Topic: TradeHill - Captcha and lockout added to the site (Read 2111 times)

legendary
Activity: 2618
Merit: 1007
Where is EST relative to GMT?
10 am EST = 3 pm GMT (they might have DST in EST though for example which I'm not 100% aware of - this is why you should use UTC!)

Edit:
Oh yes, and the Captcha is a joke!
legendary
Activity: 1974
Merit: 1029
We are scheduled to resume trading at 10am Monday morning EST.

Where is EST relative to GMT? Not everyone lives there/knows that.

(Actual answer not needed, I know how to use google but it's annoying.)
sr. member
Activity: 360
Merit: 250
Your captcha is useless and annoying.  There are better ways to prevent oracle attacks.

If anyone is interested in breaking this style of captcha, the basic technique is: intensity histogram, contrast, despeckle, horizontal histogram, cut letters/find hulls, unrotate and rescale, build grid, lookup in database.  Building the database in advance is the hardest part, and it is really only hard if the site under protection isn't worth getting into.

Captchas were great 10 years ago, when not everyone knew how to break them.  By now, they have to be nearly unreadable to be effective.  Within a few years, I suspect that getting a correct answer for a difficult captcha will be taken as evidence against the humanness of the interpreter.

Well, that's one way to do it. Much easier is paying a kid in China $0.01 to do it for you.
legendary
Activity: 1615
Merit: 1000
I second the call for two-factor authentication, though I'd prefer a list of numbers as banking sites use. Google's system uses SMS, as far as I know, and I'm not giving them my number. So, let the user print a list of one-time passcodes, a random one of which will be asked for when logging in, and when only 10 or so unused codes remain, tell the user to print a new set.
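One way to implement the printed one-time-code sheet described in this post (an added example, not TradeHill's code or the poster's; class, function and constant names are my own): the codes are shown to the user exactly once, only salted hashes are kept server-side, the server chooses which slot to challenge, each code is burned after a single use, and a reprint is requested once 10 or fewer unused codes remain.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

CODE_COUNT = 50        # assumed sheet size
LOW_WATER_MARK = 10    # the post's "10 or so unused codes remain"
PBKDF2_ROUNDS = 20_000 # kept low for the example; tune upward in production


def _hash_code(salt: bytes, code: str) -> bytes:
    # Only a salted, stretched hash is stored, so a database leak
    # does not hand an attacker the user's unused codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class OneTimeCodeSheet:
    salt: bytes
    hashes: list  # one entry per printed code; None once that code is used

    @classmethod
    def issue(cls, count: int = CODE_COUNT):
        # Returns the sheet to persist and the plaintext codes to print ONCE.
        salt = os.urandom(16)
        codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(count)]
        return cls(salt, [_hash_code(salt, c) for c in codes]), codes

    def unused(self) -> list:
        return [i for i, h in enumerate(self.hashes) if h is not None]

    def challenge(self) -> int:
        # The SERVER picks a random unused slot and should pin it to the
        # login session until answered, so a client cannot choose the slot
        # (or refresh until a slot it has already seen comes up).
        return secrets.choice(self.unused())

    def verify(self, slot: int, submitted: str) -> bool:
        expected = self.hashes[slot]
        if expected is None:          # already used: never accept a replay
            return False
        ok = hmac.compare_digest(expected, _hash_code(self.salt, submitted))
        if ok:
            self.hashes[slot] = None  # burn the code on successful use
        return ok

    def needs_reprint(self) -> bool:
        return len(self.unused()) <= LOW_WATER_MARK
```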
kjj
legendary
Activity: 1302
Merit: 1026
Your captcha is useless and annoying.  There are better ways to prevent oracle attacks.

If anyone is interested in breaking this style of captcha, the basic technique is: intensity histogram, contrast, despeckle, horizontal histogram, cut letters/find hulls, unrotate and rescale, build grid, lookup in database.  Building the database in advance is the hardest part, and it is really only hard if the site under protection isn't worth getting into.

Captchas were great 10 years ago, when not everyone knew how to break them.  By now, they have to be nearly unreadable to be effective.  Within a few years, I suspect that getting a correct answer for a difficult captcha will be taken as evidence against the humanness of the interpreter.
hero member
Activity: 767
Merit: 500
How about accepting OpenID, then people could use Google's two-factor authentication?

Will
sr. member
Activity: 420
Merit: 250
Thanks Nhodges

A simple but effective measure could be to force email confirmation for any withdrawal.

In the longer term, I really hope to see GPG authentication required for big trades.

We manually verify the big transfers. We held up a 2500btc transfer earlier and a few 500btc or so transfers.
Most likely legit but we prefer to take the time to send an email than risk someone logging in to find their Bitcoins missing.

We spent a lot of time tonight discussing different possibilities and will be implementing more features soon.
sr. member
Activity: 428
Merit: 254
A simple but effective measure could be to force email confirmation for any withdrawal.

In the longer term, I really hope to see GPG authentication required for big trades.
sr. member
Activity: 322
Merit: 251
Cool, I can go to sleep and not worry that the trading is going to resume while my eyes are closed. :] Great talk on OnlyOneTV about forthcoming security improvements, excited to see them implemented!
sr. member
Activity: 420
Merit: 250
No one likes to use captchas but site security is paramount.
We've added one to our login, and multiple failed attempts will now cause a lockout.
This should reduce the chances of an effective brute force attack.

If you have used the same password on Mt Gox and TradeHill you should change it as soon as possible.

We are scheduled to resume trading at 10am Monday morning EST.

We will be continually reevaluating and upgrading our security.