Bitcoin Forum
Author Topic: TradeHill - Security Update - 2 factor authentication is live  (Read 3218 times)
Jered Kenna (TradeHill) (OP)
Sr. Member
July 13, 2011, 07:38:50 AM
Last edit: July 20, 2011, 07:17:10 PM by Jered Kenna (TradeHill)
 #1

Announcing the availability of Two Factor Authentication!
It's live, free and you can enable it in your profile (click your email address when logged in).

Security is always paramount on the web and even more important with Bitcoin.
The “ease of sending large funds globally” unfortunately has the potential to become the “ease of stealing large funds globally”.
With this in mind TradeHill set out to find well qualified security experts. Our search led us to Dug Song, Jon Oberheide and their  team at Duo Security.  

Regarding their qualifications and why we have decided to team up with them on this:

Dug Song, co-founder and CEO of Duo Security was most recently Chief Architect, Cloud Computing at Barracuda Networks, the worldwide leader in e-mail and web security appliances, and previously VP Engineering at Zattoo, a worldwide online cable operator which he helped grow 10x to 5 million European subscribers in 24 months. Dug spent 7 years as founding engineer and Chief Security Architect at Arbor Networks (over $120M annual revenue before acquisition by Tektronix in 2010), capturing over 70% of the world’s Tier-1 service providers, and the largest enterprise and defense networks. Prior to Arbor, Dug built the first commercial network anomaly detection system at Anzen Computing – acquired by NFR Security, acquired by Check Point (CHKP). He is well-known for his contributions to the security / open-source community, including OpenBSD and OpenSSH.

Jon Oberheide, co-founder and CTO, was previously a security researcher and PhD candidate at the University of Michigan. His research has resulted in over 20 publications and talks, been featured in mainstream and international press (such as his recent break of the Chinese Green Dam censorware), resulted in multiple provisional and subsequent patent applications, and pioneered the development of cloud-based detection of malicious software. Jon has also held R&D positions at Merit Networks and Arbor Networks, and is a frequent speaker at academic and industry security conferences on topics related to malicious software, cloud/virtualization security, and mobile device security.


How this will work for our users:
For detailed information visit their site at http://www.duosecurity.com/docs/authentication
We are offering 5 ways to authenticate your TradeHill login. All are optional; if you do not wish to activate 2-factor authentication, it won't be required.
You can activate this in your profile (click your email address when logged in).

Phone callback – You will receive a call, push a predesignated key to authenticate
Passcodes via SMS – Duo will send you a set of passcodes used to login
Passcodes via Duo Mobile – Your phone will generate a passcode (works offline)
Duo Push – Your phone will be sent a request when you try to log in
Hard tokens – We can ship you a physical token that will be used to login


The beauty of their system is how quick and simple it is to both implement and use. Within minutes you can be up and running.
Additionally there are even more advanced security features for Duo Push. Selecting Duo Push will "push" a login request to your phone.
You can review the specifics of the request (integration, location, etc.) and then approve or deny it instantly.
Click here for a quick 30 second video showcasing the various methods: http://www.youtube.com/watch?v=7N8pBVAWLwU

What will this enhanced security feature cost the user?

For the first month absolutely nothing. After we have evaluated the system in our live environment we will either continue to provide the service free of charge or deduct at most $0.99  (or BTC equivalent). If we can justify charging less we will. We feel confident that we can and the fee will most likely be lower. If we are able to pick up the tab completely ourselves then we will continue to offer the service for free. Regardless in the absolute worst case scenario this service will never cost the user more than $0.99 (or BTC equivalent)  per month. In the event we need to charge a fee for this service, we will announce it well ahead of time.

Your feedback is greatly  appreciated as always. I want to personally thank the community for everything you've given us and we would like to continue to provide you a safe and trusted place to exchange Bitcoins. We will be on onlyoneTV with Bruce today (July 13th) at 2PM EST and happy to speak more about upcoming changes to TradeHill and Bitcoin. If you have any questions please email us at info@tradehill.com


Regards,
Jered Kenna
TradeHill.com

www.facebook.com/tradehill
www.twitter.com/tradehill

Edit: I forgot to mention that at this point Duo Sec limits one user per mobile device but they have said this should change by the end of the month.





moneyandtech.com
@moneyandtech @jeredkenna
whenhowwho
Member
July 13, 2011, 07:57:13 AM
 #2

Interesting news. I find your take on security and how it needs to evolve to be on the right track. I do not think a fee for better security would be warranted at this stage simply because it is very early in the game yet. If it were me I would leave the service free for more than a month. Perhaps think of it as a loss leader until you reach a larger share of the trading market and by that time your transaction fees will more than cover costs and yield a profit.

Being quick to address issues and perceived issues is a big step in the right direction. Now if only it didn't take so long to fund and withdraw funds ;) . Keep up the good work!

1HUy7T9SyNLTJCVX3p8KzftApYdWgcsRqD
GeniuSxBoY
Hero Member
July 13, 2011, 08:04:05 AM
 #3

I agree, make it "free"... you can make money through trades.





Be humble!
Jered Kenna (TradeHill) (OP)
Sr. Member
July 13, 2011, 08:19:30 AM
 #4

Interesting news. I find your take on security and how it needs to evolve to be on the right track. I do not think a fee for better security would be warranted at this stage simply because it is very early in the game yet. If it were me I would leave the service free for more than a month. Perhaps think of it as a loss leader until you reach a larger share of the trading market and by that time your transaction fees will more than cover costs and yield a profit.

Being quick to address issues and perceived issues is a big step in the right direction. Now if only it didn't take so long to fund and withdraw funds ;) . Keep up the good work!

Thanks for your feedback.
We would like to leave it free and I can promise we will never profit off enhancing security like this. If we charge in the future it will continue to be what we pay per user at most.
This is a top notch security solution and quality is never cheap. Our goal is to lower the cost and this month will serve as a trial.


In regards to transaction times we're working on it and balancing speed vs security. Today we caught a hacked Dwolla account that would have been missed without our manual verification.
We prevented a theft of somewhere around $500 that may have gotten out if we were fully automated. Ideally speed shouldn't  have to be sacrificed for security in most cases and we now have someone at the helm 24 hours a day to answer emails and review transfers. The speed and security should both be increasing simultaneously.

Regards,
Jered

moneyandtech.com
@moneyandtech @jeredkenna
whenhowwho
Member
July 13, 2011, 08:22:24 AM
 #5

Interesting news. I find your take on security and how it needs to evolve to be on the right track. I do not think a fee for better security would be warranted at this stage simply because it is very early in the game yet. If it were me I would leave the service free for more than a month. Perhaps think of it as a loss leader until you reach a larger share of the trading market and by that time your transaction fees will more than cover costs and yield a profit.

Being quick to address issues and perceived issues is a big step in the right direction. Now if only it didn't take so long to fund and withdraw funds ;) . Keep up the good work!

Thanks for your feedback.
We would like to leave it free and I can promise we will never profit off enhancing security like this. If we charge in the future it will continue to be what we pay per user at most.
This is a top notch security solution and quality is never cheap. Our goal is to lower the cost and this month will serve as a trial.


In regards to transaction times we're working on it and balancing speed vs security. Today we caught a hacked Dwolla account that would have been missed without our manual verification.
We prevented a theft of somewhere around $500 that may have gotten out if we were fully automated. Ideally speed shouldn't  have to be sacrificed for security in most cases and we now have someone at the helm 24 hours a day to answer emails and review transfers. The speed and security should both be increasing simultaneously.

Regards,
Jered

This too is awesome news. Thanks for your quick reply. I have to send you a pm for something else that just popped into my head which may be very important.

1HUy7T9SyNLTJCVX3p8KzftApYdWgcsRqD
haydent
Full Member
July 13, 2011, 09:03:45 AM
 #6

TH can you do something about this ?? :

http://forum.bitcoin.org/index.php?topic=24988.msg349060#msg349060

2x Gigabyte 6950 OC @ 920/450 w/ ati tray tools (1 shader modded) - 760Mhs on ozco.in 0% fee aus pool
btc: 1HS5Brzcsh7XkJn566XYbvfpa2JuBRBdss
ShaggyB (BitCoinWorldMarket)
Newbie
July 13, 2011, 09:05:59 AM
 #7

Congrats guys! The more security focused we all are the better off the community will be.
haydent
Full Member
July 13, 2011, 09:18:55 AM
 #8

push system works well, just set it up and logged in.

 but note in AU our phone number is generally written as 0435223227 but you must enter it as 435223227

 (this is not my number)

2x Gigabyte 6950 OC @ 920/450 w/ ati tray tools (1 shader modded) - 760Mhs on ozco.in 0% fee aus pool
btc: 1HS5Brzcsh7XkJn566XYbvfpa2JuBRBdss
the joint
Legendary
July 13, 2011, 09:23:33 AM
 #9

push system works well, just set it up and logged in.

 but note in AU our phone number is generally written as 0435223227 but you must enter it as 435223227

 (this is not my number)

New security works for me too.  Brownie points. 
haydent
Full Member
July 13, 2011, 09:37:30 AM
 #10

also why the heck do all of a sudden have to be logged in to access this page that i could b4 Huh

i want to be able to access this page and check market data without having to go through 2 factor auth !!

how come USD is open but not AUD

https://www.tradehill.com/MarketData/AUD


edit:

this works and loads default USD: https://www.tradehill.com/MarketData/

but any link on that page makes you have to login.... Lame'O

2x Gigabyte 6950 OC @ 920/450 w/ ati tray tools (1 shader modded) - 760Mhs on ozco.in 0% fee aus pool
btc: 1HS5Brzcsh7XkJn566XYbvfpa2JuBRBdss
luv2drnkbr
Hero Member
July 13, 2011, 10:00:43 AM
 #11

omg awesome works amazing

Oldminer
Legendary
July 13, 2011, 10:09:47 AM
 #12

omg awesome works amazing

+1

I think this together with the new site currently in production, once released, could see MtGox being left behind very quickly.

If you like my post please feel free to give me some positive rep https://bitcointalk.org/index.php?action=trust;u=18639
Tip me BTC: 1FBmoYijXVizfYk25CpiN8Eds9J6YiRDaX
Isepick
Full Member
July 13, 2011, 10:48:52 AM
Last edit: July 13, 2011, 11:08:45 AM by Isepick
 #13

Works great, thank you. I for one have no problem paying a $1/month to make sure that I am the only person that can log in to my account. People asking you to provide extra security for free that you are having to outsource are being unrealistic in their expectations. With the two-step authentication being optional on an account, anybody who doesn't want to pay a $1/month can simply elect to not use it.  Kudos to you for not trying to make a profit on the two-step fees, when you could have just as easily charged *everyone* a slightly higher commission fee and made a lot more in the long run.
tanerlorn
Member
July 13, 2011, 10:58:51 AM
 #14

omg awesome works amazing

+1

I think this together with the new site currently in production, once released, could see MtGox being left behind very quickly.

Except mtgox sent the same thing to all their customers affected by the breach. And has it available for new users by request, I think.

Not to take anything away from Trade Hill, this is an outstanding business move. Everyone should get one of these (the physical token).

And the market seems to have possibly even reacted to this news. For the longest time it was slightly better to have mtgox usd, even after the hacking, btc prices would be like a few cents lower on mtgox, showing that the market valued mtgox usd more. However, looking at the market for the first time now I see Trade Hill usd is being valued higher than mtgox usd, as 14 Trade Hill usd will get you a bitcoin, as opposed to (the outrageous) 14.1 mtgox usd. I know where I'm trading if I need to sell some btc, at least at the current prices.
Isepick
Full Member
July 13, 2011, 11:31:31 AM
 #15

Physical tokens are not for everyone. As someone who is always on the move and works in industrial environments regularly, it is not feasible for me carry around another usb stick everywhere I go. I would hate to be locked out of my account for a few days simply because I lost the physical token. On the other hand, I am never without my phone, so sms notifications work great for me. I don't see any other exchange providing that kind of service.
tanerlorn
Member
July 13, 2011, 12:01:46 PM
 #16

Physical tokens are not for everyone. As someone who is always on the move and works in industrial environments regularly, it is not feasible for me carry around another usb stick everywhere I go. I would hate to be locked out of my account for a few days simply because I lost the physical token. On the other hand, I am never without my phone, so sms notifications work great for me. I don't see any other exchange providing that kind of service.

Good point. I think the token is best for the vast majority of people, but the phone service for customers like you who do need it is a great move.
haydent
Full Member
July 13, 2011, 12:21:51 PM
 #17

During TH auth setup a token option didn't appear as an option. I imagine it's something you will have to order and pay for at a later date when they become available....

2x Gigabyte 6950 OC @ 920/450 w/ ati tray tools (1 shader modded) - 760Mhs on ozco.in 0% fee aus pool
btc: 1HS5Brzcsh7XkJn566XYbvfpa2JuBRBdss
Jered Kenna (TradeHill) (OP)
Sr. Member
July 13, 2011, 02:16:25 PM
 #18

also why the heck do all of a sudden have to be logged in to access this page that i could b4 Huh

this works and loads default USD: https://www.tradehill.com/MarketData/

but any link on that page makes you have to login.... Lame'O

Thanks for pointing that out. It looks like they might have gotten a little overzealous when they were locking pages down with the Duo Sec.
It should be an easy fix and I let them know. You shouldn't have to log in to look at market data.
Also they have raised (I believe it's in effect) the logout timer which was pretty short.


In regards to the Token, we haven't shipped any so we haven't enabled the feature.
We wanted to get a feel for how much demand there is and buy them in bulk so we can offer the lowest price possible.
When we determine a price we will enable it as a withdraw feature and you can pay directly from your TradeHill balance.

-Jered

moneyandtech.com
@moneyandtech @jeredkenna
bitfon
Full Member
July 13, 2011, 04:24:10 PM
 #19

Am I the only one who had phone verification turned on without requesting it, and am now locked out of my account?

ForEasy.me helps you invest in Bitcoin and other cryptocurrencies automatically and at a favorable price. The averaging strategy works for you. Start now!
Jered Kenna (TradeHill) (OP)
Sr. Member
July 13, 2011, 04:39:04 PM
 #20

Am I the only one who had phone verification turned on without requesting it, and am now locked out of my account?

This is the only one that I've heard of. I'll look into it; send an email to info@tradehill.com
Send us your user name and we'll get this taken care of.

-Jered

moneyandtech.com
@moneyandtech @jeredkenna