Stolen fund alert system?

[Agent86]

With a larger market cap we have a bigger target on our backs so to speak.  A few bad stories of hacks and it will start to get hard to convince people that it's safe to hold bitUSD or use BTSX as a "bank."  If early adopter tech nerds are getting their funds stolen why should others bother?

Seasoned funds is an important concept.  There could even be an advanced option to select a fund seasoning length for an account with a few options.  The default could be one week with a warning if you make it shorter.

I know it sounds a little complex but it's very useful and it will give people way more confidence to hold funds in bitUSD when they see that people don't get hacked and taken advantage of on BitShares.

BTW… If we don't restrict the internal marketplace to only seasoned funds, than any talk of a rollback or hardfork to deal with theft would be a cluster; it's just too easy for the thief to liquidate quickly and affect lots of people.

[Agent86]

The reality is that exchanges shouldn't keep more than 10% of their funds in a hot wallet.

I3 should probably get in contact with exchanges to make sure they are following this type of advice and that they are using good security practices, and if they are not we can warn people.

As far as I can tell the wallet is not super user friendly for cold storage, there should probably be a built in instruction guide in the wallet for cold storage.  Some posts about cold storage don't get too much response:

https://bitsharestalk.org/index.php?topic=6232

[bitbro]

Seasoned funds is a nice idea but makes the system clunky.  Freezing could become a malicious way of doing business. What happened to Keyhottee? Reputation verification before transactions


Sent from my iPhone using Tapatalk

[Agent86]

I think the protection needs to be done "off chain" rather than adding a bunch complex stuff that disrupts the on chain behavior.

In my opinion... the type of numerous large thefts that have happened in NXT are unacceptable.  It is irresponsible and unfair for us go out and convince people to be a part of BitShares or hold shares or BitUSD in an online wallet if our security policy is "thefts will happen... shrug".

I think this proposal adds a very significant amount of additional security/safety and in the absence of a compelling other plan it is worth additional complexity.  I don't think this specific functionality can be done "off chain."

My feeling is that this is well worth implementing and is important.

Security is sooooo important...  all this talk about people not voting enough is more related to peoples' fear of losing their stake than anything else.

It is CRITICAL that we can explain to users and shareholders how to safely protect their stake from loss.  We need to be able to explain this in a succinct and honest way that does not sugarcoat any risks.  We should really have a comprehensive security guide for BTS holders. This is only fair.  If we want this to catch on we need to give people the tools to be able to sleep comfortably and hopefully without a huge amount of technical expertise required.

[Riverhead]

I think the protection needs to be done "off chain" rather than adding a bunch complex stuff that disrupts the on chain behavior.

[bytemaster]

The reality is that exchanges shouldn't keep more than 10% of their funds in a hot wallet.

[Agent86]

Ok, I see where you're coming from now.  I was looking at your proposal from the perspective of being tricked into sending funds, rather than a key compromise.  2 of 2 multisig escrow does work for the scenario of a merchant failing to deliver goods, since the funds will be frozen until both parties are in agreement.

How I would attack a system that allowed freezing as you suggest (if I were into that sort of thing) is by only taking half of the funds from a compromised account.  Then if you freeze my half, I'll freeze your half when you try to salvage it.  This decreases the profit of compromising keys, but adds a level of uncertainty to the system that I find unpleasant.  I think it could be a good idea as on optional alternative account type, but I'm attached to the reliability of the irreversible payment account.

I don't think your method of "attack" is realistic.  First you have to somehow contact me and tell me your demands before I notice the theft and freeze the funds.  Then you have to somehow convince me to trust you in this deal...  You have to voluntarily take less than you could and then voluntarily go out of your way to alert me to the theft and to the process of freezing funds and then hope I don't freeze your funds anyway.  I don't think it's smart behavior.  Secondly, if there is community consensus that it is a theft like the bter NXT hack it could be rolled back after the funds are frozen so no need to negotiate.

[bytemaster]

I think the protection needs to be done "off chain" rather than adding a bunch complex stuff that disrupts the on chain behavior.

[Troglodactyl]

What's the advantage of this over holding funds in multisig escrow for the week in question, or for however long the specific related business is ongoing?

A multisig escrow does not accomplish the same thing.  For multisig escrow you first need to find a trusted third party entity to use as an escrow and even still there is a chance that your password to access the escrow can be compromised at the same time as your priv key.  2FA with a very good responsible trusted escrow service is certainly helpful and I support it, but it's not the same thing and we don't have any trusted 2FA escrow service for bitshares yet.

With my proposal you can generally go about business as normal unless you are dealing with large sums of recently moved money and people you don't know well.  Only if there's a problem (your priv key is stolen and you are robbed) you have a week to mark the transaction as a theft/fraudulent and freeze the funds.  You then deny the thief any benefit and if you are fortunate you may even be able to convince the community to take some corrective action.  This idea can help when a problem happens even if you were a little careless in planning and protecting your key.  I think this system will rob thieves of profit so they are much less likely to go to any effort to try.

For the record, I support multisig escrow services, offline transaction signing, all of the above in addition to my proposal.

Ok, I see where you're coming from now.  I was looking at your proposal from the perspective of being tricked into sending funds, rather than a key compromise.  2 of 2 multisig escrow does work for the scenario of a merchant failing to deliver goods, since the funds will be frozen until both parties are in agreement.

How I would attack a system that allowed freezing as you suggest (if I were into that sort of thing) is by only taking half of the funds from a compromised account.  Then if you freeze my half, I'll freeze your half when you try to salvage it.  This decreases the profit of compromising keys, but adds a level of uncertainty to the system that I find unpleasant.  I think it could be a good idea as on optional alternative account type, but I'm attached to the reliability of the irreversible payment account.

[Agent86]

What's the advantage of this over holding funds in multisig escrow for the week in question, or for however long the specific related business is ongoing?

A multisig escrow does not accomplish the same thing.  For multisig escrow you first need to find a trusted third party entity to use as an escrow and even still there is a chance that your password to access the escrow can be compromised at the same time as your priv key.  2FA with a very good responsible trusted escrow service is certainly helpful and I support it, but it's not the same thing and we don't have any trusted 2FA escrow service for bitshares yet.

With my proposal you can generally go about business as normal unless you are dealing with large sums of recently moved money and people you don't know well.  Only if there's a problem (your priv key is stolen and you are robbed) you have a week to mark the transaction as a theft/fraudulent and freeze the funds.  You then deny the thief any benefit and if you are fortunate you may even be able to convince the community to take some corrective action.  This idea can help when a problem happens even if you were a little careless in planning and protecting your key.  I think this system will rob thieves of profit so they are much less likely to go to any effort to try.

For the record, I support multisig escrow services, offline transaction signing, all of the above in addition to my proposal.

[Troglodactyl]

I would go further than my original proposal.  I would say for any funds transferred out of your account you have up to a week to permanently freeze the funds.

People need to understand the concept of "seasoned" funds.  It is critical that you cannot participate in any internal BitShares market (such as buying and selling BitUSD) unless your funds have been seasoned for one week.  You must have kept the balance without moving it for one week before you can use it to participate in the market to buy/sell assets.

There is really no reason for anyone to permanently freeze funds that left their account unless it is a legit fraudulent transaction.  Also people can protect themselves by demanding seasoned funds when doing business with people they don't know well or for large sums of money.

As far as what to do with "permanently" frozen funds... I think this is a secondary issue and can be addressed in many ways that take advantage of community consensus.

The most important thing is to give people the power to freeze fraudulent funds.  DO NOT let people participate in the internal marketplace without seasoned funds.  And educate exchanges on the concept of seasoned funds.  This will be a BIG deterrent to hackers and fraudsters.

What's the advantage of this over holding funds in multisig escrow for the week in question, or for however long the specific related business is ongoing?

[Agent86]

I would go further than my original proposal.  I would say for any funds transferred out of your account you have up to a week to permanently freeze the funds.

People need to understand the concept of "seasoned" funds.  It is critical that you cannot participate in any internal BitShares market (such as buying and selling BitUSD) unless your funds have been seasoned for one week.  You must have kept the balance without moving it for one week before you can use it to participate in the market to buy/sell assets.

There is really no reason for anyone to permanently freeze funds that left their account unless it is a legit fraudulent transaction.  Also people can protect themselves by demanding seasoned funds when doing business with people they don't know well or for large sums of money.

As far as what to do with "permanently" frozen funds... I think this is a secondary issue and can be addressed in many ways that take advantage of community consensus.

The most important thing is to give people the power to freeze fraudulent funds.  DO NOT let people participate in the internal marketplace without seasoned funds.  And educate exchanges on the concept of seasoned funds.  This will be a BIG deterrent to hackers and fraudsters.

[liondani]

First of all when we make a transfer with the win gui, the wallet should ask as for the password again!
Hope it was temporary disabled because of the Dry Runs...

Why not write a github issue on that?

ok

[xeroc]

First of all when we make a transfer with the win gui, the wallet should ask as for the password again!
Hope it was temporary disabled because of the Dry Runs...

Why not write a github issue on that?

[xeroc]

The only way I think 2FA makes sense in this context is by using multisig.  TOTP/HOTP is useless for wallet security, as you might as well just store a 2nd key instead of a TOTP/HOTP token and eliminate the need for a trusted third party verifying your OTP.

AFAIR Bytemaster has stated that multisig is possible and on the todo list

[liondani]

First of all when we make a transfer with the win gui, the wallet should ask as for the password again!
Hope it was temporary disabled because of the Dry Runs...

[Troglodactyl]

The only way I think 2FA makes sense in this context is by using multisig.  TOTP/HOTP is useless for wallet security, as you might as well just store a 2nd key instead of a TOTP/HOTP token and eliminate the need for a trusted third party verifying your OTP.

I'm very much in favor of making things like multisig, paper wallets/cold storage, and offline signing easy and accessible through the UIs in order to give each user strong personal control more easily.  I'm against any system that puts the community in the position of taking shares from a supposed thief and transferring them to a supposed rightful owner, or allowing payer initiated chargebacks.  Such things invite more fraud than they prevent, and the new fraud is more arbitrary and less preventable than the previous.  Just look at the forum exchange scams relying on Paypal.  If I lose my shares or have them stolen, I want it to be because I was lazy or careless and didn't maintain control of my keys properly, not because a weakness designed into the system motivated a con artist to paint me as a thief so he could play the victim.

[merockstar]

No sir, I don't like it.

Too much he said she said involved. We'd have to set up a BitShares justice system.

Hey maybe that could somehow be a DAC?

I think security concerns and horror stories are a huge reason for lack of adoption.  We should put together a BitShares common sense security best practices guide.  Will BTSX wallets allow for watching only wallets and offline transaction signing?

I do like this. Maybe I'll adopt this as my next writing project.

[gamey]

I think everyone in the crypto world except hacker-thieves wants better protection of wallets.   I'm just not sure if there is a really good system.  I did see this from the thread referenced above.  https://nxtforum.org/cryptopapers/(feature)-local-two-factor-authentication-for-cryptopapers-and-any-client-app/ 

It is very difficult to have 2 factor authentication because it always relies on a central point.  Whatever out of band method to authenticate the 2nd factor requires some degree of trust in a centralized entity.  This disturbs me, but I suspect it is better than the alternative.  The beauty of the system above is it apparently forces you to print out your private key.  So worst case you can start over with wallet access via the printed paper.  The key is to force people to do it, so that the 2nd authentication mechanism can never be used as a way to permanently revoke access. 

In the NXT example the guy had his passwords in an unencrypted file on dropbox. 

[Agent86]

Maybe not such a crazy idea...
Someone in NXT community "klee" just lost over $1,000,000 having their NXT stolen.  There have been a few big recent horror stories in that community with scams etc. https://nxtforum.org/general-discussion/price-speculation/5440/

We have a duty to do whatever we can to protect our shareholders and not make the BitShares story riddled with heartbreak and loss.  Not everyone that we reach will be super knowledgeable and security conscious.  I think we are pretty far ahead of any competition and there is a risk in pushing things out too fast.  We don't really need to release a buggy or dangerous code just to rush it.

I would probably support upgrading PTS to DPOS before releasing BTSX.  It could give us a feel for DPOS without worrying about complicated hard forks and potential issues upgrading to Polymorphic BitAssets.

Maybe with DACs that have the ability of self-governance we could do more if disasters strike.

[Troglodactyl]

I think security concerns and horror stories are a huge reason for lack of adoption.  We should put together a BitShares common sense security best practices guide.  Will BTSX wallets allow for watching only wallets and offline transaction signing?

 

Making offline transaction signing and multisig accessible to newcomers I think should be an early priority once the basics are done.  I don't remember enough detail to be sure if TITAN would cause problems for watch only wallets with no private key access.

[Agent86]

I think security concerns and horror stories are a huge reason for lack of adoption.  We should put together a BitShares common sense security best practices guide.  Will BTSX wallets allow for watching only wallets and offline transaction signing?

[Troglodactyl]

It seems like if the transaction is reversible until a certain point, you might as well just wait until that point and then send it irreversibly.  Reversible transactions just seem to invite fraud.  An escrow system that allows destruction in the case of failure to agree makes more sense to me.

The difficulty with this concept is that once a key is compromised (barring pre-established multisig), the attacker is on even footing with the victim, and there's no way to tell them apart.  The attacker can just take half, and if you report his half as stolen, he'll report your half as stolen.

It would be interesting to have a class of account that could only send to multisig accounts requiring confirmation from a designated guardian address.  That way no one who compromised the key could get the funds, but sending still makes an irreversible commitment.

[Agent86]

Is this relevant?
http://wiki.mastercoin.org/index.php/Saving_address

Yes, it seems to be an attempt to address similar problems.  I would have to try to understand it better to have an opinion.
I like the idea of savings addresses vs. "checking" addresses.  I'm not sure if blends into other type of account rules... I still think we need to enable you to set up a future auto-send to a different address if there is no activity for some period to leave funds to relatives when you die.

[gamey]

In crypto world businesses do not know people they transact with.  I'm quite sure that most cryptocurrency people prefer to keep it this way.  Your system would like help a lot of situations, but it would also introduce distrust into relationships.  It is hard to say "do it this way for small transactions" when the % fees taken by exchanges are so small to begin with.  Part of the reason the %s are so small is due to the irreversiblity.

Toast - I like that approach.  2 types of accounts.  Exchanges don't have to deal with the savings accounts.  This allows both parties to agree to the rules beforehand. 

What happens when you go from savings -> regular account -> regular account.  How do you know the transaction is reversible ?

[toast]

Is this relevant?
http://wiki.mastercoin.org/index.php/Saving_address

[Agent86]

Ok, as long as the funds are not recoverable to the original owner.   So you remove a lot of the incentive for theft.

The system could still be abused.  If I wanted to cause your business a loss, I do our transaction then mark the transfer as stolen.  What does the receiver do to protect themselves once this is introduced ?

I'd love to see something like this in general, I just do not know if there is an adequate system.  It could be used to attack exchanges who support this feature and thus force them to withdraw support for the currency.

If you transact with a business and then mark the money that you sent them as stolen, first off they know who you are and that you tried to rob them of money for no reason even though you didn't gain anything.  So they could probably take appropriate action against you.  And again you didn't gain anything from doing this.  You could also walk into their business and just break something and probably accomplish about as much.  For a very big transaction where they don't trust you they have the option to wait 24hrs.  Even still as long as they come forward to the community and say they did not take the funds and are willing to identify themselves they will almost certainly get the alert tag removed by community.

[gamey]

The problem I see is that once someone has acquired the private key, can't they do the same thing in reverse to the legitimate owner ?

I'm not following what you mean by "do the same thing in reverse to the legitimate owner"

-The thief xfers money out of your wallet
-Your wallet is now compromised and also empty
-You irreversibly mark the transaction as fraudulent
-You no longer use this wallet

What does the thief do?

Ok, as long as the funds are not recoverable to the original owner.   So you remove a lot of the incentive for theft.

The system could still be abused.  If I wanted to cause your business a loss, I do our transaction then mark the transfer as stolen.  What does the receiver do to protect themselves once this is introduced ?

I'd love to see something like this in general, I just do not know if there is an adequate system.  It could be used to attack exchanges who support this feature and thus force them to withdraw support for the currency. 

[Agent86]

The problem I see is that once someone has acquired the private key, can't they do the same thing in reverse to the legitimate owner ?

I'm not following what you mean by "do the same thing in reverse to the legitimate owner"

-The thief xfers money out of your wallet
-Your wallet is now compromised and also empty
-You irreversibly mark the transaction as fraudulent
-You no longer use this wallet

What does the thief do?

[gamey]

The problem I see is that once someone has acquired the private key, can't they do the same thing in reverse to the legitimate owner ? 

[bytemaster]

I imagine it could be a property of a balance that says transfers from this account are subject to self-destruction for 24 hours.  It would discourage thieves, but as a thief once you have the private key you might as well attempt it because you have already done the work to get the key in the first place.

[Agent86]

Ok, I'm well aware that this idea would be controversial.  I'm basically just throwing it out there.  I don't claim it's fully fleshed out or that we must do something like this, but I want to get people thinking and see any feedback.

Basically if you control a wallet, any transaction out of that wallet within the last 24hrs you can mark as a fraudulent transaction.  Everyone can distinguish funds that have been marked as fraudulent and most likely not accept them.  To make sure you are not doing business with someone trying to give you stolen funds for any large transaction you can demand that you only accept funds coming from an address that has held those funds at least 24hrs… these are "seasoned funds".  Exchanges can also demand that only funds that have been held in the sending address 24hrs prior to sending to the exchange are immediately available, otherwise they are quarantined 24hrs.

You could have a blockchain explorer app on your phone that alerts you anytime funds move out of any of your designated addresses.

Marking funds as stolen won't get you the funds back but will make it much more difficult for a thief to get a payday; so I would imagine there is little reason to do it unless it was a legitimate theft.  Anyone who is in control of funds that have been marked stolen can come forward to give an explanation and appeal to the community to have the designation removed.   There would be a process whereby the community can vote to remove the designation, otherwise after one year the stolen funds are burned as dividends (you could do without the auto burn while people get used to idea).  There's not necessarily a high burden of proof to have the designation removed but it forces someone to come forward and the party who marked them stolen has a chance to respond.

You could also have some kind of consensus community fund tagging.  For instance if Somali pirates or other demand BTSX for a ransom the community could vote to attach an alert to those funds even after 24hrs has expired but hopefully before there is a good chance for the criminal to liquidate.