Topic: ICBIT Derivatives Market (USD/BTC futures trading) - LIVE - page 7. (Read 97699 times)

legendary
Activity: 2506
Merit: 1010
There's conversation in another thread that is more appropriate here, so I'm quoting a part of it here for discussion.

when you are holding positions that compete with people who can create unlimited contracts and who can see the details of your positions, including available bitcoin.

Is it possible to run an exchange where the exchange operator would not have the ability to enter fabricated orders or to know the positions held in customer accounts?
legendary
Activity: 2506
Merit: 1010
so withdrawal requests which would normally be processed are pending now (because otherwise they may not be able to sustain payout requirements of a BTC/USD-4.13 contract due to settle in a couple of days).

The amount displayed as being available for withdrawal shouldn't be a soft number. What conditions would cause a withdrawal request to hang as pending, and how long would a withdrawal request remain in that status?
legendary
Activity: 2506
Merit: 1010
Feature request:

Ability for me to cause a new deposit address to be generated for my account.

Currently, the blockchain shows all my deposits to a single Bitcoin address that get credited to my wallet at ICBIT.

The whole concept of there being a new Bitcoin address for each transaction is so that privacy is maximized. Because the wallet is a hosted (shared) e-wallet, the funds I deposit will likely be withdrawn by someone else; thus there are clues out there that the address is associated with ICBIT deposits, and those addresses might get scrutinized further to try to determine the identity or other clues about who the responsible party is.

bump on this feature request.
legendary
Activity: 938
Merit: 1000
chaos is fun...…damental :)
Are you considering adding other instruments? Synthetic index, options, warrants, turbo-warrants?

Yes, if traders actually want to trade them. You can make a proposal.
A start can be something similar to a dollar index.
hero member
Activity: 674
Merit: 500
Are you considering adding other instruments? Synthetic index, options, warrants, turbo-warrants?

Yes, if traders actually want to trade them. You can make a proposal.
legendary
Activity: 938
Merit: 1000
chaos is fun...…damental :)
Are you considering adding other instruments? Synthetic index, options, warrants, turbo-warrants?
hero member
Activity: 742
Merit: 500
Honestly, I don't actually think that altcoins and forks are important. Bitcoin is the power. The only potentially useful altcoin was NMC, but the project is dead now.
legendary
Activity: 938
Merit: 1000
chaos is fun...…damental :)
Settlement in BTC would be natural, as for all other ICBIT instruments.

If I have to choose, I pick LTC.

hero member
Activity: 547
Merit: 500
Decor in numeris
If ICBIT starts settlement in Litecoins, I leave :P
And for BTCLTC contracts, how should the settlements be done? Settlements in fiat are problematic, but LTC solves that problem.
Settlement in BTC would be natural, as for all other ICBIT instruments.
legendary
Activity: 938
Merit: 1000
chaos is fun...…damental :)
If ICBIT starts settlement in Litecoins, I leave :P
And for BTCLTC contracts, how should the settlements be done? Settlements in fiat are problematic, but LTC solves that problem.
full member
Activity: 131
Merit: 100
If ICBIT starts settlement in Litecoins, I leave :P
legendary
Activity: 938
Merit: 1000
chaos is fun...…damental :)
Hey OP +Tycho, did you guys consider LTC (BTCLTC) and doing the settlements in LTC and BTC?
hero member
Activity: 547
Merit: 500
Decor in numeris
I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds.

Steps:

From a browser instance after clearing cache, cookies, etc:

Step 1: Confirm 2FA is active (attempt to log in to an account in which 2FA is activated, using just username and password). Response: "Your code isn't valid."
Step 2: Click the "Request new password" button.
Step 3: Log in using the single-use login sent via e-mail.
Step 4: Once authenticated, click the GA_Login tab [Edit: and click the "Create code" button.]
"Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped."
Step 5: Add the TOTP secret to Google Authenticator, mark the "I have successfully scanned the current code" checkbox, and click the "Code scanned" button.
Step 6: Withdraw funds using the new TOTP secret from Google Authenticator.


Of course the really difficult thing is to stop vulnerabilities like this and still have a recovery path in case somebody loses their GA secret. I just realized, to my horror, that on an iPhone the GA secrets are backed up in a way that they can only be restored on the same device. Secure, but troublesome if I lose the device.

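Added example, not code from this thread or from ICBIT: a minimal Python model of steps 3-6 above, with an RFC 6238 TOTP check, a key-rotation routine that behaves as reported (any logged-in session may drop the old key) beside a hardened one that demands the existing code and refuses sessions created through the reset link. The Account and Session classes, the balances and the secrets are constructed for illustration.

```python
import hmac, hashlib, struct, time, secrets
from dataclasses import dataclass
def totp(secret: bytes, t: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the Google Authenticator default."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

@dataclass
class Account:
    totp_secret: bytes = None  # None: 2FA not enrolled (constructed model)
    balance: int = 100

@dataclass
class Session:
    account: Account
    via_reset_link: bool = False  # True when the login came from the e-mailed reset link

def verify_totp(acct: Account, code: str, t: float = None) -> bool:
    return acct.totp_secret is not None and code is not None and hmac.compare_digest(totp(acct.totp_secret, t), code)

def rotate_totp_vulnerable(session: Session, current_code: str = None, t: float = None) -> bytes:
    # Reported behaviour: any logged-in session may replace the key; no old code is asked for.
    session.account.totp_secret = secrets.token_bytes(20)
    return session.account.totp_secret

def rotate_totp_hardened(session: Session, current_code: str = None, t: float = None) -> bytes:
    # Replacing an enrolled key needs the existing factor; a reset-link session never qualifies.
    acct = session.account
    if acct.totp_secret is not None and (session.via_reset_link or not verify_totp(acct, current_code, t)):
        raise PermissionError("current 2FA code required to replace the key")
    acct.totp_secret = secrets.token_bytes(20)
    return acct.totp_secret

def withdraw(session: Session, amount: int, code: str, t: float = None) -> int:
    if session.account.totp_secret is not None and not verify_totp(session.account, code, t):
        raise PermissionError("2FA code required for withdrawal")
    session.account.balance -= amount
    return session.account.balance

def reset_link_scenario(rotate) -> int:
    # Steps 3-6 from the thread on a constructed account; the e-mail-only party lacks the old code.
    acct = Account(totp_secret=b"constructed-victim-secret")
    session = Session(acct, via_reset_link=True)
    try:
        new_secret = rotate(session)                    # steps 4-5: "old key will be dropped"
        return withdraw(session, 40, totp(new_secret))  # step 6
    except PermissionError:
        return acct.balance                             # hardened path: funds untouched
```

Running `reset_link_scenario` with each rotate routine shows the balance drop to 60 under the reported behaviour and stay at 100 under the hardened one; the TOTP routine can be checked against the RFC 4226/6238 test secret.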
hero member
Activity: 674
Merit: 500
I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds.

Steps:

From a browser instance after clearing cache, cookies, etc:

Step 1: Confirm 2FA is active (attempt to log in to an account in which 2FA is activated, using just username and password). Response: "Your code isn't valid."
Step 2: Click the "Request new password" button.
Step 3: Log in using the single-use login sent via e-mail.
Step 4: Once authenticated, click the GA_Login tab [Edit: and click the "Create code" button.]
"Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped."
Step 5: Add the TOTP secret to Google Authenticator, mark the "I have successfully scanned the current code" checkbox, and click the "Code scanned" button.
Step 6: Withdraw funds using the new TOTP secret from Google Authenticator.


Thanks a lot. We are in the process of fixing this by updating and improving the GA login code. I will publish results here ASAP.
hero member
Activity: 609
Merit: 506
I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.

I have done this many times, I'm sure I'm not messing up the password.

Do you have Google Auth enabled for your account?

No.
legendary
Activity: 2506
Merit: 1010
I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!

Just to clarify, what I'm asserting is that if my e-mail account is compromised an attacker can reset my password and withdraw my funds.

Steps:

From a browser instance after clearing cache, cookies, etc:

Step 1: Confirm 2FA is active (attempt to log in to an account in which 2FA is activated, using just username and password). Response: "Your code isn't valid."
Step 2: Click the "Request new password" button.
Step 3: Log in using the single-use login sent via e-mail.
Step 4: Once authenticated, click the GA_Login tab [Edit: and click the "Create code" button.]
"Google Authenticator is enabled for your account. If you want to create a new key - please click on the button below. The old key will be dropped."
Step 5: Add the TOTP secret to Google Authenticator, mark the "I have successfully scanned the current code" checkbox, and click the "Code scanned" button.
Step 6: Withdraw funds using the new TOTP secret from Google Authenticator.
hero member
Activity: 674
Merit: 500
I notice that simply doing a password reset through e-mail can successfully bypass two-factor authentication (2FA) protection as I can withdraw funds without 2FA after resetting the password.

Shouldn't the 2FA code be required to request a password reset (when 2FA is enabled)?
This is serious. That means that 2FA protection for withdrawal is nonexistent. I hope this bug gets fixed soon; password reset should not reset 2FA. Forgetting the password and losing access to your phone are two different problems.

No, it's not.

I performed testing, and could not reproduce this vulnerability. Password reset does not touch the 2FA settings.

Stephen, could you check and let me know exact steps to reproduce? Maybe I missed something. Thank you!
hero member
Activity: 547
Merit: 500
Decor in numeris
I notice that simply doing a password reset through e-mail can successfully bypass two-factor authentication (2FA) protection as I can withdraw funds without 2FA after resetting the password.

Shouldn't the 2FA code be required to request a password reset (when 2FA is enabled)?
This is serious. That means that 2FA protection for withdrawal is nonexistent. I hope this bug gets fixed soon; password reset should not reset 2FA. Forgetting the password and losing access to your phone are two different problems.

hero member
Activity: 674
Merit: 500
I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.

I have done this many times, I'm sure I'm not messing up the password.

Do you have Google Auth enabled for your account?
hero member
Activity: 609
Merit: 506
I have to log in with the "reset password" email link every time. I reset my password, log out, then I can't log in again.

I have done this many times, I'm sure I'm not messing up the password.