Bitcoin Stock Exchange Security Standards

[ikonic]

Given that BitCoin is still in its infancy, many of the stock exchanges are being run by inexperienced coders or business types with no real online financial experience... and as such, putting the entire community at risk.

Therefore, what I am proposing is that the BitCoin community draft together a set of agreed security standards and best practices that all trusted exchanges should adhere to.

As an example of Web Standards, the basics would be

Web Application Requirements

• Website to be tested to ensure SQL injections (including truncation attacks) do not exist
• Website to be tested to ensure XSS injections do not exist
• Website to be tested to ensure XPATH injections do not exist
• Website to be tested to ensure CSRF vulnerabilities do not exist
• All transactional functionality should be undertaken with http post using CSRF nuonces
• Any and all interaction with the database should done using either Stored or Prepared Procedures

HTTP Response Header Requirements

• All cookies to have the "HttpOnly" and "Secure" attributes
• HTTP Headers should not include Server OS version
• HTTP Headers should not include Web Server version
• HTTP Headers must include an X-Frame-Options directive

Data Storage and Analysis Requirements

• All passwords should be stored using one way encryption with a unique salt per user (salt to be a minimum 128bits)
• Where the need for database analysis is required the data should be purged of all PII prior to be delivered to the auditor
• Users with permissions to the database should be limited to the web application only

Finally, this list isn't extensive but only a start so it would be good to get others feedback.

btw: Sorry about being stuck in the newb section but alas such is life.

Note: Not here for the MT Gox bashing, it will achieve nothing. Lets talk about the future instead.

Edit:
Another good idea to discuss it the limit that can be transfered daily/hourly.
For instance, setting a maximum dollar amount to transfer out is pointless as you can simply crash the price and pull out. Perhaps a better idea would be to set volume limits instead?

BitCoin Transfer Requirements

• Maximum Daily Transfer Limit - Currency $1000
• Maximum Daily Transfer Limit - BitCoins 1000

[1713859761]

1713859761

[1713859761]

1713859761

[1713859761]

1713859761

[1713859761]

1713859761

[1713859761]

1713859761

[1713859761]

1713859761

[muad_dib]

well 1000 bitcoins are a lot of money.

Moreover we need 2 levels of password:

1) An account password, sent via password-authenticated key agreement and not https

2) A Time-synchronized one-time passwords or a 2d key, to authorize movements, so that even if the password is stolen, it is impossible to authorize another transaction.


Users should not be allowed to choose passwords. A 25 characters long, strongly randomized password should be generated for the user, so he's forced to use something like keepassx.




I think we need an independent security committee to write a security standard and certify exchanges.

[piuk]

Exchange code should be open source like britcoin.

[hamdi]

no use of cookies at all.

[Superform]

if anyone wants to colaborate on a proper exchange I can help with supplying a domain bitcoin-market.com

I also have over 10 years of share trading experience

another suggestion is the exchange should issue a username which is a random string of numbers/letters instead of using your email name etc

[Epinnoia]

The BCSE is a great tool, but can get you into some serious trouble with the SEC if you do any sort of public offering through it.  I've spoken with a lawyer who specializes in this area (securities law) about it, and we came to the conclusion that it would be legitimate ONLY for non-public offerings -- for example, where you approached each person individually and got them to invest...  You could also put the offering/alert on a password-protected page, and be safe.  But if the offering is on an open page, viewable by the public, then you are making a public offering, and must register it with the SEC.

And those people who invest privately CANNOT SELL THOSE STOCKS publicly either.  

In other words, if I privately approached Jack, John, and Jeff for investments, and they agreed, then their stocks can only legally be traded among each other, or bought back by the company itself.

[Findeton]

Yes, we do need regulation. This kind of regulation.

[davout]

All passwords should be stored using one way encryption with a unique salt per user (salt to be a minimum 128bits) iterative hashing

Fixed that for you.

[ikonic]

well 1000 bitcoins are a lot of money.

Perhaps accounts should have daily transaction limits where the user can reduce online at any time but it requires admin intervention to raise.

Moreover we need 2 levels of password:
1) An account password, sent via password-authenticated key agreement and not https

2) A Time-synchronized one-time passwords or a 2d key, to authorize movements, so that even if the password is stolen, it is impossible to authorize another transaction.

I assume you're talking about a TAN? This is a good idea.

no use of cookies at all.

Not really a big fan of this, It means the URL requires a session identifier to be included or then entire site runs through POSTS?

All passwords should be stored using one way encryption with a unique salt per user (salt to be a minimum 128bits) iterative hashing

Fixed that for you.

thx

[DonnyCMU]

Users should not be allowed to choose passwords. A 25 characters long, strongly randomized password should be generated for the user, so he's forced to use something like keepassx.

Ridiculous. If I have 5 bitcoins in my account and want to use 'boobies' as my password, it should be my own rights, my own problem, at my own risk!

Most security-minded people never bother to see how usable these measures are.

Don't you hate it when you always use a simple password for non-important login, and then there's this silly site that demand the password for you to log-in and play flash games must contain 2 numbers, 3 signs, and 1 egyptian hieroglyph???

[Anonymous]

The BCSE is a great tool, but can get you into some serious trouble with the SEC if you do any sort of public offering through it.  I've spoken with a lawyer who specializes in this area (securities law) about it, and we came to the conclusion that it would be legitimate ONLY for non-public offerings -- for example, where you approached each person individually and got them to invest...  You could also put the offering/alert on a password-protected page, and be safe.  But if the offering is on an open page, viewable by the public, then you are making a public offering, and must register it with the SEC.

And those people who invest privately CANNOT SELL THOSE STOCKS publicly either.  

In other words, if I privately approached Jack, John, and Jeff for investments, and they agreed, then their stocks can only legally be traded among each other, or bought back by the company itself.

These pedantic laws have nothing on people who trade anonymously under the veil of the sovereign web. The SEC is irrelevant. Any regulation they try to throw at Bitcoin exchanges is irrelevant.

[Chick]

Given that BitCoin is still in its infancy, many of the stock exchanges are being run by inexperienced coders or business types with no real online financial experience... and as such, putting the entire community at risk.

Therefore, what I am proposing is that the BitCoin community draft together a set of agreed security standards and best practices that all trusted exchanges should adhere to.

As an example of Web Standards, the basics would be

Web Application Requirements

• Website to be tested to ensure SQL injections (including truncation attacks) do not exist
• Website to be tested to ensure XSS injections do not exist
• Website to be tested to ensure XPATH injections do not exist
• Website to be tested to ensure CSRF vulnerabilities do not exist
• All transactional functionality should be undertaken with http post using CSRF nuonces
• Any and all interaction with the database should done using either Stored or Prepared Procedures

HTTP Response Header Requirements

• All cookies to have the "HttpOnly" and "Secure" attributes
• HTTP Headers should not include Server OS version
• HTTP Headers should not include Web Server version
• HTTP Headers must include an X-Frame-Options directive

Data Storage and Analysis Requirements

• All passwords should be stored using one way encryption with a unique salt per user (salt to be a minimum 128bits)
• Where the need for database analysis is required the data should be purged of all PII prior to be delivered to the auditor
• Users with permissions to the database should be limited to the web application only

Finally, this list isn't extensive but only a start so it would be good to get others feedback.

btw: Sorry about being stuck in the newb section but alas such is life.

Note: Not here for the MT Gox bashing, it will achieve nothing. Lets talk about the future instead.

Edit:
Another good idea to discuss it the limit that can be transfered daily/hourly.
For instance, setting a maximum dollar amount to transfer out is pointless as you can simply crash the price and pull out. Perhaps a better idea would be to set volume limits instead?

BitCoin Transfer Requirements

• Maximum Daily Transfer Limit - Currency $1000
• Maximum Daily Transfer Limit - BitCoins 1000

To sum it all up, BANK LEVEL SECURITY. No bullshit "25 letter passwords".

Take my money and STFU.

[ikonic]

To sum it all up, BANK LEVEL SECURITY. No bullshit "25 letter passwords".
Take my money and STFU.

I am actually the senior developer/team leader for the online banking team which provide online services (mobile and internet banking/lending) to around 30 financial instituions. I also run a security forum and am familar with the nuoance of online transactions.

In saying that, I am not going to drop every single piece of information straight up unless others are interested in participating.

And BANK LEVEL SECURITY is shit. Just ask the CitiBank customers who card details have been nabbed...

What I am proposing is something far more secure and workable.

[Findeton]

To sum it all up, BANK LEVEL SECURITY. No bullshit "25 letter passwords".
Take my money and STFU.

I am actually the senior developer/team leader for the online banking team which provide online services (mobile and internet banking/lending) to around 30 financial instituions. I also run a security forum and am familar with the nuoance of online transactions.

In saying that, I am not going to drop every single piece of information straight up unless others are interested in participating.

And BANK LEVEL SECURITY is shit. Just ask the CitiBank customers who card details have been nabbed...

What I am proposing is something far more secure and workable.

What about using bcrypt?

[davout]

Any regulation they try to throw at Bitcoin exchanges is irrelevant.

Frozen bank accounts are relevant.

[Rassah]

A simple e-mail notification when BTC withdrawal address is changed, and lock on withdrawing funds for at least 24 hours after address change, would be nice too (BTCGuild's method)

[Piper67]

A simple e-mail notification when BTC withdrawal address is changed, and lock on withdrawing funds for at least 24 hours after address change, would be nice too (BTCGuild's method)

Agreed, Bitmarket.eu has this extremely simple function, whereby any changes (to your email address, BTC withdrawal address, etc) has to be confirmed through a two step process. Simple and effective.

[muad_dib]

Ridiculous. If I have 5 bitcoins in my account and want to use 'boobies' as my password, it should be my own rights, my own problem, at my own risk!

Most security-minded people never bother to see how usable these measures are.

Don't you hate it when you always use a simple password for non-important login, and then there's this silly site that demand the password for you to log-in and play flash games must contain 2 numbers, 3 signs, and 1 egyptian hieroglyph???

Just use KeepassX, so you are also safe from simple keyloggers.

[killer2021]

A simple e-mail notification when BTC withdrawal address is changed, and lock on withdrawing funds for at least 24 hours after address change, would be nice too (BTCGuild's method)

I'd like to have to have an option of having a code sent to my mobile with a code in it to activate the withdraw. Make the mobile number unchangeable after registration. Only way to change it is when the account has zero balances. Even if the account is hacked, good luck withdrawing.

[benjamindees]

Are we talking about stock exchange,like glbse, or currency exchange, like mt gox and tradehill?