Pages:
Author

Topic: I suspect GPUMax was compromised and passwords stolen (Read 6422 times)

hero member
Activity: 756
Merit: 522
Question: when is someone going to invent a be-all, end-all service that is totally full of awesome and win, and then decide to force all users to use a proper 2-factor authentication system?

This has happened, except it forces users to use gpg not worthless 2fa. And the users complain about the

ease-of-use, customer service, and personality of exchange manager.
donator
Activity: 2772
Merit: 1019
You cannot withdraw using the API.

thanks for clarifying.
hero member
Activity: 602
Merit: 513
GLBSE Support support@glbse.com
You cannot withdraw using the API.
donator
Activity: 2772
Merit: 1019
I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalksearch.org/topic/m.937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.

you can already activate 2-factor withdrawal on glbse... oh, via API, hmm, didn't check that. Is it possible to withdraw without 2-factor-auth using the api even if it's activated for withdrawals?
sr. member
Activity: 250
Merit: 250
I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalksearch.org/topic/m.937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.
legendary
Activity: 1246
Merit: 1016
Strength in numbers
There is no perfect way. As soon as you make one someone else wind find a way to break it or work around it. If its accessible in any form. Someone can break in.

Give up human!
hero member
Activity: 658
Merit: 500
There is no perfect way. As soon as you make one someone else wind find a way to break it or work around it. If its accessible in any form. Someone can break in.
donator
Activity: 2772
Merit: 1019
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?


The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something)

It doesn't work on other services where a Yubikay is used.

The Yubikey from Yubico works at Mt. Gox and elsewhere where Yubikeys are supported.
Slight correction - only keys programmed by MtGox can be used with MtGox - you can't use one that you got direct from Yubico. The reason is that MtGox runs their own authentication server with their own keypairs, instead of using Yubico's free cloud authentication system.

However, any website that uses the free service provided by Yubico for authentication will support a generic device ordered from Yubico.
legendary
Activity: 2506
Merit: 1010
Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?


The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something)

It doesn't work on other services where a Yubikey is used.

The Yubikey from Yubico works at Mt. Gox and [Edit: see rjk's correction below] elsewhere where Yubikeys are supported.
sr. member
Activity: 344
Merit: 250
Several ways. Yubikey is my personal favorite, but here is a bunch of links:

http://yubico.com/ <-- The makers of the Yubikey
http://www.symantec.com/verisign/vip-authentication-service <-- paid service that PayPal and many others use for authentication. Yubico makes a credential that is compatible with this service as well.
http://onlinenoram.gemalto.com/ <-- TOTP token that AWS uses for authentication, made by Gemalto. This is a dedicated device that can do the same thing as Google Auth, without the phone.
http://motp.sourceforge.net/#7 <-- links to lots of tokens and related software.
https://lastpass.com/ <-- password storage software that works on almost any platform and almost any browser, and that can use 2-factor auth for logging in.

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?
legendary
Activity: 1246
Merit: 1016
Strength in numbers
The title needs to be changed imo.
full member
Activity: 150
Merit: 100
I think this thread belongs in the "speculation" sub-category.  Better yet, create a "wild speculation" sub-category.  It would fit better there.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
TT
member
Activity: 77
Merit: 10
I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalksearch.org/topic/m.937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.
legendary
Activity: 1246
Merit: 1016
Strength in numbers
How many of those users had bitcoinica accounts?
legendary
Activity: 2506
Merit: 1010
Probably unrelated, but just wanted to bring it up in case it is relevant:

"My mtgox account got compromised, what can I do?" [June 1, 2012]
 - https://bitcointalksearch.org/topic/my-mtgox-account-got-compromised-what-can-i-do-84585
sr. member
Activity: 462
Merit: 250
I heart thebaron
How many of those users had bitcoinica accounts?

Please stay on topic. This is clearly GPUMAX's fault (as stated in the first post).
It couldn't possibly have anything to do with another service  Roll Eyes

...I mean, just look at GPUMAX's (and Pirate's....in general) track record when it comes to security and loss.

Please re-apply tunnel vision and/or add blinders to continue this conversation Wink
Pages:
Jump to: