Bitcoin Forum
December 06, 2016, 04:09:29 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: Dwolla Fraud - How it happened  (Read 7325 times)
CryptoCommodity
Member
**
Offline Offline

Activity: 80


View Profile
July 29, 2011, 05:27:22 PM
 #1

I have been on the fence as to if this should be posted or not.  Normally I think information like this should be kept from public view but being that it looks like the security hole is still open even after the Tradehill incident so Dwolla may need to be pushed to make their service more secure.  In the interim I would suggest that no one use Dwolla.

Tradehill has stated that Dwolla got defrauded by a "known scammer" and posted the persons name on their blog.  It is highly unlikely that the person whose name they posted was involved in the fraud at all.  In fact that person was probably a victim of identity theft where the perpetrator exploited a weakness in the Dwolla bank account verification process that makes it easy to verify a bank account that you don't actually have access to.

Here is how the fraud likely works

1. Perp has knowledge of Victims bank account information off of a paper check
2. Perp creates a Dwolla account in Victims name
3. Perp adds Victims bank account to the Dwolla account
4. Perp correctly guesses the two $.12 or less deposits that were made to the Victims bank account
5. Victims bank account is now linked to the Dwolla account.  Perp initiates a transfer from Victims bank account to Dwolla
6. Perp transfers from Dwolla to Bitcoin exchange of their choice
7. Perp buys Bitcoins and immediately removes them from account at chosen exchange
8. Victim notices money missing from bank account and has the unauthorized ACH reversed

The ability to execute this fraud is wholly dependent on the ability to randomly guess the verification deposits that Dwolla makes into a persons bank account with no regard to failed attempts.  The people who's bank accounts are getting linked to a Dwolla account in their name probably have no idea what Dwolla is. Seeing a deposit like "ACH Electronic Credit Jul 01 05:15 Dwolla Dwolla    $ 0.02" is going to go unnoticed by the victim most of the time.  It is not until money starts leaving the account that anything would be reported.

The reason the ACH transactions are being reversed is because Dwolla doesn't do enough to verify the customer and/or the transaction.  The good thing for Tradehill and other companies who are now having credited transactions reversed is that this liability is almost certainly 100% Dwolla's.

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481040569
Hero Member
*
Offline Offline

Posts: 1481040569

View Profile Personal Message (Offline)

Ignore
1481040569
Reply with quote  #2

1481040569
Report to moderator
1481040569
Hero Member
*
Offline Offline

Posts: 1481040569

View Profile Personal Message (Offline)

Ignore
1481040569
Reply with quote  #2

1481040569
Report to moderator
1481040569
Hero Member
*
Offline Offline

Posts: 1481040569

View Profile Personal Message (Offline)

Ignore
1481040569
Reply with quote  #2

1481040569
Report to moderator
Jr00t
Newbie
*
Offline Offline

Activity: 27


View Profile
July 29, 2011, 05:32:05 PM
 #2

In my opinion, dwolla has had long enough to address this issue and your post is absolutely necessary at this point.  thank you.
joulesbeef
Sr. Member
****
Offline Offline

Activity: 476


moOo


View Profile
July 29, 2011, 05:34:21 PM
 #3

hmmm I find it highly unlikely that dwolla would give you too many chances to guess the two under 12 cent numbers(which is how paypal does it and they dont seem to have the dwolla problem)

How about, perp gets POS bank account using fake id.. perp then knows the deposits...

I just dont see dwolla let you guess more than twice.... NOW I AM ASSUMING.. I DONT KNOW FOR SURE.. i just dont think this is how it went down.

mooo for rent
bitplane
Sr. Member
****
Offline Offline

Activity: 321

Firstbits: 1gyzhw


View Profile WWW
July 29, 2011, 05:40:42 PM
 #4

12*12 / two attempts = 72.

So potentially, for every 72 bank accounts you have access to, you can steal from Dwolla?
Jr00t
Newbie
*
Offline Offline

Activity: 27


View Profile
July 29, 2011, 05:41:41 PM
 #5

even if dwolla lets you guess only twice, with enough compromised accounts, eventually you are bound to be able to guess correctly.

But it is possible that the perp did have access to the persons online bank account, or dumpster dove for a statement to confirm, or hacked an email account, etc....

Jr00t
Newbie
*
Offline Offline

Activity: 27


View Profile
July 29, 2011, 05:43:17 PM
 #6

12*12 / two attempts = 72.

So potentially, for every 72 bank accounts you have access to, you can steal from Dwolla?

In the world of fraud and with a big enough list of bank accounts, those odds aren't that bad.....
CryptoCommodity
Member
**
Offline Offline

Activity: 80


View Profile
July 29, 2011, 05:43:35 PM
 #7

I am 99% sure I am correct.  I know that they allowed multiple guesses and know there were people verifying their own bank accounts by guessing the deposits so they could shorten the time period required to obtain BTC.
phillipsjk
Legendary
*
Offline Offline

Activity: 1008

Let the chips fall where they may.


View Profile WWW
July 29, 2011, 05:46:44 PM
 #8

Are $0.00 deposits allowed? The search space may be 11*11=121 ..So you only need to comprise 60.5 accounts (on average) Edit: Nevemind: "$0.12 or less" includes $.12.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
July 29, 2011, 05:49:23 PM
 #9

I am 99% sure I am correct.  I know that they allowed multiple guesses and know there were people verifying their own bank accounts by guessing the deposits so they could shorten the time period required to obtain BTC.

If that's true... Talk about amateur hour...  Roll Eyes

Are you really sure about that?

CryptoCommodity
Member
**
Offline Offline

Activity: 80


View Profile
July 29, 2011, 06:18:29 PM
 #10

Yes I am sure.  I tested it when verifying my own account.

As far as the possibility that someone had fake ids made, hacked their email and dug through their victims garbage it is very unlikely for no other reason than Occam's razor.
joulesbeef
Sr. Member
****
Offline Offline

Activity: 476


moOo


View Profile
July 29, 2011, 07:00:24 PM
 #11

Quote
It is highly likely that a scammer with access to hundreds of compromised accounts will get a successful hit on some of them and recycle the rest for other purposes.

as to rather.. steal money from these accounts.. they would rather hold onto them for days and go through the dwolla sign up crap?

Dont think dwolla would notice the same IP setting up hundreds of accounts and getting most of the answers wrong? yeah yeah vpns and proxies.. so a different one for every 5 accounts?


maybe you are correct, perhaps they have sloppy security, I just dont see them letting you try 1000 sites and guess 72000 times on bank deposits and failing most of the time.


IT also doesnt fit the claims of tradehill.

Tradehill got confirmations from dwolla that the money was sent to tradehill and only after the confirmation was the payments reversed. Even if everyone whose accounts were hacked for at least a week.. suddenly discovered it right after money started to disappear.. it isnt that easy to reverse those charges. I just dont see it.. it looked like all the charges were reversed zero questions asked.


This smells more of programming hole than social hole to me.,

mooo for rent
Nesetalis
Sr. Member
****
Offline Offline

Activity: 420



View Profile
July 29, 2011, 07:05:05 PM
 #12

Don't forget, if you have access to bank information, you may have stolen the person's password they use when logging in to their bank.. not to mention there are a multitude of VPNs, proxies, and other such things.. so it is almost never going to be from a real ip address.

ZOMG Moo!
nux
Newbie
*
Offline Offline

Activity: 24


View Profile
July 29, 2011, 07:56:46 PM
 #13

In the online fraud community, if you can come across someones SS# along with bank info, you can easily gain access to their online banking and keep an eye on the deposits as well...

This may be turning into an easy way for thieves to get physical access to the money they're stealing.
shotgun
Member
**
Offline Offline

Activity: 98



View Profile
July 29, 2011, 10:36:11 PM
 #14

In the online fraud community, if you can come across someones SS# along with bank info, you can easily gain access to their online banking and keep an eye on the deposits as well...

This may be turning into an easy way for thieves to get physical access to the money they're stealing.

That all depends on the particular bank. You can't call or walk into most banks with a SSN (lacking SSN card and federal issued ID) and get any information unless you have secondary and tertiary identification methods.

<luke-jr> Catholics do not believe in freedom of religion.
HappyFunnyFoo
Full Member
***
Offline Offline

Activity: 125


View Profile
July 30, 2011, 01:01:31 AM
 #15

It's much easier than you guys think.  Just keylog someone who uses online banking and you'll have full access to their account if you use Zeus or a similar rootkit.  You'll be able to simply log in to their online terminal and link their account without any guesses to Dwolla, since you'll be able to see the deposits coming into their account from Dwolla.

The verification process is so weak that really the 5-10% of Americans who don't set up their online banking passwords correctly are vulnerable to being linked and drained.

The silver lining to this bug is it doesn't matter if you have a bank account linked to a Dwolla account or not - victims will be people who receive money from other Dwolla users, and people who have their regular bank account credentials stolen.  If you use Dwolla as a one-way drain to convert money into a bitcoin exchange you'll be safe.
wumpus
Hero Member
*****
Offline Offline

Activity: 798

No Maps for These Territories


View Profile
July 30, 2011, 01:10:01 AM
 #16

There are only 144 possible combinations. It is highly likely that a scammer with access to hundreds of compromised accounts will get a successful hit on some of them and recycle the rest for other purposes.
Or even 72 if the order in which you enter them doesn't matter...

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
99Percent
Full Member
***
Offline Offline

Activity: 179



View Profile
July 30, 2011, 01:33:30 AM
 #17

No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an insecured wifi spot), pretend to check his statement, and then afterwards claim that his account was comprimised to reverse the ACH transaction he himself had initiated.
prolixus
Newbie
*
Offline Offline

Activity: 18


View Profile
July 30, 2011, 02:31:29 AM
 #18

No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an insecured wifi spot), pretend to check his statement, and then afterwards claim that his account was comprimised to reverse the ACH transaction he himself had initiated.

No need for that at all, all the customer has to do is claim that an ACH withdrawal from their account was unauthorized and the bank will reverse it.
elggawf
Sr. Member
****
Offline Offline

Activity: 308



View Profile
July 30, 2011, 02:48:08 AM
 #19

No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an insecured wifi spot), pretend to check his statement, and then afterwards claim that his account was comprimised to reverse the ACH transaction he himself had initiated.

Psst. Changing the MAC doesn't help make you more anonymous. Once you go past the first router they can't see your MAC anyway, unless the protocol sends it itself (ie, some consoles/games/etc) and HTTP doesn't do that.

^_^
ctoon6
Sr. Member
****
Offline Offline

Activity: 350



View Profile
July 30, 2011, 04:29:56 AM
 #20

No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an insecured wifi spot), pretend to check his statement, and then afterwards claim that his account was comprimised to reverse the ACH transaction he himself had initiated.

Psst. Changing the MAC doesn't help make you more anonymous. Once you go past the first router they can't see your MAC anyway, unless the protocol sends it itself (ie, some consoles/games/etc) and HTTP doesn't do that.

I dont know how much data a router logs, but they might log the mac of all connected devices. so if they see that a specific ip was used in an attack, they simply go to the wifi hot spot and take their router and look up the logs.

even then, going back with a mac address to find the owner would be very difficult. so just buy a cheap laptop at a pawn shop with cash from change and you should be safe.

Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!