Bitcoin Forum
Author Topic: Dwolla Fraud - How it happened  (Read 7959 times)
CryptoCommodity (OP) | Member | Activity: 80 | Merit: 10
July 29, 2011, 05:27:22 PM | #1
Last edit: July 29, 2011, 06:47:04 PM by CryptoCommodity

I have been on the fence as to whether this should be posted or not.  Normally I think information like this should be kept from public view, but being that it looks like the security hole is still open even after the Tradehill incident, Dwolla may need to be pushed to make their service more secure.  In the interim I would suggest that no one use Dwolla.

Tradehill has stated that Dwolla got defrauded by a "known scammer" and posted the person's name on their blog.  It is highly unlikely that the person whose name they posted was involved in the fraud at all.  In fact that person was probably a victim of identity theft where the perpetrator exploited a weakness in the Dwolla bank account verification process that makes it easy to verify a bank account that you don't actually have access to.

Here is how the fraud likely works:

1. Perp has knowledge of Victim's bank account information off of a paper check
2. Perp creates a Dwolla account in Victim's name
3. Perp adds Victim's bank account to the Dwolla account
4. Perp correctly guesses the two $.12 or less deposits that were made to the Victim's bank account
5. Victim's bank account is now linked to the Dwolla account.  Perp initiates a transfer from Victim's bank account to Dwolla
6. Perp transfers from Dwolla to Bitcoin exchange of their choice
7. Perp buys Bitcoins and immediately removes them from account at chosen exchange
8. Victim notices money missing from bank account and has the unauthorized ACH reversed

The ability to execute this fraud is wholly dependent on the ability to randomly guess the verification deposits that Dwolla makes into a person's bank account with no regard to failed attempts.  The people whose bank accounts are getting linked to a Dwolla account in their name probably have no idea what Dwolla is. Seeing a deposit like "ACH Electronic Credit Jul 01 05:15 Dwolla Dwolla    $ 0.02" is going to go unnoticed by the victim most of the time.  It is not until money starts leaving the account that anything would be reported.

The reason the ACH transactions are being reversed is because Dwolla doesn't do enough to verify the customer and/or the transaction.  The good thing for Tradehill and other companies who are now having credited transactions reversed is that this liability is almost certainly 100% Dwolla's.
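The weakness the post describes comes down to a single missing control: micro-deposit verification with no limit on wrong guesses. The following is an added example (not Dwolla's code, and not from anyone in this thread) of what the control looks like when it is present: a link request with two random cent amounts, a hard cap on attempts after which the deposits are treated as burned, and a helper that turns the attempt budget into the "accounts needed per successful link" arithmetic the thread discusses (144 ordered pairs, so 72 accounts per hit with two attempts and 1 with unlimited attempts). The two-attempt limit and the status strings are assumptions chosen for the example.

```python
# Added example, not Dwolla's code: micro-deposit bank-link verification with
# an attempt limit, plus the arithmetic behind "12*12 / two attempts = 72".
import secrets
from dataclasses import dataclass
from typing import Callable

MAX_CENTS = 12                  # each deposit is $0.01..$0.12, as described in the thread
MAX_ATTEMPTS = 2                # assumed policy: two wrong guesses lock the request
SEARCH_SPACE = MAX_CENTS ** 2   # 144 ordered (first, second) amount pairs


@dataclass
class LinkRequest:
    """One pending request to link a bank account; amounts are in cents."""
    deposits: tuple
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def issue_deposits(randbelow: Callable[[int], int] = secrets.randbelow) -> LinkRequest:
    """Pick the two verification amounts with a CSPRNG (injectable for tests)."""
    first = randbelow(MAX_CENTS) + 1
    second = randbelow(MAX_CENTS) + 1
    return LinkRequest(deposits=(first, second))


def attempt_verify(req: LinkRequest, guess: tuple) -> str:
    """Check one guess; returns 'verified', 'retry', 'locked' or 'already_verified'.

    The control the thread says was missing: once MAX_ATTEMPTS guesses have failed,
    the request is locked and the deposits are burned. Linking that account again
    needs fresh deposits and a manual review, not more guesses against the old ones.
    """
    if req.locked:
        return "locked"
    if req.verified:
        return "already_verified"
    req.attempts += 1
    if tuple(guess) == req.deposits:      # order matters, so 144 possibilities
        req.verified = True
        return "verified"
    if req.attempts >= MAX_ATTEMPTS:
        req.locked = True
        return "locked"
    return "retry"


def guess_success_probability(allowed_attempts: int) -> float:
    """Chance that someone who cannot see the statement links the account,
    given a per-request attempt budget of distinct guesses."""
    return min(allowed_attempts, SEARCH_SPACE) / SEARCH_SPACE


def accounts_needed_per_success(allowed_attempts: int) -> float:
    """Expected stolen account numbers per one successful link:
    144 / 2 = 72 with two attempts, 1 with an unlimited budget."""
    return SEARCH_SPACE / min(allowed_attempts, SEARCH_SPACE)


if __name__ == "__main__":
    req = issue_deposits()
    print("first wrong guess  ->", attempt_verify(req, (0, 0)))            # retry
    print("second wrong guess ->", attempt_verify(req, (0, 0)))            # locked
    print("correct guess after lock ->", attempt_verify(req, req.deposits))  # still locked
    for budget in (1, 2, 10, SEARCH_SPACE):
        print(f"{budget:>3} attempts: one link per "
              f"{accounts_needed_per_success(budget):.0f} compromised accounts")
```

The point of `accounts_needed_per_success` is the policy comparison: with the cap in place the fraud scales with the number of stolen account numbers an attacker holds, while without it a single account number is enough, which is the situation the post describes.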

Jr00t | Newbie | Activity: 27 | Merit: 0
July 29, 2011, 05:32:05 PM | #2

In my opinion, dwolla has had long enough to address this issue and your post is absolutely necessary at this point.  thank you.
joulesbeef | Sr. Member | Activity: 476 | Merit: 250
moOo
July 29, 2011, 05:34:21 PM | #3

hmmm I find it highly unlikely that dwolla would give you too many chances to guess the two under-12-cent numbers (which is how paypal does it and they don't seem to have the dwolla problem)

How about, perp gets POS bank account using fake id.. perp then knows the deposits...

I just don't see dwolla letting you guess more than twice.... NOW I AM ASSUMING.. I DON'T KNOW FOR SURE.. i just don't think this is how it went down.

mooo for rent
bitplane | Sr. Member | Activity: 321 | Merit: 250
Firstbits: 1gyzhw
July 29, 2011, 05:40:42 PM | #4

12*12 / two attempts = 72.

So potentially, for every 72 bank accounts you have access to, you can steal from Dwolla?
Jr00t | Newbie | Activity: 27 | Merit: 0
July 29, 2011, 05:41:41 PM | #5

Even if dwolla lets you guess only twice, with enough compromised accounts, eventually you are bound to be able to guess correctly.

But it is possible that the perp did have access to the person's online bank account, or dumpster dove for a statement to confirm, or hacked an email account, etc....

Jr00t | Newbie | Activity: 27 | Merit: 0
July 29, 2011, 05:43:17 PM | #6

Quote from: bitplane
12*12 / two attempts = 72.

So potentially, for every 72 bank accounts you have access to, you can steal from Dwolla?

In the world of fraud and with a big enough list of bank accounts, those odds aren't that bad.....
CryptoCommodity (OP) | Member | Activity: 80 | Merit: 10
July 29, 2011, 05:43:35 PM | #7

I am 99% sure I am correct.  I know that they allowed multiple guesses and know there were people verifying their own bank accounts by guessing the deposits so they could shorten the time period required to obtain BTC.
phillipsjk | Legendary | Activity: 1008 | Merit: 1001
Let the chips fall where they may.
July 29, 2011, 05:46:44 PM | #8

Are $0.00 deposits allowed? The search space may be 11*11=121... So you only need to compromise 60.5 accounts (on average). Edit: Nevermind: "$0.12 or less" includes $.12.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
Raoul Duke | aka psy | Legendary | Activity: 1358 | Merit: 1002
July 29, 2011, 05:49:23 PM | #9

Quote from: CryptoCommodity
I am 99% sure I am correct.  I know that they allowed multiple guesses and know there were people verifying their own bank accounts by guessing the deposits so they could shorten the time period required to obtain BTC.

If that's true... Talk about amateur hour...  Roll Eyes

Are you really sure about that?
CryptoCommodity (OP) | Member | Activity: 80 | Merit: 10
July 29, 2011, 06:18:29 PM | #10

Yes I am sure.  I tested it when verifying my own account.

As far as the possibility that someone had fake IDs made, hacked their email and dug through their victim's garbage, it is very unlikely for no other reason than Occam's razor.
joulesbeef | Sr. Member | Activity: 476 | Merit: 250
moOo
July 29, 2011, 07:00:24 PM | #11

Quote
It is highly likely that a scammer with access to hundreds of compromised accounts will get a successful hit on some of them and recycle the rest for other purposes.

as to rather.. steal money from these accounts.. they would rather hold onto them for days and go through the dwolla sign up crap?

Don't think dwolla would notice the same IP setting up hundreds of accounts and getting most of the answers wrong? yeah yeah vpns and proxies.. so a different one for every 5 accounts?

maybe you are correct, perhaps they have sloppy security, I just don't see them letting you try 1000 sites and guess 72000 times on bank deposits and failing most of the time.

It also doesn't fit the claims of tradehill.

Tradehill got confirmations from dwolla that the money was sent to tradehill and only after the confirmation were the payments reversed. Even if everyone whose accounts were hacked for at least a week.. suddenly discovered it right after money started to disappear.. it isn't that easy to reverse those charges. I just don't see it.. it looked like all the charges were reversed zero questions asked.

This smells more of programming hole than social hole to me.

mooo for rent
Nesetalis | Sr. Member | Activity: 420 | Merit: 250
July 29, 2011, 07:05:05 PM | #12

Don't forget, if you have access to bank information, you may have stolen the person's password they use when logging in to their bank.. not to mention there are a multitude of VPNs, proxies, and other such things.. so it is almost never going to be from a real IP address.

ZOMG Moo!
nux | Newbie | Activity: 24 | Merit: 0
July 29, 2011, 07:56:46 PM | #13

In the online fraud community, if you can come across someone's SS# along with bank info, you can easily gain access to their online banking and keep an eye on the deposits as well...

This may be turning into an easy way for thieves to get physical access to the money they're stealing.
shotgun | Member | Activity: 98 | Merit: 11
July 29, 2011, 10:36:11 PM | #14

Quote from: nux
In the online fraud community, if you can come across someone's SS# along with bank info, you can easily gain access to their online banking and keep an eye on the deposits as well...

This may be turning into an easy way for thieves to get physical access to the money they're stealing.

That all depends on the particular bank. You can't call or walk into most banks with a SSN (lacking SSN card and federal issued ID) and get any information unless you have secondary and tertiary identification methods.

<luke-jr> Catholics do not believe in freedom of religion.
HappyFunnyFoo | Full Member | Activity: 125 | Merit: 100
July 30, 2011, 01:01:31 AM | #15

It's much easier than you guys think.  Just keylog someone who uses online banking and you'll have full access to their account if you use Zeus or a similar rootkit.  You'll be able to simply log in to their online terminal and link their account without any guesses to Dwolla, since you'll be able to see the deposits coming into their account from Dwolla.

The verification process is so weak that really the 5-10% of Americans who don't set up their online banking passwords correctly are vulnerable to being linked and drained.

The silver lining to this bug is it doesn't matter if you have a bank account linked to a Dwolla account or not - victims will be people who receive money from other Dwolla users, and people who have their regular bank account credentials stolen.  If you use Dwolla as a one-way drain to convert money into a bitcoin exchange you'll be safe.
wumpus | Hero Member | Activity: 812 | Merit: 1022
No Maps for These Territories
July 30, 2011, 01:10:01 AM | #16

There are only 144 possible combinations. It is highly likely that a scammer with access to hundreds of compromised accounts will get a successful hit on some of them and recycle the rest for other purposes.
Or even 72 if the order in which you enter them doesn't matter...

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File > Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
99Percent | Full Member | Activity: 402 | Merit: 100
July 30, 2011, 01:33:30 AM | #17

No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an unsecured wifi spot), pretend to check his statement, and then afterwards claim that his account was compromised to reverse the ACH transaction he himself had initiated.

prolixus | Newbie | Activity: 18 | Merit: 0
July 30, 2011, 02:31:29 AM | #18

Quote from: 99Percent
No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an unsecured wifi spot), pretend to check his statement, and then afterwards claim that his account was compromised to reverse the ACH transaction he himself had initiated.

No need for that at all, all the customer has to do is claim that an ACH withdrawal from their account was unauthorized and the bank will reverse it.
elggawf | Sr. Member | Activity: 308 | Merit: 250
July 30, 2011, 02:48:08 AM | #19

Quote from: 99Percent
No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an unsecured wifi spot), pretend to check his statement, and then afterwards claim that his account was compromised to reverse the ACH transaction he himself had initiated.

Psst. Changing the MAC doesn't help make you more anonymous. Once you go past the first router they can't see your MAC anyway, unless the protocol sends it itself (i.e., some consoles/games/etc) and HTTP doesn't do that.

^_^
ctoon6 | Sr. Member | Activity: 350 | Merit: 251
July 30, 2011, 04:29:56 AM | #20

Quote from: 99Percent
No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an unsecured wifi spot), pretend to check his statement, and then afterwards claim that his account was compromised to reverse the ACH transaction he himself had initiated.

Quote from: elggawf
Psst. Changing the MAC doesn't help make you more anonymous. Once you go past the first router they can't see your MAC anyway, unless the protocol sends it itself (i.e., some consoles/games/etc) and HTTP doesn't do that.

I don't know how much data a router logs, but they might log the MAC of all connected devices. so if they see that a specific IP was used in an attack, they simply go to the wifi hot spot and take their router and look up the logs.

even then, going back with a MAC address to find the owner would be very difficult. so just buy a cheap laptop at a pawn shop with cash from change and you should be safe.
