Bitcoin Currency Exchanges:
- Mt. Gox: OTP using YubiKey or Google Authenticator
  - Options: [On Login] | [For Withdrawals] | [For Switches To Security]
- Camp BX: OTP/Google Authenticator
- Bitstamp: OTP/Google Authenticator
- Bitcoin-24: OTP using Google Authenticator and for withdrawal SMS messaging
- Bitcoin-otc: GPG authentication with gribble bot
- BitMarket.eu: OTP/Google Authenticator
- Coinbase: OTP/Authy or OTP/Google Authenticator
- FYB-SG (Singapore): OTP/Google Authenticator
- VirWoX: OTP/Google Authenticator
- WeExchange.co: OTP/Google Authenticator
- BTC-E: OTP/Google Authenticator
- Local Bitcoins: OTP/Google Authenticator
- bitcoin.de: OTP/Google Authenticator or YubiKey (but not Mt. Gox YubiKey)
- Blockchain.info/wallet: Google Authenticator, e-mail verification, SMS, and YubiKey (but not Mt. Gox YubiKey)
- WalletBit: SecureCard (or perhaps OTP/Google Auth has been added now?)
- Coinbase: SMS text messaging-based two-factor, Authy (Android/iOS app similar to Google’s)
- Paytunia: OTP/Google Authenticator or YubiKey (but not Mt. Gox YubiKey)
- bitZino: OTP/Google Authenticator
- Just-Dice: OTP/Google Authenticator
Disclaimer: I work for 2FA company CryptoPhoto
Google Authenticator does not save you from phishing or MitM/MitB or malware like NeverQuest, Hesperbot, Zeus, Ice IX, Bugat V2, Carberp, Citadel, Syscron, SpyEye, etc – or any APTs at all.
Google Authenticator (GA) is not open source (only some antique version no longer in use ever got released)
They store their bypass codes in plaintext on the server (any serverside break-in grants the attacker utter capability to authenticate as you)
Their bypass codes have insanely low entropy (7 numeric digits only – guessable in a mere five million attempts on average)
Their app provides QR code enrollment – and the QR codes are generated by putting your (supposed to be secret) private key into the HTTP GET parameter of a google-owned URL: or in other words – regardless of where you enroll with GA, they’re sending your private keys to google.
“HTTP GET” parameters get stored in log files (granting access to your secret keys to anyone who can get the logs – such as by hacking, or legal subpoenas, or intercept)
The GA app uses a 3rd party QR code scanner to read your secret keys. This 3rd party device is a supermarket barcode app, designed to send all scanned codes to their server. This is all “closed source”, so it’s unlikely to tell if they’re recording your secret keys. Even if they’re not, the author (which is not Google, and not under their control) merely has to make an update to grab GA keys if he wants.
GA uses TOTP, which works with “collective secrets”. This is a horrifying mistake. Again – anyone who can crack either end of the channel can forever impersonate the other end (read: a serverside breakin can own your client side auth). I am gobsmacked Google were so stupid on this one. Asymmetric crypto was invented to stop that kind of problem – did they choose not to use it on purpose?
In the limited source that’s available, there is a race-condition error in their brute-force-prevention code: you’re supposed to only be able to guess three codes, but if you open two+ channels for guessing, only one of those channels gets blocked – all the other ones can keep on indefinitely guessing fresh codes without getting blocked.
And of course – to state the bleeding visible – most of the exchanges that have already been looted were also “protected” by GA, with many of the victim operators publicly announcing that the hackers just bypassed it.
It’s cool that GA costs nothing, but that’s pretty much all it’s worth!
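The comment above makes two mechanical points about TOTP: the server and the phone hold the same secret, so the server's copy produces exactly the codes the app produces; and a guess limiter that counts per connection rather than per account does not limit anything. The following is an added example, not code from the original page, from Google Authenticator or from any exchange listed above. It implements RFC 4226 HOTP and RFC 6238 TOTP (the public algorithms GA uses, SHA-1 and 6 digits by default) and a server-side verifier whose failure counter is keyed by account and updated under one lock. The class name `TotpVerifier`, the helper `secret_from_b32`, the account name `alice` and the timestamp are this example's own constructions.

```python
"""Added example: RFC 4226/6238 one-time codes plus an account-level attempt
limiter. Not code from any exchange or from Google Authenticator; the names
TotpVerifier and secret_from_b32 are this example's own."""
import base64
import hashlib
import hmac
import secrets
import struct
import threading


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 64-bit counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time.
    Both ends hold the same `secret`, so whoever holds the server's copy
    computes exactly what the phone app computes."""
    return hotp(secret, int(at_time) // step, digits)


def secret_from_b32(b32: str) -> bytes:
    """What the phone app does with the enrolment string: decode base32 to
    the raw shared secret it will store."""
    return base64.b32decode(b32)


class TotpVerifier:
    """Server side of TOTP with a per-account failure counter.

    The counter is keyed by account and read/updated under one lock, so a
    guess submitted over a second connection still draws on the same budget.
    A counter kept per connection or per session would be defeated simply
    by opening more connections."""

    def __init__(self, max_attempts: int = 3, step: int = 30, window: int = 1):
        self.max_attempts = max_attempts
        self.step = step
        self.window = window          # tolerate +/- this many steps of clock drift
        self._secrets = {}            # account -> raw secret bytes
        self._failures = {}           # account -> consecutive failed guesses
        self._lock = threading.Lock()

    def enroll(self, account: str) -> str:
        """Create a fresh 160-bit secret and return it base32-encoded, the
        form authenticator apps import."""
        secret = secrets.token_bytes(20)
        with self._lock:
            self._secrets[account] = secret
            self._failures[account] = 0
        return base64.b32encode(secret).decode("ascii")

    def verify(self, account: str, code: str, now: int) -> bool:
        with self._lock:
            if account not in self._secrets:
                return False
            if self._failures[account] >= self.max_attempts:
                return False          # locked: even a correct code is refused
            secret = self._secrets[account]
            for drift in range(-self.window, self.window + 1):
                expected = totp(secret, now + drift * self.step, self.step)
                if hmac.compare_digest(expected, code):   # constant-time compare
                    self._failures[account] = 0
                    return True
            self._failures[account] += 1
            return False

    def failures(self, account: str) -> int:
        with self._lock:
            return self._failures.get(account, 0)


if __name__ == "__main__":
    v = TotpVerifier()
    phone_secret = secret_from_b32(v.enroll("alice"))   # same bytes the server keeps
    t = 1_700_000_000                                   # constructed timestamp
    print("phone code:", totp(phone_secret, t))
    print("accepted  :", v.verify("alice", totp(phone_secret, t), t))
```

The `hotp`/`totp` functions reproduce the RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`, counter 0 gives `755224`; time 59 with 8 digits gives `94287082`), so they are interchangeable with what a standard authenticator app shows. The verifier deliberately has no unlock path: a production service would expire the counter after a cooldown and alert the account owner, but the point here is only that the budget is attached to the account, not to the channel the guess arrived on.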