Bitcoin Forum
Author Topic: TradeHill - Captcha and lockout added to the site  (Read 1890 times)
Jered Kenna (TradeHill)
June 20, 2011, 07:40:15 AM
 #1

No one likes to use captchas but site security is paramount.
We've added one to our login and multiple failed attempts will now cause a lock out.
This should reduce the chances of an effective brute force attack.

If you have used the same password on Mt Gox and TradeHill you should change it as soon as possible.

We are scheduled to resume trading at 10am Monday morning EST.

We will be continually reevaluating and upgrading our security.

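The lockout described in the post above (several consecutive failures freeze the account for a cooling-off period, a correct password resets the counter) can be implemented as a small guard in front of the password check. This is an added example, not TradeHill's code; the threshold of 5 failures, the 15-minute window, the PBKDF2 parameters and the injectable clock are assumptions made here so the behaviour is testable.

```python
"""Failed-login lockout guard (added example, not TradeHill's code).

After MAX_FAILURES consecutive wrong passwords the account is locked for
LOCKOUT_SECONDS; a correct password clears the failure counter.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed threshold
LOCKOUT_SECONDS = 15 * 60   # assumed cooling-off window
PBKDF2_ROUNDS = 100_000     # assumed work factor


@dataclass
class AccountState:
    password_hash: bytes
    salt: bytes
    failures: int = 0        # consecutive failures since last success
    locked_until: float = 0  # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked database is not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable for tests; real code uses time.time
        self.accounts: dict = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = AccountState(hash_password(password, salt), salt)

    def login(self, user: str, password: str) -> str:
        """Return "ok", "denied" or "locked"."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            # Hash anyway so response time does not reveal which users exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            # Locked accounts are refused before the password is even checked,
            # so a guess made during the window yields no information.
            return "locked"
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.password_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")
    for attempt in ["wrong"] * MAX_FAILURES + ["correct horse battery staple"]:
        print(attempt, "->", guard.login("alice", attempt))
```

A per-account counter like this limits online guessing against one account, but it also hands anyone who knows a username a way to lock that user out, and it does nothing against an attacker trying one common password across many accounts; in practice it is paired with per-source rate limiting and logging of lockout events so the operations team can see a campaign in progress.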
nhodges
June 20, 2011, 07:51:26 AM
 #2

Cool, I can go to sleep and not worry that the trading is going to resume while my eyes are closed. :] Great talk on OnlyOneTV about forthcoming security improvements, excited to see them implemented!

ploum
June 20, 2011, 07:57:14 AM
 #3

A simple but effective measure could be to force email confirmation for any withdrawal.

In the longer term, I really hope to see GPG authentication required for big trades.

Jered Kenna (TradeHill)
June 20, 2011, 08:12:20 AM
 #4

Thanks Nhodges

Quote from: ploum
A simple but effective measure could be to force email confirmation for any withdrawal.

In the longer term, I really hope to see GPG authentication required for big trades.

We manually verify the big transfers. We held up a 2500btc transfer earlier and a few 500btc or so transfers.
Most likely legit but we prefer to take the time to send an email than risk someone logging in to find their Bitcoins missing.

We spent a lot of time tonight discussing different possibilities and will be implementing more features soon.

willphase
June 20, 2011, 08:23:12 AM
 #5

How about accepting OpenID? Then people could use Google's two-factor authentication.

Will

kjj
June 20, 2011, 08:25:02 AM
 #6

Your captcha is useless and annoying.  There are better ways to prevent oracle attacks.

If anyone is interested in breaking this style of captcha, the basic technique is: intensity histogram, contrast, despeckle, horizontal histogram, cut letters/find hulls, unrotate and rescale, build grid, lookup in database.  Building the database in advance is the hardest part, and it is really only hard if the site under protection isn't worth getting into.

Captchas were great 10 years ago, when not everyone knew how to break them.  By now, they have to be nearly unreadable to be effective.  Within a few years, I suspect that getting a correct answer for a difficult captcha will be taken as evidence against the humanness of the interpreter.

rebuilder
June 20, 2011, 08:29:07 AM
 #7

I second the call for two-factor authentication, though I'd prefer a list of numbers as banking sites use. Google's system uses SMS, as far as I know, and I'm not giving them my number. So, let the user print a list of one-time passcodes, a random one of which will be asked for when logging in, and when only 10 or so unused codes remain, tell the user to print a new set.

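The printed code list proposed in the post above (the server asks for a randomly chosen unused code at login, each code is burned once used, and the user is told to print a new sheet when about 10 remain) is a transaction-number style second factor. Below is an added example of that scheme; it is not any exchange's code. The 8-digit codes, 50 codes per sheet, the salted SHA-256 storage and the `rng` parameter (which lets tests substitute a seeded `random.Random` for `secrets`) are assumptions made here.

```python
"""Printed one-time passcode list (added example, not an exchange's code).

The server keeps only salted hashes of the codes; the plaintext sheet is
returned once for printing. At login the server picks the index to ask for.
"""
import hashlib
import hmac
import secrets
import string
from typing import Optional

CODE_LENGTH = 8          # assumed: digits per code
LIST_SIZE = 50           # assumed: codes per printed sheet
REISSUE_THRESHOLD = 10   # from the post: warn when ~10 unused codes remain


class OneTimeCodeList:
    def __init__(self, size: int = LIST_SIZE, rng=secrets):
        self.size = size
        self.rng = rng                      # secrets in production; seedable for tests
        self.salt = secrets.token_bytes(16)
        self.hashes: dict = {}              # index -> salted digest
        self.used: set = set()              # indices already consumed
        self.pending: Optional[int] = None  # index the user was asked for

    def _digest(self, code: str) -> bytes:
        return hashlib.sha256(self.salt + code.encode()).digest()

    def issue(self) -> list:
        """Generate a fresh sheet; return the plaintext codes for printing."""
        codes = ["".join(self.rng.choice(string.digits) for _ in range(CODE_LENGTH))
                 for _ in range(self.size)]
        self.hashes = {i: self._digest(c) for i, c in enumerate(codes)}
        self.used = set()
        self.pending = None
        return codes

    def remaining(self) -> int:
        return len(self.hashes) - len(self.used)

    def challenge(self) -> Optional[int]:
        """Server chooses which unused code to ask for, so a user (or an
        attacker holding one leaked code) cannot pick the index themselves."""
        unused = sorted(set(self.hashes) - self.used)
        if not unused:
            return None
        self.pending = self.rng.choice(unused)
        return self.pending

    def verify(self, index: int, code: str) -> bool:
        """Accept only the code that was challenged, and only once."""
        if self.pending is None or index != self.pending or index in self.used:
            return False
        if not hmac.compare_digest(self._digest(code), self.hashes[index]):
            return False   # wrong answer: challenge stays open; pair with a lockout
        self.used.add(index)   # burned: a replay of this code is rejected
        self.pending = None
        return True

    def needs_reissue(self) -> bool:
        """True once the sheet is nearly spent and the user should print a new one."""
        return self.remaining() <= REISSUE_THRESHOLD


if __name__ == "__main__":
    sheet = OneTimeCodeList()
    codes = sheet.issue()
    print("printed sheet:", {i: c for i, c in enumerate(codes)})
    idx = sheet.challenge()
    print("please enter code #%d ->" % idx, sheet.verify(idx, codes[idx]))
    print("remaining:", sheet.remaining(), "reissue:", sheet.needs_reissue())
```

Because the server stores only salted hashes, a database leak does not yield usable codes, and because the index is server-chosen and each code is single-use, a phished or shoulder-surfed code is worthless after one login. A wrong answer does not consume the code here; that choice only holds up if it is combined with the failed-attempt lockout discussed earlier in the thread, otherwise an 8-digit space can be guessed online.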
mikegogulski
June 20, 2011, 08:32:54 AM
 #8

Quote from: kjj
Your captcha is useless and annoying. There are better ways to prevent oracle attacks.

If anyone is interested in breaking this style of captcha, the basic technique is: intensity histogram, contrast, despeckle, horizontal histogram, cut letters/find hulls, unrotate and rescale, build grid, lookup in database. Building the database in advance is the hardest part, and it is really only hard if the site under protection isn't worth getting into.

Captchas were great 10 years ago, when not everyone knew how to break them. By now, they have to be nearly unreadable to be effective. Within a few years, I suspect that getting a correct answer for a difficult captcha will be taken as evidence against the humanness of the interpreter.

Well, that's one way to do it. Much easier is paying a kid in China $0.01 to do it for you.

dserrano5
June 20, 2011, 09:33:56 AM
 #9

Quote from: Jered Kenna (TradeHill)
We are scheduled to resume trading at 10am Monday morning EST.

Where is EST relative to GMT? Not everyone lives there/knows that.

(Actual answer not needed, I know how to use google but it's annoying.)

Sukrim
June 20, 2011, 09:38:41 AM
 #10

Quote from: dserrano5
Where is EST relative to GMT?
10 am EST = 3 pm GMT (they might have DST in EST though for example which I'm not 100% aware of - this is why you should use UTC!)

Edit:
Oh yes, and the Captcha is a joke!
