
Topic: TradeHill - False emails claiming to be from us or Mt Gox

newbie
Activity: 10
Merit: 0
Quote:
We've only sent one mass email (I don't believe it had a link in it)

Quote:
3) Do NOT EVER click a link in an email, or hit reply, and provide any private information to what you think is a request from your bank or financial institution.  It isn't.  It's a scam.

Ahem. OK, you didn't give a login link, just a URL to a blog (which I still had trouble believing was actually associated with Tradehill, because I'd never seen it before). However, as pointed out, training customers to click on URLs in emails sent by a financial institution is irresponsible.

Much better would be to show me that message after I logged into the site.
full member
Activity: 126
Merit: 100
Quote:
1. Such as no links in e-mails.
2. If you see an e-mail that has a link or is suspicious please report it to [email protected]
3. Do not enter your credentials on a site that looks suspicious.
4. If you come to the website and it's missing an HTTPS (secure) then do not provide any information and report it to [email protected]
5. XXXX company does not provide login forms on any other site other than XXXX proper.

For what it's worth, this is a good idea and these are good points.  I'd sort them out as follows:

FOR BANKS/EXCHANGES:

1) Send no email that contains URLs in the message body.
2) Use SSL for all Web pages that contain web forms or solicit input from users.
3) Provide no logins or access from any site other than the specified site.

FOR USERS:

1) Assume that emails that contain links or ask for information are scams and report them to [email protected], which forwards them to the proper location.
2) Report web URLs that begin with anything other than "https" to [email protected].
3) Do NOT EVER click a link in an email, or hit reply, and provide any private information to what you think is a request from your bank or financial institution.  It isn't.  It's a scam.

I also recommend that Mt. Gox, Tradehill, CampBX, Flexcoin, and any other Bitcoin bank or exchange designate a specific person responsible for security in their system, and that this person keep on top of security issues.  For example, I would hope that the people responsible for these sites are aware of a major hack/compromise in the SSL security system that was reported a couple of weeks ago -- the DigiNotar hack.  To summarize, one of the links in the security chain that ensures SSL connections are secure was hacked and extremely good forged certificates were issued for several heavily used web sites, such as Google, Yahoo, the Tor Project, and others. That allowed the hackers to intercept secure SSL communications between these sites and users. It appears that the Iranian government, not cyberthieves, was responsible -- THIS time.  But a group of cyberthieves could just as easily have issued certificates for Bank of America, CitiBank, Wells Fargo, or somewhere else where people keep money, snooped THOSE communications, and... You get the idea.

If you want the details on this hack, PM me or email me and I'll fill you in.  (It's highly technical and off-topic here.)  But Bitcoin isn't immune from this sort of thing.  Somebody at each Bitcoin bank and financial site needs to keep on top of this and be responsible for taking active security measures to fend off the bad guys.
sr. member
Activity: 420
Merit: 250
Quote:
it works..  the vast majority of flexcoin clients know the policy...  you know perhaps we should formalize some sort of standard for bitcoin companies that accept that policy (you, mtgox, campbx, flexcoin) ...  literally a jointly owned site that has some basic security initiatives that apply directly to our clients.  Just basic things that individuals can do to ensure they are not getting phished for example.

1. Such as no links in e-mails.
2. If you see an e-mail that has a link or is suspicious please report it to [email protected]
3. Do not enter your credentials on a site that looks suspicious.
4. If you come to the website and it's missing an HTTPS (secure) then do not provide any information and report it to [email protected]
5. XXXX company does not provide login forms on any other site other than XXXX proper.

If the site is signed by all companies involved it would at least give a comfort level for both us and our clients knowing that individuals have a clearly labeled security policy to protect themselves.

I like the idea and was going that direction. Shoot me an email to my personal address and if you don't have it PM me yours and we can talk. We all worked together really well and recently there has been more movement apart. This community is what brought us to where we are today and we need to stick together.

Jered

P.S. Agreed, nothing is bulletproof, but everything that can help without being too much of a pain to the user is welcome.
sr. member
Activity: 448
Merit: 251
Bitcoin
Quote:
Honestly I think you guys and Mt.Gox should follow flexcoin on this policy, no links in e-mails.

It will help stop crap like this happening to our clients.

Quote:
It would help, but most people tend to forget that. Just saying that there won't be any emails with links is not a bulletproof technique.


nothing is ever really bulletproof...  but at least it's another roadblock...  The idea is just to try to protect the end users.

sr. member
Activity: 448
Merit: 251
Bitcoin
it works..  the vast majority of flexcoin clients know the policy...  you know perhaps we should formalize some sort of standard for bitcoin companies that accept that policy (you, mtgox, campbx, flexcoin) ...  literally a jointly owned site that has some basic security initiatives that apply directly to our clients.  Just basic things that individuals can do to ensure they are not getting phished for example.

1. Such as no links in e-mails.
2. If you see an e-mail that has a link or is suspicious please report it to [email protected]
3. Do not enter your credentials on a site that looks suspicious.
4. If you come to the website and it's missing an HTTPS (secure) then do not provide any information and report it to [email protected]
5. XXXX company does not provide login forms on any other site other than XXXX proper.

If the site is signed by all companies involved it would at least give a comfort level for both us and our clients knowing that individuals have a clearly labeled security policy to protect themselves.

sr. member
Activity: 420
Merit: 250
Quote:
Honestly I think you guys and Mt.Gox should follow flexcoin on this policy, no links in e-mails.

It will help stop crap like this happening to our clients.

We've only sent one mass email (I don't believe it had a link in it) and I like your policy; we may do the same.

The problem is if the user isn't well aware of this policy and can't tell the difference between phishing and real emails, it doesn't help as much. For example, AOL would put "never give out your login info over IM" on every IM window and people were handing them over right and left.

Thanks for the good feedback.

Jered
hero member
Activity: 602
Merit: 502
Quote:
Honestly I think you guys and Mt.Gox should follow flexcoin on this policy, no links in e-mails.

It will help stop crap like this happening to our clients.

It would help, but most people tend to forget that. Just saying that there won't be any emails with links is not a bulletproof technique.
sr. member
Activity: 448
Merit: 251
Bitcoin
Honestly I think you guys and Mt.Gox should follow flexcoin on this policy, no links in e-mails.

It will help stop crap like this happening to our clients.

sr. member
Activity: 420
Merit: 250
Blog post here: http://wp.me/p1H2Vt-3b


We have been receiving reports of emails claiming to be TradeHill.  These emails contain a link to a site which also claims to be TradeHill and will steal your login. Security is paramount at TradeHill and we take this very seriously.

It appears that these emails are being sent to users who had an email address stored at Mt Gox when they were hacked.

We encourage you to use a completely different login at every site. We also provide 2 factor authentication to help protect against this type of attack. You can read about our 2 factor authentication here http://wp.me/p1H2Vt-d.

You should never follow a link claiming to be from TradeHill or any other Bitcoin service unless you are absolutely sure of the origin. TradeHill rarely sends emails and will not send unsolicited emails requiring you to follow a link.

Below is an example of the type of emails being sent out. Do not follow or respond to these emails.

------------------------------------------------------------------------------------------------------------------------

Dear TradeHill user,

Your account will be blocked for violating the rules of exchange.
Details: https://www.tradehill.com/User/Blocked

Thanks,
The TradeHill team

------------------------------------------------------------------------------------------------------------------------


Once again, please do not click on these emails; they are not from TradeHill.

Jered

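As an added example (not TradeHill's or flexcoin's code, and not part of the original thread), the script below applies the rules proposed in this thread to a raw e-mail: it flags any link at all (the "no links in e-mails" policy), any link that is not https, any link whose host is not the first-party site, and, in HTML mail, any anchor whose visible URL text differs from the real href, which is the trick the forged message above relies on. The sender address, the lookalike hostname in the href and both sample messages are constructed for this example; the thread does not show where the real phishing link pointed.

```python
"""Added example: flag the phishing indicators discussed in this thread.
Rules checked (from the thread's proposed policy):
  - the exchange sends no links at all, so any URL is suspicious;
  - every link must be https;
  - every link must point at the first-party site, not a lookalike host;
  - in HTML mail, the visible URL text must match the real href.
Both sample messages below are constructed for this example, not real mail."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "tradehill.com"  # the legitimate site named in the thread
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
NO_LINKS = "link present (policy: the exchange sends no links in e-mail)"


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_first_party(host):
    """True only for the first-party domain or a genuine subdomain of it.
    A substring test ('tradehill.com' in host) would wrongly accept
    lookalikes such as www.tradehill.com.login-verify.invalid."""
    host = (host or "").lower().rstrip(".")
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)


def check_url(url, visible=None):
    """Return the findings for one link; an empty list means it passed."""
    findings = []
    target = urlparse(url)
    if target.scheme != "https":
        findings.append(f"not https: {url}")
    if not is_first_party(target.hostname):
        findings.append(f"host is not {FIRST_PARTY}: {target.hostname}")
    shown = urlparse(visible) if visible else None
    if shown and shown.scheme and shown.hostname and \
            shown.hostname.lower() != (target.hostname or "").lower():
        findings.append(f"visible text {visible!r} actually points at {target.hostname}")
    return findings


def analyze(raw_message):
    """Walk the text parts of a raw RFC 5322 message and collect findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = _Anchors()
            parser.feed(part.get_content())
            links = parser.anchors
        elif ctype == "text/plain":
            links = [(u, None) for u in URL_RE.findall(part.get_content())]
        else:
            continue  # attachments, images, multipart containers
        for href, visible in links:
            findings.append(NO_LINKS)
            findings.extend(check_url(href, visible))
    return findings


# Constructed to mirror the forged message quoted in the thread: the visible
# text is the real site, the href (invented here) is a lookalike host over http.
PHISH = """\
From: "TradeHill" <support@tradehill.com>
To: user@example.com
Subject: Your account will be blocked
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Dear TradeHill user,</p>
<p>Your account will be blocked for violating the rules of exchange.<br>
Details: <a href="http://www.tradehill.com.login-verify.invalid/User/Blocked">https://www.tradehill.com/User/Blocked</a></p>
<p>Thanks,<br>The TradeHill team</p>
"""

# Constructed example of mail that follows the "no links" policy.
LEGIT = """\
From: "TradeHill" <support@tradehill.com>
To: user@example.com
Subject: Scheduled maintenance
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Trading will pause for maintenance on Sunday. Log in to the site as you
normally do to read the full notice; we never send links in e-mail.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw) or ["no findings"])
```

Run it directly to print the findings for both constructed messages. The host check tests the registrable domain as a dot-separated suffix rather than as a substring on purpose: `www.tradehill.com.login-verify.invalid` contains the legitimate domain but is not it, and that is exactly the kind of host a forged "Details:" link points at. Note that the `From:` header is not checked, since it is trivially forged and the thread's own advice is to distrust the link regardless of who the mail claims to be from.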