Bitcoin Forum
April 19, 2024, 09:40:12 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Bitcoin Discussion > I suspect GPUMax was compromised and passwords stolen
Pages: « 1 2 [3]  All
« previous topic next topic »
  Print  
Author Topic: I suspect GPUMax was compromised and passwords stolen  (Read 6339 times)
BlackBison
Sr. Member
****
Offline Offline

Activity: 250
Merit: 250



View Profile
June 06, 2012, 09:01:23 AM
 #41
Quote from: TT on June 02, 2012, 07:51:12 PM
I've been proposing the following:

Quote from: TT on June 02, 2012, 07:46:30 PM
Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalk.org/index.php?topic=84585.msg937236#msg937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.
bitcoin-otc
1713519612
Hero Member
*
Offline Offline

Posts: 1713519612

View Profile Personal Message (Offline)

Ignore
1713519612
1713519612
Reply with quote  #2
1713519612
Report to moderator
Who are the least trusted users of Bitcointalk? ¯\_(ツ)_/¯ Who are the most trusted users of Bitcointalk?
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1713519612
Hero Member
*
Offline Offline

Posts: 1713519612

View Profile Personal Message (Offline)

Ignore
1713519612
1713519612
Reply with quote  #2
1713519612
Report to moderator
1713519612
Hero Member
*
Offline Offline

Posts: 1713519612

View Profile Personal Message (Offline)

Ignore
1713519612
1713519612
Reply with quote  #2
1713519612
Report to moderator
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
June 06, 2012, 02:51:54 PM
 #42
Quote from: BlackBison on June 06, 2012, 09:01:23 AM
Quote from: TT on June 02, 2012, 07:51:12 PM
I've been proposing the following:

Quote from: TT on June 02, 2012, 07:46:30 PM
Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalk.org/index.php?topic=84585.msg937236#msg937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.

you can already activate 2-factor withdrawal on glbse... oh, via API, hmm, didn't check that. Is it possible to withdraw without 2-factor-auth using the api even if it's activated for withdrawals?
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Nefario (OP)
Hero Member
*****
Offline Offline

Activity: 602
Merit: 512


GLBSE Support support@glbse.com


View Profile WWW
June 06, 2012, 10:04:12 PM
 #43
You cannot withdraw using the API.
PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
June 08, 2012, 12:58:40 PM
 #44
Quote from: Nefario on June 06, 2012, 10:04:12 PM
You cannot withdraw using the API.

thanks for clarifying.
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756
Merit: 522



View Profile
October 02, 2012, 01:08:09 PM
 #45
Quote from: rjk on June 02, 2012, 03:44:37 PM
Question: when is someone going to invent a be-all, end-all service that is totally full of awesome and win, and then decide to force all users to use a proper 2-factor authentication system?

This has happened, except it forces users to use gpg not worthless 2fa. And the users complain about the

Quote from: stochastic on October 02, 2012, 02:15:41 AM
ease-of-use, customer service, and personality of exchange manager.
My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
Pages: « 1 2 [3]  All
  Print  
Bitcoin Forum > Bitcoin > Bitcoin Discussion > I suspect GPUMax was compromised and passwords stolen
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!