Topic: my MTGOX accoun frozen, can not withdraw, I have yubikey. (Read 4054 times)

I cannot agree with you on this one. Essentially, you are trying to pressure other bitcoin users to keep quiet about fishy business practises they encounter with bitcoin companies (in this case, MtGox). Now, while I would love to live in a world where I can say to my customers that bitcoin is zero-risk, the current situation is that someone adopting bitcoin is normally well aware that he is adopting a relatively new technology which is yet in the process of becoming mature. Still, it is a highly promising technology, so there is growth in the user base. But if you were successful in your attempts to shut down the open discussion about problems with certain companies, in the end bitcoin would become much more risky for new adopters because they would all risk to run into problems like those with MtGox without being warned.

If the people at MtGox are smart, they will learn from these incidents and create a new policy which allows more people to trust them. Yes, they are in a position where they can be approached by law enforcement when there is a problem, but it is still their own business decision how to handle these situations. I saw similar problems with internet access providers when governments started to approach them in order to get information about relations between IP addresses and the people behind the addresses. Some access providers were happy because they saw this as a great excuse to collect more data about their users than before. Yet others acted more diplomatically and only gave out the information for which they were clearly obligated to do so. And guess what? The latter made great business because people do care about privacy. Ideally, be it an internet access provider, a bitcoin exchange, or something else, a company in that position should act as a thin layer between customers and inquiries about customers. And more importantly, the rights of both sides should be honoured equally. There may be valid reasons for someone outside to ask for information about customers' identity or activity on a platform, maybe because there was some crime involved which needs to be prosecuted and where the customer may have some relation to. But crime accusations can also be wrong, and the customer should have the equally effective opportunity to file a lawsuit against someone who wrongly accused him of misbehaviour. Hopefully, MtGox will learn from what happened. But if not, it will not hurt the bitcoin community for long because other exchanges will do, and provide a better service.

It would hurt the bitcoin community much more if we lose bitcointalk.org as a platform where problems are freely discussed and where people have the opportunity to decide by themselves about which risks they are willing to take. Myself, I provide development services to companies doing BTC-USD-EUR day trading, so it is important for me to keep track of what happens on the exchange company market. I wouldn't like to see a bitcoin community where information about bitcoin exchange trustworthiness is kept secret.

Something I forgot to mention, in regard to the comment that a photo id is not accepted in the financial world, but is not true and false.

In Chile a government issued photo id is a valid form of ID at any Bank, a driver license it is not, since it is a proof that you are allowed to drive and nothing else, and it is not a form of ID, I never had problems with the official photo ID at any bank in Chile, to name a few, Banco del Estado, Banco de Santiago, Banco de Credito e Inversiones, etc.
If the Banks accept it, MTGOX should also accept it.

In the USA the driver license it is an ID, but not in other countries.

And it is a lot better to have the driver license and ID separate documents, because they each have a clear purpose.

Problems I have with the verification process at MTGOX, banks have no problems accepting photo Id, but it is a problem at MTGOX.

You required photo ID, and passport, and that is precisely what I have requested at the consulate, no government will give you out a passport immediately, you get a temporary document, and that is the document that I have sent you, because that is what I got, and it is based on your request for passport and photo id, my photo id is a photo id, which you do not list under photo id, which it should be listed, if a banks accepts it, you should too.

Within 3 to 4 weeks I will have the official "goverment issued" not "gym issued" photo id valid at financial institutions, banks, and "financieras (small banks)" and the passport, but the temporary documents should be acceptable for the time being, after all that is what the temporary documents are for.

There is an official photo ID that is given by the  government in many countries like in Chile it is the official ID, how can a document that is created by the government with the only purpose of being an ID, not be accepted as an ID is beyond me.

You require photo ID and passport and that is precisely what I did when I went to the Chilean consulate, and the documents that I provided you are official proof that those documents have been requested.

Now those documents take 4 weeks to get delivered, do you expect me to have too wait those 4 weeks and not honor the temporary documents.

Your example of a gym ID does not apply since we are talking about official government documents, it would be nice that the governments had gyms for us, but in our lifetime that most likely will never be a reality.

As far as the items on number 2, I do not have those bills, and I do not plan to engage in expenses with the only purpose of complying with, furthermore I could not engage in any more expenses since you have my money, I have bills but are not listed under item number 2.

And I am pretty sure you will not accept documents which are expired.

So that leaves me with birth certificate not on the list, and the other 2 documents are being proceed by the Chilean government, and I already provided official proof of that.

And in regard to the AML flag, you are being clear, is it MTGOX written policy or it is not MTGOX written policy not to tell customers why the AML flag is triggered.

What you are basically telling me is that the security model of MTgox is based on security by obscurity, and if you ask any cryptographer or security expert, they will tell you "no", that security by obscurity does not work, it is not only my opinion, but of any professional in the security industry.
Security is supposed to be based on solid algorithms, and not by hiding some fact, otherwise it is a time bomb, someone discovers the fact that it is being hidden and the whole security model collapses.

If you think using a non traditional browser or a special network like a vpn is a reason to trigger the AML flag, I can tell you that AML flag is broken, and it is easy to bypass just proxy the internet connection through ssh, though a "friendly network", and use a friendly OS, and browser such as "explorer and windows 7".
Based on my experience with banks, that is what is most likely triggering the flag, but you rather keep it secret, and put in jeopardy all your customers of having a frozen account. Some guy triggered a flag at a bank just by using lynks.

I am sure tor would also trigger that flag.
Being a tourist in different countries could more than likely trigger that flag, or worse yet being in certain countries.

The reason I ask is that I do not like to trigger the AML flag, and if you tell me I can avoid triggering it in future.

For those of you that believe in security by obscurity, you should read lists like bugtraq, in which many companies instead of protecting their products with sound security they use lawyers as their security team to cover for the security holes, but it is well known that does not work well as far as security is concerned.

Well my money is at stake here, even if I wait the 4 weeks, you will not recognize my photo ID given by the Chilean government as an ID because is not on your list of valid photo ID, anyone with common sense will accept a photo id if a photo id is requested, so that only leaves me with a passport of valid for of ID.

What do you suggest?, I have done everything that MTgox has required with no success.

I saw the document you sent, and while we appreciate the effort they are NOT what we are asking you to submit. Please understand that if you cannot send us the document we need to verify you as a person it will be impossible for us to do our work and un-flag your account. You have to understand that we need to restrict the number of document we accept and Photo ID could mean literally anything ranging from a gym club card to library card, these could be "legal" in some countries but no viable in the financial world.

Please kindly submit your document when you have them.

What I was trying to say was : If we explain in clear how people are flagged for AML, it will give the opportunity for "bad" people to make sure that their behavior and documents match what we are expecting diffiting the whole AML (Anti Money Laundering) system, resulting ultimately by having more banks or authorities checking what we are doing and evaluating the risk.

Hypothetically, if someone was able to bypass your security features how would this affect me?

I am having an extremely difficult time getting verified:

The 2 documents in jpegs not in a zip file have been rejected because there are not in the official mtgox list of approve documents.

The 2 documents I have submitted are official documents issued by the government with picture, one is proof of passport request, and the other one is a photo id request (Cedula).

It seems that a photo ID document is required but the actual photo ID document is not accepted, which makes no sense, under Chilean law a photo ID document called (carnet or cedula) is a valid form of ID, but you request passport, driver license, and permanent recidence, but Photo ID is not listed under photo ID that is really wrong.

You have to know that not in all countries a driver license is the photo ID, in Chile a driver license is a driver license, not a photo id, for photo id, there is another document called photo id, which is the official document for identification, I am sure that is the case in many countries, so why ignore the official photo ID issued by governments.

In 3 to 4 weeks I will be getting the final version of the documents, but for now these temporary government issued documents should be sufficient, but it looks like the photo id document will not be accepted because it is not listed under photo id, which is wrong.

My only phone bills are voip, which is not accepted by mtgox based on the email I got.

Getting verified really sucks, basically they are telling how I have to live, to meet their requirements, not even the banks do this, due to the lack of money I have eliminated all bills, and mtgox wants to see bills.

Mtgox, bills cost money, I have no money therefore no bills, my mexican phone is a voip number that I am losing due to a problem with my provider and the Telmex beyond my control, my usa number is voip, and I have no other bills and I am very happy not having bills, that is something I am not planing on changing.

If you are having difficulty getting verified, please feel free to contact our Support by opening a ticket. We would gladly assist you and hope to resolve this issue quickly.

MTgox froze my account too. My money has been tied up for 2 months. I provided 2 forms of photo ID and they still will not allow me to withdraw. I am not happy.

-1 rep

By not telling me how I raised the AML flag I could raise it again not knowingly, and I would have to go though all this trouble again.

Any good security expert will tell you that security by obscurity is not good and it does not work, all the good security protocols are based on openness IDEA, RSA, blowfish, TRIPLE DES, etc, many closed source programs they use security protocols such as rot13, substitution cipher, vigenere  cipher of course the close source programs will not say what cipher they are using, but any good security expert can find out and break the code.

So by not saying what raises the AML flag you do a disservice to your customers, since it can be trigger again by doing whatever they were doing, otherwise they would try to avoid raising the flag.

Security has to be based on openness like pgp, gpg, truecrypt, etc, it does not work by secrets such as a back door that sooner than later someone finds out.

Whenever some company keeps secrets in the name of security, that tells me right away they have absolutely no understanding  of security.

If it is an mtgox policy to keep it secret, on what triggered the flag you could simply say "it is our policy", but do not say it is because of security because that does not make sense.
At this point you have not told me it is an mtgox policy, only that you feel it is a security risk, and I feel it is a problem for us customers to trigger that flag and not know why.

But at least you seem to have answered one question indirectly, and it was mtgox who put that flag, not any government or authority, at least I got a little bit of information from you.

Base on my experience Bank security is not based on what a cryptographer would call security, what rather on norms based on sociological behavior, I remember a guy a while back that was arrested and accused on being a hacker simply because his choice of browser was lynks, I can only speculate why a red flag was put on my account, most people use windows and internet explorer, I most of the time use linux  and different browsers like iceweasel, firefox, opera, etc that alone puts me out of the norm, and sometimes I use a VPN that makes me very special, so using iceweasel and a VPN could make one a tarjet for this flag,  using the account from a different country is something out of the norm so that could also raise a flag, but this is all nonsense since if someone was trying to avoid the flag they could easily use windows 7 internet explorer, and avoid being out of the country, and if they are out of the country route the connection over ssh though a server that is located in the same country of residence.
As you can see security by obscurity does not work.
Think of it this way, by using bitcoin alone I am out of the norm.

If I trigger the AML flag because my browser choice or OS choice, and you do not tell me I will continue to trigger that flag, I would rather know and that way I will know what I am allowed to do or what I am not allowed to do.

I have absolutely no respect to security by obscurity, it does not work, and it is always used as an excuse to hide information.

As far as the files, I will send you the naked jpeg  files, and hope that you can expedite, this it has been a while, with very poor communication from mtgox.

And as far as triggering the AML flag, unless you have a policy not to tell me and there is some law that prevents you to tell me this information, I would really like to know, it is my right as a customer, if you do have such a policy I would like you to make it clear that it is the case, otherwise tell me.

Dear Sergio.

I cannot comment on how you raised an AML Flag, since it will also help other people to by pass some of our security features and will put everyone here at risk. But after that I personally check this matter with my colleagues and the person who's in charge of your account, that something unusual has been indeed made and trigger an AML request and this regardless of you having a Yubikey.

Just re-submit the document (not on a Zip file), like everybody-else and we will take care of this.

Thank you

MTGOX, you fail to answer why you will not provide any information at all of why the red flag was put in the account, and by whom, it is not against the law to provide this information.

By whom it could be you, some government authority of some country, or someone else, I do not know, but would like to know, as far as I am concerned it could be you, since you are hiding that information.

I have no problem sending the jpgs, but I do have a problem of you not having a method to verify its integrity at delivery, why do you oppose of using md5sums with the jpegs files, it is beyond me how using md5sums could be less secure, since it seems that the answer is in the name of security all the time. For an md5sum all it is required it is a single line of text, nothing else.

MTgox you failed to warn me when the account was locked, I had no exit window, when I did send the jpegs you complained because they were in a zip file, a zip file is just a container nothing else, it is like asking for a birth certificate, and getting it rejected because it was delivered in an envelope, a zip file does not carry information, only files, and in my case the files are jpegs. Treating a zip file like if it carried information by itself is plain ignorance it does not it is only a file container, think of it as a box where you put things in it.

My biggest concern is not the zip or jpeg files, is your lack of communication, at this point in time I have no clue who or why a red flag was put in my account, when in fact I did nothing out of the ordinary.

Also it is not fair for the users that you change the rules of the game after the game starts, what is going to happen to your customers that had anonymous account, will you confiscate and keep the money? Can you assure that will not happen? I have a feeling based on your behavior that could very well happen.

Please answer this questions, to me they are very important:
1. Why the red flag in my account, considering I have a yubikey.?
2. Who put the red flag?  MTGOX? FBI? CIA? US GOV? JAPAN GOV? WHO?
3. What is the worst case scenario, since the documents I have sent you are temporary but official, the official documents take to be processed by the government 3 to 4 weeks.

When I requested some my funds for compliance you failed me, now I am flat broke since the little money I had it was all spent on compliance, I have spend over $200 on compliance, and I am not sure what else you will want.
I am very tired of all this nonsense, once my money it is freed it is going to my personal wallet and intersango which they seem to understand security, not just claim security.

Answering those 3 questions does not violate any laws, MTGOX  why can you not give an straight answer.

It is very true I made some mistakes, like having the money on an exchange it is a very bad idea, the proper way to use an exchange is trade and then remove the money, have small amount to minimize the risk, and no use a single exchange, but use many exchanges, with more money on the ones providing better service.

Well, it seems that this is slightly going out of proportions.

You are all aware of the AML requirement by now and you are also aware of what we are asking for. Also we have very strict rules when it comes the list of documents we need and how we need them. This is of course in order to better protect everyone of us, by this I mean both client assets and Mt.Gox.

Now, as it is stipulated on our AML page that all documents that must be sent to us must be sent in the following format : JPG, PNG and PDF (See screenshot http://imageshack.us/photo/my-images/195/screenshot20120217at103.png/). There is no mention at anytime of ZIP files or any other format including but not only BMP, TIFF, JPEG 2000, GIF... We hoped that this was clear enough for everyone, but apparently not.

While we are going to “rephrase” this part to make it “clearer” for everyone, we cannot and we will not accept any document sent in a ZIP file. The reason behind this request is simple : Company RULE. All files are stored on our servers and are not allowed to be stored on anyone’s computer here at Mt.Gox for obvious reasons.

We go even further in not working with ZIP files at an internal level. No ones here at Mt.Gox is allowed to transfer, use or work with ZIP files and this level of security is also applied for every documents coming form AML that will be hosted on our servers.

Sergio, please kindly send us the appropriate documents in either JPG, PNG of PDF and you will see that if your documents are indeed the appropriates ones and that everything is in order, the overall AML process will go smoothly.

mtgox is only so anonymous. If being anonymous is your number one concern I'd find a cash dealer because nothing other than cash is completely anonymous. Places like dwolla and mtgox are for people who aren't trying to stay anonymous. They are not made to be that way, therefore getting upset for it is a little silly.

I thought it was funny people with bank accounts on dwolla are flipping out because dwolla needs an ID now lol. If you're elaborate enough to walk into a bank and open up an account with a fake ID, SS and extravagant disguising abilities or somehow open an account dwolla accepts that is build on fraudulent information, than I'd understand but most people don't do this and personally, I'd offer my photo ID before my bank information in a heart beat. They have your account, what's the difference?

Cash in the mail is the way to go. Somewhat risky, but true anonymity (or as close to it as you can possible get) comes at a price.

so to clarify the situation, you have sent to them the documents in jpg format?

if you aren't aware how to do that, open a ticket and attach:
 - https://support.mtgox.com/anonymous_requests/new

if you haven't done that then please take your bruised ego elsewhere.

This is another case of "don't put all your eggs in one basket."  That's user error; not the error of the exchange. You should be ready and able to handle an investigation of this nature given the new nature of bitcoins.

I wouldn't be surprised if the gov't takes over mtgox.com for a short period of time pending investigation.

Please diversify your investments and don't put all of your trust in one entity.

"the zip file thing is probably for their security, not yours.
I am no expert, but phishy things seem to be compiled in zips sometimes."

That is not true, you can not compile things into zip files, a zip file only contains files, nothing else, it is the equivalent of an envelope when sending a letter or postcard, which is more secure a postcard with an envelope or one without an envelope?
If you have any file with an md5sum provided by someone that person is giving you a guarantee of the integrity of the file, how could a file without any guarantee of integrity be more secure.
And the problem is not the zip file, is the luck of trust, and compliance is about increasing security not decreasing it, if you send me a file with an md5sum that is much safer than one without, claiming otherwise is nonsense.
It happens that they have hidden so much information from me that I have no reason to trust them anymore, and I rather play it safe, added security does not go against compliance, and claiming otherwise is bogus.
For example proving an md5sum in what way whatsoever can be less secure is beyond me.

Also the law does not require them to hide the facts of by whom or why the account was frozen, remember the law is not anonymous, and I am sure mtgox is not required to hide those fact from the customer.

Also security by obscurity does not work, in the software world it has been proven that openness provides much greater security, than obscurity.

It could be an scam to confiscate accounts, or simply they do not care about their customers anymore.

I will follow the advice of giving intersango a try, and maybe a few other ones.

I have done everything mtgox has asked me, and no results so far, I am very disappointed in them.
I do not think it is the Japan goverment that put the red flag, I have a strong feeling it is mtgox themselves, the reason is simple, when someone is truly trying to help you out the communication is usually good, and when someone is stabbing you in the back there is usually very bad communication, and this applies just about anywhere.

In the meantime I will concentrate on getting my money out of mtgox, I hope Mark Karpeles read this and does something, mtgox already has 2 jpegs that I sent, ID, and Passport not in final version since that takes 3 to 4 weeks for the consulate to deliver, but the temporary paperwork I got from the consulate with my picture in both documents.

the zip file thing is probably for their security, not yours.
I am no expert, but phishy things seem to be compiled in zips sometimes.

Japan, HSBC rules maybe? I would imagine they must follow some rules to stay in business with their bank.
There is improvement to be done and these recommendations need to be supplied to MTGOX as I believe they do wish to serve the customer.

At this point, it doesn't make sense for them to release money under your pressure. That would be a precedent undermining the whole process.
I am sure they have quite a share of pressure themselves in order not to get shut down completely.

Caution should be used with bitcoinica as there is no verifications now and Zhou tells not to worry either.

Time has come to develop relationships with individual people to handle your transactions in and out of bitcoin and/or mtgox. It is quicker and safer in my opinion.

Any exchange that does not freeze accounts for any reason is in risk of being shut down, all trustworthy exchanges will suspend accounts that appear to have fraudulent activity on them. Or is not trustworthy themselves.

This is because exchanges must co-operate with banks and they have not choice if they want to keep using the bank account.

The difference between a great exchange and a rubbish one is the customer service in dealing with your frozen account. MtGox are terrible at this, customer service is not something they seem to care about.

If you want an exchange that don't mess you around and actually answer your support issues then use Intersango, they're #2 now after TradeHill was shutdown.

Well if it is a AML thing by a goverment, why does not mtgox say that instead of hiding that information, and what goverment?

If it was the government and they had some reason, why hide it, and I could deal with the government directly, governments are made up by people, and there is usually a way to communicate to them if that was the case, but that information is not being provided by mtgox, also as being a customer that information would be of great value, but it simply is not being provided by mtgox.

I would like Mark Karpeles Magitux to tell me all the unanswered questions in regards my account on mtgox, what government put the red flag, and why, or if it was them, and why is it that they can not open a simple zip file containing only jpegs, or why the do not allow md5sum when sending files and they claim it is in the name of security, how is that? it makes no sence.

It is not a problem with the files zip vs jpeg, it is a matter of trust, at this point I do not trust them for anything, and I would prefer to have a method to make sure they get a good file, the way they have been behaving they could reject the files I sent and not tell me why, I would like the communication to be interactive which is not, it is a one way communication, nothing I ask gets answered, that is not the proper way to treat a customer.
years ago I used to download a lot of gifs, and then jpgs, and once a while one was corrupted, and it was not possible to tell if it was due to the download or if the file was actually damaged without downloading it again, for example when you download firmware it is critical that the file is not corrupted otherwise your hardware would get damaged, and for that reason usually you have some form to verify the file md5sum, crc, etc, in this case my money is at stake I have no problem sending them the jpegs together with md5sums, but they will not accept the md5sums, so they have no proper way to know if the file was received correctly and I have no proper way to know that either and since I do not trust them, that would be one less excuse for them to reject the files. So it is not the files it is a matter of trust, that is why I prefer to have extra security on my side, they claim the files without the md5sums is more secure, which is completely bogus.

Right now I am completely out of cash, not bitcoins, bitcoin itself is very secure, and I a strong believer in the bitcoin economy, I have invested a lot in mining, the only week point in the bitcoin economy are the exchanges.

All I want at this point from mtgox is to release my money.
I wrongly had a false sense of security because I had a yubikey.

It is also not right for them to change the rules of the game without an advance warning, so that you have a chance to get out in time.

I will keep mining, and will keep supporting the bitcoin economy, but not mtgox.