TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc

[bitcoinTrader]

Jered,

Is there any way for me to change the email address in tradehill account?
I have been trading on tradehill without any issues till now.
So good work!

[1713575342]

1713575342

[1713575342]

1713575342

[1713575342]

1713575342

[Jered Kenna (TradeHill)]

Jered,

Is there any way for me to change the email address in tradehill account?
I have been trading on tradehill without any issues till now.
So good work!

We're working on that one, it's a little more complicated.
If you are only holding Bitcoins you could transfer them to a new account you create and request us to delete (or just leave  the old one).
Ideally you will be able to move BTC and currencies internally soon.
I'd suggest that if you were on the Gox list. I was and unfortunately had to do that as well with one account. I used a complex unique password but it's not worth the risk.

It's on the list but not at the top, we have other features / security issues that we think would benefit more people. Until we have a room full of programmers we're going to have to prioritize unfortunately.

Lamentably that's the best answer I can give you now but we'll give you the truth every time.

[KingFisher9]

You have significantly raised my confidence in Trade Hill. I'm glad I chose Trade Hill over Mt Gox and I will continue to do so

I have a suggestion that could help prevent theft. I think it would be a good idea to have a feature that will give users an option delay every withdrawal for 24 hours and to automatically send an email/sms every time a withdrawal is made. If the withdrawal is fraudulent then the account owner will be able to call a 24/7 fraud hotline and temporarily lock the account until the owner of the account is verified via a registered telephone number or a copy of a drivers license.

OR

How about an automated system that calls or sends an sms to verify a withdrawal. That way in order for an account to be hacked the hacker would also need to steal the account owners phone...which to me seems like an extremely unlikely scenario. 

[TheAlchemist]

Thanks for the info!  I definitely feel better now. My MtGox password was cracked (I thought it was pretty good--11 characters, including punctuation, numbers, and upper-/lower-case letters), so I'm pretty with how you store your passwords.
I hope to God it's not good. Hopefully something like.  Can you speak toward this?  I know it's a fairly technical question, but hey, this is Bitcoin land.

[Jered Kenna (TradeHill)]

You have significantly raised my confidence in Trade Hill. I'm glad I chose Trade Hill over Mt Gox and I will continue to do so

I have a suggestion that could help prevent theft. I think it would be a good idea to have a feature that will give users an option delay every withdrawal for 24 hours and to automatically send an email/sms every time a withdrawal is made. If the withdrawal is fraudulent then the account owner will be able to call a 24/7 fraud hotline and temporarily lock the account until the owner of the account is verified via a registered telephone number or a copy of a drivers license.

OR

How about an automated system that calls or sends an sms to verify a withdrawal. That way in order for an account to be hacked the hacker would also need to steal the account owners phone...which to me seems like an extremely unlikely scenario. 

We're actually working out the details on something like that which would be required to log in.
Obviously theft is the most likely reason someone would try to hack in but if we can prevent them from getting in then
we also prevent them from using someone else's funds to manipulate the market or just selling them all off.

[Jered Kenna (TradeHill)]

@Jered Kenna: Thanks for the info!  I definitely feel better now.

My MtGox password was cracked (I thought it was pretty good--11 characters, including punctuation, numbers, and upper-/lower-case letters), so I'm pretty concerned with how you store your passwords.

I hope to God it's not MD5-based. Hopefully something like http://en.wikipedia.org/wiki/PBKDF2.  Can you speak toward this?  I know it's a fairly technical question, but hey, this is Bitcoin land.

I will have to talk to the coders to get a more specific response but I know they are encrypted with something better than MD5 and salted.
I honestly believe we were secure before the Mt Gox hack but are more secure now and will continue to improve.

[Frank White]

good jobs guys!

[JohnDoe]

10 minutes of inactivity now causes a logout.

You should make it optional to not get logged out. That way both groups are happy.

[Jered Kenna (TradeHill)]

10 minutes of inactivity now causes a logout.

You should make it optional to not get logged out. That way both groups are happy.

That's the plan. When we've got more time to things like that we will.

For now the coders are working on things like
the API that's about to launch (I want to say tomorrow, it's working fine)
and focused on high priority items.

[bitsalame]

I was wondering how much safety would work this:
1) Cascade ciphering.
2) Dividing the final hash in two or more parts.
3) Storing the different parts of the hashes in different servers.

Such an exotic configuration would confuse any low level attacker who simply thinks about dumping databases.
There is some security through obscurity here, but tactically obscurity is always an ally.

And even if the attacker manages to match the hashes, brute forcing would be painfully slow.

[Jered Kenna (TradeHill)]

I was wondering how much safety would work this:
1) Cascade ciphering.
2) Dividing the final hash in two or more parts.
3) Storing the different parts of the hashes in different servers.

Such an exotic configuration would confuse any low level attacker who simply thinks about dumping databases.
There is some security through obscurity here, but tactically obscurity is always an ally.

And even if the attacker manages to match the hashes, brute forcing would be painfully slow.

We're exploring all reasonable options.
Splitting hashes up would make it extremely secure.
I'm not an expert on security though so we've hired someone who is.

If you have a long complex password and we hash / salt it that should be sufficient.
If your password is short / common words etc it's not even safe from more basic attacks.
A lot depends on the end user and their habits. We can always require longer / more complex passwords
but some users are going to be upset if they can't use "boobookitty" for their password.

[Jered Kenna (TradeHill)]

Based on feedback over the last several hours we've increased the time out from 10 minutes to 30 minutes.
It should also start over every time you visit a new page.

[KeyserSoze]

Next seal to get, both TH and CBX is the BBB seal. I know some dont like that seal and I can see some things about I dont like aswell. But its yet another seal of approval from a respected institution. The BBB seal is not easy to get.

BBB might not be the best seal to have...
http://today.msnbc.msn.com/id/43528394
http://abcnews.go.com/Blotter/business-bureau-best-ratings-money-buy/story?id=12123843
http://www.ketv.com/r/25776787/detail.html

[DrYe5]

How does Tradehill feel about the fact that people are spamming the general message board with ads for their service?

[Jered Kenna (TradeHill)]

How does Tradehill feel about the fact that people are spamming the general message board with ads for their service?

We've removed all the email spammers referral codes.
We don't think you should spam the boards with codes either and I believe the mods are putting a stop to that.
I could be wrong there. If you have it in your sig and you're happy with TradeHill and you want to talk about it that's fine.

If the mods want to ban referral codes in sigs that's fine and I can understand it.
I believe the bulk of the people would continue to say good things without referral codes.
I have an inbox full of positive feedback and they haven't tried to slip me a referral code.

I just ask if the mods are going to take an aggressive stance on anything they do so fairly.
There were a lot of posts claiming TradeHill was hacked after the Gox data was leaked and they were based on absolutely nothing.
We dealt with this by answering questions and being available for our users.

To sum it up, no one likes spam, be respectful. If you spam it all over the forums we'll take it away like we do on email.

-Jered

[TheAlchemist]

If you have a long complex password and we hash / salt it that should be sufficient.

Well's just the thing: MtGox did salt (AFAIK) and I -did- have a good password and it still bombed, mostly because I believe they only used 1 iteration of MD5. I lost some of my money. Sorry to be such a pain!

[Trader Steve]

TradeHill – Security Update – Round 1 (PCI Compliance)

Immediately after the Mt Gox hack and database leak was announced we shut down our site to provide adequate time for users to reset their passwords. We noticed there were considerable attempts to brute force accounts that had the same user name on Mt Gox and TradeHill. In response we installed a captcha system and auto locked out accounts with too many failed login attempts. To the best of our knowledge this was 100% effective and have not received one email concerning a compromised account on TradeHill.com   

TradeHill is proud to announce that our first round of security upgrades is complete.
We will be continuing to release updates regarding our security and upgrades to TradeHill.com

TradeHill is now PCI Compliant.

We have completed and passed a security audit by Trust Guard the leading online 3rd party website verification service. Trust Guard has searched our site for over 43,000 known vulnerabilities including SQL injection, XSS and many more and performed an ASV certified scan.  This can be verified with the Trust Guard seal on our main page before you log in (when logged in it goes away to avoid clutter).

Our site will be scanned daily for new vulnerabilities and if detected they will be taken care of immediately.

Additionally we have had our corporate contact information (US address and phone numbers) verified to confirm that we are operating in the United States as well as Chile.

User privacy is a very serious issue.
We have updated our privacy policy and are now compliant with:


The Federal Trade Commission Fair Information Practices.

The California Online Privacy Protection Act.

The Childrens Online Privacy Protection Act.

The Privacy Alliance guidelines.

The CAN-SPAM Act.



We believe that this is the bare minimum that an exchange should be operating at.

PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAffe doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago. 

We are continuing to improve our security and will release updates as information becomes available. At the moment our source code and procedures are being verified by a 3rd party as well and we are working with top names in the security business. We will be happy to release their findings when they are complete.

We are also implementing dual authentication and other security features which will be  announced soon.

+1

[airdata]

I currently can't login to tradehill.

Not sure what my password is, and there's no password recovery feature. 

[Jered Kenna (TradeHill)]

If you have a long complex password and we hash / salt it that should be sufficient.

Well's just the thing: MtGox did salt (AFAIK) and I -did- have a good password and it still bombed, mostly because I believe they only used 1 iteration of MD5.

That's why I mention PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2, RFC 2898--http://tools.ietf.org/html/rfc2898).  Hell, you couldn't rely on BlackBerry encryption for a while, as ElcomSoft found out that RIM only used one iteration of AES256.  (Apple's iOS uses 10,000 iterations, IIRC).

I'm no security / crypto expect by any means, but I think I got most of that right.  I'm more worried about my BitCoins at TradeHill than I am, say, about my regular bank and USD because of the pseudo-anonymous nature of BTC.

Sorry to be such a pain!

I should have said "properly hashed". MD5 won't cut it.
I agree with you on being more concerned with your Bitcoins than your USD. Not only is it pseudo-anonymous it's non reversible.
The USD we hold is a lot easier to take care of. The Bitcoins get a lot more time put in to securely managing them.

-Jered

[Jered Kenna (TradeHill)]

I currently can't login to tradehill.

Not sure what my password is, and there's no password recovery feature. 

Send us an email

info@tradehill.com

We'll get it taken care of right now.

-Jered