Bitcoin Forum
Author Topic: BIPS Wallet security breach  (Read 11445 times)
Coiner99
Newbie
Activity: 2
Merit: 0
November 27, 2013, 09:31:49 PM
 #81

BIPS sucks big time, I lost 3 bitcoins 2 months back
solesituation
Newbie
Activity: 25
Merit: 0
November 27, 2013, 11:00:30 PM
 #82

Well, this market is still very new, so you must treat the investment you make in BTC as something very risky.
I also owned BTC in my webwallet in BIPS. Sure, I lost it all, but high risk does not come with guarantees and I get that and will continue using the processor services of BIPS, as I find their system easy and cost efficient.

As far as I'm aware Coinbase can do many of these same things and has a full payment API built in, also a better track record thus far as well.

Coinbase are US based. Why would I deal with a US-based company if I am located in Europe?
solesituation
Newbie
Activity: 25
Merit: 0
November 27, 2013, 11:07:33 PM
Last edit: November 27, 2013, 11:18:06 PM by solesituation
 #83

Well, this market is still very new, so you must treat the investment you make in BTC as something very risky.
I also owned BTC in my webwallet in BIPS. Sure, I lost it all, but high risk does not come with guarantees and I get that and will continue using the processor services of BIPS, as I find their system easy and cost efficient.

Why is it that I'm seeing too many newbie/junior accounts commenting similar stuff here?

So, you are saying unless I have a number of posts I cannot post in the thread that is about the company which had my bitcoins and which was a victim of security breach?
Or you prefer to read posts with opinions that you would like to hear?
Obviously your view is very limited on where this problem stands and how big this is.
It is not only you here.
sjoland
Newbie
Activity: 11
Merit: 0
November 28, 2013, 12:26:15 AM
 #84

isn't it supposed to mean a good start?
cooperating with the authorities and start the investigation further
they can't trace the money without a lot of help from higher places

Well, for Kris himself it might be a good idea to prepare his case and defense if some of us decide to try him legally in court for our losses. But for us who lost the bitcoins there's really no point, since the coins are already transferred irreversibly to somebody untraceable in an unknown jurisdiction. Pretty low chances of finding the crooks. Makes a hell of a more reasonable case to try Kris legally and hold him accountable. Both for making this never happen again, and to ruin the BIPS brand, if Kris just continues operations as nothing happened (which looks like he is doing from where I'm sitting)...
allincoin (OP)
Newbie
Activity: 42
Merit: 0
November 28, 2013, 01:14:07 AM
 #85

Do they have something similar to a small claims court in Denmark? Do the members seeking legal action even know if, under Danish law, there is a foot to stand on?
Roobotics
Newbie
Activity: 20
Merit: 0
November 28, 2013, 02:06:24 AM
 #86

Well, this market is still very new, so you must treat the investment you make in BTC as something very risky.
I also owned BTC in my webwallet in BIPS. Sure, I lost it all, but high risk does not come with guarantees and I get that and will continue using the processor services of BIPS, as I find their system easy and cost efficient.

Why is it that I'm seeing too many newbie/junior accounts commenting similar stuff here?

Because BTC is gaining traction and attracting new members. But I suppose I too would question if I saw something similar. A lot of us newbies had to learn the hard way that online wallets like BIPs are vulnerable. I was nearly one of them, bailed out a week before.

If anything though you should be happy to see a surge in growth, it's what makes the value rise. Supply/Demand.
dark_kn1ght
Newbie
Activity: 7
Merit: 0
November 28, 2013, 12:03:46 PM
 #87

isn't it supposed to mean a good start?
cooperating with the authorities and start the investigation further
they can't trace the money without a lot of help from higher places

Well, for Kris himself it might be a good idea to prepare his case and defense if some of us decide to try him legally in court for our losses. But for us who lost the bitcoins there's really no point, since the coins are already transferred irreversibly to somebody untraceable in an unknown jurisdiction. Pretty low chances of finding the crooks. Makes a hell of a more reasonable case to try Kris legally and hold him accountable. Both for making this never happen again, and to ruin the BIPS brand, if Kris just continues operations as nothing happened (which looks like he is doing from where I'm sitting)...

so we are talking scapegoat here?
somebody has to pay for the losses even though they were also the victim, true?

let's put it in more plain words;
We don't give a damn about you Kris! you could rob a bank, hack others, screw anybody you knew just get our money back!!!

nullfrog
Newbie
Activity: 5
Merit: 0
November 28, 2013, 01:52:00 PM
 #88

so we are talking scapegoat here?
somebody has to pay for the losses even though they were also the victim, true?

let's put it in more plain words;
We don't give a damn about you Kris! you could rob a bank, hack others, screw anybody you knew just get our money back!!!

I've only heard "I can't promise anything right now" from Kris, that doesn't exactly give me confidence I'd ever see my money again, nor is it sufficient information about what exactly happened.

I trusted BIPS with a sum that's very significant for me personally and damn right I'm going to hold them accountable if it disappears, not let it slip.

The lack of communication and evidence makes this all seem really shady and it doesn't help there's a bunch of new accounts trying to shush the people who are upset with thousands of dollars vanishing in thin air.

Until I either receive proper evidence of what happened and information on how BIPS is going to handle it with authorities, I'm going to think Kris is a reasonable suspect and look at how to take both legal and social action on this.

"You shouldn't trust a web wallet" isn't a valid excuse to sweep this under the rug. It was entirely reasonable for people to think the service will keep their money safe and it failed to do so. In many countries of the EU, including where I live, ticking a mandatory checkbox in a TOS form can't remove the service provider's liability to keep user data safe, especially when it comes to money.
sjoland
Newbie
Activity: 11
Merit: 0
November 28, 2013, 02:22:41 PM
 #89

so we are talking scapegoat here?
somebody has to pay for the losses even though they were also the victim, true?

let's put it in more plain words;
We don't give a damn about you Kris! you could rob a bank, hack others, screw anybody you knew just get our money back!!!

You are right that this is not about Kris Henriksen personally. He's representing a commercial company that did and still does market themselves with "Your data is secure at BIPS", etc. Obviously this is not a true statement, and some of us found that out in a really bad way, with substantial loss of economic value.

BUT the worst part of this whole stinking story is the lack of communication from BIPS and its CEO, Kris Henriksen. They choose to handle this mess with a strategy that pretty much left us, their affected customers, out in the dark. He himself or through any proxy has not to date had the courtesy to tell me what the status is with my lost balance and if they have any plan on compensating me for any part of the lost coins. I mean, for god's sake, just let us know! And after that, good or bad news, everyone can go ahead in their own way of handling this (legal process or not).

Bit_Joe
Newbie
Activity: 51
Merit: 0
November 28, 2013, 04:53:45 PM
 #90

Perhaps he could offer part of BIPS in the form of shares to the customers who lost Bitcoins in proportion to their lost Bitcoins.

This would be one way to offer compensation (may not ever catch up to the growing value of the actual bitcoins stolen but at least it would be something).

Also it would go a long way in protecting the image and reputation of BIPS.

nullfrog
Newbie
Activity: 5
Merit: 0
November 29, 2013, 08:59:05 AM
 #91

Has anyone heard from BIPS/Kris recently?

Two days since last response, now BIPS site is barely loading. Lots of traffic or perhaps another DDOS?

At this point I'm assuming the money is gone and it'll be quite a fight with BIPS to get it compensated for, but any information would be welcome.
PenAndPaper
Sr. Member
Activity: 252
Merit: 250
November 29, 2013, 10:17:38 AM
 #92

I mean, for god's sake, just let us know! And after that, good or bad news, everyone can go ahead in their own way of handling this (legal process or not).

For all I know after the attack there wasn't even an update or a warning on the front page about what happened.
I don't know if there is one now but it looks to me that someone pretends that nothing happened :P
sjoland
Newbie
Activity: 11
Merit: 0
November 29, 2013, 12:09:58 PM
 #93

Has anyone heard from BIPS/Kris recently?

Two days since last response, now BIPS site is barely loading. Lots of traffic or perhaps another DDOS?

At this point I'm assuming the money is gone and it'll be quite a fight with BIPS to get it compensated for, but any information would be welcome.

Nope, not a single word from Mr. Kris Henriksen or anyone else at BIPS. I'm resending a support ticket and e-mail every day now until someone answers my two simple questions of 1) is the money gone forever, and 2) will BIPS compensate me for any part of the lost value.

But nothing yet. However Kris does for some reason have infinite time to talk to the press about what happened where he always denies the claim of running away himself with the bitcoins, so he obviously reads the Bitcoin Forum and probably this message too (Hello Kris!, nice to see you here) =)

This mess starts to become a slapstick comedy from their part. I mean, it's not that I want Kris or anyone at BIPS to walk away from their house or not be able to feed their family because of this. I will survive even if my money is never returned.

Now it's all about standing up as an honest human being facing the consequences of your actions and promises. If you as an individual or a company make a promise to your clients that their critical data is safe with you, and that promise is broken. Well then you can choose two ways to handle this; A) Say you're sorry and that you will try to make it up to them even if the data is gone forever, or B) Tell your clients in a fancy way that they are idiots that trusted you in the first place.

Anyone choosing route B, i.e. rationalizing away their role of accountability by arrogance, can expect people to be pretty angry with them for a very very very long time. This individual or company has consumed their right to operate in a free market, and should be shut down in its existing form as an example of unacceptable business ethics. Case closed.

If Kris does some legal research himself, like my business lawyer did, he will soon find out that there are plenty of similar situations in the old financial world. Multiple financial services will ask for your money to hold them for you for free, or even paying you a good interest rate. It's a free service/wallet/account BUT the receiver is fully responsible for your money while kept in their hands. If it was stolen, they would have to pay it back or close business.

So, for Kris as the CEO of BIPS to act like nothing has happened (choosing route B) he is simply asking for a legal/social backlash. Everyone in the bitcoin community has the right to know if this is a viable business strategy in the future of digital money, and we will use this case to find out (so we at least get something positive out of this mess). If BIPS goes free, then that is the end of this story. If not, BIPS pays up or closes business. Kris will survive, keep his house and feed his family – but with another company and hopefully a lot more humble...
nullfrog
Newbie
Activity: 5
Merit: 0
November 29, 2013, 01:41:42 PM
 #94

Summed the situation and my thoughts in a very rational way, +1.

If Kris contacts you, please share an update here.

People are very upset and very hostile towards Kris, me included, but I hope he understands it's nothing personal and it's better to just come out and state how things are and what he is planning to do about this.

Prolonging this and remaining silent will only escalate things and make this a lot worse.
phpgeek
Newbie
Activity: 1
Merit: 0
November 29, 2013, 02:05:32 PM
 #95

Kris was interviewed by a Danish news site earlier today:
http://translate.google.com/translate?sl=da&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.version2.dk%2Fartikel%2Fny-forklaring-om-det-store-danske-bitcoin-roeveri-ddos-angreb-var-kun-et-roegsloer-55179&act=url

A short summary:
- The DDoS was not the actual attack. Just a way to remove the focus from the sys admins so they could get through another security hole.
- There was a bug with the way their algorithm works with hot and cold wallets. ALL bitcoins were in the hot wallet and because of this they were easier to access by hackers.
- All funds are lost for the users. According to Kris he/BIPS are not responsible due to their TOS.
- Kris advises people NOT to use hot wallets anymore - only with very low amounts of Bitcoins.
- Kris tells BIPS will continue as a payment provider - but have closed down their wallets for good.

I think that's a pretty good summary of the article. Otherwise - try the above google translation :)
assortmentofsorts
Member
Activity: 91
Merit: 10
November 29, 2013, 08:29:23 PM
 #96

Kris was interviewed by a Danish news site earlier today:
http://translate.google.com/translate?sl=da&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.version2.dk%2Fartikel%2Fny-forklaring-om-det-store-danske-bitcoin-roeveri-ddos-angreb-var-kun-et-roegsloer-55179&act=url

A short summary:
- The DDoS was not the actual attack. Just a way to remove the focus from the sys admins so they could get through another security hole.

It's BS. Kris was the only guy working on BIPS. Lemme share with you guys a bug I helped fix. The secret that you entered in your IPN page was generating wrong hashes for any word that was 8-16 characters in length (weird?). I had to literally beg Kris to understand that this is a serious bug and had to write various test cases to demonstrate it. When he realized that there was indeed a bug he chose to just publish an "Enter less than 8 characters and greater than 16 characters" or something like that instead of actually fixing it. When I questioned him, he told me that he wrote his own crypto lib functions. Which fool would try to rewrite crypto when there are so many well tested modules available? This kind of shit brings in all the security loop-holes.

Quote
- There was a bug with the way their algorithm works with hot and cold wallets. ALL bitcoins were in the hot wallet and because of this they were easier to access by hackers.

Tell the world the technical details of the bug. I bet Kris hasn't fixed it yet. If he couldn't find time to fix that buggy PHP hashing module I bet he is still using that same shitty hand written module (or many more like that) for everything inside BIPS.

Quote
- All funds are lost for the users. According to Kris he/BIPS are not responsible due to their TOS.

BS here as well. I can write whatever I like in my TOS. But when it comes to the courts the TOS is as good as shit. You need to make sure your TOS doesn't violate the law first. The very fact that he is saying that he isn't responsible for the funds lost is itself BS. I'll see you in court Kris... the deadline of 72 hours is ending soon.

Quote
- Kris advises people NOT to use hot wallets anymore - only with very low amounts of Bitcoins.

Thanks for the advice Saint Kris.

Quote
- Kris tells BIPS will continue as a payment provider - but have closed down their wallets for good.

I'll make sure you do not.

Quote
I think that's a pretty good summary of the article. Otherwise - try the above google translation :)

Thanks :)

If you want to tip: BTC 1KbjTUEfcziwMv7BMXcjmvNAKEpTJbZCsF
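Added example, not part of the thread and not BIPS code: the post above describes a hand-written crypto routine that produced wrong hashes only for secrets of certain lengths, which is the kind of defect a length sweep against a standard-library reference finds automatically. The page does not say which algorithm BIPS used, so HMAC-SHA256, the function names and the defect shown (truncating long secrets instead of hashing them) are constructed stand-ins, and the failing range here differs from the 8-16 characters reported.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes


def handrolled_hmac_sha256(secret: bytes, message: bytes) -> str:
    """Constructed stand-in for a hand-written keyed hash (hypothetical).

    Deliberate defect: RFC 2104 requires a secret longer than one block
    to be hashed first; this version silently truncates it instead.
    """
    key = secret[:BLOCK].ljust(BLOCK, b"\x00")
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + message).digest()
    return hashlib.sha256(bytes(b ^ 0x5C for b in key) + inner).hexdigest()


def reference_hmac_sha256(secret: bytes, message: bytes) -> str:
    """Well-tested reference from the standard library."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def failing_lengths(candidate, reference, max_len=128,
                    message=b"order=1001&status=paid"):
    """Return every secret length (1..max_len) where the two disagree."""
    bad = []
    for n in range(1, max_len + 1):
        # Deterministic, constructed secret of exactly n non-zero bytes.
        secret = bytes((i * 7 + n) % 255 + 1 for i in range(n))
        if not hmac.compare_digest(candidate(secret, message),
                                   reference(secret, message)):
            bad.append(n)
    return bad


def as_ranges(lengths):
    """Collapse sorted lengths into inclusive (start, end) ranges."""
    ranges = []
    for n in lengths:
        if ranges and n == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], n)
        else:
            ranges.append((n, n))
    return ranges


if __name__ == "__main__":
    bad = failing_lengths(handrolled_hmac_sha256, reference_hmac_sha256)
    for lo, hi in as_ranges(bad):
        print(f"mismatch for secret lengths {lo}-{hi}")
```

A report of contiguous failing lengths points at padding or key-preparation code, and the fix is to call the reference implementation rather than to restrict which secret lengths users may enter.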
Missim
Newbie
Activity: 4
Merit: 0
November 30, 2013, 09:47:46 PM
 #97

Quote

BS here as well. I can write whatever I like in my TOS. But when it comes to the courts the TOS is as good as shit. You need to make sure your TOS doesn't violate the law first.

How does/did the TOS violate the law? Which law does it violate?

You had to beg Kris to realise there was a bug. And, knowing there was a bug, you left your funds there. OK.... I wish I was as smart as you...

Quote
This kind of shit brings in all the security loop-holes.


This kind of statement makes you appear smart, but it is actually without any foundation.

As for your assertion I am Kris, or Kris's shill or any derivation of that - I am not. I lost btc in this hack. Unlike you however, I am not looking for a scapegoat.

It's called being an adult and taking responsibility for one's own actions. If you argue that Kris has to take responsibility for the hack, then you are, by implication, saying he did it.

You yourself allegedly knew the code was not sound. Yet you didn't tell anyone else, and in fact kept your btc stored in Bips. If you are so good at finding bugs, why did you not start your own service instead of using what you saw as an inferior product. However, such questions divert from the topic, which is the breach.

It happened. We lost our btc. The lesson seems to be to not use hot wallets.
assortmentofsorts
Member
Activity: 91
Merit: 10
December 02, 2013, 02:01:00 AM
 #98

Quote
This kind of shit brings in all the security loop-holes.
Quote
This kind of statement makes you appear smart, but it is actually without any foundation.

Oh yeah? I bet you haven't written a single line of code in your life.

Quote
As for your assertion I am Kris, or Kris's shill or  any derivation of that  - I am not.   I lost  btc in this hack.  Unlike you however, I am not looking for a scapegoat.

Obviously you aren't looking for a scapegoat. You stole our funds, why would you feel anything at all?

Quote
It's called being an adult and taking responsibility for one's own actions.

Nice try Kris. The first thing about being an adult is to man up and become transparent about the so called "hack". The very fact that there is absolutely zero information on the hack shows you are the thief. Period.

Quote
  If you argue that Kris has to take  responsibility for  the hack, then you are, by implication, saying he did it. 

Kris (or you) did not do the hack. The hack never happened. He (or you) just moved all the funds to a new address... in plain simple words Kris (or you) just stole our funds. If it was a hack I want all the technical details laid out in public domain. The onus is on you (Kris) to prove he (you) is innocent.

Quote
You yourself allegedly knew the code was not sound.  Yet you didn't tell anyone else, and  in fact kept your btc  stored in Bips.  If you are so good at finding bugs, why did you not start your own service instead of  using  what you saw as an inferior product..  However, such questions divert from the  topic, which is the breach.

It happened.  We lost our btc.  The lesson seems to be to not use hot wallets.


Okay Kris I'll answer your questions (wish you used your real name here instead). Firstly when I asked you to fix the bug you told me clearly that you will fix it asap (and that you were upgrading your systems and needed some time). Now I gave you that benefit of doubt. Now I never in my wildest dreams thought that upgrading your systems meant steal your customers funds.

Secondly, when I say violate law I did not mean the TOS violates law. I shouldn't have mixed two different things in the same sentence (was clearly pissed). What I'm trying to say is you can write whatever you want in your TOS. When it comes to legalities the TOS is used only by customers to demand their rights to a defaulting service. If you are the owner, you don't have any say as you can change the TOS at any time. It's like a rental agreement. The tenant has more legal rights compared to the owner. TOS gives the customers more legal ammunition to go after the owner of the defaulting service... not the other way round. So either you (Kris) have a really bad lawyer or are just talking shit to divert attention from the main issue: theft of our funds. By the way I have already consulted my lawyer and I'll be going ahead with legal proceedings.

If you want to tip: BTC 1KbjTUEfcziwMv7BMXcjmvNAKEpTJbZCsF
CrayzHackeR
Full Member
Activity: 219
Merit: 100
December 02, 2013, 02:07:56 AM
 #99

yeah exactly, yeah yes, yeah of course
dark_kn1ght
Newbie
Activity: 7
Merit: 0
December 02, 2013, 05:30:06 PM
 #100

Kris was interviewed by a Danish news site earlier today:
http://translate.google.com/translate?sl=da&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.version2.dk%2Fartikel%2Fny-forklaring-om-det-store-danske-bitcoin-roeveri-ddos-angreb-var-kun-et-roegsloer-55179&act=url

A short summary:
- The DDoS was not the actual attack. Just a way to remove the focus from the sys admins so they could get through another security hole.

It's BS. Kris was the only guy working on BIPS. Lemme share with you guys a bug I helped fix. The secret that you entered in your IPN page was generating wrong hashes for any word that was 8-16 characters in length (weird?). I had to literally beg Kris to understand that this is a serious bug and had to write various test cases to demonstrate it. When he realized that there was indeed a bug he chose to just publish an "Enter less than 8 characters and greater than 16 characters" or something like that instead of actually fixing it. When I questioned him, he told me that he wrote his own crypto lib functions. Which fool would try to rewrite crypto when there are so many well tested modules available? This kind of shit brings in all the security loop-holes.

Quote
- There was a bug with the way their algorithm works with hot and cold wallets. ALL bitcoins were in the hot wallet and because of this they were easier to access by hackers.

Tell the world the technical details of the bug. I bet Kris hasn't fixed it yet. If he couldn't find time to fix that buggy PHP hashing module I bet he is still using that same shitty hand written module (or many more like that) for everything inside BIPS.

Quote
- All funds are lost for the users. According to Kris he/BIPS are not responsible due to their TOS.

BS here as well. I can write whatever I like in my TOS. But when it comes to the courts the TOS is as good as shit. You need to make sure your TOS doesn't violate the law first. The very fact that he is saying that he isn't responsible for the funds lost is itself BS. I'll see you in court Kris... the deadline of 72 hours is ending soon.

Quote
- Kris advises people NOT to use hot wallets anymore - only with very low amounts of Bitcoins.

Thanks for the advice Saint Kris.

Quote
- Kris tells BIPS will continue as a payment provider - but have closed down their wallets for good.

I'll make sure you do not.

Quote
I think that's a pretty good summary of the article. Otherwise - try the above google translation :)

Thanks :)


Do you have a personal vendetta with Kris or what?
If you were that close with Kris that you knew so much of Bips operational,
and you knew there was weakness with Bips security config as you mentioned,
why didn't you do something before?
Or you could have placed your btc somewhere else instead of keeping it there??

Stop embarrassing yourself mate