BIPS, Payment Service Provider (PSP) for Merchants

[assortmentofsorts]

Statement from BIPS, November 19th 2013.
 
On November 15th BIPS was the target of a massive DDoS attack, which is now believed to have been the initial preparation for a subsequent attack on November 17th that overloaded our managed switches and disconnected the iSCSI connection to the SAN on BIPS servers.
Regrettably, despite several layers of protection, the attack caused vulnerability to the system, which has then enabled the attacker/s to gain access and compromise several wallets.
 
At this point all wallet functions have been disabled in order to conduct a full investigation and audit. BIPS will be contacting compromised wallet owners individually.

BIPS will also be contacting merchants who have not enabled automatic conversion of bitcoin.
 
Merchant processing functionality and buy/sell has been re-enabled.
 
BIPS help desk system is currently not accessible and will not be re-enabled until an alternative hosting solution has been arranged for this. In the mean time, support is reachable via email to support(at)bips(dot)me. Previously submitted tickets need to be resubmitted via email. Please be patient and allow 24-72 hours to receive a reply.

Hey Kris. I had 3.3+ BTC sitting in the wallet. Should I send you an email at support(at)bips(dot)me? How should those of us who had some BTC in the wallet proceed?

[assortmentofsorts]

Kris any updates??? Its unusually quiet on BIPS end.... getting me worried!

[Ikinoki]

So, just logged into my account and seen that all transactions are gone as well as invoices and some btc...
What is going on?

[assortmentofsorts]

So, just logged into my account and seen that all transactions are gone as well as invoices and some btc...
What is going on?

No idea. Sent a mail yester to the support address. No reply yet

[TookDk]

I would really like some information too - its ridiculous.   

[Kris]

We are working 24/7 to re-establish all core functionalities, including our support helpdesk, which will be available very soon to enable global communication.
So far updates are and have been available on https://bips.me/press
https://bitcointalk.org/index.php?topic=252308.msg3645043#msg3645043

[cubicdissection]

Kris, it's nice to hear you are working 24/7.  That said, it's been days since we have been able to access our balances, all during a period of great volatility. 

The information that some wallets were compromised is alarming.  Combined with the vague communications, I think you can see why we're worried.

Perhaps you could take a couple moments to comment on how many wallets were compromised (a handful? most of them?) and how your company plans to make whole those who lost what they entrusted you with.

[allincoin]

agreed very vague...  Now that I can post outside of the "Newbie Area"   I'll link in the thread I started over there...  

https://bitcointalk.org/index.php?topic=341682.0


Are BIPS Wallet Holders going to be TradeFortress'd?

[Kris]

System status as of 22 November 12:45pm - Help Desk Restored. https://helpdesk.bips.me/

[Kris]

It is imperative to understand that everything was wiped out from our servers and getting functionality back is priority #1.
The wallet part of BIPS was a free service to make payments easier for users.
Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in.
Hence we offered a paper wallet as a cold storage alternative for those who wanted a safe storage solution.
We will be contacting all affected users as already proclaimed.
We will need their consent to hand over information to the authorities for further investigation, which hopefully can assist in catching the thief.
Those who were not affected and have a bitcoin balance will also be contacted.
Most balances left are minuscule, but if you had more than a few satoshi’s in your wallet you are affected, and will be contacted.

Another priority is doing forensics data recovery to be able to investigate and assist authorities in finding the attacker.
Technical information will not be disclosed for security reasons.

Stolen coins have been isolated and server logs have been retrieved from data recovery:
https://blockchain.info/address/1LuG91tcSQxKj32BsCoRkX7yQLfj9LtkCs

Please be advised that attacks are not isolated to us and if you are storing larger amounts of coins with any third party you may want to find alternative storage solutions as soon as possible, preferably cold storage if you do not need immediate access to those coins:
www.coindesk.com/hacker-attack-polands-bitcoin-exchange/
www.coindesk.com/czech-bitcoin-exchange-bitcash-cz-hacked-4000-user-wallets-emptied/

[bernard75]

It is imperative to understand that everything was wiped out from our servers and getting functionality back is priority #1.
The wallet part of BIPS was a free service to make payments easier for users.
Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in.
Hence we offered a paper wallet as a cold storage alternative for those who wanted a safe storage solution.
We will be contacting all affected users as already proclaimed.
We will need their consent to hand over information to the authorities for further investigation, which hopefully can assist in catching the thief.
Those who were not affected and have a bitcoin balance will also be contacted.
Most balances left are minuscule, but if you had more than a few satoshi’s in your wallet you are affected, and will be contacted.

Another priority is doing forensics data recovery to be able to investigate and assist authorities in finding the attacker.
Technical information will not be disclosed for security reasons.

Stolen coins have been isolated and server logs have been retrieved from data recovery:
https://blockchain.info/address/1LuG91tcSQxKj32BsCoRkX7yQLfj9LtkCs

Please be advised that attacks are not isolated to us and if you are storing larger amounts of coins with any third party you may want to find alternative storage solutions as soon as possible, preferably cold storage if you do not need immediate access to those coins:
www.coindesk.com/hacker-attack-polands-bitcoin-exchange/
www.coindesk.com/czech-bitcoin-exchange-bitcash-cz-hacked-4000-user-wallets-emptied/

Those werent exactly well established players in the bitcoin industry...

[cubicdissection]

It is imperative to understand that everything was wiped out from our servers and getting functionality back is priority #1.

Maybe to YOU.  MY #1 priority is you getting my BTC back! 

The wallet part of BIPS was a free service to make payments easier for users.
Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in.

You never said that before you lost my BTC.  As someone who pursues and gets merchants to sign up for your service, you surely realize that many if not most of them are not well versed in Bitcoin.  At NO point did you EVER say hey you shouldn't keep your BTC with us.  In fact, your website said:
Your data is secure at BIPS
BIPS was built by passionate bitcoiners and talented developers. BIPS is hosted in our private server facilities. Passwords are stored with a double salted SHA-512 hashing algorithm. Our entire website is protected with AES RIJNDAEL 256 encryption and we have encryption of data traffic with 2048-bit, highest assurance Extended Validation SSL certificate, with 99.9% Browser Recognition.
Bitcoin Security
BIPS protects your payment information with industry-leading security and fraud protection.
On top of this, our server/database is regularly stored on tape backups. For added security you can also enable Secure Card and Google Authenticator at any time for up to 3 levels of authentication.

So yeah, I felt pretty goddamn secure leaving my BTC balance there.

Those who were not affected and have a bitcoin balance will also be contacted.
Most balances left are minuscule, but if you had more than a few satoshi’s in your wallet you are affected, and will be contacted.

So basically ALL balances are gone?  Why don't you speak in plain english and quit giving us the runaround?  Because it makes me think you're a liar and have something to hide.

Technical information will not be disclosed for security reasons.

Wrong.  You need to convince me and others you didn't simply transfer out the funds yourself.  Given the silence, poor communication, delays etc you are not looking very trustworthy.   If you think people are going to simply take your word for it and walk away from thousands of BTC you're dead wrong.

[Ikinoki]

I don't like this, you don't communicate.
This is not going to work, any processor we used tries to screw people over.

HOW on earth could everything be wiped out from servers with a secure system? What did you do to allow root access?
Seriously it's not that hard to make a secure system, get a grip on online security manuals, implement MAC or jails.
Holy crap, I'm seriously angry right now.

[TheRandomGuy]

Welp. I'm gonna start using software wallets again.

Nice using ya guys. 

[dantes]

This is terrible.  And all the comments here are on target.  Communication from BIPS is terrible. 

First priority is getting the BTC back. 

BIPS has no future unless the BTC come back so there is no point working 24/7 to re-establish anything else.

[allincoin]

Agreed with all the comments just made...

[ghengis34]

I think I lost more than anyone else -- 90 BTC.

Anyone else who lost a significant amount, please sign up here:

https://docs.google.com/forms/d/1v8AL3scMErzSLPRSOhGuGXn9pzHjWNTrSE2YWEQIpxs/viewform

If there are enough of us, it will be a negotiating block, to try to settle this on fair terms for everyone.

On one side, bitcoin is the wild west, and I really doubt this was intentional on the part of bips.me -- just probably overconfidence to run a wallet service without proper security.

But on the other side, I don't think anyone will be happy if bips.me continues on as a viable business without some kind of compensation for (former) wallet holders.

It's really important that - unless you have very good evidence - that nobody make wild accusations about fraud or internal theft or anything like that. If you do that, you will open yourself up to a lawsuit from bips.me for libel. (At least that's how it would work in the USA.) And it's just not fair or ethical to accuse anyone of something for which you have no evidence.

I do however think it's reasonable, fair, and legal for the affected individuals to get together and try to negotiate as a group for some kind of compensation.

Also -- I did finally hear back from the help desk, who asked for my phone number. But nothing concrete. My guess is that basically everything was stolen they are scrambling to see if they can come up with some kind of compensation package. But that's just a guess and I could be proven wrong.

[Dadio202]

Hi ghengis. I have signed up to your form. Your comments are spot on. Glad to hear you at least heard back from them, hope i do as well. I lost 4.8 btc and also sent them £500 to purchase more. They didn't use the £s so I presume they still have them, hope their bank wasn't compromised as well.

[Sztef89]

I lost about 0.9 BTC

[btcven]

Who the hell puts 90 BTC in a web wallet? I had ~0.13 BTC there and I'm waiting to get it back as I think BIPS is a little bit trustworthy. But I can also learn to finally switch out from web wallets, get an Android and install Electrum on it instead of using web wallet even for cents.