Important Security Advisory Update (June 2019)

Summary: We have observed a continuing increase in unauthorised attempts to access customer accounts. We would once again remind all customers and users to protect your BitMEX and personal accounts by using strong and unique passwords, enabling two-factor authentication (2FA) on all of your accounts, and using a password manager.

Security has always been something BitMEX values highly. That is why we were the first platform to adopt a manual multi-signature cold wallet configuration to protect customer funds. We continually review our security protocols and keep raising our standards, and we remain committed to improving the security of our platform and of our customers.

In 2016, following a large-scale botnet credential reuse attack, we published a blog post stressing the importance of using unique passwords on BitMEX. We also recommended enabling 2FA. 2FA, also known as "two-step verification" or "multi-factor authentication", adds a layer of protection to your account by requiring, in addition to a username and password at login, a unique, time-limited token. The token can be stored on a phone running a software authenticator such as Google Authenticator or Authy.

This message was as relevant then as it is now: to protect your account, you should always use strong and unique passwords together with a multi-factor authentication solution and a password manager.

Recently, we have seen a growing number of attempts to compromise or gain unauthorised access to customer accounts. Enabling 2FA on your account is the best and simplest way to protect yourself against these attacks.

In addition, the methods and techniques used by financially motivated criminals keep improving. One example: rather than executing a withdrawal request immediately, some attackers deliberately trade at a loss from the compromised account against another account they also control, draining the account's trading funds that way. We have proactively identified many such attacks and continue to eliminate this activity as soon as it is detected.

Another tactic that frequently appears in account takeovers is disabling BitMEX email login notifications after gaining unauthorised access. An attacker may also try to enable 2FA on a compromised customer account in order to create an API key with withdrawal permissions. A common thread in almost all of these cases is that the customer may not have seen the withdrawal notification or other email notifications about the account, such as login notifications.

While we review practices such as enforcing 2FA and other login access features, we have already made the following changes:

  1. Customers can no longer disable login notification emails. We will send login notification emails regardless of your existing notification preferences.
  2. Every withdrawal request issued through the API must be confirmed by email verification, unless the API key was created before 4:00 AM on 11 June 2019, Beijing time.

Although these changes increase the security of customer accounts, it is important to note that they are not the complete solution. We strongly recommend enabling 2FA.

Beyond the measures above, BitMEX also reviews every account takeover our customers experience, and we have found that compromised accounts share many common factors:

  1. Password reuse, or use of simple, easily guessed passwords on the BitMEX platform and on the customer's personal email account.
  2. A compromised personal email account, leading to the account being stolen through a password reset.
  3. Malware on the customer's computer, leading to password theft and a subsequent login to the bitmex.com platform.

A vigilant and disciplined approach to defence is key to combating these attacks. In all of the situations above, using 2FA greatly reduces the risk of account compromise. Recent research by Google also indicates that 100% of attacks can be blocked when a security key is used for 2FA.

While we consider making 2FA mandatory for our customers, we again stress the importance of adopting good security practices, summarised below.

Please note that these steps should be taken not only on your BitMEX account but on every personal account where you store confidential information:

  1. Enable 2FA
    1. We recommend choosing one of the available options, such as Google Authenticator or Authy.
  2. Use strong, unique passwords and a password manager such as LastPass
    1. A strong password has at least ten characters (the more characters, the stronger the password) and includes letters, numbers and symbols (@, #, $, %, etc.). Passwords are generally case-sensitive, so a strong password includes both uppercase and lowercase letters.
    2. Do not use the password of a social account such as Facebook, Spotify or Instagram for your BitMEX trading account or your bank account. Use a unique, different strong password for every account!
  3. Assess your existing risk
    1. Check via HIBP whether your password has already been leaked by a third party.
    2. Check your trading account regularly to make sure you know what the balance is and that it is correct.
    3. Regular reconciliation is also an effective way to ensure that every transaction on your account was authorised by you.
  4. Add support@bitmex.com to your contacts so that our emails do not end up in your spam folder
    1. Make sure you are not filtering official communications from bitmex.com. These include login and withdrawal notifications.
  5. BitMEX support will never ask you for your account password

BitMEX takes security extremely seriously. While we continue to improve our internal and external security capabilities, security is ultimately each person's own responsibility. If you hold digital funds in online accounts, it is essential that you take steps to secure your accounts as described above.

If you notice any unusual activity on your account, please contact our support team immediately through the contact page.


Reproduction is welcome; please credit the article to

BitMEX (www.bitmex.com)

Important Security Advisory Update, June 2019

Summary: We have observed an increased number of unauthorised attempts to access customer accounts. We would like to remind all customers and users to please protect your BitMEX and personal accounts by: using strong and unique passwords; enabling Two-Factor Authentication (2FA) for all your accounts; and using a password manager.

Security has always been the number one priority at BitMEX. This is why we were the first platform to adopt a manual multi-signature cold wallet setup to protect customer funds. We are consistently reviewing our security protocols and improving our standards. We remain committed to continual improvement of our platform security and the security of our customers.

In 2016, following a large botnet credential reuse attack, we published a blog post highlighting the importance of using unique passwords on BitMEX. In addition, we recommended enabling 2FA. 2FA, sometimes referred to as ‘two-step verification’ or ‘multi-factor authentication’, adds an additional layer of security to your account by requiring not only your username and password at login, but also the input of a unique, time-based token. Tokens can be stored on a cell phone within a software-based authenticator app such as Google Authenticator or Authy.

This message was as true and relevant then as it is now: to protect your account, you should always use strong unique passwords, in combination with a multi-factor authentication solution and password manager.

More recently, we have witnessed an increased number of attempts to compromise or obtain unauthorised access to customer accounts. Enabling 2FA on your account is the best and easiest way to protect yourself from these attacks.

Furthermore, we have observed a continued increase in the sophistication and tactics utilised by financially motivated criminals. One example of this: rather than the attacker immediately executing a withdrawal request, we have observed attackers trading funds out of accounts by deliberately making losses against another account which they also control. We have proactively identified a number of these attacks, and continue to eliminate this activity as it is detected.

Another recurring tactic observed in account takeovers is the disabling of BitMEX email login notifications following unauthorised account access. An attacker may also attempt to enable 2FA on a compromised customer account in order to create an API key with withdrawal permissions. A common thread in almost all cases is that customers may not have seen a withdrawal notification or other account related email notification; for example, a login notification.
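The sequence described above (login from an unfamiliar address, then notifications disabled, 2FA enrolled and a withdrawal-capable API key created) is a pattern a platform can alert on. The following is an added example of such a detection rule, not BitMEX's own tooling; the log format, event names, account ids and IP addresses are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed account-activity log (not real BitMEX data). Each line is a UTC timestamp
# followed by key=value fields; the event names, acct ids and ips are invented.
SAMPLE_LOG = """\
2019-06-09T08:00:00Z acct=1001 event=login ip=198.51.100.4
2019-06-09T08:30:00Z acct=2002 event=login ip=192.0.2.10
2019-06-10T10:00:00Z acct=1001 event=login ip=198.51.100.4
2019-06-10T10:01:15Z acct=1001 event=apikey_create perms=read
2019-06-10T10:02:00Z acct=1001 event=twofa_enable
2019-06-10T19:00:00Z acct=2002 event=login ip=203.0.113.7
2019-06-10T19:02:30Z acct=2002 event=notify_disable channel=login_email
2019-06-10T19:04:05Z acct=2002 event=twofa_enable
2019-06-10T19:05:40Z acct=2002 event=apikey_create perms=withdraw
2019-06-10T19:06:10Z acct=2002 event=withdrawal amount=1.5
"""

# Account changes that suppress the owner's visibility or enable cashing out.
SENSITIVE_EVENTS = {"notify_disable", "twofa_enable", "apikey_create"}


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_takeover_pattern(log_text: str, window_minutes: int = 30) -> list:
    """Return (acct, event, minutes_after_login) for sensitive changes made within
    window_minutes of a login from an IP the account had never used before."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    known_ips = {}          # acct -> set of IPs seen at earlier logins
    last_new_ip_login = {}  # acct -> timestamp of the latest login from an unseen IP
    alerts = []
    for e in events:
        acct = e["acct"]
        if e["event"] == "login":
            seen = known_ips.setdefault(acct, set())
            if e["ip"] not in seen:
                last_new_ip_login[acct] = e["ts"]
                seen.add(e["ip"])
            continue
        if e["event"] not in SENSITIVE_EVENTS:
            continue
        if e["event"] == "apikey_create" and e.get("perms") != "withdraw":
            continue  # read-only keys cannot move funds, so they do not match the pattern
        started = last_new_ip_login.get(acct)
        if started is None or e["ts"] - started > timedelta(minutes=window_minutes):
            continue
        minutes = int((e["ts"] - started).total_seconds() // 60)
        alerts.append((acct, e["event"], minutes))
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover_pattern(SAMPLE_LOG):
        print(alert)
```

In the constructed log, account 1001 enables 2FA and creates a read-only key from an address it has used before, so nothing fires; account 2002 makes all three sensitive changes within six minutes of a login from a new address, which is exactly the takeover sequence the advisory describes. A production rule would seed the known-IP baseline from history so that a first-ever login in the analysed window is not treated as new.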

While we review practices such as enforcing 2FA and other login access features, we have made the following changes:

  1. Customers can no longer disable login notification emails. The login notification emails will now be sent regardless of existing notification preferences.
  2. Withdrawal requests issued via the API must always complete an email verification step to confirm a withdrawal, unless the API key used was created before 8:00PM June 10, 2019 (UTC).

These changes are a step toward increasing account security for our customers, however it is important to realise that this is not the full solution. Enabling 2FA remains our strongest recommendation.

In addition to the above, BitMEX has reviewed each and every account takeover experienced by our customers and we have identified several common factors among compromised accounts:

  1. Password reuse, or use of trivially guessed passwords on the BitMEX platform and on customer personal email accounts.
  2. Compromised personal email accounts leading to account theft via password recovery flows.
  3. Malware on customer computers leading to secure password theft and subsequent login to the bitmex.com platform.

In order to combat these attacks, adopting a vigilant, disciplined approach to security is key. In all of the above scenarios, utilising 2FA greatly decreases the risk of account compromise. This is further highlighted by recent research by Google that has shown that 100% of attacks can be blocked if a security key has been used for 2FA.

While we consider mandatory enforcement of 2FA across our customer base, we will again stress the importance of adopting good security practices as outlined below.

Note that these steps should be taken not only on your BitMEX account but on personal accounts where you store any confidential information:

  1. Enable 2FA
      1. We recommend utilising one of the many available options, such as Google Authenticator or Authy.
  2. Use a strong unique password and utilise a Password Manager such as LastPass
      1. A strong password consists of at least ten characters (and the more characters, the stronger the password) that are a combination of letters, numbers and symbols (@, #, $, %, etc.). Passwords are typically case-sensitive, so a strong password contains letters in both uppercase and lowercase.
      2. Do NOT use the same passwords for your social media accounts such as Facebook, Spotify or Instagram accounts as you would for your BitMEX trading accounts or bank accounts. Use strong, unique and different passwords for each and every account!
  3. Assess your existing risk
      1. Check to see if your password has been leaked in a third-party breach via services like HIBP.
      2. Check your trading accounts on a regular basis to ensure that you know what the balances are or should be.
      3. Regularly reconciling your accounts is a useful way to ensure that every transaction in them was made with your authorisation.
  4. Add support@bitmex.com to your contacts list and ensure our emails are not landing in your SPAM folder
      1. Ensure that you are not filtering official communications from bitmex.com. These communications include login and withdrawal notifications.
  5. BitMEX support will NEVER ask for your account password
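Items 2 and 3 above can be checked mechanically. The following added example (not BitMEX's code, and not a client published by HIBP) applies the password rule stated in item 2 and then performs the k-anonymity lookup that the HIBP Pwned Passwords range API uses: only the first five hex characters of the password's SHA-1 are sent, and the client matches the remaining 35 characters against the returned "SUFFIX:COUNT" lines locally. The range response here is a constructed stand-in with invented counts so the example runs offline; `fake_fetch_range` is a hypothetical helper standing in for the HTTP request.

```python
import hashlib

# The real Pwned Passwords range endpoint (k-anonymity: only a 5-character SHA-1 prefix
# leaves the client). The example does not call it; fake_fetch_range stands in for it.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API's response to the prefix of SHA-1("password").
# The counts and the other two suffixes are invented; real responses list every
# breached suffix for the prefix as "SUFFIX:COUNT" lines.
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F6C2A4A5E0B3FA3AA3E9B0FBE9CB0D1A3F:1",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Hypothetical offline substitute for GET HIBP_RANGE_URL + prefix."""
    return FAKE_RANGES.get(prefix, "")


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range=fake_fetch_range) -> int:
    """Number of times the password appears in known breaches (0 if absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def meets_policy(password: str) -> bool:
    """The advisory's rule: at least ten characters mixing upper- and lowercase letters,
    digits and symbols."""
    return (len(password) >= 10
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def assess(password: str, fetch_range=fake_fetch_range) -> list:
    """Return the list of reasons a password should not be used (empty if none found)."""
    problems = []
    if not meets_policy(password):
        problems.append("does not meet the length/character-class rule")
    count = pwned_count(password, fetch_range)
    if count:
        problems.append(f"seen {count} times in known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3xtra!"):
        print(candidate, "->", assess(candidate) or "no problems found")
```

The two checks are complementary: a password can satisfy the character-class rule and still be in a breach list, which is why the advisory asks for both a strong password and a breach check. Only the hash prefix ever leaves the machine, so the lookup does not reveal the password, or even its full hash, to the service.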

At BitMEX, we take security very seriously. Whilst we continue to evolve our security capabilities both externally and internally, security is ultimately everyone’s responsibility. If you hold digital funds in online accounts, it is critical that you take the steps above to keep those accounts secure.

If you observe any unusual activity on your account, please contact our Support team immediately via our contact page.