Bitcoin Forum

I got "You are authorizing with unknown device. Check your email for further instructions."
When I tried to log into it.

You need access to that email address to gain access to the account.

Well done! ;)

This will be fun to watch :)

Wow this is so cool and even not straight forward. So, since there is need for confirmation to log-in then I need to not hack the website but to hack the mail. Its that simple. The hackers its up to you to make that happen. For me, I will keep watch on the thread to see who will claim the prize...

That is good security planning but suppose a person leak the password of our email address then I think it will not be hard for him to login to our account because he will get the code sent to our email while login to bitdice account.

This is not something new, but many other sites have implemented but not in gambling sites. It is always important for users not to use same passwords for gambling sites or any other sites and email accounts because many people usually do it for easy to remember.

@dogdice..
First of all, great feature to add to a website. I have tried this and it's not easy to implement.. but what if the hacker has access to our e-mail too..? He can easily crack it o you have some more security in further steps like mobile otp authentication..?

That's a very nice features, most site often say it and lack when it comes to doing it. This security features is class and thumps up to the site for implementing it. This will help users use the site freely and without any hassles or fear of security being compromised. So will try the site and check the features. Good luck to the site.

Great job. Love to hear that your security is better than Bitfinex. Anyway, if we can able to hack that account, we can get 1BTC for free right ? I'll try to hack it LOL. And if i can not, i think I will deposit some money in order to try some games here :D

okay that's enough looks safe and well so that all people at least do not have to worry about their security, it is quite impressive pretty good security of your site, cheers  8)
 

You are authorizing with unknown device. Check your email for further instructions.

There is something extra security feature implemented on this account, it's fun to keep it on trying to get this amount but it not looking very easy to get access there, while we have login information too, that is good feature to ask for authorization when login attempt made from unknown device.

Tbh as a gambler i was impressed with your feature. Havent seen yet a site that offer such feature. A site saying they are safer than bitfinex. Seems real. Maybe gonna visit and play on your site soon.

yes that's why they were challenging everybody to hack them to ensure that their sites was very safe and i think the purpose behind all of this is all players accounts at BitDice is secure and nothing to worry because they use high-level security

Well for that matter players can trust that they are on safe site and it surely can make their betting life for less worries since bitdice itself shows how tight their security are, and that test mode can really impress gamblers to try this site in the future and im kinda looking for it now since im so choosy for playing at big and safe sites.

i am sure not many website have to apply this to secure their member account and i am glad that you are concern with your member in your site and this is what should the owner of the site to make their member feel safe while they playing gambling in that site.

Lol, of course you'll get that 1 btc for free, but really, It's very hard, the chance you could hack that account just only 0.00000...% (or maybe less than that). When you signed up, you need to authourization/confirm from contact@bitdice.me (of course you need to hack this email first)

Nice event and tried got same authorization error message like everyone else. Also I am not good at hacking/cracking so will wait and see does anybody else will find a way to get entry and take away that 1 bitcoin (If withdraw is instant  ;D).

If anybody got succeed to hack this email than it mean he could be eligible to hack the whole server, but it looking like with percentage 0.000000... so you are right there, I don't think it's easy to hack this one with ordinary knowledge about server security.

If anyone knows the email id and password for email id then only it is possible to withdraw the amount otherwise it is not possible to access the account. It is good feature only problem is if player change pc then need to go through with the verification process each time.

This is nice in bitdice to come up such event, to implement
this event in gambling site. The players will feel safe about
this, being secured is the key so many bitcoin users will
play in bitdice.

Welp!This grind my gears indeed!
I hope you would not have any rules on the kinds of hacks allowed.If somehow we manage to ssh into your servers and install payloads or retrieve databases,make sure that is still eligible for the bounty.

Usually the people that suffer from these hacks they either use the same password for everything OR they have some walmare on their computer installed and every site they use gets key logged. This isn't really called hacking, because we can't hack into your site and can't hack into the web server.

Wow nice bounty offer you got there but I wish I was a skilled programmer and I have read that NLNico is the one who help Baryom for his bitsler website for this security measures and Baryom vouch him for good work, maybe he can help you for this thing. As quoted below,

I think 1 btc is a nice offer. so whoever wants to get that 1 btc, they have to hack the whole site to get access to authorization email? it's worth posting on hackforums, if you want someone serious to try!

Will be funny if it does get hacked lol :D

Yeah, but if someone does manage to get in. They'll be able to increase the security and fix the issue to prevent future attacks :)

Umm kind of impossible I would say.They have whitelisted the Ip from which the login is done and it's saved in the database so if they discover a new login attempt not from the same IP,they will simply ask for 2fa which needs authy or google auth,nearly impossible to get the code.BUT if you can find out the whitelisted Ip's for that account and spoof yours accordingly,you might get through.

With that mindset, I admire you guys at BitDice. I know you can manage what's coming for your site. I hope everything goes well.

Improvement is the best way to happiness.

lol nice event. A good way to advertise your website, I am sure it is secure after this event. I think no one will be able to receive access to the account and get the 1 BTC lol. Good luck to those that do try and attempt to get it though.

I love how bitdice take this things seriously with security and 1 btc is definitely a good reward for those that could get inside it. This kind of approach is probably one of the first kind that i have seen around here

Actually i could able to see some websites do this contest regarding on hacking their site or system but its a first time thing for me such gambling site launch this particular event on which this is a really good thing for this site because they are showing to people that they cant be hacked  so easily which means people will really se and got interested to play on this site.

This ia truly rare and this is the best test for a site to introduce to the peoples here and surely it gather more attention and test by so they well know the system of bitdice work, and surely people can assured that they are safe and no bad guys can touch there balance while they are in bitdice, but one question i would to ask how does the real owner will withdraw their earnings or capital in their balances? Does it need more verification?

Reminds me of that time when some SAFE company put like $10,000 of cash in one of their safes, and if you could break-in under a certain length of time and steal the money, it was legally yours. And nobody was successful and promoted the product very well.

Those test get more success since people see's that site is surely safe and i surely says that people mostly goes in safer place since we are talking about money here and don't want to get compromised if some certain bad events happen, and this hack me test can get more eyes to watch wit and it is also a good advertising strategy for the owners since they are silently promoting the safetyness of their site.

this feature is very excellent but when i am away from the dice (not active chat and bet) suddenly dice going offline and need relogin again and asking the code via email again -_-" i dont do anything but why need relogin and when disconnect that also same happened .okay i understand this is good for user because making safe our balance/account but sometimes its annoying when i must relogin many times when i am away not focus on bitdice. maybe you can explained to me about this so i can know more about your new feature, thanks :)

Actually this question is not right asked on here, you should ask this on Bitdice official thread.
Alex has answered about these new feature and he already added a new setting, we can enable about that confirmation from our email

This be fun you are great security when it comes in hijacking accounts but not only 2fa password, How about in some vurnerable issues find in your website like bugs? This is really hard for those who want to try if someone log in your account they need to request from the device / smart phones by sending email notifcation.

wooaah sorry i dont know hehe, thanks for the information, you really help me :) once again thank you

So did anyone successful hack into the account? 1 Btc is alot to get and to spend all day and your holidays doing this would be well worth the reward if you able to do it. :D

We have no pw of your email, therefore we can't withdraw it, right? Maybe best hacker will bypass email auth. 

thats why alex asked for it, if you can hack you get 1btc

I predict that no one will be able to hack this site and get the 1 BTC for themselves. Many companies actually do this and sometimes the hackers are successful so, One can never know for sure, but I think this security system is solid for now.

yeah seems so, i think this is first dice site use email authenticator to login to bitdice account

Not the first, there is rollin which implemented this kind of security feature recently, around 2months ago if i remember correctly.

@bitdice, is there an option to unable that security check?

All casinos need to add smth like this..
Although good job for implementing this feature at first.Even I would use this instead of other sites cuz of security..

Eventhough they implant tough security , there will be another hole one day that can be hack (usually it's just a matter of time
For example Hufflepuff case

I think not always the site is safe and protected and i think sometimes there is some systems faults that can get some bugs in website..
That is why other people are asking to hack their site so that they can know some bugs and fix it too early before someone greedy can know that thing and get almost all balance of the site..

This could be the reason why they are offering bounty to hack this email to get access to their site and take withdraw, that is very attractive for some people to give try and they can test out their security measure for this new version, you are right there that is wonderful to let know what flaw they have right now.

Hufflepuff  had access to servers or say he had an idea about the loopholes.As they say,there are no known solutions,only precautions.The concept is quite simple here though,if you get your IP to spoof as the IP of the given login,you wouldn't be asked for any 2fa crap.

Yeah, an option was added recently that allows you to turn off that security check if you wish. I think it also isn't in effect if you use 2FA.

The feature is on by default, so you have to choose to make your account less secure in that case.

Not even going to bother. :D
With 2FA enabled it is next to impossible to crack into someone's account. ;)

The security feature which you are telling is used by so many exchanges and sites, even coinbase is also very strong exchange due to they also implemented the email authorization and sms authorization if you are using any other IP address which is not authorized.

So if you add one more security feature of sms authorization then your site will become more secure as if anyone hacks email account then they can access the site but hacker cannot hack the mobile number

Thanks :P I actually tried some basic things right after seeing this thread, but I am afraid I am unable to bypass this device/IP-check :(



SMS is actually really insecure way: http://blog.kraken.com/post/153209105847/security-advisory-mobile-phones non-SMS 2FA is much better.

Glad you didn't find any way to bypass it :P Means it's quite secure...

I also read that kraken blog a while ago and it immediately made me switch from Authy. Some good points made there...

That is one of the great way to secured every account or members who joined and i think there is no other way to hack the site unless if there is a bug happen.. not always the site is protected and i think there is always a bug happen for every site.

If there is a new ways to inject some script in the site that can destroy the website that can get bugs by some members.. but for now the security was updated and i think if they are doing this to post just to hack the website they are still not protected and they are still looking for other bugs that they can fix as soon as possible.. just like from other site that i heard like yobit before that someone found a bug but he gain almost 0.1 as reward by yobit..

Oh nice feature but if someone really wanted to get into someones account and got a hold of their account my guess is their computer was infected.
So they could just login remotely through the users profile and cash out, in most cases if you got their password they got keylogged which means they likely got that email pass.

Well this is that easy to get that 1 Bitcoin,
The only thing that you can claim this 1 bitcoin is to login or to know also the password of email that use in that account.
 This is waste of time instead.

I think the most common way to obtain someone's password is by a database leak and by using the same password on multiple sites. So: 1) hack some (more insecure) bitcoin site 2) get usernames/passwords 3) try on all gambling sites.

Another example: I could create a faucet site, "get some free bits by just signing up". Meanwhile I am obtaining all usernames/passwords from those users and try them on gambling sites (and exchanges etc.)

Also phishing sites are pretty common, but so far mostly for blockchain.info and bitcoin exchanges (haven't seen many for gambling sites yet.)

I think those situations are more common than some targeted keylogger. For those situations, this protection by BitDice works pretty well. Still if they use the same password for their email... obvious they can still be hacked :P

so what exactly do we have to do to get 1 btc?
login into hack_me account? disrupt the site's operation? manipulate a bet's outcome?
its rather vague to be honest

You only need to login with that account then you can withdraw the available balance on the account (1btc). Sounds simple, right? But the hard thing to do is to login because you need confirmation email to login.
Whoever able to acces the email of the account then he will get the 1btc easily.

It sounds really simple since admin do give already the log-in details but the authorization will really bet you down your make you itch on your head since you don't have the password on the particular email which means you would really need to bruteforce it but it would be a 1 in a million chance or 0% at all. We all know that emails is very hard to hack.

While I liked this but the problem is that when you provide a particular account you have better safety for it, no ?

I mean if my account is hacked then the hacker might also get the IP address and hence the system won't ask for a email confirmation while since you provided details directly we don't know the country and hence system asks email obviously.

This iz just a joke really i can give my password @polo and let them get 2fa to get in it doesnt work like that hackers are much smarter 90% of all hacks is user related not site

I can't see the simplicity of that hack test program but as i've see its near to impossible to get that bounty since surely the admin put some tighten security to that accounts aswell as in his site so he can make sure and assure that theyre storing system is truly safe, this test would be a great example for that, and brute force cannot truly guarantee that we can hack the gmail used by the said account since passwords given by it is not truly accurate.

It is actually very nice idea of showing people that your security is more robust than competition. So if someone successfully get access to that hack_me account he can withdraw the money freely?
Because I have a feeling that he will be be greeted by "withdrawal denied" message. Also if you are a regular user you are not forced to confirm your log in attempts with an email every time?

We can not say that their site is high protected for hackers everything is possible they are monitoring it like recording cookies and use collected cookies to use for login.. so it is still not safe i just heard this thing about hackers in deepweb which is they are deeply study about penetrating and hacking.. and i am sure they can invented a new ways or software that can hack every website or this website..  because program is made only for human so it can be still possible to hack..

I can pretty much guarantee it can be withdrawn without problems if people get in the account. It probably won't be an easy task though xD

If you'll have the complete access to email account, then you would be able to withdraw 1 btc freely as advertised. you might even get rewarded more, if you explain in detail how were you able to bypass/hack.

I checked and found that you have a very good system for the security of accounts of the members but I have a question that will it have any effect on those members who have dynamic IP addresses? is that system affected by IPs or only on the device used for?

If you have a dynamic Ip like mine, you will get asked everytime to do that. It's a sort of 2fa via mail.

It's probably best to activate 2FA. Going through email every time will surely become a pain. Also time-based 2FA is the safer option...

Well if they can hack that well let them do that way but as far as i see there's no people yet breached to that account and pretty sure that they will take a hard time to snatch that bounty ahead, maybe we cannot say that they are unhackable but for the fact that devs are tighten up their securities will surely bitdice will surely gives best protection to their gamblers, and so far i doesn't read any bad issue against them so my reviews still positive as it is.

No one could really able to bypass it as long they dont have the access on the email since  authorization is really required. Bypassing it would be very very hard but i agree on some members said that theres still possibility to access it but i cant think of a thing on how they gonna do it.

This is true we can just give our password and try them to withdrew it hahaha if you set your 2fa password then you're good of hijacker if they going to dare hackers to hack there system much better rolf. BUt the bounty is really good but no one can really withdraw it.

wow new security feature you got there mate. Cool to see new security features. Users will be happy to see how secure accounts they got. :)

Comparing to the last version of the site and most other dice sites the difference is significant.

Take PD for example, they don't even have 2FA on withdrawal. That's one feature I'd prefer on every site.

Some sites might be easier to register on given they don't require email on registration but atleast by requiring email confirmation nobody can hack you easily even if you don't add 2FA right away.

I have also tried this and it says (You are authorizing with unknown device. Check your email for further instructions), i was sure that i will get this type of reply because no one can use such type of email for personal use and site will not show their account to users privately.

So did anyone manage to get the 1 BTC yet? I guess the person need to hack into the email too to authorize the device, just a matter of time till some expert hacker manage to get that  :)

or hack into BitDice and disable the email authorization?

well tbh if we can make research on a user's username it might be easier, but we have nth to research except login name XD

as long as someone pc is not infected with rat or any keylog software, bruteforcing a password can only break the first layer omy

Does anyone got the 1 btc bounty?

I think not yet. If someone already got that 1 btc, dogedice.me (alex) will update this thread ASAP. Like i said this is nearly impossible to do, Bitdice v4 has implemented white IP list, also you need to confirm from an email which you put when you're signed up.
Are you gonna trying to hack this site now?
Do it! Goodluck  ;D ;D

Some people tend to use the same password for every site so once you know the password of the site as well as email linked to the account, all you need to do is to use the same password for the email . No matter how advance a security of a site is, human's stupidity is still gonna kill it

Very nice pretty method admins chose to promote their website especially when this one deals with gambling. As always security belongs to first things a user must confirm before play assuming that he follows some basic steps of security too.

Only dumb owners would definitely use same passwords that are linked to their other site and i dont think that bitdice owner isnt aware on that and they surely used up very hard to crack password since they already know the possibilities of being careless on using common methods of setting password. Strengthen security is one of the main important thing should be prioritize.

That's true, but I don't think they, I mean BitDice, use same password for the e-mail account so it will be quite a challenge to hack that account. And as for the other users which accounts you might try to hack, they don't usually provide you with their password. So if you ask me, I have no idea how to hack that account and I will be checking this thread with interest to find out if someone has managed to do it.

You know what, most "dumb owners" = "majority of internet users". Most people I know who are non-geek and non-bitcoin they all use the exact same 5-6 letter password for every single website/service they use.

Generally most people don't care if their Twitter or facebook get hacked, no big loss for them. Same with banks and Paypal. Those are protected by the government.

So you need to understand that unless you were hacked before, you have a different mindset when it comes to computer security.

I cannot call them dumb but instead i think they are bit nw for this kind of matter and mostly newbie people are using the same words to their  pass and use it to another site to lessen the hassle upon signing up on different sites where they on, and i think theres nothing wrong with that since online people doesnt know wich site are we on, not unless they hack our gmail and check every sites whos been listed in the inbox.

I agree with this most people will use the same password on all websites that they are in to lessen the hassle or the risk of forgetting their passwords because of using multiple websites with different usernames/emails and passwords but we should really give importance on our accounts specially that contains our personal informations and stuffs,as a responsible  user we do keep in secured places.Regarding on bitdice security i could say that its impossible to get that 1btc since bypassing email is hard specially on authorization.

Its truly impossible if the admin of bitdice gives extraordinary security in that 1btc bounty and people will surely not get that not unless the admin will pull out that thing and choose to give it away to the community, and as far as i know many skilled people can bypass the emails of their victims and i see sone scenarios that it really happens,

This bounty can test those people who used to hack and bypass somethings online.

Hey guys,

Whole thing was to prove default settings. As I've mentioned it in the first post, I did not set any additional security settings. This is security by default, which each user gets after registration. You can lower it, if you feel comfortable, or increase. It's up to you. But by default you should be as safe as your email provider.

Regarding security problems with email, your account still can be safe even if your email has been compromised. Just set 2FA. You can also set IP address lock, or withdrawal address lock. We provide as many options as you can possibly use.

Regards,
Alex

I guess that's why he is giving out a bounty of 1 Bitcoin. So that hackers would try to hack the website to the best of their abilities. It may be impossible in your view but it might be plausible in another persons view. Especially if that person is a really good hacker. But I think if someone is a really good hacker he would just hack the damned banks. Just a thought.

This is one of the secured gambling site ever in bitcoin community I guess, this feature have blockchain.info also because the feature that make this secured is the authorization email sent to that address.

This is so fun, I will be watching this if someone can do something in that account :D

I doubt anyone will tell you they have hacked you for a small btc. But, good luck with your hack me. I hope it works out for you.

The admin/owner speak already that he didn't put any second security features on which you could able to access the email right away once you know the password. There are people could possibly get the bounty if they are good enough to get the bitcoin not only that im sure that admin will give bonus on finding the flaw regarding on its security.

if we don't know about how to cracking password, then i think its useless and its just to waste our time to trying this, but if we understand about this, then maybe its worth for us to trying because for cracking password, its surely need time not just 2-3 days but more. and if we succeeded then the prize is waiting for us.

Let the individual hack the email successfully first then post it here after that we will know if the bounty will be provided by OP which they know its the best thing to do or else that is the beginning of casting doubt on what they claim to represent. So, instead of knowing what will happen to the bounty, I suggest you just get to work and hack the dam email  ;)...

Here's 1 reason why this entire hackme thing is flawed.

The only way you could get "hacked" on that account is if the hacker used social engineering on your.
So, the main flaw here is: You know that this account belongs to -you- and not some other user.

Getting hacked isn't hard, but in terms of hacking, you're using 2FA, nothing new/unique to the world of the internet.

I don't mean to offend you. I'm a coder and I highly encourage everyone use 2FA everywhere.

There is no way to hack it unless you can login to the email which is impossible. So Im actually confident to say that this is unhackable unless you can login to the email . Nothing is really hack-proof even with 2FA as someone could monitor whatever you do , the best security is multiple layer of security

I just tried to login to the account so i could play with those 1 bitcoin even if i can't withdraw  ;D
But Holy crap. I can't even login. Got this warning


This is really some high level of security but i don't think 1 btc is enough to attract hackers to hack into such level of security

Not really... This is secure as long as your 2FA and email is secure, which I believe is the case with nearly every site that offers this protection. Considering not even NLNico, someone who has gotten more than 1 BTC at a time for a single bug and has been given a bounty for many other sites, can hack into it, I believe the system doesn't have many flaws

I said it is high level because the email which is used is under control of Bitdice and i am preety sure they must have kept in the most saftest way
So, even if someone tries to hack through the email then he might be wasting his time
He should try to look for vulnerabilities in the site to bypass that warning. And AFAIK dogedice said there is no 2FA set on the account
The account have a default level of security which every newly registered account gets automatically

If there is no 2fa to the account I think hacker just need to get comfirmation from this email to get his through. With the email confirmation then this 1 btc will sure be easily to hack though. Dodedice give everything right away right? Username and password, so the main problem here is just some email that hacker need to have to make sure they can login to this btc free account

Most likely scenario: there isn't any problem whatsoever.

This is just a PR thing to introduce their security implementations - that's all. I'm willing to bet that on the account, there isn't even 1 BTC anymore - likely given to the account solely for this post and then released - however it is an interesting way of marketing the site. What would be more interesting to see is perhaps authorization on withdrawals - allowing players to enter the account yet preventing them from withdrawing the 1 BTC funds.

Pretty sure that the account will have 1 BTC until it is claimed or the promotion is discontinued. I saw the account tipped 1 BTC in chat as well. It is unlikely that someone will access the account but if they do, they should be able to claim the 1 BTC.

How much are you willing to bet?

For sure, this is one legit product promo offer. The thing is, it is basically impossible for the account to be hacked. Not many websites have this type of security, but to hack the account you have to find out the email and then log in to that email. Now imagine if the email used is a tor email, good luck getting through that security buddy, tor was designed  to be fool-proof

Someone... like an admin? ::)

Just because the account was tipped doesn't mean the funds are static in there - they may have just as easily been transferred to a "safer" place. Though, if anyone did have enough luck to break into the email, they would probably be using their resources somewhere else - somewhere more profitable.


But we'll never know the result of the bet. And there's always the possibility of foul play ;)


What are you talking about?

Lots of sites (that are deserving of security, not your online farmville crapsites) have email authentication on foreign IPs. Lots of sites have 2FA, and some sites/programs offer their own authenticator service - there's LastPass and Microsoft programs for example.

If they actually do that then it will only harm themselves with all the negativity. That is an impossible thig for them to do and 1 btc is only a small amount for a site like bitdice. They have been in the gambling industry for far too long just to risk their reputation with only 1 btc so you can be assure of this one

Yep, there isn't any incentive for them to harm their reputation in this manner. This promo is obviously to show the strengths / security of their login system so it is unlikely someone will get in, but if they do I'm sure the 1 BTC will still be there waiting.

Impossible? You mean... 2FA is only possible with logins but not withdrawals? Where have you been, mate? It's not risking their reputation -- in fact, it would further establish it. If BitDice were in the position to be able to allow players to log into an account where they could see the balance but not do anything with it, then that would surely show off their security - more than this current thread.

Of course, such a demonstration would require the implementation of a few things: restriction on betting, restriction on tipping, restriction on withdrawals
Betting restrictions could be time-based or toggled with 2FA along with tipping, and withdrawals can require an authentication (via Google Authenticator or SMS)

[though if really necessary the server could just simply ignore all withdrawal/tip/bet requests from that specific account, acting as if it were secure]

---

Again, not harming if they do it correctly. And it's not really a "promo" per se since it's to show off their new "security" which is just a simple email authentication (from foreign ips or otherwise).

But what would be the point of keeping the 1 BTC there? Nobody would know if they removed it.

Yeah, I suppose its not really a "promo" per se and is designed to show off the security features of the site. However, the 1 BTC reward acts as a bounty if someone did manage to get in the account. Nobody would know if they removed it unless someone managed to get into the account. While unlikely, it is possible someone manages to find a bug or something. There is really no reason for them to prematurely remove the 1 BTC either. I'm sure after a certain length of time has passed, they will publicly state they are removing it if no one was successful in accessing it.

Even if they did remove it, all you need to do is to show the screenshot of yourself manage to get into the account and they will still credit your account with 1 btc given that they havent end this event yet however pretty sure that they wont end it , just showcassing this actually give the site some credibility

Big possibilities that they would not end up this event since it can be appealing to massive public to show their great security, and i also feel interested the way community speaks about the bitdice itself and i would surely try to play at them after the christmas party :)


That 1 btc is a though challenge for the intruders.

Yes it only seems they have email authentication system like few sites and specially blockchain and yobit have right now. However that simple process can add great security feature to any platform.

But there is also no point to remove it from that account, by keeping that 1 btc in that account and giving username password combo they are trying to attract more users to play in their platform which i have never seen done by any other gambling platform before.

As far as I checked, the only weak point of this is the email account.
I can't tell you why exactly, but an user I know instead of using secure mails uses exploitable mails even if he feels safe.
So yeah, all you need here is some social engineering.

But if a hacker had hacked the email and he has the password to the account can't he just reset the withdrawal address and the IP address? Or by 2FA you mean other thing than email? I'm sorry if my question was a stupid one, I'm new to this thing.

They also have a 2FA option to use your phone as 2FA with Google Authenticator or similar. This is probably an even more secure method than email as they would have to have access to your phone in order to get the 2FA code.

2FA is more secure way that's why you need to be carefull.
When and if you enable it, you MUST store somewhere your 16-digit code/key.
If you don't and you loose your devise, you are in a black hole... ::)

It's a sad truth far too few people back their 2FA code up. Then what we see is them crying here on BCT that they've lost their 2FA and need help...

Yeah, I had an issue one time with an upgrade on Google Authenticator that wiped all 2FA codes from my device. What a nightmare that was. I since switched to Authy which allows you to backup your 2FA codes. I do recommend that you backup your codes or save your recovery key in case something happens as it can be a pain to regain access to sites.

Yes I had this issue also, especially if you are on an iPhone.  You can backup almost everything, including the app however it will not backup the 2fa recovery codes for you. It was a big pain however there is an even bigger security risk because as long as someone has access to your email, they can easily reset the 2fa. Hence why its never a good idea to store large amounts of money in any online sites or exchanges.

It's really not to good to store large amounts of BTC in exchangers but it's not so easy to wothdraw every time and leave there a specific amount.
For me 2 are the best options : 2FA and safe keeping of the key and/or frequently changing passwords.
Imho these are the best options atm...

Changing the password frequently in my opinion is pointless unless you use the same password for all your sites. Normally with a keylogger or some trojan, they will just use the current password anyways so it doesn't make sense to keep changing it.

2FA is good however, many exchanges let you simply reset it when you confirm your email. And when your computer is hacked normally the hacker has access to your mail also.

Well, you just spoke the truth man. :)
I still don't know though any other way to be more secure than these 2 for online purposes...

Wtf. So you have 2FA? That's your big gimmick as to why I should gamble with you? This is poor at best. A lot of people use the same passwords everywhere even h they know they shouldn't, so this isn't saying you have good security, it's just that you have 2FA. It's good, but if the email password is the same it's useless.

The security should be a given. At the very least there should be email authentication.


Are you stupid? Who would even know the difference? This is just to advertise their security. Keeping a bitcoin in the account is completely pointless. Though, even if they did keep the bitcoin in there they could just simply block all withdrawal/tip requests from the account.

---

And you're rewarding someone that exploits security flaws? ::)
The only real reason you might want to keep funds in there is in case there /are/ flaws - someone who exploited them would probably withdraw the bitcoins and then you can close and investigate the site.

... but why go through the trouble of "purchasing" insurance when in reality you can just remove the 'reward' and monitor the account activity (with IP connections)? And it's also more likely that if someone found a security vulnerability, they would go after whales instead of a measly 1 BTC.

---

Why would they bother crediting someone?

... and in the case of screenshots as proof, I'll leave it at this: Photoshop has existed for a very long time.

---

And people would find out the email how exactly? Keep in mind that both email authentication and 2FA are possibilities for security reinforcement on the site - email is just on by default. And hey, if the email password is the same... then that's the user's fault.

---

---

But not all people are using this 2fa as their protection though because they think that they are not going to play on particular site for long enough. So why should they get 2fa then? It will just annoying to see a lot of 2fa numbers on many sites. For me I prefer to put 2fa on some specific sites that I visit often

2fa is just another security layer and with some extra security it wont be hurting yourself. Everyone is actually responsible for their own security so if you are using the same password all over anything you sign up to then thats your responsibility not that even the site with the best security will be able to help you

2FA is really a great way to secure your account. Indeed it won't hurt get another layer of protection into your account and having more would be better. A hacker though, if he really wanted to hack a gambling site, they would not go for an individuals account. Why target small fish if you can catch all the fish in it, right? So I guess accounts would be out of the questions if a hackers does go for a casino. He would for sure target the whole bankroll.

The account was made by default security settings and it was set up to show the basic security. To show that even if you do not want to set up max security you can still feel secure.

If someone wants to increase their security they can do so by: Adding mobile 2FA and Whitelist their IP(Meaning the user can log into the account ONLY with the whitelisted IP.
These additional features make it much harder for anyone to try hack into an account.

Having 2fa will surely break the head and the hopes of a hacker when he tend to bruteforce a certain account and we all know that setting 2fa would increase the security of the account but in the account of admin have been exposed it dont have 2fa as he mentioned but i think it would be still hard.

Until now,im sure that no one still could able to get the 1 btc bounty inside of the account given.

I will answer you directly, as you continue to say that I've removed 1BTC from the account. Just a rhetoric question, do you always think people are lying to you?

User hack_me has 1 BTC on a balance, I did not remove it, nor I will remove it. There are no locks on withdrawal or tips, or rain. Only DEFAULT settings for each and every other users on our website. If by anyway, you will be able to get in, you will be able to withdraw it instantly. The reason it is there because I said so and actually credited him 1BTC. I do not care anymore about that 1 BTC as it has been spent on marketing. So unless you want to say I'm lying, I'm asking you to stop spreading misleading comments.

Regarding general security on BitDice. As Steven already replied, it's more a marketing event, we show users that they are safe EVEN when they do not care about it. And no, email isn't a single point of failure as users can set actual 2FA, IP Lock, and Address Lock. You can not remove nor sign in without turning off 2FA or IP lock even if you have access to the email.

Regards,
Alex

while reading the title of the thread I though it was really all about the hack or trick to get 1btc by playng in bitdice but when I opened this thread it was like an epic fail for me ;D but still it's really great that you proved to your players that your platform is highly secured, safe and invulnerable for the hackers . keep up the good work and more power to your site .

It was just to show off a simple feature and getting more Unique visitors and page views.
Nice.

I would continue to state that since there is no need to keep the 1 BTC in the account, that you may have removed it.


You may assume they are misleading and you can consider me as someone who is senselessly spreading FUD -- though by stating that no one would know the difference if you removed it or not simply attests to the fact that your security would likely be sufficient to hold off anybody outside of staff.


I understand this, acknowledge the fact that this is for marketing, and have previously stated this:


and it's fine! I'm glad that you have email authentication (for foreign IP's, I assume) enabled by default. That shows good service in the case where your consumers care about convenience but you are still willing to implement some security to protect them. (** and also allows you to defend more easily against "hacked account" claims)

---

All I was proposing was the fact that you would have been able to do this marketing for free. I'm not saying your site isn't reputable -- just that this is simply a PR thing and could have just as easily been on an account with a balance of 0. Do you agree?

i have seen a similar system in other sites too...

Usually I don't remember to store the backup key for the 2FA autheticator, phone got destroyed/lost multiple times and was NOT a plesant experience.  The biggest problem was trying to remember every single site I was actively using 2FA on... Definetly recommend actually keeping the backup codes.

honestly any good person who is involved in security wouldn't waste their time with this for indian tier money lol..
I know a bypass, but there is literally no point, tip it 10+ btc if you want results.

sorry, i don't get out of bed for less then 5 thousand dollars.

1.4 million passwords attempted to gain access to your site...

Looks secure to me!

Few issues I did find will be submitted via email for security reasons.

Ps when posting something online saying come hack us.. that in my eyes sends the wrong signals.

You should of done this via bug crowd don't be surprised if you find hackers poking about your server.. seems you don't even use cloudflare to hide the IP.. and with multiple servers and ports open.. expect some people to try other tactics as you boast about "how secure" you are..

I was having the same thought about this, put a target on your site and you can't be to sure whats coming.

One wrong move, One xss vuln, some mis-configured backend DB or service including ssh and you could be regretting posting this and challenging people,

Further to this I would of specified the scope for people to attempt. From what I see you have not said anywhere about people attempting other ways to gain access to the site or specifically that account. I'm sure by now you must be seeing lots of traffic towards all points in the site, You should no doubt be able to see from the panel.

I would reword this to exclude types of hacking against your servers and processes.

I did find one or two issues but as I said these will be disclosed to the site only (nothing serious)

Yeah, especially if it's for your e-mail, which as the 2-FA keys for the rest of your account, who would do something like that?

*looks around*

But seriously, always print out/write down your backup keys. ALWAYS!

https://s27.postimg.org/6l13999f7/Lock.png

Found this big lock page while I was having a poke.

Thats one hell of a padlock!

Might want to remove the following from the source of that svg files

Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)

Gives potential attackers clues Versions numbers ect.

Also visiting this link  https://www.bitdice.me/password/  shows a text box saying

So I attempted this

https://www.bitdice.me/password/email/

I was then presented with the Change password box.. Yet I was not logged in as user.....

"If we have this email in our database, you will receive information on how to reset your password within a minute."

Fuzzing the data between the browser and server I'm sure there could be some way of "editing" the  contact@bitdice.me email

Either way. I don't think that message should be showing for a non registered user by visiting that link.

I think you are inviting problems.. Give me 24 hr's I think I can get to that 1btc..

Either way.. U need to check the links.. that is not "good" admin having boxes popping up could lead to XSS.

Further to this you should obfuscate the code linking to Sentury.. :)   PS check your email contact@bitdice.com for the sentruy reset link I managed to send you....

Well the reason that they made this is for the user to find the exploit. The higher the bounty the more people will actually try to get it and finally someone made a solid achievement , atleast for now it sheds some light here and if you actually ended up getting the 1btc then they could be able to fix the hole that you made through

amazing. You truly got a skills of a hacker. What if there is no 1btc? what if they make this event to generate more traffic. For example they can collect people to play there game for its security, that's why they make this event. Yes, people will first find the security of the site. So that there profits will not be hacked or stolen. Anyways Good Luck on pentesting that site :) Wish you luck. Just reply in this thread for your progress. So that we can manage to follow how you hacked there site. :)

Finally there some member who made some move regarding on this event which is really great showing some excellent skills on hacking bitdice website. I would love to hear about the opinion of the owner regarding on this matter.Im sure that there is a 1btc bounty on the account and admin wont say a thing if he dont mean it.

Well, even without all the machinisms Ive been able myself to request the forgotten password stuff, I simply clicked on forgotten password.
What I'm saying is: if someone is able to access the actual email and get in, if you can then you are all set.

That sounds intriguing. I'm definitely going to visit this thread 24 hrs later. Although I'm far from being good at coding I hope I'm not wrong about general principles: no matter how good your security is, there's always a way to hack you, it just takes time and skills.

Thats the point of it and for now he might be the closest one that actually could get this "far" however if he doesnt then atleast he sheds sme light that the page shouldnt be accesable like that. Well we shall see how far he get through in 24 hours as he has stated however Im pretty convinced that it might take more than that

That because he needs to bypass the possible password he may find or security he may find once he's in.

Well its getting close to the 24 hrs since I posted, Being the holidays I have been partaking in the traditional whiskey & food and building toys that santa left for the kids!

So I will change my prediction to 7 days.

I have been running multiple scans on the site and there are a few admin errors that should be addressed which I will report back to the site once I have a full report for them.

I also am thinking there email is hosted else where down to the fact that there dose not seems to be any "mail" protocols running on the server which would mean that the mail is hosted elsewhere.

I shall keep you all informed and up to date as I progress through this task!

Merry Xmas!

Now a days i am much afraid to try the new websites like this with such offer as recently i have joined the site like this which was seems good but after joining all of my accounts data was stolen and the all money in my accounts have been gone. So i want to see users review regarding this to clear my mind.

Do you mean on some OTHER site your money was stolen or on this particular site? Can't seem to understand what you mean there. Please clarify it a bit :)

Nothing is "impossible" to hack!   Just look at some of the things that were hacked in 2016

The NSA - lost malware files to hackers.
Hacking Team - Massive malware company who made malware for governments (Pwnd! all source code and over 100,000 emails leaked on wikileaks)
TalkTalk - Lost 1000's of customers bank details and full contact info (UK telecoms company!)
World Anti-Doping Agency, whose break-in exposed medical records of U.S. Olympians Simone Biles and the Williams sisters.
Yahoo - Lost nearly a BIlLION email address and passwords..


And your telling me you think a dice game is "impossible to hack" :)

The Lulz are pouring out of me right now!

Lol. It is just impossible for normal person that don't have any programming/ hacking skills. All security on the web is hackable because there is always a loophole in every security that is why bitdice doing this security check just like google. Maybe if they increase their rate, some professional hacker will be interested because 1btc is just a penny for hacking job for security like this. Obviously it needs time to breach the security.  ::)

Famous last words. NOTHING is impossible to hack. If you can build it you can break it/hack it. Would I tell you for a tiny one btc, lol drip drip drip drip drip and booom is what most would do.

Seems they have some rather tight server side security!
I won't tell many details but lets just say its a lot like bitcoin - decentralized

Thats not to say a small "pivot" inside the network could be what is need.
I would say there account security is tight. Few java errors things not defined but apart from that its very secure!

I would give this site a hight 9.5 / 10 they have implimented a strong set of protocols to protect users and there backend servers!

Good work guys! 

I doubt anyone's getting that 1BTC anytime soon unless they use social engineering against the admin then its going to be a tough one and take a lot of time and research!

https://s24.postimg.org/5bohw5c8l/Site.png

From his post I understood that he is telling about any other site where he joined but lost his account due to hack attack. By the way from this thread everyone know that bitdice is more secure even if you give access to your account to anyone he will not be able to login from his device.

But after login attempt the site send the details for to get access to the site through the email so it means that if a person get access to the email address on which the owner is registered then the hacker will be able to hack the account easily. Can you tell who will be responsible for that?

Like I said in my mini report. Social engineering is about the only way you will get round this.

And if someone loses there email account then that is no fault of the site.

They do have good security on the site. And they have "decentralized" the site the users see from the back end of the running of the site.

everyone laughing at you
i have a bypass like i said, put 10 btc in the account and watch it disappear.  ;D

You have a bypasss? I highly doubt this!

But good luck anyway.. I don't suppose you have any proof?

If anyone had a way to get into this account, the real question is,
would they just take the 1 Bitcoin, or would they use the exploit to compromise other accounts?
I guess it depends on what color hat they wear.  ;)

Well, you'd still need the account passwords for other accounts in order to compromise them even if you could bypass it. I would think the 1 BTC would be taken if someone was able to.

Yes the request from this site is to try to get into one account that is holding these funds. Not hack the whole site to get everyone's account passwords. That would take along time to do just look at what happened to yahoo email service.
It is possible. If an email leak of a presidential candidate while running for the white house is possible so is doing it to this site. They don't have such security as the most defended nation in the world no matter how much your dice site holds. ;)

Nothing on this world cant be hacked because human do create those inventions and securities in any services here in online world. We should not derailed on the topic and we are just talking here about the 1 btc which is inside on that account.Leaking emails is possible but I don't think it would happen nowadays but well no one knows.Im still following this thread if someone could able to access.

I gave up on it after doing a full scan and lots of poking about on the site here is my conclusion.


1. They have a strong server setup that is well defended and there don't seem to be any "known" issues with the site at present.
2. The account security is tight with 2FA and also some kind of IP / Browser agent connection for additional "device" security.

I think they show good technical ability and good operation of the site..  I doubt for now anone is getting into that account, Unless they hack the admin.

If they could hack the "admin" then they could get anyone's funds on the site and not even just the 1 btc. Then it is safe to say that this site probably has the best security features among the others? Combined with 2FA then it is almost unpenetrable unless someone with some skills actually could get into it

Well 2fa can be bypassed by doing whats called a "Sim Swap" But you would need to know the number registered and the details of the mobile phone account (social engineering) contact the network tell them you have lost your phone but you have a new simcard for there network could they port the number over to the new sim (Not as hard as it sounds... 10 min later you have targets phone number ready for the 2FA code..

Yes hacking the admin would be a fairly easy way to go after the site as a whole

With the bitcoin price soaring for 2017 sites like this are going to need to keep a keen eye on security.. Look what happens to gox and others when the price went high. the attackers came out the wood work and hit hard.. with the massive explosion in casino's and dice games. it could be a nightmare waiting to happen for gamblers and exchange users.

Thanks for the wonderful participation in this UGMZ. I'm one of your follower since i read your replies here in hacking thing. But unfortunately their server is tight and got some really good security. I thought you were so close on hacking it, but I'm wrong on that.

I just don't have the free time to keep going I only did a standard testing for things like XSS vulns and Unicorn scan, Vega scan's + a few other of my own tests. and after speaking with the admin and "squeezing" some server info from him It became clear that they are taking customer security very seriously.

But from what I did try and test there "most what your average hacker" would try or have access too without trying to damage the site in anyway it was very secure.

So they get a thumbs up from me.

But did it not get hacked into and that guy stole 38 BTC from the site's wallet?
But that was using the bct talk account password to retrieve access to the casino bank wallet.
So that attempt didn't count am I correct? Or is that totally something different all together with doing something completely illegal?
I think it ended up with the owner paying out those funds out to people who's funds were lost in the hack.
It was all very confusing because it spilled over from an accusation thread against that use and into the campaign thread going back and forth. :-[

That isn't accurate. 38 btc was not stolen from the site's wallet in any hack. You'll need to re-read that accusation thread for more information regarding that but nothing was stolen from the site's wallet.

Ofc it's not accurate! This...HYIP-Ponzi admin/owner that want's back (?) 38BTC, hack somehing but this is not the BitDice account with the 1BTC on it.
He hacked the forum account of the owner of BitDice and still want back money that don't belong to him from the start of his "great" career as a scammer... ::)

Theres no connection between this challenge and those situation which happen on the past and also theres no need to bump this thread since its already 3 months passed and no one could able to do this challenge on hacking the site. If until now theres no one could able to get on the 1 btc on the account given then im sure security of this website is good enough and could increase more trust regarding on handling funds.

Great news. I believe that BitDice will be the best casino in the sphere of gambling.

You know what.

If you really want to spam your sig in the least amount of work possible. Due some work and try to avoid bumping a thread that was created over a year ago and its irrelevent.

Doing so mods will either remove your posts or contact your affiliate manager and have yourself get booted from the signature campaign.

This thread should be locked right now.

That is the best thing about 2FA security as it is an added layer of security for the user. I have done it in the past as passwords simply couldn't make me comfortable to sleep at night. However 2 factor authentication are kinda annoying sometimes as there are days that you just want to log-in into your account and play having 2fa always on will make you soend a few extra seconds in order to proceed to the site.

Nice additional security feature now everyone is curious how to hack the mail address provided then if 2fa is installed on email another work.

Hmm, why would you want to hack the email though? I don't think the 2fa code is stored in the email, though I do see that point of using the email to create a support ticket saying that it the owner lost the 2fa keys. Problem is I don't think this is part of the hack bounty of BitDice or any other site for that matter as if you are able to hack the email then that means the one that is unsecure is the email and no longer the site.

It has been over one year for this to be done.
I think it is safe to say that no one will be able to do it. Unless they have had a breach already and patched it up.
From what I remember reading of this thread before there was something with an email address getting hacked into but that was not an issue to the site's security one bit.

So best to call off this contest if it hasn't been in over a year now.
You guys are good! ;)

I have remembered in the past regarding this competition or challenge made by bitdice and now i have read it again and it seems no one did able to get in to get that 1 btc price. Im pretty sure that there still people who do tried out upto these days trying out again considering that 1 btc price is almost $17k usd as of moment which is a worthy bounty.

I don't know much about computer security but that is a great bounty for you

That is hard to believe that noone has been able to crack this and hack that bitcoin. I tried a few methods i could think of but i got nowhere. So i need to know just for my knowing if anyone was actually able to bypass their security measures. I am more curious to see if someone did beat this challenge but no one bothered to post the results or if this sites gamble paid off and no one has hacked them yet.

Even 2fa authorization is bounced with this kind of high level pro security in terms of unbackable account, which really proves that in order to hack an account you must access first the gmail for more information's and update,  well haven't try bitdice at all but same as what the others say from few pages. This is a good assurance of the site, challenging to hack an account revealing a password is so very risky but don't have to worry at all since the devs are confident with their security. Kudos.

Just a small update as requested...

No one was able to get that bitcoin. One year ago it was a mere 1000 USD, and it's almost 16.000 USD now and still sits on that account ;)

And again. An account does not have any special security settings. No 2FA, no nothing. That's a level of security you get just by creating an account. You can increase and tighten the security much more with white-list addresses, white-list IPs, and 2FA.

Regards,
Alex.

Giving away login details of an account worth 1BTCs
This definitely a very effective way to boast your security, not to mention it is strong enough to not be bypassed in almost a month now.
In my knowledge, the only way to claim those bitcoins is either by hacking the provided email
or
by identifying and hacking the people who've logged into that account with their browser to steal their browser cookies and signatures.
Both of above methods are extremely difficult, really great security.

Bullshit!