|
Maciek (OP)
|
 |
March 07, 2013, 10:42:13 PM |
|
http://www.wired.com/wiredenterprise/2013/03/digital-thieves-pull-off-12000-bitcoin-heist/A Bitcoin transaction services company says that hackers broke into one of its brokerage accounts last week, nabbing more than $12,000 worth of the digital currency.
That attack knocked Bitinstant offline over the weekend. The company says that while it lost Bitcoins, no customers were affected by the hack.
The criminals were able to take control of Bitinstant’s internet domains by convincing its domain registrar, Site5, to hand over control of the company’s Domain Name Service, or DNS. “Armed with knowledge of my place of birth and mother’s maiden name alone (both facts easy to locate on the public record) they convinced Site5 staff to add their email address to the account and make it the primary login,” the company said Monday in a blog post detailing the incident.
With control of the DNS, the bad guys also had control over Bitinstant’s email. They then did an online password reset at a Bitcoin exchange called VirWox and started emptying Bitinstant’s account. The total haul: $12,480.
The attack worked on the VirWox exchange because Bitinstant’s account didn’t have two-factor authentication.
|
|
|
|
|
|
|
|
|
|
|
|
"There should not be any signed int. If you've found a signed int
somewhere, please tell me (within the next 25 years please) and I'll
change it to unsigned int." -- Satoshi
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
|
zoinky
|
|
March 07, 2013, 10:56:44 PM |
|
Wired just doesn't like us. They on the look out for that bad press (they probably trying to stock up.)
|
|
|
|
|
Puppet
Legendary
 Offline
Activity: 980
Merit: 1040
|
|
March 07, 2013, 11:01:16 PM |
|
unbelievable in this day and age. I was going to argue against bitinstant, but by the looks of it, its virwex that doesnt even offer 2FA? And apparently the password reset procedure doesnt require a security question or anything else, withdrawls arent fixed to a specific address (or with time delay)...
Sheesh.
Is there really nobody who can do exchanges right?
|
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
March 07, 2013, 11:07:50 PM |
|
Bitinstant (and any others) need to look at Namecoin to secure their DNS ... or stuff like this will keep happening.
If you are going to trust the blockchain with your commercial success you will need to secure other entry points to your business with similar level security, imho.
|
|
|
|
|
Maciek (OP)
|
|
March 07, 2013, 11:10:49 PM |
|
I guess 2-factor by email @ gmail.com may be still the smartest idea  |
|
|
|
|
Lethn
Legendary
Offline
Activity: 1540
Merit: 1000
|
|
March 08, 2013, 05:07:22 AM |
|
Wasn't the amount hacked before with places like MTGOX a lot higher? If so it seems that the security must be improving if they only managed to get such a small amount.
|
|
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
March 08, 2013, 10:02:32 AM
Last edit: March 08, 2013, 10:46:19 AM by Stephen Gornick |
|
Wasn't the amount hacked before with places like MTGOX a lot higher? If so it seems that the security must be improving if they only managed to get such a small amount.
The attacker stole funds from BitInstant's account at VirWoX exchange. VirWoX offers two-factor authentication (2FA) protection which BitInstant hadn't implemented (perhaps because VirWoX didn't offer 2FA at the time BitInstant first establish their account with VirWoX).. Had BitInstant been using 2FA, the attacker would have gotten nada, zip, zilch ... just like was obtained from the other BitInstant's other exchange accounts the attacker tried to get at. Now that doesn't mean with 2FA you are completely immune from risk, but the complexity of the attack just got exponentially more difficult -- the device where the 2FA (e.g., Google Authenticator) is used must be compromised as well. Bitcoin users who store funds (either fiat like USD or bitcoins) should also be using two-factor authentication if they use an EWallet service. Here's a list of EWallet providers who offer two-factor authentication: - http://bitcoin.stackexchange.com/questions/4113[Edit: Apparently the domain registrar, Site5, doesn't appreciate the need for two-factor authentication: Site5, and their insecure practices and questionable business ethics - http://joepie91.wordpress.com/2013/03/08/site5-and-their-insecure-practices-and-questionable-business-ethics ] |
|
|
|
|
lophie
|
|
March 08, 2013, 11:13:17 AM |
|
OMG someone just mugged me and took my dollars because I was walking in a dark alley in a bad neighbourhood at 3AM, naked and screaming... I got money, I got money! It must be a problem with the This dollar currency.... lets dump the dollar........ Epic logic! |
Will take me a while to climb up again, But where is a will, there is a way...
|
|
|
|
Monster Tent
|
|
March 08, 2013, 11:14:54 AM |
|
How come it doesnt make world news when someone robs a local bank for $12 000 ?
|
|
|
|
codro
Member
Offline
Activity: 91
Merit: 10
|
|
March 08, 2013, 11:17:57 AM |
|
unbelievable in this day and age. I was going to argue against bitinstant, but by the looks of it, its virwex that doesnt even offer 2FA? And apparently the password reset procedure doesnt require a security question or anything else, withdrawls arent fixed to a specific address (or with time delay)...
Sheesh.
Is there really nobody who can do exchanges right?
"Reached Thursday, a VirWox representative said that the exchange has had multi-factor authentication since September 2012. “Bitinstant was not using it (they learned and do now),” the representative said in an email message." |
|
|
|
|
|
Oldsport
|
|
March 08, 2013, 11:19:16 AM |
|
How come it doesnt make world news when someone robs a local bank for $12 000 ?
Much worse happens more frequently. In the cyber currency world we have Bitcoin and the few that process it. With USD we have banks, card fraud, gas station robberies, druglords etc etc... With USD this is the norm, with BTC it's some new big spectacle. |
|
|
|
|
Monster Tent
|
|
March 08, 2013, 11:29:48 AM |
|
How come it doesnt make world news when someone robs a local bank for $12 000 ?
Much worse happens more frequently. In the cyber currency world we have Bitcoin and the few that process it. With USD we have banks, card fraud, gas station robberies, druglords etc etc... With USD this is the norm, with BTC it's some new big spectacle. The majority of bank theft goes unreported by banks. They cover it up usually. |
|
|
|
|
