Simple way to enhance Gatehub security

[Guest]

After reading recently about two people loosing Gatehub funds due to phishing sites I checked the security settings on my Gatehub account. 

After login with password and 2FA I need to re-enter my password again to unlock trading or to withdraw funds. What is the function of entering the password twice? If they already know your password and 2FA (which was the case with the phishing sites) it is easy to enter the same password twice to unlock trading and withdrawing. I don't see the added value of entering the same password twice tbh. 

What really would help is the option to ask confirmation by email when withdrawing. I have seen that on another exchange. Maybe I am mistaken but I cannot find this option on Gatehub. 

@enej maybe something to consider. 

[T8493]

Email is pretty pointless.

If attacker has your password and can log in to your GateHub account, the he/she can decrypt your Ripple secret keys and sign arbitrary transactions with them. If email is sent after this point, it can't prevent anything (unless GateHub completely changes their "workflow" for signing and retrieving secret keys).

Multisign with some external app is probably a better solution.

 

[Guest]

 

3 minutes ago, T8493 said:

Email is pretty pointless.

If attacker has your password and can log in to your GateHub account, the he/she can decrypt your Ripple secret keys and sign arbitrary transactions with them. If email is sent after this point, it can't prevent anything (unless GateHub completely changes their "workflow").

Multisign with some external app is probably a better solution.

 

 

You are right about disclosing the secret key. Also only protected by password. I don't understand how this adds to security. Once someone has your password to login they can use it for showing your secret key as well. Never really thought about it but this does not make any sense. 

Okay then we need the email confirmation option also for disclosing the secret key.  

[Rose]

i thought Gatehub has two passwords. the first one is a password uses to login Gatehub along with your Gatehub id. Then before you trade/send/ disclose a secret key functions , you will be required to enter a password. (the second password requirement does not have to be the same as the first ) So this is a second password  is different from the first password which adds some peace of mind. At least i have two passwords for my account plus the 2FA. 

[Rchopra]

29 minutes ago, Rose said:

i thought Gatehub has two passwords. the first one is a password uses to login Gatehub along with your Gatehub id. Then before you trade/send/ disclose a secret key functions , you will be required to enter a password. (the second password requirement does not have to be the same as the first ) So this is a second password  is different from the first password which adds some peace of mind. At least i have two passwords for my account plus the 2FA. 

How can u change the second password for trading etc on gatehub..??

[DarthTrader]

I think gatehub is very safe and not the problem -> The pishing sites are!

so why we don't generate an shortlink tab on this Forum? @karlos It's easy and safe.

example:

Gatehub <link>
Bitstamp <link>

etc.

 

Some security guys also can maybe make an topic with Infos in general like  (malware program, IP Change,
VPN....etc)

[Guest]

8 hours ago, Rose said:

i thought Gatehub has two passwords. the first one is a password uses to login Gatehub along with your Gatehub id. Then before you trade/send/ disclose a secret key functions , you will be required to enter a password. (the second password requirement does not have to be the same as the first ) So this is a second password  is different from the first password which adds some peace of mind. At least i have two passwords for my account plus the 2FA. 

Will look into the password thing. Cannot remember seeing an option for two password. I agree this would create an extra barrier. Still like the idea of  email confirmation option. 

[T8493]

11 hours ago, DarthTrader said:

Some security guys also can maybe make an topic with Infos in general like  (malware program, IP Change,
VPN....etc)

Don't promote VPNs and different IP addresses. If you always log in from the same IP address, then exchanges can "lock" your account to this IP address. However, if you use multiple IP addresses, their rules for rejecting logins from different IP addresses become less strict (and therefore all this makes the work of phishing sites potentially easier).

 

[DarthTrader]

@T8493 so it looks like you know something about security and how exchange works. Make an topic?

[enrique11]

Here's an example of a phishing attempt.  Just received it 1/2 hour ago.  I circled the phishy stuff ;P 

They sent me message via e-mail from what appears to be LBRY slack channel? The ICO (lol...initial coin offering) Security Team, letting me know that my tokens are in jeopardy if I don't go to their website (scammer's website) and take care of it.   Notice their misspelling of the myethereumwallet website with the letter 'n' at the end?  

I underlined the part where they  try to scare you into going into their scam website.  Anyway, if you ever get such an e-mail, don't blindly trust it and never click on any links. If you are concerned, just go to their official website and see if there is anything going on, and you can report to them what's going on...don't know if it will help.

What's ironic is that I do hold LBRY credits and do have tokens on MEW (myethereumwallet), so some people might be inclined to freak out after receiving such an e-mail, so watch out for such BS.  This probably isn't very common knowledge such phishing attempts now, but in the future as cryptos go mainstream, I'm afraid many people will "freak out" upon receiving such an e-mail in their inbox and make the huge mistake of clicking on the link and giving out their password to a scammer website.

 

 

Edited September 17, 2017 by enrique11