Bitcoin Forum
December 05, 2016, 02:39:54 AM *
Author Topic: I suspect GPUMax was compromised and passwords stolen  (Read 5733 times)
BlackBison (Sr. Member, Activity: 253)
June 06, 2012, 09:01:23 AM, post #41

Quote:

I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalk.org/index.php?topic=84585.msg937236#msg937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.
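The three-step proposal quoted above (a separate right for withdraw-to-bitcoin-address, a per-account address whitelist enforced for both web and API, and a second factor required for every whitelist change) written out as an authorization model. This is an added example, not GLBSE's or any exchange's code, and uses only the Python standard library: the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), the `Account`/`Principal` classes, right names and placeholder addresses are assumptions for illustration, and the 2FA secret is a constructed test value rather than anything a real system would use. `demo()` walks through the threat the post describes: an attacker who holds the account owner's API key.

```python
"""Added example (not GLBSE's or any exchange's code): the withdrawal-hardening
proposal as an authorization model, standard library only."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field


# --- Second factor: TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) -----------
def totp(secret, for_time=None, step=30, digits=6):
    """Compute the TOTP code for `secret` at `for_time` (default: now)."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.3)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret, code, for_time=None, step=30, window=1):
    """Accept the current code or its neighbours within +/- `window` steps (clock skew)."""
    t = time.time() if for_time is None else for_time
    return any(hmac.compare_digest(totp(secret, t + k * step, step), code)
               for k in range(-window, window + 1))


# --- Step 1: withdraw-to-bitcoin-address is a right of its own (assumed names) ----
TRADE, WITHDRAW_BANK, WITHDRAW_BTC = "trade", "withdraw_bank", "withdraw_btc"


class AuthError(Exception):
    pass


@dataclass
class Account:
    totp_secret: bytes                             # enrolled 2FA secret
    whitelist: set = field(default_factory=set)    # step 2: permitted destinations


@dataclass
class Principal:
    """An authenticated caller: the account acted on, the rights granted to this
    web session or API key, and the channel it arrived on ("web" or "api")."""
    account: Account
    rights: frozenset
    channel: str


# --- Step 3: whitelist changes always need a fresh second factor, on any channel --
def add_whitelist_address(principal, address, totp_code, now=None):
    if not verify_totp(principal.account.totp_secret, totp_code, now):
        raise AuthError("second factor required to change the withdrawal whitelist")
    principal.account.whitelist.add(address)


def remove_whitelist_address(principal, address, totp_code, now=None):
    if not verify_totp(principal.account.totp_secret, totp_code, now):
        raise AuthError("second factor required to change the withdrawal whitelist")
    principal.account.whitelist.discard(address)


# --- Withdrawal: identical rule for the web dashboard and the API -----------------
def withdraw_btc(principal, address, amount):
    if WITHDRAW_BTC not in principal.rights:
        raise AuthError("caller lacks the withdraw-to-bitcoin-address right")
    if address not in principal.account.whitelist:
        raise AuthError("destination address is not on the whitelist")
    return {"to": address, "amount": amount, "via": principal.channel}


def demo(now=1_700_000_000):
    """Attacker holds the owner's API key (which even carries the withdraw right)."""
    secret = b"12345678901234567890"       # constructed; real systems: secrets.token_bytes(20)
    owner_addr, attacker_addr = "OWNER-COLD-STORAGE-ADDR", "ATTACKER-ADDR"  # placeholders
    acct = Account(totp_secret=secret)
    owner_web = Principal(acct, frozenset({TRADE, WITHDRAW_BANK, WITHDRAW_BTC}), "web")
    add_whitelist_address(owner_web, owner_addr, totp(secret, now), now)   # owner enrols

    stolen_key = Principal(acct, frozenset({TRADE, WITHDRAW_BTC}), "api")  # attacker's view
    # A guess that is certain not to be a currently valid code for this demo run.
    bad_code = next(c for c in ("000000", "123456") if not verify_totp(secret, c, now))
    out = {}
    for label, action in (
        ("attacker_to_own_addr", lambda: withdraw_btc(stolen_key, attacker_addr, 10)),
        ("attacker_adds_addr", lambda: add_whitelist_address(stolen_key, attacker_addr, bad_code, now)),
        ("attacker_to_whitelisted", lambda: withdraw_btc(stolen_key, owner_addr, 10)),
    ):
        try:
            out[label] = action() or "allowed"
        except AuthError as e:
            out[label] = "denied: " + str(e)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The third case in `demo()` is the point of the design: a stolen key can still trigger a withdrawal, but only to an address the owner enrolled with their second factor, so the funds land in the owner's own wallet. Note that the check in `withdraw_btc` does not depend on `channel`; the post's complaint is precisely that API and web paths tend to be protected differently.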

molecular (Donator, Legendary, Activity: 2128)
June 06, 2012, 02:51:54 PM, post #42

Quote from: BlackBison on June 06, 2012, 09:01:23 AM (post #41 above, quoting the withdrawal-whitelist proposal in full)

+1. Nefario it would be great if you could get this put on glbse.

You can already activate 2-factor withdrawal on GLBSE... oh, via API, hmm, I didn't check that. Is it possible to withdraw without 2-factor auth using the API even if it's activated for withdrawals?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Nefario (Hero Member, Activity: 602, GLBSE Support support@glbse.com)
June 06, 2012, 10:04:12 PM, post #43

You cannot withdraw using the API.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
molecular (Donator, Legendary, Activity: 2128)
June 08, 2012, 12:58:40 PM, post #44

Quote from: Nefario

You cannot withdraw using the API.

Thanks for clarifying.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
MPOE-PR (Hero Member, Activity: 756)
October 02, 2012, 01:08:09 PM, post #45

Quote:

Question: when is someone going to invent a be-all, end-all service that is totally full of awesome and win, and then decide to force all users to use a proper 2-factor authentication system?

This has happened, except it forces users to use gpg not worthless 2fa. And the users complain about the ease-of-use, customer service, and personality of exchange manager.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.