
Topic: [OFFICIAL]Bitfinex.com first Bitcoin P2P lending platform for leverage trading - page 116. (Read 723861 times)

member
Activity: 77
Merit: 13
As an example of what I meant, here is a post that someone just sent me...

https://github.com/HFenter/MarginBot

https://bitcointalksearch.org/topic/ann-marginbot-a-bitfinex-margin-lending-management-bot-865250

Here is a bot for the swaps market that prioritizes keeping its funds active; it doesn't care about the rate, it would just prefer that its funds are always in use. With no FRR, this would be the norm. The simple fact remains, that as long as people can get something, rather than nothing, they will probably take it. That being said, I really want to update the FRR, and hopefully it makes it more responsive.

Most lenders will not use that bot, and will instead opt to use whatever on-site autolending facility Bitfinex provides.

That said, if everyone did start using that bot, it would be a great improvement over the FRR. MarginBot places a range of offers, rather than dumping everything at a single rate. You can configure a minimum rate to lend at, as well as an amount of your funds to reserve for lending at higher rates. Everyone using it would configure it with different parameters to suit their tastes. We would no longer have the massive, market-distorting wall of offers at a single point on the offer book.
mjr
full member
Activity: 194
Merit: 100
As an example of what I meant, here is a post that someone just sent me...

https://github.com/HFenter/MarginBot

https://bitcointalksearch.org/topic/ann-marginbot-a-bitfinex-margin-lending-management-bot-865250

Here is a bot for the swaps market that prioritizes keeping its funds active; it doesn't care about the rate, it would just prefer that its funds are always in use. With no FRR, this would be the norm. The simple fact remains, that as long as people can get something, rather than nothing, they will probably take it. That being said, I really want to update the FRR, and hopefully it makes it more responsive.
mjr
full member
Activity: 194
Merit: 100
I believe the actual complaint was that if your email account is compromised from one device, that's pretty much game over - a sufficiently motivated attacker can have a password reset sent to that email address, and have a conversation with your support people to have the 2FA turned off. So the security of your Bitfinex account reduces to the security of your email account, with the OTP device serving mostly as a small additional roadblock to make the process slightly inconvenient, rather than a true additional 'factor'.

It is important to understand and remember that NONE of YOUR devices need to be compromised for your e-mail account to be compromised. There are numerous other attack vectors depending on which e-mail provider you have chosen. A dishonest employee, for example, could easily abuse or take over your e-mail account. This is why I insist that an e-mail account is just one factor regardless of how this factor is protected.

* Your e-mail account is ONE factor. ONE. Period.
Not correct, Gmail has 2FA if one wants to enable it.
I have it and recommend everyone to have it.

I stand by my statement. Your Gmail account is one factor which could be protected by two factors. A Google employee could take over your e-mail account regardless. Think of it this way: Your house is still just one house even if you put an extra lock on the front door.

I don't think we disagree that things SHOULD be more secure, but in order to do that, as you suggest, people should buy another phone that they use ONLY for 2fa. That is probably not going to happen in 99% of cases. Therefore, due to the unwillingness to implement a hardware solution, it becomes 1fa. Here is the issue:

1. We need to know you are the person with the rights to access the account.
2. You do this by providing something you have.
3. If you lose that something, you still have the rights to access your account.
4. In order to remedy that, we have to be able to bypass the original security that you set up, due to the loss of your password, phone, email, etc.

I agree with this but I would like #4 to be a bit harder - but not so hard that it becomes impossible.


So, to be clear, if you maintain your security on your phone, and your email, you will never be able to be hacked. These issues affect people who have ALREADY been compromised. If we add gpg key as another method, what happens when you lose your gpg key? The simple fact remains, that google 2FA IS two factor authentication if you haven't lost one of the methods of authentication. We require the phone, which has the Google 2FA, and also the password, which you should be the only one to know.

Obviously, since this system REQUIRES you to talk to someone in support, if you say that you lost your phone and forgot your password...the human who is talking to you will probe much more deeply and watch much more carefully.

I agree that if I COULD just say "Hey, lost my phone and forgot my password, I sent you an email from the account used to open the account", and if this is all that is necessary, you could have a problem, but, you have to talk to someone in support, via email. They will respond to your request and await a response from you. I haven't seen the email spoofing successfully done, or reported here.

If you actually lose access to your phone, and you used an email which is on your phone, AND your phone isn't locked, the password can be guessed, or it doesn't use biometrics, THEN you have been pretty well compromised. For me, if I lost my phone, I would notice sometime within 24 hours. I usually touch my phone physically at least every hour, aside from sleep. Given that iPhones (and I believe Android?) can be remotely wiped, any access to the compromised phone should be able to be mitigated as soon as the loss is noticed. Since you cannot withdraw for a week, you should have more than enough time to work this out with support.

Long story short, Bitfinex uses a password authentication method, with optional 2FA, but we cannot guarantee your security in regards to YOUR phone, YOUR email address, and YOUR laptop. Basically, the complaint is, well, my phone and my laptop got hacked, how could they access my Bitfinex account? I would say that if you were compromised in 2 other areas...your security procedures probably need some work.

Thank you for your long response.

Actually, no, my phone and desktop would not need to be compromised. My complaint is that someone who gains access to my e-mail account, with or without hacking any device (which, if you consider the various threat models, is not required to gain control over someone's e-mail), could p0wn me.

As for your other points: I completely agree that the security of my Bitfinex account and the devices used to access it is my personal responsibility. This is why I do not like that the security can be compromised by a factor out of my control.

And I do see and agree that the human factor at Bitfinex would make an attack difficult (but not impossible?). I have e-mailed both the support@ and that better address quite a few times over the years and the average response time seems to be 5-10 minutes and it's always smart people who reply (perhaps Bitfinex requires that customer support people do not watch television?) so I assume it would not be totally straightforward to fool them. I am also guessing that this means I could have my account locked down pretty fast if need be.

I think that if someone wanted to REQUEST that we require more than simply emailing us and having a conversation, and place additional restrictions on their account, and agreeing to endure the higher inconvenience, that would be reasonable.

Now you are on the right track. You seem to have thought a bit about this, what would your suggestion be as to these "additional restrictions"? As I mentioned, a picture of me holding a note saying "disable 2FA" to get it disabled seems like a reasonable trade-off and a requirement I would personally like to have on _my_ Bitfinex account. It is hard to fake. This does not solve the "$5 wrench" problem but that one is a lot harder.

Oh, btw mjr, one last thing: Try leaving your phone at home when you go out to meet friends and loved ones. Consider making it a habit. I know many resist this idea but it can actually be a great thing - just like not having a television, not having a Facebook or a Twitter account and so on. Many of these things that are supposed to make your life better .. just make you stressed, continuously disrupt your harmony and give you bad karma.

I love Facebook, Twitter and Television, and I couldn't live without my phone...LOL, they do the exact opposite of stress me out, they calm me, and make my life better. They connect me to people, they allow me to find answers quickly, they educate me, make me more efficient. It is too easy to label things "good" or "bad", they are just things, and how you use them defines their goodness when compared to your goals.

In regards to the other point, IF you only needed to get the email, I don't think it would be 2FA, but since you need the email, but will find it very difficult to change the password AND disable the 2FA, they still are 2 factors, IMO.
full member
Activity: 145
Merit: 100
I do Stuff, and stuff.....

ok...

That's great.
I just got a few BTC swap offers returned an hour ago, which means I got more interest in effect.

Note to self: keep checking Bitfinex every hour to maximize profit.


Or use something like this to check Bitfinex for you every 10 minutes to maximize profits:

https://bitcointalksearch.org/topic/ann-marginbot-a-bitfinex-margin-lending-management-bot-865250
newbie
Activity: 48
Merit: 0
I believe the actual complaint was that if your email account is compromised from one device, that's pretty much game over - a sufficiently motivated attacker can have a password reset sent to that email address, and have a conversation with your support people to have the 2FA turned off. So the security of your Bitfinex account reduces to the security of your email account, with the OTP device serving mostly as a small additional roadblock to make the process slightly inconvenient, rather than a true additional 'factor'.

It is important to understand and remember that NONE of YOUR devices need to be compromised for your e-mail account to be compromised. There are numerous other attack vectors depending on which e-mail provider you have chosen. A dishonest employee, for example, could easily abuse or take over your e-mail account. This is why I insist that an e-mail account is just one factor regardless of how this factor is protected.

* Your e-mail account is ONE factor. ONE. Period.
Not correct, Gmail has 2FA if one wants to enable it.
I have it and recommend everyone to have it.

I stand by my statement. Your Gmail account is one factor which could be protected by two factors. A Google employee could take over your e-mail account regardless. Think of it this way: Your house is still just one house even if you put an extra lock on the front door.

I don't think we disagree that things SHOULD be more secure, but in order to do that, as you suggest, people should buy another phone that they use ONLY for 2fa. That is probably not going to happen in 99% of cases. Therefore, due to the unwillingness to implement a hardware solution, it becomes 1fa. Here is the issue:

1. We need to know you are the person with the rights to access the account.
2. You do this by providing something you have.
3. If you lose that something, you still have the rights to access your account.
4. In order to remedy that, we have to be able to bypass the original security that you set up, due to the loss of your password, phone, email, etc.

I agree with this but I would like #4 to be a bit harder - but not so hard that it becomes impossible.


So, to be clear, if you maintain your security on your phone, and your email, you will never be able to be hacked. These issues affect people who have ALREADY been compromised. If we add gpg key as another method, what happens when you lose your gpg key? The simple fact remains, that google 2FA IS two factor authentication if you haven't lost one of the methods of authentication. We require the phone, which has the Google 2FA, and also the password, which you should be the only one to know.

Obviously, since this system REQUIRES you to talk to someone in support, if you say that you lost your phone and forgot your password...the human who is talking to you will probe much more deeply and watch much more carefully.

I agree that if I COULD just say "Hey, lost my phone and forgot my password, I sent you an email from the account used to open the account", and if this is all that is necessary, you could have a problem, but, you have to talk to someone in support, via email. They will respond to your request and await a response from you. I haven't seen the email spoofing successfully done, or reported here.

If you actually lose access to your phone, and you used an email which is on your phone, AND your phone isn't locked, the password can be guessed, or it doesn't use biometrics, THEN you have been pretty well compromised. For me, if I lost my phone, I would notice sometime within 24 hours. I usually touch my phone physically at least every hour, aside from sleep. Given that iPhones (and I believe Android?) can be remotely wiped, any access to the compromised phone should be able to be mitigated as soon as the loss is noticed. Since you cannot withdraw for a week, you should have more than enough time to work this out with support.

Long story short, Bitfinex uses a password authentication method, with optional 2FA, but we cannot guarantee your security in regards to YOUR phone, YOUR email address, and YOUR laptop. Basically, the complaint is, well, my phone and my laptop got hacked, how could they access my Bitfinex account? I would say that if you were compromised in 2 other areas...your security procedures probably need some work.

Thank you for your long response.

Actually, no, my phone and desktop would not need to be compromised. My complaint is that someone who gains access to my e-mail account, with or without hacking any device (which, if you consider the various threat models, is not required to gain control over someone's e-mail), could p0wn me.

As for your other points: I completely agree that the security of my Bitfinex account and the devices used to access it is my personal responsibility. This is why I do not like that the security can be compromised by a factor out of my control.

And I do see and agree that the human factor at Bitfinex would make an attack difficult (but not impossible?). I have e-mailed both the support@ and that better address quite a few times over the years and the average response time seems to be 5-10 minutes and it's always smart people who reply (perhaps Bitfinex requires that customer support people do not watch television?) so I assume it would not be totally straightforward to fool them. I am also guessing that this means I could have my account locked down pretty fast if need be.

I think that if someone wanted to REQUEST that we require more than simply emailing us and having a conversation, and place additional restrictions on their account, and agreeing to endure the higher inconvenience, that would be reasonable.

Now you are on the right track. You seem to have thought a bit about this, what would your suggestion be as to these "additional restrictions"? As I mentioned, a picture of me holding a note saying "disable 2FA" to get it disabled seems like a reasonable trade-off and a requirement I would personally like to have on _my_ Bitfinex account. It is hard to fake. This does not solve the "$5 wrench" problem but that one is a lot harder.

Oh, btw mjr, one last thing: Try leaving your phone at home when you go out to meet friends and loved ones. Consider making it a habit. I know many resist this idea but it can actually be a great thing - just like not having a television, not having a Facebook or a Twitter account and so on. Many of these things that are supposed to make your life better .. just make you stressed, continuously disrupt your harmony and give you bad karma.
full member
Activity: 136
Merit: 100
I totally agree with you. That is exactly what we are trying to accomplish. Right now, we are testing an exponential weighted average, so that the most recent active swaps will count a lot more towards the next FRR than the one from an hour ago. This should make it more sensitive, and allow it to wander more freely. Ideally, instead of a stairway, it should hopefully be more like a slope.

It is kind of a big change, and it is something that has pretty far reaching effects, which is why we are being cautious.

Faster-moving is promising, although I'm a little worried that would just accelerate the current progress of "slow grind down until the wall is exhausted, then launch up". I'm not seeing how it would allow the wall to move up in the face of demand unless swaps from above the wall are being taken for some reason.

Kinda have to cut the cord and stop setting the variable rate by reference to the fixed rates; the presence of the variable rate offers has too much influence on which fixed rate swaps are taken for that to be effective and not effectively self-referential.
legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
The best way to do it is to never reset the 2fa without an extremely long waiting period (30 days ~) because sometimes you get hacked when on vacation without internet.

Then you need to teach people that they need to back up their master key for the authentication. Most people don't do this, but most sites also don't tell you to.

I could lose my phone, my iPad and my computer and I'd still have access to my Google Authenticator codes somehow.
mjr
full member
Activity: 194
Merit: 100
Most people want something rather than nothing, and some posters even said, if the FRR wasn't there, I would just pick the lowest rate and do that. FRR is very similar to a market order, they don't request a specific return, and are basically willing to take whatever they get. I, personally, think that the FRR prob keeps rates higher, because they don't just go for the lowest possible.

I can see that being possible... my instinct would be that it would be far more volatile - higher when we're on a bull run, lower when we're not, and more prone to jump about all crazy-like.

You'd have a steady stream of auto-lenders taking random pot-shots at whatever's available from the swap requests (hopefully not all of them - some would just take anything above zero but surely at least some would wise up and start at least picking a rate to auto-renew at once a day... and some would probably just leave), and that regular slow-trickle dump would indeed weaken the incentive for traders to take offers when they can just wait for a lowball 'market' offer... which might actually make the 'requests' side of the book relevant (and thicker at sensible rates) rather than just a queue of hopefuls waiting for someone to dump almost-free funding on them.

But even while full-auto lenders chew through the swap requests, without that giant anchoring wall on the offer-side, it'd also be that much easier for a rush of traders in a hurry to chew through the offers up to ~0.7%, as we've seen when the wall goes down before. That's why I'm thinking it would erode both sides and leave the going rate more freely wandering. Might be overall higher or lower, who knows, but that might well be more representative of the true supply/demand.

I can see the value in the FRR as a place to put all the lazy money so it can be stored up safely rather than unleashed all at once onto an unprepared set of 'requests', but I do still wish the wall would move when people start taking it; respond to the apparent demand by moving rates up a li'l bit to test whether there's still demand at that higher rate, then move back down if there isn't. I'm just going to keep saying that until either you're sick of hearing it or you become convinced.

I totally agree with you. That is exactly what we are trying to accomplish. Right now, we are testing an exponential weighted average, so that the most recent active swaps will count a lot more towards the next FRR than the one from an hour ago. This should make it more sensitive, and allow it to wander more freely. Ideally, instead of a stairway, it should hopefully be more like a slope.

It is kind of a big change, and it is something that has pretty far reaching effects, which is why we are being cautious.
mjr
full member
Activity: 194
Merit: 100
...

* Your e-mail account is ONE factor. ONE. Period.
...
Not correct, Gmail has 2FA if one wants to enable it.
I have it and recommend everyone to have it.

Yes, I have my entire google account set up with 2FA.

But, to be fair, let's say you use a specific phone just for 2FA. So there is a truly separate second factor, they take your main phone which has your email. They can then probably send emails as you, and find out which email you used to open the account (assuming this is a targeted attack), so they might be able to disable 2FA, BUT, if they also said that they needed to reset the password, I think that this would not work, as it is highly suspicious to lose your phone and forget your password. So, I think it is two factor, since they can't access your bitfinex account with ONLY the 2FA disabled.
full member
Activity: 144
Merit: 100
...

* Your e-mail account is ONE factor. ONE. Period.
...
Not correct, Gmail has 2FA if one wants to enable it.
I have it and recommend everyone to have it.
full member
Activity: 136
Merit: 100
Most people want something rather than nothing, and some posters even said, if the FRR wasn't there, I would just pick the lowest rate and do that. FRR is very similar to a market order, they don't request a specific return, and are basically willing to take whatever they get. I, personally, think that the FRR prob keeps rates higher, because they don't just go for the lowest possible.

I can see that being possible... my instinct would be that it would be far more volatile - higher when we're on a bull run, lower when we're not, and more prone to jump about all crazy-like.

You'd have a steady stream of auto-lenders taking random pot-shots at whatever's available from the swap requests (hopefully not all of them - some would just take anything above zero but surely at least some would wise up and start at least picking a rate to auto-renew at once a day... and some would probably just leave), and that regular slow-trickle dump would indeed weaken the incentive for traders to take offers when they can just wait for a lowball 'market' offer... which might actually make the 'requests' side of the book relevant (and thicker at sensible rates) rather than just a queue of hopefuls waiting for someone to dump almost-free funding on them.

But even while full-auto lenders chew through the swap requests, without that giant anchoring wall on the offer-side, it'd also be that much easier for a rush of traders in a hurry to chew through the offers up to ~0.7%, as we've seen when the wall goes down before. That's why I'm thinking it would erode both sides and leave the going rate more freely wandering. Might be overall higher or lower, who knows, but that might well be more representative of the true supply/demand.

I can see the value in the FRR as a place to put all the lazy money so it can be stored up safely rather than unleashed all at once onto an unprepared set of 'requests', but I do still wish the wall would move when people start taking it; respond to the apparent demand by moving rates up a li'l bit to test whether there's still demand at that higher rate, then move back down if there isn't. I'm just going to keep saying that until either you're sick of hearing it or you become convinced.
mjr
full member
Activity: 194
Merit: 100
BTC swap rate is also terribly low even when the market was/is bearish.
Can we get a swap fee reduction from 15% to 10% maybe? Currently it's like 2.5% interest per year or less, hardly worth it.

This is what I don't understand, this is exactly how a market works. If it isn't worth it for enough people, then there will be no supply, and people will have to offer higher rates. Again, we don't want to set rates, and we are not trying to guarantee any sort of return, it is simply an option that people can, if the rates are agreeable to them, choose.

So that is why I am always baffled by all the discussion about FRR. Your unwillingness to offer a swap is a signal to the market that the rates are too low for you. If enough people feel the same, rates will have to rise, or there will be no swaps available. It appears, given that there is plenty of supply, that a lot of people require much lower rates than you, and what is hardly worth it to you, is worth it to them. This is what I was talking about in an earlier post, markets are always a race to the bottom, that is actually the discovery of the price.

True... I totally can't understand why anyone would lend bitcoins at such low rates. The risks of BFX having some sort of technical troubles might be low, but certainly not low enough for the potential rewards.

But:
The market can't really rise with that huge FRR wall. And I cannot lend BTC at FRR and then re-lend them out higher, so this severely limits price discovery.
Did you see this post, some criticism of it and a way to avoid these problems?



Yes, we have been discussing it a while, and are working on a change to the FRR calculation. I think it could work a lot better, but in general...if you want rates to rise, don't lend. Constricting supply would raise rates, but you would have to forego any return for the meantime. Most people want something rather than nothing, and some posters even said, if the FRR wasn't there, I would just pick the lowest rate and do that. FRR is very similar to a market order, they don't request a specific return, and are basically willing to take whatever they get. I, personally, think that the FRR prob keeps rates higher, because they don't just go for the lowest possible.
member
Activity: 63
Merit: 14
BTC swap rate is also terribly low even when the market was/is bearish.
Can we get a swap fee reduction from 15% to 10% maybe? Currently it's like 2.5% interest per year or less, hardly worth it.

This is what I don't understand, this is exactly how a market works. If it isn't worth it for enough people, then there will be no supply, and people will have to offer higher rates. Again, we don't want to set rates, and we are not trying to guarantee any sort of return, it is simply an option that people can, if the rates are agreeable to them, choose.

So that is why I am always baffled by all the discussion about FRR. Your unwillingness to offer a swap is a signal to the market that the rates are too low for you. If enough people feel the same, rates will have to rise, or there will be no swaps available. It appears, given that there is plenty of supply, that a lot of people require much lower rates than you, and what is hardly worth it to you, is worth it to them. This is what I was talking about in an earlier post, markets are always a race to the bottom, that is actually the discovery of the price.

True... I totally can't understand why anyone would lend bitcoins at such low rates. The risks of BFX having some sort of technical troubles might be low, but certainly not low enough for the potential rewards.

But:
The market can't really rise with that huge FRR wall. And I cannot lend BTC at FRR and then re-lend them out higher, so this severely limits price discovery.
Did you see this post, some criticism of it and a way to avoid these problems?

mjr
full member
Activity: 194
Merit: 100
BTC swap rate is also terribly low even when the market was/is bearish.
Can we get a swap fee reduction from 15% to 10% maybe? Currently it's like 2.5% interest per year or less, hardly worth it.

This is what I don't understand, this is exactly how a market works. If it isn't worth it for enough people, then there will be no supply, and people will have to offer higher rates. Again, we don't want to set rates, and we are not trying to guarantee any sort of return, it is simply an option that people can, if the rates are agreeable to them, choose.

So that is why I am always baffled by all the discussion about FRR. Your unwillingness to offer a swap is a signal to the market that the rates are too low for you. If enough people feel the same, rates will have to rise, or there will be no swaps available. It appears, given that there is plenty of supply, that a lot of people require much lower rates than you, and what is hardly worth it to you, is worth it to them. This is what I was talking about in an earlier post, markets are always a race to the bottom, that is actually the discovery of the price.
newbie
Activity: 33
Merit: 0
BTC swap rate is also terribly low even when the market was/is bearish.
Can we get a swap fee reduction from 15% to 10% maybe? Currently it's like 2.5% interest per year or less, hardly worth it.
legendary
Activity: 1199
Merit: 1047
It seems like USD loans aren't taken at FRR.
newbie
Activity: 7
Merit: 0
Dear Bitfinex

It's been an hour, but my BTC withdrawal still says, "Processing." Perhaps your hot wallet is empty?
I've sent an email to [email protected] containing transaction details. Would you please take a look?

Thanks.

--EDIT: This withdrawal processed within about an hour of my email to support. Many thanks--
full member
Activity: 136
Merit: 100
Long story short, Bitfinex uses a password authentication method, with optional 2FA, but we cannot guarantee your security in regards to YOUR phone, YOUR email address, and YOUR laptop. Basically, the complaint is, well, my phone and my laptop got hacked, how could they access my Bitfinex account? I would say that if you were compromised in 2 other areas...your security procedures probably need some work.

I believe the actual complaint was that if your email account is compromised from one device, that's pretty much game over - a sufficiently motivated attacker can have a password reset sent to that email address, and have a conversation with your support people to have the 2FA turned off. So the security of your Bitfinex account reduces to the security of your email account, with the OTP device serving mostly as a small additional roadblock to make the process slightly inconvenient, rather than a true additional 'factor'.

Not that I can really complain... my phone isn't secure enough to really count as an extra factor regardless of your implementation of 2FA... it's just a harder single factor to compromise given I'd have to physically lose it rather than getting myself electronically/remotely pwned.
mjr
full member
Activity: 194
Merit: 100
This is an interesting post, and I am looking into it. However, one thing off the bat, I can't just create any email account and then email from it. You have to email FROM THE EMAIL USED TO OPEN THE ACCOUNT. So, as long as you were the original user to open the account, you should
A) Know what email was used.
B) Be the only one to have access to it.

Here is my problem with the current Bitfinex "security" system:

* Your e-mail account is ONE factor. ONE. Period.

If I get access to the e-mail account you used to sign up at BFX then I can:

* Reset your password.
* E-mail Bitfinex and have them disable your Google OTP.

The whole point of Google OTP is to provide TWO factor security for your account. What we have here is NOT two factor security, we have ONE factor security and that one factor is your e-mail account.

This means that your Bitfinex account is ONLY protected as well as your e-mail account is protected. If you, for example, signed up using a Gmail account and use that with Bitfinex then everyone at Google can take control over your Bitfinex account.

Think about this: Why even bother asking for a password and OTP when you login at Bitfinex? Bitfinex could instead just ask you to enter your username and send you a login-link to your e-mail - then you click that link and you've got access to everything at Bitfinex. Does this sound secure? Well, regardless of what you think of that "security system" it is no less secure than the current system.

One little detail: You can not withdraw for 1 week after Bitfinex disables your OTP. This means that the adversary will need to look at your Facebook page and time the attack based on when you tell the world that you will be going on a two week jungle safari.

Of course, I am glad to look over the suggestions, and I think some of them might be useful as user requested additional settings. Security, from the user perspective, is a tradeoff between convenience and security. So, while making them fly to Hong Kong is super secure, it means that you could be locked out of your account for quite a long time. This is obviously just an extreme example. I, personally, hate when companies REQUIRE me to jump through hoops, and don't allow me to judge my personal preference for level of security. I think we struck a good balance, in that we allow you to lock your withdrawal address, offer automated withdrawals only if 2FA is enabled, and require 2FA for login. Obviously, this is heavily dependent on 2FA, and on a user's own security measures. One thing I would highly recommend, again this isn't perfect security, is to have a passphrase on your phone, AND a separate one on your 2FA (in my case, you have to have my thumb to open Authy). Again, I stress that there is no perfect method that will make you unhackable, and if someone really wants it bad enough, there is always the $5 wrench. So, I think that doing a reasonable amount of preventative work, and getting into good security habits is effective for most accounts, while more extreme measures could be worthwhile for very large accounts, or for corporate accounts.

Really want to continue this conversation, so let me know your thoughts.

I agree that it is hard to make good trade-offs here. What I would like Bitfinex to solve better is that Google OTP should provide 2FA as in TWO FACTOR when it is used right. This means not using the device you use to login at Bitfinex for Google OTP (dedicated $50 android phone or a heavily password protected normal phone, preferably one which you do not use to login at Bitfinex) and it also means not being able to remove Google OTP by the same means you can use to change the account password.

Bitfinex does not provide 2FA as long as you can use an e-mail account to easily both reset the password and remove OTP. That is NOT 2FA, that is 1FA. Period. And that is NOT secure. As I suggested: Write "Disable my 2FA, today is $DATE" on a piece of paper & take a photo holding that piece of paper and you now have something that is very hard to do for someone who is not you even if they have all the haxor skills in the world.

As for the $5 wrench.. yes, that is indeed a hard one to solve.

I don't think we disagree that things SHOULD be more secure, but in order to do that, as you suggest, people should buy another phone that they use ONLY for 2fa. That is probably not going to happen in 99% of cases. Therefore, due to the unwillingness to implement a hardware solution, it becomes 1fa. Here is the issue:

1. We need to know you are the person with the rights to access the account.
2. You do this by providing something you have.
3. If you lose that something, you still have the rights to access your account.
4. In order to remedy that, we have to be able to bypass the original security that you set up, due to the loss of your password, phone, email, etc.

So, to be clear, if you maintain your security on your phone, and your email, you will never be able to be hacked. These issues affect people who have ALREADY been compromised. If we add gpg key as another method, what happens when you lose your gpg key? The simple fact remains, that google 2FA IS two factor authentication if you haven't lost one of the methods of authentication. We require the phone, which has the Google 2FA, and also the password, which you should be the only one to know. Obviously, since this system REQUIRES you to talk to someone in support, if you say that you lost your phone and forgot your password...the human who is talking to you will probe much more deeply and watch much more carefully. I agree that if I COULD just say "Hey, lost my phone and forgot my password, I sent you an email from the account used to open the account", and if this is all that is necessary, you could have a problem, but, you have to talk to someone in support, via email. They will respond to your request and await a response from you. I haven't seen the email spoofing successfully done, or reported here.

If you actually lose access to your phone, and you used an email which is on your phone, AND your phone isn't locked, the password can be guessed, or it doesn't use biometrics, THEN you have been pretty well compromised. For me, if I lost my phone, I would notice sometime within 24 hours. I usually touch my phone physically at least every hour, aside from sleep. Given that iPhones (and I believe Android?) can be remotely wiped, any access to the compromised phone should be able to be mitigated as soon as the loss is noticed. Since you cannot withdraw for a week, you should have more than enough time to work this out with support.

Long story, short, bitfinex uses a password authentication method, with optional 2FA, but we cannot guarantee your security in regards to YOUR phone, YOUR email address, and YOUR laptop. Basically, the complaint is, well, my phone and my laptop got hacked, how could they access my bitfinex account? I would say that if you were compromised in 2 other areas...your security procedures probably need some work.

I think that if someone wanted to REQUEST that we require more than simply emailing us and having a conversation, and place additional restrictions on their account, and agreeing to endure the higher inconvenience, that would be reasonable.
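An added example (not from the thread or from Bitfinex) that models the recovery paths argued over above as capability rules and computes the smallest set of things an attacker must hold to reach a withdrawal; the asset and rule names, including id_photo for the dated-note-and-photo proposal, are constructed for the illustration.

```python
from itertools import combinations

# Each rule: (capabilities required) -> capability granted. Names are constructed.
CURRENT_POLICY = [
    ({"email"}, "password"),             # reset link is mailed to the account e-mail
    ({"email"}, "otp_disabled"),         # support removes OTP when asked from that e-mail
    ({"password", "otp"}, "login"),
    ({"password", "otp_disabled"}, "login"),
    ({"login"}, "withdraw"),
]
# Variant suggested in the thread: OTP removal also needs proof that is not the e-mail
# account (the dated note and photo), so e-mail alone no longer unlocks everything.
PROPOSED_POLICY = [r for r in CURRENT_POLICY if r[1] != "otp_disabled"] + [
    ({"email", "id_photo"}, "otp_disabled"),
]
ASSETS = ("email", "password", "otp", "id_photo")  # things an attacker might hold

def reachable(held, rules):
    """Close the set of held capabilities under the policy rules."""
    caps = set(held)
    changed = True
    while changed:
        changed = False
        for required, granted in rules:
            if required <= caps and granted not in caps:
                caps.add(granted)
                changed = True
    return caps

def minimal_compromise_sets(rules, goal="withdraw", assets=ASSETS):
    """All inclusion-minimal asset sets whose compromise reaches `goal`."""
    found = []
    for size in range(1, len(assets) + 1):
        for combo in combinations(assets, size):
            combo = frozenset(combo)
            if any(m <= combo for m in found):
                continue  # a smaller winning set is already inside this one
            if goal in reachable(combo, rules):
                found.append(combo)
    return found

def effective_factors(rules):
    """Fewest independent assets an attacker needs; 1 means 'one factor' security."""
    return min(len(s) for s in minimal_compromise_sets(rules))

if __name__ == "__main__":
    for name, policy in (("current", CURRENT_POLICY), ("proposed", PROPOSED_POLICY)):
        sets = [sorted(s) for s in minimal_compromise_sets(policy)]
        print(f"{name}: {effective_factors(policy)} factor(s), minimal sets {sets}")
```

Under the current rules the e-mail account alone is a minimal compromise set, which is the "1FA" point made above; under the proposed rules every minimal set has two members.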

hero member
Activity: 756
Merit: 500
lending offers that are taken slightly below FRR will still result in FRR increasing.

Would help a bit, but we really need for offers taken at FRR to result in the FRR increasing.

Upon further thoughts, I think it is what it is; not much one can do to eradicate the problem.