molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
|
|
June 02, 2012, 05:46:50 PM |
|
If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.
nefario. this is great, so your effort already payed off. congrats!
|
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
|
|
|
REF
|
|
June 02, 2012, 05:51:19 PM |
|
Im sure he also asked if they had other accounts besides GPUmax. From what I see he did nothing wrong. He even tried contacting pirate, when he got no response he gave a warning to the community. I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.
I dont remember where I saw the link but recently nefario posted a link to google auth desktop version.
|
|
|
|
bitlane
Internet detective
Sr. Member
Offline
Activity: 462
Merit: 250
I heart thebaron
|
|
June 02, 2012, 05:58:54 PM |
|
Im sure he also asked if they had other accounts besides GPUmax. From what I see he did nothing wrong. He even tried contacting pirate, when he got no response he gave a warning to the community. I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.
I dont remember where I saw the link but recently nefario posted a link to google auth desktop version. No, the right thing would have been to tell people to check their passwords and not blindly tell them (as I quoted above) that GPUMAX was to blame for this.
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
June 02, 2012, 06:12:21 PM |
|
I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.
Several ways. Yubikey is my personal favorite, but here is a bunch of links: http://yubico.com/ <-- The makers of the Yubikey http://www.symantec.com/verisign/vip-authentication-service <-- paid service that PayPal and many others use for authentication. Yubico makes a credential that is compatible with this service as well. http://onlinenoram.gemalto.com/ <-- TOTP token that AWS uses for authentication, made by Gemalto. This is a dedicated device that can do the same thing as Google Auth, without the phone. http://motp.sourceforge.net/#7 <-- links to lots of tokens and related software. https://lastpass.com/ <-- password storage software that works on almost any platform and almost any browser, and that can use 2-factor auth for logging in.
|
|
|
|
imsaguy
General failure and former
VIP
Hero Member
Offline
Activity: 574
Merit: 500
Don't send me a pm unless you gpg encrypt it.
|
|
June 02, 2012, 06:23:22 PM |
|
How many of those users had bitcoinica accounts?
|
|
|
|
bitlane
Internet detective
Sr. Member
Offline
Activity: 462
Merit: 250
I heart thebaron
|
|
June 02, 2012, 06:48:08 PM |
|
How many of those users had bitcoinica accounts?
Please stay on topic. This is clearly GPUMAX's fault (as stated in the first post). It couldn't possibly have anything to do with another service ...I mean, just look at GPUMAX's ( and Pirate's....in general) track record when it comes to security and loss. Please re-apply tunnel vision and/or add blinders to continue this conversation
|
|
|
|
|
FreeMoney
Legendary
Offline
Activity: 1246
Merit: 1016
Strength in numbers
|
|
June 02, 2012, 07:44:58 PM |
|
How many of those users had bitcoinica accounts?
|
Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
|
|
|
TT
Member
Offline
Activity: 77
Merit: 10
|
|
June 02, 2012, 07:51:12 PM Last edit: June 02, 2012, 08:03:21 PM by TT |
|
I've been proposing the following: Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft. Other withdrawal methods have at least some level of traceability and/or reversibility.
Therefore, I propose the following solution: 1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods. 2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API. 3) require two-factor authentication for adding or removing addresses to and from the whitelist.
This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys, the attacker will not be able to withdraw bitcoins to addresses of his choice.
Simple fix to a significant security risk.
https://bitcointalk.org/index.php?topic=84585.msg937236#msg937236Please, exchanges, implement this SOON. You cannot implement it soon enough.
|
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
June 02, 2012, 10:14:08 PM |
|
"cum hoc ergo propter hoc" <3 latin
|
|
|
|
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
|
|
June 03, 2012, 01:35:02 AM |
|
They always blame the pirate, don't they?
|
|
|
|
Math Man
|
|
June 03, 2012, 01:54:43 AM |
|
I think this thread belongs in the "speculation" sub-category. Better yet, create a "wild speculation" sub-category. It would fit better there.
|
|
|
|
FreeMoney
Legendary
Offline
Activity: 1246
Merit: 1016
Strength in numbers
|
|
June 03, 2012, 04:39:56 AM |
|
The title needs to be changed imo.
|
Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
|
|
|
dave3
|
|
June 03, 2012, 06:40:30 AM |
|
Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?
|
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
June 03, 2012, 06:44:55 AM Last edit: June 03, 2012, 09:15:01 PM by Stephen Gornick |
|
Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?
The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something) It doesn't work on other services where a Yubikey is used. The Yubikey from Yubico works at Mt. Gox and [Edit: see rjk's correction below] elsewhere where Yubikeys are supported.
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
June 03, 2012, 11:03:55 AM |
|
Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?
The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something) It doesn't work on other services where a Yubikay is used. The Yubikey from Yubico works at Mt. Gox and elsewhere where Yubikeys are supported. Slight correction - only keys programmed by MtGox can be used with MtGox - you can't use one that you got direct from Yubico. The reason is that MtGox runs their own authentication server with their own keypairs, instead of using Yubico's free cloud authentication system. However, any website that uses the free service provided by Yubico for authentication will support a generic device ordered from Yubico.
|
|
|
|
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
|
|
June 03, 2012, 12:04:31 PM |
|
How many of those users had bitcoinica accounts?
+3 funny, FreeMoney
|
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
|
|
|
Aseras
|
|
June 03, 2012, 06:43:07 PM |
|
There is no perfect way. As soon as you make one someone else wind find a way to break it or work around it. If its accessible in any form. Someone can break in.
|
|
|
|
FreeMoney
Legendary
Offline
Activity: 1246
Merit: 1016
Strength in numbers
|
|
June 03, 2012, 09:34:51 PM |
|
There is no perfect way. As soon as you make one someone else wind find a way to break it or work around it. If its accessible in any form. Someone can break in.
Give up human!
|
Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
|
|
|
|