallets should indeed be put under greater security than mining pools or similar websites, however I don't think arguing about my age would do us any good.

With MyBitcoin disappearing and all, I understand many users are reluctant to use another eWallet service. With the many signs of fraud the site exhibited (ie disappearing accounts, no response from the admins) I think this was eventually going to happen.

I'm trying to build trust by being as transparent as possible in all of the website's ongoings (unlike MyBitcoin). My partner and I are currently in the process of building a new design (which looks quite sexy, I must say :) ) and within the new website we'll be detailing the aspects of security, the backend infrastructure (including off-site backups, updating the ToS, etc), and any other pertinent information regarding Bit-Bank.

Ideally, by doing this, I'll begin building trust with the BitCoin community, and users such as Martin would have no reason to doubt the legitimacy of Bit-Bank. But, for now, his doubts are justified - it's better to be overly cautious in a situation like this (especially when a competing site ran off with an extremely large sum of Bitcoins.)

I would trust my btc with someone else! >:(

Go ahead - it's your bitcoins after all.

Bumping after nearly 2 months to say we've just released a new design and are working towards many more features.