Bitcoin Forum

I have been on the fence as to if this should be posted or not.  Normally I think information like this should be kept from public view but being that it looks like the security hole is still open even after the Tradehill incident so Dwolla may need to be pushed to make their service more secure.  In the interim I would suggest that no one use Dwolla.

Tradehill has stated that Dwolla got defrauded by a "known scammer" and posted the persons name on their blog.  It is highly unlikely that the person whose name they posted was involved in the fraud at all.  In fact that person was probably a victim of identity theft where the perpetrator exploited a weakness in the Dwolla bank account verification process that makes it easy to verify a bank account that you don't actually have access to.

Here is how the fraud likely works

1. Perp has knowledge of Victims bank account information off of a paper check
2. Perp creates a Dwolla account in Victims name
3. Perp adds Victims bank account to the Dwolla account
4. Perp correctly guesses the two $.12 or less deposits that were made to the Victims bank account
5. Victims bank account is now linked to the Dwolla account.  Perp initiates a transfer from Victims bank account to Dwolla
6. Perp transfers from Dwolla to Bitcoin exchange of their choice
7. Perp buys Bitcoins and immediately removes them from account at chosen exchange
8. Victim notices money missing from bank account and has the unauthorized ACH reversed

The ability to execute this fraud is wholly dependent on the ability to randomly guess the verification deposits that Dwolla makes into a persons bank account with no regard to failed attempts.  The people who's bank accounts are getting linked to a Dwolla account in their name probably have no idea what Dwolla is. Seeing a deposit like "ACH Electronic Credit Jul 01 05:15 Dwolla Dwolla    $ 0.02" is going to go unnoticed by the victim most of the time.  It is not until money starts leaving the account that anything would be reported.

The reason the ACH transactions are being reversed is because Dwolla doesn't do enough to verify the customer and/or the transaction.  The good thing for Tradehill and other companies who are now having credited transactions reversed is that this liability is almost certainly 100% Dwolla's.

In my opinion, dwolla has had long enough to address this issue and your post is absolutely necessary at this point.  thank you.

hmmm I find it highly unlikely that dwolla would give you too many chances to guess the two under 12 cent numbers(which is how paypal does it and they dont seem to have the dwolla problem)

How about, perp gets POS bank account using fake id.. perp then knows the deposits...

I just dont see dwolla let you guess more than twice.... NOW I AM ASSUMING.. I DONT KNOW FOR SURE.. i just dont think this is how it went down.

12*12 / two attempts = 72.

So potentially, for every 72 bank accounts you have access to, you can steal from Dwolla?

even if dwolla lets you guess only twice, with enough compromised accounts, eventually you are bound to be able to guess correctly.

But it is possible that the perp did have access to the persons online bank account, or dumpster dove for a statement to confirm, or hacked an email account, etc....

In the world of fraud and with a big enough list of bank accounts, those odds aren't that bad.....

I am 99% sure I am correct.  I know that they allowed multiple guesses and know there were people verifying their own bank accounts by guessing the deposits so they could shorten the time period required to obtain BTC.

Are $0.00 deposits allowed? The search space may be 11*11=121 ..So you only need to comprise 60.5 accounts (on average) Edit: Nevemind: "$0.12 or less" includes $.12.

If that's true... Talk about amateur hour...  ::)

Are you really sure about that?

Yes I am sure.  I tested it when verifying my own account.

As far as the possibility that someone had fake ids made, hacked their email and dug through their victims garbage it is very unlikely for no other reason than Occam's razor.

as to rather.. steal money from these accounts.. they would rather hold onto them for days and go through the dwolla sign up crap?

Dont think dwolla would notice the same IP setting up hundreds of accounts and getting most of the answers wrong? yeah yeah vpns and proxies.. so a different one for every 5 accounts?


maybe you are correct, perhaps they have sloppy security, I just dont see them letting you try 1000 sites and guess 72000 times on bank deposits and failing most of the time.


IT also doesnt fit the claims of tradehill.

Tradehill got confirmations from dwolla that the money was sent to tradehill and only after the confirmation was the payments reversed. Even if everyone whose accounts were hacked for at least a week.. suddenly discovered it right after money started to disappear.. it isnt that easy to reverse those charges. I just dont see it.. it looked like all the charges were reversed zero questions asked.


This smells more of programming hole than social hole to me.,

Don't forget, if you have access to bank information, you may have stolen the person's password they use when logging in to their bank.. not to mention there are a multitude of VPNs, proxies, and other such things.. so it is almost never going to be from a real ip address.

In the online fraud community, if you can come across someones SS# along with bank info, you can easily gain access to their online banking and keep an eye on the deposits as well...

This may be turning into an easy way for thieves to get physical access to the money they're stealing.

That all depends on the particular bank. You can't call or walk into most banks with a SSN (lacking SSN card and federal issued ID) and get any information unless you have secondary and tertiary identification methods.

It's much easier than you guys think.  Just keylog someone who uses online banking and you'll have full access to their account if you use Zeus or a similar rootkit.  You'll be able to simply log in to their online terminal and link their account without any guesses to Dwolla, since you'll be able to see the deposits coming into their account from Dwolla.

The verification process is so weak that really the 5-10% of Americans who don't set up their online banking passwords correctly are vulnerable to being linked and drained.

The silver lining to this bug is it doesn't matter if you have a bank account linked to a Dwolla account or not - victims will be people who receive money from other Dwolla users, and people who have their regular bank account credentials stolen.  If you use Dwolla as a one-way drain to convert money into a bitcoin exchange you'll be safe.

Or even 72 if the order in which you enter them doesn't matter...

No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an insecured wifi spot), pretend to check his statement, and then afterwards claim that his account was comprimised to reverse the ACH transaction he himself had initiated.

No need for that at all, all the customer has to do is claim that an ACH withdrawal from their account was unauthorized and the bank will reverse it.

Psst. Changing the MAC doesn't help make you more anonymous. Once you go past the first router they can't see your MAC anyway, unless the protocol sends it itself (ie, some consoles/games/etc) and HTTP doesn't do that.

I dont know how much data a router logs, but they might log the mac of all connected devices. so if they see that a specific ip was used in an attack, they simply go to the wifi hot spot and take their router and look up the logs.

even then, going back with a mac address to find the owner would be very difficult. so just buy a cheap laptop at a pawn shop with cash from change and you should be safe.

Which proves only that the computer that made that transaction was using that MAC address at that time.

Or use a random MAC address.

the deposit size guessing 'sample size' might be even smaller, if they don't truly use a random number from 1-12 cents.  For all I know they use the same 2 numbers for everyone.  I mean that would be incredibly stupid but stupider things have happened.

I don't remember what mine were, but a friend just recently did a dwolla bank account verification and said the amounts were 1 and 2 cents, I remember because he instant messaged me saying he was pissed because he wanted 12+12 cents and said dwolla was being a cheapskate.  ;D

MAC addresses are changeable in most wireless ethernet drivers anyway;

I think you guys are making it way too complicated... It's a common scam (in Europe) where you find somebody who sells something online, that only works with bank transfer (second hand stuff or a trader that does not take credit cards). You tell him you seriously want to buy his EUR 100 cucko clock but you have a new bank and as you are not in the same country, you want to do a test transfer first to see how much money the bank is keeping as a fee for a cross border transaction (IBAN is free but for example some French and Greek banks still charge a fee). You tell him to look for the two deposits and he will tell you.

No keylogger or dumpster diving required....

As the guy is happy to see money arrive onto his account, he is not suspicious that he will get scammed later.

(as seen on Dutch TV http://www.opgelicht.nl/dossiers/detail/paypal/ )

This is brilliant!

Gotta love US banking standards...

Atleast here you can leave message with transfer, not sure if this is still in SEPA...

Still, it's Dwolla's problem and if TradeHills post are right they just deleted past records and not mark those reversed or anything like...

Tradehill is correct that the Dwolla blog suggests transactions are free of chargeback concerns.

But unfortunately, Dwolla's (current at least) "Terms & Conditions" -- which includes clauses overruling anything they might say anywhere else -- states the following, in sharp conflict to the Dwolla blog entry:


Dwolla wants to depend on ACH (Automated Clearing House), which is inherently reversible.  MtGox & Tradehill want to depend on Dwolla.  And we want to depend on them for fast, convenient transactions.

There is a problem here which may ultimately force us to revert to bank wires, bank checks, money orders, and other cashlike transfers.  To buy a non revocable currency might take a non revocable transaction.

Does anyone know how exchanges for Pecunix, Liberty Reserve, etc. handle this issue?

One way might be to limit the size of transfers for new customers of exchanges ... while absorbing a certain amount of new-user fraud as inevitable.  I would be sad to see that happen, because it would raise exchange fees, reducing one of the great advantages BTC exchanges have over traditional markets.

As a compromise, higher fees could be assessed only on revocable deposits: users would pay more for convenience & speed.  Exchanges could thereby self-insure or obtain insurance against losses to fraud, without eliminating rapid transfers.



Sources:

Dwolla blog, http://www.dwolla.org/blog/retail-merchants-rejoice-web-kiosk-online/ which currently says "Remember, these are cash-based transactions! No credit card fees, chargeback concerns, or signing necessary!"

"Terms & Conditions" link on the registration page at https://www.dwolla.com/register.aspx#

Right.  And I was asking about how those exchangers handle it.  Bitcoin itself takes the place of a Pecunix or Liberty Reserve currency, but still needs viable exchangers.

(All 3 currencies are non-revocable.)