Bitcoin Forum
November 09, 2024, 08:28:24 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 »  All
  Print  
Author Topic: Beware, MtGox arbitrarily freezing verified accounts  (Read 40392 times)
davout (OP)
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


1davout


View Profile WWW
September 03, 2012, 03:39:53 PM
 #1

So here's what happened :
 - was minding my own business, playing around MtGox's API's
 - tried to withdraw some USD as an MtGox code,
 - failed and got answer "Your account is pending verification"

So apparently it's because Paymium and I both have MtGox accounts, and we're connecting from the same IP (wow, surprise surprise)

So because of that my account is now frozen and I'm required to get "verified" (even though they do have a scan of my passport and they do have a proof of address in the form of a Yubikey sent to my home)

And apparently MT has too much on his plate to even acknowledge an IRC message.

So beware, MtGox won't hesitate to arbitrarily prevent you from accessing your very own money, and a verified account won't help.

Quote
Thank you for your email. Please let us know if hold more that one account with Mt.Gox and our AML team have requested to verify your account as your IP is using more that one account. To get your account verified you will have to submit your photo ID and proof of residence. I have attached a list of documents that can be submitted and link to upload. Once uploaded please let us know so we can keep you updated on the verification process.

As per our new AML policy please provide us any one of both Photo ID and proof of Residence.
You already have those my friend.

Quote
If they have been done before september 2011, we have had the new aml system in place and you will have to upload your documents to verify them again.Please provide us any one of both Photo ID and Residence
If you migrate your system it is your responsibility to migrate customer data. Freezing accounts until people re-upload what they already have is not a professional way of doing things.

I'm quite pissed-off right now. Just because you guys hold my money doesn't mean you get to freeze it at will.

stepkrav
Full Member
***
Offline Offline

Activity: 188
Merit: 100



View Profile
September 03, 2012, 03:49:25 PM
 #2

so if two different accounts are accessed via the same IP, it is a reason to freeze them?  Undecided
Mushoz
Hero Member
*****
Offline Offline

Activity: 686
Merit: 500


Bitbuy


View Profile WWW
September 03, 2012, 03:51:43 PM
 #3

Mtgox costumer service at it's finest Roll Eyes

www.bitbuy.nl - Koop eenvoudig, snel en goedkoop bitcoins bij Bitbuy!
davout (OP)
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


1davout


View Profile WWW
September 03, 2012, 04:07:20 PM
 #4

I think the customer service itself is ok they're nice and, in my experience, quite responsive.

It's the rule that's being applied that just doesn't make any sense.

Let's even say it's ok to auto-freeze accounts when you detect that the same IP connects to them. In this case the support should simply unlock the accounts when they get the full story : "Oh, you actually have accesses to multiple legitimately verified accounts from the same IP, one is the corporate account, the one is your personal one ? I understand, I'll unlock them for you right now. Have a beautiful day fine sir!"


Mt.Gox_Alex
Member
**
Offline Offline

Activity: 112
Merit: 10



View Profile WWW
September 04, 2012, 02:59:24 AM
Last edit: September 04, 2012, 05:22:59 AM by Mt.Gox_Alex
 #5

So here's what happened :
 - was minding my own business, playing around MtGox's API's
 - tried to withdraw some USD as an MtGox code,
 - failed and got answer "Your account is pending verification"

So apparently it's because Paymium and I both have MtGox accounts, and we're connecting from the same IP (wow, surprise surprise)

So because of that my account is now frozen and I'm required to get "verified" (even though they do have a scan of my passport and they do have a proof of address in the form of a Yubikey sent to my home)

And apparently MT has too much on his plate to even acknowledge an IRC message.

So beware, MtGox won't hesitate to arbitrarily prevent you from accessing your very own money, and a verified account won't help.

Quote
Thank you for your email. Please let us know if hold more that one account with Mt.Gox and our AML team have requested to verify your account as your IP is using more that one account. To get your account verified you will have to submit your photo ID and proof of residence. I have attached a list of documents that can be submitted and link to upload. Once uploaded please let us know so we can keep you updated on the verification process.

As per our new AML policy please provide us any one of both Photo ID and proof of Residence.
You already have those my friend.

Quote
If they have been done before september 2011, we have had the new aml system in place and you will have to upload your documents to verify them again.Please provide us any one of both Photo ID and Residence
If you migrate your system it is your responsibility to migrate customer data. Freezing accounts until people re-upload what they already have is not a professional way of doing things.

I'm quite pissed-off right now. Just because you guys hold my money doesn't mean you get to freeze it at will.

Hi

Sorry to hear about your problem and while I cannot comment on it at this time we will check this matter and hope to get a solution to your problem one way or another.

[EDIT]Oh and not, this is not "arbitrarily" at all, havind different account with one not being verified sharing the same IP will trigger such verification. This is simply a basic security feature.

Regards

Mt.Gox : The Leading International Bitcoin Exchange.
Mt.Gox Merchant Solutions :   Now Available!
thebaron
Sr. Member
****
Offline Offline

Activity: 434
Merit: 250



View Profile
September 04, 2012, 03:01:38 AM
 #6

so if two different accounts are accessed via the same IP, it is a reason to freeze them?  Undecided

I haven't had issues with a different person in my house also using MtGox on the same IP. He hasn't even had to verify his identity with them to trade, while I have had to. Our accounts were registered on different IP's, though.
davout (OP)
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


1davout


View Profile WWW
September 04, 2012, 06:41:49 AM
 #7

[EDIT]Oh and not, this is not "arbitrarily" at all, havind different account with one not being verified sharing the same IP will trigger such verification. This is simply a basic security feature.
Does that mean I'll have to get through this each time someone in my office building creates a mtgox account? That sounds like a really useful security feature :|

What is definitely is arbitrary is the bullying. Just because you can freeze my account doesn't mean it's ok to do so as an answer to everything that can happen. Especially when the account is verified, and is protected by a yubikey that you sent to my home address.

julz
Legendary
*
Offline Offline

Activity: 1092
Merit: 1001



View Profile
September 04, 2012, 07:35:00 AM
Last edit: September 04, 2012, 08:34:41 AM by julz
 #8

I suspect the only reason that this 'security feature' is even remotely practical at the moment is the sheer isolation of most bitcoin users.

Many offices/households share an IP and quite a few even share a particular machine for browsing.
I can see this being a major pain when I  get colleagues/family more interested in this thing.

@electricwings   BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
Grinder
Legendary
*
Offline Offline

Activity: 1284
Merit: 1001


View Profile
September 04, 2012, 08:11:31 AM
 #9

Many offices/households share an IP and quite a few even share a particular machine for browsing.
I can see this being a major pain when I  get colleagues/families more interested in this thing.
I even know of entire companies that share one IP for several thousand employees. At the same time it's pretty easy to avoid using that IP if you want to, so this security feature will probably only stop the people that are doing nothing wrong.
Soros Shorts
Donator
Legendary
*
Offline Offline

Activity: 1617
Merit: 1012



View Profile
September 04, 2012, 08:17:16 AM
 #10

If anything it is the unverified account that should be made to verify. Accounts that are already verified should not be frozen just because the same IP address is used by another account.

Having said that, using the IP address as a sole criteria for this trigger is pretty stupid. I hope MtGox is using other criteria as well, such as type of IP address (residental, corporate) as well as browser/OS finger printing.
JoelKatz
Legendary
*
Offline Offline

Activity: 1596
Merit: 1012


Democracy is vulnerable to a 51% attack.


View Profile WWW
September 04, 2012, 08:23:32 AM
 #11

[EDIT]Oh and not, this is not "arbitrarily" at all, havind different account with one not being verified sharing the same IP will trigger such verification. This is simply a basic security feature.
I think a few moments reflection will show that freezing a verified account because an unverified account connected from the same IP address is a massive security fail. In my fantasy world where you always do the right thing, you'll audit all your security practices once you realize that you let one this boneheaded slip through.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
Endgame
Sr. Member
****
Offline Offline

Activity: 412
Merit: 250



View Profile
September 04, 2012, 08:37:27 AM
 #12

I suspect the only reason that this 'security feature' is even remotely practical at the moment is the sheer isolation of most bitcoin users.

Many offices/households share an IP and quite a few even share a particular machine for browsing.
I can see this being a major pain when I  get colleagues/families more interested in this thing.


+1
I can see very little justification for keeping this 'security feature'. If somebody was hacking accounts I doubt they would do it from one IP anyway. Unless the real reason for this feature is to prevent users from setting up multiple accounts?
Sant001
Full Member
***
Offline Offline

Activity: 182
Merit: 100


View Profile
September 04, 2012, 08:54:15 AM
 #13

Is this for the security of users? Or is it required by any regulations (directly or indirectly)?

If neither is true, Mtgox should consider removing this feature. Just my opinion  Lips sealed
EhVedadoOAnonimato
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500



View Profile
September 04, 2012, 08:58:09 AM
 #14

I can see very little justification for keeping this 'security feature'. If somebody was hacking accounts ...

This has nothing to do with security.
They have to be sure a given individual does not trade more than a small threshold, in order to catch tax evaders. It's not there to protect you or to catch actual criminals.
If multiples accounts access from the same IP, they can't know whether it's the same individual trying to trade more than the threshold, or if they're multiple individuals.

They could, though, sum the amounts transfered by all unverified accounts using the same IP and only block them when the total unverified amount passes the threshold. Verified accounts, as davout's, should not be frozen because an unverified account used the same IP.
EhVedadoOAnonimato
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500



View Profile
September 04, 2012, 09:04:57 AM
 #15

It's funny how often the expression "for your own security" is used as a justification for actually screwing you somehow. Even MtGox guys can't avoid using the rhetoric. (nothing personal, MtGox folks... but you could be more direct and frank about stuff, people here would understand Wink)
Severian
Sr. Member
****
Offline Offline

Activity: 476
Merit: 250



View Profile
September 04, 2012, 09:26:28 AM
 #16

Still getting the third party thing down...
JoelKatz
Legendary
*
Offline Offline

Activity: 1596
Merit: 1012


Democracy is vulnerable to a 51% attack.


View Profile WWW
September 04, 2012, 10:14:28 AM
 #17

If multiples accounts access from the same IP, they can't know whether it's the same individual trying to trade more than the threshold, or if they're multiple individuals.
If multiple accounts access from different IPs, they also can't know whether it's the same individual or not. So detecting account accesses from the same IP seems kind of pointless.

Quote
They could, though, sum the amounts transfered by all unverified accounts using the same IP and only block them when the total unverified amount passes the threshold. Verified accounts, as davout's, should not be frozen because an unverified account used the same IP.
I still think this is pretty boneheaded, but not as boneheaded as what they actually do. There are still many small ISPs whose clients *all* share a single public IP.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
davout (OP)
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


1davout


View Profile WWW
September 04, 2012, 11:33:48 AM
 #18

Last response from the support :
Quote
Gene, Sep 04 17:57 (JST):
Hello David,

We did check and your account requires verification and we are sorry that we will not be able to proceed without the verification as per our policy.We request you to submit the documents for verification so we can have the account verified by our AML team.Thank you for your cooperation and patience in the process.

Thanks,

MtGox.com Team

My answer :
 - My account is verified
 - You have a copy of my passport
 - You sent a Yubikey to my home address
 - My account didn't go to an "Unverified" state, it went to "Fully locked". Right now I can not withdraw even a single bitcent.

If you want to somehow unverify my account because the documenation I submitted isn't enough anymore then fine, but take me to "Unverified", not "Locked down".

Additionnaly if there are additional verification requirements since September 2011 you should have notified me in advance, let me decide whether I wanted to comply or take my business elsewhere. But CERTAINLY NOT freeze my account and lock my funds without any kind of police report or accountability.

I do not think it is bad to have stringent AML requirements, it's even necessary. But the way they are implemented in my particular case is not acceptable. I refuse to see my money frozen arbitrarily and instantly.

The minute my account becomes unlocked I will repost my documentation because I'm willing to comply with the AML requirements. What I do not accept is the "locked funds" way of bullying people.

See my withdrawal limits to check that my account was indeed verified :


phungus
Full Member
***
Offline Offline

Activity: 128
Merit: 100


I'm doin' fine on cloud 9


View Profile
September 04, 2012, 01:43:11 PM
 #19


09:38 < phungus> damn, fail... https://bitcointalk.org/index.php?topic=105638.0
09:38 < Title> [ Beware, MtGox arbitrarily freezing verified accounts ]
09:39 <@MagicalTux> phungus: just checked, his account is not verified, and was never verified


Davout, looks like they don't think you are verified.

-p

I can do stuff
MagicalTux
VIP
Hero Member
*
Offline Offline

Activity: 608
Merit: 501


-


View Profile
September 04, 2012, 01:45:34 PM
Last edit: September 04, 2012, 02:02:28 PM by MagicalTux
 #20

And apparently MT has too much on his plate to even acknowledge an IRC message.

Found the IRC message in the log, but could have been better by email.

Anyway your account shows no trace of ever being verified. This said if you "verified" using the very old method of sending docs by email to myself, it actually has no effect for two reasons:
  • We created the new process because sending documents by email is only secure if all relaying MX servers are trusted and support SSL, and because of the large volume of emails we received. However when creating the new system is was not practical to manually go through all those emails and transfer the data to the secure storage.
  • Because of AML requirements, we need an utility bill or any other proof of home address (having received a yubikey is not acceptable).
.
Also should be noted that the old MtGox system did not track users' verification status, causing all verified status to vanish when the switch was done in June 2011. Users were invited to re-verify at that time. If you didn't, then it means your account was not verified, and as such can end needing to be verified if specific conditions are met.

It should also be noted that we are actually required to require AML data from all customers, but allow use of the service anyway as long as we don't see anything that could be suspicious (in case of fraud we end paying if we don't have any aml data). "Suspicious" is defined as anything that has been known to be done by hackers. This includes accessing multiple accounts, using proxies, etc...


Also an extra note:
So apparently it's because Paymium and I both have MtGox accounts, and we're connecting from the same IP (wow, surprise surprise)

Paymium, I remember seeing that in my mailbox... Yep, the guys who registered a "bitcoin" trademark in France to steal the bitcoin.fr domain. Hope now they know that no, it's not "legit" to register a trademark for the purpose of taking over a domain name.
Pages: [1] 2 3 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!