Bitcoin Forum
Author Topic: TradeHill - Captcha and lockout added to the site  (Read 2111 times)
Jered Kenna (TradeHill) (OP)
June 20, 2011, 07:40:15 AM
 #1

No one likes to use captchas but site security is paramount.
We've added one to our login and multiple failed attempts will now cause a lock out.
This should reduce the chances of an effective brute force attack.

If you have used the same password on Mt Gox and TradeHill you should change it as soon as possible.

We are scheduled to resume trading at 10am Monday morning EST.

We will be continually reevaluating and upgrading our security.

moneyandtech.com
@moneyandtech @jeredkenna
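The lockout the post announces (several failed logins in a row lock the account for a while) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not TradeHill's code; the policy numbers (5 failures, 15-minute lock), the PBKDF2 parameters and the injectable clock are assumptions chosen for the example.

```python
"""Account lockout after repeated failed logins (constructed example, not TradeHill's code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60    # assumed policy: lock expires after 15 minutes
PBKDF2_ROUNDS = 100_000      # assumed work factor; tune to the server's budget


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0   # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.clock = clock  # injectable so the lock expiry can be tested

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def attempt_login(self, username: str, password: str) -> str:
        """Returns "ok", "denied" or "locked"."""
        acct = self.accounts.get(username)
        now = self.clock()
        if acct is None:
            # Do the same hashing work for unknown users so response time
            # does not reveal whether the username exists.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            # While locked, even the correct password is refused.
            return "locked"
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    fake_now = [1_000_000.0]
    guard = LoginGuard(clock=lambda: fake_now[0])
    guard.register("alice", "correct horse")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(guard.attempt_login("alice", "wrong"))   # denied x4, then locked
    print(guard.attempt_login("alice", "correct horse"))  # locked
    fake_now[0] += LOCKOUT_SECONDS + 1
    print(guard.attempt_login("alice", "correct horse"))  # ok
```

The lock is time-limited rather than permanent on purpose: a permanent lock after N failures lets anyone who knows a username deny its owner access, so a lockout like this is normally paired with per-source throttling and an alert to the account holder rather than used on its own.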
nhodges
June 20, 2011, 07:51:26 AM
 #2

Cool, I can go to sleep and not worry that the trading is going to resume while my eyes are closed. :] Great talk on OnlyOneTV about forthcoming security improvements, excited to see them implemented!

ploum
June 20, 2011, 07:57:14 AM
 #3

A simple but effective measure could be to force email confirmation for any withdrawal.

In the longer term, I really hope to see GPG authentication required for big trades.

Jered Kenna (TradeHill) (OP)
June 20, 2011, 08:12:20 AM
 #4

Thanks Nhodges

> A simple but effective measure could be to force email confirmation for any withdrawal.
>
> In the longer term, I really hope to see GPG authentication required for big trades.

We manually verify the big transfers. We held up a 2500btc transfer earlier and a few 500btc or so transfers.
Most likely legit but we prefer to take the time to send an email than risk someone logging in to find their Bitcoins missing.

We spent a lot of time tonight discussing different possibilities and will be implementing more features soon.

moneyandtech.com
@moneyandtech @jeredkenna
willphase
June 20, 2011, 08:23:12 AM
 #5

How about accepting OpenID? Then people could use Google's two-factor authentication.

Will

kjj
June 20, 2011, 08:25:02 AM
 #6

Your captcha is useless and annoying.  There are better ways to prevent oracle attacks.

If anyone is interested in breaking this style of captcha, the basic technique is: intensity histogram, contrast, despeckle, horizontal histogram, cut letters/find hulls, unrotate and rescale, build grid, lookup in database.  Building the database in advance is the hardest part, and it is really only hard if the site under protection isn't worth getting into.

Captchas were great 10 years ago, when not everyone knew how to break them.  By now, they have to be nearly unreadable to be effective.  Within a few years, I suspect that getting a correct answer for a difficult captcha will be taken as evidence against the humanness of the interpreter.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
rebuilder
June 20, 2011, 08:29:07 AM
 #7

I second the call for two-factor authentication, though I'd prefer a list of numbers as banking sites use. Google's system uses SMS, as far as I know, and I'm not giving them my number. So, let the user print a list of one-time passcodes, a random one of which will be asked for when logging in, and when only 10 or so unused codes remain, tell the user to print a new set.

Selling out to advertisers shows you respect neither yourself nor the rest of us.
---------------------------------------------------------------
Too many low-quality posts? Mods not keeping things clean enough? Self-moderated threads let you keep signature spammers and trolls out!
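The printed list of one-time passcodes described in the post above, as an added example (not code from this thread or from any exchange): the server keeps only keyed hashes of the codes, asks for a randomly chosen unused entry at login, consumes the entry once answered, and flags the account for a fresh sheet once 10 or fewer codes remain. The sheet size, code length, server key and the rule that a wrong answer also burns the code are assumptions made for the example.

```python
"""Printed one-time passcode sheet (constructed example, not an exchange's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_COUNT = 50          # assumed: codes per printed sheet
CODE_DIGITS = 8          # assumed: digits per code
REPRINT_THRESHOLD = 10   # from the post: warn when about 10 unused codes remain
# Assumed: a server-side key held outside the database, so a leaked table of
# hashes cannot be brute-forced offline (8-digit codes have little entropy).
SERVER_KEY = secrets.token_bytes(32)


def _hash_code(code: str, salt: bytes) -> bytes:
    return hmac.new(SERVER_KEY, salt + code.encode(), hashlib.sha256).digest()


@dataclass
class CodeSheet:
    salt: bytes
    hashes: list[bytes]
    used: list[bool]
    pending: int | None = None  # index currently being asked for, if any


def issue_sheet(count: int = CODE_COUNT) -> tuple[CodeSheet, list[str]]:
    """Create a sheet; the clear-text codes are returned once for printing and never stored."""
    salt = secrets.token_bytes(16)
    codes = ["".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
             for _ in range(count)]
    sheet = CodeSheet(salt, [_hash_code(c, salt) for c in codes], [False] * count)
    return sheet, codes


def remaining(sheet: CodeSheet) -> int:
    return sheet.used.count(False)


def challenge(sheet: CodeSheet) -> int:
    """Pick a random unused entry and return its 1-based number as printed.

    The choice is fixed until answered, so reloading the login page does not
    let someone cycle through challenges looking for one they already know.
    """
    if sheet.pending is None:
        unused = [i for i, u in enumerate(sheet.used) if not u]
        if not unused:
            raise RuntimeError("no unused codes left; issue a new sheet")
        sheet.pending = secrets.choice(unused)
    return sheet.pending + 1


def verify(sheet: CodeSheet, answer: str) -> tuple[bool, bool]:
    """Return (accepted, needs_new_sheet). The entry is consumed whether or not
    the answer is right, so each code allows exactly one guess."""
    idx = sheet.pending
    if idx is None:
        raise RuntimeError("no challenge outstanding")
    ok = hmac.compare_digest(_hash_code(answer, sheet.salt), sheet.hashes[idx])
    sheet.used[idx] = True
    sheet.pending = None
    return ok, remaining(sheet) <= REPRINT_THRESHOLD


if __name__ == "__main__":
    sheet, printed = issue_sheet(12)
    number = challenge(sheet)
    print(f"Enter code #{number} from your sheet")
    print(verify(sheet, printed[number - 1]))   # (True, False): 11 codes left
```

Burning the entry on a wrong answer costs the legitimate user a code per typo, but it is what keeps an attacker who can trigger challenges from getting unlimited guesses at one 8-digit value; pairing it with the login lockout keeps the cost of that trade-off low.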
mikegogulski
June 20, 2011, 08:32:54 AM
 #8

> Your captcha is useless and annoying.  There are better ways to prevent oracle attacks.
>
> If anyone is interested in breaking this style of captcha, the basic technique is: intensity histogram, contrast, despeckle, horizontal histogram, cut letters/find hulls, unrotate and rescale, build grid, lookup in database.  Building the database in advance is the hardest part, and it is really only hard if the site under protection isn't worth getting into.
>
> Captchas were great 10 years ago, when not everyone knew how to break them.  By now, they have to be nearly unreadable to be effective.  Within a few years, I suspect that getting a correct answer for a difficult captcha will be taken as evidence against the humanness of the interpreter.

Well, that's one way to do it. Much easier is paying a kid in China $0.01 to do it for you.

FREE ROSS ULBRICHT, allegedly one of the Dread Pirates Roberts of the Silk Road
dserrano5
June 20, 2011, 09:33:56 AM
 #9

> We are scheduled to resume trading at 10am Monday morning EST.

Where is EST relative to GMT? Not everyone lives there/knows that.

(Actual answer not needed, I know how to use google but it's annoying.)
Sukrim
June 20, 2011, 09:38:41 AM
 #10

> Where is EST relative to GMT?

10 am EST = 3 pm GMT (they might have DST in EST though, for example, which I'm not 100% aware of; this is why you should use UTC!)

Edit:
Oh yes, and the Captcha is a joke!

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.