Security Options: time delays, spending limits, and Safecoin security levels

I think the problem is that our online security relies on email providers. Email was never meant to have such an important role. With Safe we will be able to base our security on a private key that never leaves our computer. I’m no expert but this sounds much more robust.

1 Like

A good book to read that was mandatory in one of my security classes was No Tech Hacking by Johnny Long. It’s a great resource on social engineering. If anyone would like to borrow it I have it on kindle.

Social engineering only works with companies. If 2 of my friends hold the multisig key to recreate my account, and if I explicitly told them that if I lost my phone or my account is compromised I will call them to speak on the phone, then an attacker can try whatever they want but they won’t get those keys from a friend or family.

To sound paranoid an attacker could fake your voice, but to thwart even that, you can use something like “Facetime”/Google hangout/Firefox Hello.

So maybe we should think about having an app with video calls to ask your family/friends to recreate your account. I don’t want to sound forceful, but if the only way to recreate your account with your trusted parties is this way, you eliminate the possibility of an attacker doing an MITM attack through other methods. Obviously you run into problems with this idea when you have users with feature phones, but since SMS is not secure it’s not advisable to even consider it as an option.

2 Likes

In the SAFE net, for now, if an attacker has your credentials, he or she is you, so I don’t know how a time delay can save you.

Multisig, in the sense that you need the approval of several different accounts, makes it extremely difficult to spend your coins, especially if you never use the same computer for the different accounts or use a live USB to access one of these accounts.

In the crypto world you are your own bank so your security is your concern.

1 Like

For now, but we can improve it. The idea is to have more than one level of security to reduce the potential of damage an attack can make while keeping the usefulness of a simple account for your daily usage.

For example you could have a normal account with no delay in which you hold only a fraction of your coins. And another account with all security options in which you hold all your remaining coins.

If the first one gets compromised you don’t lose too much and you can get it back by using the second one. And if the second one gets compromised everything is delayed so you have the time to get it back by resetting your credentials using your list of trusted friends.

1 Like

I suppose MaidSafe could have a “delayed account” (say, choose one of fixed delays, 1, 2, 3, 5, 7, 30 days), but you’d still have to login regularly to see what the heck is going on inside of your wallet and whether you should reset your creds.
And when you want to send funds from that account to your normal account, you have to wait as well. (I presume that once set, this delay couldn’t be turned off.)
Seems quite inconvenient.

Here are my thoughts after reviewing the article linked by @happybeing.

  • The driver license image functioned like a cold storage recovery password
  • The 48hr time delay proved simple and effective.
  • The hacker used brute force on the weakest link (mail.com) and then peeled the onion from there.
  • Bitcoin is a public ledger, revealing his balance to everyone.

1st bullet point.
Perhaps we can use a cold storage keyfile or master password for the “root” account, suggested by @DavidMtl.

2nd bullet point.
A time delay for long term savings should not be changeable once it is set.

3rd bullet point.
There is no email recovery on the SAFE Network. It is more likely a keylogger or similar attack will be used to capture the password and pin. There is risk every time the user logs into their account, especially if they unknowingly use a hacked device. The fail-safe will be the 2nd layer above… and if that fails… the 1st layer is the last line of defense.

4th bullet point.
Because Safecoin is private, thieves have a hard time deciding who to attack. Believe it or not, this helps. Just don’t publicly advertise your wealth and account associations.

In summary, I don’t think anything is 100%. But a balance of convenience with security gives the best user experience. The rest is up to the user. If possible, this would be my personal choice below.


  1. Recovery account using a “cold storage keyfile or master password” for resetting my regular password and pin. This is done in case I forget my password or my account is compromised. I really don’t want to wake up my friend at 2AM because I’m freaking out.

  2. Regular account with 2 pools: savings (requires 24 hours), spending (instant). This is the most likely account to be attacked because it has the highest exposure: constant logins, online activity, etc… Most of my Safecoin will be in the savings pool, while I allocate spending as needed.

The point of my setup above is to use #1 only in emergencies, keeping exposure to near zero, but fast reaction time.

Meanwhile the flexibility of #2 gives me enough breathing room to enjoy my Safecoin.

Some would say an attacker would target #1. How would they know #1 resets #2? If set up correctly, this would be similar to having a trusted friend reset your password, right?

4 Likes

Security vs convenience is a delicate balance, but it should be up to the user to determine their priorities.

3 Likes

Cyber cash system: to allow the ability to digitally trade resources anonymously on a network, by provision of a system of credits within a global network, which can be passed or transacted anonymously with users having a valid identity that constantly changes but which may be re-validated at any stage and allows purchasing from sources that have a known and public ID of credits and almost instantly transacting these to a private and ever changing private ID, assuring and protecting the identity of users

That’s the description of Safecoin in the patent…surely any proposal to ‘color’ coins, ‘assign security levels’ to coins is not going to fly?

Cash is Cash …better security features at the wallet level is great though.

Nice problem, we will solve it though - David Irvine :slight_smile:

After more thought, the (time delay) may not be as effective as I hope. If the attacker has access to my account, they could wait for me to transfer Safecoin from Savings to Spending. Once a large amount arrives in my spending pool they can snatch it quickly.

This is a vexing problem. Surprisingly, @janitor’s cold storage suggestion gave me an idea.

Maybe we could have Spending + Hidden pools?

  • A Spending pool balance is “seen”.
  • A Hidden pool is “unseen”. Its account ID is created by the Network, submitted via captcha. The owner writes down the account ID, preventing the keylogger from capturing it. When they want to spend the Safecoin, they enter the account ID to summon the Safecoin, in a manner of speaking. It functions similar to cold storage, and can be used like temporary accounts.

Example of how it works.
Let’s say a hacker manages to gain access to your regular account. The most they will “see” is the balance in your spending pool. They would need to “know” the account ID of the hidden pool in order to gain access to it.

Spending Pool Balance : 100 Safecoins
Enter Hidden pool ID [ ? ] = [ ? ] Safecoins

If the SAFE Network works the way I believe it works, this should be possible. I wouldn’t burden the core devs with this idea, but I think it has potential. If it does work, it would be similar to having multiple cold storage accounts.

Some would say why bother having a spending account? Because we need it for auto payments like Network PUT activity, and trusted APPS.

Thoughts?

2 Likes

Never mind, you got 3 likes there!

I imagined that any account (or pool, address) would be somehow associated with the user login (in the same way that any address from a deterministic wallet is derived from its pass phrase). But it seems you’re claiming otherwise. You may be right, but if that’s the case what happens if you lose the little paper with the hidden pool’s ID?
The approach with another “wallet” (where you can count on your connections to help you reset your account) at least gives you a way to almost never lose access to your Savings “wallet”.
If all hidden pools can be derived from the pass phrase, then the thief would be able to load them all until he finds the one that’s loaded with SAFE.

If one spends X SAFE a week, he needs to send 2X SAFE to Spending account from his crypto exchange (where you fund your SAFE purchases with BTC).
Savings (cold wallet) shouldn’t need to be accessed more than once a month or quarter.

Sorry about the lazy use of terminology (wallet, address, pool) - it’s late and I’m tired :slight_smile:
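
The enumeration risk raised in the post above (hidden pool IDs that can be derived from the pass phrase versus IDs that exist only on paper), as an added example in Python. This is not SAFE Network code: the derivation (HMAC-SHA256 over the pass phrase and an index), the pool store and the sample pass phrase are all hypothetical and constructed for illustration.

```python
"""Hidden pool IDs: derived from the pass phrase vs. independently random.

Added example, not SAFE Network code. The derivation scheme, the Network
key-value store and the sample pass phrase are hypothetical.
"""
import hashlib
import hmac
import secrets

PASSPHRASE = "correct horse battery staple"   # constructed sample credential


def derive_pool_id(passphrase: str, index: int) -> str:
    """Deterministic pool ID: anyone holding the pass phrase can recompute
    every ID for index 0, 1, 2, ... and probe each one."""
    return hmac.new(passphrase.encode(), f"pool:{index}".encode(),
                    hashlib.sha256).hexdigest()


def random_pool_id() -> str:
    """256 bits of entropy with no link to the login; it only survives on the
    paper the owner wrote it on, so losing the paper loses the pool."""
    return secrets.token_hex(32)


class Network:
    """Toy store of pool_id -> balance. A balance can only be read by a party
    that knows the exact ID; there is no listing operation."""

    def __init__(self) -> None:
        self._pools: dict[str, int] = {}

    def create(self, pool_id: str, balance: int) -> None:
        self._pools[pool_id] = balance

    def balance(self, pool_id: str):
        return self._pools.get(pool_id)


def thief_enumerates(network: Network, passphrase: str, max_index: int = 1000):
    """Thief with stolen credentials walks the derivation path until a
    pool with coins turns up. Returns [(index, balance), ...]."""
    found = []
    for i in range(max_index):
        bal = network.balance(derive_pool_id(passphrase, i))
        if bal:
            found.append((i, bal))
    return found


def demo():
    """Two hidden pools of 500 each: one derived (index 7), one random."""
    net = Network()
    net.create(derive_pool_id(PASSPHRASE, 7), 500)
    paper_id = random_pool_id()          # owner writes this down
    net.create(paper_id, 500)
    stolen = thief_enumerates(net, PASSPHRASE)   # finds the derived pool only
    return stolen, net.balance(paper_id), paper_id
```

The derived pool falls in a thousand guesses; the random one is out of reach of enumeration but also out of reach of any reset-by-friends scheme, which is the trade-off the thread is weighing.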

Thanks for your feedback,

You’re right, the owner may lose their physical paper, which is just as bad. I remember James Howells’ lost hard drive. A piece of paper would be easier to misplace, unless you thought it was a winning lottery ticket!

It is best to prevent (password and pin) from being captured. Even without access to Safecoins, the hacker could still wreak havoc on the owner by stealing their SAFE identities, abusing their account, oh the horror!

I hope we do come up with a simple yet effective solution. Because the SAFE Network will be used for more than just monetary transactions.

Didn’t know about the poor chap. Nice one!

The reset feature would be very helpful in cases of identity theft and if one funded his Spending account from a crypto-exchange that would be a decent setup that could ensure that the risk of financial loss and permanent identity theft is very small.
If address balance can be looked up (‘watched’), on the crypto exchange one could have a setting that would auto-buy SAFE whenever the balance on the Savings account drops below $10. For me that would be enough.

We’ll see what the devs say, if the delay thing is doable/practical.

1 Like

Time delay is like a lock on a door. A determined thief could figure a way around the lock. But the idea of the time delay is not to be the perfect deterrent. Instead it is designed to make a thief think twice about attacking the account and maybe move on to an easier target.

I don’t have to outrun the bear, I only have to outrun the other guy. Lol :wink:

In the SAFE net, for now, if an attacker has your credentials, he or she is you, so I don’t know how a time delay can save you.

Here is a protocol that should make it very safe:

- Maintain a list of administrator login IPs.
- If the list is empty, add the current login IP to the list.
- If the current login IP is not on the list, the user can request administrator capabilities (this action goes on a 48hr admin queue, shown at login and cancellable).
- Admin can add an exception to allow a subnet of IPs to act as admin login IPs (for dynamic IP use cases: 255.255.255.0 or 255.255.0.0 etc).

This way an attacker would not be able to capture an account if the owner is vigilant, because their request for admin access could be denied.

The owner could gain admin access even in special cases, but only after 48hrs. This same 48hr queue could be used to lock other important actions, like spending safecoin from savings account.
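
The 48hr admin queue proposed above, combined with the savings/spending pool split from earlier in the thread (a delayed savings pool feeding an instant spending pool), as an added example in Python. This is not SAFE Network code: the Account model, the two pools, the 48-hour delay constant, the allowlist rules and the sample IP addresses are all hypothetical. It takes the login IP at face value; whether the network could see a stable client IP at all is the point the replies below dispute.

```python
"""Delayed-action queue with an admin-IP allowlist (hypothetical model).

Added example, not SAFE Network code. Sensitive actions (granting admin
rights to a new login IP, moving coins out of the delayed savings pool) sit
in a queue, are shown at every login and can be cancelled until they are due.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DELAY = timedelta(hours=48)   # the thread's 48hr queue; assumed fixed once set


@dataclass
class Pending:
    kind: str             # "grant_admin" or "withdraw_savings"
    detail: str           # the IP to grant, or the amount as a string
    release_at: datetime
    cancelled: bool = False
    applied: bool = False


@dataclass
class Account:
    savings: int = 0        # delayed pool
    spending: int = 0       # instant pool
    in_transit: int = 0     # reserved for pending withdrawals
    admin_nets: list = field(default_factory=list)   # ipaddress networks
    queue: list = field(default_factory=list)

    def is_admin_ip(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.admin_nets)

    def login(self, ip: str, now: datetime):
        """Apply due actions, bootstrap the allowlist on the very first login,
        and return (is_admin, still-pending actions to show the user)."""
        self._apply_due(now)
        if not self.admin_nets:
            self.admin_nets.append(ipaddress.ip_network(ip))
        pending = [p for p in self.queue if not (p.cancelled or p.applied)]
        return self.is_admin_ip(ip), pending

    def request_admin(self, ip: str, now: datetime) -> Pending:
        p = Pending("grant_admin", ip, now + DELAY)
        self.queue.append(p)
        return p

    def add_admin_subnet(self, ip: str, cidr: str) -> None:
        """Only a current admin login may widen the allowlist (dynamic IPs)."""
        if not self.is_admin_ip(ip):
            raise PermissionError("not an admin login IP")
        self.admin_nets.append(ipaddress.ip_network(cidr, strict=False))

    def withdraw_savings(self, amount: int, now: datetime) -> Pending:
        if amount > self.savings:
            raise ValueError("insufficient savings")
        self.savings -= amount        # reserve now so the queue cannot overdraw
        self.in_transit += amount
        p = Pending("withdraw_savings", str(amount), now + DELAY)
        self.queue.append(p)
        return p

    def cancel(self, p: Pending) -> None:
        if p.applied or p.cancelled:
            return
        p.cancelled = True
        if p.kind == "withdraw_savings":
            amount = int(p.detail)
            self.in_transit -= amount
            self.savings += amount    # reserved coins go back to savings

    def _apply_due(self, now: datetime) -> None:
        for p in self.queue:
            if p.cancelled or p.applied or p.release_at > now:
                continue
            if p.kind == "grant_admin":
                self.admin_nets.append(ipaddress.ip_network(p.detail))
            else:
                amount = int(p.detail)
                self.in_transit -= amount
                self.spending += amount
            p.applied = True


H = timedelta(hours=1)
T0 = datetime(2015, 6, 1)
OWNER_IP, THIEF_IP = "203.0.113.10", "198.51.100.7"   # constructed addresses


def thief_caught_by_vigilant_owner() -> Account:
    """Stolen credentials; the owner logs in within 48h and cancels the queue."""
    acct = Account(savings=900, spending=100)
    acct.login(OWNER_IP, T0)                        # first login: owner IP is admin
    is_admin, _ = acct.login(THIEF_IP, T0 + 1 * H)  # thief logs in from elsewhere
    assert not is_admin
    acct.request_admin(THIEF_IP, T0 + 1 * H)
    acct.withdraw_savings(900, T0 + 1 * H)          # would reach spending at T0+49h
    _, pending = acct.login(OWNER_IP, T0 + 24 * H)  # owner sees two queued actions
    for p in pending:
        acct.cancel(p)
    acct.login(OWNER_IP, T0 + 50 * H)               # past the deadline: nothing applied
    return acct


def owner_on_dynamic_ip() -> Account:
    """Legitimate new address: request, wait out the delay, then add a subnet."""
    acct = Account(savings=900, spending=100)
    acct.login(OWNER_IP, T0)
    acct.request_admin("203.0.113.77", T0)
    acct.login("203.0.113.77", T0 + 49 * H)         # due: the /32 is now admin
    acct.add_admin_subnet("203.0.113.77", "203.0.113.0/24")
    return acct
```

The delay only helps if the owner actually logs in and reads the pending list inside the window, which is the inconvenience noted earlier in the thread; and an attacker who already holds the credentials can sit in the queue just as the owner can, so the scheme buys reaction time, not immunity.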

I don’t think this protocol works in the SAFE net. Self-authentication enables users to log in from any computer without the need or knowledge of third parties, and this is made possible by RUDP (or CRUX) and Routing. And for this login you can use any node of the SAFE net. Even with routers with symmetric NAT, you need a proxy node, which changes each time, to establish the connection.
So I don’t see how this IP blocking can work.

1 Like

Huh? The node that the user connects to is aware of the IP of the user. The network can therefore check the IP against a list of IPs.

I am not saying this is how it is currently implemented, I am saying this should be possible.

Sigh…
Little by little, there goes our privacy.
A record of IP info for every MaidSafe user.
Haven’t we learnt anything?
:wink:

1 Like

How about requiring a passphrase on registration that forces a password reset? If the account is compromised, only the original registrant can force the reset, which locks out the hacker. This could be combined with the time delay and notifications to make it hard for an attacker to retain control of an account.