Ideas for increasing exchange security

[tymothy]

In light of the recent hackings and considering the value of sums being held in exchange accounts, it's obvious that exchanges need to start offering increased security measures to their users. Though no feature can ever make a partially open system completely secure, many measures can reduce the risk of accounts being compromised or damage done without significantly impacting user experience. I propose that the following options be made available to users, who can activate them if they wish. (Deactivation, obviously, would require a few extra hurdles). Not every feature is right for every user, but that's the beauty of choice.

1. Locking accounts to one withdrawal bitcoin address/limit withdrawal address changes: Users can lock an account to a single withdrawal address. Bitcoins can then only be withdrawn to that wallet. I think this would help mitigate damage done to a compromised account. If the hacker can only withdraw bitcoins to the users account, it's no help unless the wallet is also compromised. If a user wishes to change their address, a confirmation link would be emailed/texted/phoned to them and a 72 hour waiting period could apply. Also only the last 4 characters of an address could be shown, to help protect the user's identity.

2. Locking non-bitcoin currency withdrawal options. Same as above, except for Dwolla/Bank/other accounts.

3. Requiring email confirmation of especially large withdrawals. Confirmation by text/email/phone and/or a waiting period could be set by the user for all withdrawals over X amount.

4. A log of IP addresses which have accessed the account in the last week. Like the gmail feature. Useful for determining if a hacker has accessed the account.

5. A user imposed limit on the number of trades per day. If a hacker did compromise your account and found he couldn't withdraw money to his own accounts he could still be a real dick and constantly buy and sell your assets until they all got eaten up as exchange fees. Some users typically buy and hold they could decide to limit their account to say, 5 trades per day.

I think these options would significantly cut down on stolen exchange funds and most would be very easy to implement. Obviously more elaborate and extensive hacking could circumvent these measures, but I think they'd be a sufficient deterrent.


Thoughts and other ideas?

[1714194544]

1714194544

[1714194544]

1714194544

[relative]

Thoughts and other ideas?

isnt it obvious? what banks and brokers do.
ranging from transaction numbers, transaction cards that dont have to be replaced, to devices that generate a transaction-specific authorization code.

[helo]

Thoughts and other ideas?

Two concepts, "BTC secure" certification and operator identity verification.

This is unavoidable, and as soon as an exchange with both will appear they will become the de facto standard. Same goes for the online wallet concept as these are undoubtedly related. Currently everyone is semi-hiding in the trenches, why would you deposit $5K or same worth in BTC with MTGox - for God's sake they don't even have a mailing address on their website!!!!

BB

[S3052]

Thoughts and other ideas?

isnt it obvious? what banks and brokers do.
ranging from transaction numbers, transaction cards that dont have to be replaced, to devices that generate a transaction-specific authorization code.

+1 This is really needed.

[gene]

One thing that would help is using a well written, peer reviewed codebase. The only one that I know of is bitcoin-central. Of course, this has to run on top of a secure and well monitored infrastructure. No amount of transaction numbers, transaction cards or authorization codes will help if those requirements aren't met first.

[joepie91]

1. Always using POST requests for logging in (Mt. Gox apparently still uses GET requests, which is very dangerous)

2. *Always* an email/SMS verification for moving money out of an account, regardless of amount (you should not be able to turn this off, or people will go the "easy route"), like withdrawing to BTC address / bank account / sending to another exchange account.

3. Optionally a verification email/SMS for every action (trade, withdraw, deposit, etc).

4. For withdrawal forms etc, use CSRF tokens (Bitcoin7 has/had a CSRF vulnerability where you could steal bitcoins).

5. Blocking an IP from logging in after 3-5 failed attempts, freeze an account after 10 failed attempts regardless of IP (this will stop distributed bruteforcing), and only allow login after SMS(/email) verification.
You could even make an option to require SMS verification for every login.

6. Login captchas. This also helps in preventing "freezing attacks" where someone repeatedly makes failed attempts on purpose to freeze the victims account.

7. API keys for the API. Seriously, it is a REALLY bad idea to let someone send his main account login with every API request. API keys, API keys, API keys.


Also, an open codebase would definitely be a good idea - especially when the site itself encourages users to audit the code.

[[Coins!]]

I really like the ideas in the OP and joe's ideas above.

[helo]

Joe's ideas are good and there are many more to be implemented. Bottom line unless an outside authority can certify that a website follows secure programming practices then you are left with trusting the operator alone. Now this worked in the fall on 2010 when Bitcoin was a small community, but you can't expect to sustain the current flow of new interested users/providers without providing a trust central. Of course this goes against the decentralized concept, but let's be honest, people will get scammed if we don't do something. And if people get scammed that's what will transpire in the media. Today's BTC millionaires should step up and fund a central trust authority, if they don't do it no one else will. Oh and did we mention that Satoshi or whatever-his-name-is owns 10%+ of all bitcoins in circulation? He could finance this with his eyes closed, if he truly exists that is.

[joepie91]

Another one:

If an IP logs on to at least two or three different accounts that all had a different IP "linked" to it before, you can be 99,99% sure it's not the owner of the account, in which case it would be a good idea to freeze all accounts he logged in to, block the IP, and log it.

[markm]

If I ran an exchange I would want to do it at a physical space that I control, not some hosting place somewhere that people I do not know have physical access to.

If I started small this might limit my bandwidth significantly but if enough people used it to make bandwidth a problem presumably it would be feasible to increase the bandwidth.

I really do not like the idea of putting wallets on machines I do not physically control access to.

-MarkM-

[davout]

Lots of good ideas here, going to cherry pick a bunch for BCs todo-list.

4. For withdrawal forms etc, use CSRF tokens (Bitcoin7 has/had a CSRF vulnerability where you could steal bitcoins).

These should go on every single form actually.

Also, an open codebase would definitely be a good idea - especially when the site itself encourages users to audit the code.

Yes, it is

[hazek]

The answer to this question couldn't be simpler. Hire competent hackers to try and exploit any angle they can find and let you know of any holes the find?

Pretty straight forward..

[davout]

The answer to this question couldn't be simpler. Hire competent hackers to try and exploit any angle they can find and let you know of any holes the find?

Pretty straight forward..

That just doesn't work. Because not only do your hackers have to be competent, they also have to be honest. And that's a whole different story...

[Jered Kenna (TradeHill)]

Thank you for all the good suggestions.
TradeHill actually manually approves large transfers of funds (btc included) in and out of the exchange.
I currently have a 2500btc withdrawal that looked suspicious and I put on hold.
I've sent an email and believe that it may be a fraudulent transfer.

We're always looking for ways to improve and listening to feedback.