
Topic: An Open Security Challenge to Online Bitcoin Businesses (Read 904 times)

sr. member
Activity: 367
Merit: 250
Find me at Bitrated
Your notions of security proceed from fundamentally flawed premises. This is why pronouncements on specialist topics by the random forumer are not particularly valuable.

You are correct that this is not the be-all, end-all for security. I am well aware of the limitations of such security measures because they are client-side only. The website owners still have to protect their end. But if you concede these tools will help somewhat, then it's a step in the right direction. If enabled, these would prevent some of the attacks that we commonly see.
full member
Activity: 210
Merit: 100
Your notions of security proceed from fundamentally flawed premises. This is why pronouncements on specialist topics by the random forumer are not particularly valuable.
Although none of these things will help if there is a security vulnerability that allows root access, it does much to help against the script-kiddie trojan droppers. YubiKey is an excellent method as well, arguably better than Google Authenticator.
hero member
Activity: 756
Merit: 522
Your notions of security proceed from fundamentally flawed premises. This is why pronouncements on specialist topics by the random forumer are not particularly valuable.
sr. member
Activity: 367
Merit: 250
Find me at Bitrated
If your website ever holds the Bitcoin of someone else, then this is your challenge to improve client-side security:

Hardware wallets are great, but sometimes it's necessary to do business online. Exchanges, merchants, online wallets, and any site that stores users' bitcoin should give customers the OPTION to enable the following security measures. They are not foolproof, but they will go a long way.

1) Allow users to specify that a positive email confirmation is mandatory in order to withdraw funds
2) Allow users to lock bitcoin withdrawals so they can only be sent to a specific address (or handful of addresses) from your site
3) Allow users to specify a mandatory waiting period that must transpire before withdrawals are sent, allowing them time to intercept and report unauthorized access
4) Allow users the option to specify maximum limits on the amount of bitcoin that can be withdrawn in a given time frame
5) Allow users the option to specify specific computers that can interface with your site, so that no devices anywhere else may log in
6) Allow users the ability to mandate 2-factor authentication NOT just on login, but for every transfer/buy/sell/security action on your site.


If you can enable all of these things, you will empower your userbase with powerful tools for their online bitcoin security. You will make your site less of a target for bitcoin theft. You will avoid having more awkward conversations with angry customers about why their funds were stolen from your site. You will find people praising you for your forward thinking and progressive approach to bitcoin security. NO, it's not bulletproof. They will still have to be careful, and you will still have to protect private keys. But giving people these OPTIONS is a step in the right direction.

-Make it happen.
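Editor's note: the six controls above are easy to state and easy to get subtly wrong, so here is a worked example of how a site might evaluate a withdrawal against a user's chosen policy. This is added example code, not from the original post or from any real exchange; every class, field and function name, the constructed addresses, device fingerprints and timestamps are assumptions for illustration. It goes one step beyond the list: weakening the policy (removing a whitelisted address, shortening the waiting period, turning 2FA off) is itself treated as a security action that needs 2FA and sits through the same waiting period, otherwise an intruder with a hijacked session would simply switch the controls off before withdrawing.

```python
"""Added example: a per-user withdrawal-policy evaluator for the six
controls proposed in the post. Names, fields and sample data are assumptions,
not any real exchange's API."""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

SATOSHI_PER_BTC = 100_000_000  # amounts are integer satoshi, never floats


@dataclass(frozen=True)
class WithdrawalPolicy:
    """User-enabled controls; the numbers map to the items in the post."""
    require_email_confirmation: bool = False             # 1)
    allowed_addresses: Optional[FrozenSet[str]] = None   # 2) None = any address
    waiting_period_s: int = 0                            # 3)
    max_per_window_sat: Optional[int] = None             # 4) None = no limit
    window_s: int = 24 * 3600                            # 4) rolling window
    allowed_device_ids: Optional[FrozenSet[str]] = None  # 5) None = any device
    require_2fa_per_action: bool = False                 # 6)


@dataclass(frozen=True)
class WithdrawalRequest:
    address: str
    amount_sat: int
    submitted_at: int        # unix seconds
    device_id: str           # hypothetical registered-device fingerprint
    email_confirmed: bool    # confirmation link for THIS request was clicked
    second_factor_ok: bool   # fresh 2FA check bound to THIS action, not the login


@dataclass(frozen=True)
class Decision:
    status: str                      # "denied" | "pending" | "approved"
    reasons: Tuple[str, ...] = ()
    release_at: Optional[int] = None  # earliest time the coins may leave


def evaluate_withdrawal(policy: WithdrawalPolicy, req: WithdrawalRequest,
                        history: List[Tuple[int, int]], now: int) -> Decision:
    """history: (timestamp, amount_sat) of withdrawals already sent or still
    pending for this user, so queued requests also count against the limit."""
    denials = []
    if policy.allowed_addresses is not None and req.address not in policy.allowed_addresses:
        denials.append("destination address not on the user's whitelist")
    if policy.allowed_device_ids is not None and req.device_id not in policy.allowed_device_ids:
        denials.append("request did not come from a registered device")
    if policy.require_2fa_per_action and not req.second_factor_ok:
        denials.append("second factor required for this action")
    if policy.max_per_window_sat is not None:
        in_window = sum(a for t, a in history if t > now - policy.window_s)
        if in_window + req.amount_sat > policy.max_per_window_sat:
            denials.append("amount exceeds the per-window withdrawal limit")
    if denials:
        return Decision("denied", tuple(denials))
    # Nothing disqualifying: the request may still have to wait.
    release_at = req.submitted_at + policy.waiting_period_s
    pending = []
    if policy.require_email_confirmation and not req.email_confirmed:
        pending.append("awaiting email confirmation")
    if now < release_at:
        pending.append("waiting period in effect")  # user can still cancel/report
    if pending:
        return Decision("pending", tuple(pending), release_at)
    return Decision("approved", (), release_at)


def loosens(old: WithdrawalPolicy, new: WithdrawalPolicy) -> bool:
    """True if the new policy is weaker in any dimension."""
    def widened(a, b):  # whitelist removed or extended
        return a is not None and (b is None or not b <= a)
    return (
        (old.require_email_confirmation and not new.require_email_confirmation)
        or widened(old.allowed_addresses, new.allowed_addresses)
        or new.waiting_period_s < old.waiting_period_s
        or (old.max_per_window_sat is not None
            and (new.max_per_window_sat is None
                 or new.max_per_window_sat > old.max_per_window_sat))
        or widened(old.allowed_device_ids, new.allowed_device_ids)
        or (old.require_2fa_per_action and not new.require_2fa_per_action)
    )


def schedule_policy_change(old: WithdrawalPolicy, new: WithdrawalPolicy,
                           second_factor_ok: bool, now: int) -> Optional[int]:
    """Time the new policy takes effect, or None if refused. Tightening is
    immediate; loosening waits out the OLD waiting period and needs 2FA."""
    if old.require_2fa_per_action and not second_factor_ok:
        return None
    return now + old.waiting_period_s if loosens(old, new) else now


# Constructed sample data (not real addresses, devices or users).
COLD_ADDR = "1ColdWalletExampleAddr"
USER_POLICY = WithdrawalPolicy(True, frozenset({COLD_ADDR}), 24 * 3600,
                               2 * SATOSHI_PER_BTC, 24 * 3600,
                               frozenset({"laptop-fingerprint"}), True)
T0 = 1_400_000_000
HISTORY = [(T0 - 3600, 1 * SATOSHI_PER_BTC)]  # 1 BTC sent an hour earlier


def demo():
    # Hijacked session: valid login, but wrong device, attacker's address, no 2FA.
    stolen = WithdrawalRequest("1AttackerExampleAddr", 5 * SATOSHI_PER_BTC, T0,
                               "unknown-device", True, False)
    # Legitimate user: everything in order, waiting period still applies.
    legit = WithdrawalRequest(COLD_ADDR, 1 * SATOSHI_PER_BTC, T0,
                              "laptop-fingerprint", True, True)
    return {
        "stolen": evaluate_withdrawal(USER_POLICY, stolen, HISTORY, T0),
        "legit_now": evaluate_withdrawal(USER_POLICY, legit, HISTORY, T0),
        "legit_later": evaluate_withdrawal(USER_POLICY, legit, HISTORY, T0 + 24 * 3600),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The velocity check deliberately counts pending withdrawals, not just sent ones, so an attacker cannot queue several holds that each fit under the limit. The policy-change rule uses the old policy's waiting period, not the new one, for the same reason.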

