Author Topic: Suggestion: Alternative Account Recovery Way  (Read 974 times)
BitCoinDream (OP)
Legendary
July 05, 2014, 11:29:17 AM
 #1

Lately I'm seeing some problems in account recovery with the signed message system. Most average bitcoiners are not aware of the process, make a mistake at the first shot and thereby mess up the process. Can there be an alternative in place, where an address will be provided to the user and an arbitrary small amount, say 0.00012345 BTC, will be required to be sent to that address from one of the user's previously posted addresses for account recovery?

shorena
Copper Member
Legendary
July 05, 2014, 11:39:35 AM
 #2

> Quote from: BitCoinDream
> Lately I'm seeing some problems in account recovery with the signed message system. Most average bitcoiners are not aware of the process, make a mistake at the first shot and thereby mess up the process. Can there be an alternative in place, where an address will be provided to the user and an arbitrary small amount, say 0.00012345 BTC, will be required to be sent to that address from one of the user's previously posted addresses for account recovery?

How would sending money somewhere prove that you are the rightful owner of that account?

I'm not really here, it's just your imagination.
dserrano5
Legendary
July 05, 2014, 12:44:29 PM
 #3

> Quote from: BitCoinDream
> Can there be an alternative in place, where an address will be provided to the user and an arbitrary small amount, say 0.00012345 BTC, will be required to be sent to that address from one of the user's previously posted addresses for account recovery?
>
> Quote from: shorena
> How would sending money somewhere prove that you are the rightful owner of that account?

If you send "from" an address, you prove that you have the privkey. It's more or less the same as signing a message.
BadBear
v2.0
Legendary
July 05, 2014, 12:53:29 PM
 #4

> Quote from: BitCoinDream
> Can there be an alternative in place, where an address will be provided to the user and an arbitrary small amount, say 0.00012345 BTC, will be required to be sent to that address from one of the user's previously posted addresses for account recovery?
>
> Quote from: shorena
> How would sending money somewhere prove that you are the rightful owner of that account?
>
> Quote from: dserrano5
> If you send "from" an address, you prove that you have the privkey. It's more or less the same as signing a message.

Not necessarily. There are lots of ways to get people to send BTC to an address; owning the sending address is only one of several possible scenarios that could have that result. Bitcoins being sent from an address doesn't prove you own it.

1Kz25jm6pjNTaz8bFezEYUeBYfEtpjuKRG | PGP: B5797C4F

BitCoinDream (OP)
Legendary
July 05, 2014, 01:24:40 PM
 #5

> Quote from: BitCoinDream
> Can there be an alternative in place, where an address will be provided to the user and an arbitrary small amount, say 0.00012345 BTC, will be required to be sent to that address from one of the user's previously posted addresses for account recovery?
>
> Quote from: shorena
> How would sending money somewhere prove that you are the rightful owner of that account?
>
> Quote from: dserrano5
> If you send "from" an address, you prove that you have the privkey. It's more or less the same as signing a message.
>
> Quote from: BadBear
> Not necessarily. There are lots of ways to get people to send BTC to an address; owning the sending address is only one of several possible scenarios that could have that result. Bitcoins being sent from an address doesn't prove you own it.

The scenario I'm talking about has the following parameters...

i. From address (which the user has posted before in the forum)

ii. To address (which Theymos or any other Global Mods may provide)

iii. The amount (which Theymos or any other Global Mods will provide)

How can all of these be satisfied by someone who does not own the address?

p.s. Even if the attacker changes all pre-posted addresses, we can verify the user's actual posted address from either Bitcointa.lk or Google cache or archive.org/web/



Farmer17
Hero Member
July 05, 2014, 02:22:46 PM
 #6

> Quote from: BitCoinDream
> The scenario I'm talking about has the following parameters...
>
> i. From address (which the user has posted before in the forum)
>
> ii. To address (which Theymos or any other Global Mods may provide)
>
> iii. The amount (which Theymos or any other Global Mods will provide)
>
> How can all of these be satisfied by someone who does not own the address?

That could work IMO.

Btw, it is not that hard to sign a message if there is a step by step tutorial. Maybe theymos could add a post demonstrating how to do so in https://bitcointalk.org/index.php?topic=497545.0.

For example, if you are using bitcoin core, 1) ... 2) ... 3) ...
If you are using multibit, 1) ... 2) ... 3) ...
etc.

mprep
Global Moderator
Legendary
July 05, 2014, 03:01:51 PM
 #7

> Quote from: BitCoinDream
> Can there be an alternative in place, where an address will be provided to the user and an arbitrary small amount, say 0.00012345 BTC, will be required to be sent to that address from one of the user's previously posted addresses for account recovery?
>
> Quote from: shorena
> How would sending money somewhere prove that you are the rightful owner of that account?
>
> Quote from: dserrano5
> If you send "from" an address, you prove that you have the privkey. It's more or less the same as signing a message.
>
> Quote from: BadBear
> Not necessarily. There are lots of ways to get people to send BTC to an address; owning the sending address is only one of several possible scenarios that could have that result. Bitcoins being sent from an address doesn't prove you own it.
>
> Quote from: BitCoinDream
> The scenario I'm talking about has the following parameters...
>
> i. From address (which the user has posted before in the forum)
>
> ii. To address (which Theymos or any other Global Mods may provide)
>
> iii. The amount (which Theymos or any other Global Mods will provide)
>
> How can all of these be satisfied by someone who does not own the address?
>
> p.s. Even if the attacker changes all pre-posted addresses, we can verify the user's actual posted address from either Bitcointa.lk or Google cache or archive.org/web/

Many would still be prone to fake mail attacks when a hacker requests a password/email reset, gets the info to reset the account and sends to the legitimate user a mail, such as "your account was locked due to suspicion of it being compromised, send this much to [address] to confirm you are the owner" or similar. The attacker then would gain the login info and could hijack the account.

BitCoinDream (OP)
Legendary
July 05, 2014, 05:43:18 PM
 #8

> Quote from: BitCoinDream
> The scenario I'm talking about has the following parameters...
>
> i. From address (which the user has posted before in the forum)
>
> ii. To address (which Theymos or any other Global Mods may provide)
>
> iii. The amount (which Theymos or any other Global Mods will provide)
>
> How can all of these be satisfied by someone who does not own the address?
>
> Quote from: Farmer17
> That could work IMO.
>
> Btw, it is not that hard to sign a message if there is a step by step tutorial. Maybe theymos could add a post demonstrating how to do so in https://bitcointalk.org/index.php?topic=497545.0.
>
> For example, if you are using bitcoin core, 1) ... 2) ... 3) ...
> If you are using multibit, 1) ... 2) ... 3) ...
> etc.

With numerous wallets popping up everywhere, we don't know which one supports message signing and which one does not. Even I don't know how to sign a message from blockchain.info or coinbase wallet. So, I think, it is better to have an alternative way. I'm not proposing to shut down the existing one.

> Quote from: BitCoinDream
> Can there be an alternative in place, where an address will be provided to the user and an arbitrary small amount, say 0.00012345 BTC, will be required to be sent to that address from one of the user's previously posted addresses for account recovery?
>
> Quote from: shorena
> How would sending money somewhere prove that you are the rightful owner of that account?
>
> Quote from: dserrano5
> If you send "from" an address, you prove that you have the privkey. It's more or less the same as signing a message.
>
> Quote from: BadBear
> Not necessarily. There are lots of ways to get people to send BTC to an address; owning the sending address is only one of several possible scenarios that could have that result. Bitcoins being sent from an address doesn't prove you own it.
>
> Quote from: BitCoinDream
> The scenario I'm talking about has the following parameters...
>
> i. From address (which the user has posted before in the forum)
>
> ii. To address (which Theymos or any other Global Mods may provide)
>
> iii. The amount (which Theymos or any other Global Mods will provide)
>
> How can all of these be satisfied by someone who does not own the address?
>
> p.s. Even if the attacker changes all pre-posted addresses, we can verify the user's actual posted address from either Bitcointa.lk or Google cache or archive.org/web/
>
> Quote from: mprep
> Many would still be prone to fake mail attacks when a hacker requests a password/email reset, gets the info to reset the account and sends to the legitimate user a mail, such as "your account was locked due to suspicion of it being compromised, send this much to [address] to confirm you are the owner" or similar. The attacker then would gain the login info and could hijack the account.

Even if that happens, the user may come later and recover his account, because he's losing access to his account, not the address.

DannyElfman
Sr. Member
July 10, 2014, 04:16:45 AM
 #9

> Quote from: BitCoinDream
> Can there be an alternative in place, where an address will be provided to the user and an arbitrary small amount, say 0.00012345 BTC, will be required to be sent to that address from one of the user's previously posted addresses for account recovery?
>
> Quote from: shorena
> How would sending money somewhere prove that you are the rightful owner of that account?
>
> Quote from: dserrano5
> If you send "from" an address, you prove that you have the privkey. It's more or less the same as signing a message.
>
> Quote from: BadBear
> Not necessarily. There are lots of ways to get people to send BTC to an address; owning the sending address is only one of several possible scenarios that could have that result. Bitcoins being sent from an address doesn't prove you own it.
>
> Quote from: BitCoinDream
> The scenario I'm talking about has the following parameters...
>
> i. From address (which the user has posted before in the forum)
>
> ii. To address (which Theymos or any other Global Mods may provide)
>
> iii. The amount (which Theymos or any other Global Mods will provide)
>
> How can all of these be satisfied by someone who does not own the address?
>
> p.s. Even if the attacker changes all pre-posted addresses, we can verify the user's actual posted address from either Bitcointa.lk or Google cache or archive.org/web/

In this situation, an attacker could enter into some kind of trade with a potential victim; the attacker would get the victim to send the amount of bitcoin in step "iii" above to the address in step "ii" above and send the difference to an address that the attacker controls. Remember that transactions can have multiple outputs, and although this would be an unusual request, it would still be plausible for a victim to do.

This spot for rent.
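
The objection raised in posts #7 and #9, as an added example that is not part of the thread: a simplified model of the proposed payment check, showing that the on-chain record looks the same whether the key holder intended a recovery or was induced by someone else to make the payment. Transactions are reduced to input addresses and (address, satoshi) outputs, and every address is a constructed placeholder.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    """Simplified transaction: spent-from addresses and (address, satoshi) outputs."""
    inputs: tuple
    outputs: tuple

def naive_check(tx, posted, challenge_addr, challenge_sat):
    """The proposal as stated: some input comes from a posted address and an
    output pays exactly the challenge amount to the challenge address."""
    from_posted = any(a in posted for a in tx.inputs)
    return from_posted and (challenge_addr, challenge_sat) in tx.outputs

def strict_check(tx, posted, challenge_addr, challenge_sat):
    """Tighter shape: every input is a posted address, the challenge output
    appears once, and any other output is change back to an input address."""
    if not tx.inputs or not all(a in posted for a in tx.inputs):
        return False
    if tx.outputs.count((challenge_addr, challenge_sat)) != 1:
        return False
    others = [a for a, v in tx.outputs if (a, v) != (challenge_addr, challenge_sat)]
    return all(a in tx.inputs for a in others)

# Constructed sample data; all addresses are placeholders, not real ones.
POSTED = {"ADDR_USER_POSTED"}
CHALLENGE = ("ADDR_FORUM_CHALLENGE", 12_345)  # 0.00012345 BTC in satoshis

# The real owner answering the forum's challenge.
owner_tx = Tx(("ADDR_USER_POSTED",), (CHALLENGE, ("ADDR_USER_POSTED", 987_655)))
# Post #9: the key holder is talked into a payment split across two outputs.
induced_split_tx = Tx(("ADDR_USER_POSTED",),
                      (CHALLENGE, ("ADDR_THIRD_PARTY", 50_000),
                       ("ADDR_USER_POSTED", 937_655)))
# Post #7: the key holder is asked for the challenge payment alone.
induced_exact_tx = Tx(("ADDR_USER_POSTED",), (CHALLENGE, ("ADDR_USER_POSTED", 987_655)))

def evaluate():
    """Return {scenario: (naive result, strict result)} for the three cases."""
    args = (POSTED, *CHALLENGE)
    cases = [("owner", owner_tx), ("induced_split", induced_split_tx),
             ("induced_exact", induced_exact_tx)]
    return {name: (naive_check(tx, *args), strict_check(tx, *args))
            for name, tx in cases}
```

The stricter shape check rejects the multi-output case, but `induced_exact_tx` is byte-for-byte the same record as `owner_tx`, so no rule over transaction contents can separate them; a signed message differs in that its text can state the account and the purpose.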
BadBear
v2.0
Legendary
July 10, 2014, 05:36:59 AM
 #10

> Quote from: BitCoinDream
> Can there be an alternative in place, where an address will be provided to the user and an arbitrary small amount, say 0.00012345 BTC, will be required to be sent to that address from one of the user's previously posted addresses for account recovery?
>
> Quote from: shorena
> How would sending money somewhere prove that you are the rightful owner of that account?
>
> Quote from: dserrano5
> If you send "from" an address, you prove that you have the privkey. It's more or less the same as signing a message.
>
> Quote from: BadBear
> Not necessarily. There are lots of ways to get people to send BTC to an address; owning the sending address is only one of several possible scenarios that could have that result. Bitcoins being sent from an address doesn't prove you own it.
>
> Quote from: BitCoinDream
> The scenario I'm talking about has the following parameters...
>
> i. From address (which the user has posted before in the forum)
>
> ii. To address (which Theymos or any other Global Mods may provide)
>
> iii. The amount (which Theymos or any other Global Mods will provide)
>
> How can all of these be satisfied by someone who does not own the address?
>
> p.s. Even if the attacker changes all pre-posted addresses, we can verify the user's actual posted address from either Bitcointa.lk or Google cache or archive.org/web/
>
> Quote from: DannyElfman
> In this situation, an attacker could enter into some kind of trade with a potential victim; the attacker would get the victim to send the amount of bitcoin in step "iii" above to the address in step "ii" above and send the difference to an address that the attacker controls. Remember that transactions can have multiple outputs, and although this would be an unusual request, it would still be plausible for a victim to do.

Yep. Likely for the average account? Nah. Possible? Most certainly, especially since the amount involved is trivial. There are many accounts that would be worth it, especially since the only investment would be time. There are groups of scammers operating here who make a living scamming various finance related forums.

There should be alternatives to account security, and there will be, but this isn't it.

1Kz25jm6pjNTaz8bFezEYUeBYfEtpjuKRG | PGP: B5797C4F
