Author Topic: An urgent need to increase the security of bts wallet login and payment  (Read 7697 times)


Offline smb8989
  • BitShares: ShawnB
Thought I would chime in, guys. Correct me if I'm wrong, anyone.

I use the Trezor wallet both as a wallet and a password manager. So I lock my BTS wallet before I close it down and use the saved password on my Trezor every time I log in (including 2FA if you choose). This way, even if my PC or Mac is compromised, the hacker will have no way to obtain my password or login credentials, even with a keylogger. I can still use the password manager to access my wallet even though the computer is infected or hacked. The Trezor is really a superb piece of technology.

Hope this helps
I use the Web Exchange BTS light wallet. Not sure if this makes a difference.

https://trezor.io/passwords/
« Last Edit: October 04, 2017, 06:09:40 am by smb8989 »

Offline legacy
I understand multisignature protection in different computers but I may have misunderstood something so please advise.

If one has a PC where all his BTS wallets are on this PC (hence all his BTS accounts as well), an attacker who gains access to that PC can equally easily have access to all wallets and accounts, right?

So what is the point of multisignature as protection in this case? Would it be difficult to hack 2 different accounts with 2 different passwords as long as both are on the same PC, or, since he gains access to the PC, can he easily hack all passwords?

In this case, what is the best way one can protect himself? Should we have, for example, 1 web wallet and 1 light wallet with, i.e., 1 account in each of these wallets, so that in order to make a transaction both have to sign (50-50 permissions)? Or something else?

The point of a multi-signature account is to have 3 different wallets on 3 different devices with 3 different private keys stored in each wallet which control the same account. Two devices may be yours and one belong to someone you trust, or all three may be yours, or one yours and two belong to different people you trust. You could set up this account such that you need 2 signatures out of 3 to unlock it. This way, if someone hacks one of your devices, your funds are safe, because they can't unlock your account without the other device. If you lose one of your devices, your funds are also safe. You just use the other two devices to replace the compromised or lost key.

I have a multi-signature byteball account on desktop, phone and tablet, which works really great for me. Never tried to set up one in bitshares, perhaps I should try this asap and recommend everybody to try.
Thanks for posting this.

Offline fav
  • BitShares: fav
you can use 2fa from today https://steemit.com/bitshares/@ash/bitshares-openledger-to-add-airbitz-2fa-for-accounts

Nice!
Question though. Does this mean you need to make a new acct with this Airbitz security? Will it work with Airbitz if you don't login via OL?

Maybe is there a FAQ that answers basic questions like this?

you need to make a new account, you have to log in via OL (for now)

One last point of confusion.. what if OL went away? How could you access your coins?

good question, better ask openledger. I guess they will open-source the login code, so it can be forked

Offline renkcub
you can use 2fa from today https://steemit.com/bitshares/@ash/bitshares-openledger-to-add-airbitz-2fa-for-accounts

Nice!
Question though. Does this mean you need to make a new acct with this Airbitz security? Will it work with Airbitz if you don't login via OL?

Maybe is there a FAQ that answers basic questions like this?

you need to make a new account, you have to log in via OL (for now)

One last point of confusion.. what if OL went away? How could you access your coins?

Offline yvv
Quote from: bitcrab
firstly, security is based on good habits, I should not put so many assets in a bot account which is used daily on a laptop where everything is done.

But you want to keep a large amount of funds in the bot account, because the more funds you have, the more volume you trade.

What bot do you use, your own, or third party like btsbots?

Offline bitcrab
  • Committee member
  • BitShares: bitcrab
  • GitHub: bitcrab
I am not sure how my assets were stolen, but I believe it was not done by the ones beside me through my laptop, but by some hacker that got the private key from the Internet.

firstly, security is based on good habits, I should not put so many assets in a bot account which is used daily on a laptop where everything is done.

I don't think the 2FA solution is helpful in this scenario, if a hacker gets your private key, you lose everything, nothing can help you.

maybe only multisig and even a hard/cold wallet can really help to protect the accounts with a huge amount of assets?

Offline fav
  • BitShares: fav
you can use 2fa from today https://steemit.com/bitshares/@ash/bitshares-openledger-to-add-airbitz-2fa-for-accounts

Nice!
Question though. Does this mean you need to make a new acct with this Airbitz security? Will it work with Airbitz if you don't login via OL?

Maybe is there a FAQ that answers basic questions like this?

you need to make a new account, you have to log in via OL (for now)

Offline renkcub
you can use 2fa from today https://steemit.com/bitshares/@ash/bitshares-openledger-to-add-airbitz-2fa-for-accounts

Nice!
Question though. Does this mean you need to make a new acct with this Airbitz security? Will it work with Airbitz if you don't login via OL?

Maybe is there a FAQ that answers basic questions like this?


Offline yvv
Accounts can be set up so that a robot can use it with a single key, while at the same time a desktop wallet with a different key can only use it together with a 2FA provider.


Then what prevents a hacker from using this account with the same single key as the robot?

PRESUMABLY bitcrab's account was hacked through his desktop machine, which in the above setup would not have contained the single robot key. Robots typically run on servers, and servers are more easily locked down than desktop machines.

Ok, you would have one wallet file which is unlocked all the time on a device which is difficult to access, and another wallet file which is locked and requires 2FA to unlock, which is stored on an easily accessible device, right? This could work, I guess. What if the second wallet is encrypted with two (or three) different public keys, with the private keys stored on different devices? Then you would have multi-FA with no third party involved. Would this be possible to implement?

P.S. In fact, this encryption of a wallet with multiple keys is straightforward to implement with something like gnupg, but BTS would need to update the GUI to make it convenient to use.
« Last Edit: September 29, 2017, 05:51:20 pm by yvv »
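The 2-of-3 setup legacy describes earlier in the thread, the 50-50 web-wallet/light-wallet question before it, and the robot/desktop split that pc and yvv discuss here all reduce to one rule: every key on the account carries a weight, and a transaction is authorized once the weights of the distinct keys that signed it reach the account's threshold. The Python below is an added example, not code from this thread or from BitShares itself; it models that weighted authority and works out what one lost or leaked key means for an attacker and for the owner in each of the three setups. The key labels, weights and scenarios are constructed for illustration, and account-to-account authorities are left out.

```python
"""Weighted key authorities (added illustration, not BitShares code).

Models the rule applied to an account's active/owner permission: each key
has a weight, and a transaction is authorized when the weights of the
distinct keys that signed it sum to at least weight_threshold.
All key labels and weights below are constructed for the examples.
"""
from itertools import combinations


class Authority:
    def __init__(self, weight_threshold, key_auths):
        # key_auths: mapping of key label -> weight, e.g. {"desktop": 1}
        if weight_threshold <= 0:
            raise ValueError("weight_threshold must be positive")
        if sum(key_auths.values()) < weight_threshold:
            raise ValueError("no combination of keys can ever satisfy this authority")
        self.weight_threshold = weight_threshold
        self.key_auths = dict(key_auths)

    def satisfied_by(self, signing_keys):
        """True when the distinct signing keys reach the threshold.
        A key signing twice counts once, hence the set()."""
        weight = sum(self.key_auths.get(k, 0) for k in set(signing_keys))
        return weight >= self.weight_threshold

    def attacker_can_spend(self, compromised):
        """Can someone holding only the compromised keys authorize a transfer?"""
        return self.satisfied_by(compromised)

    def owner_can_recover(self, unavailable):
        """Can the remaining keys still authorize a transaction, e.g. one
        that replaces the lost or compromised key with a fresh one?"""
        remaining = set(self.key_auths) - set(unavailable)
        return self.satisfied_by(remaining)

    def minimal_signing_sets(self):
        """Every smallest set of keys that satisfies the authority."""
        keys = sorted(self.key_auths)
        found = []
        for size in range(1, len(keys) + 1):
            for combo in combinations(keys, size):
                candidate = frozenset(combo)
                # skip supersets of an already-found (smaller) signing set
                if self.satisfied_by(candidate) and not any(f < candidate for f in found):
                    found.append(candidate)
        return found


# 2-of-3 across three devices (constructed labels).
TWO_OF_THREE = Authority(2, {"desktop": 1, "phone": 1, "tablet": 1})

# 2-of-2 "50-50" split between a web wallet and a light wallet.
FIFTY_FIFTY = Authority(2, {"web-wallet": 1, "light-wallet": 1})

# The robot's key on a locked-down server carries full weight on its own;
# the desktop key only reaches the threshold together with a 2FA provider's key.
ROBOT_SPLIT = Authority(2, {"robot-server": 2, "desktop": 1, "2fa-provider": 1})


def single_key_outcome(authority, key):
    """Outcome when exactly one key is leaked or lost:
    (attacker can spend with it alone, owner can still act without it)."""
    return authority.attacker_can_spend({key}), authority.owner_can_recover({key})


if __name__ == "__main__":
    setups = [("2-of-3", TWO_OF_THREE), ("50-50", FIFTY_FIFTY), ("robot split", ROBOT_SPLIT)]
    for name, auth in setups:
        sets = [sorted(s) for s in auth.minimal_signing_sets()]
        print(f"{name}: threshold {auth.weight_threshold}, signing sets {sets}")
        for key in auth.key_auths:
            spend, recover = single_key_outcome(auth, key)
            print(f"  lose/leak {key!r}: attacker spends={spend}, owner recovers={recover}")
```

Running it shows the trade-off behind the posts above: in the 50-50 split one lost key also locks the owner out, which is why a third device is suggested; in the robot split the server key alone satisfies the authority, so its protection rests entirely on that server being locked down, while a compromised desktop key on its own cannot spend.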

Offline pc
  • BitShares: cyrano
Accounts can be set up so that a robot can use it with a single key, while at the same time a desktop wallet with a different key can only use it together with a 2FA provider.


Then what prevents a hacker from using this account with the same single key as the robot?

PRESUMABLY bitcrab's account was hacked through his desktop machine, which in the above setup would not have contained the single robot key. Robots typically run on servers, and servers are more easily locked down than desktop machines.

Offline Frodo
  • BitShares: frodo
find a dev to finish and maintain trezor integration. Pretty sure we can get worker funds now

I believe that Bitshares Munich is currently working on Ledger integration, not sure how well that is going though...
http://steem.link/yS2Jj

Maybe they would be willing to finish that with worker funds.

Offline 麥可貓
Maybe the multi-signature feature of BTS can be packed into a decentralized 2FA app, and, once paired, this app can be used for the BTS wallet (login and transactions of amount > threshold) and potentially for external usage. The 2FA scenario is familiar and easy enough for non-tech people to provide security.

Offline yvv

It's not at all shitty. A centralized 2FA service may not be ideal, but it's much better than not having 2FA at all.

IIRC bitcrab said that he accessed the account on a windows machine through a web wallet and/or light wallet. Accounts can be set up so that a robot can use it with a single key, while at the same time a desktop wallet with a different key can only use it together with a 2FA provider.

I think @xeroc had plans to set up a 2FA provider for BTS, but AFAIK it doesn't exist yet.

But a multi-key account is much better than 2FA through a third party, and it is already in BTS. If it is not user friendly, this should be fixed asap. Keys from a multi-key account can optionally be kept by third parties, and it is still better than Google-style 2FA.

Offline yvv
Accounts can be set up so that a robot can use it with a single key, while at the same time a desktop wallet with a different key can only use it together with a 2FA provider.


Then what prevents a hacker from using this account with the same single key as the robot?