Topic: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc (Read 5118 times)

I think you actually have to be able to control both messages to generate a collision - that's actually the definition of one. In order to be able to generate a second message that gives the same hash as an existing message you need a preimage attack, and I don't think those are practical against MD5 yet.

We've received feedback from users that love not being logged out and more that would prefer the additional security.
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness  
We're coding it in as I write this and it should be live today after extensive testing.

Edit: looks like you still have to have knowledge of both messages to generate a collision.

Well's just the thing: MtGox did salt (AFAIK) and I -did- have a good password and it still bombed, mostly because I believe they only used 1 iteration of MD5.

Thanks Jared.

I sent an email just now to you.

I currently can't login to tradehill.

Not sure what my password is, and there's no password recovery feature. 

Well's just the thing: MtGox did salt (AFAIK) and I -did- have a good password and it still bombed, mostly because I believe they only used 1 iteration of MD5.

That's why I mention PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2, RFC 2898--http://tools.ietf.org/html/rfc2898).  Hell, you couldn't rely on BlackBerry encryption for a while, as ElcomSoft found out that RIM only used one iteration of AES256.  (Apple's iOS uses 10,000 iterations, IIRC).

I'm no security / crypto expect by any means, but I think I got most of that right.  I'm more worried about my BitCoins at TradeHill than I am, say, about my regular bank and USD because of the pseudo-anonymous nature of BTC.

Sorry to be such a pain!

TradeHill – Security Update – Round 1 (PCI Compliance)

Immediately after the Mt Gox hack and database leak was announced we shut down our site to provide adequate time for users to reset their passwords. We noticed there were considerable attempts to brute force accounts that had the same user name on Mt Gox and TradeHill. In response we installed a captcha system and auto locked out accounts with too many failed login attempts. To the best of our knowledge this was 100% effective and have not received one email concerning a compromised account on TradeHill.com   

TradeHill is proud to announce that our first round of security upgrades is complete.
We will be continuing to release updates regarding our security and upgrades to TradeHill.com

TradeHill is now PCI Compliant.

We have completed and passed a security audit by Trust Guard the leading online 3rd party website verification service. Trust Guard has searched our site for over 43,000 known vulnerabilities including SQL injection, XSS and many more and performed an ASV certified scan.  This can be verified with the Trust Guard seal on our main page before you log in (when logged in it goes away to avoid clutter).

Our site will be scanned daily for new vulnerabilities and if detected they will be taken care of immediately.

Additionally we have had our corporate contact information (US address and phone numbers) verified to confirm that we are operating in the United States as well as Chile.

User privacy is a very serious issue.
We have updated our privacy policy and are now compliant with:


The Federal Trade Commission Fair Information Practices.

The California Online Privacy Protection Act.

The Childrens Online Privacy Protection Act.

The Privacy Alliance guidelines.

The CAN-SPAM Act.



We believe that this is the bare minimum that an exchange should be operating at.

PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAffe doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago. 

We are continuing to improve our security and will release updates as information becomes available. At the moment our source code and procedures are being verified by a 3rd party as well and we are working with top names in the security business. We will be happy to release their findings when they are complete.

We are also implementing dual authentication and other security features which will be  announced soon.

If you have a long complex password and we hash / salt it that should be sufficient.

How does Tradehill feel about the fact that people are spamming the general message board with ads for their service?

Next seal to get, both TH and CBX is the BBB seal. I know some dont like that seal and I can see some things about I dont like aswell. But its yet another seal of approval from a respected institution. The BBB seal is not easy to get.

I was wondering how much safety would work this:
1) Cascade ciphering.
2) Dividing the final hash in two or more parts.
3) Storing the different parts of the hashes in different servers.

Such an exotic configuration would confuse any low level attacker who simply thinks about dumping databases.
There is some security through obscurity here, but tactically obscurity is always an ally.

And even if the attacker manages to match the hashes, brute forcing would be painfully slow.

You should make it optional to not get logged out. That way both groups are happy.

10 minutes of inactivity now causes a logout.