Instawallet claim process

[twolifeinexile]

Ultimately, which information a true client could submit that the hacker could not for the claim?

A true client could potentially get third parties to vouch for their identity, those who had sent bitcoins into and received bitcoins from that address.

Mmm, but to collect that third party's vouch is big pain, may be ask that party to send back 1 satoshi?

[1714702157]

1714702157

[1714702157]

1714702157

[1714702157]

1714702157

[1714702157]

1714702157

[hous]

True wallet holders would of sent emails all ready asking for there coins are [the people that had a big amount anyway] and on the claim form they will have a area where you can put your email which the hacker would not have!  

[justusranvier]

Suppose you had used your Instawallet to pay for something via a vendor, and that vendor has some way to verify your identity (email address). If you asked nicely enough, the merchant who you bought should be able to look through their payment records to match up the address you paid from with your email address.

[mike938]

Is there any way to avoid the 90 day delay if, for instance, we had 5BTC in the instawallet and had sent the 5BTC elsewhere but the transaction did not broadcast?
Put in our claim the address/url and the amount and where we had sent it in order to get it more..immediately?
For instance, I had used the same instawallet 2-3x at least and sent to the same place each time as well as this last time that did not broadcast.

[twolifeinexile]

Is there any way to avoid the 90 day delay if, for instance, we had 5BTC in the instawallet and had sent the 5BTC elsewhere but the transaction did not broadcast?
Put in our claim the address/url and the amount and where we had sent it in order to get it more..immediately?
For instance, I had used the same instawallet 2-3x at least and sent to the same place each time as well as this last time that did not broadcast.

I think they should send fund as soon as the evidence is clear, or in your case, you decide to send the wallet to an address it has been sent to before.
But not sure how they want to proceed. They didn't say how much they got lost, maybe they are actually insolvent right now but hope the revenue from bitcoin-central/payprimum to provide the fund later and estimated 90days would be enough for all accounts under 50BTC.
(In any case, it is out of our hand now.)

[steelboy]

They have at least 42000BTC.

[tvbcof]

Why not more information?  You failed to answer some very basic questions that everyone is wondering:
- How much was stolen?
- How much will those with more than 50 BTC be missing when they attempt to make a claim?
- Why aren't you covering the stolen amounts out of your own coffers?  It was your site security that failed, not the fault of your users.
- Given that your company is insolvent (obviously, or you would be able to pay everyone back in full), are you not afraid of being sued for the remaining amounts and then being investigated for criminal activity as a result?  It is against the law (at least in the US, not sure about European countries) to display favoritism to one creditor vs another when you know the company is insolvent.  All account holders should be taking the same haircut and be repaid by the same percentage of their original balance.

FWIW, I have no stake in the game.  I am just disappointed in how this is being handled.

I do have a stake in the game, and I don't give two shits about how much was stolen or the internal details of the bookeeping.  I won't hold Paymium at fault for not making public any more info than they have to in order to come to the best outcome possible.  It's common sense to keep quite about extra info.

It was dumb to hold large sums on Instawallet (and, arguably, to use Instawallet at all), so if an attacker milked the high value accounts first, it would, by accident, impact those according to their level of ignorance/laziness.

I would say that it is not completely outside the balance of reason to issue full refunds to those who's accounts were left unmolested (when they've provided adequate proof of ownership) then try to pay back the hacked value holders as possible.  Indeed, doing otherwise might add extra difficulties from a legal perspective if the attacker accessed the stolen wallets via the stolen URL which seems likely.

edit: added missing 'not'

[repentance]

FWIW, I have no stake in the game.  I am just disappointed in how this is being handled.

Likewise.  If you can't afford to refund all user balances in full, how can you afford to redevelop the system and relaunch the service?  Perhaps you should consider offering users you can't repay equity in one of your other services.

[moni3z]

If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.

lol hacker can just switch between RDP proxy and file claims to double his score. guess there really is no other way though when your online wallet has no other authentication, and at least there is a claim process and not a mybitcoin repeat

[tvbcof]

If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.

lol hacker can just switch between RDP proxy and file claims to double his score. guess there really is no other way though when your online wallet has no other authentication, and at least there is a claim process and not a mybitcoin repeat

If someone were to send a message from a potentially trackable source with an indication of the secret URL (i.e., a PM from bitcointalk.org) then that would prove ownership to a fair degree.  Sending the same via e-mail would also do the trick, but to a lesser extent.

In both cases, especially the e-mail route, an attacker could try to use sock accounts, but it would probably be either labor intensive or prone to detection.

An attacker could also try to claim a number of accounts, but if there were a plethora of conflicts that could tip off Paytunia and they would probably lock up the whole batch.

[tvbcof]

If several claims have been filed for the same url, we will process those claims on a case by case basis, under the presumption that the claim we received first belongs to the legitimate balance holder.

lol hacker can just switch between RDP proxy and file claims to double his score. guess there really is no other way though when your online wallet has no other authentication, and at least there is a claim process and not a mybitcoin repeat

If someone were to send a message from a potentially trackable source with an indication of the secret URL (i.e., a PM from bitcointalk.org) then that would prove ownership to a fair degree.  Sending the same via e-mail would also do the trick, but to a lesser extent.

In both cases, especially the e-mail route, an attacker could try to use sock accounts, but it would probably be either labor intensive or prone to detection.

An attacker could also try to claim a number of accounts, but if there were a plethora of conflicts that could tip off Paytunia and they would probably lock up the whole batch.

Oh ya...it would also be useful to have an entry on the claims form stating that a message from 'username@whatever' or 'pm as whoever' (or even verified snail-mail from whoever) can be expected in order to verify account ownership.

This is why I wished to know what I should have gotten together prior to visiting the claim site when it comes on-line.

If Paytunia really has called in the police, it could be somewhat dangerous for the perps to attempt to mop up the accounts they didn't get to in the first go-around.

But for the lost BTC this thing should be relatively straightforward, if tedious, to clean up to a reasonably degree.  If there is a will to do so...and if there is not then Paytunia risks running into legal troubles themselves.

A smart crook would have raided the smaller account to make the mess harder to deal with (assuming they were halted by exhaustion of funds and expected that to be the failure mode.)

[ab8989]

Why not more information?  You failed to answer some very basic questions that everyone is wondering:
- How much was stolen?
- Why aren't you covering the stolen amounts out of your own coffers?  It was your site security that failed, not the fault of your users.
- Given that your company is insolvent (obviously, or you would be able to pay everyone back in full), are you not afraid of being sued for the remaining amounts and then being investigated for criminal activity as a result?  It is against the law (at least in the US, not sure about European countries) to display favoritism to one creditor vs another when you know the company is insolvent.
All account holders should be taking the same haircut and be repaid by the same percentage of their original balance.

It would also be interesting to know what happened to bitcoin-central and whether that bitcoin-central incident is somehow connected to Instawallet issue in both the technicalities of the attack but also the damage done and what is the company structure that is behind the issues to absorb and handle the losses.

There seems to be plans in place to open the bitcoin-central again soon having that set of customers suffer no losses I am wondering whether it is legal to favour bitcoin-central customers over Instawallet customers in this situation if there are same companies involved and if they are insolvent?

[repentance]

There seems to be plans in place to open the bitcoin-central again soon having that set of customers suffer no losses I am wondering whether it is legal to favour bitcoin-central customers over Instawallet customers in this situation if there are same companies involved and if they are insolvent?

If they're legally separate entities, then one generally has no responsibility for the financial obligations of another in the absence of improper dealings between them.

[Joost]

There seems to be plans in place to open the bitcoin-central again soon having that set of customers suffer no losses I am wondering whether it is legal to favour bitcoin-central customers over Instawallet customers in this situation if there are same companies involved and if they are insolvent?

There is a significant difference in the relationship between Bitcoin Central and its costumers as opposed to Instawallet and its costumers. Bitcoin Central did have an authentication system, which did provide their costumers with more protection. In the end Instawallet users lost their bitcoin to a database hack, BTCentral was just running on the same servers. Many users made a well-reasoned decision to stay away from Instawallet and still used BTCentral.

[ab8989]

There is a significant difference in the relationship between Bitcoin Central and its costumers as opposed to Instawallet and its costumers. Bitcoin Central did have an authentication system, which did provide their costumers with more protection. In the end Instawallet users lost their bitcoin to a database hack, BTCentral was just running on the same servers. Many users made a well-reasoned decision to stay away from Instawallet and still used BTCentral.

We do not know anything about how the hack was done. You do not know whether the authentication played any role in this hack. It is not like the lack of wallet authentication on Instawallet gave anybody instant and full access to the underlying database and server root.

Let me just write out one possible scenario out from millions of other possibilities. Maybe the flaw that the attackers used to get access to the shared server and instawallet database was originally on bitcoin-central side and it was bitcoin-central that was hacked first. It is also possible that hot-wallet funds and database from both services were lost, it just makes more sense for them to admit one loss of funds instead of two and pour everything on Instawallet users to bear.

If you see some entity running a service with glaring security holes, it does not make sense just to avoid that poor service, it makes equal sense to avoid all the services of this entity. If you are able to spot one glaring hole, there can reasonably be expected to be a hundred other holes you just have not noticed yet from the outside and those hundred holes can be assumed to be equally on all the services that this sloppy and uncaring entity is developing SW for.

[tvbcof]

There is a significant difference in the relationship between Bitcoin Central and its costumers as opposed to Instawallet and its costumers. Bitcoin Central did have an authentication system, which did provide their costumers with more protection. In the end Instawallet users lost their bitcoin to a database hack, BTCentral was just running on the same servers. Many users made a well-reasoned decision to stay away from Instawallet and still used BTCentral.

We do not know anything about how the hack was done. You do not know whether the authentication played any role in this hack. It is not like the lack of wallet authentication on Instawallet gave anybody instant and full access to the underlying database and server root.

Let me just write out one possible scenario out from millions of other possibilities. Maybe the flaw that the attackers used to get access to the shared server and instawallet database was originally on bitcoin-central side and it was bitcoin-central that was hacked first. It is also possible that hot-wallet funds and database from both services were lost, it just makes more sense for them to admit one loss of funds instead of two and pour everything on Instawallet users to bear.

If you see some entity running a service with glaring security holes, it does not make sense just to avoid that poor service, it makes equal sense to avoid all the services of this entity. If you are able to spot one glaring hole, there can reasonably be expected to be a hundred other holes you just have not noticed yet from the outside and those hundred holes can be assumed to be equally on all the services that this sloppy and uncaring entity is developing SW for. It is not likely to assume that some entity can generate perfect code for one site and then switch hats to develop pisspoor code for another one. They could all be assumed to be equally pisspoor quality.

As an Instawallet user and not a BC user I would love to agree with out, but I have to note that Instawallet was up-front about the modest security (even by the dismal standards I've come to expect from Bitcoin related enterprises) and they warned against keeping anything but spare change there.  At least it did when I created an account.  That should not give them license to steal from Instwallet users, of course, but it is as you say, only one possibility among millions that that is how things happened and there is no general understanding of the events at this point.

One of the more possible explanations is that it was an inside job by an employee of some sort (perhaps like the Mt. Gox deal.)  Again, if they really have involved law enforcement that stuff will probably come out in the wash.  It would be very interesting to get independent confirmation that law enforcement was or was not solicited to help with the issue(s).  That would be as meaningful as anything, and fairly legitimate given that the enterprise was bragging about working with a mainstream bank.

[Phinnaeus Gage]

I see this is going to be fun!

First off, I haven't a clue as to what the word 'key' is in reference to. I'm only aware of URL and Bitcoin address, of which I know for sure one of them, for the other two addresses weren't save, just the URL's via Chrome, and once clicked, I would then see my address. Of those two, I know the exact amount, but the other would only be a guess for, though I'm pretty sure I know the exact first three whole numbers before the decimal then ? digits. The account that I do know the URL and pretty sure I have the address, I don't know the exact coin amount. The other two I washed a couple times, but nixed doing to more after finding out the address were already obfuscated by IW during each exchange. A couple weeks ago, I couldn't even see who sent me coins and where I sent them via BlockChain, of which I thought was weird, but accepted it as being part of the process.

Now I read that it will be 90 days before we get our funds back, and that's if there's no other claims, and that's if it's not extended other 90 days. For that, I say thank you, and can I meet you guys in person so that I can suck all your dicks? Seriously, I want to suck your dicks. Please let me know where to meet you all. I promise no funny business just like I was assured less than two weeks ago that all in well in InstaWalletLand.

An issue was brought up then of which I was looking into but quit pursuing and quit worrying about my coins after being assure all was well. Just like we're all being assured that all is well over at BFLland. BULLSHIT!!!

What the fuck is really going on here? Fuck, another entity holding a massive amount of coins can't even decide the proper outcome of a well-written bet, yet awards and lets run less well-written bets. Ads are being displayed on this forum for products that don't exist. Mt. Gox lags when it's to their best interest. Christian devs... (don't ask me why I opted to hold my tongue on this one, but I did).

The only saving grace is that my mother fuckin' nest egg was all profit. So is 95% of all the barn wood I currently have in stock. Where would you like me to deliver it too for free, or would you guys enjoy it more if you steal it from me? I can easily start from scratch with nothing, and not feel any pain. But that's not the point.

What I have to do to be at peace with this situation is to currently accept it as a lost, yet hope for the best. Anything I get back would be considered a blessing. One thing for sure, after 90 days, mark, if this is not resolved, everybody associated with IW will have their names associated with the words scam, fraud, etc., for starters.

In closing, since your address supposedly is available online, I want one of you guys to state your address here on this forum. Since it's supposed to be the same address, you should have no problem provided such a request. If you don't, then there's something you're definitely hiding.

You have 24 hours to fulfill my simple request.

~Bruno K~

[Phinnaeus Gage]

I just fuckin' realized I potentially have another problem if a police report was truly issued. I'm sure that they now will have access to all your computers and they will start digging into the files which include Bitcoin addresses.

Let me just ask this to everybody here: How many of you made purchases via Bitcoin of which you rather not want some authority to learn about and had your coins stored on IW? This is so fucked up on so many levels!

[tvbcof]

...

Let me just ask this to everybody here: How many of you made purchases via Bitcoin of which you rather not want some authority to learn about and had your coins stored on IW? This is so fucked up on so many levels!

Personally it would not bother me in the slightest.  Naturally my real stash is much more secure and not amenable to cold or hot disk attacks even on my own systems.  Unbelievably it seems that as a lowly private user I have used much more advanced and paranoid security measures than most of the bozo's running 'businesses' in Bitcoin-land.  What a joke most of them are.  In fairness though, these guys did have a cold storage mechanism.  I know because it caused problems when the hot one ran out one time.

Anyway, I've watched enough Pink Panther to know what kind of results to expect from law enforcement over there

[mrbitbank]

What I would like to know is where is the proceeds of my withdrawal I made on the 29th Mar from Bitcoin-central. If this is an instawallet issue why am I affected?