Author Topic: Stolen fund alert system?  (Read 6834 times)


Offline Agent86

  • Sr. Member
  • ****
  • Posts: 471
  • BTSX: agent86
With a larger market cap we have a bigger target on our backs so to speak.  A few bad stories of hacks and it will start to get hard to convince people that it's safe to hold bitUSD or use BTSX as a "bank."  If early adopter tech nerds are getting their funds stolen why should others bother?

Seasoned funds is an important concept.  There could even be an advanced option to select a fund seasoning length for an account with a few options.  The default could be one week with a warning if you make it shorter.

I know it sounds a little complex but it's very useful and it will give people way more confidence to hold funds in bitUSD when they see that people don't get hacked and taken advantage of on BitShares.

BTW… If we don't restrict the internal marketplace to only seasoned funds, then any talk of a rollback or hardfork to deal with theft would be a cluster; it's just too easy for the thief to liquidate quickly and affect lots of people.

Offline Agent86

Quote from: bytemaster
The reality is that exchanges shouldn't keep more than 10% of their funds in a hot wallet.

I3 should probably get in contact with exchanges to make sure they are following this type of advice and that they are using good security practices, and if they are not we can warn people.

As far as I can tell the wallet is not super user-friendly for cold storage; there should probably be a built-in instruction guide in the wallet for cold storage.  Some posts about cold storage don't get too much response:

https://bitsharestalk.org/index.php?topic=6232

bitbro

  • Guest
Seasoned funds is a nice idea but makes the system clunky.  Freezing could become a malicious way of doing business.  What happened to Keyhotee?  Reputation verification before transactions.



Offline Agent86

Quote from: bytemaster
I think the protection needs to be done "off chain" rather than adding a bunch of complex stuff that disrupts the on chain behavior.

In my opinion... the type of numerous large thefts that have happened in NXT are unacceptable.  It is irresponsible and unfair for us to go out and convince people to be a part of BitShares or hold shares or BitUSD in an online wallet if our security policy is "thefts will happen... shrug".

I think this proposal adds a very significant amount of additional security/safety and in the absence of a compelling other plan it is worth additional complexity.  I don't think this specific functionality can be done "off chain."

My feeling is that this is well worth implementing and is important.

Security is sooooo important...  all this talk about people not voting enough is more related to people's fear of losing their stake than anything else.

It is CRITICAL that we can explain to users and shareholders how to safely protect their stake from loss.  We need to be able to explain this in a succinct and honest way that does not sugarcoat any risks.  We should really have a comprehensive security guide for BTS holders. This is only fair.  If we want this to catch on we need to give people the tools to be able to sleep comfortably and hopefully without a huge amount of technical expertise required.

Offline Riverhead

Quote from: bytemaster
I think the protection needs to be done "off chain" rather than adding a bunch of complex stuff that disrupts the on chain behavior.

+5% +5% +5%

Offline bytemaster

The reality is that exchanges shouldn't keep more than 10% of their funds in a hot wallet.
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline Agent86

Quote from: Troglodactyl
Ok, I see where you're coming from now.  I was looking at your proposal from the perspective of being tricked into sending funds, rather than a key compromise.  2 of 2 multisig escrow does work for the scenario of a merchant failing to deliver goods, since the funds will be frozen until both parties are in agreement.

How I would attack a system that allowed freezing as you suggest (if I were into that sort of thing) is by only taking half of the funds from a compromised account.  Then if you freeze my half, I'll freeze your half when you try to salvage it.  This decreases the profit of compromising keys, but adds a level of uncertainty to the system that I find unpleasant.  I think it could be a good idea as an optional alternative account type, but I'm attached to the reliability of the irreversible payment account.

I don't think your method of "attack" is realistic.  First you have to somehow contact me and tell me your demands before I notice the theft and freeze the funds.  Then you have to somehow convince me to trust you in this deal...  You have to voluntarily take less than you could and then voluntarily go out of your way to alert me to the theft and to the process of freezing funds and then hope I don't freeze your funds anyway.  I don't think it's smart behavior.  Secondly, if there is community consensus that it is a theft like the bter NXT hack it could be rolled back after the funds are frozen so no need to negotiate.

Offline bytemaster

I think the protection needs to be done "off chain" rather than adding a bunch of complex stuff that disrupts the on chain behavior.

Offline Troglodactyl

  • Hero Member
  • *****
  • Posts: 960
Quote from: Agent86
Quote from: Troglodactyl
What's the advantage of this over holding funds in multisig escrow for the week in question, or for however long the specific related business is ongoing?

A multisig escrow does not accomplish the same thing.  For multisig escrow you first need to find a trusted third party entity to use as an escrow and even still there is a chance that your password to access the escrow can be compromised at the same time as your priv key.  2FA with a very good responsible trusted escrow service is certainly helpful and I support it, but it's not the same thing and we don't have any trusted 2FA escrow service for bitshares yet.

With my proposal you can generally go about business as normal unless you are dealing with large sums of recently moved money and people you don't know well.  Only if there's a problem (your priv key is stolen and you are robbed) you have a week to mark the transaction as a theft/fraudulent and freeze the funds.  You then deny the thief any benefit and if you are fortunate you may even be able to convince the community to take some corrective action.  This idea can help when a problem happens even if you were a little careless in planning and protecting your key.  I think this system will rob thieves of profit so they are much less likely to go to any effort to try.

For the record, I support multisig escrow services, offline transaction signing, all of the above in addition to my proposal.

Ok, I see where you're coming from now.  I was looking at your proposal from the perspective of being tricked into sending funds, rather than a key compromise.  2 of 2 multisig escrow does work for the scenario of a merchant failing to deliver goods, since the funds will be frozen until both parties are in agreement.

How I would attack a system that allowed freezing as you suggest (if I were into that sort of thing) is by only taking half of the funds from a compromised account.  Then if you freeze my half, I'll freeze your half when you try to salvage it.  This decreases the profit of compromising keys, but adds a level of uncertainty to the system that I find unpleasant.  I think it could be a good idea as on optional alternative account type, but I'm attached to the reliability of the irreversible payment account.

Offline Agent86

Quote from: Troglodactyl
What's the advantage of this over holding funds in multisig escrow for the week in question, or for however long the specific related business is ongoing?

A multisig escrow does not accomplish the same thing.  For multisig escrow you first need to find a trusted third party entity to use as an escrow and even still there is a chance that your password to access the escrow can be compromised at the same time as your priv key.  2FA with a very good responsible trusted escrow service is certainly helpful and I support it, but it's not the same thing and we don't have any trusted 2FA escrow service for bitshares yet.

With my proposal you can generally go about business as normal unless you are dealing with large sums of recently moved money and people you don't know well.  Only if there's a problem (your priv key is stolen and you are robbed) you have a week to mark the transaction as a theft/fraudulent and freeze the funds.  You then deny the thief any benefit and if you are fortunate you may even be able to convince the community to take some corrective action.  This idea can help when a problem happens even if you were a little careless in planning and protecting your key.  I think this system will rob thieves of profit so they are much less likely to go to any effort to try.

For the record, I support multisig escrow services, offline transaction signing, all of the above in addition to my proposal.

Offline Troglodactyl

Quote from: Agent86
I would go further than my original proposal.  I would say for any funds transferred out of your account you have up to a week to permanently freeze the funds.

People need to understand the concept of "seasoned" funds.  It is critical that you cannot participate in any internal BitShares market (such as buying and selling BitUSD) unless your funds have been seasoned for one week.  You must have kept the balance without moving it for one week before you can use it to participate in the market to buy/sell assets.

There is really no reason for anyone to permanently freeze funds that left their account unless it is a legit fraudulent transaction.  Also people can protect themselves by demanding seasoned funds when doing business with people they don't know well or for large sums of money.

As far as what to do with "permanently" frozen funds... I think this is a secondary issue and can be addressed in many ways that take advantage of community consensus.

The most important thing is to give people the power to freeze fraudulent funds.  DO NOT let people participate in the internal marketplace without seasoned funds.  And educate exchanges on the concept of seasoned funds.  This will be a BIG deterrent to hackers and fraudsters.

What's the advantage of this over holding funds in multisig escrow for the week in question, or for however long the specific related business is ongoing?

Offline Agent86

I would go further than my original proposal.  I would say for any funds transferred out of your account you have up to a week to permanently freeze the funds.

People need to understand the concept of "seasoned" funds.  It is critical that you cannot participate in any internal BitShares market (such as buying and selling BitUSD) unless your funds have been seasoned for one week.  You must have kept the balance without moving it for one week before you can use it to participate in the market to buy/sell assets.

There is really no reason for anyone to permanently freeze funds that left their account unless it is a legit fraudulent transaction.  Also people can protect themselves by demanding seasoned funds when doing business with people they don't know well or for large sums of money.

As far as what to do with "permanently" frozen funds... I think this is a secondary issue and can be addressed in many ways that take advantage of community consensus.

The most important thing is to give people the power to freeze fraudulent funds.  DO NOT let people participate in the internal marketplace without seasoned funds.  And educate exchanges on the concept of seasoned funds.  This will be a BIG deterrent to hackers and fraudsters.
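To make the rules in the proposal above concrete, here is a toy model added to this page; it is not BitShares code and was not posted by anyone in the thread.  It treats each received balance as a lot stamped with its arrival time, lets the internal market spend only lots that have sat still for one week, and lets whoever holds the sending account's key freeze a received lot for one week after the transfer.  Account names, keys, amounts and timestamps are all constructed.  The scenario also replays the counter-move Troglodactyl raises earlier on this page: because the freeze right is tied to the key rather than the person, a thief who still holds the compromised key can freeze the victim's rescue transfer just as the victim froze the stolen one.

```python
"""Toy model of the seasoned-funds + freeze-window proposal in this thread.
Added illustration, not BitShares code: one asset, an in-memory ledger, integer
timestamps, and constructed account names, keys and amounts."""
from dataclasses import dataclass

SEASON = 7 * 24 * 3600  # a balance must sit still one week before market use
WINDOW = SEASON         # the sender may freeze a transfer for one week after it


@dataclass
class Lot:
    amount: int
    received_at: int
    frozen: bool = False


class Ledger:
    def __init__(self):
        self.lots = {}  # account -> list[Lot]
        self.keys = {}  # account -> secret that authorises spending and freezing
        self.txs = {}   # txid -> (sender, received Lot, time sent)

    def open(self, name, key, amount, now):
        self.keys[name] = key
        # an opening balance is treated as already seasoned
        self.lots[name] = [Lot(amount, now - SEASON)] if amount else []

    def _auth(self, name, key):
        if self.keys.get(name) != key:
            raise PermissionError(f"bad key for {name}")

    def spendable(self, name, now, seasoned_only=False):
        return sum(lot.amount for lot in self.lots.get(name, [])
                   if not lot.frozen
                   and (not seasoned_only or now - lot.received_at >= SEASON))

    def transfer(self, src, dst, amount, now, key):
        """Plain transfer: any unfrozen balance may move, seasoned or not."""
        self._auth(src, key)
        if self.spendable(src, now) < amount:
            raise ValueError("insufficient unfrozen balance")
        need = amount
        for lot in sorted(self.lots[src], key=lambda x: x.received_at):  # oldest first
            if not lot.frozen and need:
                take = min(lot.amount, need)
                lot.amount -= take
                need -= take
        self.lots[src] = [lot for lot in self.lots[src] if lot.amount]
        received = Lot(amount, now)  # the recipient's lot starts unseasoned
        self.lots.setdefault(dst, []).append(received)
        txid = f"tx{len(self.txs) + 1}"
        self.txs[txid] = (src, received, now)
        return txid

    def can_trade(self, name, amount, now, key):
        """Internal market gate: only seasoned, unfrozen funds may be offered."""
        self._auth(name, key)
        return self.spendable(name, now, seasoned_only=True) >= amount

    def freeze(self, txid, now, key):
        """Whoever holds the *sending* account's key may freeze the received
        lot while WINDOW is open; what the recipient already moved on is gone."""
        src, lot, sent_at = self.txs[txid]
        self._auth(src, key)
        if now - sent_at > WINDOW:
            raise ValueError("freeze window closed")
        lot.frozen = True


def run_scenario():
    """Replay the thread's scenarios; returns the observable outcomes."""
    T0, DAY = 1_000_000, 24 * 3600
    led = Ledger()
    led.open("alice", "alice-key", 1000, T0)
    for name in ("bob", "mallory", "alice2"):
        led.open(name, f"{name}-key", 0, T0)
    out = {}
    # Honest payment: Bob receives 100 at T0 and cannot trade it for a week.
    tx_bob = led.transfer("alice", "bob", 100, T0, "alice-key")
    out["bob_trades_day1"] = led.can_trade("bob", 100, T0 + DAY, "bob-key")
    out["bob_trades_day8"] = led.can_trade("bob", 100, T0 + 8 * DAY, "bob-key")
    # Key compromise (constructed): Mallory knows alice-key and takes half.
    stolen = led.transfer("alice", "mallory", 450, T0 + 2 * DAY, "alice-key")
    out["thief_trades_at_once"] = led.can_trade("mallory", 450, T0 + 2 * DAY, "mallory-key")
    # Alice notices a day later and freezes the stolen lot (inside WINDOW).
    led.freeze(stolen, T0 + 3 * DAY, "alice-key")
    out["thief_spendable_after_freeze"] = led.spendable("mallory", T0 + 3 * DAY)
    # Alice moves the other half to a fresh key ...
    rescue = led.transfer("alice", "alice2", 450, T0 + 3 * DAY, "alice-key")
    # ... but the freeze right belongs to alice-key, which Mallory also holds,
    # so she can freeze the rescue transfer too (Troglodactyl's counter-move).
    led.freeze(rescue, T0 + 3 * DAY, "alice-key")
    out["victim_spendable_after_counterfreeze"] = led.spendable("alice2", T0 + 3 * DAY)
    # The window is hard: Bob's week-old payment can no longer be frozen.
    try:
        led.freeze(tx_bob, T0 + 8 * DAY, "alice-key")
        out["late_freeze_allowed"] = True
    except ValueError:
        out["late_freeze_allowed"] = False
    return out
```

Calling run_scenario() returns a dict of the outcomes: the thief cannot trade the stolen lot before it seasons and ends with nothing once it is frozen, the victim's rescue transfer is frozen by the same key, and the sender's freeze right lapses after the window.  The model also shows why the thread insists that the internal market and the exchanges refuse unseasoned funds: a freeze only reaches what the recipient has not already passed on.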

Offline liondani

  • Hero Member
  • *****
  • Posts: 3737
  • Inch by inch, play by play
  • BitShares: liondani
  • GitHub: liondani
Quote from: xeroc
Quote from: liondani
First of all when we make a transfer with the win GUI, the wallet should ask us for the password again!
Hope it was temporarily disabled because of the Dry Runs...

Why not write a github issue on that?

ok

Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12922
  • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
Quote from: liondani
First of all when we make a transfer with the win GUI, the wallet should ask us for the password again!
Hope it was temporarily disabled because of the Dry Runs...

Why not write a github issue on that?

Offline xeroc

Quote
The only way I think 2FA makes sense in this context is by using multisig.  TOTP/HOTP is useless for wallet security, as you might as well just store a 2nd key instead of a TOTP/HOTP token and eliminate the need for a trusted third party verifying your OTP.

AFAIR Bytemaster has stated that multisig is possible and on the todo list