ASICMINER shares are tied to addresses. Exchanges hold the shares themselves, they are passthroughs.
We use Google's 2FA security model - you can disable 2FA without entering the code in case you lost your phone - this requires you to have a signed in session. Sessions are both IP and user agent locked.
Our site is secure against XSS attacks, as well as CSRF attacks.
Thanks for your feedback! One of the directions we may be going into is a multicurrency wallet with a built in exchange. However, we also want to focus on the core for now.
I can accept 2FA being disabled without requiring the code. It is more concerning that the 2FA secret is shown on the account details page. I believe the best practice adopted by Google / Dropbox is to not reveal the secret once enabled, and to use a new secret if 2FA was disabled then reenabled.
Hey, thanks for answering my questions, and I certainly hope you support LTC in the future. You only have to read
this thread to see how the lack of a secure & trusted online wallet for LTC is an opportunity for scammers and hurts the cryptocurrency community.