
Topic: Mt.Gox / exchanges should confirm bigger transactions by phone/SMS (Read 1081 times)

member
Activity: 112
Merit: 10
Though on the downside, that will kill MtGox's service as a means of paying people on the go with their phone app.

Unless you combine that tactic with two-factor, the second factor being the cellphone: an SMS on an attempt to exceed the limit, and the limit is waived if it's proven the person attempting to exceed it has the correct cellphone.

So you can withdraw without limit to either your confirmed-valid and locked address, or, to another address IF you have the second factor. Meaning lower SMS fees incurred for the lower-risk activity. Better still, let that 'lax behavior' be user-configurable.
legendary
Activity: 1680
Merit: 1035
I'm programming a web site that will use bitcoins, and what I have done is that the out address does not change until 24 hours after the change request has been made. So the user sets an out address, and if someone gets hold of his/her password and tries to change the address it won't work for 24 hours. We also send an email to the user if he/she has set up an email.

That's actually how BTCGuild works, and you're right, that would remove the need to limit BTC transactions.

Nice, makes it harder to 'hijack' an account and push coins willy-nilly to a bazillion addresses. That combined with transfer limits should do the trick. Optional two-factor notifications would be nice, much like credit card companies do - sending an alert if your balance falls from 'x' amount.


Though on the downside, that will kill MtGox's service as a means of paying people on the go with their phone app.
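The address-change cooldown described in the quoted post, as an added example that is not code from the original thread or from BTCGuild: a change to the out address is recorded but only becomes effective after 24 hours, an e-mail notice goes out (here into an in-memory outbox) if the user has one registered, and the owner can cancel the pending change in the meantime. Names, the reference time T0 and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

T0 = datetime(2011, 6, 20, 12, 0)   # constructed reference time for the example


def hours(h: float) -> datetime:
    """Timestamp h hours after T0 (test helper)."""
    return T0 + timedelta(hours=h)


COOLDOWN = timedelta(hours=24)       # wait before a new out address is used


@dataclass
class Account:
    active_address: str                       # the only address withdrawals go to
    email: Optional[str] = None
    pending_address: Optional[str] = None
    pending_since: Optional[datetime] = None
    # Outbox of (timestamp, recipient, message); a real site would send mail.
    notices: List[Tuple[datetime, str, str]] = field(default_factory=list)


def request_address_change(acct: Account, new_address: str, now: datetime) -> None:
    """Record a new out address; it only takes effect after COOLDOWN.
    A fresh request restarts the clock, so re-submitting cannot shorten the wait."""
    acct.pending_address = new_address
    acct.pending_since = now
    if acct.email:
        acct.notices.append((now, acct.email,
                             f"withdrawal address change to {new_address} requested; "
                             f"active at {now + COOLDOWN:%Y-%m-%d %H:%M} unless cancelled"))


def cancel_address_change(acct: Account) -> bool:
    """Owner, alerted by the e-mail, discards the pending change."""
    had_pending = acct.pending_address is not None
    acct.pending_address = None
    acct.pending_since = None
    return had_pending


def effective_address(acct: Account, now: datetime) -> str:
    """Apply the pending change once the cooldown has elapsed, then return
    the address withdrawals must use."""
    if (acct.pending_address is not None and acct.pending_since is not None
            and now - acct.pending_since >= COOLDOWN):
        acct.active_address = acct.pending_address
        acct.pending_address = None
        acct.pending_since = None
    return acct.active_address


def withdraw(acct: Account, amount: float, now: datetime) -> Tuple[str, float]:
    """Withdrawals always go to the effective address, never to a caller-supplied one."""
    return (effective_address(acct, now), amount)
```

The point of keeping `withdraw` free of an address parameter is that a stolen password alone buys the attacker nothing within the window: every payout lands at the owner's existing address until the cooldown expires, and the e-mail gives the owner that window to cancel.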
legendary
Activity: 2408
Merit: 1121
I'm programming a web site that will use bitcoins, and what I have done is that the out address does not change until 24 hours after the change request has been made. So the user sets an out address, and if someone gets hold of his/her password and tries to change the address it won't work for 24 hours. We also send an email to the user if he/she has set up an email.

That's actually how BTCGuild works, and you're right, that would remove the need to limit BTC transactions.

Nice, makes it harder to 'hijack' an account and push coins willy-nilly to a bazillion addresses. That combined with transfer limits should do the trick. Optional two-factor notifications would be nice, much like credit card companies do - sending an alert if your balance falls from 'x' amount.
legendary
Activity: 1680
Merit: 1035
I'm programming a web site that will use bitcoins, and what I have done is that the out address does not change until 24 hours after the change request has been made. So the user sets an out address, and if someone gets hold of his/her password and tries to change the address it won't work for 24 hours. We also send an email to the user if he/she has set up an email.

That's actually how BTCGuild works, and you're right, that would remove the need to limit BTC transactions.
newbie
Activity: 46
Merit: 0
this way the user has some time to discover the "hack" and contact us.

Just make sure your support response times are fast enough to support those cases otherwise the delay is useless.
legendary
Activity: 1106
Merit: 1001
Another option would be for users to change their own withdrawal limits (within the range already set up by MtGox), with the limit changes not going into effect for 24 to 48 hours after the change, and an e-mail sent out warning about the change. That way, even if the daily withdrawal limit is $1000, I know that I don't ever need to withdraw more than maybe $50 a day and can limit all withdrawals to that, and if I need to withdraw a few $100s, I'm willing to wait a day for that to happen. Make a separate limit on Bitcoin, too. Limiting Bitcoin amount by its USD value can have problems if BTC market price drops.

I'm programming a web site that will use bitcoins, and what I have done is that the out address does not change until 24 hours after the change request has been made. So the user sets an out address, and if someone gets hold of his/her password and tries to change the address it won't work for 24 hours. We also send an email to the user if he/she has set up an email.

this way the user has some time to discover the "hack" and contact us.

This is a similar system to the one used by Bitmarket (except they send you an email and only change the address when they get your confirmation, not 24 hours later). I always thought it was a very simple and elegant solution.
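The user-configurable limits proposed in the post quoted above, as an added example that is not code from the original thread or from any exchange: each currency has its own limit (so a BTC price drop cannot interact with a USD-denominated cap), users may only tighten below the exchange's ceiling, tightening applies immediately, loosening is queued for 48 hours with an e-mail notice, and withdrawals are checked against a rolling 24-hour window. The ceilings, reference time T0 and the e-mail outbox are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

T0 = datetime(2011, 6, 20, 12, 0)   # constructed reference time for the example


def hours(h: float) -> datetime:
    """Timestamp h hours after T0 (test helper)."""
    return T0 + timedelta(hours=h)


RAISE_DELAY = timedelta(hours=48)    # raising a limit waits this long
WINDOW = timedelta(hours=24)         # rolling window the limit applies to
# Ceilings set by the exchange (constructed values); users may only go lower.
EXCHANGE_CEILING: Dict[str, float] = {"USD": 1000.0, "BTC": 100.0}


class WithdrawalLimits:
    def __init__(self, email: str) -> None:
        self.email = email
        self.limit: Dict[str, float] = dict(EXCHANGE_CEILING)       # effective per-currency limit
        self.pending: Dict[str, Tuple[float, datetime]] = {}        # queued raises: value, when
        self.history: Dict[str, List[Tuple[datetime, float]]] = defaultdict(list)
        self.notices: List[Tuple[datetime, str]] = []               # stand-in for outgoing e-mail

    def set_limit(self, currency: str, new_limit: float, now: datetime) -> datetime:
        """Tightening applies at once; loosening is queued for RAISE_DELAY and
        announced by e-mail, so a hijacked account cannot quietly raise its own
        ceiling. Returns the moment the new value takes effect."""
        if currency not in EXCHANGE_CEILING or new_limit < 0:
            raise ValueError("unknown currency or negative limit")
        new_limit = min(new_limit, EXCHANGE_CEILING[currency])
        if new_limit <= self.limit[currency]:
            self.limit[currency] = new_limit
            self.pending.pop(currency, None)   # a tightening also discards a queued raise
            return now
        effective_at = now + RAISE_DELAY
        self.pending[currency] = (new_limit, effective_at)
        self.notices.append((now, f"to {self.email}: {currency} limit raise to {new_limit} "
                                  f"requested; active {effective_at:%Y-%m-%d %H:%M}"))
        return effective_at

    def cancel_pending_raise(self, currency: str) -> bool:
        """Owner, warned by e-mail, withdraws a raise they did not ask for."""
        return self.pending.pop(currency, None) is not None

    def effective_limit(self, currency: str, now: datetime) -> float:
        """Promote a queued raise whose delay has elapsed, then return the limit."""
        queued = self.pending.get(currency)
        if queued is not None and now >= queued[1]:
            self.limit[currency] = queued[0]
            del self.pending[currency]
        return self.limit[currency]

    def spent_in_window(self, currency: str, now: datetime) -> float:
        return sum(a for t, a in self.history[currency] if now - t < WINDOW)

    def withdraw(self, currency: str, amount: float, now: datetime) -> bool:
        """Accept the withdrawal only if it fits under the limit for the window."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if self.spent_in_window(currency, now) + amount > self.effective_limit(currency, now):
            return False
        self.history[currency].append((now, amount))
        return True
```

Asymmetric timing is the whole mechanism: a legitimate owner who wants less exposure gets it instantly, while an attacker who wants more has to wait two days under an e-mail spotlight.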
legendary
Activity: 1148
Merit: 1001
Another option would be for users to change their own withdrawal limits (within the range already set up by MtGox), with the limit changes not going into effect for 24 to 48 hours after the change, and an e-mail sent out warning about the change. That way, even if the daily withdrawal limit is $1000, I know that I don't ever need to withdraw more than maybe $50 a day and can limit all withdrawals to that, and if I need to withdraw a few $100s, I'm willing to wait a day for that to happen. Make a separate limit on Bitcoin, too. Limiting Bitcoin amount by its USD value can have problems if BTC market price drops.

I'm programming a web site that will use bitcoins, and what I have done is that the out address does not change until 24 hours after the change request has been made. So the user sets an out address, and if someone gets hold of his/her password and tries to change the address it won't work for 24 hours. We also send an email to the user if he/she has set up an email.

this way the user has some time to discover the "hack" and contact us.
kjj
legendary
Activity: 1302
Merit: 1026
I would like to be able to limit logons for my account to just the two IPs I use in person, and the API to just the one IP I use that from.  If all three change at once, I'd be screwed, but that seems unlikely.
legendary
Activity: 1680
Merit: 1035
Another option would be for users to change their own withdrawal limits (within the range already set up by MtGox), with the limit changes not going into effect for 24 to 48 hours after the change, and an e-mail sent out warning about the change. That way, even if the daily withdrawal limit is $1000, I know that I don't ever need to withdraw more than maybe $50 a day and can limit all withdrawals to that, and if I need to withdraw a few $100s, I'm willing to wait a day for that to happen. Make a separate limit on Bitcoin, too. Limiting Bitcoin amount by its USD value can have problems if BTC market price drops.
hero member
Activity: 868
Merit: 1000
The YubiKey pretty much does the same thing as an SMS token would, and it's probably more cost effective from MtGox's point of view.  The international SMS thing can be a bit of a problem, with not all carriers supporting some types of SMS (this used to be an issue with Twitter), and phone calls would be both expensive and impractical.
full member
Activity: 224
Merit: 100
For example:

Mt.Gox gets a request for a withdrawal of 100 bitcoins -> Mt.Gox sends an SMS with a unique code -> the real account holder logs in and types it in -> the bitcoins are released to the new address
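The SMS-confirmed withdrawal flow in the post above, together with the earlier suggestion that small payouts to the user's locked address skip the SMS while anything else needs the second factor, as one added example that is not code from the original thread or from Mt.Gox: a large or off-address request is parked, a random six-digit code goes to the phone number on file (here an in-memory outbox), and funds move only when the account holder enters that code within the 12-hour window the OP proposes. The code is compared in constant time, guesses are capped, and stale requests lapse. The thresholds, reference time T0 and sample phone number and addresses are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

T0 = datetime(2011, 6, 20, 12, 0)   # constructed reference time for the example


def hours(h: float) -> datetime:
    """Timestamp h hours after T0 (test helper)."""
    return T0 + timedelta(hours=h)


CONFIRM_WINDOW = timedelta(hours=12)   # unconfirmed requests lapse after this
MAX_ATTEMPTS = 3                       # code guesses allowed per request
NO_SMS_LIMIT = 5.0                     # BTC per request released without a code,
                                       # and only to the locked address


@dataclass
class PendingWithdrawal:
    amount: float
    address: str
    code: str
    created: datetime
    attempts: int = 0


@dataclass
class Account:
    phone: str              # set at enrolment; no change path in this example
    locked_address: str     # the user's confirmed withdrawal address
    balance: float
    sms_outbox: List[Tuple[str, str, str]] = field(default_factory=list)  # (phone, code, text)
    pending: Dict[str, PendingWithdrawal] = field(default_factory=dict)
    released: List[Tuple[str, float]] = field(default_factory=list)


def request_withdrawal(acct: Account, amount: float, address: str, now: datetime) -> Optional[str]:
    """Release small payouts to the locked address directly; park everything else
    behind an SMS code. Returns the request id, or None if released at once."""
    if amount <= 0 or amount > acct.balance:
        raise ValueError("invalid amount")
    if amount <= NO_SMS_LIMIT and address == acct.locked_address:
        acct.balance -= amount
        acct.released.append((address, amount))
        return None
    request_id = secrets.token_hex(8)
    code = f"{secrets.randbelow(10**6):06d}"          # fresh code per request
    acct.pending[request_id] = PendingWithdrawal(amount, address, code, now)
    acct.sms_outbox.append((acct.phone, code,
                            f"Code {code} confirms withdrawal of {amount} BTC to {address}. "
                            f"Ignore this message if you did not request it."))
    return request_id


def confirm_withdrawal(acct: Account, request_id: str, code: str, now: datetime) -> str:
    """Account holder types the code in after logging in. Outcome as a short string."""
    p = acct.pending.get(request_id)
    if p is None:
        return "unknown"
    if now - p.created > CONFIRM_WINDOW:
        del acct.pending[request_id]
        return "expired"
    p.attempts += 1
    if not hmac.compare_digest(p.code, code):      # constant-time comparison
        if p.attempts >= MAX_ATTEMPTS:
            del acct.pending[request_id]           # no further guesses on this code
            return "locked"
        return "wrong"
    del acct.pending[request_id]
    acct.balance -= p.amount
    acct.released.append((p.address, p.amount))
    return "released"


def expire_stale(acct: Account, now: datetime) -> int:
    """Housekeeping: drop requests nobody confirmed within the window."""
    stale = [rid for rid, p in acct.pending.items() if now - p.created > CONFIRM_WINDOW]
    for rid in stale:
        del acct.pending[rid]
    return len(stale)
```

Because the phone number is not changeable through this path, a stolen password only lets the attacker create parked requests that page the real owner; the balance never moves without the code.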
full member
Activity: 224
Merit: 100
Because we know that all Bitcoin transactions are not reversible, and we know that many people have large amounts of USD and Bitcoins at the exchanges, I think that as a customer, if I want to have a safety net where the exchange calls me up, or even easier, SMSes me that they have gotten an order to withdraw, then I as a customer can just confirm this.

The mobile phone number shouldn't be easy to change; that way we know that the real account holder will get a notice. At the same time, Mt.Gox / the exchange waits 12 hours or so to get a confirmation from the real account holder. If someone has hacked the account, then they will not be able to withdraw the money.
