Bitcoin Forum
Author Topic: WTF @ Mt.Gox?!  (Read 6120 times)
Grant
Full Member
June 23, 2011, 11:27:58 AM
 #21


As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.

Sounds perfect to me. :)

klaus
Legendary
June 23, 2011, 11:29:22 AM
 #22

- will the SMS method work for Customers outside USA? e.g. Germany?

Thanks

bitmessage:BM-2D9c1oAbkVo96zDhTZ2jV6RXzQ9VG3A6f1
threema:HXUAMT96
Mobius
Hero Member
June 23, 2011, 11:49:54 AM
 #23

Hi Everyone,

We are evaluating 2 methods at this time. SMS, and Yubikey.

The "free subscription" we're referring to is SMS verification. Unfortunately we're a prime target for SMS flooding if we make this a free service, as you can probably understand.

As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.

So there would be no monthly fee? Please verify.
bitbot
Member
June 23, 2011, 12:35:03 PM
 #24

I want my free subscription upgrade and trading or my 100 BTC back

Anonymous BITCOIN Exchange: https://www.TRADEHILL.COM
Astro
Sr. Member
June 23, 2011, 02:44:54 PM
 #25

Yubikey is a good solution.  +1
RchGrav
Full Member
June 23, 2011, 03:15:04 PM
 #26

Hi Everyone,

We are evaluating 2 methods at this time. SMS, and Yubikey.

The "free subscription" we're referring to is SMS verification. Unfortunately we're a prime target for SMS flooding if we make this a free service, as you can probably understand.

As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.

I don't want to be in a situation where I can't get into my account if I forget or lose my second factor...  I'm hoping you allow some flexibility in this new system for us to decide which methods we would like to select during login.  If I need to get into my account, without my second factor, it would be nice to have the ability to choose one of the other 2nd factors during the logon process...  If I don't have my Yubikey, but I do have my cell phone configured, I would like to be able to still access my account.  If I don't have either of my 2nd factors.. Answering a short series of "Security Questions" should be allowed to be used to gain access. Something like the way that PayPal does it.. During the logon process a user can say "I don't have my Key right now" and still answer a couple of security questions only that user would know, as a backup method, to gain access to their account.

Of course each user could decide which factors are available for them...  This would allow users to balance not only the increased security of the new system, but also how convenient they wish it to be for themselves.

Maybe you can implement the SMS 2-Factor in house.. and find a way to avoid the "SMS flooding" scenario... like sending the SMS AFTER the correct password has been entered on the site.

Here is a list of the majority of International SMS carrier gateways.. It could be used as a starting point should you decide to roll your own solution..

att=<number>@txt.att.net
at&t=<number>@txt.att.net
bell=<number>@txt.bell.ca
beeline=<number>@sms.beemail.ru
bouygues=<number>@mms.bouyguestelecom.fr
cricket=<number>@sms.mycricket.com
d1=<number>@t-d1-sms.de
eplus=<number>@smsmail.eplus.de
etisalat=<number>@email2sms.ae
fido=<number>@fido.ca
lmt=<number>@smsmail.lmt.lv
metropcs=<number>@mymetropcs.com
mobistar=<number>@mobistar.be
optus=0<number>@optusmobile.com.au
orange=<number>@orange.net
o2uk=<number>@o2imail.co.uk
o2germany=0<number>@o2online.de
rogers=<number>@pcs.rogers.com
sfr=<number>@sfr.fr
softbank=<number>@softbank.ne.jp
sprint=<number>@messaging.sprintpcs.com
starhub=<number>@starhub-enterprisemessaing.com
sunrise=<number>@mysunrise.ch
swisscom=<number>@bluewin.ch
tdc=<number>@sms.tdk.dk
telecom=<number>@etxt.co.nz
telenor=<number>@mobilpost.no
tele2=<number>@sms.tele2.lv
telia=<number>@gsm1800.telia.dk
telstra=<number>@tim.telstra.com
telus=<number>@msg.telus.com
three=<number>@three.co.uk
tmobile=<number>@tmomail.net
tmobileczech=<number>@sms.paegas.cz
uscellular=<number>@email.uscc.net
verizon=<number>@vtext.com
virginmobile=<number>@vmobl.com
virginmobilecanada=<number>@vmobile.ca
vivo=<number>@torpedoemail.com.br
vodafonegermany=0<number>@vodafone-sms.de
vodafonegreece=<number>@sms.vodafone.gr
vodafoneitaly=<number>@sms.vodafone.it
vodafoneuk=<number>@vodafone.net

4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
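
An added example, not part of RchGrav's post or any exchange's code: a sketch of the "send the SMS AFTER the correct password has been entered" idea from the post above, with a per-account cooldown so that repeated logins cannot trigger a flood of texts. The class name, the `send_sms` callable, the cooldown and the code lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

COOLDOWN = 60      # seconds between texts per account (assumed policy value)
CODE_TTL = 300     # seconds a code stays valid (assumed policy value)

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SmsSecondFactor:
    """Hypothetical login gate: password first, SMS code second."""

    def __init__(self, send_sms):
        self.send_sms = send_sms   # hypothetical gateway: callable(number, text)
        self.users = {}            # name -> (salt, password hash, phone number)
        self.pending = {}          # name -> (code, time issued)

    def register(self, name, password, phone):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, _pw_hash(password, salt), phone)

    def start_login(self, name, password, now):
        """Check the password; only on success may a text go out."""
        user = self.users.get(name)
        if user is None:
            return False
        salt, stored, phone = user
        if not hmac.compare_digest(_pw_hash(password, salt), stored):
            return False           # wrong password: nothing is sent
        issued = self.pending.get(name, (None, None))[1]
        if issued is None or now - issued >= COOLDOWN:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[name] = (code, now)
            self.send_sms(phone, f"Login code: {code}")
        return True

    def finish_login(self, name, submitted, now):
        """Accept the texted code once, within its lifetime."""
        code, issued = self.pending.get(name, (None, None))
        if code is None or now - issued > CODE_TTL:
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False
        del self.pending[name]     # single use
        return True
```
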
bitsalame
Donator
Hero Member
June 23, 2011, 03:42:16 PM
 #27

One problem with SMS is that telephone numbers for SMS also can be anonymously created.
At the end SMS will end up becoming like email, neither more nor less secure.
Also I don't know if I would be comfortable with having my phone number in your databases.

The leaked emails contained both my "public" and "private" emails; the private was a secretly guarded one used only for banking.
Now I receive spam in BOTH accounts. I definitely don't feel comfortable sharing my real phone number.
I might use a fake phone number solely for the SMS authentication, but that defeats its purpose.

I would suggest going ahead with Yubico.
Also I think it would be a nice gesture if all users who were registered up to the day of the crash would get a free Yubico key.
The newly registered users (who were neither directly nor indirectly affected by the attack) would have to pay a fee to get it.

Well, that's my 0,00001 BTC ;)
Webengers
Jr. Member
June 23, 2011, 03:48:26 PM
 #28

Hi Everyone,

We are evaluating 2 methods at this time. SMS, and Yubikey.

The "free subscription" we're referring to is SMS verification. Unfortunately we're a prime target for SMS flooding if we make this a free service, as you can probably understand.

As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.

I'd like to get your thoughts on this

http://forum.bitcoin.org/index.php?topic=21026.0

Was it really your account that got hacked?
RchGrav
Full Member
June 23, 2011, 04:01:10 PM
 #29

One problem with SMS is that telephone numbers for SMS also can be anonymously created.
At the end SMS will end up becoming like email, neither more nor less secure.
Also I don't know if I would be comfortable with having my phone number in your databases.


What does this matter?  It would seem to be a benefit, not a problem.

You will be configuring the mobile number to receive your second factor login key, and deciding if it is a method that makes sense for you.

By allowing the users which factors to utilize, whether it be a single method, or multiple methods as a failsafe to not get locked out of their account.

Personally I would probably enable multiple secondary factors... because you will still always need to provide the password as well.


I do like the Yubikey solution.. especially since I have a number of fresh / unused Yubikeys at my disposal.

I would also enable the SMS feature, in case I didn't have my Yubikey handy..  It would be important for me to still have a method to get into my account... so I wouldn't miss an important trading opportunity, or need to go through another time consuming process to reclaim my account. Which could be time consuming.. and cause missed opportunities.

My password was already strong... so anything else is just an extra layer of security, even with the ability to add some flexibility and convenience.

Rich

4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
Dude65535
Full Member
June 23, 2011, 05:39:11 PM
 #30

I would think the most secure way to handle a lost second factor would be to only allow that user to withdraw the funds on account to a previously setup destination. Once all the funds have been moved out they can remove the second factor and resume trading once the new funds are added.

1DCj8ZwGZXQqQhgv6eUEnWgsxo8BTMj3mT
ius
Jr. Member
June 23, 2011, 07:10:37 PM
 #31

As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one time fee.

HOTP clients are available for most smartphones. No SMS needed then, and free for the end-user. An alternative would be HOTP hardware tokens (Yubikey supports HOTP too, in one of its two configuration slots).

Still doesn't improve your database security though

PGP: 0xCC06E446 Bitcoin: 19kdfgW1KXQgV7SCLEPAojtHxN9xotGkGH