TL;DR: Poloniex 2FA sucks. If someone knows your address they can have it turned off. But a signed message (legitimate proof) is ignored.
My story: Phone died, contacted support, requested 2FA be disabled and SIGNED THE MESSAGE with my withdrawal address's private key.
Poloniex refused. They want me to either (1) provide 6 TX IDs for deposits or (2) provide my entire transaction history (from Coinbase) so they can find the deposit transactions themselves.
In other words, anyone who knows my deposit address can have them turn off 2FA simply by providing 6 tx IDs of recent deposits or withdrawals. How secure is that?
That's right on the blockchain if anyone knows my deposit/withdraw address. If you label your addresses in Bitcoin Core, no password is needed to see which address is labeled Poloniex. I don't think knowing someone's deposit/withdraw address should be enough to get 2FA turned off. But the part that baffles me is that they don't accept the signed message and they think I should hand over my whole Coinbase tx log. Sure, I don't have my addresses labeled in Coinbase because you CAN'T label them in Coinbase, so I don't know which transactions are deposits into Poloniex. But why should I hand over all my private financial info? Just tell me what address I used to send deposits and I'll happily sign a message from my Coinbase address.
In summary:
- Letting someone with 6 TX IDs turn off 2FA is horribly insecure. You ought to be ashamed of considering this proof.
- A signed message is the perfect proof, but Poloniex entirely ignored the fact that my message was signed. Maybe their staff doesn't know how to verify a signed message, IDK, but this is crazy!
- Requiring me to give them my entire Coinbase transaction history is ridiculous considering I've offered to sign a message from any withdrawal or deposit address they specify.
PS. Kudos to Mintpal and Cryptsy. They know how to verify signed messages, so I'm happily logged back into my account.
To Poloniex: if you're reading this please check my support ticket, assign it to someone who knows how to verify signed messages, and get this issue resolved!
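The check the post is asking support to perform, as an added example (not code from the post or from any exchange): a Bitcoin-style signed message is verified by recovering the signer's public key from the signature alone and comparing it with the key behind the customer's address, which only the private-key holder could have produced, whereas TX IDs are public blockchain data. This toy pure-Python implementation compares against the recovered public key rather than a Base58 address, derives the nonce from a hash of key and digest instead of RFC 6979, and is for illustration only.

```python
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    lam = num * pow(den, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add (not constant-time; demo only)
    out = None
    while k:
        out = ec_add(out, pt) if k & 1 else out
        pt, k = ec_add(pt, pt), k >> 1
    return out

def message_hash(msg):
    # Bitcoin signmessage digest: double SHA-256 over the magic prefix + message
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg  # msg < 253 bytes
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def sign_message(priv, msg):
    # returns (recovery_id, r, s); nonce from a hash of key+digest (simplified, not RFC 6979)
    e = message_hash(msg)
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + e.to_bytes(32, "big")).digest(), "big") % N
    R = ec_mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    recid = (R[1] & 1) | (2 if R[0] >= N else 0)  # which of the candidate R points was used
    return recid, r, s

def recover_pubkey(msg, sig):
    # rebuild the signer's public key Q = r^-1 * (s*R - e*G) from message + signature alone
    recid, r, s = sig
    x = r + (N if recid & 2 else 0)
    y = pow(x * x * x + 7, (P + 1) // 4, P)
    y = y if y & 1 == recid & 1 else P - y
    eG = ec_mul(message_hash(msg), G)
    return ec_mul(pow(r, -1, N), ec_add(ec_mul(s, (x, y)), (eG[0], P - eG[1])))

def verify_message(msg, sig, pubkey):
    return recover_pubkey(msg, sig) == pubkey
```

A support desk holding only the customer's address-derived public key can run `verify_message` on the ticket text; a forged or altered message fails because the recovered key no longer matches.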