ASICMINER: Entering the Future of ASIC Mining by Inventing It

[lunarboy]

Here at Havelock we take security issues very seriously.

We have never had any issues with users that enabled 2FA on their account. We have contacted the person that has made the claim that is account has been compromised and are looking to resolve the matter has soon as possible.

Trying to balance ease of use and security is never easy, especially in the Bitcoin realm. We can always add additional security features but those will always slow down the user experience.

So we turn to you, our valued customers, what features would like us to add to our platform?

1. Confirmation email before any action is taken; some but not all actions.

2. Pending withdrawal of your Bitcoins; time lock?

3. Lock account by IP address?

We always value your opinions and we strive to serve the Bitcoin community to the best of our ability.

Also we can assure everyone that it was not an "inside rogue employee"

Thank you,

Support Team
Havelock Investments

This is the Asciminer thread so we should probably move this discussion over to havelock exchange, although if you remember Havelock suggestions have been made in the past, had these been implemented this sort of thing could not so easily happen
https://bitcointalk.org/index.php?topic=135035.msg3661143#msg3661143

withdrawals should be locked to a specific BTC address and multisig should be signed for share transfer. This would at least stop funds leaving the accounts. YOU WERE WARNED.

[minerpumpkin]

Some sort of address locking seems to be the sweet spot.
The other proposals are nice to have, but a compromised mail account won't help against mail confirmations and may not help against 2FA. Keep your 2FA separate (phone and unrelated email address)!

[noah1987]

A miner which use asicminer gen3 chip now on pre-sale, the poster is very famous in Chinese Bitcoin circle. This is the translation of the weibo post:

Miner presale Details:
Miner price :11000 RMB/T (1813 USD/T), full payment in advance.
Power consumption: 600W/T.
If a single miner's speed doesn't meet the design requirements, or beyond the design requirements, in accordance 11000RMB / T price, refund for any overpayment or a supplemental payment for any deficiency.
If you order more than 10T , it is 10000RMB/T.
April 20 is the deadline, if not shipped on time, we'll give you a full refund!
Tel: 13581816335 Zhao Dong's QQ group: 326548639

In the weibo below, one people replys:
So cheap, is it Asicminer's chip?
Zhao replys:"Yes"
Then he ask again:
Asicminer's gen3 haven't tapeout yet, can it mass production in April?
Zhao replys:"Almost"

Sorry for my poor English translation, the original weibo can be found here:
http://weibo.com/1658066713/AwIw85hLy

I have snapshoted the weibo and the chat.

[BuildTheFuture]

Interesting, anyone know if this first batch of Gen 3 hardware will be sold in the US as well? Or only to the Chinese?

[bitcoin.newsfeed]

2. Pending withdrawal of your Bitcoins; time lock?

How about allowing us to specify a withdrawal address that is then locked; coins can only be sent to this address. It can be unlocked, but upon doing so an email is sent notifying me that it's been unlocked and it takes a further 7 days or so before a new address can be entered?

^^ THIS. + yubikey

[ning]

If we take a look at the numbers, we can see that:

The power consumption of the new chips (3rd gen) is 0.2~0.35 J/GHash [1];
and the power consumption of the chips about to be sold is 600 W/THash = 0.6 J/GHash [2].

The numbers are different, so are the chips, seemingly.


[1] https://bitcointalk.org/index.php?topic=438359.msg4816701#msg4816701
[2] https://bitcointalk.org/index.php?topic=99497.msg5153058#msg5153058

[romerun]

sounds like another pump attempt from chinese again

[Lohoris]

How about allowing us to specify a withdrawal address that is then locked; coins can only be sent to this address. It can be unlocked, but upon doing so an email is sent notifying me that it's been unlocked and it takes a further 7 days or so before a new address can be entered?

It won't help if your email is compromised, since you might also easily miss the confirmation email (the attacker would delete it).

[Lohoris]

Here at Havelock we take security issues very seriously.

We have never had any issues with users that enabled 2FA on their account. We have contacted the person that has made the claim that is account has been compromised and are looking to resolve the matter has soon as possible.

Trying to balance ease of use and security is never easy, especially in the Bitcoin realm. We can always add additional security features but those will always slow down the user experience.

So we turn to you, our valued customers, what features would like us to add to our platform?

1. Confirmation email before any action is taken; some but not all actions.

2. Pending withdrawal of your Bitcoins; time lock?

3. Lock account by IP address?

We always value your opinions and we strive to serve the Bitcoin community to the best of our ability.

Also we can assure everyone that it was not an "inside rogue employee"

Thank you,

Support Team
Havelock Investments

Since apparently the email is the weak link, how about adding an optional extra layer via SMS?

[empoweoqwj]

That's pretty scary. Not sure what other attack vectors there might be except for some Havelock employee gone rogue or a security breach at their servers. Maybe your email account is compromised and they used it for some social engineering shenanigans (which would also be hard with you noticing).

Why would a rogue havelock employee sell his shares instead of just the bitcoins from one of the guys with a buy order?

Anyways I would try to contact havelock and see if they can dig up any further info. If it is a security breach on their end then that would be very serious.

Not sure about how 2fa can be breached along with your password. My guess would be an infected pc (keylogger or something).

I don't believe it was an employee. I have no reason to believe Havelock did this internally. But also, I don't believe it was a keylogger. All my other accounts are intact (banks, paypal etc) and not even been touched.

Would have been nice if havelock responded to my support email though !

[empoweoqwj]

Here at Havelock we take security issues very seriously.

We have never had any issues with users that enabled 2FA on their account. We have contacted the person that has made the claim that is account has been compromised and are looking to resolve the matter has soon as possible.

Trying to balance ease of use and security is never easy, especially in the Bitcoin realm. We can always add additional security features but those will always slow down the user experience.

So we turn to you, our valued customers, what features would like us to add to our platform?

1. Confirmation email before any action is taken; some but not all actions.

2. Pending withdrawal of your Bitcoins; time lock?

3. Lock account by IP address?

We always value your opinions and we strive to serve the Bitcoin community to the best of our ability.

Also we can assure everyone that it was not an "inside rogue employee"

Thank you,

Support Team
Havelock Investments

Yes to every one of those. (Instant bitcoin withdrawals worries me a bit)

Also maybe requiring a pin before placing orders/doing anything like btct.co would be nice.

The sad thing was someone took 80BTC or whatever ...... and there was no delay. He was just allowed to keep withdrawing. He must have withdrawn about 20 times in an hour.

[empoweoqwj]

Thank you for all of your quick replies,

We will start to work on the following security implementations:

1. The option to Lock your account to a specific IP

2. Required 2FA for withdrawal / optional for order execution

3. Once 2FA is enabled, you will be required to enter your 2FA to view the private key or to disable 2FA on your account.


Once again thank you for all of your support,

Havelock Investments

Good ideas. But I have lost everything. Too late for me. I knew the risks coming in. But I have just lost $50,000 + even though i had 2FA enabled

I won't bother posting again. You didn't reply to my support email so I will safely assume you aren't going to do anything to help me out.

Time to move on, out of bitcoins. The risk was always obvious. Its only when it hits you in the face your realise how real the risk is.

To repeat, I don't believe I was keylogged. Nothing else has been stolen such as other coins or paypal or bank stuff. No check I have run on my Mac suggest I have keylogging software installed. This was a very professional job from people that knew exactly how havelock worked. Not havelock employees, why would they do that? But hackers very intimate with how havelock worked.

I don't know what to  say now. Its been the worst 48 hrs of my life. I'll leave it at that. Peace.

[empoweoqwj]

Damn ... shit. This is sick. Did you have 2FA backup somewhere in the same PC?

2FA key was written down on paper as "backup".

I am just wondering how could that happened? it seems impossible if you have 2FA

Maybe 2FA on rooted/jailbroken device ... and attacker infected both devices pc and smartphone/tablet via same router.

EDIT : I assume you're in Thailand ... 90% of smartphones there are rooted.

EDIT2 : Damn, from today I'll login to Havelock only from TailsOS ... I feel sorry for your lose mate, its really devastating. I wish we could do something about it.

My iphone is not jailbroken. I bought it from UK direct from Apple. Never attempted to get it jailbroken.

[empoweoqwj]

Damn ... shit. This is sick. Did you have 2FA backup somewhere in the same PC?

2FA key was written down on paper as "backup".

I am just wondering how could that happened? it seems impossible if you have 2FA

Maybe 2FA on rooted/jailbroken device ... and attacker infected both devices pc and smartphone/tablet via same router.

EDIT : I assume you're in Thailand ... 90% of smartphones there are rooted.

EDIT2 : Damn, from today I'll login to Havelock only from TailsOS ...

Probably jailbroken at MBK?
I have to chime in, I'm also really sorry to hear that. I can only try and fathom how that feels. This makes me truly sad and angry!
Just to address other questions/vulnerabilities: When was the last time you changed your password? Is it unique? Did you at some point land on a phishing site, i.e. a Havelock-copy (I guess you may not have noticed it)?

I'd like a comment from Havelock. I guess you guys have already contacted them? I'm, just pointing them to this problem, as well.

In many of the cases it's actually a person close to the victim, probably living in your own house or a friend or someone with actual physical access to your computer and phone. There were many such cases. Might even be your wife or lover.

Also there might be another possibility no one here discussed and that is the possibility of this guy lying to prop up another exchange. I'm not saying it's the case but it's possible.

I live on my own. Nobody has access to my computer or phone. I don't have wife or lover. I understand the theory, no problem, but its not what happened in this case.

[BuildTheFuture]

If we take a look at the numbers, we can see that:

The power consumption of the new chips (3rd gen) is 0.2~0.35 J/GHash [1];
and the power consumption of the chips about to be sold is 600 W/THash = 0.6 J/GHash [2].

The numbers are different, so are the chips, seemingly.


[1] https://bitcointalk.org/index.php?topic=438359.msg4816701#msg4816701
[2] https://bitcointalk.org/index.php?topic=99497.msg5153058#msg5153058

Actually I think the lower power consumption Friedcat mentioned is internal to the chips. But the 600W advertised for this new device is how much it would use at the wall. There are voltage conversions from the wall at least twice before the electricity gets into the chips, this causes the at the wall usage to be higher. It's the same on any device, for example the Bitmain Antminers, they advertise in their thread title the power is as low as 0.7 J/GH, but the actual devices take 2 J/GH from the wall.

Well I'm still curious if anyone else knows anything about this Weibo offer/page/guy.

[bitcoin.newsfeed]

My iphone is not jailbroken. I bought it from UK direct from Apple. Never attempted to get it jailbroken.

Not compromised 2FA device, backup written offline on paper, nobody else has access to your pc ... antivirus check is nothing, nowadays viruses are 24/7 totally fud(undetectable in any AV) <<< but still ...  now i don't have an idea how is that possible, maybe mitm attack as someone suggested, but GA provides a one-time password. Professional job indeed. I would really like to know, how is that possible.

Btw the best security what i ever seen in bitcoinland has Kraken, Havelock should learn from them. Separate 2FA for login and for trades, withdrawals, change of settings has custom time-lock, encrypted mails. Just awesome.

[arousedrhino]

2fa on withdraw is a decent roadblock to mitm attacks that can circumvent the initial 2fa sign in. Additionally I think the 2fa email is also a decent idea but less robust for obvious reasons

I like 2FA via e-mail because my e-mail account is set up with 2FA via a text message to my cell phone.  With 2FA via e-mail, a hacker would have to hack my e-mail account in order to access my Havelock account.  In order to hack my e-mail account, he would also have to hack my cell phone.

That doesn't make sense all he has to do is hack your email account and get the email you had forwarded as a text message or disable the forwarding. He only needs to compromise the cell phone or email account.

[shawshankinmate37927]

I like 2FA via e-mail because my e-mail account is set up with 2FA via a text message to my cell phone.  With 2FA via e-mail, a hacker would have to hack my e-mail account in order to access my Havelock account.  In order to hack my e-mail account, he would also have to hack my cell phone.

That doesn't make sense all he has to do is hack your email account and get the email you had forwarded as a text message or disable the forwarding. He only needs to compromise the cell phone or email account.

In order to access my e-mail account the hacker would have to provide the code that is sent as a text message to my cell phone.  (https://support.google.com/accounts/answer/180744?hl=en)  I'm not sure what you mean by e-mail that I "had forwarded as a text message".  My e-mails aren't forwarded as text messages to my cell phone.

[robix]

Sorry guys, I don't get it. What has my GMail account to do with the GAuth app on my smartphone. Even if the GMail account is hacked, I don't see how to get control over the GAuth 2FA (particularly th secret keys) on the phone. Can someone explain?

Edit: typo

[shawshankinmate37927]

Sorry guys, I don't get it. What has my GMail account to do with the GAuth app on my smartphone.

Nothing.  They're two different things.  I'm just saying that I prefer 2FA via an e-mail instead of Google Authenticator.