Bitcoin Forum
Topic: Mt.Gox / exchanges should confirm bigger transactions by phone/SMS
fastandfurious
Full Member
Activity: 224
August 05, 2011, 09:53:59 AM
 #1

Because we know that all Bitcoin transactions are not reversible, and we know that many people have large amounts of USD money and Bitcoins at the exchanges, I think that, as a customer, if I want to have a safety net where the exchange calls me up, or even easier sends me an SMS, saying that they have gotten an order to withdraw, then I as a customer can just confirm this.

The mobile phone number shouldn't be possible to change easily; that way we know that the real account holder will get a notice. At the same time, Mt.Gox / the exchange waits 12 hours or so to get a confirmation from the real account holder. If someone has hacked the account, then they will not be able to withdraw the money.

fastandfurious
Full Member
Activity: 224
August 05, 2011, 09:57:55 AM
 #2

For example:

Mt.Gox gets a request for a withdrawal of 100 bitcoins -> Mt.Gox sends an SMS with a unique code -> the real account holder logs in and writes it in -> bitcoins are released to the new address
repentance
Hero Member
Activity: 840
August 05, 2011, 10:36:38 AM
 #3

The yubikey pretty much does the same thing as an SMS token would and it's probably more cost-effective from MtGox's point of view. The international SMS thing can be a bit of a problem, with not all carriers supporting some types of SMS (this used to be an issue with Twitter), and phone calls would be both expensive and impractical.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Rassah
Legendary
Activity: 1624
Director of Bitcoin100
August 05, 2011, 02:57:29 PM
 #4

Another option would be for users to change their own withdrawal limits (within the range already set up by MtGox), with the limit changes not going into effect for 24 to 48 hours after change, and an e-mail sent out warning about the change. That way, even if the daily withdrawal limit is $1000, I know that I don't ever need to withdraw more than maybe $50 a day and can limit all withdrawals to that, and if I need to withdraw a few $100's, I'm willing to wait a day for that to happen. Make a separate limit on Bitcoin, too. Limiting Bitcoin amount by its USD value can have problems if BTC market price drops.

kjj
Legendary
Activity: 1302
August 05, 2011, 03:03:06 PM
 #5

I would like to be able to limit logons for my account to just the two IPs I use in person, and the API to just the one IP I use that from.  If all three change at once, I'd be screwed, but that seems unlikely.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
hugolp
Hero Member
Activity: 742
August 05, 2011, 03:04:24 PM
 #6

> Another option would be for users to change their own withdrawal limits (within the range already set up by MtGox), with the limit changes not going into effect for 24 to 48 hours after change, and an e-mail sent out warning about the change. That way, even if the daily withdrawal limit is $1000, I know that I don't ever need to withdraw more than maybe $50 a day and can limit all withdrawals to that, and if I need to withdraw a few $100's, I'm willing to wait a day for that to happen. Make a separate limit on Bitcoin, too. Limiting Bitcoin amount by its USD value can have problems if BTC market price drops.

I'm programming a website that will use bitcoins, and what I have done is that the out address does not change until 24 hours after the change request has been made. So the user sets an out address, and if someone gets hold of his/her password and tries to change the address, it won't work for 24 hours. We also send an email to the user if they have set up an email.

This way the user has some time to discover the "hack" and contact us.
Piper67
Legendary
Activity: 1008
August 05, 2011, 03:12:28 PM
 #7

>> Another option would be for users to change their own withdrawal limits (within the range already set up by MtGox), with the limit changes not going into effect for 24 to 48 hours after change, and an e-mail sent out warning about the change. That way, even if the daily withdrawal limit is $1000, I know that I don't ever need to withdraw more than maybe $50 a day and can limit all withdrawals to that, and if I need to withdraw a few $100's, I'm willing to wait a day for that to happen. Make a separate limit on Bitcoin, too. Limiting Bitcoin amount by its USD value can have problems if BTC market price drops.
>
> I'm programming a website that will use bitcoins, and what I have done is that the out address does not change until 24 hours after the change request has been made. So the user sets an out address, and if someone gets hold of his/her password and tries to change the address, it won't work for 24 hours. We also send an email to the user if they have set up an email.
>
> This way the user has some time to discover the "hack" and contact us.

This is a similar system to the one used by Bitmarket (except they send you an email and only change the address when they get your confirmation, not 24 hours later). I always thought it was a very simple and elegant solution.
cepler
Jr. Member
Activity: 47
August 05, 2011, 03:40:48 PM
 #8

> This way the user has some time to discover the "hack" and contact us.

Just make sure your support response times are fast enough to support those cases, otherwise the delay is useless.
Rassah
Legendary
Activity: 1624
Director of Bitcoin100
August 05, 2011, 04:13:48 PM
 #9

> I'm programming a website that will use bitcoins, and what I have done is that the out address does not change until 24 hours after the change request has been made. So the user sets an out address, and if someone gets hold of his/her password and tries to change the address, it won't work for 24 hours. We also send an email to the user if they have set up an email.

That's actually how BTCGuild works, and you're right, that would remove the need to limit BTC transactions.

TraderTimm
Legendary
Activity: 1652
August 05, 2011, 06:24:39 PM
 #10

>> I'm programming a website that will use bitcoins, and what I have done is that the out address does not change until 24 hours after the change request has been made. So the user sets an out address, and if someone gets hold of his/her password and tries to change the address, it won't work for 24 hours. We also send an email to the user if they have set up an email.
>
> That's actually how BTCGuild works, and you're right, that would remove the need to limit BTC transactions.

Nice, makes it harder to 'hijack' an account and push coins willy-nilly to a bazillion addresses. That combined with transfer limits should do the trick. Optional two-factor notifications would be nice, much like credit card companies do - sending an alert if your balance falls from 'x' amount.

fortitudinem multis - catenum regit omnia
Rassah
Legendary
Activity: 1624
Director of Bitcoin100
August 05, 2011, 07:02:22 PM
 #11

>>> I'm programming a website that will use bitcoins, and what I have done is that the out address does not change until 24 hours after the change request has been made. So the user sets an out address, and if someone gets hold of his/her password and tries to change the address, it won't work for 24 hours. We also send an email to the user if they have set up an email.
>>
>> That's actually how BTCGuild works, and you're right, that would remove the need to limit BTC transactions.
>
> Nice, makes it harder to 'hijack' an account and push coins willy-nilly to a bazillion addresses. That combined with transfer limits should do the trick. Optional two-factor notifications would be nice, much like credit card companies do - sending an alert if your balance falls from 'x' amount.

Though on the downside, that will kill MtGox's service as a means of paying people on the go with their phone app.

wolftaur
Member
Activity: 112
August 05, 2011, 07:25:06 PM
 #12

> Though on the downside, that will kill MtGox's service as a means of paying people on the go with their phone app.

Unless you combine that tactic with two-factor, the second factor being the cellphone. SMS on attempt to exceed limit, limit is waived if it's proven the person attempting to exceed the limit has the correct cellphone.

So you can withdraw without limit to either your confirmed-valid and locked address, or, to another address IF you have the second factor. Meaning lower SMS fees incurred for the lower-risk activity. Better still, let that 'lax behavior' be user-configurable.

"MOOOOOOOM! SOME MYTHICAL WOLFBEAST GUY IS MAKING FUN OF ME ON THE INTERNET!!!!"
Pages: [1]
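The scheme sketched across this thread (a 24-hour hold on payout-address changes, plus an SMS code required for a withdrawal to any other address), as an added example that is not code from any poster or exchange. The class and method names, the six-digit code and the 10-minute code lifetime are assumptions; sending the SMS and e-mail is left to the caller.

```python
import hmac
import secrets

ADDRESS_CHANGE_DELAY = 24 * 3600  # the 24-hour hold described in the thread
CODE_TTL = 10 * 60  # assumed SMS code lifetime; not a value from the thread


class Account:
    """Hypothetical account model; all names here are illustrative."""

    def __init__(self, locked_address):
        self.locked_address = locked_address
        self.pending = None  # (new_address, effective_at)
        self.codes = {}      # withdrawal id -> (code, expires_at, address, amount)

    def request_address_change(self, new_address, now):
        # Queue only; the caller e-mails the owner so they can object in time.
        self.pending = (new_address, now + ADDRESS_CHANGE_DELAY)

    def cancel_address_change(self):
        self.pending = None

    def payout_address(self, now):
        # Promote the pending address only once the full delay has elapsed.
        if self.pending and now >= self.pending[1]:
            self.locked_address, self.pending = self.pending[0], None
        return self.locked_address

    def start_withdrawal(self, wid, address, amount, now):
        """Return ('release', None) or ('need_code', code_to_send_by_sms)."""
        if address == self.payout_address(now):
            return "release", None
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[wid] = (code, now + CODE_TTL, address, amount)
        return "need_code", code

    def confirm_withdrawal(self, wid, address, amount, submitted, now):
        # pop() makes the code single-use: a wrong guess burns it.
        entry = self.codes.pop(wid, None)
        if entry is None:
            return False
        code, expires_at, bound_address, bound_amount = entry
        if now > expires_at or (address, amount) != (bound_address, bound_amount):
            return False
        # Constant-time comparison of the stored and submitted codes.
        return hmac.compare_digest(code.encode(), submitted.encode())
```

Binding the code to the destination address and amount means a code issued for one withdrawal cannot be replayed to approve a different one.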