Board: Exchanges
Re: SECURITY IMPROVEMENT IDEAS FOR BITFINEX
by mjr on 17/11/2014, 02:16:18 UTC
It looks like Bitfinex could use some serious improvement in their routines regarding user security. And I think we should help them by brainstorming ideas for exactly how this should be done or just have a little public debate.

THE ISSUE:

Quote
https://www.reddit.com/r/Bitcoin/comments/2mchko/is_the_security_on_bitfinex_and_kraken_really/

A user posted this in /r/bitcoinmarkets about losing his 2FA keys

https://www.reddit.com/r/BitcoinMarkets/comments/2m944k/daily_discussion_friday_november_14_2014/cm29ldw

    For Kraken there is an option to send a temporary key to your email address to use in place of the 2FA key, which allows access to enable it again.

    For Bitfinex I emailed them and they temporarily disabled the 2FA key so I could reset it.

    For Bitstamp I emailed them and had to resend a new picture of my KYC docs; they then disabled 2FA and also virtual currency withdrawals. Once you have re-enabled it, you then send another picture of your KYC docs with a message to them asking them to re-enable BTC withdrawals.

    In terms of security it's probably stamp > kraken > finex, but in terms of customer service it's kraken > finex > stamp. Kraken got back to me within the hour, finex took a day, stamp took 4.

So if someone gets access to your email, your 2FA becomes worthless on Kraken. On Bitfinex it seems they don't even need to get access to your email.

Has anyone else here been through a similar situation with these exchanges? Is it really this poor?

I use 2FA on Bitfinex - but what is it worth if someone can just make a myname@whatever.tld e-mail account and send them an e-mail asking them to disable it?

Not sure if I should try making some random e-mail account and bug them to give me my password and disable my 2FA using that, just to see what happens... perhaps I should do it, but not right now due to this posting, perhaps in a week or a month or two months... As the above message shows: attacking them just to see what happens is probably a good idea.

You would obviously need to have the Bitfinex username and password already to gain anything from disabling someone's 2FA - but even so, disabling 2FA should just not be simple. On the other hand, it could happen that someone does need them to disable their own 2FA for legitimate reasons - like when your 2FA device is stolen/broken/flushed down the toilet (happened to a friend once) and you do not have a few encrypted USB sticks or a paper backup of the 2FA seed. There is also the question of "what would my family do if I die in a horrible car accident" (hint: make sure a family member you really trust, blood not "love", knows how to clear out your BFX account prior to this happening).

I for one would like Bitfinex to have the option of adding a GnuPG key. If a message comes from my e-mail signed by my GnuPG key, then it is likely me. Weaknesses: a) some customers will inevitably put all their eggs in a very weak basket: their mobile phone; b) your GnuPG key is probably on your computer and you type your password in on your computer, so if that is owned...

A quick note on mobile phones here: they are CHEAP. As in get a $50 Android phone JUST for 2FA. Never bring it anywhere and never use it for anything else. If you have one Android phone and you a) use it for 2FA, b) use it for e-mail and have your username and password permanently stored on it, and c) have your secret GnuPG key on it and type your password into it all the time... you're doing it wrong. If there is also a d) you use this device to log in to Bitfinex... then you are not using 2FA, you're using 1FA, as in one device needs to be owned and you're screwed.

What I would like to see here is ideas on what the requirements should be for Bitfinex to accept "I forgot my password" and "Please disable my 2FA". My personal view is that the answer could be as strong as "Fly to our office and show us your ID" but I realize that many will not agree..

"Reddit"-style ID could also be a thing: write the date and "please disable 2FA I screwed up" on a piece of paper and take a photo of yourself holding that and your ID (which they can verify against the verification documents they have in cold storage)? Perhaps with a shoe on your head to top it off? I know this idea may sound a bit silly, but ANYTHING is better than "just send an e-mail saying disable my 2fa plz".

Some threat models to consider:

* The adversary has owned your mobile phone. Everything on it is accessible to the adversary (which could include e-mail account, 2FA, Bitfinex login details as you type them in)
* The adversary has owned your computer and everything on it and knows everything you type but not your mobile phone (or your main mobile phone but not your dedicated 2FA phone)
* The adversary has owned your e-mail but nothing else.
* The adversary has owned your Bitfinex username and password but nothing else (only 2FA stands in the way).

I know I've been ranting. I'd just like some input and attention to this issue and I would not like to find my Bitfinex account empty one morning because someone used social engineering and/or script-kiddie level "hacking" to fool them into handing out my password and disabling my 2FA.

This is an interesting post, and I am looking into it. However, one thing off the bat: I can't just create any email account and then email from it. You have to email FROM THE EMAIL USED TO OPEN THE ACCOUNT. So, as long as you were the original user to open the account, you should:
A) Know what email was used.
B) Be the only one to have access to it.

Of course, I am glad to look over the suggestions, and I think some of them might be useful as user-requested additional settings. Security, from the user perspective, is a tradeoff between convenience and security. So, while making them fly to Hong Kong is super secure, it means that you could be locked out of your account for quite a long time. This is obviously just an extreme example. I, personally, hate when companies REQUIRE me to jump through hoops, and don't allow me to judge my personal preference for level of security. I think we struck a good balance, in that we allow you to lock your withdrawal address, offer automated withdrawals only if 2FA is enabled, and require 2FA for login. Obviously, this is heavily dependent on 2FA, and on a user's own security measures. One thing I would highly recommend, again this isn't perfect security, is to have a passphrase on your phone, AND a separate one on your 2FA (in my case, you have to have my thumb to open Authy). Again, I stress that there is no perfect method that will make you unhackable, and if someone really wants it bad enough, there is always the $5 wrench. So, I think that doing a reasonable amount of preventative work, and getting into good security habits, is effective for most accounts, while more extreme measures could be worthwhile for very large accounts, or for corporate accounts.

Really want to continue this conversation, so let me know your thoughts.
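As an added illustration of the "register a signing key" idea discussed above (this is example code, not Bitfinex's or any poster's), here is the exchange-side check for a signed "disable my 2FA" request: the signature must match the key on file for the account, the request must be recent, and its nonce must not have been accepted before, so a request lifted from a compromised mailbox cannot simply be resent. It uses Ed25519 from the Go standard library in place of GnuPG; the account e-mail, the registered key and the request fields are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// RecoveryRequest is what the account holder signs; timestamp and nonce stop replay.
type RecoveryRequest struct {
	Email    string `json:"email"`
	Action   string `json:"action"` // e.g. "disable_2fa"
	IssuedAt int64  `json:"issued_at"`
	Nonce    string `json:"nonce"`
}

// Verifier holds each account's registered public key and the nonces already used.
type Verifier struct {
	Keys   map[string]ed25519.PublicKey // account e-mail -> registered key (assumed on file)
	Seen   map[string]bool
	MaxAge time.Duration
}

// SignRequest is the client side: serialise the request and sign the exact bytes.
func SignRequest(priv ed25519.PrivateKey, req RecoveryRequest) (raw, sig []byte) {
	raw, _ = json.Marshal(req) // plain string/int fields cannot fail to marshal
	return raw, ed25519.Sign(priv, raw)
}

// Check accepts a request only if it is signed by the key on file, fresh, and unused.
func (v *Verifier) Check(raw, sig []byte, now time.Time) error {
	var req RecoveryRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return err
	}
	// The From: address alone proves nothing; only the registered key does.
	pub, ok := v.Keys[req.Email]
	if !ok || !ed25519.Verify(pub, raw, sig) {
		return errors.New("no registered key for account or signature mismatch")
	}
	if age := now.Sub(time.Unix(req.IssuedAt, 0)); age < 0 || age > v.MaxAge {
		return errors.New("request expired or timestamped in the future")
	}
	if v.Seen[req.Nonce] {
		return errors.New("request already used")
	}
	v.Seen[req.Nonce] = true // consume the nonce so the same message cannot be replayed
	return nil
}
```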