Bitcoin Forum
December 13, 2024, 10:22:05 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: An Open Security Challenge to Online Bitcoin Businesses  (Read 911 times)
coastermonger (OP)
Sr. Member
****
Offline Offline

Activity: 367
Merit: 250

Find me at Bitrated


View Profile
September 15, 2013, 07:12:01 PM
Last edit: September 16, 2013, 06:57:42 AM by coastermonger
 #1

If your website ever holds the Bitcoin of someone else, then this is your challenge to improve client-side security:

Hardware wallets are great, but sometimes it's necessary to do business online.  Exchanges, merchants, online wallets, and any site that stores users' bitcoin should give customers the OPTION to enable the following security measures.  They are not foolproof, but they will go a long way

1) Allow users to specify that a positive email confirmation is mandatory in order to withdraw funds
2) Allow users to lock bitcoin withdrawals so they can only be sent to a specific address (or handful of addresses) from your site
3) Allow users to specify a mandatory waiting period that must transpire before withdrawals are sent, allowing them time to intercept and report unauthorized access
4) Allow users the option to specify maximum limits on the amount of bitcoin that can be withdrawn in a given time frame
5) Allow users the option to specify specific computers that can interface with your site, so that no devices anywhere else may log in
6) Allow users the ability to mandate 2-factor authentication NOT just on log in, but for every transfer/buy/sell/security action on your site.


If you can enable all of these things, you will empower your userbase with powerful tools for their online bitcoin security.  You will make your site less of a target for bitcoin theft.  You will avoid having more awkward conversations with angry customers about why their funds were stolen from your site.  You will find people praising you for your forward thinking and progressive approach to bitcoin security.  NO it's not bulletproof.  They will still have to be careful you will still have to protect private keys.  But giving people these OPTIONS is a step in the right direction.

-Make it happen.



Bitrated user: Rees.
MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756
Merit: 522



View Profile
September 16, 2013, 12:13:49 AM
 #2

Your notions of security proceed from fundamentally flawed premises. This is why pronouncements on specialist topics by the random forumer are not particularly valuable.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
mechs
Full Member
***
Offline Offline

Activity: 210
Merit: 100



View Profile
September 16, 2013, 12:16:08 AM
 #3

Your notions of security proceed from fundamentally flawed premises. This is why pronouncements on specialist topics by the random forumer are not particularly valuable.
Although none of these things will help if there a security vulnerability that allows root access, it does much to help from the script-kiddie trojan droppers.  Yubikey is an excellent method as well, arguably better than google auth.
coastermonger (OP)
Sr. Member
****
Offline Offline

Activity: 367
Merit: 250

Find me at Bitrated


View Profile
September 16, 2013, 03:14:14 AM
Last edit: September 16, 2013, 07:00:40 AM by coastermonger
 #4

Your notions of security proceed from fundamentally flawed premises. This is why pronouncements on specialist topics by the random forumer are not particularly valuable.

You are correct that this is not the be-all, end-all for security. I am well aware of the limitations of such security measures because they are client side only.  The website owners still have to protect their end.  But if you concede these tools will help somewhat, then it's a step in the right direction.  If enabled, these would prevent some of the attacks that we commonly see.

Bitrated user: Rees.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!