Topic: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc - page 2. (Read 5158 times)
June 30, 2011, 05:09:09 PM
good jobs guys!
June 30, 2011, 05:03:44 PM
@Jered Kenna: Thanks for the info! I definitely feel better now.
My MtGox password was cracked (I thought it was pretty good--11 characters, including punctuation, numbers, and upper-/lower-case letters), so I'm pretty concerned with how you store your passwords.
I hope to God it's not MD5-based. Hopefully something like http://en.wikipedia.org/wiki/PBKDF2. Can you speak toward this? I know it's a fairly technical question, but hey, this is Bitcoin land.
My MtGox password was cracked (I thought it was pretty good--11 characters, including punctuation, numbers, and upper-/lower-case letters), so I'm pretty concerned with how you store your passwords.
I hope to God it's not MD5-based. Hopefully something like http://en.wikipedia.org/wiki/PBKDF2. Can you speak toward this? I know it's a fairly technical question, but hey, this is Bitcoin land.
I will have to talk to the coders to get a more specific response but I know they are encrypted with something better than MD5 and salted.
I honestly believe we were secure before the Mt Gox hack but are more secure now and will continue to improve.
June 30, 2011, 04:52:52 PM
You have significantly raised my confidence in Trade Hill. I'm glad I chose Trade Hill over Mt Gox and I will continue to do so
I have a suggestion that could help prevent theft. I think it would be a good idea to have a feature that will give users an option delay every withdrawal for 24 hours and to automatically send an email/sms every time a withdrawal is made. If the withdrawal is fraudulent then the account owner will be able to call a 24/7 fraud hotline and temporarily lock the account until the owner of the account is verified via a registered telephone number or a copy of a drivers license.
OR
How about an automated system that calls or sends an sms to verify a withdrawal. That way in order for an account to be hacked the hacker would also need to steal the account owners phone...which to me seems like an extremely unlikely scenario.
I have a suggestion that could help prevent theft. I think it would be a good idea to have a feature that will give users an option delay every withdrawal for 24 hours and to automatically send an email/sms every time a withdrawal is made. If the withdrawal is fraudulent then the account owner will be able to call a 24/7 fraud hotline and temporarily lock the account until the owner of the account is verified via a registered telephone number or a copy of a drivers license.
OR
How about an automated system that calls or sends an sms to verify a withdrawal. That way in order for an account to be hacked the hacker would also need to steal the account owners phone...which to me seems like an extremely unlikely scenario.
We're actually working out the details on something like that which would be required to log in.
Obviously theft is the most likely reason someone would try to hack in but if we can prevent them from getting in then
we also prevent them from using someone else's funds to manipulate the market or just selling them all off.
June 30, 2011, 04:06:22 PM
Thanks for the info! I definitely feel better now. My MtGox password was cracked (I thought it was pretty good--11 characters, including punctuation, numbers, and upper-/lower-case letters), so I'm pretty with how you store your passwords.
I hope to God it's not good. Hopefully something like. Can you speak toward this? I know it's a fairly technical question, but hey, this is Bitcoin land.
I hope to God it's not good. Hopefully something like. Can you speak toward this? I know it's a fairly technical question, but hey, this is Bitcoin land.
June 30, 2011, 03:51:49 PM
You have significantly raised my confidence in Trade Hill. I'm glad I chose Trade Hill over Mt Gox and I will continue to do so
I have a suggestion that could help prevent theft. I think it would be a good idea to have a feature that will give users an option delay every withdrawal for 24 hours and to automatically send an email/sms every time a withdrawal is made. If the withdrawal is fraudulent then the account owner will be able to call a 24/7 fraud hotline and temporarily lock the account until the owner of the account is verified via a registered telephone number or a copy of a drivers license.
OR
How about an automated system that calls or sends an sms to verify a withdrawal. That way in order for an account to be hacked the hacker would also need to steal the account owners phone...which to me seems like an extremely unlikely scenario.
I have a suggestion that could help prevent theft. I think it would be a good idea to have a feature that will give users an option delay every withdrawal for 24 hours and to automatically send an email/sms every time a withdrawal is made. If the withdrawal is fraudulent then the account owner will be able to call a 24/7 fraud hotline and temporarily lock the account until the owner of the account is verified via a registered telephone number or a copy of a drivers license.
OR
How about an automated system that calls or sends an sms to verify a withdrawal. That way in order for an account to be hacked the hacker would also need to steal the account owners phone...which to me seems like an extremely unlikely scenario.
June 30, 2011, 03:41:25 PM
Jered,
Is there any way for me to change the email address in tradehill account?
I have been trading on tradehill without any issues till now.
So good work!
Is there any way for me to change the email address in tradehill account?
I have been trading on tradehill without any issues till now.
So good work!
We're working on that one, it's a little more complicated.
If you are only holding Bitcoins you could transfer them to a new account you create and request us to delete (or just leave the old one).
Ideally you will be able to move BTC and currencies internally soon.
I'd suggest that if you were on the Gox list. I was and unfortunately had to do that as well with one account. I used a complex unique password but it's not worth the risk.
It's on the list but not at the top, we have other features / security issues that we think would benefit more people. Until we have a room full of programmers we're going to have to prioritize unfortunately.
Lamentably that's the best answer I can give you now but we'll give you the truth every time.
June 30, 2011, 03:30:38 PM
Jered,
Is there any way for me to change the email address in tradehill account?
I have been trading on tradehill without any issues till now.
So good work!
Is there any way for me to change the email address in tradehill account?
I have been trading on tradehill without any issues till now.
So good work!
June 30, 2011, 03:29:02 PM
Fantastic, they really are trying alot harder than gox i think
June 30, 2011, 03:26:00 PM
I think some things standard on other sites are just security theater: Like "login seals" tied to browser cookies.
Or maybe, even CAPTCHAs you have to type in every time you log in.
Edit: 600 seconds is too short a time-out, IMO. It may not be too bad resetting every time you do something though. On this forum, the default 60 minute timeout logs you out, even if you are in the middle of browsing the forum.
Or maybe, even CAPTCHAs you have to type in every time you log in.
Edit: 600 seconds is too short a time-out, IMO. It may not be too bad resetting every time you do something though. On this forum, the default 60 minute timeout logs you out, even if you are in the middle of browsing the forum.
June 30, 2011, 03:24:43 PM
of course I obviously can manually log out, that isn't the point though.
I thought that is a standard on financial sites, it's been the standard with what finance sites I use currently.
I could also not use the site but that isn't the point either right?
I thought that is a standard on financial sites, it's been the standard with what finance sites I use currently.
I could also not use the site but that isn't the point either right?
10 minutes of inactivity now causes a logout.
I like that you now have a published mailing address. I can send you my public key fingerprint (CBDE CFB6 BB6A 2BB5 FDE1 01C5 3CF6 0C5E 1CFD A27B) out-of-band now.
Is trading possible with EMCA scripting disabled? I found I was not able to get your banking information without enabling scripting.
Is trading possible with EMCA scripting disabled? I found I was not able to get your banking information without enabling scripting.
Let me get back to you on this one, I'm not a coder, I've sent an email to them.
This is good news for the whole community. Although Ive never heard of the seal provider so I looked it up. The four seals I reviewed were Trust Guard, Verisign, McAffe and Comodo. I still favor McAffe. Any trust seal with dailly testing is better then nothing. Next seal to get, both TH and CBX is the BBB seal. I know some dont like that seal and I can see some things about I dont like aswell. But its yet another seal of approval from a respected institution. The BBB seal is not easy to get. You will have to show that you have been operating a website for at least a year.
MtGox now stands in the shadows of CBX and TH. Thank you TH and CBX for bringing conference back to the BTC community.
I have a couple of questions. The phone number, is that a VOIP/Vonage type of phone number where you can get any area code you choose? The mailing address, is that just a drop box/mail forwarding service?
MtGox now stands in the shadows of CBX and TH. Thank you TH and CBX for bringing conference back to the BTC community.
I have a couple of questions. The phone number, is that a VOIP/Vonage type of phone number where you can get any area code you choose? The mailing address, is that just a drop box/mail forwarding service?
Trust Guard has a similar seal to the BBB which we have. Basically it verifies that we are a business.
I may get the BBB if running another website for more than a year qualifies us. I need to look in to that.
The phone number is VOIP and we can answer it in the US, Chile, our cell phones etc. We are handling the bulk of our communication via email though, it makes more sense when we need to look up accounts / send info with a link to block explorer etc.
The mailing address is an office we can use but most of us are in Chile at the moment so the mail gets forwarded.
June 30, 2011, 03:11:30 PM
of course I obviously can manually log out, that isn't the point though.
I thought that is a standard on financial sites, it's been the standard with what finance sites I use currently.
I could also not use the site but that isn't the point either right?
I thought that is a standard on financial sites, it's been the standard with what finance sites I use currently.
I could also not use the site but that isn't the point either right?
June 30, 2011, 03:11:10 PM
I like that you now have a published mailing address. I can send you my public key fingerprint (CBDE CFB6 BB6A 2BB5 FDE1 01C5 3CF6 0C5E 1CFD A27B) out-of-band now.
Is trading possible with EMCA scripting disabled? I found I was not able to get your banking information without enabling scripting.
Is trading possible with EMCA scripting disabled? I found I was not able to get your banking information without enabling scripting.
June 30, 2011, 03:05:19 PM
This is good news for the whole community. Although Ive never heard of the seal provider so I looked it up. The four seals I reviewed were Trust Guard, Verisign, McAffe and Comodo. I still favor McAffe. Any trust seal with dailly testing is better then nothing. Next seal to get, both TH and CBX is the BBB seal. I know some dont like that seal and I can see some things about I dont like aswell. But its yet another seal of approval from a respected institution. The BBB seal is not easy to get. You will have to show that you have been operating a website for at least a year.
MtGox now stands in the shadows of CBX and TH. Thank you TH and CBX for bringing conference back to the BTC community.
I have a couple of questions. The phone number, is that a VOIP/Vonage type of phone number where you can get any area code you choose? The mailing address, is that just a drop box/mail forwarding service?
MtGox now stands in the shadows of CBX and TH. Thank you TH and CBX for bringing conference back to the BTC community.
I have a couple of questions. The phone number, is that a VOIP/Vonage type of phone number where you can get any area code you choose? The mailing address, is that just a drop box/mail forwarding service?
June 30, 2011, 02:58:00 PM
Even though I dont have a tradehill account its good to see the community as a whole becoming more security aware.
Best of luck with your venture.
Best of luck with your venture.
June 30, 2011, 02:56:22 PM
Sounds awesome. It did pain me to make this request, but I'm in the school where security needs to trump laziness.
Agreed, so are we.
Of course you could always manually log out if there isn't a timer but this will cure forgetfulness as well as laziness.
June 30, 2011, 02:55:25 PM
Well done 
June 30, 2011, 02:53:45 PM
According to the 4 levels of PCI certification, which level are you guys currently following?
You said that you've done network vulnerability scans, what about an annual SaQ? When it asks you if you've secured 'credit card holder data', just replace that with our 'Bitcoins'. lol.
You said that you've done network vulnerability scans, what about an annual SaQ? When it asks you if you've secured 'credit card holder data', just replace that with our 'Bitcoins'. lol.
By volume we're 3 or 4 but we've only been live for 22 days. Also we're not taking credit cards but adhering to their standards regardless.
We've done the SaQ and treated the Bitcoins as credit info like you suggest. We're treating ourselves as level 2. The next step up is on site audits for level 1.
Obviously these are huge businesses like Amazon.com etc but we're willing to go through on site audits etc and would prefer to given some time.
PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAffe doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.
At least you acknowledge the uselessness of a seal. Really, it shouldn't be a selling point - every idiot can run nmap/nessus/acunetix
Luckily (from Camp BX):
Quote
We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure
Means you're obviously 43x as secure as they are.
In all seriousness, publishing a report of a manually performed pentest or source code audit (perhaps with selected individuals) would be useful - this is 99% marketing talk like TrustGuard/McAfee sells it to their customers. But it's good to see you're at least informing your clients...
We acknowledge that this is far from a silver bullet. Regardless there are probably sites operating that would have or would currently fail these tests. This clears up the major vulnerabilities and I'm happy that we didn't have to make any corrections when we received the audit. Our existing security was sufficient.
As I said before this should be a bare minimum and we have more to come.
June 30, 2011, 02:47:00 PM
I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.
We've received feedback from users that love not being logged out and more that would prefer the additional security.
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness
We're coding it in as I write this and it should be live today after extensive testing.
Yankee: thanks for the feedback, more to come.
June 30, 2011, 02:46:24 PM
Quote
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness Grin
We're coding it in as I write this and it should be live today after extensive testing.
We're coding it in as I write this and it should be live today after extensive testing.
Solution: make it configurable up to a certain extent, with a tight default session length.
June 30, 2011, 02:43:55 PM
PCI scanning and putting a seal on your website from Trust Guard, Verisign or McAffe doesn't make you immune to all attacks but it is one step towards a safer exchange and something we should have done a long time ago.
At least you acknowledge the uselessness of a seal. Really, it shouldn't be a selling point - every idiot can run nmap/nessus/acunetix
Luckily (from Camp BX):
Quote
We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure
Means you're obviously 43x as secure as they are.
In all seriousness, publishing a report of a manually performed pentest or source code audit (perhaps with selected individuals) would be useful - this is 99% marketing talk like TrustGuard/McAfee sells it to their customers. But it's good to see you're at least informing your clients...
Jump to: