Topic: [ANN] 1Broker.com - Trade forex, indices, stocks and commodities - page 39. (Read 103059 times)

Is there some way a third party can verify you indeed limit ALL accounts, and verify your total exposure on the markets? Is there some way a third party can verify you do indeed have the capital you're lending on margin?

Thank you very much for your clear and honest answers.  I am not too worried about getting scammed, I am more worried about you guys folding when everybody goes long on BTC and the price skyrockets.  This will not keep me away, but it will certainly limit the how much I am willing to gamble on your site.  I would be very worried if I were you, you could end up loosing a huge amount of money very quickly.

From us. Most CFD Brokers take a small interest every day for leveraged positions. We do not take this interest currently, but maybe this changes in the future. (Without affecting old positions of course)

Yes it's basically the MtGox Bid and Ask and only adjusted if the spread < 0.05 BTC. We profit from the spreads, yes.

An example: Investing 10 BTC in Apple Inc. (with leverage 1; long) means that you buy Apple contracts worth of 10 BTC. Currently this would be 10/453.82 = 0.0220546072 contracts. When you close your position you sell your 0.0220546072 contracts to the bid price. It's like buying a stock share.
A leverage of 2 would mean in this example that you buy contracts for 20 BTC with 10 BTC borrowed from us.

No problem. By your (and en.wikipedia's) definition we are partly a bucket shop because we only hedge when it's necessary. However, the German Wikipedia defines Bucket Shops as a scam which manipulate live prices to their advantage.

I fully understand your worries of trusting us. I was scammed myself in 2011: https://bitcointalksearch.org/topic/m.467674

I am a latecomer trying out the site with a trivial amount, and have a number of worries and questions, that I hope you can address.

My main worry is this text in the FAQ:
I am mainly worried about what you do not write: You do not write that you actually back our positions 100% automatically (or manually, although that is more risky).  If you do not, then that introduces a significant counter-party risk to your users.  If a lot of users go long, and prices go up, you may not be able to honor their winning and all users' funds are in peril.  I guess that is what is normally meant by a "bucket shop" (*).  On the BTC/USD market, you can easily back your users' positions, on the other markets that seems a lot harder.  This is different in a futures market like icbit.se, where the number of short and long positions are always balanced (by the market price changing to make the popular choice more expensive).

A related question: When I trade on margin, I am essentially borrowing money to trade for.  From whom do I borrow?

The rate that is displayed on the BTC/USD market, is that the instantaneous MtGox rate, or is it somehow adjusted to balance the positions? (if so, how?)

How do you profit without fees?  Is that from the spread, and is that spread fixed by you or is it the MtGox spread (possibly plus a bit)?  Note that there is nothing wrong with you guys making a profit, in fact that is your only motivation to keep the site running and thus in our interest too - I just like to know what my expenses are :-)

Finally, how is profit and loss treated: If I open a 10 BTC position, and the market moves my way so it becomes worth 11 BTC, do I then have a position equivalent to a newly opened 11 BTC position, or do I still have a 10 BTC position but now with a 1 BTC profit?  And in the latter case, what happens to the profit; is it paid out daily at a "clearing time" or only when the position is closed?

I hope you do not feel that I accuse you of being scammers by mentioning "bucket shops".  If I did not think that you are legit, I would not bother writing.  But margin trading and trusting bitcoins to websites are both risky - and I need to try to assess the risks before going in.


(*) Note that "bucket shop" does not mean scam, just that trades go "into the bucket" (i.e. are not backed by real market trades),  http://en.wikipedia.org/wiki/Bucket_shop_(stock_market).  This is forbidden in the US as it induces high counterparty risk and opportunities to scam the customers.  I think you site is sufficiently transparent to eliminate the latter risk.  "Bucket shop" appears to be a US term, where it is forbidden.  Incidentally, CFDs are forbidden in the US too, but I do not know if is because of the bucket shop law.  CFDs are legal in many other places.

Some updates:
The last weeks I worked hard on improving stability.

In general the server had a good uptime of >99.9% but the market data had only an uptime of about 98.8%.
Starting this weekend we now have a redundant system which can provide market data and should improve the situation a lot.

There is also a new status page available at https://1broker.com/status/
If there are problems with the platform you'll find information there.

The next milestone is the SMS 2FA which should be ready in 1-2 weeks.

-exxe

Wanted to post here that I deposited 100btc at 1Broker, and went long on USD/BTC at 5x leverage. I earned 40btc and the site payed out correctly (I have withdraw 140 btc). So at least from this anecdote it was smooth and legitimate. Looking forward to seeing this site develop further

Imagine 50 people having open positions on Apple. (long and short, no leverage) Short positions have a total value of: 100 BTC, Long positions have a total value of 300 BTC. Let's assume that we already hedge the required amount of 200*14.2 USD. Every week for example, this is recalculated, and adjusted. There are now 2³ possibilities of the outcome. (BTC/USD: up, Apple: up, Apple hedge amount: up | BTC/USD: down, Apple: up, Apple hedge amount: up, ...). In the end sometimes we profit and sometimes not, but this is a zero sum game minus some fees.

Even more important:
In reality this isn't a big problem. Most people are using high leverages which create good profits from spreads without the necessity of hedging.
Your example is a worst case: 1 user, high amount, no leverage, bad outcome. The masses make CFD brokers profitable.

This doesn't make sense, or maybe we're talking about different things.

The situation could look like this:

* User buys 100BTC worth of Apple with no leverage at a time when 1 BTC = $10.
* BTC price goes up 100% so 1 BTC = $20
* Apple price goes up 100%, so now you owe the user 200BTC
* You must now spend $2000 to get the user his 100BTC profit. But if you were hedging the position on the markets yourself you have only earned $1000 from the doubling of the original $1000 worth of Apple that the user bought.
* So you lose $1000

How do you avoid this?

And for the SMS based 2FA even a NOKIA 3210 is enough.    I'm going to implement the SMS 2FA, but this doesn't mean that Google Authenticator or OAuth can't be implemented in the future.

I hope it gets ready before February. Thanks for the suggestions!

Or a cheap Android tablet even.

Or even simply a second computer using an HTML5 version of OTP authentication:

How to use 2-factor auth on mtgox, even without a smartphone
 - https://bitcointalksearch.org/topic/how-to-use-2-factor-auth-on-mtgox-even-without-a-smartphone-111943

Idiotic was harsh.  I am glad you are taking security seriously.  However compared to a true 2FA system the system is going to leave keylogged users vulnerable.  Even with just an email compromised user depending on how active the user is if the user's email is compromised an attacker could still pull off an attack.  Your right though it is better than nothing.  It does prevent pure password re-use attacks and session stealing attacks (which the way some exchanges have poorly implemented 2FA don't).


I would rethink Google Authenticator.  It doesn't really require any technical skills.  A user with smartphone and the ability to install an app is all that is necessary.   Pretty much user proof at this point.   

1) User installs GA app.
2) USer clicks on new site (on the app)
3) Users is directed to scan GA barcode (displayed on your website) with the smartphone.
4) Done. 

All the hard work is done on your end (generating & recording the GA secret keys, providing user with barcode, calculating current code and comparing to user provided value.  For the user it is copy code on phone to web form.

Still if you want to go SMS that is a valid option IMHO.  Personally I don't see any security flaws (not for the amounts users are likely to be protecting).  I did some testing with this provider and it might meet your needs.  They can set you up with a trial account with some free SMS for development.

http://www.cdyne.com/api/phone/sms/

I'm thinking about the way of implementing a "real" 2FA (at least on withdrawing) and I came to the conclusion that OAuth, Google Authenticator and others are not optimal. They require good technical skills/a Google Account/.. which will eventually lock out some people.
I'm now tending to a SMS TAN system which everyone knows from banks.

The advantages would be:

• (Nearly) everyone can use it and understands it.
• It is long-term tested and considered secure.

Anyone has concerns or feedback?

With customizable leverages you can gamble or invest. This is the intention behind this service.

Another gambling site?

 

Theoretically yes. However, my experience is that most account hacks result from hacks on other services and users using the same password or simply email account hacks. A master key could save the user in these cases.
I have seen this type of system quite often and think it's better than nothing.

Implementing an opt-in GAuth is on the todo list, however.

I'm removing the the 'extremely secure' in the security page, too. The Master Key is not worth this phrase, you are right, but I disagree with calling it idiotic.

 

Stephen is being nice.  Master Key = idiotic. 
A second password is no real security and offering it to users is simply going to lead to a false sense of security.

Hi!
My real identity is known to theymos and some other members, so stealing funds wouldn't be so smart.

But I understand your concerns:
Currently most positions are not open longer than a few hours. For this type of positions hedging isn't necessary as the outcome is basically random. (at least for inexperienced traders) For longer term positions and small leverages we hedge on trusted European CFD platforms with EUR denominated accounts. This CFD platform has a bit smaller spreads too. The BTC/EUR volatility risks can be reduced by using the cost-average-effect (http://en.wikipedia.org/wiki/Dollar_cost_averaging).

Currently we are making small but stable profits. Parameters like spreads still need to be tested and could be increased, but it looks good right now. 

Hello exxe

A very interesting service that I could be interested in testing. However, for me to trust you, your business has to make sense to me - i.e. I need to understand how your business can be profitable so you have an incentive to keep running it instead of just stealing people's coins. Also because your spreads are very low.

So a question:

I assume you hedge the positions entered by your users by entering positions of your own on the regular markets. Assets and positions are denominated in BTC on 1Broker. How do you intend to pay back customers their full BTC amount if BTC rate goes up while they are in a market position - and your funds are used in hedging positions on the normal markets denominated in USD?

This sounds good. Added to the TODO list.

I guess I need to pull out some bigger ammo:

MtGox account got cleared out
 - https://bitcointalksearch.org/topic/mtgox-account-got-cleared-out-85533

All BTC disappeared from my Mt. Gox account
 - https://bitcointalksearch.org/topic/all-btc-disappeared-from-my-mt-gox-account-88368

Another:
 - https://bitcointalksearch.org/topic/m.941759

And another: My mtgox account got compromised, what can I do?
 - https://bitcointalksearch.org/topic/my-mtgox-account-got-compromised-what-can-i-do-84585

Yet more: MT.Gox account hacked - lost 2k USD - MT.GOX will not explain how.
 - https://bitcointalksearch.org/topic/mtgox-account-hacked-lost-2k-usd-mtgox-will-not-explain-how-89142

And more again: Bitcoins stolen from MtGox
 - http://www.reddit.com/r/Bitcoin/comments/x8lcv/bitcoins_stolen_from_mtgox

And yet more: Stolen from Mt.Gox coins. Help return the coins.
 - https://bitcointalksearch.org/topic/stolen-from-mtgox-coins-help-return-the-coins-119816

Or more here: Email from Mt.Gox this morning.
 - http://www.reddit.com/r/Bitcoin/comments/z0na5/email_from_mtgox_this_morning

And even more here: I just had $715 stolen out of my Mt. Gox account.
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account

And the biggie: Bitcoinica MtGox account compromised
 - https://bitcointalksearch.org/topic/bitcoinica-mtgox-account-compromised-93074

With more here: Unauthorized Account Activity on my Mt.Gox Account - Account Compromised/Hacked?
 - https://bitcointalksearch.org/topic/unauthorized-account-activity-on-my-mtgox-account-account-compromisedhacked-94140

And on other services as well. Here same thing happened to some GLBSE users:
 - https://bitcointalksearch.org/topic/i-suspect-gpumax-was-compromised-and-passwords-stolen-84893

And elsewhere, BitMarket.eu in this instance:
 - https://bitcointalksearch.org/topic/m.1259168

And now on bitcoin.de as well: Bitcoins stolen from bitcoin.de.
 - https://bitcointalksearch.org/topic/bitcoins-stolen-from-bitcoinde-130264

In none of these was the person using multi-factor authentication. Mt. Gox has had Yubikey support for a while. Mt. Gox accounts now support Google Authenticator as well:
 - https://mtgox.com/press_release_20120605.html


This is advice you will see shared by many here:

If the exchange you are storing funds with doesn't provide OTP, consider using a different exchange:
 - http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges

If you are storing funds in an EWallet, consider using a paper wallet.

Here is a fantastic guide: How to use 2-factor auth on mtgox, even without a smartphone (from a second device, of course, not from the same computer you log in on).
 - https://bitcointalksearch.org/topic/how-to-use-2-factor-auth-on-mtgox-even-without-a-smartphone-111943


You could offer each user the choice -- Master Key or OTP.