Bitcoin Forum
March 19, 2024, 06:05:27 AM *
Author Topic: BitMarket.Eu has closed down  (Read 203815 times)
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 10, 2012, 01:00:39 PM
Last edit: October 10, 2012, 01:15:12 PM by M4v3R
 #481

Are you sure there were password breaches at all? My transactions were confirmed/cancelled, but the Bitcoins actually in my account were untouched. That's why it seems to me that the attacker merely has some method to confirm/cancel transactions, which sounds to me like SQL injection (perhaps not, if you have ORM and parametrized queries) or XSS. But I'm not a professional at that, xalex could probably describe/test more attack vectors.

Yes, I'm sure, because I have detailed access logs. There were no attempts at any SQL injection. All I saw in the logs was just a user (behind TOR) logging into accounts like they usually do. He tried different accounts that he had login details to, and if a given account was empty, he just left. After he logged in to an account with some money, he'd make a sell offer on it. Then, in the logs I have URLs like these:

http://bitmarket.eu/transactions/confirm/[transaction_id]

Which are exactly the same URLs your browser is directed to when you confirm a transaction. These only work from the account that is the seller in a given transaction; knowing the TX ID wouldn't let you confirm a transaction in which you're not the seller.

Edit: Here you have an excerpt from my logs (user info redacted):

Code:
[2012-10-10, 14:58:01] Request /transactions from [IP ADDRESS HERE]
-- GET params: ...
-- POST params: ...
-- SESSION params:
    [user_id] => [USER ID HERE]
    ...

These logs can't be accessed via web, only via secure shell connection. Separate logs for SSH connections show no sign of logins that were not made by me.

Edit 2: On Bitmarket.eu server, Bitcoin client lives on a separate user with no permissions to view anything else than the wallet. Apache (web) user also doesn't have permissions to read anything outside of site's main directory. So even if attacker could find an exploit to these, he couldn't get user passwords from it.
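
Added example, not part of the post above and not BitMarket.eu's code: a parser for entries in the format of that log excerpt which flags any source address whose requests carried sessions for several distinct accounts, and lists its `/transactions/confirm/` hits. The sample log, addresses, IDs and the threshold of 3 are constructed; grouping by source address is an assumption that weakens when, as described, the visitor is behind TOR.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^\[(\d{4}-\d{2}-\d{2}), (\d{2}:\d{2}:\d{2})\] Request (\S+) from (\S+)$")
USER_ID = re.compile(r"^\s+\[user_id\] => (\d+)$")

# Constructed sample in the excerpt's format; addresses and IDs are made up.
SAMPLE_LOG = """\
[2012-10-10, 14:50:02] Request /transactions from 203.0.113.20
-- SESSION params:
    [user_id] => 17
[2012-10-10, 14:58:01] Request /transactions from 198.51.100.7
-- SESSION params:
    [user_id] => 1041
[2012-10-10, 14:58:40] Request /transactions from 198.51.100.7
-- SESSION params:
    [user_id] => 2210
[2012-10-10, 14:59:12] Request /transactions/confirm/9001 from 198.51.100.7
-- SESSION params:
    [user_id] => 2210
[2012-10-10, 15:01:30] Request /transactions from 198.51.100.7
-- SESSION params:
    [user_id] => 3377
"""

def parse_requests(text):
    """Yield (timestamp, path, source, user_id); user_id is None without a session."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [f"{m[1]} {m[2]}", m[3], m[4], None]
        elif current and (u := USER_ID.match(line)):
            current[3] = int(u[1])
    if current:
        yield tuple(current)

def sources_with_many_accounts(text, threshold=3):
    """Return sources seen with >= threshold distinct user_ids, plus their confirm requests."""
    accounts, confirms = defaultdict(set), defaultdict(list)
    for ts, path, source, user_id in parse_requests(text):
        if user_id is not None:
            accounts[source].add(user_id)
            if path.startswith("/transactions/confirm/"):
                confirms[source].append((ts, user_id, path))
    return {s: {"accounts": sorted(a), "confirms": confirms[s]}
            for s, a in accounts.items() if len(a) >= threshold}
```
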
BTCurious
Hero Member
*****
Offline Offline

Activity: 714
Merit: 503


^SEM img of Si wafer edge, scanned 2012-3-12.


View Profile
October 10, 2012, 01:04:50 PM
 #482

That is quite weird then… But as I said, my password is unique, and can't be keylogged. It could be detected by a compromised browser or other software, in theory.

The people on the other side of the confirmed and cancelled transactions are all sockpuppets, I assume?
Interestingly, there is one account that had 2 transactions with me, one of which was cancelled and one of which was confirmed.

M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 10, 2012, 01:09:14 PM
 #483

In your case, the attacker hit the withdrawal security measure, and couldn't withdraw your funds, so he just left them. I have restored your funds and reverted the transactions, but because this was done "by hand", it could look a bit weird from your account's perspective.

The accounts were created on the day of the attack, so yes, they're just sockpuppets.
monstrs
Hero Member
*****
Offline Offline

Activity: 555
Merit: 504



View Profile
October 10, 2012, 03:57:52 PM
 #484

In your case, the attacker hit the withdrawal security measure, and couldn't withdraw your funds, so he just left them. I have restored your funds and reverted the transactions, but because this was done "by hand", it could look a bit weird from your account's perspective.

The accounts were created on the day of the attack, so yes, they're just sockpuppets.

Maybe it is worth locking withdrawals for new accounts (without positive trades), or confirming withdrawals manually?
hari
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
October 10, 2012, 10:52:28 PM
 #485

http://images2.fanpop.com/image/photos/9300000/Fry-Icon-philip-j-fry-9365666-190-190.jpg
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 11, 2012, 07:55:17 PM
Last edit: October 13, 2012, 02:12:59 PM by M4v3R
 #486

BitMarket.eu now supports two-factor authentication

A long overdue security feature is now implemented on BitMarket.eu: two-factor authentication. This greatly enhances your account security, by letting you log in to your account only after entering a time-based generated token, in addition to your account password. I encourage every user, especially everyone who uses BitMarket.eu to store their Bitcoins, to enable this feature. You can find it after logging in, under Account section -> Security tab.

To use two-factor authentication, you must have a compatible smartphone which runs Google Authenticator, a free application from Google that implements the open TOTP (time-based one-time passwords) standard. More information about how to get this application can be found on the Google support site. This app is compatible with Android, iOS and Blackberry platforms. Alternatively, you can use an open source HTML5 implementation of Google Authenticator. It has been packaged using the Adobe PhoneGap framework and can be downloaded here. The HTML5 version supports Android, Windows Phone, webOS and Symbian.

Note that you will be asked for the token on every login, so you must have your device with you every time you want to log in to your account. You will also be asked for the token if you want to disable two-factor authentication, and if you forget your password.

What happens if you lose your device? When enabling this feature, you will be presented with a one-time, unique, 16-character recovery code. Please write it down on paper and store it somewhere safe. In the event of losing your smartphone, this recovery code will enable you to access your account.

If you have any questions, or suggestions regarding this feature, feel free to speak up.
ancow
Full Member
***
Offline Offline

Activity: 373
Merit: 100


View Profile WWW
October 11, 2012, 11:04:27 PM
 #487

More information about how to get this application can be found on Google support site.
Same page, just in English: http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447

BTC: 1GAHTMdBN4Yw3PU66sAmUBKSXy2qaq2SF4
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 12, 2012, 06:23:11 AM
 #488


Thanks for pointing this out :).
foo
Sr. Member
****
Offline Offline

Activity: 409
Merit: 250



View Profile
October 13, 2012, 05:35:27 AM
 #489

This app is compatible with Android, iOS and Blackberry platforms.
There is also a web app implementation that works in Opera Mobile, which means that you can do Google Auth on Nokia (Symbian) phones. (May also work in IE on Windows Phone Nokias, haven't tried it.)

See this thread: https://bitcointalk.org/index.php?topic=111943

I know this because Tyler knows this.
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
October 13, 2012, 02:13:24 PM
 #490

This app is compatible with Android, iOS and Blackberry platforms.
There is also a web app implementation that works in Opera Mobile, which means that you can do Google Auth on Nokia (Symbian) phones. (May also work in IE on Windows Phone Nokias, haven't tried it.)

See this thread: https://bitcointalk.org/index.php?topic=111943

Thanks, I've added info about HTML5 version to the post.
ba1020
Newbie
*
Offline Offline

Activity: 8
Merit: 0



View Profile
October 17, 2012, 10:55:35 AM
 #491


using Google as an Authenticator is like using the Russian Mafia as an Escrow
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1010


View Profile
October 17, 2012, 05:59:22 PM
Last edit: November 12, 2012, 02:13:04 AM by Stephen Gornick
 #492

using Google as an Authenticator is like using the Russian Mafia as an Escrow

The Google Authenticator app (or any other common OTP method) doesn't communicate with Google.  It has nothing to do with your Google account.

The only external communications from these OTP methods are that they need to [edit: might] sync their time with a time server (nearly all of which are not hosted / controlled by Google).

 - http://www.quora.com/Cryptography/Does-Google-Authenticator-share-data-with-Google/answer/Steve-Weis


BTCurious
Hero Member
*****
Offline Offline

Activity: 714
Merit: 503


^SEM img of Si wafer edge, scanned 2012-3-12.


View Profile
October 17, 2012, 11:20:45 PM
 #493

using Google as an Authenticator is like using the Russian Mafia as an Escrow

The Google Authenticator app (or any other common OTP method) doesn't communicate with Google.  It has nothing to do with your Google account.

The only external communications from these OTP methods are that they need to sync their time with a time server (nearly all of which are not hosted / controlled by Google).

 - http://www.quora.com/Cryptography/Does-Google-Authenticator-share-data-with-Google/answer/Steve-Weis
You don't even need to sync your time with the server per se, although it's usually easier.
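
Added illustration, not part of any post in this thread and not BitMarket.eu's or Google's code: TOTP (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) computed locally from a shared secret and a clock, with a server-side check that tolerates clock drift and refuses a token whose time step was already accepted. The `TotpVerifier` class, its one-step drift window and the replay rule are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # token length shown by common authenticator apps

def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter. No network needed."""
    counter = int(at) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Server side: accepts +/- `window` steps of clock drift, rejects reused steps."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.window = window
        self.last_step = -1  # highest time step already accepted

    def verify(self, token: str, now=None) -> bool:
        now = time.time() if now is None else now
        for drift in range(-self.window, self.window + 1):
            step = int(now) // STEP + drift
            if step <= self.last_step:
                continue  # this step (or a later one) was already used: replay
            if hmac.compare_digest(totp(self.secret, step * STEP), token):
                self.last_step = step
                return True
        return False
```
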

l3sny
Hero Member
*****
Offline Offline

Activity: 859
Merit: 1000



View Profile
November 11, 2012, 11:12:13 PM
 #494

Hi

Has the customer service improved? I almost never get any feedback.

Regards

monstrs
Hero Member
*****
Offline Offline

Activity: 555
Merit: 504



View Profile
November 21, 2012, 08:32:03 PM
 #495

Is there some problem with bitmarket? The site is down today, any comments?
owowo
Newbie
*
Offline Offline

Activity: 43
Merit: 0


View Profile
November 22, 2012, 12:13:16 AM
 #496

Yes, Site still dead! would be nice to know what's up and why it's down.
ancow
Full Member
***
Offline Offline

Activity: 373
Merit: 100


View Profile WWW
November 22, 2012, 08:31:47 AM
 #497

How is it down? It seems to work for me.

BTC: 1GAHTMdBN4Yw3PU66sAmUBKSXy2qaq2SF4
koin
Legendary
*
Offline Offline

Activity: 873
Merit: 1000


View Profile
November 22, 2012, 09:37:54 AM
 #498

How is it down? It seems to work for me.

see, there's this thing called time. 

at one point in time, when others were trying to access the site, the site was down.

at a later point in time, when you tried to access the site, the site was operational again.

things can change over time.  this is an example of that.
monstrs
Hero Member
*****
Offline Offline

Activity: 555
Merit: 504



View Profile
November 22, 2012, 03:03:43 PM
 #499

I would like to report on fraud. His nick is Nikkidonna, email: paulevans607@yahoo.com

23143    13.11.2012, 23:10:17    Nikkidonna    1.26 BTC    10.99 EUR    13.84 EUR    Confirmed

He paid for this transaction and in some way managed to get back money from my moneybookers account, and moneybookers even locked my account for this. Beware of this shit.
disclaimer201
Legendary
*
Offline Offline

Activity: 1526
Merit: 1001


View Profile
November 22, 2012, 08:38:16 PM
 #500

Stop using moneybookers once and for all.