[Controversial] Who's to blame when an account gets hacked?

[Chris!]

If someone you loved was raped, who's fault is it?

Let's say she was drunk and in a short skirt just got out of a club. Would that really be her fault if someone had sex with her without consent? NO! That's victim blaming which is completely not ok. Ever. It's the rapist's fault. They raped her. Victim blaming happens constantly on this forum. It's not ok.

I see hacked accounts every single day here. It sucks. I hate seeing people's reputations get ruined for a few bitcents. The hackers are to blame of course but assuming you ever find them, would you ever really sue them for the $100 in damages? Obviously not. So it sucks (I know I already said that) but someone needs to take responsibility. Who should it be?

No matter what security you use, whether you're using a very secure computer or you use the same password on every website there's one person to blame: the hacker. Yes you should protect yourself but that doesn't mean it's your fault if you get hacked.

I really hope I never get hacked. Ever since I've joined bitcointalk I've been so much more careful with security so I hope that means I never get hacked. The problem is I've seen people turn on each other like wild wolves here.

Maybe let's come up with some kind of consensus. Let me know if there is a better option that should be in the poll that I didn't think of.

[Lauda]

In the case that the lender did not check whether there were password / email changes and/or request a signed message, I would blame the lender as per option:

The lender. They should have asked for a signed message.

Otherwise I'm inclined to vote for:

Both should take responsibility and each pay half of the damages.

There is no way for someone to become 'unhackable' as there are differentiating and sophisticated (targeted) approaches. In case someone used a very weak password, it would be a nice gesture to admit this and pay the caused damages.

[BitcoinMarshal]

I Vote for Option no 3 because I am victim of hack and have very big lost but still believe its also my fault because I check Legendary and green trust not gone in full profile for any specific information about change of password and email if I check before sending then surely I am not going to send big amount to hacker but account holder is also guilty using very weak password and compromised computer without any protection 

[The Sceptical Chymist]

This is a question that gets very divided responses.  The sentiment on this forum seems to be that the person who gets hacked is responsible for whatever happens with that account during the hack.  I find that ludicrous.  No one here should have to babysit their account if they don't use it for a while, and I see the hacking victim as exactly that, a victim.

On the other hand, we've all seen the BS where people claim to have been hacked, and it's just a coverup for a scam.  And I don't think (correct me if I'm wrong) there's any great way to prove that you weren't hacked.  Therein lies the problem.  I get that people who've been scammed want to hold someone accountable, but I don't think if someone truly had their account compromised that they are responsible for repaying the scam victims.

[longbob72]

It depends.

You can't exactly prove that an account wasn't hacked when all the people involved are scattered all over the world. If anyone didn't lose money because of the "hack" then there should be no problem no matter who's at fault, but if the hacked account scammed or appears to be scamming then the account owner are responsible to some degree and the account should be "blamed". The one who didn't take precautions even though hacks are quite common here should also take responsibility.

So, #3.

Edited.

[jackg]

The lender/escrow/buyer should take more responsibility but every case is unique.
The lender/escrow/buyer should set a long enough password and should use a secure email address and get a signed message from the person they got it from.

[achow101]

IMO Both parties are responsible. The person who was hacked should have properly secured their account, and upon discovery of the hack, immediately inform everyone that their account has been hacked. The person who got scammed because of the hacked account should have done their due diligence and done as much as possible to ensure that the person contacting them was who they said they were.

The issue with not ascribing blame to the victim is that doing so essentially gives the victim of the hack a free pass. The victim certainly holds some blame as something they did compromised their system. While the hacker is most certainly at fault, the victim is partially to blame as well as they should have been more attentive and more careful about their security. Of course how they got compromised affects how much blame should be ascribed to the victim.

[botany]

The original owner shouldn't be let off free. We all have to stand behind the actions of our account,
Negative trust should be automatic in the case of default of a loan.
Theymos believed so as well.

think that marcotheminer should return the account now since it was probably hacked, but everyone should give yussuf89 negative feedback for being unable to stand behind his account's actions unless he pays 50-75% of the loan principle. (This is just my opinion -- I'm not going to try to enforce it.)

[shorena]

-snip-
was raped, who's fault is it?
-snip-

Lets not go there, its a bad analogy, see below.

-snip-
I see hacked accounts every single day here. It sucks. I hate seeing people's reputations get ruined for a few bitcents. The hackers are to blame of course but assuming you ever find them, would you ever really sue them for the $100 in damages? Obviously not. So it sucks (I know I already said that) but someone needs to take responsibility. Who should it be?

No matter what security you use, whether you're using a very secure computer or you use the same password on every website there's one person to blame: the hacker. Yes you should protect yourself but that doesn't mean it's your fault if you get hacked.

I really hope I never get hacked. Ever since I've joined bitcointalk I've been so much more careful with security so I hope that means I never get hacked. The problem is I've seen people turn on each other like wild wolves here.

Maybe let's come up with some kind of consensus. Let me know if there is a better option that should be in the poll that I didn't think of.

The attacker is always to blame, but the person attacked has to take responsibility for what happened. Its your account - same as its your body - if something happens to it, you have to live with the consequences of the attack regardless who did it. If your body was used to take out a loan, yeah the rape analogy starts to fall apart here. I doubt a rape victim has to deal with problems of damage done to others because they have been raped, at the very least I hope they dont. Lets put it aside.

If your account was hacked and used for nefarious reasons you are not to blame (unless maybe you have been careless about security), but you have to suffer through the repercussions same as you cant just put a rapist in jail (Im sorry I know I said Ill put it aside) and suspect the victim to be fine. Why is this so you might ask, its a digital thing, it should be easy to just revert everything. Well for one you cant just revert the feeling that someone was using your account. At least for me this is already a violation on an emotional level. More importantly IMHO though you can not proof you have been hacked and we tend to be very paranoid here. In order to avoid 'I didnt do it, was hacked' as a get out of jail free card, there has to be consequences if there was damage.

The original owner shouldn't be let off free. We all have to stand behind the actions of our account,
Negative trust should be automatic in the case of default of a loan.
Theymos believed so as well.

think that marcotheminer should return the account now since it was probably hacked, but everyone should give yussuf89 negative feedback for being unable to stand behind his account's actions unless he pays 50-75% of the loan principle. (This is just my opinion -- I'm not going to try to enforce it.)

I personally think the best way to go is if both victims agree on something they can live with. A 50-50 split might be in order in many cases though.


btw, thanks for the reminder to change my password. If anyone has doubt its still me, ask for a signed message (PGP or BTC you know the drill).

[Quickseller]

The answer to your question really depends on the specific situation.

If you maintain a reputation of signing all addresses you receive payment to,  then (assuming no signed message, I would place more blame on the lender. The same applies if you are someone like OgNasty who maintains a reputation of using the same address for all transactions. Otherwise I would place more responsibility on the person whose account was hacked.

 It is not unusual for someone to reset their password nor to change it. If you don't usually sign a message confirming payment addresses then why would a lender expect to receive one for a loan?

Regardless of the above if there are warnings that an account is hacked (with references that are reliable) and/or threads open in meta and/or scam accusations (that are reliable) as of when the lender agrees to make the loan then responsibility is squarely on the lender.


Edit: I don't approve of your rape analogy.

Also the hacker is obviously the true scammer however it is usually unlikely that any money will be recovered from the hacker and it is unlikely that their identity will even be discovered.

Edit2:  although I find this unlikely, if there's clear evidence that the hack was due to an undisclosed security issue with the forum then theymos should cover losses.

edit3: The above only applies to when I would believe that someone is a scammer. The legal threshold for who is responsible if/when litigation is pursued is likely different. 

[SaltySpitoon]

It sort of depends, each case is different. At the very least, before you deal with someone, check to see if their email/password has been changed recently, check to see if their language or posting habits have changed or any other suspicious behavior. If you are uncertain, ask for a signed Bitcoin message or some other type of identify that you can use as a 2FA check to make sure it is who you think you are dealing with.

Glancing past the rape analogy which I don't think was entirely necessary as a comparison of liability, and going with a still controversial topic, I'll use guns. Say you own a gun, and you leave it on your kitchen table. If someone breaks in, steals it, and uses it to hurt someone, are you at fault? Conversely, if you keep your gun in a safe, someone breaks in and spends an hour to break into your safe with an oxyacetylene torch and a sawzall, and then uses it to hurt someone, are you at fault?

If you made a good faith effort at protecting your account, and it was stolen at reasonably no fault of your own, I don't think its the account owner fault. If you are taking a picture of yourself to post on social media, and you have passwords.txt open on your computer and visible in the background, I think at the very least you should feel bad about damage done by the hacker and try and do something about it.

[Chris!]

The reason I used the tape analogy is because unfortunately rape victims have been blamed in the past. It's horrible and should never be ok in any situation. I couldn't really think of another instance when the victim would be blamed so that's what I went with.

I guess the main issues brought up are the fact that how can you really prove that your account was in fact hacked? I'll be sure to sign a message with every transaction from this point forward and I have a difficult password. The only possible way for me to be hacked would be to know the password to my encrypted computer, then the login password then my bitcointalk password. I hope that I never get hacked because it seems like people just naively trust that it's the original account owner too often. If I were a lender I wouldn't take an account for collateral if they couldn't sign a message from 6 months ago (give or take) just like I would never buy one of those cheap accounts you always see being sold by brand new accounts. Hero's for 0.04BTC and things like that. They obviously have to be hacked because no one would spend a year and a half of their life building up an account to sell it for $40 IMO. I know I wouldn't.

Anyways sorry about the rape analogy but if it's not breaking any rules I'll leave it to make a point. Here are a few instances where it's happened in the past:

http://huffpost.com/ca/entry/12538648
http://www.euronews.com/2017/01/06/canada-judge-fights-to-save-job-after-victim-blaming-rape-trial
http://jezebel.com/5855255/canadian-rape-case-is-a-celebration-of-victim-blaming

Another good article on the issue: https://inequalitygaps.org/first-takes/gender-roles-of-women-since-1945/rape-where-the-blame-lies/

[roslinpl]

(...) email/password has been changed recently (...).

Hey,

I recommend to change your passwords from time to time. It's a good habit.
Personally I'm going to change my password right now and it doesn't mean that account doesn't belongs to me anymore. We shouldn't exaggerate.

If password and email has been changed recently then it might mean something.

"Hey, his password has been changed! Scammer?"   


My password has been recently changed! xD
Best regards.

[SaltySpitoon]

(...) email/password has been changed recently (...).

Hey,

I recommend to change your passwords from time to time. It's a good habit.
Personally I'm going to change my password right now and it doesn't mean that account doesn't belongs to me anymore. We shouldn't exaggerate.

If password and email has been changed recently then it might mean something.

"Hey, his password has been changed! Scammer?"  


My password has been recently changed! xD
Best regards.

Having a recently changed password doesn't mean they have been hacked, it means its worth doing an extra layer of diligence to protect yourself. I could decide to start frequenting the Russian local section to practice my language skills. It doesn't mean I've been hacked, but it certainly would be suspicious enough that I'd recommend someone use escrow with me when trading.

The reason I used the tape analogy is because unfortunately rape victims have been blamed in the past. It's horrible and should never be ok in any situation. I couldn't really think of another instance when the victim would be blamed so that's what I went with.

I guess the main issues brought up are the fact that how can you really prove that your account was in fact hacked? I'll be sure to sign a message with every transaction from this point forward and I have a difficult password. The only possible way for me to be hacked would be to know the password to my encrypted computer, then the login password then my bitcointalk password. I hope that I never get hacked because it seems like people just naively trust that it's the original account owner too often. If I were a lender I wouldn't take an account for collateral if they couldn't sign a message from 6 months ago (give or take) just like I would never buy one of those cheap accounts you always see being sold by brand new accounts. Hero's for 0.04BTC and things like that. They obviously have to be hacked because no one would spend a year and a half of their life building up an account to sell it for $40 IMO. I know I wouldn't.

Anyways sorry about the rape analogy but if it's not breaking any rules I'll leave it to make a point. Here are a few instances where it's happened in the past:

http://huffpost.com/ca/entry/12538648
http://www.euronews.com/2017/01/06/canada-judge-fights-to-save-job-after-victim-blaming-rape-trial
http://jezebel.com/5855255/canadian-rape-case-is-a-celebration-of-victim-blaming

Another good article on the issue: https://inequalitygaps.org/first-takes/gender-roles-of-women-since-1945/rape-where-the-blame-lies/

Yeah, you are fine, its not against any rules, and I get your point. I thought you were making a comparison for shock value rather than to make a point.
 

[Zeroxal]

It's your fault to get drunk and wear a short skirt in the first place.
It's partly the users fault to not have a secure enough password. If the hacker is able to crack you password, you've done something wrong. Exploiting the "hacked" excuse is in no way acceptable for me.

[grtthegreat]

The best thing that can be done is that, a PGP key should be made mandatory for signing up on this forum. This does a lot of good.

1. It prevents account farming because I believe making a huge amount of PGP keys is definitely tough.
2. It increases security. As a person who is genuine usually holds only one key and hosts it on a public server.
3. On creating an account, the person should be staking his PGP Public Key on a thread and he would have to use only that PGP keys while he trades via that account.
4. Also, in a case an account gets hacked, a simple message from the account linked PGP key should be signed to verify the authenticity of the claim.


This would definitely make this forum a better place, but this is according to my knowledge. Maybe more knowledgeable people here might have something more substantial to say.

[moonpie45]

The best thing that can be done is that, a PGP key should be made mandatory for signing up on this forum. This does a lot of good.

1. It prevents account farming because I believe making a huge amount of PGP keys is definitely tough.
2. It increases security. As a person who is genuine usually holds only one key and hosts it on a public server.
3. On creating an account, the person should be staking his PGP Public Key on a thread and he would have to use only that PGP keys while he trades via that account.
4. Also, in a case an account gets hacked, a simple message from the account linked PGP key should be signed to verify the authenticity of the claim.


This would definitely make this forum a better place, but this is according to my knowledge. Maybe more knowledgeable people here might have something more substantial to say.

1 - in the time it took me to read your post, I could have generated many PGP keys.

2 - If I wanted to, I could store many PGP keys on my computer (and backups). I do not host my PGP key on any keyserver, I upload it to one keyserver and it will propagate to other keyservers over time.

3 - Just like bitcoin private keys, PGP private keys have the potential to get compromised, or lost. If a PGP key is compromised then the owner should revoke the key publicly, and will probably want to start using a new key.

4 - Just because someone signs a message that their account was hacked does not make it a true statement. All that a PGP signed message will mean is that the owner of the PGP key is making the statement. It would be possible to fake getting hacked if a lender fails to ask for/verify a signed message.   

[Vod]

Let's say she was drunk and in a short skirt just got out of a club. Would that really be her fault if someone had sex with her without consent? NO! That's victim blaming which is completely not ok. Ever. It's the rapist's fault. They raped her. Victim blaming happens constantly on this forum. It's not ok.

Not her fault, but she is partly to blame for inducing evolutionary reproduction hormones.  

But you can prove a rape happened.  Sure, a woman can fake it with some work, but it's not just as easy as saying "I was raped".

Anyone can scam then simply say "I was hacked" and you want us to believe them?

[ndnh]

It is the lender.

[0x0010]

If a hacker wants to scam, he will scam no matter what.

They'll go through pages of accounts and try to find one they can hack. From there, they'll most likely leave the info as is and turn email notifications off.

They prefer accounts that were inactive for a few weeks with no addresses posted.

If they can't hack one, move on to the next. It's only a matter of time before they strike.

[Dead Shot]

Well, at first i find your topic intriguing, understanding that the accounts here at bitcointalk forum are stored securely in a private database and hacking through these needs superb skill so the other known option to why your account is hacked is if you're phised or if you're scammed both are commonly owner's error. The forum already provided a warning to be careful and vigilant, its up to you to do what ever precaution necessary to prevent these from happening.

[ndnh]

Why is the lender at just 13% votes?

The lender is liable to hand over the ownership of the collateral to the original owner (on making certain the claim is really true and valid)
The lender is subsequently entitled to get back the lent money from the hacker. With interest.



I hack an account, lend myself and the owner pays me the 'lent' money (or half of that). Interesting.

[actmyname]

Why is the lender at just 13% votes?

The lender is liable to hand over the ownership of the collateral to the original owner (on making certain the claim is really true and valid)
The lender is subsequently entitled to get back the lent money from the hacker. With interest.



I hack an account, lend myself and the owner pays me the 'lent' money (or half of that). Interesting.

Or, alternatively, you pretend as if your account were hacked and then take out a loan, paying back only half of it. This is where I think the lender is to blame - a signed message is always essential.

In the end, they made the decision to lend to a user, carrying all the risks. Under no circumstances can you state that it is the fault of the account that was hacked, since the lender willingly chose to lend to the account which did not provide sufficient evidence of validation.


It's a shame that you can't prove that a user was hacked or wasn't hacked - I have a feeling that some "hacked" users attempted (and succeeded in) scamming via loan requests.

[KenR]

Why are people even voting for lenders ? If the hacked account is asking for a loan,it is completely the owner's fault that due to improper precautions taken the hacker managed to hack the account.Not only lending but also trading or anything general that happens with the hacked account is solely owners fault.

[actmyname]

Why are people even voting for lenders ? If the hacked account is asking for a loan,it is completely the owner's fault that due to improper precautions taken the hacker managed to hack the account.Not only lending but also trading or anything general that happens with the hacked account is solely owners fault.

So you're saying the owner of the hacked account should repay the loan in full?

Here's my question for you: do you think that the fault doesn't lie with the lender when they allow the loan without asking for a signed message or proof that the account-holder is the true owner?

Obviously not, so then the fault should lie with the lender. This is where it goes into a case-by-case basis because primarily I would expect that the account-holder would pay at least a significant amount of the funds but the lender shouldn't get a free pass, either.

This leads into the problem where people may claim to be hacked but rather simply defaulting on a loan and then paying back either nothing or an amount less than what they received.


I'm saying that at least for lower-status accounts, all of the blame is on the lender. They took the risk, knowing full well that the loan could be defaulted. Things are a bit more blurred when you get into BiPolar territory.

[Chris!]

Why are people even voting for lenders ? If the hacked account is asking for a loan,it is completely the owner's fault that due to improper precautions taken the hacker managed to hack the account.Not only lending but also trading or anything general that happens with the hacked account is solely owners fault.

If I go and buy a legendary account for 0.01BTC with no signed message and it turns out to be hacked, should I be allowed to keep that account? I can tell you what's going to happen. The original owner of the account signs a message in a  to Theymos and the account is stripped from me. Why did it happen to me? I didn't get the signed message.

[Deep In The Mines LLC]

Indeed, I hope those who victim-blame see how its really not helping, and more likely to drive away users from using Bitcoin itself, instead you should sympathize and provide them with tips on how to be secure and remove any vulnerabilty they may have.

It should be obvious that the blame should always be on the aggressor (hacker), rather than the defendant (victim), but when it comes to exchanges where a lot of money is being held, you should remember you are putting your trust into a entity that may go insolvent, and likely protected itself from any law-suites you may use against them should they get "hacked".

Overall, when it comes to exchanges it falls into more of a grey area, since we can't really know if they got hacked, or if they have an insider who took the money and made a coverup.

[shorena]

Indeed, I hope those who victim-blame see how its really not helping, and more likely to drive away users from using Bitcoin itself, instead you should sympathize and provide them with tips on how to be secure and remove any vulnerabilty they may have.

It should be obvious that the blame should always be on the aggressor (hacker), rather than the defendant (victim), but when it comes to exchanges where a lot of money is being held, you should remember you are putting your trust into a entity that may go insolvent, and likely protected itself from any law-suites you may use against them should they get "hacked".

Overall, when it comes to exchanges it falls into more of a grey area, since we can't really know if they got hacked, or if they have an insider who took the money and made a coverup.

*cough cough* you are posting in meta, it might help to read the entire thread instead of just the title.

[darklus123]

If the girl didnt went out that night, or didnt wears skirt? Or to lessen the volume that she take. Would it be possible for her not to get raped? Of course yes, She knew her responsibility as a woman. That would go the same for your responsibility of your account

[lordquanta]

If the girl didnt went out that night, or didnt wears skirt? Or to lessen the volume that she take. Would it be possible for her not to get raped? Of course yes, She knew her responsibility as a woman. That would go the same for your responsibility of your account

In the world of permutation combinations there is this possibility:  If the girl didn't went out that night, there is possibility of break-in and attacker/rapist cause the damage.

Proving account is hacked could be difficult? rather proving hack was unintentional is difficult. Once hacked activity is proved then something could be done. Personally didn't like the analogy of rape with hacking. Each person would have different perception. Lender was at fault because he did not verified the account details of person.  If lender is innocent then how verification process was conducted. Tomorrow lender could run a scam and claim you requested for loan.
Imagine same hacking and loan scenario happened with 100s of people. Would you still blame victims or lender or hacker? 

It is difficult to find real culprit and person who is responsible for it.  These kind of scenario are too intricate to deal with.

[lottery248]

for me, i carried out the other option:
if the lender lent to a hacked account, in which the address given was not identical to the original owner, that would be a failure to the lender. blame the hacker as soon as felt to be scammed, so you can indicate if it was a hacker or original, then blame theymos for not giving a warning on the accounts' reply which their passwords were recently changed.