Topic: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist (Read 1428 times)
Maciek (OP)
March 07, 2013, 10:42:13 PM
 #1

http://www.wired.com/wiredenterprise/2013/03/digital-thieves-pull-off-12000-bitcoin-heist/

Quote
A Bitcoin transaction services company says that hackers broke into one of its brokerage accounts last week, nabbing more than $12,000 worth of the digital currency.

That attack knocked Bitinstant offline over the weekend. The company says that while it lost Bitcoins, no customers were affected by the hack.

The criminals were able to take control of Bitinstant’s internet domains by convincing its domain registrar, Site5, to hand over control of the company’s Domain Name Service, or DNS. “Armed with knowledge of my place of birth and mother’s maiden name alone (both facts easy to locate on the public record) they convinced Site5 staff to add their email address to the account and make it the primary login,” the company said Monday in a blog post detailing the incident.

With control of the DNS, the bad guys also had control over Bitinstant’s email. They then did an online password reset at a Bitcoin exchange called VirWox and started emptying Bitinstant’s account. The total haul: $12,480.

The attack worked on the VirWox exchange because Bitinstant’s account didn’t have two-factor authentication.
zoinky
March 07, 2013, 10:56:44 PM
 #2

Wired just doesn't like us. They're on the lookout for that bad press (they're probably trying to stock up.)
Puppet
March 07, 2013, 11:01:16 PM
 #3

Unbelievable in this day and age. I was going to argue against BitInstant, but by the looks of it, it's VirWoX that doesn't even offer 2FA? And apparently the password reset procedure doesn't require a security question or anything else, withdrawals aren't fixed to a specific address (or with time delay)...
Sheesh.

Is there really nobody who can do exchanges right?
marcus_of_augustus
March 07, 2013, 11:07:50 PM
 #4

Bitinstant (and any others) need to look at Namecoin to secure their DNS ... or stuff like this will keep happening.

If you are going to trust the blockchain with your commercial success you will need to secure other entry points to your business with similar level security, imho.

Maciek (OP)
March 07, 2013, 11:10:49 PM
 #5

I guess 2-factor by email @ gmail.com may still be the smartest idea :D
Lethn
March 08, 2013, 05:07:22 AM
 #6

Wasn't the amount hacked before with places like MTGOX a lot higher? If so it seems that the security must be improving if they only managed to get such a small amount.
Stephen Gornick
March 08, 2013, 10:02:32 AM
Last edit: March 08, 2013, 10:46:19 AM by Stephen Gornick
 #7

Quote from: Lethn
Wasn't the amount hacked before with places like MTGOX a lot higher? If so it seems that the security must be improving if they only managed to get such a small amount.

The attacker stole funds from BitInstant's account at VirWoX exchange. VirWoX offers two-factor authentication (2FA) protection which BitInstant hadn't implemented (perhaps because VirWoX didn't offer 2FA at the time BitInstant first established their account with VirWoX). Had BitInstant been using 2FA, the attacker would have gotten nada, zip, zilch ... just like what was obtained from BitInstant's other exchange accounts the attacker tried to get at.

Now that doesn't mean with 2FA you are completely immune from risk, but the complexity of the attack just got exponentially more difficult -- the device where the 2FA (e.g., Google Authenticator) is used must be compromised as well.

Bitcoin users who store funds (either fiat like USD or bitcoins) should also be using two-factor authentication if they use an EWallet service.  Here's a list of EWallet providers who offer two-factor authentication:
 - http://bitcoin.stackexchange.com/questions/4113

[Edit: Apparently the domain registrar, Site5, doesn't appreciate the need for two-factor authentication:

Site5, and their insecure practices and questionable business ethics
 - http://joepie91.wordpress.com/2013/03/08/site5-and-their-insecure-practices-and-questionable-business-ethics ]
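
The controls named in posts #3 and #7 (a second factor, withdrawals pinned to known addresses, a delay after a password reset) can be sketched as a withdrawal gate. This is an added example, not code from VirWoX, BitInstant or any poster; the `account` fields and the `authorize_withdrawal` helper are hypothetical, and the TOTP routine follows RFC 6238.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, at: float, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, max(at + d * 30, 0)).encode(),
                            submitted.encode())
        for d in range(-window, window + 1)
    )

def authorize_withdrawal(account: dict, address: str, code, now: float) -> str:
    """Return 'allow', 'hold' or 'deny'. Each control applies only if configured."""
    secret = account.get("totp_secret")
    if secret is not None and not (code and verify_totp(secret, code, now)):
        return "deny"   # a password reset through hijacked email is not enough
    allowed = account.get("allowed_addresses")
    if allowed is not None and address not in allowed:
        return "deny"   # withdrawals are pinned to pre-registered addresses
    if now - account.get("last_password_reset", 0) < account.get("reset_hold", 0):
        return "hold"   # cool-down after a reset gives the owner time to react
    return "allow"

if __name__ == "__main__":
    now = 1_362_700_000.0                        # constructed timestamp
    secret = b"constructed-demo-secret!"         # constructed; kept on the owner's device
    legacy = {"last_password_reset": now - 60}   # password only, as in the incident
    hardened = {"totp_secret": secret, "allowed_addresses": {"addr-owner"},
                "last_password_reset": now - 60, "reset_hold": 86_400}
    print(authorize_withdrawal(legacy, "addr-x", None, now))
    print(authorize_withdrawal(hardened, "addr-x", None, now))
    print(authorize_withdrawal(hardened, "addr-owner", totp(secret, now), now))
```

The TOTP secret never travels through email, so control of the domain's mail does not produce a valid code.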



lophie
March 08, 2013, 11:13:17 AM
 #8

OMG someone just mugged me and took my dollars because I was walking in a dark alley in a bad neighbourhood at 3AM, naked and screaming... I got money, I got money!

It must be a problem with this dollar currency.... let's dump the dollar........

Epic logic! :D

Will take me a while to climb up again, but where there is a will, there is a way...
Monster Tent
March 08, 2013, 11:14:54 AM
 #9

How come it doesn't make world news when someone robs a local bank for $12 000 ?

codro
March 08, 2013, 11:17:57 AM
 #10

Quote from: Puppet
Unbelievable in this day and age. I was going to argue against BitInstant, but by the looks of it, it's VirWoX that doesn't even offer 2FA? And apparently the password reset procedure doesn't require a security question or anything else, withdrawals aren't fixed to a specific address (or with time delay)...
Sheesh.

Is there really nobody who can do exchanges right?

"Reached Thursday, a VirWox representative said that the exchange has had multi-factor authentication since September 2012. “Bitinstant was not using it (they learned and do now),” the representative said in an email message."
Oldsport
March 08, 2013, 11:19:16 AM
 #11

Quote from: Monster Tent
How come it doesn't make world news when someone robs a local bank for $12 000 ?

Much worse happens more frequently. In the cyber currency world we have Bitcoin and the few that process it. With USD we have banks, card fraud, gas station robberies, druglords etc etc...

With USD this is the norm, with BTC it's some new big spectacle.

Monster Tent
March 08, 2013, 11:29:48 AM
 #12

Quote from: Oldsport
Quote from: Monster Tent
How come it doesn't make world news when someone robs a local bank for $12 000 ?

Much worse happens more frequently. In the cyber currency world we have Bitcoin and the few that process it. With USD we have banks, card fraud, gas station robberies, druglords etc etc...

With USD this is the norm, with BTC it's some new big spectacle.

The majority of bank theft goes unreported by banks. They cover it up usually.
