Localbitcoins recently behaving like middle aged colonial rulers. They want to throttle user's voice. Recently my 3 tier verified account with 3000+ trades was hacked and my 1.47+ bitcoin was stolen from their wallet. They still didn't return my account to me. I found the flaws in their system and post some suggestions. But they removed my post. what they want actually? They only count profit and not look at the user's security.submitted by traderforbtc to Bitcoin [link] [comments]
The original post is as follows, whats your say?
With reference from these post: https://www.reddit.com/Bitcoin/comments/i1qyn1/authy_cost_me_33k_usd_in_10_min/?sort=new
I want to ask localbitcoins to implement SMS based 2fa. As I scammed $33k usd for the vulnerability of Authy, people should have choice of avoid it. For login , bitcoin release and bitcoin send option, user should have choice of the type of 2fa they want. Someone might choose sms for login, auth for release, sms for sending btc or another combination.
For "forgot password" option localbitcoins or any wallet should verify the action with sms 2fa. they should send sms to the verified phone with the account. If this was in place, i could have saved 1.47 btc with them.
For "changing email" option sms based 2fa also must be used. This way none without the verified phone can change email.
For both option above, system also can check some personal details like Identity Documents no: or date of birth etc.
Localbitcoins should also maintain an emergency contacts, At least 1 person monitoring the support request during off hours and if anything urgent, he/she should take action. For my case, if someone blocked my account as soon as i emailed them, i could have saved this huge loss.
There should be a "lock my account" option. Localbitcoins can automate this process with a specific email or sms only phone number. If someone from his verified email or phone number email or sms to that specific email or number, the system should automatically block the respective account.
Localbitcoins should also detect proxy/vpn users. And should never let to send bitcoin or start trade with a new proxy/vpn. I always use my account from the real ip of my resident country. Suddenly someone login from proxy/vpn or from other location and localbitcoins let them to drain my account is not acceptable.
So, please all user of localbitcoins raise your voice for these security measures in localbitcons. We keep our hard earned money with them and they can't only sleep and count profit. I will soon write these to consumer authorities.
Dev meeting? Would say so, yes The people are still exhausted from the payment ID meeting :) Guess we could ping some people vtnerd, moneromooo, hyc, gingeropolous, TheCharlatan, sarang, suraeNoether, jtgrassie Anyone up for a meeting? Yep I'm here Here o/ Perhaps we should just start and people will eventually hop in? oof sorry guys, I'm working on the new FFS and I forgot all about this. Got a couple of new volunteers. This literally might be able to launch tomorrow. I know that. It's called "flow" :) I could run if you're out of time? go for it dEBRUYNE you guys are going to like this new FFS. We're like 99% done. Hi rehrar: someone else do the milestone thing already? All right, jtgrassie, perhaps you'd to start w/ briefly describing your most recent PR? https://github.com/monero-project/monero/pull/5091 oneiric, xiphon did everything like....everything As far as I can see, it allows the user to push his transaction over I2P, thereby masking the origin IP of the sendeuser great And it hooks into vtnerd's PR right? Sure. It basically just builds on vtnerds Tor stuff. sorry dEBRUYNE Really not much added. I have it running and tested. From the perspective of the user, what needs to be configured exactly? Nice Assuming the PR is included in the release binaries I'm using knacccs i2p-zero duirng testing but will of course work with any i2p setup sorry dEBRUYNE <= Np Looks a little like dams breaking, now that we have some dark clouds over Kovri and people take matters into their own hands ... User needs to run i2p, expose a socks service and and inbound tunnel. Basically same as Tor Okay, so should be reasonable as long as we write proper documentation for it (e.g. an elaborate guide) rbrunner, yes, knaccc credit for jumping on i2p-zero really dEBRUYNE: documentation monero side is kindof done. i2p side is very much implementation specific. I suppose we could write some guides for the most popular implementations? e.g. i2p-zero aims to be zero conf, but i2pd or Kovri would be differnet. I see, great vtnerd___: Do you want to add anything? could amend the current kovri guide for monero use from --exclusive-peer to the new proxy support Now I have i2p-zero running and tested with the #5091, I plan to jump back over to helping knaccc on getting that polished. I added support for socks proxy in the basic wallets ^ excellent Yes vtnerd___ I havent tested it yet but looks sweet. So connections to `monerod` over Toi2p are possible within wallet cli and wallet rpc Awesome This also implies auth+encryption even if ssl is not in use (when using an onion or i2p address) All right moneromooo: are you here? If so, could you perhaps share what you've been working on? I am. I revived the SSL PR, more stuff on multi sender txes, an implementation of ArticMine's new block size algorithm. I presume a multi sender tx works similar to multisig insofar as the senders have to exchange data before the transaction can be performed right? Yes. There are 2 SSL PRs. What's the diff? Theoretically this would also allow the sender to provide an output right? Which would be kind of similar to Bitcoin's P2EP The second one adds some things like selecting a cert by fingerprint. Yes. (for the first sentence) All right, awesome For anyone reading, this breaks the assumption of the inputs belonging to a single sender, which makes analysis more difficult Nice side-effect. Much work coming for the various wallets to support that rbrunner: Anything you'd like to share in the meeting btw? Yes, just a little info I have started to seriously investigate what it would mean to integrate Monero into OpenBazaar I have already talked with 2 of their devs, was very interesting In maybe 2 or 3 weeks I intend to write a report Too early to tell much more :) Soon^tm I guess :) Yep Currently wrestling with Go debugging whole new world moneromooo: Has pony recently shared any insights regarding the upcoming 0.14 release btw? No. All right I would love to see the tor & i2p PR's merged sooner rather than later so we can get more testing done. ^ +1 Isn't that famous early code freeze already on the horizon? fluffypony, luigi1111 ^ I suppose I could provide a little update regarding the GUI btw As always, lots of bug fixes and improvements :-P selsta has recently added a feature to support multi accounts dsc_ has revamped the wizard and will now start working on implementing the different modes and a white theme dsc_ is working fulltime on the GUI already? yes :) dsc_ is bae In light of the recent payment ID discussion, we've also, by default, disabled the option to add a payment ID unless the user explicitely activates the option on the settings page rehrar ^ nice I spoke about this yesterday at the coffee chat, this is not a good decision. How does it handle integrated addresses? The same way? rehrar ? For the next many months, we are still stuck with PAyment IDs in the ecosystem. Making it harder for people to access them will make Monero suck so hard to use for the average person for many months. i agree with rehrar Remove the option of Payment IDs when we remove Payment IDs rehrar: The new GUI release won't be live until probably mid march though Which is a few weeks in advance of the scheduled protocol upgrade Payment ID removal comes in October right, but Payment IDs are not removed in March Did we not have loose consensus on removing the old, unencrypted payment IDs in march? they are removed in October We had discussed a deprecation in March and a ban in October ok, then if we are going to do that, we have to commit to it and contact the exchanges like Binance that use them and get rid of them in the next few months (of unencrypted) Binance is huge, and if they still use them, then people will be very upset that they can't deposit or use Payment IDs easily I'm just speaking from a UX perspective. I thought it was unencrypted in April and possibly encrypted in October Yes I do agree Timeline and notes: https://github.com/monero-project/meta/issues/299 impossible to remove them for march, many exchanges still use them We can defer it to the 0.15 release if needed Well, that wasn't the impression for them log that I just read today This was all discussed in the earlier meeting linked above We have to force the ecosystem off of Payment IDs before we remove them from the UI, is all I'm saying Remove != make difficult to use ... or make them more difficult there, right? ping sgp_ sarang, I understand, and I agreed with you during that meeting. But then I started thinking of it as a UX person, which I am. And that huge massive problem leapt out at me i think making them difficult to generate is a good idea but making them difficult to consume and use is a bad idea well, maybe not a good idea, but a better idea ^ If we defer the decision to depriciate long payment IDs to october, won't we have the same issue then? The UI can gave an expandable payment ID field like MyMonero and we can still call it deprecated It is foolhardy to remove an option that the ecosystem uses. So I suggest we keep the Payment ID in the UI until October when they are completely banned. no dEBRYUNE, because they will be banned via consensus sgp_ imo it may be a misdirection of dev resources to add that since things are proceeding in the short term rather than long term but this is a relatively minor point Nothing matters til exchanges change All right The issue is that consensus will still have them in April, and exchanges won't upgrade because they are still allowed. Thus they must still be in the UI. endogenic these changes are already merged in the GUI to hide it like you do ok But when they are banned, exchanges are forced to upgrade or stop using Monero, so we can remove them safely because they won't be in use rehrar: that's a strong assumption sarang that they will upgrade? yes if they don't, then they can't use Monero If exchanges require pid, users need a way to set a pid. Making it hard for the user in the interim is just going to be a nightmare. we have decided to take our "stand" in October A way that is not too hard, then To be clear, we still intend to deprecate long encrypted payment IDs in April right? But no enforcement until October the term "deprecated" doesn't mean much if it's still allowed, and used in popular places yes, as far as I understand it jtgrassie, exactly True I suppose dEBRUYNE: we need to be more specific when talking about deprecation the person who suffers is the user There are two proposals for GUI deprecation: 1. Hide it in the send screen with a simple option to expand (currently merged iirc) 2. Hide it completely in the send screen unless users enable the field in advanced settings (PR'd but not merged yet iirc) What are the arguments for 2? Both are poor options, but 1 is better than 2 by a long shot Well the people who need to be made to "suffer" are the exchanges. And I don't see a way to make exchanges "suffer" other than by having their suffering customers complain to them constantly that they need to update. ^ CLI has something similar where users need to set a manual payment ID transfer mode. Not sure if it's merged yet the way to make the exchanges suffer is when we ban PIDs. They either upgrade or don't use Monero. exact;y Agree with rerahr here have exchanges been provided with clear, practical, sufficient technical upgrade plans for supporting what they're doing with PIDs but with subaddrs? Both are poor options, but 1 is better than 2 by a long shot <= I wouldn't call 1. a poor option. Have you actually checked how it looks? Because it states "Payment ID" and a user has to click on the + to expand the field endogenic: yes the email when out. Blog post coming soon, but contains the same info as the email also the exhcnages' users are often using wallets that don't support subaddresses ok great as well, it should be noted that the timeline for exchanges to upgrade is September, not October when the fork is. Which wallets are that? Rehrar: I don't see option 1. causing any issues/confusion i guess it doesnt matter too much if withdrawing as a personal user the main address should suffice Because September is when the new versions will be coming out without PIDs in the UI If there's opposition to 2, 1 is fine. We can still call it deprecated which is the optics we need anyway exchange users are often just using other exchanges lol. No wallets involved. dsc_ dEBRUYNE, ok, I trust you guys here then rbrunner: i was thinking mymonero last i heard Ok pigeons: rbrunner yes receiving on subaddresses won't be supported yet sending to them has been possible though and yes as learnandlurkin says often they withdraw to other systems like exhcnages that also dont yet support subaddresses I really can't come up with any good argument for 2. right now endogenic: seems not much of an issue then. Exchanges will typically support withdrawals to both subaddresses and plain addresses (especially if we are going to force them to use subaddresses) For deposits, MyMonero works properly if the user sends to a subaddress Actually the second solution was already merged: https://github.com/monero-project/monero-gui/pull/1866 Maybe not enough eyes watching :) The important thing is to have done something to justify having a big "DEPRECATED IN APRIL" stamp on PIDs to spook exchanges in the interim This was for solution 1: https://github.com/monero-project/monero-gui/pull/1855 The Monero Community Workgroup will start making noise everywhere we can to exchanges, and everywhere else that will listen. Try to get on those garbage news sites also. So everyone knows that deprecated in April, and banned in September Hey, for solution 1, write "Payment ID (optional, deprecated)" or similar there rbrunner: noted rehrar: probably wait until the blog post, but it should only be a few days Maybe a Reddit sticky post would be useful? With the blog post If people are over freaking out about the hashrate or terabyte blockchain :) sigh Any questions for the MRL side? Is someone checking ArticMine's block size changes for weird behaviour in some cases etc ? How would such testing work? Private blockchain?