Although forcing all users to have it is a bit harsh, I think at the very least all trusted users with adjusted withdrawal limits need to be forced to use 2FA. If they can't afford a Yubikey or a GA-capable smartphone, then why the hell are they trading such large amounts of $ and BTC?
Smartphone penetration in the US has grown to 54.9%. At some point in the future, smartphones will be ubiquitous. A Yubikey should be cheaper than a phone.
|
|
|
Kiba, while you are correct that EVERYONE should use 2-factor... this is not why Bitcoinica was hacked.
Bitcoinica was hacked (this time) because they had their MtGox API key on the server, which the hacker was able to exploit.
I'm not sure if it's possible to do 2-factor with the API.
I am told API key was already revoked. Information seems to be conflicting and confusing.
|
|
|
I don't like the idea of mandating action (it seems a bit opposite of the Bitcoin free market theme), but I do like the idea of delayed withdrawals. That would be good if users could choose the option.
MtGox is not the whole free market, you know. They can do whatever they want, and users can choose other providers that don't require 2-factor authentication.
On second thought, this could be mandatory at MtGox too.
|
|
|
* kiba facepalms
MemoryDealers: You should have known better than to risk such a large sum of money at a 3rd-party site.
|
|
|
I think you're stretching it a bit. If you truly want to blame anyone (the concept of blame is stupid anyway, since I don't believe we have such a thing as free will), meaning you want to find the cause of the effect, then you can't really ignore the actions of the victim. Like with a Ponzi, even here they must have seen ample red flags and warnings from other skeptics and yet decided to risk their money. And once you are in a risk vs. reward scenario and the reward doesn't pan out, and instead you experience the risk event you were expecting some of the time, I don't see how you don't carry partial blame for losing your money.
On closer inspection, I don't like people's money going into a very large Ponzi scheme that will impact confidence and the economy at large. I can only say "I warn ya".
|
|
|
Given that people are extremely lazy about account security, I propose that MtGox require mandatory 2-factor authentication for all accounts.
Also, stop withdrawing coins and dollars immediately! There should be a 24-hour notice for withdrawal. This gives users the chance to review and stop an action if they deem it suspicious. (For users who cry for immediate gratification, force them to use two methods of 2-factor authentication at once, charge them a high fee for the added risk, etc.)
Also, the 40K bitcoin withdrawal limit is incredibly dumb. It hasn't matched up with 40K USD for a long time now.
If my security suggestions are dumb, feel free to say why. I am not a security expert, but I am very interested in NOT REPEATING the Bitcoinica fiasco or the MtGox fiasco or any other fiasco ever again.
|
|
|
I meant people seem to think hot wallets are the reason bitcoins are vulnerable, but wallets are only one potential vulnerability. This latest theft was due to sloppy password handling, and 40K USD was stolen in addition to 40K BTC.
You're right, I guess. Even if the bitcoins were offline, the thief could have waited until the balances were loaded into MtGox and used to pay customers, or until the site started operating.
|
|
|
Hey, being a hacker is the most profitable and stress-free job in the Bitcoin world. And you almost never get caught.
That's how you get caught. Only paranoid men survive, while reasonable men become extinct.
|
|
|
It depends on the amount of volume. A site like MtGox, having the majority of bitcoin exchange volume, probably does, because manually processing transactions would be labor intensive.
They just need automation. But remember it's possible to secure a hot wallet, and this latest theft had nothing to do with a hot wallet at all.
It does. Having a balance at MtGox is effectively a hot wallet.
|
|
|
Can I ask you why you have such a large amount of money in a third-party site?
|
|
|
Does anybody know if MtGox employs pentesters?
|
|
|
If you don't have a need to IMMEDIATELY do transactions with bitcoin:
Here is how it would work:
1. Put all your bitcoin in a cold wallet and place it in a safe.
2. Open it once a day to process all the pending transactions.
3. Put the cold wallet back in the safe.
What it needs:
1. Several USB drives.
2. Software to keep transaction requests, query the blockchain and then write to the USB drive.
3. Making sure you have enough public keys on hand.
4. At least one airgapped computer dedicated to processing the data on the USB drive.
Anybody who knows security, feel free to point out any flaw.
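The daily cold-wallet cycle proposed above, written out as an added example (not code from the poster or from any exchange). The point a practitioner would want made explicit is in the thread itself: the online host is the thing that gets compromised (the Bitcoinica breach went through an API key sitting on the server), so the air-gapped machine must treat the batch it reads from the USB drive as hostile input. It re-checks every request against its own limits, refuses replayed request ids, signs only what it approved, and the online side broadcasts nothing that does not verify. Everything below is assumed for illustration: the Lamport one-time signature is a stand-in for the real wallet's ECDSA so the example runs on the standard library alone (its one-signature-per-key property is also why the online side must hold a stock of public keys, as in item 3 of the list), and the policy limits, sample addresses and withdrawal requests are constructed.

```python
import hashlib
import json
import re
import secrets

# ---- Lamport one-time signatures: stdlib-only stand-in for the exchange's real signing key ----
def lamport_keygen():
    """Private key: 256 pairs of random 32-byte preimages. Public key: their SHA-256 hashes.
    Each key signs exactly one message; the online host only ever holds the public halves."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def canonical(obj):
    """Deterministic JSON so both machines hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# ---- Policy enforced on the air-gapped machine (constructed limits for this example) ----
POLICY = {"max_per_request_btc": 500.0, "max_per_batch_btc": 1000.0}
# Shape check for legacy base58 addresses only; it does not validate the checksum.
ADDRESS_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")

def offline_process(batch, sk, key_index, seen_ids, policy=POLICY):
    """Runs on the air-gapped computer. Assumes the online host may be compromised: re-checks
    every request against policy, refuses replayed ids, and signs only the approved subset."""
    approved, rejected, total = [], [], 0.0
    for req in batch["requests"]:
        rid, amt, addr = req.get("id"), req.get("amount_btc"), req.get("address", "")
        if rid in seen_ids:
            rejected.append((rid, "duplicate id: replay of an already processed request"))
        elif not isinstance(amt, (int, float)) or amt <= 0:
            rejected.append((rid, "invalid amount"))
        elif amt > policy["max_per_request_btc"]:
            rejected.append((rid, "exceeds per-request limit"))
        elif total + amt > policy["max_per_batch_btc"]:
            rejected.append((rid, "would exceed batch limit"))
        elif not ADDRESS_RE.match(addr):
            rejected.append((rid, "malformed address"))
        else:
            approved.append(req)
            total += amt
            seen_ids.add(rid)
    signed = {"batch_id": batch["batch_id"], "key_index": key_index, "approved": approved}
    return signed, lamport_sign(sk, canonical(signed)), rejected

def online_accept(signed, sig, pks_on_hand, used_key_indexes):
    """Runs on the online host, which holds public keys only. Releases nothing for broadcast
    unless the signature verifies under a key that has not been used before."""
    k = signed.get("key_index")
    if not isinstance(k, int) or k in used_key_indexes or k >= len(pks_on_hand):
        return False, []
    if not lamport_verify(pks_on_hand[k], canonical(signed), sig):
        return False, []
    used_key_indexes.add(k)
    return True, signed["approved"]

def run_daily_cycle():
    """One day of the procedure, with a constructed batch containing a replay, an over-limit
    request and a malformed address. Returns the outcomes so they can be checked."""
    keys = [lamport_keygen() for _ in range(3)]      # generated offline; only pks leave the safe
    pks_on_hand = [pk for _, pk in keys]
    seen_ids, used_keys = set(), set()
    addr = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"       # sample address, constructed input
    batch = {"batch_id": "day-1", "requests": [        # what the online host wrote to the USB drive
        {"id": "w1", "amount_btc": 120.0, "address": addr},
        {"id": "w2", "amount_btc": 900.0, "address": addr},   # over the per-request limit
        {"id": "w1", "amount_btc": 120.0, "address": addr},   # replay of w1
        {"id": "w3", "amount_btc": 5.0, "address": "not-an-address"},
    ]}
    signed, sig, rejected = offline_process(batch, keys[0][0], 0, seen_ids)  # USB drive going back
    ok, to_broadcast = online_accept(signed, sig, pks_on_hand, used_keys)
    reuse_ok, _ = online_accept(signed, sig, pks_on_hand, used_keys)        # same key twice: refused
    # An amount edited on the online host after signing must fail verification.
    tampered = json.loads(json.dumps(signed))
    tampered["approved"][0]["amount_btc"] = 999.0
    tampered_ok = lamport_verify(pks_on_hand[0], canonical(tampered), sig)
    return {"ok": ok, "broadcast_ids": [r["id"] for r in to_broadcast], "rejected": rejected,
            "reuse_ok": reuse_ok, "tampered_ok": tampered_ok}

if __name__ == "__main__":
    print(json.dumps(run_daily_cycle(), indent=2, default=str))
```

The design choice worth noting is that the limits live on the offline machine, not in the web application: a limit enforced only by the online host is a limit an attacker who owns that host can remove. The signature over the canonical approved batch is what stops the online side from quietly editing amounts or addresses between the safe and the network.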
|
|
|
I updated today as promised.
This time, the popup will give you information about your last transaction as well.
|
|
|
Lawyers are going to be very expensive and what if the "investors" don't have any money to make you whole?
|
|
|
This case shows a pattern of premeditated security lapses resulting in significant "losses" to be borne by the customers. I cannot see how this is not criminal.
Someone belongs in prison. Want to take a guess who that should be?
It doesn't matter if it was orchestrated or if the parties involved were EXTREMELY incompetent; it is still... and has become criminal.
|
|
|
So basically Bitcoinica was losing money paying back claims; can you explain how you lose money that's not even yours paying back claims?
Bitcoinica has to pay staff to deal with this. Any time they're not operating, they're not making money. In short, they are losing money to eat, pay rent and keep the server up because they didn't do due diligence at the beginning.
|
|
|
However, am I the only one getting the impression that the actual owners/managers of Bitcoinica are jumping from the sinking ship one after the other, not even caring to give any updates anymore, while leaving genjix as a scapegoat here?
Who the hell are the owners?
|
|
|
Think about it. genjix takes a very long time to pay people back, taking time out to write an article bashing Bitcoin for the first time ever (a comment on the article even states "i thought Amir was pro-Bitcoin?"). Then as soon as the price jumps to $7.50, oh, we had another hacking and 1/3 of the BTC are gone.
Every day he stays in the UK is another day the police can arrest him. He's a person and we know his face. If he's trying to run away with the money, he has nothing to gain from reaping scorn on himself. Sometimes the simplest explanation is that people screwed up so massively that it looks like an inside job. Frankly, I am tired of people screwing up left and right. (Even I lost some coins... to mybitcoin.)
|
|
|
My theory is that genjix sold the bitcoins short hoping to buy them back cheaper. That explains http://bitcoinmedia.com/bitcoin-euro-stories-are-exaggerated/. But the price went up 50%, and so 1/3 of the bitcoins were 'lost'. genjix is a poker player and gambler. This would also explain the desperate sell walls of 40k BTC of the last couple of days. I hope I am wrong... This is all nonsense without facts to back it up.
|
|
|
PS I have nothing in Bitcoinica, just observing with disbelief.
Me neither. Sorry for everyone that was involved. It must be a sucky day to be the owner of Bitcoinica. But still... bitcoins not in a cold wallet? WTF MAN? This is basic Bitcoin security 101.
|
|
|
|