Bitcoin Forum
January 18, 2019, 07:04:48 PM *
News: Latest Bitcoin Core release: 0.17.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2] 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 »
  Print  
Author Topic: [ANN] 1Broker.io - Trade forex, indices, stocks and commodities  (Read 84761 times)
exxe
Full Member
***
Offline Offline

Activity: 187
Merit: 100



View Profile
December 20, 2012, 07:14:12 PM
Last edit: December 21, 2012, 01:48:12 PM by exxe
 #21

Without wanting to offend someone but I think MPOE-PR is not the right guy for me. I often feel uncomfortable when I read his posts in this forum.

Edit: Sorry for assuming that you are male, MPOE-PR.
1547838288
Hero Member
*
Offline Offline

Posts: 1547838288

View Profile Personal Message (Offline)

Ignore
1547838288
Reply with quote  #2

1547838288
Report to moderator
1547838288
Hero Member
*
Offline Offline

Posts: 1547838288

View Profile Personal Message (Offline)

Ignore
1547838288
Reply with quote  #2

1547838288
Report to moderator
1547838288
Hero Member
*
Offline Offline

Posts: 1547838288

View Profile Personal Message (Offline)

Ignore
1547838288
Reply with quote  #2

1547838288
Report to moderator
You get merit points when someone likes your post enough to give you some. And for every 2 merit points you receive, you can send 1 merit point to someone else!
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1547838288
Hero Member
*
Offline Offline

Posts: 1547838288

View Profile Personal Message (Offline)

Ignore
1547838288
Reply with quote  #2

1547838288
Report to moderator
1547838288
Hero Member
*
Offline Offline

Posts: 1547838288

View Profile Personal Message (Offline)

Ignore
1547838288
Reply with quote  #2

1547838288
Report to moderator
1547838288
Hero Member
*
Offline Offline

Posts: 1547838288

View Profile Personal Message (Offline)

Ignore
1547838288
Reply with quote  #2

1547838288
Report to moderator
rini17
Sr. Member
****
Offline Offline

Activity: 340
Merit: 250


GO http://bitcointa.lk !!! My new nick: jurov


View Profile WWW
December 20, 2012, 11:05:55 PM
 #22

Without wanting to offend someone but I think MPOE-PR is not the right guy for me. I often feel uncomfortable when I read his posts in this forum.
Someday you'll have to learn to do business with people who make you uncomfortable, too. Plus, devoting few of these thousands hours to doing deeper research about other market players (so at least you'll know the correct gender of people involved) instead of relying on bitcointalk drama won't hurt.

CoinBr.com: First online MPEx brokerage launched beta! Easy to use interface and reasonable fees. Charts for MPEx stocks: live.coinbr.com * My Blog *
exxe
Full Member
***
Offline Offline

Activity: 187
Merit: 100



View Profile
December 21, 2012, 01:01:53 PM
Last edit: December 21, 2012, 01:47:05 PM by exxe
 #23

Someday you'll have to learn to do business with people who make you uncomfortable, too.
I disagree.

Plus, devoting few of these thousands hours to doing deeper research about other market players (so at least you'll know the correct gender of people involved) instead of relying on bitcointalk drama won't hurt.
Well, the creator of MPEX is called Miracea right  Huh (Miracea is a male name I guess). And MPOE-PR is another person? However, this is really offtopic now.

Thanks for your critisism anyway.

Edit: I got it know I guess. Added an excuse to MPOE-PR to the post above.
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1001


View Profile
December 31, 2012, 07:10:07 AM
 #24

Regarding this "Master Key" business.

From Wikipedia:

Quote
Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is").
- http://en.wikipedia.org/wiki/Two-factor_authentication

A "Master Key" is simply an additional password.  Passwords are extremely vulnerable to a replay attack.

Please consider adding true 2FA such as OTP / Google Authenticator.

If you do add 2FA, please implement it properly -- i.e., always require the OTP for each and every withdrawal request.

A plea to exchanges ... lets do 2 factor right!
 - http://bitcointalk.org/index.php?topic=109424.0

Also, there mgiht be a better resolution than "oops, all your coins belong to us" in the case where the OTP is lost.   For instance, allowing me to specify an exit address would allow for withdrawal should something happen, like let's say my house burns down and both my phone and the backup copy of my OTP secret are lost.
 - http://en.bitcoin.it/wiki/Exit_Address

Unichange.me

            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █


exxe
Full Member
***
Offline Offline

Activity: 187
Merit: 100



View Profile
December 31, 2012, 12:27:19 PM
 #25

I have thought really long about the Master Key logic and also noticed that libertyreserve.com uses a similar thing.

The advantages of the current system are:
  • Every user is forced to use it when withdrawing. From my experience most people don't use 2FA if it's an opt-in.
  • It is easy to understand and you don't need (smart)phones, a Google Account or whatever.
  • You can login and trade on insecure systems without risking that someone can withdraw everything a few minutes later.
  • After 3 failed attempts to withdraw the account gets locked for one day and triggers an email notification.
  • Lost Master Keys can be resetted (but with a waiting period, email notifications and a big warning message when you log in).
  • An attacker cannot withdraw Bitcoins if he manages to steal a session.

Downsides are:
  • If an attacker has access to the email account, 1Broker account and the user does not log in during the waiting period the 2FA mechanism fails. (Could be solved by increasing the waiting period)
  • Lazy users may store their Master Key at insecure places.

The current system is not set in stone however. I'm always open for changes and ideas are welcome. IMHO it's currently more secure than an opt-in GAuth. (for the average user)

Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1001


View Profile
December 31, 2012, 01:34:45 PM
 #26

I'm always open for changes and ideas are welcome.

I guess I need to pull out some bigger ammo:

MtGox account got cleared out
 - http://bitcointalk.org/index.php?topic=85533.0

All BTC disappeared from my Mt. Gox account
 - http://bitcointalk.org/index.php?topic=88368.0

Another:
 - http://bitcointalk.org/index.php?topic=80562.msg941759#msg941759

And another: My mtgox account got compromised, what can I do?
 - http://bitcointalk.org/index.php?topic=84585.0

Yet more: MT.Gox account hacked - lost 2k USD - MT.GOX will not explain how.
 - http://bitcointalk.org/index.php?topic=89142.0

And more again: Bitcoins stolen from MtGox
 - http://www.reddit.com/r/Bitcoin/comments/x8lcv/bitcoins_stolen_from_mtgox

And yet more: Stolen from Mt.Gox coins. Help return the coins.
 - http://bitcointalk.org/index.php?topic=119816.0

Or more here: Email from Mt.Gox this morning.
 - http://www.reddit.com/r/Bitcoin/comments/z0na5/email_from_mtgox_this_morning

And even more here: I just had $715 stolen out of my Mt. Gox account.
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account

And the biggie: Bitcoinica MtGox account compromised
 - http://bitcointalk.org/index.php?topic=93074.0

With more here: Unauthorized Account Activity on my Mt.Gox Account - Account Compromised/Hacked?
 - http://bitcointalk.org/index.php?topic=94140.0

And on other services as well. Here same thing happened to some GLBSE users:
 - http://bitcointalk.org/index.php?topic=84893.0

And elsewhere, BitMarket.eu in this instance:
 - http://bitcointalk.org/index.php?topic=5441.msg1259168#msg1259168

And now on bitcoin.de as well: Bitcoins stolen from bitcoin.de.
 - http://bitcointalk.org/index.php?topic=130264.0

In none of these was the person using multi-factor authentication. Mt. Gox has had Yubikey support for a while. Mt. Gox accounts now support Google Authenticator as well:
 - https://mtgox.com/press_release_20120605.html


This is advice you will see shared by many here:

If the exchange you are storing funds with doesn't provide OTP, consider using a different exchange:
 - http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges

If you are storing funds in an EWallet, consider using a paper wallet.

Here is a fantastic guide: How to use 2-factor auth on mtgox, even without a smartphone (from a second device, of course, not from the same computer you log in on).
 - http://bitcointalk.org/index.php?topic=111943.0

it's currently more secure than an opt-in GAuth. (for the average user)

You could offer each user the choice -- Master Key or OTP.

Unichange.me

            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █


exxe
Full Member
***
Offline Offline

Activity: 187
Merit: 100



View Profile
December 31, 2012, 03:04:25 PM
 #27

You could offer each user the choice -- Master Key or OTP.
This sounds good. Added to the TODO list.
fimp
Sr. Member
****
Offline Offline

Activity: 304
Merit: 250



View Profile WWW
January 02, 2013, 09:24:45 PM
 #28

Hello exxe

A very interesting service that I could be interested in testing. However, for me to trust you, your business has to make sense to me - i.e. I need to understand how your business can be profitable so you have an incentive to keep running it instead of just stealing people's coins. Also because your spreads are very low.

So a question:

I assume you hedge the positions entered by your users by entering positions of your own on the regular markets. Assets and positions are denominated in BTC on 1Broker. How do you intend to pay back customers their full BTC amount if BTC rate goes up while they are in a market position - and your funds are used in hedging positions on the normal markets denominated in USD?

exxe
Full Member
***
Offline Offline

Activity: 187
Merit: 100



View Profile
January 02, 2013, 10:11:42 PM
 #29

Hello exxe

A very interesting service that I could be interested in testing. However, for me to trust you, your business has to make sense to me - i.e. I need to understand how your business can be profitable so you have an incentive to keep running it instead of just stealing people's coins. Also because your spreads are very low.

So a question:

I assume you hedge the positions entered by your users by entering positions of your own on the regular markets. Assets and positions are denominated in BTC on 1Broker. How do you intend to pay back customers their full BTC amount if BTC rate goes up while they are in a market position - and your funds are used in hedging positions on the normal markets denominated in USD?

Hi!
My real identity is known to theymos and some other members, so stealing funds wouldn't be so smart.

But I understand your concerns:
Currently most positions are not open longer than a few hours. For this type of positions hedging isn't necessary as the outcome is basically random. (at least for inexperienced traders) For longer term positions and small leverages we hedge on trusted European CFD platforms with EUR denominated accounts. This CFD platform has a bit smaller spreads too. The BTC/EUR volatility risks can be reduced by using the cost-average-effect (http://en.wikipedia.org/wiki/Dollar_cost_averaging).

Currently we are making small but stable profits. Parameters like spreads still need to be tested and could be increased, but it looks good right now.  Smiley
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1005


Gerald Davis


View Profile
January 02, 2013, 10:19:49 PM
 #30

You could offer each user the choice -- Master Key or OTP.

Stephen is being nice.  Master Key = idiotic. 
A second password is no real security and offering it to users is simply going to lead to a false sense of security.
exxe
Full Member
***
Offline Offline

Activity: 187
Merit: 100



View Profile
January 02, 2013, 10:35:55 PM
 #31

You could offer each user the choice -- Master Key or OTP.

Stephen is being nice.  Master Key = idiotic. 
A second password is no real security and offering it to users is simply going to lead to a false sense of security.

Theoretically yes. However, my experience is that most account hacks result from hacks on other services and users using the same password or simply email account hacks. A master key could save the user in these cases.
I have seen this type of system quite often and think it's better than nothing.

Implementing an opt-in GAuth is on the todo list, however.

I'm removing the the 'extremely secure' in the security page, too. The Master Key is not worth this phrase, you are right, but I disagree with calling it idiotic.

 
wuala
Full Member
***
Offline Offline

Activity: 163
Merit: 100


Luk, soy tu padreeee


View Profile
January 02, 2013, 10:40:52 PM
 #32

Another gambling site?

 Wink

Leave the force be with you...
exxe
Full Member
***
Offline Offline

Activity: 187
Merit: 100



View Profile
January 02, 2013, 10:52:20 PM
 #33

Another gambling site?

 Wink

With customizable leverages you can gamble or invest. This is the intention behind this service.
exxe
Full Member
***
Offline Offline

Activity: 187
Merit: 100



View Profile
January 08, 2013, 04:05:06 PM
 #34

I'm thinking about the way of implementing a "real" 2FA (at least on withdrawing) and I came to the conclusion that OAuth, Google Authenticator and others are not optimal. They require good technical skills/a Google Account/.. which will eventually lock out some people.
I'm now tending to a SMS TAN system which everyone knows from banks.

The advantages would be:
  • (Nearly) everyone can use it and understands it.
  • It is long-term tested and considered secure.

Anyone has concerns or feedback?
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1005


Gerald Davis


View Profile
January 11, 2013, 03:24:30 PM
 #35

Theoretically yes. However, my experience is that most account hacks result from hacks on other services and users using the same password or simply email account hacks. A master key could save the user in these cases.
I have seen this type of system quite often and think it's better than nothing.

Implementing an opt-in GAuth is on the todo list, however.

I'm removing the the 'extremely secure' in the security page, too. The Master Key is not worth this phrase, you are right, but I disagree with calling it idiotic.

Idiotic was harsh.  I am glad you are taking security seriously.  However compared to a true 2FA system the system is going to leave keylogged users vulnerable.  Even with just an email compromised user depending on how active the user is if the user's email is compromised an attacker could still pull off an attack.  Your right though it is better than nothing.  It does prevent pure password re-use attacks and session stealing attacks (which the way some exchanges have poorly implemented 2FA don't).

I'm thinking about the way of implementing a "real" 2FA (at least on withdrawing) and I came to the conclusion that OAuth, Google Authenticator and others are not optimal. They require good technical skills/a Google Account/.. which will eventually lock out some people.  I'm now tending to a SMS TAN system which everyone knows from banks.

The advantages would be:
  • (Nearly) everyone can use it and understands it.
  • It is long-term tested and considered secure.

Anyone has concerns or feedback?


I would rethink Google Authenticator.  It doesn't really require any technical skills.  A user with smartphone and the ability to install an app is all that is necessary.   Pretty much user proof at this point.   

1) User installs GA app.
2) USer clicks on new site (on the app)
3) Users is directed to scan GA barcode (displayed on your website) with the smartphone.
4) Done. 

All the hard work is done on your end (generating & recording the GA secret keys, providing user with barcode, calculating current code and comparing to user provided value.  For the user it is copy code on phone to web form.

Still if you want to go SMS that is a valid option IMHO.  Personally I don't see any security flaws (not for the amounts users are likely to be protecting).  I did some testing with this provider and it might meet your needs.  They can set you up with a trial account with some free SMS for development.

http://www.cdyne.com/api/phone/sms/
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1001


View Profile
January 11, 2013, 11:43:43 PM
 #36

A user with smartphone and the ability to install an app is all that is necessary.

Or a cheap Android tablet even.

Or even simply a second computer using an HTML5 version of OTP authentication:

How to use 2-factor auth on mtgox, even without a smartphone
 - http://bitcointalk.org/index.php?topic=111943.0

Unichange.me

            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █


exxe
Full Member
***
Offline Offline

Activity: 187
Merit: 100



View Profile
January 12, 2013, 12:04:50 AM
 #37

I would rethink Google Authenticator.  It doesn't really require any technical skills.  A user with smartphone and the ability to install an app is all that is necessary.   Pretty much user proof at this point.   

Or a cheap Android tablet even.

Or even simply a second computer using an HTML5 version of OTP authentication:
And for the SMS based 2FA even a NOKIA 3210 is enough.  Tongue  I'm going to implement the SMS 2FA, but this doesn't mean that Google Authenticator or OAuth can't be implemented in the future.

I hope it gets ready before February. Thanks for the suggestions!
fimp
Sr. Member
****
Offline Offline

Activity: 304
Merit: 250



View Profile WWW
January 12, 2013, 12:28:24 AM
 #38

The BTC/EUR volatility risks can be reduced by using the cost-average-effect (http://en.wikipedia.org/wiki/Dollar_cost_averaging).
This doesn't make sense, or maybe we're talking about different things.

The situation could look like this:

* User buys 100BTC worth of Apple with no leverage at a time when 1 BTC = $10.
* BTC price goes up 100% so 1 BTC = $20
* Apple price goes up 100%, so now you owe the user 200BTC
* You must now spend $2000 to get the user his 100BTC profit. But if you were hedging the position on the markets yourself you have only earned $1000 from the doubling of the original $1000 worth of Apple that the user bought.
* So you lose $1000

How do you avoid this?

exxe
Full Member
***
Offline Offline

Activity: 187
Merit: 100



View Profile
January 12, 2013, 01:08:35 AM
 #39

The BTC/EUR volatility risks can be reduced by using the cost-average-effect (http://en.wikipedia.org/wiki/Dollar_cost_averaging).
This doesn't make sense, or maybe we're talking about different things.

The situation could look like this:

* User buys 100BTC worth of Apple with no leverage at a time when 1 BTC = $10.
* BTC price goes up 100% so 1 BTC = $20
* Apple price goes up 100%, so now you owe the user 200BTC
* You must now spend $2000 to get the user his 100BTC profit. But if you were hedging the position on the markets yourself you have only earned $1000 from the doubling of the original $1000 worth of Apple that the user bought.
* So you lose $1000

How do you avoid this?
Imagine 50 people having open positions on Apple. (long and short, no leverage) Short positions have a total value of: 100 BTC, Long positions have a total value of 300 BTC. Let's assume that we already hedge the required amount of 200*14.2 USD. Every week for example, this is recalculated, and adjusted. There are now 23 possibilities of the outcome. (BTC/USD: up, Apple: up, Apple hedge amount: up | BTC/USD: down, Apple: up, Apple hedge amount: up, ...). In the end sometimes we profit and sometimes not, but this is a zero sum game minus some fees.

Even more important:
In reality this isn't a big problem. Most people are using high leverages which create good profits from spreads without the necessity of hedging.
Your example is a worst case: 1 user, high amount, no leverage, bad outcome. The masses make CFD brokers profitable.
evoorhees
Legendary
*
Offline Offline

Activity: 994
Merit: 1003


Democracy is the original 51% attack


View Profile
January 21, 2013, 08:10:45 PM
 #40

Wanted to post here that I deposited 100btc at 1Broker, and went long on USD/BTC at 5x leverage. I earned 40btc and the site payed out correctly (I have withdraw 140 btc). So at least from this anecdote it was smooth and legitimate. Looking forward to seeing this site develop further Smiley
Pages: « 1 [2] 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 »
  Print  
 
Jump to:  

Bitcointalk.org is not available or authorized for sale. Do not believe any fake listings.
Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!