This is not a flaw but a design (as it stands today). We must assume that the email address you are using with our site can be trusted, that is the very basic assumption that we must take. If someone has access your email then that person can also contact us from that email and ask us to do various activities to your account, e.g. we often get requests to reset the 2FA because the device is lost. We do so, based on the very same assumption, your email account is not compromised. Hence please implement some sort of 2FA on your email account. The email account is the weakest link in the chain and it needs to be protected accordingly.
In addition, we are planning to implement a 2FA reset function, and guess what it does? It sends you an email to confirm that action. Therefore, if an attacked has access to your email account he/she can request the 2FA reset as well.
Having said that, we are interested to further harden the security by implementing additional restrictions, e.g. delayed reset requests, withdrawal blocks for a period of time. But all these are not solving the root cause, weak or compromised email accounts.
Thanks! It wasn't my email that was accessed and according to the CEO he must have been hit by a keylogger |
|
|
|
|
And again, I am not fucking with anyone about anything. I operate honestly and if you'd like to talk to me, feel free to chat at altswap.com today, I am on chat all day.
|
|
|
|
|
He is not the owner but is helping a friend with the stock management. Again, it isn't my email but the CEO's, regardless, he would have just run with all the money if he wanted, all of this mess accounts for a bitcoin worth of theft that we will cover. We may issue stock certificates and manage the stocks outside of cryptostocks because they diluted the shares. We have a shareholder spreadsheet with those who bought at 0.000001 taken off.
|
|
|
|
For tl;dr crowd, what he's saying is this: 2FA was turned on, and the following occurred, bypassing 2FA completely. - Someone gained unauthorized access to an email address associated with a cryptostock account.
- They then requested a password reset, which sent a link to the email address.
- The link then allowed the password to be reset, and opened access to the cryptostock account.
To the Op - no, they are running a MtGox shop. Resetting your password should have required completion of the 2FA chain. I have said repeatedly, and will continue to say so. If you want to invest your money, put it in something real. Cryptostocks are nothing more than Venture Capital disguised as stocks. I have yet to see one worth more than a roll of toilet paper in the hands of a charismatic salesperson. |
|
|
|
THIS IS SERIOUS
If you have stocks at cryptostocks, please read. Long story short: Our companies stock was sold at pennies and we realized that someone gained access to the CEO account, lowered the price and sold all our remaining stock for pennies and cashed out about 1 bitcoin. We could not figure out how they gained access but I just tested it and it is, in my opinion a very serious flaw yet I just got the answer from cryptostocks.com and they say it is not a flaw.... (see email below) If someone has access to your email, despite you having 2fA set-up, they can click lost password, and then a new password link will be sent, when you click that link and make a new password, it logs you in and overrides or disables your 2FA!!!! To me, this is an issue as our CEO felt safe since he had 2fA on but someone got into his email and that's all they needed. SECURE YOUR EMAIL WITH LONG PASSWORDS IMMEDIATELY I emailed cryptostocks for 2 days trying to get a response about this.... first email I got was the following: Dear user, we are have quite a backlog of emails to answer and thus please bear
with us, we will surely come back to you but this might take a few days. We hope
to have completed the backlog by latest Monday next week.Finally the addressed my concern by saying this.... Dear user, assuming that you have protected your email account (e.g. with 2FA) then this is not a flaw, you can only reset the password if you have access to the email account.
It is the same process as when you request 2FA reset (currently being implemented). We have to contact you somehow and that is by email, hence an email is send and if you click the link the 2FA will be disabled. Therefore it does not make sense to have a different approach for email resets.
==================================
Best regards
Your Cryptostocks TeamTo me, there is no reason why if you click reset password, that it should not force you to re-sign in using 2FA?  Anyone?
|
|
|
|
THIS IS SERIOUS
If you have stocks at cryptostocks, please read. Long story short: Our companies stock was sold at pennies and we realized that someone gained access to the CEO account, lowered the price and sold all our remaining stock for pennies and cashed out about 1 bitcoin. We could not figure out how they gained access but I just tested it and it is, in my opinion a very serious flaw yet I just got the answer from cryptostocks.com and they say it is not a flaw.... (see email below) If someone has access to your email, despite you having 2fA set-up, they can click lost password, and then a new password link will be sent, when you click that link and make a new password, it logs you in and overrides or disables your 2FA!!!! To me, this is an issue as our CEO felt safe since he had 2fA on but someone got into his email and that's all they needed. SECURE YOUR EMAIL WITH LONG PASSWORDS IMMEDIATELY I emailed cryptostocks for 2 days trying to get a response about this.... first email I got was the following: Dear user, we are have quite a backlog of emails to answer and thus please bear
with us, we will surely come back to you but this might take a few days. We hope
to have completed the backlog by latest Monday next week.Finally the addressed my concern by saying this.... Dear user, assuming that you have protected your email account (e.g. with 2FA) then this is not a flaw, you can only reset the password if you have access to the email account.
It is the same process as when you request 2FA reset (currently being implemented). We have to contact you somehow and that is by email, hence an email is send and if you click the link the 2FA will be disabled. Therefore it does not make sense to have a different approach for email resets.
==================================
Best regards
Your Cryptostocks TeamTo me, there is no reason why if you click reset password, that it should not force you to re-sign in using 2FA? Anyone?
|
|
|
|
|
VERY IMPORTANT
There is a severe flaw that needs to be addressed. If you have any stocks there I'd pull it and fast... I don't want to say the exact security flaw but i just tried it and it indeed is a SERIOUS SECURITY ISSUE. If you have any stocks with Cryptostocks, you should take IMMEDIATE ACTION!!! I am trying to say this without giving the exact details but even your 2FA is not safe. There are lots of stocks being devalued and sold which is reducing the price of shares by 10000%. Don't know what else I can say.
PM me for details
|
|
|
|
True but I have phone info and address checks out but you could be right. Here is something interesting though... can someone see if they can send an email to.... customerservice@cryptostocks.comEvery email I send is immediately bounced |
|
|
|
|
I'm watching this closely.
I was hired by altswap recently to head customer service, and I too am a share holder and saw the crazy sell-off yesterday. I'm working with cryptostocks.com to find out who it was and ip addresses of those that changed the stock price to 0.000001 and also who cashed out the profits from that sale. Also will be looking into firemine.com to see who they are and why they are using our email address. I know the CEO of altswap, never met him, but know his info extensively as I did research before accepting the job. We will not allow theft and if that is what happened, we will find a way to repair this.
Any more info like the poster above would help me greatly.
|
|
|
|
|
I am not the issuer. I am no different than you when it comes to the stocks at cyrptostocks. Even the other poster said he could see all pages, but there is an issue that I do see as I see stocks were sold very cheap today. I am trying to reach Seth as we speak but he goes to school and is usually available a little later. I'm working on this right now and will get back with you soon.... I understand your frustration, but I am in the same boat. I bought shares and have no backroom access at the share site, I can only see what us shareholders can see.
|
|
|
|
|
Try again.... I'm looking into it but my pages all open up fine
|
|
|
|
Just to mention, ALTSWAP has apparently been locked on CryptoStocks...
The request for votes, expires tomorrow, and I still show a few shares in my share list (single digits, which I can easily write off), but unable to bring up any page relating to ALTSWAP, or even the request for votes page for them, even tho their vote still is listed on the news page.
Looking extremely scammy now... even more so than paying a dividend before the site even opened, was.
Just a heads-up to you all.
=squeak=
C'mon now guys, this is just misinformation. I just went to cyrptostocks and all my coins are present and all announcements are there.... Please explain what you mean locked out. What part of the bolded section above, is it, that you need to have explained to you? =squeak= EVERY BIT as it is totally untrue. I can bring up every page. |
|
|
|
Just to mention, ALTSWAP has apparently been locked on CryptoStocks...
The request for votes, expires tomorrow, and I still show a few shares in my share list (single digits, which I can easily write off), but unable to bring up any page relating to ALTSWAP, or even the request for votes page for them, even tho their vote still is listed on the news page.
Looking extremely scammy now... even more so than paying a dividend before the site even opened, was.
Just a heads-up to you all.
=squeak=
C'mon now guys, this is just misinformation. I just went to cyrptostocks and all my coins are present and all announcements are there.... Please explain what you mean locked out. |
|
|
|
|
I was thinking much less. Thanks for the waste of time.
|
|
|
|
|
I have a few bitcoin Domains that I'd love to sell for some btc or I can take PayPal too!
They are all owned by me, each should have a txt entry that says campycoin if you need to check my ownership.
Not looking for a lot... make me an offer I can't refuse - take one or all!
The domains are:
FirstBankOfBitcoin.com
BitcoinTrustBank.com
Bankofxbt.com
HalfBitcoin.com
HalfBTC.com
If you have any interest, message me
If you get a FREE godaddy account, transfer takes less than 24 hours.
Thanks
|
|
|
|
|
Anybody have interest in.....
firstbankofbitcoin.com
bankofxbt.com
bitcointrustbank.com
halfbtc.com or
halfbitcoin.com
PM me
|
|
|
|
Guys, I'm Jeran, and I have posted a few times here in this forum. I just wanted to let you know that I am the Head of Customer Support and keeping you guys happy is our number one goal. I came aboard after the launch date was announced and even though I have heavy experience in Customer Satisfaction Standards and Issue Management, I have very little in design so I have left that to Seth and the developers. I have mentioned to Seth that we need not say another date, as the last was missed and I know how frustrating that can be. So, please understand this is no scam. I know the CEO, and nobody is going anywhere. We will be having some test runs and a beta or soft opening to start to hammer out the final details. Please bear with us. The reason I joined Altswap is first, because I love bitcoin and some of the other emerging alt coins and second, because I wanted to be with a team that wanted to build something the right way and put our customers first. After conversations with other staff, Seth and Deevin... I knew this was the spot. We are coin users and traders and so we are making sure the site has the features we find important and have had to take great care in making sure you are safe. That being said, as a shareholder as well (purchased with my own btc at no discount) I'm as equally upset at the late open but at this point, what else can we do than give them time to work out the bugs. If I had a time machine I'd bet all I have on Seattle to win the Superbowl straight-up and parlay with over and there would be no need for me to have a job. Be patient and our rewards will be great. Feel free to email me at jeran@altswap.com or email info@altswap.com at anytime and I will work on your concern. I look forward to helping run the best exchange yet [/b] Please remember to sign up for an account at http://altswap.com and ensure your email is correct. Going forward we will be emailing updates as we have them. Shares are still available at www.cryptostocks.com. Jeran |
|
|
|
|
Thanks. I felt it a bit rude myself. But, when you have nothing to hide, nothing is hurt. Let A-Holes be A-Holes
|
|
|
|
|
I have a few bitcoin Domains that I'd love to sell for some btc or I can take PayPal too!
They are all owned by me, each should have a txt entry that says campycoin if you need to check my ownership.
Not looking for a lot... make me an offer I can't refuse - take one or all!
The domains are:
FirstBankOfBitcoin.com
BitcoinTrustBank.com
Bankofxbt.com
HalfBitcoin.com
HalfBTC.com
If you have any interest, message me
If you get a FREE godaddy account, transfer takes less than 24 hours.
Thanks
|
|
|
|
|
Sounds good. Launch is Friday. We have a dividend payout tonight so trying to gather the last investors. Looking forward to having you join us!
|
|
|
|
|
Show Posts
