Bitcoin Forum
December 10, 2016, 11:10:25 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: MtGox and 2 Factor Authentication  (Read 2006 times)
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
July 13, 2012, 08:34:07 PM
 #1

Given that people are extremely lazy about account security I propose that mtgox requires mandatory 2 factor authentication for all accounts.

Also, stop withdrawing coins and dollars immediately! There should be a 24 hours notice for withdrawal. This give the chance for users to review and stop an action if they deem suspicious. (For users who crys for immediate gratification, force them to use 2 method for 2factor authentication at once, charge them a high fee for added risks, etc)

Also, 40K bitcoin withdrawal limit is incredibly dumb. It doesn't match up with 40K USD for a long time now.


If my security suggestions are dumb, feel free to say why. I am not a security expert but I am very interested in NOT REPEATING the bitcoinica fiasco or the mtgox fiasco or any other fiasco ever again.

1481368225
Hero Member
*
Offline Offline

Posts: 1481368225

View Profile Personal Message (Offline)

Ignore
1481368225
Reply with quote  #2

1481368225
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481368225
Hero Member
*
Offline Offline

Posts: 1481368225

View Profile Personal Message (Offline)

Ignore
1481368225
Reply with quote  #2

1481368225
Report to moderator
acoindr
Legendary
*
Offline Offline

Activity: 1036


View Profile
July 13, 2012, 08:45:17 PM
 #2

If I'm not mistaken Mt.Gox lets users apply two factor authentication if they want it.

I don't like the idea of mandating actions (it seems a bit opposite of Bitcoin free market theme), but I do like the idea of delayed withdrawals. That would be good if users could choose the option.

Of course, Mt. Gox, or anybody else, is free to apply whatever procedures they wish. I think a recommended security setting notice and warning would be good too.
Yankee (BitInstant)
Legendary
*
Offline Offline

Activity: 1078


Charlie 'Van Bitcoin' Shrem


View Profile WWW
July 13, 2012, 08:47:22 PM
 #3

Given that people are extremely lazy about account security I propose that mtgox requires mandatory 2 factor authentication for all accounts.

Also, stop withdrawing coins and dollars immediately! There should be a 24 hours notice for withdrawal. This give the chance for users to review and stop an action if they deem suspicious. (For users who crys for immediate gratification, force them to use 2 method for 2factor authentication at once, charge them a high fee for added risks, etc)

Also, 40K bitcoin withdrawal limit is incredibly dumb. It doesn't match up with 40K USD for a long time now.


If my security suggestions are dumb, feel free to say why. I am not a security expert but I am very interested in NOT REPEATING the bitcoinica fiasco or the mtgox fiasco or any other fiasco ever again.

Kiba, while you are correct that EVERYONE should use 2 factor...this is not why Bitcoinica was hacked.

Bitcoinica was hacked (this time) because they had their mtgox API key on the server which the hacker was able to exploit.

I'm not sure if its possible to do 2 factor with the API.

Bitcoin pioneer. An apostle of Satoshi Nakamoto. A crusader for a new, better, tech-driven society. A dreamer.

More about me: http://CharlieShrem.com
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
July 13, 2012, 08:48:04 PM
 #4


I don't like the idea of mandating action (it seems a bit opposite of Bitcoin free market theme),

MtGox is not the whole free markeet you know. They can do whatever they want and users can choose other providers that doesn't require 2 factor authentication.

Quote
but I do like the idea of delayed withdrawals. That would be good if users could choose the option.

On second thought, this could be mandatory at mtgox too.

rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
July 13, 2012, 08:48:17 PM
 #5

Although forcing all users to have it is a bit harsh, I think at the very least all trusted users with adjusted withdrawal limits needs to be forced to use 2FA. If they can't afford a Yubikey or a GA-capable smartphone, then why the hell are they trading such large amounts of $ and BTC?

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
July 13, 2012, 08:49:38 PM
 #6

Kiba, while you are correct that EVERYONE should use 2 factor...this is not why Bitcoinica was hacked.

Bitcoinica was hacked (this time) because they had their mtgox API key on the server which the hacker was able to exploit.

I'm not sure if its possible to do 2 factor with the API.
My understanding is that the API key was the master password for LastPass, which allowed the hacker access to the mtgox account with a password. No 2FA was used on the mtgox account, because LastPass was considered secure. This is what I have gathered.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
July 13, 2012, 08:50:36 PM
 #7


Kiba, while you are correct that EVERYONE should use 2 factor...this is not why Bitcoinica was hacked.

Bitcoinica was hacked (this time) because they had their mtgox API key on the server which the hacker was able to exploit.

I'm not sure if its possible to do 2 factor with the API.

I am told API key was already revoked. Information seems to be conflicting and confusing.

kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
July 13, 2012, 08:53:32 PM
 #8

Although forcing all users to have it is a bit harsh, I think at the very least all trusted users with adjusted withdrawal limits needs to be forced to use 2FA. If they can't afford a Yubikey or a GA-capable smartphone, then why the hell are they trading such large amounts of $ and BTC?

Smartphone penetration in the US grown to 54.9%. At some point in the future, smartphone will be ubiquitous. A yubikey should be cheaper than a phone.

acoindr
Legendary
*
Offline Offline

Activity: 1036


View Profile
July 13, 2012, 08:58:24 PM
 #9

I am told API key was already revoked. Information seems to be conflicting and confusing.

The API key was used as a password to LastPass, which in turn had the password to log into Mt.Gox.
Yankee (BitInstant)
Legendary
*
Offline Offline

Activity: 1078


Charlie 'Van Bitcoin' Shrem


View Profile WWW
July 13, 2012, 09:05:33 PM
 #10

I am told API key was already revoked. Information seems to be conflicting and confusing.

The API key was used as a password to LastPass, which in turn had the password to log into Mt.Gox.

Is that a joke?

Oh wow. Thanks for bringing this to light.

Bitcoin pioneer. An apostle of Satoshi Nakamoto. A crusader for a new, better, tech-driven society. A dreamer.

More about me: http://CharlieShrem.com
acoindr
Legendary
*
Offline Offline

Activity: 1036


View Profile
July 13, 2012, 09:08:31 PM
 #11

I am told API key was already revoked. Information seems to be conflicting and confusing.

The API key was used as a password to LastPass, which in turn had the password to log into Mt.Gox.

Is that a joke?

Oh wow. Thanks for bringing this to light.

We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occured because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
July 13, 2012, 09:11:02 PM
 #12

Also, I would like to point out that mtgox appears to not have login attempt limitation. When I forgot my passwords, I tried more than 3 times to enter my password.(Probably at least ten time until I realize that I was using the wrong username). This should not have happened, methink.

Littleshop
Legendary
*
Offline Offline

Activity: 1316



View Profile WWW
July 13, 2012, 09:43:10 PM
 #13

As far as I know, MTGOX has not had any reported losses on accounts with ubikey only and no API access.  Is this correct?

Spekulatius
Legendary
*
Offline Offline

Activity: 1022



View Profile
July 13, 2012, 09:50:17 PM
 #14

mandatory delays on mtgox...

Arent withrawal delays mandatory on mtgox already?
Bitcoin Oz
Hero Member
*****
Offline Offline

Activity: 700


Wat


View Profile WWW
July 13, 2012, 10:33:11 PM
 #15

How come 40 000 USD was instant whereas people with much smaller amounts it takes weeks ?

MagicalTux
VIP
Hero Member
*
Offline Offline

Activity: 617


Working on new MtGox features


View Profile WWW
July 13, 2012, 10:38:26 PM
 #16

We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

acoindr
Legendary
*
Offline Offline

Activity: 1036


View Profile
July 13, 2012, 10:57:58 PM
 #17

We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

Nice! Thanks for being proactive and remaining a positive Bitcoin force.

Please also make it unmistakably obvious to users what security practices and settings are recommended.
finway
Hero Member
*****
Offline Offline

Activity: 714


View Profile
July 14, 2012, 10:53:25 AM
 #18

We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

No!!  You can't do this.

This(Instant Bitcoins Withdraw)  is the only thing that keep you different from FRB banks.

If you do this, i will never trust you again.  Instant Withdraw should be the STANDARD of Bitcoin Banks.

dust
Hero Member
*****
Offline Offline

Activity: 840



View Profile WWW
July 14, 2012, 11:17:27 AM
 #19

We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

No!!  You can't do this.

This(Instant Bitcoins Withdraw)  is the only thing that keep you different from FRB banks.

If you do this, i will never trust you again.  Instant Withdraw should be the STANDARD of Bitcoin Banks.
Sounds like this would be a user configurable option.  Mandating some form of two factor authentication for "large" transactions would be reasonable.

Cryptocoin Mining Info | OTC | PGP | Twitter | freenode: dust-otc | BTC: 1F6fV4U2xnpAuKtmQD6BWpK3EuRosKzF8U
HorseRider
Donator
Legendary
*
Offline Offline

Activity: 1582


View Profile
July 14, 2012, 11:27:50 AM
 #20


Also, stop withdrawing coins and dollars immediately! There should be a 24 hours notice for withdrawal.

Yes, this should be an "option configurable from the user", and if the users once chose so and then they want to change, it will need another periods of time, say 3 days, to be effective.

16SvwJtQET7mkHZFFbJpgPaDA1Pxtmbm5P
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!