Security improvements this weekend

[tmopar]

I will read this, it only confirms what i am saying about the data collection and privacy, taken straight from the link you gave me first line.


When you use our app we collect:

Your phone number, device type, and email address.
If you use an application that integrates our 2-factor authentication API, they will send us your phone number and email address so we can validate who you are on their behalf.
We keep a record of your log-ins to accounts for which you use Authy for 2-factor authentication.

[tmopar]

since they dont know about the nature of our business they dont know we have this awesome facility of signing messages ... most applications dont have that... and thats what makes cryptocurrency unique.

This would be fine if we were dispatching plumbers, but theres a lot of bread on this table and I would trust nothing but myself, my own servers, my own code and my own business model. The wallets themselves provide the answer.

[GregoryGHarding]

since they dont know about the nature of our business they dont know we have this awesome facility of signing messages ... most applications dont have that... and thats what makes cryptocurrency unique.

This would be fine if we were dispatching plumbers, but theres a lot of bread on this table and I would trust nothing but myself, my own servers, my own code and my own business model. The wallets themselves provide the answer.

your view will change when your hacked and the one thing that couldve prevented it all is 2FA. read the medium article from the person who lost 8K in crypto

[tmopar]

Additional stuff from that link about privacy concerns:

We also share your data with our third party service providers as necessary for them to provide their services to us. We may also have to share your data with third parties if required to do so by law.
Your data will be transferred to the U.S.

[tmopar]

I wonder if the guy who lost 8k employed the suggestion i am describing? or if he had his wallet on his phone? We are talking about our situation here, and for my money, I say trust the encryption that provides the backbone for the currency more than any third party.

[GregoryGHarding]

now see youre picking and choosing. i said read the detailed section

[tmopar]

Greg, let me ask you a question, can you be sure about twilio? Like REALLY sure? Can you be certain they personally will never suffer a hack/attack, a rogue operative/employee or an exploit which uses their authentication? You have put all your eggs in a basket that someone else is holding. Say it cant happen to a big company who touts itself as being secure?

https://www.theregister.co.uk/2017/02/2 ... onal_data/


Now consider, if you had an old laptop or a tablet or something which normally was never hardly turned on and on it was your wallet information. Assuming your daily device gets hacked (especially a phone with texing and email) how are you safe using only 2factor ? You would need two redundant devices and it is still conceivable since you use these devices they are both compromised.

Its safe to say we already agree and trust the wallets otherwise none of us would be involved with the site for long.

We are not watching videos here or selling pushmower whom 2fa would be more directly suited, this is a special kind of Bank. You need some secret data which is non personally identifiable and these sites cannot or will not intrinsically offer this, they must identify you and this is why its not proper for what we are doing. The nature and great strength of cryptocurrency is to a certain degree anonymity and we would be completely giving that all away by letting a 3rd party know every single time you login and then be able to sell that data to third parties (partners).

I read the whole thing, its scary as hell to me for the points I outlined above and before. You basically trust them completely outsourcing the frontal layer of security. Its the big red easy button, and I get that, but its not always wise to press it.

To the point of "everyone else is using it", do not forget your recent history:

https://www.theregister.co.uk/2014/04/1 ... eartbleed/

During the heartbleed bugexploit a lot of people were using openssl, because it was the big red easy button and you can see via a google search what happened with it. Apple had decided to do something differently the hard way and were not vulnerable. It just takes one point of failure and thats why I am advocating removing as many common points of failure with the outside unrelated world that we can.

Every customer should have a wallet and we can have videos or a series of screenshots showing how to do the encrypted message. They just need to specify their "main wallet" for security purposes. This could be totally automated and be far more certain about it than any other method while still retaining all privacy in comparison.

This same system can pull double duty for password resets and for wallet unlocks. You just have to specify a primary account and then the password reset will only respond to the cold storage wallet's encrypted message asking for its unlocking. Again all automated and without relying on any third party technology.

If you read somewhere on the site here, Steve said Chris was already doing it this way just manually. Logically it must have worked up until this time securely just not efficiently due to the manpower required. I am simply advocating automating and making official that process.



Thank you,
Tmopar

[GregoryGHarding]

Tl;Dr

[FRISKIE]

@ Tmopar - mate I share the security concerns and am equally averse to sharing/exposing my personal data. Security in a solution though comes down to a compromise between many factors,

on the one side we want total security and privacy, which in a system like Prohashing with a diverse user base, with varying levels of technical skills, wide range of platforms, OS etc. is of course impractical.

So the compromise in this case comes down to security vs "usability" vs support efficiency (less attention from Chris needed) vs reasonable trade-off on privacy >>> solution decided on hopefully has 'real world" case studies of successful usage etc.

All in all a judgement call is needed that hopefully balances all factors and reaches the best compromise.

In this case I believe that Steve has done well and fully support his decision, while acknowledging that it will not be perfect but is in my opinion the best solution currently available for this specific set of requirements.

[JKDReaper]

We are not watching videos here or selling pushmower whom 2fa would be more directly suited, this is a special kind of Bank. You need some secret data which is non personally identifiable and these sites cannot or will not intrinsically offer this, they must identify you and this is why its not proper for what we are doing. The nature and great strength of cryptocurrency is to a certain degree anonymity and we would be completely giving that all away by letting a 3rd party know every single time you login and then be able to sell that data to third parties (partners).

While over all I support 2FA, I do agree with you on this...anonymity is one of, if not THE first, basis cryptocurrency was started. And without a doubt, the reason it grew in the early days.

And as previously stated...I agree that they are probably doing the best thing they can. I don't use 2FA personally unless absolutely forced to. Outside of government involvement, there's apps, programs, etc...that one can use that provide near flawless security, if you're willing to go to "deep" enough places to get them...and that's the route I personally take...but again, all sides of this have very valid points.

Just my 2 bits