M4v3R
October 10, 2012, 01:00:39 PM Last edit: October 10, 2012, 01:15:12 PM by M4v3R
Are you sure there were password breaches at all? My transactions were confirmed/cancelled, but the Bitcoins actually in my account were untouched. That's why it seems to me that the attacker merely has some method to confirm/cancel transactions, which sounds to me like SQL injection (perhaps not, if you have ORM and parametrized queries) or XSS. But I'm not a professional at that, xalex could probably describe/test more attack vectors.
Yes, I'm sure, because I have detailed access logs. There were no attempts at any SQL injection. All I saw in the logs was just a user (behind TOR) logging into accounts like they usually do. He tried different accounts that he had login details to, and if a given account was empty, he just left. After he logged in to an account with some money, he'd make a sell offer on it. Then, in the logs I have URLs like these:

http://bitmarket.eu/transactions/confirm/[transaction_id]

Which are exactly the same URLs your browser is directed to when you confirm a transaction. These only work from the account that is the seller in a given transaction; knowing the TX ID wouldn't let you confirm a transaction in which you're not the seller.

Edit: Here you have an excerpt from my logs (user info redacted):

[2012-10-10, 14:58:01] Request /transactions from [IP ADDRESS HERE] -- GET params: ... -- POST params: ... -- SESSION params: [user_id] => [USER ID HERE] ...

These logs can't be accessed via web, only via a secure shell connection. Separate logs for SSH connections show no sign of logins that were not made by me.

Edit 2: On the Bitmarket.eu server, the Bitcoin client lives under a separate user with no permissions to view anything other than the wallet. The Apache (web) user also doesn't have permissions to read anything outside of the site's main directory. So even if an attacker could find an exploit in these, he couldn't get user passwords from it.
BTCurious
October 10, 2012, 01:04:50 PM
That is quite weird then… But as I said, my password is unique, and can't be keylogged. It could be detected by a compromised browser or other software, in theory.
The people on the other side of the confirmed and cancelled transactions are all sockpuppets, I assume? Interestingly, there is one account that had 2 transactions with me, one of which was cancelled and one of which was confirmed.
M4v3R
October 10, 2012, 01:09:14 PM
In your case, the attacker hit the withdrawal security measure, and couldn't withdraw your funds, so he just left them. I have restored your funds and reverted the transactions, but because this was done "by hand", it could look a bit weird from your account's perspective.
The accounts were created on the day of the attack, so yes, they're just sockpuppets.
monstrs
October 10, 2012, 03:57:52 PM
In your case, the attacker hit the withdrawal security measure, and couldn't withdraw your funds, so he just left them. I have restored your funds and reverted the transactions, but because this was done "by hand", it could look a bit weird from your account's perspective.
The accounts were created on the day of the attack, so yes, they're just sockpuppets.
Maybe it is worth locking withdrawals for new accounts (without positive trades), or confirming their withdrawals manually?
hari (Newbie, Activity: 8, Merit: 0)
October 10, 2012, 10:52:28 PM
M4v3R
October 11, 2012, 07:55:17 PM Last edit: October 13, 2012, 02:12:59 PM by M4v3R
BitMarket.eu now supports two-factor authentication

A long overdue security feature is now implemented on BitMarket.eu: two-factor authentication. This greatly enhances your account security, by letting you log in to your account only after entering a time-based generated token, in addition to your account password. I encourage every user, especially everyone who uses BitMarket.eu to store their Bitcoins, to enable this feature. You can find it after logging in, under Account section -> Security tab.

To use two-factor authentication, you must have a compatible smartphone which runs Google Authenticator, a free application from Google that implements the open TOTP (time-based one time passwords) standard. More information about how to get this application can be found on the Google support site. This app is compatible with Android, iOS and Blackberry platforms. Alternatively, you can use the open source HTML5 implementation of Google Authenticator. It has been packaged using the Adobe PhoneGap framework and can be downloaded here. The HTML5 version supports Android, Windows Phone, webOS and Symbian.

Note that you will be asked for the token on every login, so you must have your device with you every time you want to log in to your account. You will also be asked for the token if you want to disable two-factor authentication, and if you forget your password.

What happens if you lose your device? When enabling this feature, you will be presented with a one-time, unique, 16-character recovery code. Please write it down on paper and store it somewhere safe. In the event of losing your smartphone this recovery code will enable you to access your account.

If you have any questions, or suggestions regarding this feature, feel free to speak up.
ancow
October 11, 2012, 11:04:27 PM
M4v3R
October 12, 2012, 06:23:11 AM
Thanks for pointing this out.
foo
October 13, 2012, 05:35:27 AM
This app is compatible with Android, iOS and Blackberry platforms.
There is also a web app implementation that works in Opera Mobile, which means that you can do Google Auth on Nokia (Symbian) phones. (May also work in IE on Windows Phone Nokias, haven't tried it.) See this thread: https://bitcointalk.org/index.php?topic=111943
M4v3R
October 13, 2012, 02:13:24 PM
This app is compatible with Android, iOS and Blackberry platforms.
There is also a web app implementation that works in Opera Mobile, which means that you can do Google Auth on Nokia (Symbian) phones. (May also work in IE on Windows Phone Nokias, haven't tried it.) See this thread: https://bitcointalk.org/index.php?topic=111943

Thanks, I've added info about the HTML5 version to the post.
ba1020 (Newbie, Activity: 8, Merit: 0)
October 17, 2012, 10:55:35 AM
using Google as an Authenticator is like using the Russian Mafia as an Escrow
Stephen Gornick (Legendary, Activity: 2506, Merit: 1010)
October 17, 2012, 05:59:22 PM Last edit: November 12, 2012, 02:13:04 AM by Stephen Gornick
using Google as an Authenticator is like using the Russian Mafia as an Escrow
The Google Authenticator app (or any other common OTP method) doesn't communicate with Google. It has nothing to do with your Google account. The only external communications from these OTP methods are that they need to [edit: might] sync their time with a time server (nearly all of which are not hosted / controlled by Google). - http://www.quora.com/Cryptography/Does-Google-Authenticator-share-data-with-Google/answer/Steve-Weis
BTCurious
October 17, 2012, 11:20:45 PM
You don't even need to sync your time with the server per se, although it's usually easier.
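The two-factor scheme announced earlier in the thread (a time-based token from Google Authenticator plus a 16-character recovery code) and the point made in the last two replies (the token is computed entirely offline; only the clock matters) can both be seen in an RFC 4226/6238 implementation. This is an added example, not BitMarket.eu's code: it uses the RFC 6238 test seed rather than a real secret, and the recovery-code alphabet and SHA-256 storage are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30    # seconds per time step (Google Authenticator default)
DIGITS = 6   # token length shown in the app
SKEW = 1     # accept one step before/after to tolerate clock drift

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP). No network needed."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // STEP)

def verify_totp(secret: bytes, token: str, at: int, skew: int = SKEW) -> bool:
    """Server-side check: current step plus +/- skew neighbours, constant-time compare."""
    counter = at // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), token)
               for d in range(-skew, skew + 1))

# Assumed recovery-code format: 16 symbols from a 32-letter alphabet without 0/O and
# 1/I, i.e. 80 bits of entropy, so an unsalted hash is enough to store it server-side.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def new_recovery_code() -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(16))

def hash_recovery_code(code: str) -> str:
    """Normalise what the user typed (whitespace, case) before hashing."""
    return hashlib.sha256(code.strip().upper().encode()).hexdigest()

def redeem_recovery_code(stored_hash: str, presented: str) -> bool:
    """One-time use: the caller must delete stored_hash after a successful redeem."""
    return hmac.compare_digest(stored_hash, hash_recovery_code(presented))

if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 6238 test seed, not a real secret
    token = totp(seed, 59)           # RFC test vector: 287082
    print(token, verify_totp(seed, token, 59), new_recovery_code())
```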
l3sny
November 11, 2012, 11:12:13 PM
Hi
Has the customer service improved? I almost never get any feedback.
Regards
monstrs
November 21, 2012, 08:32:03 PM
Is there some problem with bitmarket? The site is down today, any comments?
owowo (Newbie, Activity: 43, Merit: 0)
November 22, 2012, 12:13:16 AM
Yes, site still dead! Would be nice to know what's up and why it's down.
ancow
November 22, 2012, 08:31:47 AM
How is it down? It seems to work for me.
koin (Legendary, Activity: 873, Merit: 1000)
November 22, 2012, 09:37:54 AM
How is it down? It seems to work for me.
see, there's this thing called time. at one point in time, when others were trying to access the site, the site was down. at a later point in time, when you tried to access the site, the site was operational again. things can change over time. this is an example of that.
monstrs
November 22, 2012, 03:03:43 PM
I would like to report a fraud. His nick is Nikkidonna, email: paulevans607@yahoo.com

23143 13.11.2012, 23:10:17 Nikkidonna 1.26 BTC 10.99 EUR 13.84 EUR Confirmed

He paid for this transaction and in some way managed to get the money back from my moneybookers account, and moneybookers even locked my account for this. Be aware of this shit.
disclaimer201 (Legendary, Activity: 1526, Merit: 1001)
November 22, 2012, 08:38:16 PM
Stop using moneybookers once and for all.