Bitcoin Forum
Author Topic: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc  (Read 4568 times)
Jered Kenna (TradeHill) (Sr. Member, Activity: 420)
June 30, 2011, 07:25:26 PM  #1

TradeHill – Security Update – Round 1 (PCI Compliance)

Immediately after the Mt Gox hack and database leak was announced we shut down our site to provide adequate time for users to reset their passwords. We noticed there were considerable attempts to brute force accounts that had the same user name on Mt Gox and TradeHill. In response we installed a captcha system and auto locked out accounts with too many failed login attempts. To the best of our knowledge this was 100% effective and we have not received one email concerning a compromised account on TradeHill.com.

TradeHill is proud to announce that our first round of security upgrades is complete.
We will be continuing to release updates regarding our security and upgrades to TradeHill.com

TradeHill is now PCI Compliant.

We have completed and passed a security audit by Trust Guard, the leading online 3rd party website verification service. Trust Guard has searched our site for over 43,000 known vulnerabilities including SQL injection, XSS and many more and performed an ASV certified scan. This can be verified with the Trust Guard seal on our main page before you log in (when logged in it goes away to avoid clutter).

Our site will be scanned daily for new vulnerabilities and if detected they will be taken care of immediately.

Additionally we have had our corporate contact information (US address and phone numbers) verified to confirm that we are operating in the United States as well as Chile.

User privacy is a very serious issue.
We have updated our privacy policy and are now compliant with:

The Federal Trade Commission Fair Information Practices.
The California Online Privacy Protection Act.
The Children's Online Privacy Protection Act.
The Privacy Alliance guidelines.
The CAN-SPAM Act.

We believe that this is the bare minimum that an exchange should be operating at.

PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAfee doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.

We are continuing to improve our security and will release updates as information becomes available. At the moment our source code and procedures are being verified by a 3rd party as well and we are working with top names in the security business. We will be happy to release their findings when they are complete.

We are also implementing dual authentication and other security features which will be announced soon.

moneyandtech.com
@moneyandtech @jeredkenna
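The announcement above describes two controls against the credential-stuffing wave that followed the Mt Gox leak: a captcha step-up and an automatic lockout after too many failed logins. The following is an added example, not TradeHill's code, showing how such a guard is commonly structured: failures are counted per account in a sliding window, a captcha is demanded after a few, and the account is locked after more. The thresholds, window, lock duration and the sample login events are all constructed for the example.

```python
"""Failed-login throttling with captcha step-up and temporary lockout.
Added example; thresholds below are assumptions, not TradeHill's settings."""
from collections import defaultdict, deque

# Assumed policy values (constructed for this example).
CAPTCHA_AFTER = 3         # failures in the window before a captcha is required
LOCK_AFTER = 8            # failures in the window before the account is locked
WINDOW_SECONDS = 15 * 60  # failures older than this are forgotten
LOCK_SECONDS = 30 * 60    # how long a lock lasts


class LoginGuard:
    """Tracks failed logins per account and decides whether the next
    attempt may proceed normally, needs a captcha, or is locked out."""

    def __init__(self):
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> unlock time

    def _prune(self, account, now):
        """Drop failures that fell out of the sliding window; return the count."""
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def status(self, account, now):
        """Return 'locked', 'captcha' or 'ok' for the next login attempt."""
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return "locked"
            # Lock expired: forget it and start the failure count afresh.
            del self._locked_until[account]
            self._failures[account].clear()
        n = self._prune(account, now)
        return "captcha" if n >= CAPTCHA_AFTER else "ok"

    def record_failure(self, account, now):
        """Count a failed attempt; lock the account when the threshold is hit."""
        self._failures[account].append(now)
        if self._prune(account, now) >= LOCK_AFTER:
            self._locked_until[account] = now + LOCK_SECONDS

    def record_success(self, account, now):
        """A successful login clears the account's failure history."""
        self._failures[account].clear()


# Constructed sample login log: (timestamp, account, outcome). Not real data.
# "alice" is hammered with ten failures five seconds apart; "bob" mistypes
# once and then logs in normally.
SAMPLE_EVENTS = [(t, "alice", "fail") for t in range(0, 50, 5)] + [
    (120, "bob", "fail"), (125, "bob", "ok"), (130, "bob", "ok")]


def replay(events, guard=None):
    """Feed login events through the guard and return the status decided
    before each attempt, so one can see where captcha and lock kick in."""
    if guard is None:
        guard = LoginGuard()
    seen = []
    for ts, account, outcome in events:
        st = guard.status(account, ts)
        seen.append((ts, account, st))
        if st == "locked":
            continue              # attempt rejected outright, nothing recorded
        if outcome == "ok":
            guard.record_success(account, ts)
        else:
            guard.record_failure(account, ts)
    return guard, seen


if __name__ == "__main__":
    _, decisions = replay(SAMPLE_EVENTS)
    for ts, account, st in decisions:
        print(f"t={ts:4d} {account:6s} -> {st}")
```

Keying the counter on the account rather than the source address is what makes this effective against a distributed password-guessing campaign; the pruning step keeps an occasional typo from accumulating into a lock. In the constructed replay, alice's fourth attempt already requires a captcha and her ninth is refused, while bob's single mistake is wiped by his next successful login.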
BCwinning (Hero Member, Activity: 602)
June 30, 2011, 07:27:22 PM  #2

I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.

https://www.rixty.com?ref=1337507 sign up for rixty
privacy, it does the body good.
Official Bitcoin Foundation Secretariat
The New World Order thanks you for your support of Bitcoin and encourages your continuing support so that they may track your expenditures easier.
Yankee (BitInstant) (Legendary, Activity: 1078)
Charlie 'Van Bitcoin' Shrem
June 30, 2011, 07:34:20 PM  #3

I LOVE TRADEHILL

*closing gox account now*

Bitcoin pioneer. An apostle of Satoshi Nakamoto. A crusader for a new, better, tech-driven society. A dreamer.

More about me: http://CharlieShrem.com
Chick (Member, Activity: 70)
June 30, 2011, 07:38:13 PM  #4

According to the 4 levels of PCI certification, which level are you guys currently following?

You said that you've done network vulnerability scans, what about an annual SAQ? When it asks you if you've secured 'credit card holder data', just replace that with our 'Bitcoins'. lol.

darkwon (Jr. Member, Activity: 56)
June 30, 2011, 07:38:33 PM  #5

Nice, some much needed improvements.

Sign up for new Bitcoin Exchanges:

|| TradeHill || or || Bitcoin7 ||

(Using these links will give you a lifetime rebate on all fees)
Bunghole (Member, Activity: 64)
June 30, 2011, 07:40:41 PM  #6

Quote
I'd like to see the site log you out after x amount of time of inactivity.

Yeah - what he said ^^^
Jered Kenna (TradeHill) (Sr. Member, Activity: 420)
June 30, 2011, 07:42:27 PM  #7

Quote
I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.

We've received feedback from users that love not being logged out and more that would prefer the additional security.
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness Grin
We're coding it in as I write this and it should be live today after extensive testing.

Yankee: thanks for the feedback, more to come.

ius (Jr. Member, Activity: 56)
June 30, 2011, 07:43:55 PM  #8

Quote
PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAfee doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.

At least you acknowledge the uselessness of a seal. Really, it shouldn't be a selling point - every idiot can run nmap/nessus/acunetix <whatnot>..

Luckily (from Camp BX):
Quote
We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure

Means you're obviously 43x as secure as they are. Wink

In all seriousness, publishing a report of a manually performed pentest or source code audit (perhaps with selected individuals) would be useful - this is 99% marketing talk like TrustGuard/McAfee sells it to their customers. But it's good to see you're at least informing your clients...

PGP: 0xCC06E446 Bitcoin: 19kdfgW1KXQgV7SCLEPAojtHxN9xotGkGH
ius (Jr. Member, Activity: 56)
June 30, 2011, 07:46:24 PM  #9

Quote
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness  Grin
We're coding it in as I write this and it should be live today after extensive testing.

Solution: make it configurable up to a certain extent, with a tight default session length.

BCwinning (Hero Member, Activity: 602)
June 30, 2011, 07:47:00 PM  #10

Quote
I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.

We've received feedback from users that love not being logged out and more that would prefer the additional security.
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness Grin
We're coding it in as I write this and it should be live today after extensive testing.

Yankee: thanks for the feedback, more to come.

Sounds awesome. It did pain me to make this request, but I'm in the school where security needs to trump laziness.

Jered Kenna (TradeHill) (Sr. Member, Activity: 420)
June 30, 2011, 07:53:45 PM  #11

Quote
According to the 4 levels of PCI certification, which level are you guys currently following?

You said that you've done network vulnerability scans, what about an annual SAQ? When it asks you if you've secured 'credit card holder data', just replace that with our 'Bitcoins'. lol.

By volume we're 3 or 4 but we've only been live for 22 days. Also we're not taking credit cards but adhering to their standards regardless.
We've done the SAQ and treated the Bitcoins as credit info like you suggest. We're treating ourselves as level 2. The next step up is on site audits for level 1.
Obviously these are huge businesses like Amazon.com etc but we're willing to go through on site audits etc and would prefer to given some time.


Quote
PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAfee doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.

At least you acknowledge the uselessness of a seal. Really, it shouldn't be a selling point - every idiot can run nmap/nessus/acunetix <whatnot>..

Luckily (from Camp BX):
Quote
We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure

Means you're obviously 43x as secure as they are. Wink

In all seriousness, publishing a report of a manually performed pentest or source code audit (perhaps with selected individuals) would be useful - this is 99% marketing talk like TrustGuard/McAfee sells it to their customers. But it's good to see you're at least informing your clients...

We acknowledge that this is far from a silver bullet. Regardless there are probably sites operating that would have or would currently fail these tests. This clears up the major vulnerabilities and I'm happy that we didn't have to make any corrections when we received the audit. Our existing security was sufficient.

As I said before this should be a bare minimum and we have more to come.

BitcoinPorn (Hero Member, Activity: 560, Posts: 69)
June 30, 2011, 07:55:25 PM  #12

Well done Smiley

Jered Kenna (TradeHill) (Sr. Member, Activity: 420)
June 30, 2011, 07:56:22 PM  #13


Quote
Sounds awesome. It did pain me to make this request, but I'm in the school where security needs to trump laziness.

Agreed, so are we.
Of course you could always manually log out if there isn't a timer but this will cure forgetfulness as well as laziness.


Oldminer (Legendary, Activity: 1022)
June 30, 2011, 07:58:00 PM  #14

Even though I don't have a TradeHill account it's good to see the community as a whole becoming more security aware.

Best of luck with your venture.

If you like my post please feel free to give me some positive rep https://bitcointalk.org/index.php?action=trust;u=18639
Tip me BTC: 1FBmoYijXVizfYk25CpiN8Eds9J6YiRDaX
MeSarah (Full Member, Activity: 154)
June 30, 2011, 08:05:19 PM  #15

This is good news for the whole community. Although I've never heard of the seal provider so I looked it up. The four seals I reviewed were Trust Guard, Verisign, McAfee and Comodo. I still favor McAfee. Any trust seal with daily testing is better than nothing. Next seal to get, both TH and CBX, is the BBB seal. I know some don't like that seal and I can see some things about it I don't like as well. But it's yet another seal of approval from a respected institution. The BBB seal is not easy to get. You will have to show that you have been operating a website for at least a year.

MtGox now stands in the shadows of CBX and TH. Thank you TH and CBX for bringing confidence back to the BTC community.

I have a couple of questions. The phone number, is that a VOIP/Vonage type of phone number where you can get any area code you choose? The mailing address, is that just a drop box/mail forwarding service?


60 GH/s BFL Single SC - Pre-Order Yours Today!
`````` Only $1299.99 - butterflylabs.com ``````
phillipsjk (Legendary, Activity: 1008)
Let the chips fall where they may.
June 30, 2011, 08:11:10 PM  #16

I like that you now have a published mailing address. I can send you my public key fingerprint (CBDE CFB6 BB6A 2BB5 FDE1 01C5 3CF6 0C5E 1CFD A27B) out-of-band now.

Is trading possible with ECMA scripting disabled? I found I was not able to get your banking information without enabling scripting.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
BCwinning (Hero Member, Activity: 602)
June 30, 2011, 08:11:30 PM  #17

Of course I obviously can manually log out, that isn't the point though.
I thought that is a standard on financial sites, it's been the standard with what finance sites I use currently.
I could also not use the site but that isn't the point either right?


Jered Kenna (TradeHill) (Sr. Member, Activity: 420)
June 30, 2011, 08:24:43 PM  #18

Quote
Of course I obviously can manually log out, that isn't the point though.
I thought that is a standard on financial sites, it's been the standard with what finance sites I use currently.
I could also not use the site but that isn't the point either right?

10 minutes of inactivity now causes a logout.

Quote
I like that you now have a published mailing address. I can send you my public key fingerprint (CBDE CFB6 BB6A 2BB5 FDE1 01C5 3CF6 0C5E 1CFD A27B) out-of-band now.

Is trading possible with ECMA scripting disabled? I found I was not able to get your banking information without enabling scripting.

Let me get back to you on this one, I'm not a coder, I've sent an email to them.

Quote
This is good news for the whole community. Although I've never heard of the seal provider so I looked it up. The four seals I reviewed were Trust Guard, Verisign, McAfee and Comodo. I still favor McAfee. Any trust seal with daily testing is better than nothing. Next seal to get, both TH and CBX, is the BBB seal. I know some don't like that seal and I can see some things about it I don't like as well. But it's yet another seal of approval from a respected institution. The BBB seal is not easy to get. You will have to show that you have been operating a website for at least a year.

MtGox now stands in the shadows of CBX and TH. Thank you TH and CBX for bringing confidence back to the BTC community.

I have a couple of questions. The phone number, is that a VOIP/Vonage type of phone number where you can get any area code you choose? The mailing address, is that just a drop box/mail forwarding service?

Trust Guard has a similar seal to the BBB which we have. Basically it verifies that we are a business.
I may get the BBB if running another website for more than a year qualifies us. I need to look into that.

The phone number is VOIP and we can answer it in the US, Chile, our cell phones etc. We are handling the bulk of our communication via email though, it makes more sense when we need to look up accounts / send info with a link to block explorer etc.

The mailing address is an office we can use but most of us are in Chile at the moment so the mail gets forwarded.



phillipsjk (Legendary, Activity: 1008)
Let the chips fall where they may.
June 30, 2011, 08:26:00 PM  #19

I think some things standard on other sites are just security theater: Like "login seals" tied to browser cookies.
Or maybe, even CAPTCHAs you have to type in every time you log in.

Edit: 600 seconds is too short a time-out, IMO. It may not be too bad resetting every time you do something though. On this forum, the default 60 minute timeout logs you out, even if you are in the middle of browsing the forum.

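Two points raised in the thread, ius's suggestion (#9) that the idle limit be user-configurable with a tight default, and phillipsjk's remark (#19) that a 600-second timeout is tolerable if it resets on every action, can be shown together in one session store. This is an added example, not TradeHill's or the forum's code: the 600-second default is the value TradeHill posted above, while the one-hour ceiling, one-minute floor and the scenario timings are constructed assumptions.

```python
"""Idle-session timeout with sliding expiry and a clamped, user-chosen limit.
Added example (not TradeHill's code); bounds other than the 600 s default
are assumptions made for this illustration."""
import secrets

DEFAULT_IDLE_SECONDS = 600      # 10 minutes, the value stated in the thread
MAX_IDLE_SECONDS = 60 * 60      # assumed ceiling a user may extend to
MIN_IDLE_SECONDS = 60           # assumed floor so nobody picks 0


class SessionStore:
    """Server-side sessions keyed by an unguessable token. Every validated
    request resets the idle clock, so the timeout measures inactivity, not
    total session age (the forum-style absolute cutoff phillipsjk describes)."""

    def __init__(self):
        self._sessions = {}   # token -> {"user", "last_seen", "idle"}

    def create(self, user, now):
        """Start a session for a freshly authenticated user."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": now,
                                 "idle": DEFAULT_IDLE_SECONDS}
        return token

    def set_idle_seconds(self, token, requested):
        """Let the user choose an idle limit, clamped to the policy bounds."""
        s = self._sessions[token]
        s["idle"] = max(MIN_IDLE_SECONDS, min(int(requested), MAX_IDLE_SECONDS))
        return s["idle"]

    def touch(self, token, now):
        """Validate one request. Returns the user if the session is alive and
        slides the expiry forward; otherwise destroys the session and returns
        None so the caller can demand a fresh login."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > s["idle"]:
            del self._sessions[token]   # expired: drop it server-side too
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        """Explicit logout, which the timer complements rather than replaces."""
        self._sessions.pop(token, None)

    def active_count(self):
        return len(self._sessions)


def walkthrough():
    """Constructed scenario: requests every five minutes keep a session alive,
    a gap just over the limit kills it, and an over-long user-chosen limit
    is cut back to the cap. Timestamps are seconds, not real clock values."""
    store = SessionStore()
    tok = store.create("alice", now=0)
    alive = [store.touch(tok, t) for t in (300, 600, 900)]  # each gap is 300 s
    dead = store.touch(tok, 900 + 601)                       # 601 s idle: expired
    tok2 = store.create("bob", now=0)
    chosen = store.set_idle_seconds(tok2, 86400)             # asks for a day
    still = store.touch(tok2, 3000)                          # 50 min under the cap
    return alive, dead, chosen, still, store.active_count()


if __name__ == "__main__":
    print(walkthrough())
```

Note the expired session is deleted on the server, not merely refused: a client that keeps sending a stale token after the timeout gains nothing, which is the property a manual logout alone cannot give a user who simply forgot.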
RandyMarsh (Full Member, Activity: 237)
June 30, 2011, 08:29:02 PM  #20

Fantastic, they really are trying a lot harder than Gox I think

Stan?! STAN?!?!