Bitcoin Forum
Topic: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc (Read 5112 times)
Jered Kenna (TradeHill) (OP), Sr. Member
June 30, 2011, 07:25:26 PM, #1

TradeHill – Security Update – Round 1 (PCI Compliance)

Immediately after the Mt Gox hack and database leak was announced we shut down our site to provide adequate time for users to reset their passwords. We noticed there were considerable attempts to brute force accounts that had the same user name on Mt Gox and TradeHill. In response we installed a captcha system and auto locked out accounts with too many failed login attempts. To the best of our knowledge this was 100% effective and we have not received one email concerning a compromised account on TradeHill.com.

TradeHill is proud to announce that our first round of security upgrades is complete.
We will be continuing to release updates regarding our security and upgrades to TradeHill.com

TradeHill is now PCI Compliant.

We have completed and passed a security audit by Trust Guard, the leading online 3rd party website verification service. Trust Guard has searched our site for over 43,000 known vulnerabilities including SQL injection, XSS and many more and performed an ASV certified scan. This can be verified with the Trust Guard seal on our main page before you log in (when logged in it goes away to avoid clutter).

Our site will be scanned daily for new vulnerabilities and if detected they will be taken care of immediately.

Additionally we have had our corporate contact information (US address and phone numbers) verified to confirm that we are operating in the United States as well as Chile.

User privacy is a very serious issue.
We have updated our privacy policy and are now compliant with:

The Federal Trade Commission Fair Information Practices.
The California Online Privacy Protection Act.
The Children's Online Privacy Protection Act.
The Privacy Alliance guidelines.
The CAN-SPAM Act.

We believe that this is the bare minimum that an exchange should be operating at.

PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAfee doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.

We are continuing to improve our security and will release updates as information becomes available. At the moment our source code and procedures are being verified by a 3rd party as well and we are working with top names in the security business. We will be happy to release their findings when they are complete.

We are also implementing dual authentication and other security features which will be announced soon.
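The failed-login response the post describes (CAPTCHA, then automatic lockout), as an added example that is not TradeHill's code: per-account tracking of recent failures that first demands a CAPTCHA and only later locks the account for a cooling-off period, so a credential-stuffing run cannot trivially lock legitimate users out. All thresholds and windows are assumed values.

```python
# Added example (not TradeHill's code): failed-login policy with a CAPTCHA
# stage before an account lock. Thresholds below are assumptions.
import time
from dataclasses import dataclass, field

CAPTCHA_AFTER = 3        # failures before a CAPTCHA is demanded (assumed)
LOCK_AFTER = 10          # failures before the account is locked (assumed)
WINDOW = 15 * 60         # failures older than this are forgotten (assumed)
LOCK_SECONDS = 30 * 60   # lockout duration (assumed)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing
        self.state = {}             # user name -> AccountState

    def _prune(self, st, now):
        # Forget failures outside the sliding window so an old burst
        # does not punish the user forever.
        st.failures = [t for t in st.failures if now - t < WINDOW]

    def status(self, user):
        """Return 'ok', 'captcha' or 'locked' for the user's next attempt."""
        st = self.state.setdefault(user, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        self._prune(st, now)
        return "captcha" if len(st.failures) >= CAPTCHA_AFTER else "ok"

    def record(self, user, success):
        """Record the outcome of an attempt; a success clears the counter."""
        st = self.state.setdefault(user, AccountState())
        now = self.clock()
        if success:
            st.failures.clear()
            return
        self._prune(st, now)
        st.failures.append(now)
        if len(st.failures) >= LOCK_AFTER:
            st.locked_until = now + LOCK_SECONDS
```

The CAPTCHA stage is the part that matters against a leaked user list: it slows automated guessing without handing an attacker an easy way to lock out every account on the list.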
BCwinning, Hero Member
June 30, 2011, 07:27:22 PM, #2

I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.
Yankee (BitInstant), Legendary
June 30, 2011, 07:34:20 PM, #3

I LOVE TRADEHILL

*closing gox account now*
Chick, Member
June 30, 2011, 07:38:13 PM, #4

According to the 4 levels of PCI certification, which level are you guys currently following?

You said that you've done network vulnerability scans, what about an annual SAQ? When it asks you if you've secured 'credit card holder data', just replace that with our 'Bitcoins'. lol.

darkwon, Newbie
June 30, 2011, 07:38:33 PM, #5

Nice, some much needed improvements.
Bunghole, Member
June 30, 2011, 07:40:41 PM, #6

Quote
I'd like to see the site log you out after x amount of time of inactivity.

Yeah - what he said ^^^
Jered Kenna (TradeHill) (OP), Sr. Member
June 30, 2011, 07:42:27 PM, #7

Quote
I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.

We've received feedback from users that love not being logged out and more that would prefer the additional security.
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness.
We're coding it in as I write this and it should be live today after extensive testing.

Yankee: thanks for the feedback, more to come.
ius, Newbie
June 30, 2011, 07:43:55 PM, #8

Quote
PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAfee doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.

At least you acknowledge the uselessness of a seal. Really, it shouldn't be a selling point - every idiot can run nmap/nessus/acunetix <whatnot>...

Luckily (from Camp BX):
Quote
We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure

Means you're obviously 43x as secure as they are.

In all seriousness, publishing a report of a manually performed pentest or source code audit (perhaps with selected individuals) would be useful - this is 99% marketing talk like TrustGuard/McAfee sells it to their customers. But it's good to see you're at least informing your clients...
ius, Newbie
June 30, 2011, 07:46:24 PM, #9

Quote
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness.
We're coding it in as I write this and it should be live today after extensive testing.

Solution: make it configurable up to a certain extent, with a tight default session length.
BCwinning, Hero Member
June 30, 2011, 07:47:00 PM, #10

Quote
Quote
I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.

We've received feedback from users that love not being logged out and more that would prefer the additional security.
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness.
We're coding it in as I write this and it should be live today after extensive testing.

Yankee: thanks for the feedback, more to come.

Sounds awesome. It did pain me to make this request, but I'm in the school where security needs to trump laziness.
Jered Kenna (TradeHill) (OP), Sr. Member
June 30, 2011, 07:53:45 PM, #11

Quote
According to the 4 levels of PCI certification, which level are you guys currently following?

You said that you've done network vulnerability scans, what about an annual SAQ? When it asks you if you've secured 'credit card holder data', just replace that with our 'Bitcoins'. lol.

By volume we're 3 or 4 but we've only been live for 22 days. Also we're not taking credit cards but adhering to their standards regardless.
We've done the SAQ and treated the Bitcoins as credit info like you suggest. We're treating ourselves as level 2. The next step up is on site audits for level 1.
Obviously these are huge businesses like Amazon.com etc but we're willing to go through on site audits etc and would prefer to given some time.


Quote
PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAfee doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.

At least you acknowledge the uselessness of a seal. Really, it shouldn't be a selling point - every idiot can run nmap/nessus/acunetix <whatnot>...

Luckily (from Camp BX):
Quote
We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure

Means you're obviously 43x as secure as they are.

In all seriousness, publishing a report of a manually performed pentest or source code audit (perhaps with selected individuals) would be useful - this is 99% marketing talk like TrustGuard/McAfee sells it to their customers. But it's good to see you're at least informing your clients...

We acknowledge that this is far from a silver bullet. Regardless there are probably sites operating that would have or would currently fail these tests. This clears up the major vulnerabilities and I'm happy that we didn't have to make any corrections when we received the audit. Our existing security was sufficient.

As I said before this should be a bare minimum and we have more to come.
BitcoinPorn, Hero Member
June 30, 2011, 07:55:25 PM, #12

Well done.

Jered Kenna (TradeHill) (OP), Sr. Member
June 30, 2011, 07:56:22 PM, #13

Quote
Sounds awesome. It did pain me to make this request, but I'm in the school where security needs to trump laziness.

Agreed, so are we.
Of course you could always manually log out if there isn't a timer but this will cure forgetfulness as well as laziness.
Oldminer, Legendary
June 30, 2011, 07:58:00 PM, #14

Even though I don't have a TradeHill account it's good to see the community as a whole becoming more security aware.

Best of luck with your venture.
MeSarah, Full Member
June 30, 2011, 08:05:19 PM, #15

This is good news for the whole community. Although I've never heard of the seal provider so I looked it up. The four seals I reviewed were Trust Guard, Verisign, McAfee and Comodo. I still favor McAfee. Any trust seal with daily testing is better than nothing. Next seal to get, both TH and CBX, is the BBB seal. I know some don't like that seal and I can see some things about it I don't like as well. But it's yet another seal of approval from a respected institution. The BBB seal is not easy to get. You will have to show that you have been operating a website for at least a year.

MtGox now stands in the shadows of CBX and TH. Thank you TH and CBX for bringing confidence back to the BTC community.

I have a couple of questions. The phone number, is that a VOIP/Vonage type of phone number where you can get any area code you choose? The mailing address, is that just a drop box/mail forwarding service?
phillipsjk, Legendary
June 30, 2011, 08:11:10 PM, #16

I like that you now have a published mailing address. I can send you my public key fingerprint (CBDE CFB6 BB6A 2BB5 FDE1 01C5 3CF6 0C5E 1CFD A27B) out-of-band now.

Is trading possible with ECMA scripting disabled? I found I was not able to get your banking information without enabling scripting.
BCwinning, Hero Member
June 30, 2011, 08:11:30 PM, #17

Of course I obviously can manually log out, that isn't the point though.
I thought that is a standard on financial sites, it's been the standard with what finance sites I use currently.
I could also not use the site but that isn't the point either right?
Jered Kenna (TradeHill) (OP), Sr. Member
June 30, 2011, 08:24:43 PM, #18

Quote
Of course I obviously can manually log out, that isn't the point though.
I thought that is a standard on financial sites, it's been the standard with what finance sites I use currently.
I could also not use the site but that isn't the point either right?

10 minutes of inactivity now causes a logout.

Quote
I like that you now have a published mailing address. I can send you my public key fingerprint (CBDE CFB6 BB6A 2BB5 FDE1 01C5 3CF6 0C5E 1CFD A27B) out-of-band now.

Is trading possible with ECMA scripting disabled? I found I was not able to get your banking information without enabling scripting.

Let me get back to you on this one, I'm not a coder, I've sent an email to them.

Quote
This is good news for the whole community. Although I've never heard of the seal provider so I looked it up. The four seals I reviewed were Trust Guard, Verisign, McAfee and Comodo. I still favor McAfee. Any trust seal with daily testing is better than nothing. Next seal to get, both TH and CBX, is the BBB seal. I know some don't like that seal and I can see some things about it I don't like as well. But it's yet another seal of approval from a respected institution. The BBB seal is not easy to get. You will have to show that you have been operating a website for at least a year.

MtGox now stands in the shadows of CBX and TH. Thank you TH and CBX for bringing confidence back to the BTC community.

I have a couple of questions. The phone number, is that a VOIP/Vonage type of phone number where you can get any area code you choose? The mailing address, is that just a drop box/mail forwarding service?

Trust Guard has a similar seal to the BBB which we have. Basically it verifies that we are a business.
I may get the BBB if running another website for more than a year qualifies us. I need to look in to that.

The phone number is VOIP and we can answer it in the US, Chile, our cell phones etc. We are handling the bulk of our communication via email though, it makes more sense when we need to look up accounts / send info with a link to block explorer etc.

The mailing address is an office we can use but most of us are in Chile at the moment so the mail gets forwarded.
phillipsjk, Legendary
June 30, 2011, 08:26:00 PM, #19

I think some things standard on other sites are just security theater: Like "login seals" tied to browser cookies.
Or maybe, even CAPTCHAs you have to type in every time you log in.

Edit: 600 seconds is too short a time-out, IMO. It may not be too bad resetting every time you do something though. On this forum, the default 60 minute timeout logs you out, even if you are in the middle of browsing the forum.
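The idle logout debated above, as an added example that is not TradeHill's or the forum's code: a sliding idle timeout that resets on every request (600 s default, as TradeHill chose), a user-adjustable limit clamped to a bounded range as ius suggested, and an absolute session lifetime of the kind that logs a forum user out even mid-browse. MIN_IDLE, MAX_IDLE and ABSOLUTE_LIFETIME are assumed values.

```python
# Added example (not TradeHill's code): server-side session expiry with a
# sliding idle timeout plus an absolute lifetime. Bounds are assumptions.
import time

DEFAULT_IDLE = 600             # 10 minutes of inactivity logs the user out
MIN_IDLE = 120                 # tightest setting a user may choose (assumed)
MAX_IDLE = 3600                # loosest setting a user may choose (assumed)
ABSOLUTE_LIFETIME = 8 * 3600   # re-login forced after 8 h regardless (assumed)


class Session:
    def __init__(self, user, idle_limit=DEFAULT_IDLE, clock=time.time):
        self.user = user
        self.clock = clock      # injectable for testing
        # Clamp the requested idle limit into the allowed range so "configurable"
        # never means "never expires".
        self.idle_limit = max(MIN_IDLE, min(MAX_IDLE, idle_limit))
        self.created = self.last_seen = clock()

    def touch(self):
        """Call on every authenticated request.

        Returns True and extends the idle window if the session is still valid,
        False if the user must log in again. The absolute lifetime is checked
        first: activity cannot extend it, unlike the idle window.
        """
        now = self.clock()
        if now - self.created > ABSOLUTE_LIFETIME:
            return False
        if now - self.last_seen > self.idle_limit:
            return False
        self.last_seen = now    # sliding window: activity resets the idle clock
        return True
```

With a sliding window a user who keeps trading is never interrupted at the 10 minute mark, which addresses the "600 seconds is too short" objection without loosening the default; the absolute lifetime is what bounds a stolen cookie's usefulness.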
RandyMarsh, Full Member
June 30, 2011, 08:29:02 PM, #20

Fantastic, they really are trying a lot harder than Gox I think.