Author

Topic: Poloniex 2FA sucks (Read 4949 times)

sr. member
Activity: 364
Merit: 250
Owner of Poloniex
July 23, 2014, 11:59:38 AM
#6
I feel I should point out that signing messages is not proof of ownership of your account. It is proof of ownership of the address. People withdraw to addresses they don't own every day, and deposit from addresses they don't own as well (pools, other exchanges).
full member
Activity: 176
Merit: 100
July 20, 2014, 04:31:52 PM
#5
Hey Guys,

Poloniex just disabled 2FA for me.

Hopefully in the future they will have better security practices for disabling 2FA.

This thread can be closed if the mods want, my issue is resolved.

I think people with a large amount of money in Poloniex should be concerned however, because accepting TX ids for 6 deposits/withdrawals as enough proof to reset 2FA is scary unsecure.
full member
Activity: 176
Merit: 100
July 20, 2014, 02:34:08 PM
#4
Do you have a lot of funds stuck in there?
Around .2 btc I think. Not much Smiley I had 6 btc in Mintpal when my phone died... I'm glad they know how to verify signed messages Smiley


LOL, better way to prove our account is from signed message on withdrawal address
and poloniex refuse it? i think their staff doesn't know about signing message Grin
try to link your thread here : https://bitcointalksearch.org/topic/annexchange-poloniex-crypto-exchange-with-btcnxt-420836
maybe any of poloniex staff read it
Hi KimNam, yeah, thats what I figured. I asked them to re-assign the ticket to someone who knows how to verify digital signatures. Haven't heard back yet. Thanks for linking to this thread in the Poloniex thread.

Thanks for chiming in guys, maybe poloniex will listen up train their staff on how to verify signed messages!

Poloniex: Please specify which deposit address you'd like me to sign a message from. I can sign messages on coinbase, I just don't know which coinbase transactions are deposits. This is why I signed using a withdrawal address. So please reply to my ticket and assign it to someone who knows how to run bitcoind verify!
hero member
Activity: 644
Merit: 500
July 20, 2014, 02:02:56 AM
#3
LOL, better way to prove our account is from signed message on withdrawal address
and poloniex refuse it? i think their staff doesn't know about signing message Grin
try to link your thread here : https://bitcointalksearch.org/topic/annexchange-poloniex-crypto-exchange-with-btcnxt-420836
maybe any of poloniex staff read it
member
Activity: 98
Merit: 10
★☆★Bitin.io★☆★
July 19, 2014, 11:40:30 PM
#2
Wow something to keep in mind if you use Poloniex. Their site was really slow and clunky the last time I used it to sell doge coins. Do you have a lot of funds stuck in there?
full member
Activity: 176
Merit: 100
July 19, 2014, 04:53:26 PM
#1
TL;DR: Poloniex 2FA sucks. If someone knows your address they can have it turned off. But a signed message (legitimate proof) is ignored.

My story: Phone died, contacted support, requested 2FA be disabled and SIGNED THE MESSAGE with my withdrawal address private key.
Poloniex's refused. They want me to either (1) provide 6 TX IDs for deposits or (2) provide my entire transaction history (from coinbase) so they can find the deposit transactions themselves.

In other words, anyone who knows my deposit address can have them turn off 2FA simply by providing 6 tx IDs of recent deposits or withdrawals. How secure is that? Thats right on the blockchain if anyone knows my deposit/withdraw address. If you label your addresses in Bitcoin-Core no password is needed to see what address is labeled Poloniex. I don't think knowing someone's deposit/withdraw address should be enough to get 2FA turned off.

But the part that baffles me is that they don't accept the signed message and they think I should hand over my whole coinbase tx log.

Sure; I don't have my addresses labeled in Coinbase because you CAN'T label them in coinbase so I don't know which transactions are deposits into Poloniex. But why should I hand over all my private financial info? Just tell me what address I used to send deposits and I'll happily sign a message from my coinbase address.

In summary:
  • Letting someone with 6 TX ID's turn off 2FA is horribly insecure. You ought to be ashamed of considering this proof.
  • A signed message is the perfect proof, but Poloniex entirely ignored the fact that my message was signed. Maybe their staff doesn't know how to verify signed message, IDK, but this is crazy!
  • Requiring me to give them my entire coinbase transaction history is ridiculous considering I've offered to sign a message from any withdraw or deposit address they specify.

PS. Kuddos to Mintpal and Cryptsy. They know how to verify signed messages, so I'm happily logged back into my account.

To Poloniex: if you're reading this please check my support ticket, assign it to someone who knows how to verify signed messages, and get this issue resolved!
Jump to: