|
Title: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: Maciek on March 07, 2013, 10:42:13 PM http://www.wired.com/wiredenterprise/2013/03/digital-thieves-pull-off-12000-bitcoin-heist/
Quote A Bitcoin transaction services company says that hackers broke into one of its brokerage accounts last week, nabbing more than $12,000 worth of the digital currency. That attack knocked Bitinstant offline over the weekend. The company says that while it lost Bitcoins, no customers were affected by the hack. The criminals were able to take control of Bitinstant’s internet domains by convincing its domain registrar, Site5, to hand over control of the company’s Domain Name Service, or DNS. “Armed with knowledge of my place of birth and mother’s maiden name alone (both facts easy to locate on the public record) they convinced Site5 staff to add their email address to the account and make it the primary login,” the company said Monday in a blog post detailing the incident. With control of the DNS, the bad guys also had control over Bitinstant’s email. They then did an online password reset at a Bitcoin exchange called VirWox and started emptying Bitinstant’s account. The total haul: $12,480. The attack worked on the VirWox exchange because Bitinstant’s account didn’t have two-factor authentication. Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: zoinky on March 07, 2013, 10:56:44 PM Wired just doesn't like us. They on the look out for that bad press (they probably trying to stock up.)
Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: Puppet on March 07, 2013, 11:01:16 PM unbelievable in this day and age. I was going to argue against bitinstant, but by the looks of it, its virwex that doesnt even offer 2FA? And apparently the password reset procedure doesnt require a security question or anything else, withdrawls arent fixed to a specific address (or with time delay)...
Sheesh. Is there really nobody who can do exchanges right? Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: marcus_of_augustus on March 07, 2013, 11:07:50 PM Bitinstant (and any others) need to look at Namecoin to secure their DNS ... or stuff like this will keep happening.
If you are going to trust the blockchain with your commercial success you will need to secure other entry points to your business with similar level security, imho. Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: Maciek on March 07, 2013, 11:10:49 PM I guess 2-factor by email @ gmail.com may be still the smartest idea :D
Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: Lethn on March 08, 2013, 05:07:22 AM Wasn't the amount hacked before with places like MTGOX a lot higher? If so it seems that the security must be improving if they only managed to get such a small amount.
Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: Stephen Gornick on March 08, 2013, 10:02:32 AM Wasn't the amount hacked before with places like MTGOX a lot higher? If so it seems that the security must be improving if they only managed to get such a small amount. The attacker stole funds from BitInstant's account at VirWoX exchange. VirWoX offers two-factor authentication (2FA) protection which BitInstant hadn't implemented (perhaps because VirWoX didn't offer 2FA at the time BitInstant first establish their account with VirWoX).. Had BitInstant been using 2FA, the attacker would have gotten nada, zip, zilch ... just like was obtained from the other BitInstant's other exchange accounts the attacker tried to get at. Now that doesn't mean with 2FA you are completely immune from risk, but the complexity of the attack just got exponentially more difficult -- the device where the 2FA (e.g., Google Authenticator) is used must be compromised as well. Bitcoin users who store funds (either fiat like USD or bitcoins) should also be using two-factor authentication if they use an EWallet service. Here's a list of EWallet providers who offer two-factor authentication: - http://bitcoin.stackexchange.com/questions/4113 [Edit: Apparently the domain registrar, Site5, doesn't appreciate the need for two-factor authentication: Site5, and their insecure practices and questionable business ethics - http://joepie91.wordpress.com/2013/03/08/site5-and-their-insecure-practices-and-questionable-business-ethics ] Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: lophie on March 08, 2013, 11:13:17 AM OMG someone just mugged me and took my dollars because I was walking in a dark alley in a bad neighbourhood at 3AM, naked and screaming... I got money, I got money!
It must be a problem with the This dollar currency.... lets dump the dollar........ Epic logic! :D Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: Monster Tent on March 08, 2013, 11:14:54 AM How come it doesnt make world news when someone robs a local bank for $12 000 ?
Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: codro on March 08, 2013, 11:17:57 AM unbelievable in this day and age. I was going to argue against bitinstant, but by the looks of it, its virwex that doesnt even offer 2FA? And apparently the password reset procedure doesnt require a security question or anything else, withdrawls arent fixed to a specific address (or with time delay)... Sheesh. Is there really nobody who can do exchanges right? "Reached Thursday, a VirWox representative said that the exchange has had multi-factor authentication since September 2012. “Bitinstant was not using it (they learned and do now),” the representative said in an email message." Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: Oldsport on March 08, 2013, 11:19:16 AM How come it doesnt make world news when someone robs a local bank for $12 000 ? Much worse happens more frequently. In the cyber currency world we have Bitcoin and the few that process it. With USD we have banks, card fraud, gas station robberies, druglords etc etc... With USD this is the norm, with BTC it's some new big spectacle. Title: Re: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist Post by: Monster Tent on March 08, 2013, 11:29:48 AM How come it doesnt make world news when someone robs a local bank for $12 000 ? Much worse happens more frequently. In the cyber currency world we have Bitcoin and the few that process it. With USD we have banks, card fraud, gas station robberies, druglords etc etc... With USD this is the norm, with BTC it's some new big spectacle. The majority of bank theft goes unreported by banks. They cover it up usually. |