Bitcoin is a magnet for hackers and crooks

[RSantana]

I know various forms of this topic and have been discussed at length, but I thought it would be beneficial to hear another first hand account. After looking through 256 recent SQL injection attempts at my site I thought I'd share my experience thus far as a new bitcoin etailer.

I've been running various online retail websites for over 10 years. As many of you know, I recently started CoinedBits.com. I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Thanks for listening.

[1714029915]

1714029915

[1714029915]

1714029915

[1714029915]

1714029915

[wumpus]

Everyone, from crappy forums to e-tailer sites, gets SQL injection attempts, SSH scans, portscans, and other exploit testing crap... this has nothing to do with bitcoin.  A lot of it is automated, even.

If you don't protect your site well enough, you're screwed in this day and age. No matter what forms of payment that you accept.

[RSantana]

Everyone, from crappy forums to e-tailer sites, gets SQL injection attempts, SSH scans, portscans, and other exploit testing crap... this has nothing to do with bitcoin.  A lot of it is automated, even.

If you don't protect your site well enough, you're screwed in this day and age. No matter what forms of payment that you accept.

Yes, good point, it happens to everyone. My point is that the attacks seem to be much more frequent with bitcoin services. Can any other merchants back up my theory?

[payb.tc]

My point is that the attacks seem to be much more frequent with bitcoin services.

i would have guessed that to be true simply because bitcoin enthusiasts were already technically-minded (possibly 'hackers') before bitcoin even was invented.

if you invent a new soft fluffy toy and build a new community of soft fluffy toy lovers, you're probably going to get a different type of fan base and a far lower level of SQL injection attempts or other technical hacks perpetrated against merchants

[JoelKatz]

What possible difference could the frequency of hack attempts make? Do you investigate every attempt?

[djex]

I'd say the thing that attracts the attackers to bitcoin sites is that its easy to get what their looking for (money). If they were to attack a bank for example they would face all sorts of variables that would cause them more work not to get caught. For example, first finding a hole, then getting in, then making sure you clear logs and are not caught. With many bitcoin sites they are not highly protected due to the fact they are coded by your average programmer that isn't a security specialist. Often many attack vectors are left wide open and it's only a matter of time that they get exploited. Also there is the concept of bitcoin it self. Once the attacker gets in or finds a way to exploit a vulnerability its easy to send the bitcoins to an anonymous address that is likely not going to be traced. With a bank on the other hand routing money in a way not to get caught isn't so easy.

In short bitcoins are easy to steal because 1. There 100% digital 2. There anonymous (to a point to discourage someone from tracing the transfers) 3. Bitcoins are new and the security knowledge of its supports is just beginning to catch up.

In time it will get better. It's like anything new really, to become stronger and better the weaknesses have to be found and exploited first.

[NothinG]

Because bitcoin is new, there are many reasons why people are trying to exploit it.
I wouldn't go around testing exploits on a sites that's been around for ~10-15 years (although PayPal did have a few exploits on the non-US site).

[the founder]

Yes, good point, it happens to everyone. My point is that the attacks seem to be much more frequent with bitcoin services. Can any other merchants back up my theory?

I can confirm that...  every bitcoin related site that we have is subjected to a much higher rate of hacking attempts.  

You can tell just from basic discussion on the forum...  it's always in this order as well... 

1 - security
2 - how it works
3 - security
4 - ease of use
5 - security

Everyone is worried about security...    and rightfully so.

look at the nature of bitcoins,  the average truck driver has no idea what they are...   only a small percentage of the average guys on the street know what they are...  only a small percentage of even programmers that work for ecommerce sites, etc know what they are....  but every self taught hacker on earth knows what they are...

 

[nmat]

You can tell just from basic discussion on the forum...  it's always in this order as well... 

1 - security
2 - how it works
3 - security
4 - ease of use
5 - security

It's more like:

1 - OpenSource?
     No: Scam/Vírus/Trojan. I will never download it.
     Yes: Let me check the code and I will tell you.

2 - Got reputation on the forum?
      No: Nobody will use your service.
      Yes: Let's wait for feedback from someone respectable

3 - How do you save user's passwords? No salt? No HTTPS?! Are you kidding?!
(.....)


People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?

[julz]

People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?

They'll each complain that the other is doing X wrong and it'd be better if the other guy used exactly what we're using..  and they'd all be afraid to do the slightest pragmatic tweak (which doesn't actually affect security much, but might actually let these systems talk to each other) for fear of being called out as insecure by the others.

I'm guessing their systems would be more secure than their egos so no one would back down to get things to actually work.

Ok - that's the cynical version..

If you can find a bunch of security experts who recognize that all security is a compromise and are able to gauge relative risks well  - maybe they'll even produce something with a user interface that doesn't suck.

(alright.. so it was still a slightly cynical version)

[fennec]

i would have guessed that to be true simply because bitcoin enthusiasts were already technically-minded (possibly 'hackers') before bitcoin even was invented.

I've got to agree with this. A higher proportion of programmers must mean a higher proportion of hackers, all other things being equal.

Also, have you considered the high volume of attacks might be due to an Internet-wide increase in the volume of automated attacks (I have no idea if this is the case; just speculating).

[Tasty Champa]

mine bitcoins, buy bitcoins or steal bitcoins.

we have a place for 2 of the options but this forum is lacking on the third most popular way of obtaining bitcoins.

[the founder]

It's more like:

1 - OpenSource?
     No: Scam/Vírus/Trojan. I will never download it.
     Yes: Let me check the code and I will tell you.

2 - Got reputation on the forum?
      No: Nobody will use your service.
      Yes: Let's wait for feedback from someone respectable

3 - How do you save user's passwords? No salt? No HTTPS?! Are you kidding?!
(.....)


People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?

Perhaps the best way to phrase it is that it's 1994 ... and you're opening an eCommerce store...    I don't know how many of you guys were around during the 1990's dot com boom times...  and the early 2000's crash times..   but honestly there were some things that people tend to forget.

At one point Ebay banned Paypal.  

literally a business decision was made to lock paypal out of Ebay,  ebay looked at paypal and realized that at the current growth rate of paypal ebay would not be able to fuction without it.  So they banned it hoping someone else would show up.   they citied security concerns and that "some company is stealling usernames and passwords'   literally that is what they used as an excuse.

 eventually within a few weeks ebay unbanned paypal then subsequently bought them realizing that they couldn't grow without it.

The point is that yes a security concern is a MAJOR issue,  but at the same time, there's a bunch of reading between the lines going on.   Because from time to time I get these crazy "suggestions"  and in reality I find out the guy works for "bitcoin startup A or bitcoin startup B"  those suggestions may on the face look good.. but in reality aren't.

Example,  I got a PM that stated I needed to make the minimum password length 20 characters for 'security reasons' ...  now I am all for allowing 20 characters.. but minimum length 20?

I find out the suggestion came from a guy that worked at one the exchanges that is now considering an ewallet ...   hence my suspicion that perhaps it wasn't so sincere.  

20 character minimums would lock grandma out of every using the system.

[payb.tc]

steal bitcoins.

1. set up llc in nevis
2. build community trust for your new wallet service over a period of many months
3. disappear

[the founder]

steal bitcoins.

1. set up llc in nevis
2. build community trust for your new wallet service over a period of many months
3. disappear

I honestly want to know what happened to that service.   I can't even ping the domain anymore.   I suspect something bad happened... and instead of owning up to it he just vanished.

[foggyb]

I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

Not to diminish that better security is needed, but I'd like to point out that increased hacker/scammer interest is further affirmation of the bitcoin's high relevance and worth in today's world. In light of this, investors and retail startups should feel confident about moving a lot of funds towards beefing up bitcoin security for merchants and customers alike.

[airdata]

Not to diminish that better security is needed, but I'd like to point out that increased hacker/scammer interest is further affirmation of the bitcoin's high relevance and worth in today's world. In light of this, investors and retail startups should feel confident about moving a lot of funds towards beefing up bitcoin security for merchants and customers alike.
[/quote]

Hacking / Scamming has held bitcoin down and stunted it's growth.

Scamming bitcoins could be cool and all... but not when your activities drive their prices from 25-30 each to 13-14 each.

[elggawf]

I can confirm that...  every bitcoin related site that we have is subjected to a much higher rate of hacking attempts.

It's simply the nature of the beast... the pseudonymous and irreversible nature of Bitcoin simply means that there's a more attractive apple on the other side of the wall. Instead of hacking a site and using it to phish, or robbing bank accounts that can be reversed, or stealing credit card data which you can card physical goods at high risks...

... if you steal BTC, the victim stands almost no chance at getting it back and there's a pretty good chance you'll get away scot free.

Everyone who has half a working brain and was looking at starting up a Bitcoin-related business should realize this going in - the reward is much sweeter so people are going to try harder and therefore security has to be a higher priority.

That said I wouldn't panic at every scan, because that too is just the nature... of being on the internet. This isn't the 90s anymore, you'll go hoarse if you scream on IRC every time someone port-scans you.

[kjj]

My main email address has been out there in the public eye for close to a dozen years now.  It has been posted on forums, websites, mailing lists, and even, God help me, USENET.

The throwaway address that leaked out of mtgox gets VASTLY more spam.

[Vladimir]

Bitcoin is a magnet for hackers and crooks

So is cash. Does it come as a surprise?