|
BitBits
|
 |
November 19, 2014, 11:18:42 AM |
|
...
* Your e-mail account is ONE factor. ONE. Period.
...
Not correct, Gmail has 2FA if one wants to enable it. I have it and recommend everyone to have it. |
Empty
|
|
|
|
mjr
|
|
November 19, 2014, 06:36:53 PM |
|
...
* Your e-mail account is ONE factor. ONE. Period.
...
Not correct, Gmail has 2FA if one wants to enable it. I have it and recommend everyone to have it. Yes, I have my entire google account set up with 2FA. But, to be fair, let's say you use a specific phone just for 2FA. So there is a truly separate second factor, they take your main phone which has your email. They can then probably send emails as you, and find out which email you used to open the account (assuming this is a targeted attack), so they might be able to disable 2FA, BUT, if they also said that they needed to reset the password, I think that this would not work, as it is highly suspicious to lose your phone and forget your password. So, I think it is two factor, since they can't access your bitfinex account with ONLY the 2FA disabled. |
|
|
|
|
|
mjr
|
|
November 19, 2014, 06:45:03 PM |
|
Most people want something rather than nothing, and some posters even said, if the FRR wasn't there, I would just pick the lowest rate and do that. FRR is very similar to a market order, they don't request a specific return, and are basically willing to take whatever they get. I, personally, think that the FRR prob keeps rates higher, because they don't just go for the lowest possible.
I can see that being possible... my instinct would be that it would be far more volatile - higher when we're on a bull run, lower when we're not, and more prone to jump about all crazy-like. You'd have a steady stream of auto-lenders taking random pot-shots at whatever's available from the swap requests (hopefully not all of them - some would just take anything above zero but surely at least some would wise up and start at least picking a rate to auto-renew at once a day... and some would probably just leave), and that regular slow-trickle dump would indeed weaken the incentive for traders to take offers when they can just wait for a lowball 'market' offer... which might actually make the 'requests' side of the book relevant (and thicker at sensible rates) rather than just a queue of hopefuls waiting for someone to dump almost-free funding on them. But even while full-auto lenders chew through the swap requests, without that giant anchoring wall on the offer-side, it'd also be that much easier for a rush of traders in a hurry to chew through the offers up to ~0.7%, as we've seen when the wall goes down before. That's why I'm thinking it would erode both sides and leave the going rate more freely wandering. Might be overall higher or lower, who knows, but that might well be more representative of the true supply/demand. I can see the value in the FRR as a place to put all the lazy money so it can be stored up safely rather than unleashed all at once onto an unprepared set of 'requests', but I do still wish the wall would move when people start taking it; respond to the apparent demand by moving rates up a li'l bit to test whether there's still demand at that higher rate, then move back down if there isn't. I'm just going to keep saying that until either you're sick of hearing it or you become convinced. I totally agree with you. That is exactly what we are trying to accomplish. Right now, we are testing an exponential weighted average, so that the most recent active swaps will count a lot more towards the next FRR than the one from an hour ago. This should make it more sensitive, and allow it to wander more freely. Ideally, instead of a stairway, it should hopefully be more like a slope. It is kind of a big change, and it is something that has pretty far reaching effects, which is why we are being cautious. |
|
|
|
|
TwinWinNerD
Legendary
 Offline
Activity: 1680
Merit: 1001
CEO Bitpanda.com
|
|
November 19, 2014, 08:24:44 PM |
|
The best way to do it is to never reset the 2fa without an extremely long waiting period (30 days ~) because sometimes you get hacked when on vacation without internet.
Then you need to teach people, that they need to backup their masterkey for the autification. Most people don't do this, but most sites also don't tell you too.
I could lose my phone, my ipad and my computer and I'd still have access to my google authentificator codes somehow.
|
|
|
|
|
noggin-scratcher
|
|
November 20, 2014, 02:01:10 AM |
|
I totally agree with you. That is exactly what we are trying to accomplish. Right now, we are testing an exponential weighted average, so that the most recent active swaps will count a lot more towards the next FRR than the one from an hour ago. This should make it more sensitive, and allow it to wander more freely. Ideally, instead of a stairway, it should hopefully be more like a slope.
It is kind of a big change, and it is something that has pretty far reaching effects, which is why we are being cautious.
Faster-moving is promising, although I'm a little worried that would just accelerate the current progress of "slow grind down until the wall is exhausted, then launch up". I'm not seeing how it would allow the wall to move up in the face of demand unless swaps from above the wall are being taken for some reason. Kinda have to cut the cord and stop setting the variable rate by reference to the fixed rates; the presence of the variable rate offers has too much influence on which fixed rate swaps are taken for that to be effective and not effectively self-referential. |
|
|
|
oyvinds
Newbie
Offline
Activity: 48
Merit: 0
|
|
November 20, 2014, 01:17:14 PM
Last edit: November 20, 2014, 01:28:54 PM by oyvinds |
|
I believe the actual complaint was that if your email account is compromised from one device, that's pretty much game over - a sufficiently motivated attacker can have a password reset sent to that email address, and have a conversation with your support people to have the 2FA turned off. So the security of your Bitfinex account reduces to the security of your email account, with the OTP device serving mostly as a small additional roadblock to make the process slightly inconvenient, rather than a true additional 'factor'. It is important to understand and remember that NONE of YOUR devices need to be compromised for your e-mail account to be compromised. There are numbers other attack vectors depending on which e-mail provider you have chosen. A dishonest employee, for example, could easily abuse or take over your e-mail account. This is why I insist that an e-mail account is just one factor regardless of how this factor is protected. * Your e-mail account is ONE factor. ONE. Period.
Not correct, Gmail has 2FA if one wants to enable it. I have it and recommend everyone to have it. I stand by my statement. Your Gmail account is one factor which could be protected by two factors. A Google employee could take over your e-mail account regardless. Think of it this way: Your house is still just one house even if you put an extra lock on the front door. I don't think we disagree that things SHOULD be more secure, but in order to do that, as you suggest, people should buy another phone that they use ONLY for 2fa. That is probably not going to happen in 99% of cases. Therefore, due to the unwillingness to implement a hardware solution, it becomes 1fa. Here is the issue:
1. We need to know you are the person with the rights to access the account.
2. You do this by providing something you have.
3. If you lose that something, you still have the rights to access your account.
4. In order to remedy that, we have to be able to bypass the original security that you set up, due to the loss of your password, phone, email, etc
I agree with this but I would like #4 to be a bit harder - but not so hard that it becomes impossible. So, to be clear, if you maintain your security on your phone, and your email, you will never be able to be hacked. These issues affect people who have ALREADY been compromised. If we add gpg key as another method, what happens when you lose your gpg key? The simple fact remains, that google 2FA IS two factor authentication if you haven't lost one of the methods of authentication. We require the phone, which has the Google 2FA, and also the password, which you should be the only one to know.
Obviously, since this system REQUIRES you to talk to someone in support, if you say that you lost your phone and forgot your password...the human who is talking to you will probe much more deeply and watch much more carefully.
I agree that if I COULD just say "Hey, lost my phone and forgot my password, I sent you an email from the account used to open the account", and if this is all that is necessary, you could have a problem, but, you have to talk to someone in support, via email. They will respond to your request and await a response from you. I haven't seen the email spoofing successfully done, or reported here.
If you actually lose access to your phone, and you used an email which is on your phone, AND your phone isn't locked, the password can be guessed, or it doesn't use biometrics, THEN you have been pretty well compromised. For me, if I lost my phone, I would notice sometime within 24 hours. I usually touch my phone physically at least every hour, aside from sleep. Given that iPhones (and I believe Android?) can be remotely wiped, any access to the compromised phone should be able to be mitigated as soon as the loss is noticed. Since you cannot withdraw for a week, you should have more than enough time to work this out with support.
Long story, short, bitfinex uses a password authentication method, with optional 2FA, but we cannot guarantee your security in regards to YOUR phone, YOUR email address, and YOUR laptop. Basically, the complaint is, well, my phone and my laptop got hacked, how could they access my bitfinex account? I would say that if you were compromised in 2 other areas...your security procedures probably need some work.
Thank you for your long response. Actually, no, my phone and desktop would not need to be compromised. My complaint is that someone who gains access to my e-mail account, with or without hacking any device (which, if you consider the various threat models, is not required to gain control over someone's e-mail), could p0wn me. As for your other points: I completely agree that the security of my Bitfinex account and the devices used to access it is my personal responsibility. This is why I do not like that the security can be compromised by a factor out of my control. And I do see and agree that the human factor at Bitfinex would make an attack difficult (but not impossible?). I have e-mailed both the support@ and that better address quite a few times over the years and the average response time seems to be 5-10 minutes and it's always smart people who reply (perhaps Bitfinex requires that customer support people do not watch television?) so I assume it would not be totally strait-forward to fool them. I am also guessing that this means I could have my account locked down pretty fast if need be. I think that if someone wanted to REQUEST that we require more than simply emailing us and having a conversation, and place additional restrictions on their account, and agreeing to endure the higher inconvenience, that would be reasonable.
Now you are on the right track. You seem to have thought a bit about this, what would your suggestion be as to these "additional restrictions"? As I mentioned, a picture of me holding a note saying "disable 2FA" to get it disabled seems like a reasonable trade-off and I requirement I would personally like to have on _my_ Bitfinex account. It is hard to fake. This does not solve the "$5 wrench" problem but that one is a lot harder. Oh, btw mjr, one last thing: Try leaving your phone at home when you go out to meet friends and loved ones. Consider making it a habit. I know many resist this idea but it can actually be a great thing - just like not having a television, not having facebook or a twitter account and so on. Many of these things that are supposed to make your life better .. just makes you stressed and continuously disrupt your harmony and give you bad karma. |
|
|
|
|
HowardF
Full Member
Offline
Activity: 145
Merit: 100
I do Stuff, and stuff.....
|
|
November 20, 2014, 04:35:49 PM |
|
ok... thats great  i just got few btc swap offer returned before 1 hour which mean i got more interest in effect  Note to self: keep checking bitfinex every hours minute to maximize profit Or use something like this to check bitfinex for you every 10 minutes to maximize profits: https://bitcointalk.org/index.php?topic=865250.0 |
|
|
|
|
mjr
|
|
November 20, 2014, 06:36:18 PM |
|
I believe the actual complaint was that if your email account is compromised from one device, that's pretty much game over - a sufficiently motivated attacker can have a password reset sent to that email address, and have a conversation with your support people to have the 2FA turned off. So the security of your Bitfinex account reduces to the security of your email account, with the OTP device serving mostly as a small additional roadblock to make the process slightly inconvenient, rather than a true additional 'factor'. It is important to understand and remember that NONE of YOUR devices need to be compromised for your e-mail account to be compromised. There are numbers other attack vectors depending on which e-mail provider you have chosen. A dishonest employee, for example, could easily abuse or take over your e-mail account. This is why I insist that an e-mail account is just one factor regardless of how this factor is protected. * Your e-mail account is ONE factor. ONE. Period.
Not correct, Gmail has 2FA if one wants to enable it. I have it and recommend everyone to have it. I stand by my statement. Your Gmail account is one factor which could be protected by two factors. A Google employee could take over your e-mail account regardless. Think of it this way: Your house is still just one house even if you put an extra lock on the front door. I don't think we disagree that things SHOULD be more secure, but in order to do that, as you suggest, people should buy another phone that they use ONLY for 2fa. That is probably not going to happen in 99% of cases. Therefore, due to the unwillingness to implement a hardware solution, it becomes 1fa. Here is the issue:
1. We need to know you are the person with the rights to access the account.
2. You do this by providing something you have.
3. If you lose that something, you still have the rights to access your account.
4. In order to remedy that, we have to be able to bypass the original security that you set up, due to the loss of your password, phone, email, etc
I agree with this but I would like #4 to be a bit harder - but not so hard that it becomes impossible. So, to be clear, if you maintain your security on your phone, and your email, you will never be able to be hacked. These issues affect people who have ALREADY been compromised. If we add gpg key as another method, what happens when you lose your gpg key? The simple fact remains, that google 2FA IS two factor authentication if you haven't lost one of the methods of authentication. We require the phone, which has the Google 2FA, and also the password, which you should be the only one to know.
Obviously, since this system REQUIRES you to talk to someone in support, if you say that you lost your phone and forgot your password...the human who is talking to you will probe much more deeply and watch much more carefully.
I agree that if I COULD just say "Hey, lost my phone and forgot my password, I sent you an email from the account used to open the account", and if this is all that is necessary, you could have a problem, but, you have to talk to someone in support, via email. They will respond to your request and await a response from you. I haven't seen the email spoofing successfully done, or reported here.
If you actually lose access to your phone, and you used an email which is on your phone, AND your phone isn't locked, the password can be guessed, or it doesn't use biometrics, THEN you have been pretty well compromised. For me, if I lost my phone, I would notice sometime within 24 hours. I usually touch my phone physically at least every hour, aside from sleep. Given that iPhones (and I believe Android?) can be remotely wiped, any access to the compromised phone should be able to be mitigated as soon as the loss is noticed. Since you cannot withdraw for a week, you should have more than enough time to work this out with support.
Long story, short, bitfinex uses a password authentication method, with optional 2FA, but we cannot guarantee your security in regards to YOUR phone, YOUR email address, and YOUR laptop. Basically, the complaint is, well, my phone and my laptop got hacked, how could they access my bitfinex account? I would say that if you were compromised in 2 other areas...your security procedures probably need some work.
Thank you for your long response. Actually, no, my phone and desktop would not need to be compromised. My complaint is that someone who gains access to my e-mail account, with or without hacking any device (which, if you consider the various threat models, is not required to gain control over someone's e-mail), could p0wn me. As for your other points: I completely agree that the security of my Bitfinex account and the devices used to access it is my personal responsibility. This is why I do not like that the security can be compromised by a factor out of my control. And I do see and agree that the human factor at Bitfinex would make an attack difficult (but not impossible?). I have e-mailed both the support@ and that better address quite a few times over the years and the average response time seems to be 5-10 minutes and it's always smart people who reply (perhaps Bitfinex requires that customer support people do not watch television?) so I assume it would not be totally strait-forward to fool them. I am also guessing that this means I could have my account locked down pretty fast if need be. I think that if someone wanted to REQUEST that we require more than simply emailing us and having a conversation, and place additional restrictions on their account, and agreeing to endure the higher inconvenience, that would be reasonable.
Now you are on the right track. You seem to have thought a bit about this, what would your suggestion be as to these "additional restrictions"? As I mentioned, a picture of me holding a note saying "disable 2FA" to get it disabled seems like a reasonable trade-off and I requirement I would personally like to have on _my_ Bitfinex account. It is hard to fake. This does not solve the "$5 wrench" problem but that one is a lot harder. Oh, btw mjr, one last thing: Try leaving your phone at home when you go out to meet friends and loved ones. Consider making it a habit. I know many resist this idea but it can actually be a great thing - just like not having a television, not having facebook or a twitter account and so on. Many of these things that are supposed to make your life better .. just makes you stressed and continuously disrupt your harmony and give you bad karma. I love Facebook, Twitter and Television, and I couldn't live without my phone...LOL, they do the exact opposite of stress me out, they calm me, and make my life better. They connect me to people, they allow me to find answers quickly, they educate me, make me more efficient. It is too easy to label things "good" or "bad", they are just things, and how you use them defines their goodness when compared to your goals. In regards to the other point, IF you only needed to get the email, I don't think it would be 2FA, but since you need the email, but will find it very difficult to change the password AND disable the 2FA, they still are 2 factors, IMO. |
|
|
|
|
|
mjr
|
|
November 20, 2014, 08:15:16 PM |
|
As an example of what I meant, here is a post that someone just sent me... https://github.com/HFenter/MarginBothttps://bitcointalk.org/index.php?topic=865250.0Here is a bot for the swaps market that prioritizes keeping it active, it doesn't care the rate, it would just prefer that its funds are always in use. With no FRR, this would be the norm. The simple fact remains, that as long as people can get something, rather than nothing, they will probably take it. That being said, I really want to update the FRR, and hopefully it makes it more responsive. |
|
|
|
|
2586
Member
Offline
Activity: 77
Merit: 13
|
|
November 20, 2014, 10:16:26 PM
Last edit: November 20, 2014, 10:30:55 PM by 2586 |
|
As an example of what I meant, here is a post that someone just sent me... https://github.com/HFenter/MarginBothttps://bitcointalk.org/index.php?topic=865250.0Here is a bot for the swaps market that prioritizes keeping it active, it doesn't care the rate, it would just prefer that its funds are always in use. With no FRR, this would be the norm. The simple fact remains, that as long as people can get something, rather than nothing, they will probably take it. That being said, I really want to update the FRR, and hopefully it makes it more responsive. Most lenders will not use that bot, and will instead opt to use whatever on-site autolending facility Bitfinex provides. That said, if everyone did start using that bot, it would be a great improvement over the FRR. MarginBot places a range of offers, rather than dumping everything at a single rate. You can configure a minimum rate to lend at, as well as an amount of your funds to reserve for lending at higher rates. Everyone using it would configure it with different parameters to suit their tastes. We would no longer have the massive, market-distorting wall of offers at a single point on the offer book. |
|
|
|
|
2586
Member
Offline
Activity: 77
Merit: 13
|
|
November 20, 2014, 10:56:15 PM
Last edit: November 21, 2014, 04:30:07 AM by 2586 |
|
Speaking of bots, I'm testing one that I just wrote (to be released soon), and I'm getting "Max retries exceeded" way before hitting the 60 requests per minute limit specified in the API documentation. The strange thing is that the bot has been running fine all day, but choked twice in a row just now. Is there some other hidden limit that I'm running afoul of?
EDIT: Nevermind, it looks like it was just a regular connection error. Wording of the exception threw me off.
|
|
|
|
|
Sukrim
Legendary
Offline
Activity: 2618
Merit: 1006
|
|
November 20, 2014, 11:55:33 PM |
|
Since a mail by an address of the account owner seems to be enough to get rid of 2FA, please look into various ways to spoof this ( http://en.wikipedia.org/wiki/Email_spoofing) - hopefully you are aware that it is fairly trivial to send convincingly looking mail from any address... |
|
|
|
2586
Member
Offline
Activity: 77
Merit: 13
|
|
November 21, 2014, 05:38:59 AM |
|
Well, no time like the present: cascadebot: A simple (but effective) lending bot for BitfinexI've written a lending bot for Bitfinex that places lending offers at a high rate, then gradually lowers them until they're filled. You can specify starting rate, minimum rate, and how fast to lower your rates. This is intended as a proof of concept alternative to fractional reserve rate (FRR) loans. FRR lending heavily distorts the swap market on Bitfinex. My hope is that Bitfinex will remove the FRR, and implement an on-site version of this bot for lazy lenders (myself included) to use instead. Git repo: https://github.com/ah3dce/cascadebotBitcoin tips: 1Fk1G8yVtXQLC1Eft4r1kS8e3SZyRaFwbM Requires Python 3 and the requests library: https://pypi.python.org/pypi/requests/Edit cascadebot.py and fill in the parameters. API key and secret are required, but the others have reasonable defaults. Once that's done, run the bot with: |
|
|
|
|
HowardF
Full Member
Offline
Activity: 145
Merit: 100
I do Stuff, and stuff.....
|
|
November 21, 2014, 07:18:16 AM |
|
As an example of what I meant, here is a post that someone just sent me... https://github.com/HFenter/MarginBothttps://bitcointalk.org/index.php?topic=865250.0Here is a bot for the swaps market that prioritizes keeping it active, it doesn't care the rate, it would just prefer that its funds are always in use. With no FRR, this would be the norm. The simple fact remains, that as long as people can get something, rather than nothing, they will probably take it. That being said, I really want to update the FRR, and hopefully it makes it more responsive. As the author of this bot, I'd like to point out this bot was originally developed specifically because of how frustrating the FRR is. It's not a "something rather than nothing" philosophy so much as "FRR wall breaks realistic lending rates, and keeping my money lent 100% of the time at least improves my return a little bit". I do very much care about the rate, I just came to accept most investors are lazy and will dump everything into FRR auto renew and never think another thought about it, and I had to figure out a way to combat that as best I could... I would also point out the 30 day returns with this bot are almost always much higher than FRR set and forget lenders returns are... |
|
|
|
HowardF
Full Member
Offline
Activity: 145
Merit: 100
I do Stuff, and stuff.....
|
|
November 21, 2014, 07:21:13 AM |
|
As an example of what I meant, here is a post that someone just sent me... https://github.com/HFenter/MarginBothttps://bitcointalk.org/index.php?topic=865250.0Here is a bot for the swaps market that prioritizes keeping it active, it doesn't care the rate, it would just prefer that its funds are always in use. With no FRR, this would be the norm. The simple fact remains, that as long as people can get something, rather than nothing, they will probably take it. That being said, I really want to update the FRR, and hopefully it makes it more responsive. Most lenders will not use that bot, and will instead opt to use whatever on-site autolending facility Bitfinex provides. That said, if everyone did start using that bot, it would be a great improvement over the FRR. MarginBot places a range of offers, rather than dumping everything at a single rate. You can configure a minimum rate to lend at, as well as an amount of your funds to reserve for lending at higher rates. Everyone using it would configure it with different parameters to suit their tastes. We would no longer have the massive, market-distorting wall of offers at a single point on the offer book. Exactly. FRR encourages building a massive wall at a specific rate, rather than a natural rate competition over a range of loans... it is very much the opposite of finding an actual fair market value. |
|
|
|
HowardF
Full Member
Offline
Activity: 145
Merit: 100
I do Stuff, and stuff.....
|
|
November 21, 2014, 07:27:12 AM |
|
As an example of what I meant, here is a post that someone just sent me...
Also... my bot has already garnered enough attention to be forwarded to BFX people? Nifty! |
|
|
|
|
Bagpipe
|
|
November 21, 2014, 08:10:59 AM |
|
Word of advice: never use market order buy/sell options.
They are fairly buggy. For example: in the orderbook are orders available. So you put 1 btc market buy order. Nothing happens for a second or two, no change in the orderbook either.. So you put another market buy order. Another seconds pass with the result that BOTH your market buy orders were awarded TOP prices well above what was in the orderbook 8 seconds before when you placed the orders. It is as if this was a competition...
Or worse: click "market buy" for a smaller sum repeatedly. You will SOON find that your active orders are full of LIMIT buy orders and you have NO CLUE WHY.
So, this is my bug report for today.
|
|
|
|
|
whatthesith
Copper Member
Member
Offline
Activity: 301
Merit: 10
simply getting the job done
|
|
November 21, 2014, 01:35:43 PM |
|
As an example of what I meant, here is a post that someone just sent me... https://github.com/HFenter/MarginBothttps://bitcointalk.org/index.php?topic=865250.0Here is a bot for the swaps market that prioritizes keeping it active, it doesn't care the rate, it would just prefer that its funds are always in use. With no FRR, this would be the norm. The simple fact remains, that as long as people can get something, rather than nothing, they will probably take it. That being said, I really want to update the FRR, and hopefully it makes it more responsive. As the author of this bot, I'd like to point out this bot was originally developed specifically because of how frustrating the FRR is. It's not a "something rather than nothing" philosophy so much as "FRR wall breaks realistic lending rates, and keeping my money lent 100% of the time at least improves my return a little bit". I do very much care about the rate, I just came to accept most investors are lazy and will dump everything into FRR auto renew and never think another thought about it, and I had to figure out a way to combat that as best I could... I would also point out the 30 day returns with this bot are almost always much higher than FRR set and forget lenders returns are... Thanks for development efforts. Would you like to let us know your current 30 days return? I would like to compare the performance my own lending bot to decide whether to change the bot. |
|
|
|
HowardF
Full Member
Offline
Activity: 145
Merit: 100
I do Stuff, and stuff.....
|
|
November 21, 2014, 03:33:26 PM |
|
Thanks for development efforts. Would you like to let us know your current 30 days return? I would like to compare the performance my own lending bot to decide whether to change the bot.
yeah, if you go to the original thread at: https://bitcointalk.org/index.php?topic=865250.msg9608362#msg9608362I posted my daily return % After Fees, and you can see that Sukrim posted his daily returns from using the FRR 30 days on autorenew as well, for comparison. I will try to get together a more complete list of my returns over the last few months to post there later today, but one problem I have with returns is I still use my main account (which is where my stats come from ) for other things, like occasional day trading and paying bills, etc, so the stats before mid October aren't 100% pristine (i used to occasionally pull money in and out during the lending day basically, which would tweak the stats a bit). I can give pretty much pristine stats through about 15th of Oct though, so I will definitely post those. EDIT: I should point out Sukrim's post is on EU time, so his stats show the date one day off of mine, ie: My Nov 1 = his Nov 2.... |
|
|
|
|
leen93
|
|
November 21, 2014, 04:39:43 PM |
|
my withdrawal got stuck in the processing phase  |
|
|
|
|
|
