I suspect GPUMax was compromised and passwords stolen

[BlackBison]

I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://asktom.cf/index.php?topic=84585.msg937236#msg937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.

[molecular]

I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://asktom.cf/index.php?topic=84585.msg937236#msg937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.

you can already activate 2-factor withdrawal on glbse... oh, via API, hmm, didn't check that. Is it possible to withdraw without 2-factor-auth using the api even if it's activated for withdrawals?

[Nefario]

You cannot withdraw using the API.

[molecular]

You cannot withdraw using the API.

thanks for clarifying.

[MPOE-PR]

Question: when is someone going to invent a be-all, end-all service that is totally full of awesome and win, and then decide to force all users to use a proper 2-factor authentication system?

This has happened, except it forces users to use gpg not worthless 2fa. And the users complain about the

ease-of-use, customer service, and personality of exchange manager.