[BTC-TC] Virtual Community Exchange [CLOSED]

[burnside]

Quick note, we had a 30 minute outage just a little while ago.  There was a bug in our drip software that caused an infinite loop.  Took down the app server for a while.  It should be fixed now.

Cheers.

[burnside]

Big change tonight to the reset process for PINS, WITHDRAWAL ACCOUNT LOCKS, GOOGLE AUTH, and YUBIKEYS.

Please visit https://btct.co/resetRequest if you need to reset any of the above.

It will send you an email.
You confirm the request by clicking the link in the email.
The request then sits in our queue for 30 days.
During the 30 days the request detail and status appears at the top of the portfolio page, including a cancel button to cancel the request.
After 30 days we process the request.

We apologize for the long wait period on doing these resets, but it is important to give an owner of a compromised email account plenty of time to realize they are compromised and recover their account before we hand over their entire account contents.

Automating this process has the side benefit that we'll be able to make resets free of charge going forward.  (each reset used to be 0.5 BTC)

Cheers.

[burnside]

Hi all, my schedule is going to be very tight this week.  This is bound to slow down withdrawals, support requests, and ASICMINER transfers.  I apologize for any inconvenience in advance.

Cheers.

[runeks]

I was thinking about creating a python library to wrap the BTC-TC API.  Who would find such a thing useful?

Me!

Please do it.

[Greydon Isis]

++PM see mmm+++-[BRAND NEW]-*DON'T UNDERESTIMATE OUR/\SUPERCOMPUTERS' FRIENDS FRIEDCAT AND OTHER "PASSTHROUGH" MARKETS=MASSIVE FOREIGN FVNNY MONEY IMO!!!!!
 
 

[pascal257]

Big change tonight to the reset process for PINS, WITHDRAWAL ACCOUNT LOCKS, GOOGLE AUTH, and YUBIKEYS.

Please visit https://btct.co/resetRequest if you need to reset any of the above.

It will send you an email.
You confirm the request by clicking the link in the email.
The request then sits in our queue for 30 days.
During the 30 days the request detail and status appears at the top of the portfolio page, including a cancel button to cancel the request.
After 30 days we process the request.

We apologize for the long wait period on doing these resets, but it is important to give an owner of a compromised email account plenty of time to realize they are compromised and recover their account before we hand over their entire account contents.

Automating this process has the side benefit that we'll be able to make resets free of charge going forward.  (each reset used to be 0.5 BTC)

Cheers.

Well first of all its great that the process is now free and automated. But there has to be a better solution than having to wait 30 days. I guess just a few requests will be malicious and in this case there's still the possibility that I don't login within 30 days. Also the attacker needs to know the PIN or have 2FA in order to do anything serious.
In my opinion you buy little security with the waiting period with A LOT of inconvenience. What about asking for the PIN in case of lost 2FA and vice versa? Maybe together with a waiting period, but 30 days? Thats insane.

[TsuyokuNaritai]

+1. Mandatory 30 days is crazy.

Maybe have the time limit be settable by the user (pin/2FA required to change)? So if someone is normally on every day they can set it to say 5 days, but someone who hardly ever uses it could set it to 60 if they like. Then no complaints due to burnside whatever the outcome, because it was the user's decision what the wait should be.

[burnside]

+1. Mandatory 30 days is crazy.

Maybe have the time limit be settable by the user (pin/2FA required to change)? So if someone is normally on every day they can set it to say 5 days, but someone who hardly ever uses it could set it to 60 if they like. Then no complaints due to burnside whatever the outcome, because it was the user's decision what the wait should be.

 This seems sensible. Of course, an unauthorized access could then change it, so make (reduction) changes wait 30 days, in the same fashion. We can't have everything, but options are good, so long as the user is made blatantly aware that changing from the default carries an increased security risk.

You can easily avoid ever having to use this reset system:

If you use a PIN, write it down somewhere safe.

If you use Google Auth print the QR code or write down the secret somewhere safe.

If you use Yubikeys, setup Google Auth as a backup or have a second backup key.

Don't permanently lock your withdrawal address unless you really mean it to be permanent.  (2FA makes this feature overkill, just turn on 2FA.)


A little forethought/prevention goes a long way.  The reset requests are an absolute last resort and really shouldn't have been necessary at all.  The other thing to keep in mind is that eventually we'll be offering instant resets in exchange for escrow of 150% of the account value to be held 30 days.  Also, you can create alt accounts in the interim period if you really need to make a trade.

In summary, you can prevent ever needing this and when your email is compromised, you'll be glad it's like this.  (Just ask the couple of people that have lost everything...)

Cheers

[Lohoris]

What about asking for the PIN in case of lost 2FA and vice versa? Maybe together with a waiting period, but 30 days? Thats insane.

This is insane.

I think PIN is terrible and I use 2FA, and if people could reset my 2FA using my PIN would completely defeat the purpose of using 2FA in the first place!

[runeks]

Three questions:

1. Are the options on the exchange European style or American style? Meaning can I exercise them at any point in time up to the expiration date, or only on the expiration date?

2. Also, if I buy put options from someone, is it guaranteed that the user can fulfill his obligations in case the asset goes to 0 (worst case scenario for him)? Ie., for someone who writes put options, is the full amount of BTC required to fulfill the obligation locked in his account?

3. Is there a secondary market for options, or can I only buy options from issuers, and exercise them, but not sell them to someone else?

1) American

2) The exchange reserves all coins/shares required in the accounts of the options writers.

Great!

3) They can be resold at whatever premium you want to relist them for.

So can options that I own function as collateral for writing options myself?

If I, for example, buy a put option with a strike price of 1.0 BTC, the issuer will need 1.0 BTC in his account to be able to fulfill this promise under all circumstances. If I then write a put option for the same asset with a strike price of 1.0 BTC or less, will the put option that I already own then function as collateral for the put option that I write?

+1. Mandatory 30 days is crazy.

Maybe have the time limit be settable by the user (pin/2FA required to change)? So if someone is normally on every day they can set it to say 5 days, but someone who hardly ever uses it could set it to 60 if they like. Then no complaints due to burnside whatever the outcome, because it was the user's decision what the wait should be.

 This seems sensible. Of course, an unauthorized access could then change it, so make (reduction) changes wait 30 days, in the same fashion. We can't have everything, but options are good, so long as the user is made blatantly aware that changing from the default carries an increased security risk.

[...]

If you use Google Auth print the QR code or write down the secret somewhere safe.

[...]

As far as I remember I was only shown a QR code, and not the secret key. I would like to have written down the secret key, but as far as I remember I didn't have that option. Do I recall correctly?

I don't have a printer, so printing the QR code is not an option.

[pascal257]

What about asking for the PIN in case of lost 2FA and vice versa? Maybe together with a waiting period, but 30 days? Thats insane.

This is insane.

I think PIN is terrible and I use 2FA, and if people could reset my 2FA using my PIN would completely defeat the purpose of using 2FA in the first place!

That's why I suggested also using a waiting period. An attacker shouldn't know your PIN, so you could reduce the waiting period from lets say 30days to 7 days by authenticating yourself using your PIN/2FA.

[runeks]

What about asking for the PIN in case of lost 2FA and vice versa? Maybe together with a waiting period, but 30 days? Thats insane.

This is insane.

I think PIN is terrible and I use 2FA, and if people could reset my 2FA using my PIN would completely defeat the purpose of using 2FA in the first place!

That's why I suggested also using a waiting period. An attacker shouldn't know your PIN, so you could reduce the waiting period from lets say 30days to 7 days by authenticating yourself using your PIN/2FA.

I think 30 days is reasonable if you lose your 2FA. 7 days is not enough. 7 days means someone can compromise my account if I'm on vacation and don't read emails for a week.

[EskimoBob]

Why is the exchange running on London time and not UTC?

[dexX7]

Why is the exchange running on London time and not UTC?

You can edit the time zone under Account - Settings.

[burnside]

Three questions:

1. Are the options on the exchange European style or American style? Meaning can I exercise them at any point in time up to the expiration date, or only on the expiration date?

2. Also, if I buy put options from someone, is it guaranteed that the user can fulfill his obligations in case the asset goes to 0 (worst case scenario for him)? Ie., for someone who writes put options, is the full amount of BTC required to fulfill the obligation locked in his account?

3. Is there a secondary market for options, or can I only buy options from issuers, and exercise them, but not sell them to someone else?

1) American

2) The exchange reserves all coins/shares required in the accounts of the options writers.

Great!

3) They can be resold at whatever premium you want to relist them for.

So can options that I own function as collateral for writing options myself?

If I, for example, buy a put option with a strike price of 1.0 BTC, the issuer will need 1.0 BTC in his account to be able to fulfill this promise under all circumstances. If I then write a put option for the same asset with a strike price of 1.0 BTC or less, will the put option that I already own then function as collateral for the put option that I write?

+1. Mandatory 30 days is crazy.

Maybe have the time limit be settable by the user (pin/2FA required to change)? So if someone is normally on every day they can set it to say 5 days, but someone who hardly ever uses it could set it to 60 if they like. Then no complaints due to burnside whatever the outcome, because it was the user's decision what the wait should be.

 This seems sensible. Of course, an unauthorized access could then change it, so make (reduction) changes wait 30 days, in the same fashion. We can't have everything, but options are good, so long as the user is made blatantly aware that changing from the default carries an increased security risk.

[...]

If you use Google Auth print the QR code or write down the secret somewhere safe.

[...]

As far as I remember I was only shown a QR code, and not the secret key. I would like to have written down the secret key, but as far as I remember I didn't have that option. Do I recall correctly?

I don't have a printer, so printing the QR code is not an option.

Replying from my cell so can't really quote inline. 

The options can't currently be backed by other options because they do not yet auto-exercise.  Working on it...

The code should have been displayed below the QR code.  You can turn 2FA off and it should show it to you again.

Cheers.

[dadach]

whats going on? why am i getting acces denied message?
thanks for the info...

[Streets 2.0]

whats going on? why am i getting acces denied message?
thanks for the info...

I get the same, was worried for a second until I saw your post.  I am sure burnside will get it figured out

EDIT:  Few minutes later and it is fixed

[God9394]

Has anyone found their balance empty? Shall it be that btc-tc is a scam?

[Streets 2.0]

Has anyone found their balance empty? Shall it be that btc-tc is a scam?

No, I am intact... did you get cleaned out?

[God9394]

No balance back now. glitch ?

site hacked?