Bitcoin Forum
December 08, 2016, 10:16:53 PM *
Author Topic: Bitcoin is a magnet for hackers and crooks  (Read 7218 times)
RSantana
Member
**
Offline Offline

Activity: 104


CoinedBits.com


View Profile WWW
August 01, 2011, 06:43:38 AM
 #1

I know various forms of this topic have been discussed at length, but I thought it would be beneficial to hear another first hand account. After looking through 256 recent SQL injection attempts at my site I thought I'd share my experience thus far as a new bitcoin etailer.

I've been running various online retail websites for over 10 years. As many of you know, I recently started CoinedBits.com. I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Thanks for listening.

Check out the first physical bitcoin at http://CoinedBits.com
wumpus
Hero Member
*****
Offline Offline

Activity: 798

No Maps for These Territories


View Profile
August 01, 2011, 06:47:06 AM
 #2

Everyone, from crappy forums to e-tailer sites, gets SQL injection attempts, SSH scans, portscans, and other exploit testing crap... this has nothing to do with bitcoin.  A lot of it is automated, even.

If you don't protect your site well enough, you're screwed in this day and age. No matter what forms of payment that you accept.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
RSantana
Member
**
Offline Offline

Activity: 104


CoinedBits.com


View Profile WWW
August 01, 2011, 06:52:52 AM
 #3

Quote
Everyone, from crappy forums to e-tailer sites, gets SQL injection attempts, SSH scans, portscans, and other exploit testing crap... this has nothing to do with bitcoin.  A lot of it is automated, even.

If you don't protect your site well enough, you're screwed in this day and age. No matter what forms of payment that you accept.

Yes, good point, it happens to everyone. My point is that the attacks seem to be much more frequent with bitcoin services. Can any other merchants back up my theory?

Check out the first physical bitcoin at http://CoinedBits.com
payb.tc
Hero Member
*****
Offline Offline

Activity: 812



View Profile
August 01, 2011, 07:15:40 AM
 #4

Quote
My point is that the attacks seem to be much more frequent with bitcoin services.

i would have guessed that to be true simply because bitcoin enthusiasts were already technically-minded (possibly 'hackers') before bitcoin even was invented.

if you invent a new soft fluffy toy and build a new community of soft fluffy toy lovers, you're probably going to get a different type of fan base and a far lower level of SQL injection attempts or other technical hacks perpetrated against merchants
JoelKatz
Legendary
*
Offline Offline

Activity: 1386


Democracy is vulnerable to a 51% attack.


View Profile WWW
August 01, 2011, 07:19:32 AM
 #5

What possible difference could the frequency of hack attempts make? Do you investigate every attempt?

I am an employee of Ripple.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
djex
Full Member
***
Offline Offline

Activity: 196


View Profile
August 01, 2011, 07:26:37 AM
 #6

I'd say the thing that attracts the attackers to bitcoin sites is that it's easy to get what they're looking for (money). If they were to attack a bank for example they would face all sorts of variables that would cause them more work not to get caught. For example, first finding a hole, then getting in, then making sure you clear logs and are not caught. With many bitcoin sites they are not highly protected due to the fact they are coded by your average programmer that isn't a security specialist. Often many attack vectors are left wide open and it's only a matter of time that they get exploited. Also there is the concept of bitcoin itself. Once the attacker gets in or finds a way to exploit a vulnerability it's easy to send the bitcoins to an anonymous address that is likely not going to be traced. With a bank on the other hand routing money in a way not to get caught isn't so easy.

In short bitcoins are easy to steal because 1. They're 100% digital 2. They're anonymous (to a point to discourage someone from tracing the transfers) 3. Bitcoins are new and the security knowledge of its supporters is just beginning to catch up.

In time it will get better. It's like anything new really, to become stronger and better the weaknesses have to be found and exploited first.

Smiley  : 1LbvSEJwtQZKLSQQVYxQJes8YneQk2yhE3
NothinG
Hero Member
*****
Offline Offline

Activity: 560



View Profile
August 01, 2011, 07:32:53 AM
 #7

Because bitcoin is new, there are many reasons why people are trying to exploit it.
I wouldn't go around testing exploits on a site that's been around for ~10-15 years (although PayPal did have a few exploits on the non-US site).

the founder
Sr. Member
****
Offline Offline

Activity: 448


Bitcoin


View Profile WWW
August 01, 2011, 02:21:52 PM
 #8

Quote
Yes, good point, it happens to everyone. My point is that the attacks seem to be much more frequent with bitcoin services. Can any other merchants back up my theory?

I can confirm that...  every bitcoin related site that we have is subjected to a much higher rate of hacking attempts.  

You can tell just from basic discussion on the forum...  it's always in this order as well... 

1 - security
2 - how it works
3 - security
4 - ease of use
5 - security

Everyone is worried about security...    and rightfully so.

look at the nature of bitcoins,  the average truck driver has no idea what they are...   only a small percentage of the average guys on the street know what they are...  only a small percentage of even programmers that work for ecommerce sites, etc know what they are....  but every self taught hacker on earth knows what they are...

 

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
nmat
Hero Member
*****
Offline Offline

Activity: 602


View Profile
August 01, 2011, 02:38:57 PM
 #9

Quote
You can tell just from basic discussion on the forum...  it's always in this order as well... 

1 - security
2 - how it works
3 - security
4 - ease of use
5 - security

It's more like:

1 - OpenSource?
     No: Scam/Virus/Trojan. I will never download it.
     Yes: Let me check the code and I will tell you.

2 - Got reputation on the forum?
      No: Nobody will use your service.
      Yes: Let's wait for feedback from someone respectable

3 - How do you save user's passwords? No salt? No HTTPS?! Are you kidding?!
(.....)


People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?
julz
Legendary
*
Offline Offline

Activity: 1092



View Profile
August 01, 2011, 02:51:08 PM
 #10

Quote
People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?

They'll each complain that the other is doing X wrong and it'd be better if the other guy used exactly what we're using..  and they'd all be afraid to do the slightest pragmatic tweak (which doesn't actually affect security much, but might actually let these systems talk to each other) for fear of being called out as insecure by the others.

I'm guessing their systems would be more secure than their egos so no one would back down to get things to actually work.

Ok - that's the cynical version..

If you can find a bunch of security experts who recognize that all security is a compromise and are able to gauge relative risks well  - maybe they'll even produce something with a user interface that doesn't suck.

(alright.. so it was still a slightly cynical version)


@electricwings   BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
fennec
Member
**
Offline Offline

Activity: 76



View Profile WWW
August 01, 2011, 02:53:36 PM
 #11

Quote
i would have guessed that to be true simply because bitcoin enthusiasts were already technically-minded (possibly 'hackers') before bitcoin even was invented.

I've got to agree with this. A higher proportion of programmers must mean a higher proportion of hackers, all other things being equal.

Also, have you considered the high volume of attacks might be due to an Internet-wide increase in the volume of automated attacks (I have no idea if this is the case; just speculating).

Preev – simple Bitcoin converter with live exchange rates
Tasty Champa
Member
**
Offline Offline

Activity: 84


View Profile
August 01, 2011, 02:56:46 PM
 #12

mine bitcoins, buy bitcoins or steal bitcoins.

we have a place for 2 of the options but this forum is lacking on the third most popular way of obtaining bitcoins.
the founder
Sr. Member
****
Offline Offline

Activity: 448


Bitcoin


View Profile WWW
August 01, 2011, 03:00:44 PM
 #13

Quote
It's more like:

1 - OpenSource?
     No: Scam/Virus/Trojan. I will never download it.
     Yes: Let me check the code and I will tell you.

2 - Got reputation on the forum?
      No: Nobody will use your service.
      Yes: Let's wait for feedback from someone respectable

3 - How do you save user's passwords? No salt? No HTTPS?! Are you kidding?!
(.....)


People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?


Perhaps the best way to phrase it is that it's 1994 ... and you're opening an eCommerce store...    I don't know how many of you guys were around during the 1990's dot com boom times...  and the early 2000's crash times..   but honestly there were some things that people tend to forget.

At one point Ebay banned Paypal.  

literally a business decision was made to lock paypal out of Ebay,  ebay looked at paypal and realized that at the current growth rate of paypal ebay would not be able to function without it.  So they banned it hoping someone else would show up.   they cited security concerns and that "some company is stealing usernames and passwords"   literally that is what they used as an excuse.

 eventually within a few weeks ebay unbanned paypal then subsequently bought them realizing that they couldn't grow without it.

The point is that yes a security concern is a MAJOR issue,  but at the same time, there's a bunch of reading between the lines going on.   Because from time to time I get these crazy "suggestions"  and in reality I find out the guy works for "bitcoin startup A or bitcoin startup B"  those suggestions may on the face look good.. but in reality aren't.

Example,  I got a PM that stated I needed to make the minimum password length 20 characters for 'security reasons' ...  now I am all for allowing 20 characters.. but minimum length 20?

I find out the suggestion came from a guy that worked at one of the exchanges that is now considering an ewallet ...   hence my suspicion that perhaps it wasn't so sincere.  

20 character minimums would lock grandma out of ever using the system.

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
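The password questions in nmat's checklist earlier in the thread (#9: "How do you save user's passwords? No salt?") and the minimum-length argument in this post come down to the same two server-side controls: a length policy ordinary users can live with, and a salted, deliberately slow hash so that a stolen database does not hand over the passwords. The following is an added example, not code from this thread or from any site mentioned in it; the MIN_LEN/MAX_LEN thresholds and the PBKDF2 iteration count are illustrative choices, not values from the page.

```python
"""Salted, slow password hashing next to the unsalted scheme nmat objects to,
plus a length-only policy.  Added example; thresholds and work factor are
illustrative assumptions, not values taken from the thread.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

MIN_LEN = 8        # illustrative: resists trivial guessing without locking out ordinary users
MAX_LEN = 128      # illustrative cap so a huge input cannot be used to burn server CPU
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; illustrative, tune to your hardware
SCHEME = "pbkdf2_sha256"


def check_policy(password: str) -> Tuple[bool, str]:
    """Length-only policy: returns (accepted, reason)."""
    if len(password) < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    if len(password) > MAX_LEN:
        return False, "longer than %d characters" % MAX_LEN
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scheme$iterations$salt$digest' using a fresh 16-byte random salt.

    The per-user salt is what makes two users with the same password store
    different digests, so a precomputed table cannot crack everyone at once.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        SCHEME,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(digest, expected)


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt, identical output for every user
    with the same password.  Shown only for contrast with hash_password()."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def register(password: str) -> Optional[str]:
    """Apply the policy, then hash; None means the password was rejected."""
    ok, _reason = check_policy(password)
    if not ok:
        return None
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample credentials, not real user data.
    stored = register("correct horse battery")
    print("stored record:", stored)
    print("login with right password:", verify_password("correct horse battery", stored))
    print("login with wrong password:", verify_password("correct horse batter", stored))
    print("policy on a 5-char password:", check_policy("short"))
    print("unsalted: same input, same digest for every user:",
          unsalted_sha256("hunter22") == unsalted_sha256("hunter22"))
```

The policy deliberately contains no composition rules and no extreme minimum: an 8-character floor with a slow, salted hash behind it protects the stored credential far better than a 20-character floor over an unsalted SHA-256, and it does not lock the grandma of this post out of the system. The 128-character cap is there because PBKDF2 cost scales with input length and an unbounded field invites CPU abuse.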
payb.tc
Hero Member
*****
Offline Offline

Activity: 812



View Profile
August 01, 2011, 03:02:41 PM
 #14

Quote
steal bitcoins.

1. set up llc in nevis
2. build community trust for your new wallet service over a period of many months
3. disappear
the founder
Sr. Member
****
Offline Offline

Activity: 448


Bitcoin


View Profile WWW
August 01, 2011, 03:04:22 PM
 #15

Quote
steal bitcoins.

1. set up llc in nevis
2. build community trust for your new wallet service over a period of many months
3. disappear


I honestly want to know what happened to that service.   I can't even ping the domain anymore.   I suspect something bad happened... and instead of owning up to it he just vanished.




Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
foggyb
Legendary
*
Offline Offline

Activity: 1302


View Profile
August 01, 2011, 03:18:59 PM
 #16


Quote
I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.



Not to diminish that better security is needed, but I'd like to point out that increased hacker/scammer interest is further affirmation of the bitcoin's high relevance and worth in today's world. In light of this, investors and retail startups should feel confident about moving a lot of funds towards beefing up bitcoin security for merchants and customers alike.
airdata
Sr. Member
****
Offline Offline

Activity: 406


View Profile
August 01, 2011, 03:24:49 PM
 #17




Quote
Not to diminish that better security is needed, but I'd like to point out that increased hacker/scammer interest is further affirmation of the bitcoin's high relevance and worth in today's world. In light of this, investors and retail startups should feel confident about moving a lot of funds towards beefing up bitcoin security for merchants and customers alike.

Hacking / Scamming has held bitcoin down and stunted its growth.

Scamming bitcoins could be cool and all... but not when your activities drive their prices from 25-30 each to 13-14 each.
elggawf
Sr. Member
****
Offline Offline

Activity: 308



View Profile
August 01, 2011, 03:51:49 PM
 #18

Quote
I can confirm that...  every bitcoin related site that we have is subjected to a much higher rate of hacking attempts.

It's simply the nature of the beast... the pseudonymous and irreversible nature of Bitcoin simply means that there's a more attractive apple on the other side of the wall. Instead of hacking a site and using it to phish, or robbing bank accounts that can be reversed, or stealing credit card data which you can card physical goods at high risks...

... if you steal BTC, the victim stands almost no chance at getting it back and there's a pretty good chance you'll get away scot free.

Everyone who has half a working brain and was looking at starting up a Bitcoin-related business should realize this going in - the reward is much sweeter so people are going to try harder and therefore security has to be a higher priority.

That said I wouldn't panic at every scan, because that too is just the nature... of being on the internet. This isn't the 90s anymore, you'll go hoarse if you scream on IRC every time someone port-scans you.

^_^
kjj
Legendary
*
Offline Offline

Activity: 1302



View Profile
August 01, 2011, 06:43:15 PM
 #19

My main email address has been out there in the public eye for close to a dozen years now.  It has been posted on forums, websites, mailing lists, and even, God help me, USENET.

The throwaway address that leaked out of mtgox gets VASTLY more spam.


p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
Vladimir
Hero Member
*****
Offline Offline

Activity: 812


-


View Profile
August 01, 2011, 07:29:13 PM
 #20

Quote
Bitcoin is a magnet for hackers and crooks

So is cash. Does it come as a surprise?

-