Bitcoin Forum

Economy => Currency exchange => Topic started by: BitPiggy on May 16, 2012, 06:00:45 PM
Title: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on May 16, 2012, 06:00:45 PM
Hi,

We regret to inform you our bank account has been locked once again, due to what are likely stolen funds sent our way.

As our account is locked, I cannot transfer funds out nor see who has paid for orders, effectively putting a hold on buy/sell orders.

At this stage I was only able to talk to an operator at UBank (my bank) who could not tell me more details. As it is early morning in Australia, I have to wait until ~9am NSW time before I can talk to an actual account/security person.

I will keep you posted when I know more.

Cheers,
~Mat


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on May 17, 2012, 03:14:54 AM
Our bank account is supposedly unlocked now, but the actual bank's website is now down (UBank), so we're still unable to fulfil orders.

The site only says they'll "be back up and running soon".

We apologise for the ongoing delays.

Kind regards,
~Mat


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: mem on May 17, 2012, 05:32:56 AM
Our bank account is supposedly unlocked now, but the actual bank's website is now down (UBank), so we're still unable to fulfil orders.

The site only says they'll "be back up and running soon".

We apologise for the ongoing delays.

Kind regards,
~Mat

Hope it all gets sorted soon Mat :)

Stolen funds or stolen btc ?


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: brendio on May 17, 2012, 05:36:08 AM
Stolen funds or stolen btc ?
I don't think BP's bank would be too concerned about stolen bitcoins. Stolen fiat funds transferred through the banking system are of concern, since they can be reversed, leaving the receiving bank or the receiving bank customer out of pocket.


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on May 17, 2012, 06:07:53 AM
Hi all,

Our UBank account has been unlocked again, and we've successfully processed pending buy and sell orders (that have been paid).

For the moment I'll keep the site disabled, while I figure out how to prevent further attempts by hackers sending stolen funds our way.

Thanks for your support,
~Mat


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: miernik on May 17, 2012, 10:07:57 AM
It's interesting how this can happen in Australia (and happens so often to all exchanges), that stolen funds are sent with bank transfers.

Is it funds from accounts accessed with passwords grabbed by keylogger/phishing?

If so, how does this happen? Are there banks in Australia which allow transfers to be sent online without one-time code two-factor authentication (like SMS-code, hardware token, one-time codes on paper list)? Because in Europe I haven't yet seen a bank which allows transfers to third-party account sent without one of these one-time code authentication methods for the transfer, or at least once for the account number to transfer to.

Can you shed some light on this how Australian banking works?

And what are the liability/burden-of-proof rules?

Because for example in Poland, if a transfer is made online from a customer's bank account, it is deemed to be made by the account owner, because only he has the authentication codes, and it is his duty to protect them. If he unwillingly discloses them to someone, it is HIS fault, and the bank will NOT reverse his transfers if he then goes to the bank and says "I didn't do these, someone must have hacked into my account". Such an explanation is not valid; banks reject such claims. I know from press reports of the (very few) cases when the account owner disclosed his one-time codes to the hacker. The bank did not believe him and did not give back his money. If from a customer's bank account a transfer was made authorized with a one-time code - that's proof that the customer did it (or someone authorized by him, even if unwillingly - he is still liable). That's how it is in Poland. Maybe that's why the two largest exchanges (MtGox and Intersango) both have their accounts in Poland, and keep them without problems, without a single case of an account being locked ever since they started using these accounts last year.

Does authentication and liability work differently in Australia?


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on May 17, 2012, 05:00:21 PM
Hope it all gets sorted soon Mat :)

Stolen funds or stolen btc ?

Thanks for the support. Mostly sorted now.

As for what was stolen, someone else's bank account was hacked. BitPiggy was not hacked.

~Mat


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on May 17, 2012, 05:17:43 PM
It's interesting how this can happen in Australia (and happens so often to all exchanges), that stolen funds are sent with bank transfers.

Is it funds from accounts accessed with passwords grabbed by keylogger/phishing?

If so, how does this happen? Are there banks in Australia which allow transfers to be sent online without one-time code two-factor authentication (like SMS-code, hardware token, one-time codes on paper list)? Because in Europe I haven't yet seen a bank which allows transfers to third-party account sent without one of these one-time code authentication methods for the transfer, or at least once for the account number to transfer to.

My bank unfortunately has not given me any details, but that could be because they themselves don't know. In both this case and the previous case, I believe a user account from another bank was hacked.

As for how the hacker did it, I assume it was an account with no 2nd level of authentication. I have several bank accounts, and two of them don't require a 2nd level of authentication for sending small amounts (e.g. up to $500 AUD).

As for how they got past the 1st level of authentication, the NAB (one of the largest banks in Australia) has terrible level 1 authentication: the 'username' for logging in is a "customer code" that is printed on each debit/credit card they give to a customer (so anyone who holds the card for a few seconds could remember it if they wanted - they are only about 8 digits long) while the password must be 6-8 alphanumeric characters. You cannot make your password longer, or use characters besides alphanumerics.

That said, I suppose it is more likely the hacker used a keylogger or engaged in phishing.

Can you shed some light on this how Australian banking works?

And what are the liability/burden-of-proof rules?

Because for example in Poland, if a transfer is made online from a customer's bank account, it is deemed to be made by the account owner, because only he has the authentication codes, and it is his duty to protect them. If he unwillingly discloses them to someone, it is HIS fault, and the bank will NOT reverse his transfers if he then goes to the bank and says "I didn't do these, someone must have hacked into my account". Such an explanation is not valid; banks reject such claims. I know from press reports of the (very few) cases when the account owner disclosed his one-time codes to the hacker. The bank did not believe him and did not give back his money. If from a customer's bank account a transfer was made authorized with a one-time code - that's proof that the customer did it (or someone authorized by him, even if unwillingly - he is still liable). That's how it is in Poland. Maybe that's why the two largest exchanges (MtGox and Intersango) both have their accounts in Poland, and keep them without problems, without a single case of an account being locked ever since they started using these accounts last year.

Does authentication and liability work differently in Australia?

I suspect banks in Australia would be more lenient, and I think banks are liable for lost funds due to hacking. I'm not sure though, and I'm not sure what proof you would have to show.

Poland's attitude sounds more mature: banks put the responsibility on the users, who in turn would be motivated to seek out banks that have good security. In Australia I believe the law is such that banks are required to cover users' losses due to hacking, which I think makes users complacent about security.


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: miernik on May 18, 2012, 02:24:01 AM
For the moment I'll keep the site disabled, while I figure out how to prevent further attempts by hackers sending stolen funds our way.

You can do it quite easily: for each bank account the user wants to fund BitPiggy FROM, the user would have to authenticate it first. Authentication would happen in such a way: you will send a very small transfer TO that account, with such a thing in the "reference" field:

"Use this code on www.bitpiggy.com to allow funding the account of user miernik on BitPiggy.com from this bank account: KJ1TH78Z"

And then add a delay of however long you think it takes for a person to discover his bank account was hacked (a week, a month); only after that amount of time has passed will that bank account be authenticated to send funds to BitPiggy (forever), to the account of that user on the site.

You could also ask trusted people, friends, etc. having accounts at different banks in Australia how the authentication works, and only allow the first transfer from a given bank account to be one that must have gone through second-factor authentication. If some bank allows <$500 transfers without it, then the first transfer from an account in that bank must be >$500. If the user does not want to deposit that much, he can withdraw the remaining amount right away. Simple.



Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on May 18, 2012, 02:42:32 AM
Hello again,

We have been informed that several other instances of stolen funds being sent our way have been discovered.  Our account has once again been locked (third time), and we've been informed that we should be prepared for the possibility of our bank (UBank) shutting down our account.  At the very least, we want to move away from UBank as the account we are using is not a proper business account.

Any pending orders are thus currently held up. At this stage I do not have an ETA for when we will be able to get access to our account to process these orders.

As for opening up another, proper business account, that will likely be at least several days away at the earliest.

My apologies for the delays.
~Mat

Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: Cluster2k on May 18, 2012, 03:16:49 AM
I've used BitPiggy a few times over the past year and always found the site to be reliable.  I hope it comes back soon.

Does UBank know your account is associated with bitcoin?  I wonder if they would suspend anyone's account if it received stolen funds, or whether UBank was more keen here simply because of the associated money laundering risks with bitcoin?


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: frograven on May 18, 2012, 03:29:26 AM
I've used BitPiggy a few times over the past year and always found the site to be reliable.  I hope it comes back soon.


same here!


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: miernik on May 18, 2012, 03:36:45 AM
More ideas: don't show your account number to the customer in the system. Require the customer to enter HIS account number in the system first. And then you send a small sum (0.01 or something) to that account with the message about BitPiggy in the reference, and then the customer will find out your bank account number only from his bank transaction history.

And don't just enable customers to deposit from any bank. Enable banks one by one after analyzing that bank's security of outgoing transfers (does it have second-factor authentication). So make an exclusive list of banks you accept transfers from (after checking their security). If someone doesn't have an account at one of these banks on your list, then he can just open one there - simple.



Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: slothbag on May 18, 2012, 06:07:11 AM
What about two bank accounts.. one for customers who have been using the site for > 6 months and one for newbs.. that way when the newb account gets frozen the regulars are not inconvenienced.


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: Rodyland on May 18, 2012, 09:03:26 AM
That your account can be frozen (twice) because people claim that their accounts have been hacked and money sent to you is ridiculous.  If that happened to me I'd be absolutely stuffed - every single payment I send and receive, from rent to insurance to school fees, not to mention receiving my salary, goes through my account. 

I hope you get back up and running ASAP.


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: zhoutong on May 19, 2012, 04:06:45 AM
Will BPay solve the problem?

I'm not experienced with Australian banking system but my business banker says domestic bank transfers have less chargeback problems than international wire transfers. Well, I don't seem to agree with that.

Perhaps cheque via mail is a good solution too, if online banking is that unsafe. It will take longer time though.


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on May 23, 2012, 05:05:40 PM
Hi all,

Just an update. UBank has still not unlocked our account. I have been calling them every day to get an update, and all they say is they can see it's being reviewed by management.

As before, all pending orders are still on hold until our account is unlocked.

Thanks for your continuing patience.

~Mat


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on May 25, 2012, 04:50:18 AM
Another update- we just got off the phone to the NAB's efraud department (they handle the efraud for NAB and UBank), and they have instructed UBank to unlock the BitPiggy account. They said it should happen some time today, though they indicated it may take until near the close of business, Australia time.

Once we gain access, we will process any pending orders.

Creating new orders however will still be on hold for the time being.

FYI, we are currently in the process of setting up other, more appropriate bank accounts (we had been using a high-interest personal savings account vs a normal business account). The efraud department of the NAB has told me their policy regarding business accounts that receive stolen funds is generally they do not lock the account, but the business may have to bear the cost of accepting the stolen funds. Hence BitPiggy will still need to change its operations.

At the moment I am considering:

1) Accepting cash deposits (with proof of cash deposit, a.k.a. SpendBitcoins style of submitting photo of receipt).
2) Accepting bank-to-bank transfers as per normal, but with added measures to deter hackers sending stolen funds. Obviously the experience should be as unobtrusive as possible, and yet it needs to change. Methods I have thought of boil down to 2 distinct types of deterrence:

A. Prevent thief receiving bitcoins in the first place.
B. Punish thief after they have received bitcoins.

For A
i) Delay sending of bitcoins, to give banks enough time to report stolen funds. Considering it took ~10 days for UBank to tell me stolen funds had been sent my way, this doesn't sound feasible.
ii) Only serve people who have successfully made orders in the past. This works for old users, but doesn't help legitimate new people.

For B
To punish a hacker, knowing their identity (or some link to it) is useful, as one can either destroy their reputation, or hand over identity details to police. Note BitPiggy doesn't want to know people's details, yet identification is a common tool to deter crime.
iii) Require proof of reputation. The Bitcoin-OTC looks interesting, but it doesn't look like many people use it. Other things? Maybe people could vouch for other people, give invites.
iv) Require some form of online identification.  E.g. facebook/twitter/linkedin/google/ebay/etc account. Would need to check the account used looks legitimate.
v) Require some form of offline identification. E.g. passport/driver's license/utility bills. Not particularly interested in doing this.

One other thing we could do:
vi) Report the bitcoins as tainted. I suspect this wouldn't have much impact, for the moment anyway.

Anyways, that's what I'm thinking for the moment. Suggestions/comments welcomed.

Cheers,
~Mat


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: edd on May 25, 2012, 05:09:38 AM
I would suggest using more than one of the options you listed to varying degrees. Put new users into different categories based on what information they are willing to provide.

Best - If they don't mind providing offline documentation to verify their identity and are vouched for by an existing user, allow large deposits and withdrawals ASAP.

Next Best - Vouched for by another but want to remain somewhat anonymous, allow only limited deposits/withdrawals for a probationary period.

Riskiest - No referrals and no ID, mandatory waiting period for any withdrawals.


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: mem on May 25, 2012, 05:54:12 AM
Good stuff, hope to see you back to BAU soon :)


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: miernik on May 25, 2012, 07:50:55 AM
For A
i) Delay sending of bitcoins, to give banks enough time to report stolen funds. Considering it took ~10 days for UBank to tell me stolen funds had been sent my way, this doesn't sound feasible.
ii) Only serve people who have successfully made orders in the past. This works for old users, but doesn't help legitimate new people.

Have you considered one of the things I proposed in this thread?
For example https://bitcointalk.org/index.php?topic=82045.msg906946#msg906946

Shortly again:
1) any new bank account from which a user wants to deposit must be validated
2) user validates the account by posting the account number in a form in his account on BitPiggy, and then YOU send him a small (like 0.17 AUD) transfer to this account with text in the description: "Use this code: PJ9D43ZR to allow funding your account on BitPiggy.com from this bank account"
3) when user receives the transfer from you he enters the code on your website
4) then you wait 30 days to give time for the real account owner to notice the transaction on his bank statement in case it was done by a cracker
5) after 30 days it becomes validated and the user can deposit from that account later on instantly

Please do not use any "B" methods - it creates uncertainty for legitimate users, and will inevitably lead to becoming another Paypal-like nightmare, where you can first deposit funds, and then are locked, with many false positives.

Once funds are credited to the exchange they should be deemed clean, and if you are not sure a deposit is legitimate (i.e. has been done by the real account owner), just return it to where it came from.
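The validation flow miernik proposes above (steps 1 to 5, and the same idea in his earlier post in this thread), worked through as an added example that is not part of any post here and is not BitPiggy's own code: the customer registers the bank account he will fund from, the exchange sends a 0.17 AUD micro-deposit to that account with a one-time code in the reference, the customer enters the code, and the account then sits in a 30-day cooling-off period before deposits from it are credited; a deposit from any account that has not completed that period is returned to sender. Account numbers, user names and function names are constructed for illustration.

```python
"""Deposit-source validation as proposed in the thread (added example):
register the funding account, micro-deposit a one-time code to it, user enters
the code, then a 30-day cooling-off period before deposits from it are credited."""
from __future__ import annotations

import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

COOLING_OFF = timedelta(days=30)   # step 4: time for the real owner to notice
MICRO_DEPOSIT_AUD = "0.17"         # amount named in the thread
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 8                    # "PJ9D43ZR" is eight characters
AWAITING_CODE, IN_COOLING_OFF, VALIDATED = "awaiting_code", "cooling_off", "validated"


@dataclass
class SourceAccount:
    """A customer's own bank account registered as a deposit source (step 1)."""
    user: str
    account_no: str             # constructed example value, not a real account
    code: str                   # one-time code carried in the transfer reference
    code_entered_on: date | None = None

    def status(self, today: date) -> str:
        if self.code_entered_on is None:
            return AWAITING_CODE
        if today - self.code_entered_on < COOLING_OFF:
            return IN_COOLING_OFF
        return VALIDATED


def new_code() -> str:
    """Unguessable reference code from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))


def register_source(user: str, account_no: str, code: str | None = None):
    """Step 2: record the account and build the micro-deposit the exchange sends.
    Returns the SourceAccount and (amount, reference); the wording is the thread's."""
    acct = SourceAccount(user=user, account_no=account_no, code=code or new_code())
    reference = (f"Use this code: {acct.code} to allow funding your account "
                 f"on BitPiggy.com from this bank account")
    return acct, (MICRO_DEPOSIT_AUD, reference)


def confirm_code(acct: SourceAccount, submitted: str, today: date) -> bool:
    """Step 3: user types the code from his statement. Constant-time compare,
    tolerant of case/spacing, accepted once so the cooling-off clock can't restart."""
    if acct.code_entered_on is not None:
        return False
    cleaned = "".join(submitted.split()).upper()
    if not hmac.compare_digest(cleaned.encode(), acct.code.encode()):
        return False
    acct.code_entered_on = today
    return True


def handle_deposit(sources: dict[str, SourceAccount], from_account: str,
                   today: date) -> tuple[str, str]:
    """Steps 4-5 plus 'if unsure, send it back': (decision, user). Credited only
    when the sending account has completed its cooling-off, else returned."""
    acct = sources.get(from_account)
    if acct is None or acct.status(today) != VALIDATED:
        return ("returned", "")
    return ("credited", acct.user)


if __name__ == "__main__":
    acct, (amount, ref) = register_source("miernik", "012-345 12345678")
    sources = {acct.account_no: acct}
    print(f"send {amount} AUD with reference: {ref}")
    confirm_code(acct, acct.code, date(2012, 5, 26))
    for day in (date(2012, 6, 5), date(2012, 6, 25)):   # day 10, day 30
        print(day, acct.status(day), handle_deposit(sources, acct.account_no, day))
```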


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on May 26, 2012, 12:04:34 AM
Our bank account has been unlocked.

Pending orders have been processed. Again, thank you for your patience. As mentioned previously on this thread, creating new orders is still on hold until we make new arrangements.

Cheers,
~Mat


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on May 26, 2012, 12:24:33 AM
Have you considered one of the things I proposed in this thread?
For example https://bitcointalk.org/index.php?topic=82045.msg906946#msg906946

Shortly again:
1) any new bank account from which a user wants to deposit must be validated
2) user validates the account by posting the account number in a form in his account on BitPiggy, and then YOU send him a small (like 0.17 AUD) transfer to this account with text in the description: "Use this code: PJ9D43ZR to allow funding your account on BitPiggy.com from this bank account"
3) when user receives the transfer from you he enters the code on your website
4) then you wait 30 days to give time for the real account owner to notice the transaction on his bank statement in case it was done by a cracker
5) after 30 days it becomes validated and the user can deposit from that account later on instantly

Yep, I got some of my ideas from your earlier suggestion. The waiting 30 days would certainly ensure the person was legitimate. The other stuff of the person checking a deposit I make in their account, a.k.a. PayPal style, doesn't get much: previous hackers clearly had access to the person's bank account, and over several days if not longer.

Please do not use any "B" methods - it creates uncertainty for legitimate users, and will inevitably lead to becoming another Paypal-like nightmare, where you can first deposit funds, and then are locked, with many false positives.

I understand the concern. I should point out BitPiggy functions more like a shop than a bank. Hence there's no funds to lock. Rather, users would be prevented from making orders (or at least the amounts + timing would be restrictive) in the first place if the user was not trusted enough.


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: fsgr on May 31, 2012, 07:09:06 AM
All that needs to be done is devise a way to whitelist customers, without it becoming too much hassle, because that is Bitpiggy's strength, that it is easy and simple to do.

What I would do first is whitelist all customers that have used the Bitpiggy service and open back up.

Next I would get bank accounts at all four major banks and suggest people transfer money to the same bank as their own, then maybe same day transfer of btc could be possible instead of 24 hour wait. (overcoming a shortcoming of bitpiggy)

Next is growing the whitelist of good customers, maybe simple things like allowing them to buy 1 btc, then they must wait a week and after that if there is no fraud problem move them to the whitelist. Sure they could still scam a single btc but they risk losing a bank account they have access to for $5.

Good luck with whatever you do. I have only had very good experiences with Bitpiggy and look forward to them returning.


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: caish5 on May 31, 2012, 03:01:19 PM
Bitpiggy can't come back soon enough.
The prices at the competition are no longer "competitive"!


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: fsgr on June 05, 2012, 03:56:51 AM
Bitpiggy can't come back soon enough.
The prices at the competition are no longer "competitive"!


OVER $6 NOW!


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: slothbag on June 05, 2012, 09:23:13 AM
MrBitcoins still selling for under $6


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: Jeremy West spendbitcoins.com on June 08, 2012, 10:03:51 AM
Bitpiggy can't come back soon enough.
The prices at the competition are no longer "competitive"!


If you're talking about us, our prices have not changed. They have always been Mt Gox 24h high + 10%. The problem is that it seems higher as the value of bitcoin rises but in reality it is exactly the same. If bitcoins were selling on Mt Gox for $1 each, our rate would be $1.10, which means that $100 worth of bitcoins would cost you $110. If bitcoins were selling on Mt Gox for $100 each, our rate would be $110, which means $100 worth of bitcoins would cost you $110.

Psychologically it seems more to pay $10 per bitcoin commission than $0.10 per bitcoin commission, but in reality it is exactly the same. I'm thinking about changing the display rate to x +10% so that, for example, at this very moment it would say "5.69 +10%" instead of "6.31". Would that be psychologically more satisfying for people, especially as prices are rising?

We would love to have lower prices, but unfortunately with wire fees, foreign exchange fees, and exchange rate risk, we have found this rate necessary to stay profitable.


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: miernik on June 08, 2012, 10:18:03 AM
MrBitcoins http://www.mrbitcoins.com/  6.20 AUD
SpendBitcoins https://www.spendbitcoins.com/buy/  6.314 AUD

I can underbid both of you a bit, PM me with volume (min 20 BTC, max depends on your rating) and your offer if interested.

AU bank wire transfers only to AU bank account, no cash deposits!

Trusted users only (some OTC rating or old users on this forum).


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: mem on June 15, 2012, 11:28:26 AM
All that needs to be done is devise a way to whitelist customers, without it becoming too much hassle, because that is Bitpiggy's strength, that it is easy and simple to do.

What I would do first is whitelist all customers that have used the Bitpiggy service and open back up.

Next I would get bank accounts at all four major banks and suggest people transfer money to the same bank as their own, then maybe same day transfer of btc could be possible instead of 24 hour wait. (overcoming a shortcoming of bitpiggy)

Next is growing the whitelist of good customers, maybe simple things like allowing them to buy 1 btc, then they must wait a week and after that if there is no fraud problem move them to the whitelist. Sure they could still scam a single btc but they risk losing a bank account they have access to for $5.

Good luck with whatever you do. I have only had very good experiences with Bitpiggy and look forward to them returning.

Great suggestions, I too am eagerly awaiting "The return of bitpiggy" (sounds like a cool comedy movie).


Title: Re: BitPiggy - bank account locked (again) 16th May 2012
Post by: BitPiggy on June 27, 2012, 12:14:13 AM
BitPiggy is back up and running!

Our new bank account finally got unlocked yesterday, and then this morning I had to do some last minute fixes (bank details were still set to the old bank account!).

For users who have made past orders, you can gain access to your account by choosing to 'reset password' (https://bitpiggy.herokuapp.com/password_resets/new). This will mean the site will recognise your past orders and you'll immediately be able to jump into making large orders.

Things that have changed:
  • All users require a log in (email + password). This should hopefully be more convenient than the old style of email verification.
  • Limits have been changed + new orders must be 7 days apart. The 7 day limit is a new restriction as a direct result of previous attacks wherein stolen funds were sent to us.

Going forward
From appearances not a lot has changed besides the new log in process. However behind the scenes a lot has changed to make future changes easier.  Those future changes include:
  • Adding additional authentication methods, e.g. Facebook/twitter/OTC.
  • Reduce the delay between orders + increase limits for users that are authenticated in ways that are more trustworthy.
  • Adding additional payment methods.

So yes, we are back!

Please let me know if you experience any issues.
Cheers,
~Mat

Edit: I've moved this post into a new thread, https://bitcointalk.org/index.php?topic=90152.0