zebedee
Donator
Hero Member
April 27, 2013, 09:10:44 AM
In light of the recent mysterious stealing of coins despite having 2FA and a double password, will it be possible to offer any more protection against withdrawal? A few suggestions in addition to the existing ones (of course the user would have to enable these; they would not be default):
1. An email reconfirmation (with a hotlink to be clicked) before withdrawal. No reconfirmation, no withdrawal processed.
2. An option to completely disable withdrawal with a radio button / option, for which re-enabling withdrawal is email hotlink confirmation dependent (like #1).
3. A picture + phrase verification while logging in (like Bank of America etc.).
Any other suggestions welcome.
I doubt these help, as the attacker doesn't seem to be using blockchain.info software to attack. They seem to get the private keys somehow.
shibaji
April 27, 2013, 09:14:24 AM
I doubt these help, as the attacker doesn't seem to be using blockchain.info software to attack. They seem to get the private keys somehow.
That's scary! Maybe piuk can say something - if this has any truth to it, any withdrawal must get suspended until things are resolved. At least piuk should advise people to pull out coins till things get resolved.
2_Thumbs_Up
April 27, 2013, 12:13:25 PM
I tried to add a tag for donations to http://www.gimp.org/ However, blockchain said that it can't find the address in question at the website. You are not looking hard enough. It's in the bitcoin: URI format. Blockchain.info should preferably notice this.
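An added example (my own code, not blockchain.info's and not part of 2_Thumbs_Up's post) of what "noticing" a bitcoin: URI takes: scan the page text for BIP 21 bitcoin: URIs, pull out the address and its parameters, and check the Base58Check checksum before accepting the address. The HTML snippet is constructed for the example; the genesis-block address appears only as a known-valid value.

```python
"""Added example, not blockchain.info code: find donation addresses that a
page publishes as BIP 21 bitcoin: URIs and validate them before use."""
import hashlib
import html
import re
from urllib.parse import parse_qs

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample page: one well-formed URI (with HTML-escaped '&') and one
# whose address has a typo in the last character, so its checksum fails.
SAMPLE_PAGE = """<p>Donate: <a href="bitcoin:1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa?label=Example%20Project&amp;amount=0.01">donate</a></p>
<p>Mirror: <a href="bitcoin:1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb">donate</a></p>"""


def b58decode_check(s: str) -> bytes:
    """Decode Base58Check; raise ValueError on bad characters or checksum."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' in the string stands for one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        raise ValueError("too short for payload + checksum")
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    if digest[:4] != checksum:
        raise ValueError("bad checksum")
    return payload


def is_valid_address(addr: str) -> bool:
    """Mainnet P2PKH (0x00) or P2SH (0x05) with an intact checksum."""
    try:
        payload = b58decode_check(addr)
    except ValueError:
        return False
    return len(payload) == 21 and payload[0] in (0x00, 0x05)


def parse_bitcoin_uri(uri: str) -> dict:
    """bitcoin:<address>[?amount=..&label=..&message=..] -> dict of fields."""
    if not uri.lower().startswith("bitcoin:"):
        raise ValueError("not a bitcoin: URI")
    address, _, query = uri[len("bitcoin:"):].partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}  # parse_qs unquotes
    return {"address": address, **params}


# Base58 alphabet has no 0, O, I or l; query runs until whitespace or a quote/tag.
URI_RE = re.compile(r"""bitcoin:[1-9A-HJ-NP-Za-km-z]{26,35}(?:\?[^\s"'<>]*)?""")


def find_donation_addresses(page: str) -> list:
    """Return the distinct, checksum-valid addresses found in bitcoin: URIs."""
    found = []
    for m in URI_RE.finditer(html.unescape(page)):   # turn &amp; back into &
        info = parse_bitcoin_uri(m.group(0))
        if is_valid_address(info["address"]) and info["address"] not in found:
            found.append(info["address"])
    return found


if __name__ == "__main__":
    print(find_donation_addresses(SAMPLE_PAGE))
```

The checksum check matters for exactly the tagging use case: a mistyped or tampered address on a page fails the 4-byte checksum and is dropped rather than tagged.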
Newar
Legendary
https://gliph.me/hUF
April 27, 2013, 02:01:29 PM
I doubt these help, as the attacker doesn't seem to be using blockchain.info software to attack. They seem to get the private keys somehow.
That's scary! Maybe piuk can say something - if this has any truth to it, any withdrawal must get suspended until things are resolved. At least piuk should advise people to pull out coins till things get resolved.
From what I understand the problem is with rooted phones. For me, I have uninstalled the app completely and set up another watch-only wallet on BCI. Installed the app again and will handle transactions from bitcoin-qt. I never had a lot in the BCI wallet to begin with, but a theft would be painful anyway, more so if the reason is known.
jubalix
Legendary
April 27, 2013, 05:59:42 PM
Changes to Alias Resolving
When a wallet is accessed using an alias, if the browser does not already have the wallet identifier saved or have an authorised login session, email authorisation will now be required. If the browser is previously recognised by blockchain, no authorisation is required. Wallets can still be accessed directly by identifier, which provides 128 bits of entropy and should always be kept secret. For example, if you visit my personal wallet: https://blockchain.info/wallet/piuk it will appear as if no wallet exists; however, I will receive an authorisation email.
A number of users have reported their wallet being compromised to me. The exact cause is unknown (I suspect malware); however, in pretty much all cases the user has set a wallet alias which is the same as their bitcointalk username (and used on other sites). This is common practice; however, it is much more secure if the wallet identifier and alias are kept secret. The above changes are meant to address this problem. I will respond to the above posts shortly, apologies for the delay.
So the question is why did this change all of a sudden... why are browsers that were recognised now not, and identifiers not put in?? As they were before.... This is how they are attacking you, something here...
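An added example (my own model, not blockchain.info's code and not part of either post above) of the alias rule piuk describes, so the behaviour jubalix is asking about can be read off concretely: a browser that holds neither the wallet identifier nor an authorised session gets a "no such wallet" answer and the owner gets an authorisation email; the 128-bit identifier opens the wallet directly. The class and method names (WalletServer, open_by_alias, approve_login) and the cookie strings are invented.

```python
"""Added example, not blockchain.info code: a toy server implementing the
alias-resolution rule quoted above. Names and cookie values are invented."""
import secrets


class WalletServer:
    def __init__(self):
        self.wallets = {}          # identifier -> wallet record
        self.aliases = {}          # alias -> identifier
        self.known_browsers = {}   # browser cookie -> set of identifiers it may open
        self.pending = {}          # email token -> (identifier, browser cookie)
        self.outbox = []           # "sent" authorisation emails (constructed, not real mail)

    def create_wallet(self, alias=None):
        identifier = secrets.token_hex(16)   # 128 bits of entropy; to be kept secret
        self.wallets[identifier] = {"alias": alias}
        if alias:
            self.aliases[alias] = identifier
        return identifier

    def open_by_identifier(self, identifier):
        """Direct access by identifier needs no email step."""
        return self.wallets.get(identifier)

    def open_by_alias(self, alias, browser):
        identifier = self.aliases.get(alias)
        if identifier is None:
            return None                       # genuinely no such wallet
        if identifier in self.known_browsers.get(browser, set()):
            return self.wallets[identifier]   # browser already recognised
        # Unknown browser: answer as if no wallet existed and email the owner.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (identifier, browser)
        self.outbox.append((identifier, token))
        return None

    def approve_login(self, token):
        """Owner clicks the emailed link: the requesting browser becomes recognised."""
        identifier, browser = self.pending.pop(token)
        self.known_browsers.setdefault(browser, set()).add(identifier)
        return identifier


def demo():
    srv = WalletServer()
    wid = srv.create_wallet(alias="piuk")
    attacker, owner = "cookie-attacker", "cookie-owner"   # constructed cookies
    attacker_first = srv.open_by_alias("piuk", attacker)  # None; email #1 goes out
    srv.open_by_alias("piuk", owner)                      # None; email #2 goes out
    _, owner_token = srv.outbox[-1]
    srv.approve_login(owner_token)                        # owner approves own browser
    return {
        "attacker_sees_wallet": attacker_first is not None,
        "attacker_after_owner_approves": srv.open_by_alias("piuk", attacker) is not None,
        "owner_after_approval": srv.open_by_alias("piuk", owner) is not None,
        "direct_identifier_works": srv.open_by_identifier(wid) is not None,
        "emails_sent": len(srv.outbox),
    }


if __name__ == "__main__":
    print(demo())
```

In this model a token approves only the browser whose alias lookup produced it, so approving the first email in the demo would recognise the attacker's browser, not the owner's; that is the property to keep in mind when an unexpected authorisation email arrives. Knowing the identifier still bypasses the whole check, which is why piuk says it should be kept secret.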
jubalix
Legendary
April 27, 2013, 06:08:25 PM
In light of the recent mysterious stealing of coins despite having 2FA and a double password, will it be possible to offer any more protection against withdrawal? A few suggestions in addition to the existing ones (of course the user would have to enable these; they would not be default):
1. An email reconfirmation (with a hotlink to be clicked) before withdrawal. No reconfirmation, no withdrawal processed.
2. An option to completely disable withdrawal with a radio button / option, for which re-enabling withdrawal is email hotlink confirmation dependent (like #1).
3. A picture + phrase verification while logging in (like Bank of America etc.).
Any other suggestions welcome.
I doubt these help, as the attacker doesn't seem to be using blockchain.info software to attack. They seem to get the private keys somehow.
Must be cracking hashes, or injecting .js.
JonSnow
Member
April 27, 2013, 07:54:44 PM
HELP!!!
Every time I go to my wallet page I get notified that an illegal embedded object has been found and the popup states that I should not continue!!
WTF is going on with blockchain.info?
Apologies, this was a problem caused by me. The error should be fixed now if you reload the page a few times. Also please remove the verifier and use one of the packaged browser extensions http://blockchain.info/wallet/chrome-extension
I had to reinstall my OS and everything from scratch, and when I set up my wallet as before using the Firefox extension, it asks for my identifier, but when given, it results in the page reloading, the identifier being blank, and an email sent to me. I click the link in the email, as instructed, but for whatever reason the Firefox extension never seems to work or remember the identifier even after I've "allowed" the login attempt.
TheButterZone
Legendary
RIP Mommy
April 27, 2013, 11:20:12 PM Last edit: April 28, 2013, 08:31:21 AM by TheButterZone
Is anybody else not getting SMS notifications on their watched addresses?
ETA: Just got one at 0820 UTC 4-28-13, yay.
Saying that you don't trust someone because of their behavior is completely valid.
Newar
Legendary
https://gliph.me/hUF
April 28, 2013, 03:48:36 AM
Thanks for that link. Could it be two different attacks? The OP on reddit mentioned he had 2FA enabled and the app installed, whereas I don't see any mention of 2FA in the thread you linked to.
John (John K.)
Global Troll-buster and
Legendary
Away on an extended break
April 28, 2013, 04:32:46 AM
Is anybody else not getting SMS notifications on their watched addresses?
I'm not getting email notifications on my watched addresses - strange.
piuk (OP)
April 28, 2013, 01:25:15 PM Last edit: April 28, 2013, 05:50:09 PM by piuk
New Version of Android App
https://play.google.com/store/apps/details?id=piuk.blockchain.android&feature=nav_result#?t=W251bGwsMSwyLDNd
- PIN Protection
- Improved Fee Handling - The Fee policy set in the web interface will now be honoured in the android app
- Second Password will be cleared after a transaction is sent
- Fix Pairing Issues
How PIN protection works
1) When the PIN is created a unique secret is generated and stored on the server.
2) The user's password is then encrypted with the new secret and saved on the device.
3) When restoring the wallet, if the correct PIN is provided the server responds with the secret, allowing the device to decrypt the password.
4) If the PIN is entered incorrectly 4 times the key is removed from the server and the main password will need to be re-entered.
This prevents a malicious app on rooted devices from reading the password directly from app data; however, more sophisticated malware that reads the app memory, or keyloggers, will still be possible.
hazek
Legendary
April 28, 2013, 01:39:54 PM
Great job piuk.
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
willphase
April 28, 2013, 01:49:10 PM Last edit: April 28, 2013, 03:41:53 PM by willphase
Hey piuk - good job on the new version. I looked briefly through the changes, but couldn't determine why the new version requires the new <uses-permission android:name="android.permission.GET_TASKS"/>. Can you explain this new permission?
EDIT 15:41Z: I see this has now been removed.
Cheers! Will
ingrownpocket
Legendary
April 29, 2013, 07:31:55 AM
Down? Cannot access my wallet.
ErebusBat
April 29, 2013, 03:32:24 PM
New Version of Android App
- PIN Protection
- Improved Fee Handling - The Fee policy set in the web interface will now be honoured in the android app
- Second Password will be cleared after a transaction is sent
- Fix Pairing Issues
Any plans to port this to the iOS version?
picobit
April 29, 2013, 06:19:11 PM
Any plans to port this to the iOS version?
+1 I would really like to see the PIN and the fee policy being honored.
piuk (OP)
May 02, 2013, 04:02:46 PM Last edit: May 02, 2013, 04:16:47 PM by piuk
New Android Version
- New Send types (Quick, Custom & Shared)
- Better transaction summary dialog
- Transaction notes
- Currency set in the web interface will now change the android app and vice versa
- Ability to scan a private key and view the balance + optionally sweep.
- Fix support for scanning watch only private keys
- Compressed private key support
- Better exchange rates view
- Toggle between local currency and BTC by tapping account balance
- Ability to generate a shared address in the request coins view
- Ability to backup the wallet to external storage.
- Ability to pair manually if the QR code is not working.
https://blockchain.info/wallet/android-app
Great job piuk.
Thanks hazek.
Can you explain this new permission?
Was suggested here http://stackoverflow.com/questions/4414171/how-to-detect-when-an-android-app-goes-to-the-background-and-come-back-to-the-fo as a method to detect if the app is running in the background on older devices. It was not needed in the end though.
Any plans to port this to the iOS version?
+1 I would really like to see the PIN and the fee policy being honored.
Yep, the iPhone app will be getting an update very soon.
hazek
Legendary
May 02, 2013, 04:23:45 PM
New Android Version
- New Send types (Quick, Custom & Shared)
- Better transaction summary dialog
- Transaction notes
- Currency set in the web interface will now change the android app and vice versa
- Ability to scan a private key and view the balance + optionally sweep.
- Fix support for scanning watch only private keys
- Compressed private key support
- Better exchange rates view
- Toggle between local currency and BTC by tapping account balance
- Ability to generate a shared address in the request coins view
- Ability to backup the wallet to external storage.
- Ability to pair manually if the QR code is not working.
https://blockchain.info/wallet/android-app
Great job piuk.
Thanks hazek.
Man oh man, you are one hell of a dev, awesome job yet again!
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
molecular
Donator
Legendary
May 06, 2013, 05:54:14 AM
hello,
I'm investigating building an escrow service using multisig.
Building the multisig address requires users of the escrow to supply the pubkey of their addresses.
I can't seem to find this feature in blockchain.info wallet.
piuk, are there plans to enable users to retrieve the pubkeys of addresses in their wallets?
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769