Bitcoin Forum
Author Topic: MtGox and 2 Factor Authentication  (Read 2284 times)
kiba (OP)
Legendary
*
Offline Offline

Activity: 980
Merit: 1014


View Profile
July 13, 2012, 08:34:07 PM
 #1

Given that people are extremely lazy about account security I propose that mtgox requires mandatory 2 factor authentication for all accounts.

Also, stop withdrawing coins and dollars immediately! There should be 24 hours' notice for withdrawal. This gives users the chance to review and stop an action if they deem it suspicious. (For users who cry for immediate gratification, force them to use 2 methods of 2-factor authentication at once, charge them a high fee for the added risks, etc.)

Also, 40K bitcoin withdrawal limit is incredibly dumb. It doesn't match up with 40K USD for a long time now.


If my security suggestions are dumb, feel free to say why. I am not a security expert but I am very interested in NOT REPEATING the bitcoinica fiasco or the mtgox fiasco or any other fiasco ever again.

acoindr
Legendary
*
Offline Offline

Activity: 1050
Merit: 1002


View Profile
July 13, 2012, 08:45:17 PM
 #2

If I'm not mistaken Mt.Gox lets users apply two factor authentication if they want it.

I don't like the idea of mandating actions (it seems a bit opposite of Bitcoin free market theme), but I do like the idea of delayed withdrawals. That would be good if users could choose the option.

Of course, Mt. Gox, or anybody else, is free to apply whatever procedures they wish. I think a recommended security setting notice and warning would be good too.
Yankee (BitInstant)
Legendary
*
Offline Offline

Activity: 1078
Merit: 1000


Charlie 'Van Bitcoin' Shrem


View Profile WWW
July 13, 2012, 08:47:22 PM
 #3

Quote from: kiba
Given that people are extremely lazy about account security I propose that mtgox requires mandatory 2 factor authentication for all accounts.

Also, stop withdrawing coins and dollars immediately! There should be 24 hours' notice for withdrawal. This gives users the chance to review and stop an action if they deem it suspicious. (For users who cry for immediate gratification, force them to use 2 methods of 2-factor authentication at once, charge them a high fee for the added risks, etc.)

Also, 40K bitcoin withdrawal limit is incredibly dumb. It doesn't match up with 40K USD for a long time now.

If my security suggestions are dumb, feel free to say why. I am not a security expert but I am very interested in NOT REPEATING the bitcoinica fiasco or the mtgox fiasco or any other fiasco ever again.

Kiba, while you are correct that EVERYONE should use 2 factor...this is not why Bitcoinica was hacked.

Bitcoinica was hacked (this time) because they had their mtgox API key on the server which the hacker was able to exploit.

I'm not sure if it's possible to do 2 factor with the API.

Bitcoin pioneer. An apostle of Satoshi Nakamoto. A crusader for a new, better, tech-driven society. A dreamer.

More about me: http://CharlieShrem.com
kiba (OP)
Legendary
*
Offline Offline

Activity: 980
Merit: 1014


View Profile
July 13, 2012, 08:48:04 PM
 #4


Quote from: acoindr
I don't like the idea of mandating actions (it seems a bit opposite of Bitcoin free market theme),

MtGox is not the whole free market you know. They can do whatever they want and users can choose other providers that don't require 2 factor authentication.

Quote from: acoindr
but I do like the idea of delayed withdrawals. That would be good if users could choose the option.

On second thought, this could be mandatory at mtgox too.

rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
July 13, 2012, 08:48:17 PM
 #5

Although forcing all users to have it is a bit harsh, I think at the very least all trusted users with adjusted withdrawal limits needs to be forced to use 2FA. If they can't afford a Yubikey or a GA-capable smartphone, then why the hell are they trading such large amounts of $ and BTC?

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
July 13, 2012, 08:49:38 PM
 #6

Quote from: Yankee (BitInstant)
Kiba, while you are correct that EVERYONE should use 2 factor...this is not why Bitcoinica was hacked.

Bitcoinica was hacked (this time) because they had their mtgox API key on the server which the hacker was able to exploit.

I'm not sure if it's possible to do 2 factor with the API.

My understanding is that the API key was the master password for LastPass, which allowed the hacker access to the mtgox account with a password. No 2FA was used on the mtgox account, because LastPass was considered secure. This is what I have gathered.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
kiba (OP)
Legendary
*
Offline Offline

Activity: 980
Merit: 1014


View Profile
July 13, 2012, 08:50:36 PM
 #7


Quote from: Yankee (BitInstant)
Kiba, while you are correct that EVERYONE should use 2 factor...this is not why Bitcoinica was hacked.

Bitcoinica was hacked (this time) because they had their mtgox API key on the server which the hacker was able to exploit.

I'm not sure if it's possible to do 2 factor with the API.

I am told the API key was already revoked. Information seems to be conflicting and confusing.

kiba (OP)
Legendary
*
Offline Offline

Activity: 980
Merit: 1014


View Profile
July 13, 2012, 08:53:32 PM
 #8

Quote from: rjk
Although forcing all users to have it is a bit harsh, I think at the very least all trusted users with adjusted withdrawal limits need to be forced to use 2FA. If they can't afford a Yubikey or a GA-capable smartphone, then why the hell are they trading such large amounts of $ and BTC?

Smartphone penetration in the US has grown to 54.9%. At some point in the future, smartphones will be ubiquitous. A Yubikey should be cheaper than a phone.

acoindr
Legendary
*
Offline Offline

Activity: 1050
Merit: 1002


View Profile
July 13, 2012, 08:58:24 PM
 #9

Quote from: kiba
I am told the API key was already revoked. Information seems to be conflicting and confusing.

The API key was used as a password to LastPass, which in turn had the password to log into Mt.Gox.
Yankee (BitInstant)
Legendary
*
Offline Offline

Activity: 1078
Merit: 1000


Charlie 'Van Bitcoin' Shrem


View Profile WWW
July 13, 2012, 09:05:33 PM
 #10

Quote from: acoindr
Quote from: kiba
I am told the API key was already revoked. Information seems to be conflicting and confusing.

The API key was used as a password to LastPass, which in turn had the password to log into Mt.Gox.

Is that a joke?

Oh wow. Thanks for bringing this to light.

Bitcoin pioneer. An apostle of Satoshi Nakamoto. A crusader for a new, better, tech-driven society. A dreamer.

More about me: http://CharlieShrem.com
acoindr
Legendary
*
Offline Offline

Activity: 1050
Merit: 1002


View Profile
July 13, 2012, 09:08:31 PM
 #11

Quote from: Yankee (BitInstant)
Quote from: acoindr
Quote from: kiba
I am told the API key was already revoked. Information seems to be conflicting and confusing.

The API key was used as a password to LastPass, which in turn had the password to log into Mt.Gox.

Is that a joke?

Oh wow. Thanks for bringing this to light.

Quote
We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occurred because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.
kiba (OP)
Legendary
*
Offline Offline

Activity: 980
Merit: 1014


View Profile
July 13, 2012, 09:11:02 PM
 #12

Also, I would like to point out that mtgox appears not to have a login attempt limitation. When I forgot my password, I tried more than 3 times to enter my password (probably at least ten times until I realized that I was using the wrong username). This should not have happened, methinks.
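On the missing login-attempt limit described in the post above: the usual fix is a throttle that keys on both the submitted username and the source address, counts failures in a sliding window, and locks the key out for an exponentially growing interval. The Python below is an added example written for this page, not Mt. Gox code; the thresholds are assumptions, and the class and method names are invented for the example.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for the example; the thread does not give Mt. Gox's.
MAX_FAILURES = 5              # failures inside the window before a lockout
WINDOW_SECONDS = 15 * 60      # sliding window in which failures are counted
BASE_LOCKOUT_SECONDS = 60     # first lockout; doubles on every further lockout of the same key
MAX_LOCKOUT_SECONDS = 24 * 3600


class LoginThrottle:
    """Counts failed logins per submitted username and per source IP in a sliding window
    and applies exponentially growing lockouts. Keying on both stops one IP spraying many
    accounts and a botnet hammering one account. The username key is the string that was
    submitted, so guesses at non-existent usernames are throttled exactly like real ones
    (and the login error must not reveal which of the two cases applies)."""

    def __init__(self):
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lockout ends
        self.lockouts = defaultdict(int)    # key -> lockouts so far, drives the backoff

    @staticmethod
    def _keys(username, ip):
        return (f"u:{username.lower()}", f"ip:{ip}")

    def check(self, username, ip, now):
        """Call before touching the password hash. Returns (allowed, seconds_to_wait)."""
        wait = max(self.locked_until.get(k, 0) - now for k in self._keys(username, ip))
        return (wait <= 0, max(wait, 0))

    def record(self, username, ip, success, now):
        """Call after the password check with its outcome."""
        for k in self._keys(username, ip):
            q = self.failures[k]
            if success:
                q.clear()          # the backoff history in self.lockouts is kept on purpose
                continue
            while q and q[0] <= now - WINDOW_SECONDS:   # drop failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= MAX_FAILURES:
                self.lockouts[k] += 1
                delay = min(BASE_LOCKOUT_SECONDS * 2 ** (self.lockouts[k] - 1),
                            MAX_LOCKOUT_SECONDS)
                self.locked_until[k] = now + delay
                q.clear()
```

Five failures for `alice` from one address lock both the username and that address for 60 seconds; a second burst against `alice` from elsewhere locks the username for 120 seconds while the new address gets its own first 60-second lockout. A real deployment keeps this state in a shared store rather than in process memory so that all front-end nodes see the same counters.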

Littleshop
Legendary
*
Offline Offline

Activity: 1386
Merit: 1003



View Profile WWW
July 13, 2012, 09:43:10 PM
 #13

As far as I know, MTGOX has not had any reported losses on accounts with Yubikey only and no API access.  Is this correct?

Spekulatius
Legendary
*
Offline Offline

Activity: 1022
Merit: 1000



View Profile
July 13, 2012, 09:50:17 PM
 #14

mandatory delays on mtgox...

Aren't withdrawal delays mandatory on mtgox already?
Bitcoin Oz
Hero Member
*****
Offline Offline

Activity: 686
Merit: 500


Wat


View Profile WWW
July 13, 2012, 10:33:11 PM
 #15

How come 40,000 USD was instant whereas for people with much smaller amounts it takes weeks?

MagicalTux
VIP
Hero Member
*
Offline Offline

Activity: 608
Merit: 501


-


View Profile
July 13, 2012, 10:38:26 PM
 #16

We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).
acoindr
Legendary
*
Offline Offline

Activity: 1050
Merit: 1002


View Profile
July 13, 2012, 10:57:58 PM
 #17

Quote from: MagicalTux
We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

Nice! Thanks for being proactive and remaining a positive Bitcoin force.

Please also make it unmistakably obvious to users what security practices and settings are recommended.
finway
Hero Member
*****
Offline Offline

Activity: 714
Merit: 500


View Profile
July 14, 2012, 10:53:25 AM
 #18

Quote from: MagicalTux
We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

No!!  You can't do this.

This (Instant Bitcoins Withdraw) is the only thing that keeps you different from FRB banks.

If you do this, I will never trust you again.  Instant Withdraw should be the STANDARD of Bitcoin Banks.

dust
Hero Member
*****
Offline Offline

Activity: 840
Merit: 1000



View Profile WWW
July 14, 2012, 11:17:27 AM
 #19

Quote from: MagicalTux
We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

Quote from: finway
No!!  You can't do this.

This (Instant Bitcoins Withdraw) is the only thing that keeps you different from FRB banks.

If you do this, I will never trust you again.  Instant Withdraw should be the STANDARD of Bitcoin Banks.

Sounds like this would be a user configurable option.  Mandating some form of two factor authentication for "large" transactions would be reasonable.

Cryptocoin Mining Info | OTC | PGP | Twitter | freenode: dust-otc | BTC: 1F6fV4U2xnpAuKtmQD6BWpK3EuRosKzF8U
HorseRider
Donator
Legendary
*
Offline Offline

Activity: 1120
Merit: 1001


View Profile
July 14, 2012, 11:27:50 AM
 #20


Quote from: kiba
Also, stop withdrawing coins and dollars immediately! There should be 24 hours' notice for withdrawal.

Yes, this should be an "option configurable from the user", and if the users once chose so and then want to change it, it will need another period of time, say 3 days, to be effective.

16SvwJtQET7mkHZFFbJpgPaDA1Pxtmbm5P
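The withdrawal rules discussed in this thread (kiba's 24-hour hold in post #1, MagicalTux's rule set on the aggregated 24-hour transfer amount with an emergency lockout that cancels held transfers in post #16, dust's second factor for large transactions in post #19, and HorseRider's waiting period before a loosened setting takes effect in post #20) fit together in one small policy engine. The Python below is an added example written for this page; it is not Mt. Gox code, and the thread gives no detail of how Mt. Gox implemented its options. All constants (hold length, window, cooldown, limits, amounts) are assumptions, the one-time code is standard RFC 6238 TOTP with the RFC's published test secret standing in for an enrolled device, and the function and class names are invented for the example.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Optional

# Policy knobs. These numbers are assumptions for the example, not Mt. Gox settings.
HOLD_SECONDS = 24 * 3600              # a held withdrawal waits 24h before release (post #1)
WINDOW_SECONDS = 24 * 3600            # aggregate outgoing amount over a rolling 24h window (post #16)
SETTING_COOLDOWN_SECONDS = 3 * 86400  # raising the instant limit only takes effect after 3 days (post #20)
TOTP_STEP = 30
TOTP_DIGITS = 8

def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at // TOTP_STEP, TOTP_DIGITS)

def totp_valid(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps of clock drift; constant-time compare."""
    return any(hmac.compare_digest(totp(secret, at + d * TOTP_STEP), code)
               for d in range(-skew, skew + 1))

@dataclass
class Withdrawal:
    amount: int               # integer units (e.g. satoshis); never floats for money
    requested_at: int
    release_at: int           # equals requested_at for an instant withdrawal
    status: str = "pending"   # pending -> released | cancelled

@dataclass
class Account:
    totp_secret: bytes
    instant_limit: int                     # 24h aggregate under which withdrawals go out at once
    pending_limit: Optional[tuple] = None  # (new_limit, effective_at) while a raise cools down
    locked: bool = False
    withdrawals: list = field(default_factory=list)

def aggregated_24h(acct: Account, now: int) -> int:
    """Sum of non-cancelled withdrawals requested inside the rolling window."""
    return sum(w.amount for w in acct.withdrawals
               if w.status != "cancelled" and w.requested_at > now - WINDOW_SECONDS)

def set_instant_limit(acct: Account, new_limit: int, now: int) -> int:
    """Tightening applies at once; loosening waits out the cooldown, so someone who has
    hijacked the session cannot simply switch the protection off and drain the account.
    Returns the time at which the requested limit becomes effective."""
    if new_limit <= acct.instant_limit:
        acct.instant_limit, acct.pending_limit = new_limit, None
        return now
    acct.pending_limit = (new_limit, now + SETTING_COOLDOWN_SECONDS)
    return acct.pending_limit[1]

def apply_pending_limit(acct: Account, now: int) -> None:
    if acct.pending_limit and now >= acct.pending_limit[1]:
        acct.instant_limit, acct.pending_limit = acct.pending_limit[0], None

def request_withdrawal(acct: Account, amount: int, now: int,
                       totp_code: Optional[str] = None) -> Withdrawal:
    """Instant while the 24h aggregate stays within the limit. Above it, a valid one-time
    code is mandatory and the transfer is held, so the owner still has time to cancel it."""
    if acct.locked:
        raise PermissionError("account is locked")
    apply_pending_limit(acct, now)
    if aggregated_24h(acct, now) + amount <= acct.instant_limit:
        w = Withdrawal(amount, now, now, "released")
    else:
        if totp_code is None or not totp_valid(acct.totp_secret, totp_code, now):
            raise PermissionError("valid one-time code required for a large withdrawal")
        w = Withdrawal(amount, now, now + HOLD_SECONDS)
    acct.withdrawals.append(w)
    return w

def release_due(acct: Account, now: int) -> int:
    """Periodic job: release held withdrawals whose hold has expired. Returns the count."""
    due = [w for w in acct.withdrawals if w.status == "pending" and now >= w.release_at]
    for w in due:
        w.status = "released"
    return len(due)

def emergency_lockout(acct: Account) -> int:
    """Owner's panic button: lock the account and cancel everything still on hold."""
    acct.locked = True
    held = [w for w in acct.withdrawals if w.status == "pending"]
    for w in held:
        w.status = "cancelled"
    return len(held)
```

With `Account(totp_secret=b"12345678901234567890", instant_limit=1_000_000)`, a 400,000-unit withdrawal at t=59 goes out at once; a further 900,000 pushes the 24-hour aggregate over the limit, is refused without a code, and with `totp(secret, 59)` (which is `94287082` for that RFC test secret) is accepted but held for 24 hours; `emergency_lockout` then cancels it. Two design points matter: lowering the limit applies immediately while raising it waits out the cooldown, which is what makes the option useful against an attacker who already holds the session, and the lockout cancels only transfers still on hold, so the instant tier is exactly the part of the balance that stays exposed once credentials leak.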