Mushoz (OP)
January 12, 2012, 07:03:45 PM
Zhoutong, I was wondering if there are any plans in the making involving added security for your site? Looking at the average daily volume that Bitcoinica produces, there must be quite a lot of funds in that place. The thing is, if someone manages to access your account, he can easily run off with BTC, because it's not reversible. I think a lot of people would appreciate a bit of added security for their accounts. I know I would. Could you please implement one of these two solutions?
1) SMS authentication
2) Yubikey authentication
Thank you very much!
www.bitbuy.nl - Buy bitcoins easily, quickly and cheaply at Bitbuy!
incraft3817
Member
Activity: 87
Merit: 10
January 12, 2012, 07:07:42 PM
He's too busy traveling and banging American girls to build security for his site.
Otoh
Donator
Legendary
Activity: 3094
Merit: 1166
January 12, 2012, 07:16:18 PM (Last edit: January 13, 2012, 12:56:32 AM by Otoh)
Yes agreed, as I'd already posted on his thread about this just a couple of hours ago: https://bitcointalk.org/index.php?topic=57291.msg687845#msg687845
Even a 3 random chars drop down input for secondary verification from a long memorable phrase or paper hard copy of random chars would be good & easy enough to implement I'd imagine, because in order to get maximum protection from a zhoutonging it's tempting to park a large portion of one's BTC holdings there atm rather than say at Goxed or in one's own secure storage wallet/coded key in the cloud ...
PS I thought it was Australian girls atm btw
Koekiemonster
Sr. Member
Activity: 321
Merit: 250
Bitbuy.nl!
January 12, 2012, 07:29:48 PM
I totally agree with the OP. I would really like some extra security.
incraft3817
Member
Activity: 87
Merit: 10
January 13, 2012, 12:42:42 AM
The only securities you need are chastity belt for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.
teflone
January 13, 2012, 12:45:15 AM
Quote: The only securities you need are chastity belt for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.
lmao..
arepo
Sr. Member
Activity: 448
Merit: 250
this statement is false
January 13, 2012, 12:46:01 AM
Quote: The only securities you need are chastity belt for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.
lawl
this sentence has fifteen words, seventy-four letters, four commas, one hyphen, and a period. 18N9md2G1oA89kdBuiyJFrtJShuL5iDWDz
Eveofwar
January 13, 2012, 12:48:10 AM
What about forcing http -> https ? Just a suggestion.
somestranger
January 13, 2012, 01:07:00 AM
Quote: What about forcing http -> https ? Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.
Eveofwar
January 13, 2012, 01:20:45 AM
Quote: What about forcing http -> https ? Just a suggestion.
Quote: It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.
Looks like you can browse on http all the way up to the login page, which is also http. Once logged in, you're redirected to an https site. This would mean that username/password is sent unencrypted.
somestranger
January 13, 2012, 01:26:30 AM
Quote: What about forcing http -> https ? Just a suggestion.
Quote: It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.
Quote: Looks like you can browse on http all the way up to the login page, which is also http. Once logged in, you're redirected to an https site. This would mean that username/password is sent unencrypted.
I tried in both Firefox and Chrome typing "bitcoinica.com" and both redirect to https. Not sure why it is different for you.
sgbett
Legendary
Activity: 2576
Merit: 1087
January 13, 2012, 02:38:31 AM
Quote: What about forcing http -> https ? Just a suggestion.
Quote: It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.
Quote: Looks like you can browse on http all the way up to the login page, which is also http. Once logged in, you're redirected to an https site. This would mean that username/password is sent unencrypted.
"A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution" - Satoshi Nakamoto
*my posts are not investment advice*
the joint
Legendary
Activity: 1834
Merit: 1020
January 13, 2012, 02:42:36 AM
Use the same two-factor authentication that TradeHill uses (Duo-Security). I love it. It's so 21st century.
Eveofwar
January 13, 2012, 03:09:19 AM
Quote: What about forcing http -> https ? Just a suggestion.
Quote: It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.
Quote: Looks like you can browse on http all the way up to the login page, which is also http. Once logged in, you're redirected to an https site. This would mean that username/password is sent unencrypted.
Quote: I tried in both Firefox and Chrome typing "bitcoinica.com" and both redirect to https. Not sure why it is different for you.
Firefox 3.6.25 and IE 8 on 3 different computers. Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading
From Wireshark:
21 1.613423 <myip> 50.56.4.62 HTTP 956 POST /sessions HTTP/1.1 (application/x-www-form-urlencoded)
Line-based text data: application/x-www-form-urlencoded
utf8=%E2%9C%93&authenticity_token=<obscured>&login= email%40host.com&password= mycleartextpassword&commit=Log+in
Highly unlikely I'm the only one....anyone else care to try ?
somestranger
January 13, 2012, 04:57:28 AM
Quote: Firefox 3.6.25 and IE 8 on 3 different computers. Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading
Quote: From Wireshark:
Quote: 21 1.613423 <myip> 50.56.4.62 HTTP 956 POST /sessions HTTP/1.1 (application/x-www-form-urlencoded)
Quote: Line-based text data: application/x-www-form-urlencoded
Quote: utf8=%E2%9C%93&authenticity_token=<obscured>&login= email%40host.com&password= mycleartextpassword&commit=Log+in
Quote: Highly unlikely I'm the only one....anyone else care to try ?
Without the www it redirects to https. With it, it's http.
Eveofwar
January 13, 2012, 05:16:07 AM
Quote: let's just hope he's actually getting laid
Not sure how that's relevant in helping with Bitcoinica security flaws ? Anyways...
Quote: Firefox 3.6.25 and IE 8 on 3 different computers. Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading
Quote: From Wireshark:
Quote: 21 1.613423 <myip> 50.56.4.62 HTTP 956 POST /sessions HTTP/1.1 (application/x-www-form-urlencoded)
Quote: Line-based text data: application/x-www-form-urlencoded
Quote: utf8=%E2%9C%93&authenticity_token=<obscured>&login= email%40host.com&password= mycleartextpassword&commit=Log+in
Quote: Highly unlikely I'm the only one....anyone else care to try ?
Quote: Without the www it redirects to https. With it, it's http.
With or without the www, still http. Sounds like it's time to bookmark the HTTPS login page lulz.
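The www-versus-bare-host gap Eveofwar and somestranger are chasing is easy to miss if you only look at where you land after login. The following is an added example (not code from the thread or from Bitcoinica) of the check a site operator would run: start from plain http on each host variant, follow redirects, and resolve the login form's action to see which scheme the password is actually posted over. All responses are constructed samples for a hypothetical example.test host.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample responses keyed by URL as (status, headers, body); not real
# captures. The bare host redirects to https, the www host never does, so the
# www login form posts the password in cleartext, as reported in the thread.
RESPONSES = {
    "http://example.test/login": (301, {"Location": "https://example.test/login"}, ""),
    "https://example.test/login": (200, {}, '<form action="/sessions" method="post">'),
    "http://www.example.test/login": (200, {}, '<form action="/sessions" method="post">'),
}
FORM_ACTION = re.compile(r'<form[^>]*\baction="([^"]*)"', re.I)
REDIRECTS = (301, 302, 303, 307, 308)


def follow_redirects(url: str, max_hops: int = 5) -> str:
    """Return the URL a browser lands on after following Location headers."""
    for _ in range(max_hops):
        status, headers, _ = RESPONSES[url]
        if status not in REDIRECTS:
            return url
        url = urljoin(url, headers["Location"])  # relative Locations resolve against the page
    raise RuntimeError("too many redirects from %s" % url)


def login_form_scheme(login_url: str):
    """Scheme the login form actually submits to, after resolving a relative action."""
    page = follow_redirects(login_url)
    _, _, body = RESPONSES[page]
    m = FORM_ACTION.search(body)
    return None if m is None else urlsplit(urljoin(page, m.group(1))).scheme


def audit_hosts(hosts, path: str = "/login") -> dict:
    """Start from plain http on each host variant; True only if the form posts over https.

    Checking the post-login page is not enough: a form served over http posts the
    password before any later redirect to https can protect it.
    """
    return {h: login_form_scheme("http://%s%s" % (h, path)) == "https" for h in hosts}
```

The fix on the server side is to redirect every http request on every host variant to https before any form is served, rather than only after login.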
M4v3R
January 13, 2012, 06:52:55 AM
As for two-factor auth, I'd recommend Google Two-factor auth mechanism. It's great, because it utilizes app on your phone as auth mechanism, which works offline, and it also provides fallback in case you lose your phone. Link: http://code.google.com/p/google-authenticator/
zhoutong
VIP
Hero Member
Activity: 490
Merit: 502
January 13, 2012, 07:45:26 AM
Quote: As for two-factor auth, I'd recommend Google Two-factor auth mechanism. It's great, because it utilizes app on your phone as auth mechanism, which works offline, and it also provides fallback in case you lose your phone. Link: http://code.google.com/p/google-authenticator/
LOL. It's such a coincidence! I have started working on Google Authenticator two hours ago (1 hour earlier than your post). It's going to be up in 10 minutes! Stay tuned!
zhoutong
VIP
Hero Member
Activity: 490
Merit: 502
January 13, 2012, 07:59:57 AM
Quote: As for two-factor auth, I'd recommend Google Two-factor auth mechanism. It's great, because it utilizes app on your phone as auth mechanism, which works offline, and it also provides fallback in case you lose your phone. Link: http://code.google.com/p/google-authenticator/
Quote: LOL. It's such a coincidence! I have started working on Google Authenticator two hours ago (1 hour earlier than your post). It's going to be up in 10 minutes! Stay tuned!
It's LIVE! Two-factor authentication! Announcement: https://bitcointalk.org/index.php?topic=58522.0
sgbett
Legendary
Activity: 2576
Merit: 1087
January 13, 2012, 10:25:07 AM
You know what, if there was ever any doubt about zhoutong's age, it has to be a fact! I remember when I was 17, and someone was like "oh you need your thing to do X" and you could just sit down and bang out code and have it done in hours. It's like your brain just ebbed code and your fingers just did the best they could to keep up! Unfortunately I never had the fortune that my hero coding actually turned into much cold hard cash (still, what's a coder gonna do otherwise.. not code!? you just keep doing it cos you love coding!) Oh yeah, course I am jealous, but I don't begrudge you anything Mr Z. I love the work you guys are doing. I'm sure in 20 years' time, as you pump out the code in a much more sedentary manner (or more likely stroll along a sunny beach) you'll look back on these good times and think, how the hell did I pull that off. Those all-nighters just get harder and harder!