Topic: [OFFICIAL]Bitfinex.com first Bitcoin P2P lending platform for leverage trading - page 117. (Read 723861 times)

lending offers that are taken slightly below FRR will still result in FRR increasing.

If Bitfinex has no clue who is the rightful owner of an account then they can't possibly verify who the rightful owner is.

Won't work for people only using cryptocurrencies (no ID required) AND people don't always look like their ID picture all the time. It would be not too hard for me to look like a lot of generic white males if I just know the hair colour and some basic facial features for a blurry, badly lit picture.

As I suggested: Write "Disable my 2FA, today is $DATE" on a piece of paper & take a photo holding that piece of paper and you now have something that is very hard to do for someone who is not you even if they have all the haxor skills in the world.

This is an interesting post, and I am looking into it. However, one thing off the bat, I can't just create any email account and then email from it. You have to email FROM THE EMAIL USED TO OPEN THE ACCOUNT. So, as long as you were the original user to open the account, you should
A) Know what email was used.
B) Be the only one to have access to it.

Of course, I am glad to look over the suggestions, and I think some of them might be useful as user requested additional settings. Security, from the user perspective, is a tradeoff between convenience and security. So, while making them fly to Hong Kong is super secure, it means that you could be locked out of your account for quite a long time. This is obviously just an extreme example. I, personally, hate when companies REQUIRE me to jump through hoops, and don't allow me to judge my personal preference for level of security. I think we struck a good balance, in that we allow you to lock your withdrawal address, offer automated withdrawals only if 2FA is enabled, and require 2FA for login. Obviously, this is heavily dependant on 2FA, and on a users own security measures. One thing I would highly recommend, again this isn't perfect security, but is have a passphrase on your phone, AND a separate one on your 2FA (in my case, you have to have my thumb to open Authy). Again, I stress that there is no perfect method that will make you unhackable, and if someone really wants it bad enough, there is always the $5 wrench. So, I think that doing a reasonable amount of preventative work, and getting into good security habits is effective for most accounts, while more extreme measures could be worthwhile for very large accounts, or for corporate accounts.

Really want to continue this conversation, so let me know your thoughts.

Pretty sure interested is compounded hourly so if someone returns a swap after 3 hours you only receive 3 hours of interest, not 1 whole day.  

This is an interesting post, and I am looking into it. However, one thing off the bat, I can't just create any email account and then email from it. You have to email FROM THE EMAIL USED TO OPEN THE ACCOUNT. So, as long as you were the original user to open the account, you should
A) Know what email was used.
B) Be the only one to have access to it.

It looks like Bitfinex could use some serious improvement in their routines regarding user security. And I think we should help them by brainstorming ideas for exactly how this should be done or just have a little public debate.

THE ISSUE:


I use 2FA on Bitfinex - but what is it worth if someone can just make a [email protected] e-mail account and send them an e-mail asking them to disable it?

Not sure if I should try making some random e-mail account and bug them to give me my password and disable my 2FA using that just to see what happens.. perhaps I should do it, but not right now due to this posting, perhaps in a week or month or two months... As the above message shows: Attacking them just to see what happens is probably a good idea.

You would obviously need to have the Bitfinex username and password already to gain anything from disabling someone's 2FA - but even so, disabling 2FA should just not be simple. On the other hand, it could happen that someone does need them to disable their own 2FA for legitimate reasons - like .. your 2FA device is stolen/broken/flushed down the toilet (happened to a friend once) and you do not have a few encrypted USB sticks or a paper backup of the 2FA seed. There is also the question of "what would my family do if I die in a horrible car accident" (hint: make sure a family member you really trust, blood not "love", knows how to clear out your BFX account prior to this happening).

I for one would like Bitfinex to have the option of adding a GnuPG key. If a message comes from my e-mail signed by my GnuPG key then it is likely me. Weaknesses: a) Some customers will inevitably put all eggs in a very weak basket: Their mobile phone. b) your GnuPG key is probably on your computer and you type your password in on your computer so if that is owned..

A quick note on mobile phones here: They are CHEAP. As in get a $50 Android phone JUST for 2FA. Never bring it anywhere and never use it for anything else. If you have 1 Android phone and you a) use it for 2FA b) use it for e-mail and have your username and password permanently stored on it and c) have your secret GnuPG key on it and type your password into it all the time..   You're doing it wrong. If there is also a d) you use this device to login to Bitfinex.. then you are not using 2FA, you're using 1FA as in 1 device needs to be owned and you're screwed.

What I would like to see here is ideas on what the requirements should be for Bitfinex to accept "I forgot my password" and "Please disable my 2FA". My personal view is that the answer could be as strong as "Fly to our office and show us your ID" but I realize that many will not agree..

"Reddit"-style ID could also be a thing: Write the date and "please disable 2fa I screwed up" on a piece of paper and take a photo of yourself holding that and your ID (which they can verify against the verification documents they have in cold storage)? perhaps with shoe on head to top it off? I know this idea may sound a bit silly but ANYTHING is better than "just send an e-mail saying disable my 2fa plz"

Some threat models to consider:

* The adversary has owned your mobile phone. Everything on it is accessible to the adversary (which could include e-mail account, 2FA, Bitfinex login details as you type them in)
* The adversary has owned your computer and everything on it and knows everything you type but not your mobile phone (or your main mobile phone but not your dedicated 2FA phone)
* The adversary has owned your e-mail but nothing else.
* The adversary has owned your Bitfinex username and password but nothing else (only 2FA stands in the way).

I know I've been ranting. I'd just like some input and attention to this issue and I would not like to find my Bitfinex account empty one morning because someone used social engineering and/or script-kiddie level "hacking" to fool them into handing out my password and disabling my 2FA.

People are talking about futures trading.  I really hate the existing futures at 796 / OKCoin / etc., not because of the counter-party risk, but that it is settled in BTC - if it's like real commodities futures, where it's settled by 'physical delivery', or paying the difference in fiat - I'm all for it.  Imagine you went short BTC, BTC fell which is great, but then you get paid by having more BTC in your account - o crap, now you have more of the thing that you wanted to short in the first place!

2586, much appreciate people giving thoughts to the issue - but I see this as a "big" change.  The (x=0, y=0) => lend at highest available swap demands will kill all the swap demand; I wouldn't be shocked if a lot of people leave it or make it x=0 , y =0.

• Place new swap offers at x%
• Reduce swap offer rate by y% for each hour(or minute?) that it remains unfilled
• Do not reduce swap offer rate below z%

This one also has the advantage that default values can be provided, since it will still create a range of offers even if everyone uses the same parameters.

I believe my idea of creating an 'effective FRR' by charging a markup over FRR (do not change the way FRR is calculated) involves less disruption to the way people react to it right now, it somewhat solves the wall issue as lending offers that are taken slightly below FRR will still result in FRR increasing.

Woah, what happened there?

BTC Swaps just halved from under 10k to 5. Was there any corresponding price action?

Here's an idea for replacing the FRR while still catering to lazy lenders.

When choosing variable rate autolending, lenders will have two parameters to set:

• Allow no more than $x of competing offers to be priced lower than or equal to mine
• Do not reduce my offer below y%

Do not provide default values.

The system should place the lenders offer as high as it can without violating the specified parameters. If two competing offers would end up in a race to the bottom (for example, x=0, y=0), just match them with the highest available swap demands.

This would break up the massive FRR wall while still allowing autolenders to benefit from increases in swap demand.

An alternative that might be simpler to implement:

• Place new swap offers at x%
• Reduce swap offer rate by y% for each hour(or minute?) that it remains unfilled
• Do not reduce swap offer rate below z%

This one also has the advantage that default values can be provided, since it will still create a range of offers even if everyone uses the same parameters.

Wouldn't the swap/FRR issues solve themselves if it was possibly to take (cheap) swap offers and lend them out at higher rates?

Nearly everyone wins here:
- the cheap lenders can set everything on auto-pilot
- those who care to micro-manage their swaps can use market inefficiencies to earn some more
- more commission for BFX

if i offer swap of btc for 2 days and some ppl take it only for 3 hours, do i receive interest of 1 day or  just 3 hours


thanks