Author

Topic: General Security - ie. Which Pools offer Security Locks for Wallet/Email etc ? (Read 1924 times)

legendary
Activity: 1078
Merit: 1005
mmpool doesn't allow changing of addresses at all. You have to re-register with new addresses. Registration is light weight in that you only need a username, no password or email address, so it's not too much of a burden. I did it this way to avoid the "hack account, change address" which seems to occur occasionally in places.
sr. member
Activity: 263
Merit: 250
Pool operator of Triplemining.com
triplemining locks payouts for 24h after wallet change. You will get an email too
legendary
Activity: 1260
Merit: 1000
EMC has a wallet lock feature and notification via email and SMS on account change.  Wallet locks for 24 hours after a change to the account if activated and can not be disabled.
full member
Activity: 210
Merit: 100
... which was the reason why I set top limit to (if I remember well) 20 BTC.

A prudent policy I wasn't aware of. Thumbs up.
Tripping the limit automatically sends the bitcoins to their rightful place I presume?

I noticed a valid bitcoin address isn't required to start mining at your pool.
Is there an automatic e-mail message to inform the forgetful souls who never provided you with their wallet id?
legendary
Activity: 1386
Merit: 1097
Do you have a 'No Transfer for, or 24hrs Wallet Lockdown, after Wallet Change' policy in place ?

No, because I really hate such "extra rules" on every site. I would be very upset when I realize that changing of address lead to one day lockup of payout, especially when I'm probably changing bitcoin address for some good reason.

Quote
In the confirmation email that is sent (triggered during a wallet change), does the wallet get locked until the email confirmation is processed ?

Yes. Pending email confirmation locks payouts until confirmed or cancelled.

[Deepbit]: No user reported me any issue with hacked email so far. Around 90% of hacks were related to MtGox issue, the rest was more about compromised computers.
donator
Activity: 532
Merit: 501
We have cookies
Actually I really think that the probability of hacking/hijacking pool account AND hacking also mailbox AND NOT hacking the receiving computer is negliable.
There are many ways to steal e-mail account - like guessing secret question, keylogging on a public PC, dictionary bruteforcing weak passwords, using ready-made keylogging trojans. Hacker gets an access to the e-mail, sees pool's messages there, finds out the pool and account then requests password recovery from the pool: task accomplished. E-mail hack usually leads to pool account hack, that's when wallet lock is useful.
I don't know about your statistics, but I received some messages from users whose e-mail was compromised somewhere and then wallet address changed.

Of course wallet backup is mandatory before locking and common sense is required.
A small number of users (AFAIR ~3-5) suffered from locking mybitcoin address, but no considerable amounts were on those accounts, just a couple of bitcoins.

I'm not saying that everyone should lock their address, but I think that it's very useful to ALLOW this because some users may know what they are doing. And yes, withdraw your rewards on time, it's not a bank :)
legendary
Activity: 1386
Merit: 1097
Also, why on Earth would anyone entrust any pool with a significant amount of bitcoins is beyond me.

Me too. However a lot of people stored tens of BTC on the pool, which was the reason why I set top limit to (if I remember well) 20 BTC.

My attitude is: secure your wallet, set "send threshold" to some value which will trigger payout once per day or two and you're done. In the worst way, you'll lose one day payout. Again, no one lost single bitcent on my pool unless he breaks very basic rules of security.
full member
Activity: 210
Merit: 100
I always prefer to bolt the wallet id down when I get a chance.
Anyone not doing their wallet backups is just asking for trouble anyhow, so I can't quite agree with Slush.
Also, why on Earth would anyone entrust any pool with a significant amount of bitcoins is beyond me.


ABCPool gives the user a chance to lock their wallet id. I also can't find any way of displaying/changing my saved e-mail address.
Eligius effectively does so in its idiosyncratic way (Trust No One, not even the pool).
BitcoinPool doesn't allow changing the wallet id or e-mail.

EDIT:: for those uninformed, Eligius keeps NO user data at all. You use the wallet ID as your worker username.
sr. member
Activity: 462
Merit: 250
I heart thebaron
My pool offers email confirmations + users cannot change registered email. However I don't see any benefits in locking payout wallets, it's more like security thru obscurity for me.

Do you have a 'No Transfer for, or 24hrs Wallet Lockdown, after Wallet Change' policy in place ?

In the confirmation email that is sent (triggered during a wallet change), does the wallet get locked until the email confirmation is processed ? could you explain how it works please ? thanks....

Sorry, it's been a while since I have mined at your pool and I am sure things may have changed.
sr. member
Activity: 462
Merit: 250
I heart thebaron
Locking of addresses have many side effects. As an example, I already solved many issues when people lost their wallet. Now imagine that their wallet will be locked to this lost wallet, with significant amount of the pool balance. Should I send bitcoins to black hole even when user ask me in advance (before automatic payout triggered)? Or should I break the rule and change wallet to new one?

Actually I really think that the probability of hacking/hijacking pool account AND hacking also mailbox AND NOT hacking the receiving computer is negliable. Because when user's computer is compromited (so attacker can have easy access to mailbox and pool account), wallet locking isn't any problem for the attacker anymore, because he can steal coins directly from the computer, after the payout.
If I loose my wallet, I can disable auto payout. To ask for Admin help, that does not constitute as BREAKING RULES, because obviously the ONLY one that can change credentials of any kind, would be the Admin.

Also, we are not talking about individual computer user's security - WE ARE TALKING POOL SECURITY, so an excuse to help one aspect of security (in this case user PC security), means nothing to me in this thread, as it is completely off topic. There will always be problems, Pool security, as most see it, is a bonus.

Please stay on topic.
legendary
Activity: 1386
Merit: 1097
Locking of addresses have many side effects. As an example, I already solved many issues when people lost their wallet. Now imagine that their wallet will be locked to this lost wallet, with significant amount of the pool balance. Should I send bitcoins to black hole even when user ask me in advance (before automatic payout triggered)? Or should I break the rule and change wallet to new one?

Actually I really think that the probability of hacking/hijacking pool account AND hacking also mailbox AND NOT hacking the receiving computer is negliable. Because when user's computer is compromited (so attacker can have easy access to mailbox and pool account), wallet locking isn't any problem for the attacker anymore, because he can steal coins directly from the computer, after the payout.
sr. member
Activity: 462
Merit: 250
I heart thebaron
Deepbit offers optional permanent bitcoin address lock.
E-mail address can't be changed too.
thanks, I will add it to the list.

However I don't see any benefits in locking payout wallets, it's more like security thru obscurity for me.
Well, opinions vary I guess. When my wallet ID is locked and auto-pay is set....the actual security of my mining account and the BTC that sits in that account in between payouts becomes less of a concern for me.
I think wallet locking is a great feature and others (who had accounts hijacked) would definitely agree with me.

My current BTCguild account as an example....can pretty much be accessed by whomever wants to access it, because once they are in there, the only thing they can do is SEND ME BTC or NMC, as they can't send it elsewhere, they can't disrupt my miners, as even deleted or removed miners can still receive work and payouts.


Other than creating a new miner and helping add to my BTC totals, they can't do anything else. I feel pretty happy about that.

No confirmations, no possibilities, nothing. You are welcome to my credentials, as they will not do you any good, other than being able to see what I am doing in that account.
legendary
Activity: 1386
Merit: 1097
My pool offers email confirmations + users cannot change registered email. However I don't see any benefits in locking payout wallets, it's more like security thru obscurity for me.
donator
Activity: 532
Merit: 501
We have cookies
Deepbit offers optional permanent bitcoin address lock.
E-mail address can't be changed too.
sr. member
Activity: 462
Merit: 250
I heart thebaron
Without signing up to each and every pool to see for myself, I figured I would simply ask here.....

Which Pools offer Security Locks for Wallet/Email etc ?

To clarify (in case it's not obvious enough), which pools allow users to permanently LOCK their Wallet IDs into their control panels or any other enhanced security features that might help new miners find a pool that they feel comfortable with?

Basic Pool Security Features:
- BTCGuild (wallet lock + email locks)
- Deepbit (wallet lock + email locks)
- Slush (wallet change email confirmation + email lock)
- ?
Jump to: