Bitcoin Forum
November 05, 2024, 12:25:40 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Why I am leaving MintPal  (Read 3090 times)
KaChingCoinDev (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
April 21, 2014, 01:39:51 AM
 #1

Hello,

I am sorry to say it, but I am leaving MintPal. I really liked there webpage and trading platform. But, I have to leave after this issue.

The issue:

I logged onto MintPal from a PC at a friends house. I was on multiple times throughout the afternoon. I was following WC, viewing the page every once and a while, but I was out in the morning, and was going to get back in around 1700 satoshis.  That evening, after I got back to my PC at home, I saw I owned 3000 WC. I was like, I never bought WC? The trade price was 2116 satoshis, a lot more than where I was gonna get in. Of course, I was not going to get in (I already owned coins). Looking into the trade records, I see the trade was placed a minute after I logged into the MintPal for that time. That is impossible, as it takes 30 seconds just to make a trade blindly, let alone look at the charts. So I messaged MintPal support. Here is dialog: (If you do not want to read the dialog skip to the end)


Me opening ticket:

Hello,

I logged into my account today, and I was following Whitecoin. I was out of it at the time, so I was not following it carefully. I saw it dropped to 1700ish. I did not think anything of it. Then, I saw my balance of WC as 3000, I was really confused. I think there was an Unauthorized Trade on my account. I have changed my password in case someone hacked my account. I would like to get my BTC back, the 0.063BTCish that was charged my account. I am down %20 right now, on 0.063, not much for you, but a bunch for me. Can you fix this?

Thanks,
Brandon

Them:


Hi Brandon,

I'm afraid once coins have been traded or withdrawn there is nothing we can do.

Thanks

My reply:

Jason,

I understand if I complete a trade there is no way to reverse it. But in this case, I did not do the trade. Somehow, your software completed a trade without me (a bug in your software???), or someone got into my account, whether on the front end (website) or back end (server). Either way, it is not my fault that this happened. Maybe you should require email confirmation to trade. This does not help my experience at MintPal.

Thanks,
Brandon

Them:

Hi Brandon,

You can check the login history on your account to see if someone else logged in and did it.

It would be best to set up 2FA on your account if you do not currently have it.

Regards,
Jay
MintPal

Me:

I can set up 2FA, but that still does not change the fact that I am still out my BTC.

I see the trade went through at 19:15 and 19:28 MintPal time.

 The closest login attempt was 19:14, and that was me. I did not put a trade in a minute after I logged in.

Thanks,
Brandon


Them

Hi Brandon,

It's simply impossible that the trades would happen by themselves, and we would have it the orders logged in our system being placed by your IP. Checking your order history in our database, we can see a buy order was placed at price 0.00002116 at 7:15pm (I don't believe it was ever this high, so it must have auto traded at the best price). Other trades would be from older orders you had placed in the markets.

Regards,
Jay
MintPal  

Note: The support person (Jay) closed the case, I had to reopen it.  Why did he close the case, it was not resolved?

Me:

Hello,

Can you tell me the IP the order was placed from?

Thanks,
Brandon

Them:

Hi Brandon,

The IP is (IP of my friends house), which does look like yours based on your other login history.

It might be worth scanning your computer for keyloggers/spyware if you're absolutely certain you didn't place that order.

Regards,
Jay
MintPal

Me:

Hello,

Yes, I was on that computer for a time. I will definitely check it for spyware. I am very sad that you cannot fix this, the total trade was only 0.06 BTC, MP makes 7.5 BTC a day right now. I only have 0.16 BTC in my balance, so this is huge to me. I am certain I did not place this order, I would not have opened this ticket.

Thanks,
Brandon

Them:

Hi Brandon,

Please let us know if you find any malware that could have been responsible for the trade

Thanks

Me:

Hello,

There is no malware on that PC. Note: I scanned with Malwarebytes. I have used malwarebytes before, and it is reliable and has always found malware.

Thanks,
Brandon

Me:

This is not closed. It has not been resolved, the BTC is not back in my account. Note: Here is another spot where they closed the case.

Them:

Hi Brandon,

Im afraid we have the proof that the order was done with your IP. We can't just credit you because then everyone could just start claiming they didn't make an order when they lose out.

There is nothing we can do regarding this I am afraid.

Regards,
Jay
MintPal

Me:

Can I have the proof it was done by our IP?

Them:

Brandon,

The proof can be seen by looking at your login history, somebody logged into your account from your IP address moments before the order was submitted. We also have the access logs from our webservers, looking through those it's quite clear the order was submitted from your IP. The first two entries are the login process, the third is the order submission.

69.249.134.181 - - [19/Apr/2014:19:14:16 +0000] "GET /login/market/WC/BTC HTTP/1.1" 200 20422 "https://www.mintpal.com/market/WC/BTC" "Mozilla/5.0 (Windows NT 6.0; rv:28.0) Gecko/20100101 Firefox/28.0"
69.249.134.181 - - [19/Apr/2014:19:14:27 +0000] "POST /action/authenticateUser HTTP/1.1" 200 56 "https://www.mintpal.com/login/market/WC/BTC" "Mozilla/5.0 (Windows NT 6.0; rv:28.0) Gecko/20100101 Firefox/28.0"
69.249.134.181 - - [19/Apr/2014:19:15:11 +0000] "POST /action/addOrder HTTP/1.1" 200 143 "https://www.mintpal.com/market/WC/BTC" "Mozilla/5.0 (Windows NT 6.0; rv:28.0) Gecko/20100101 Firefox/28.0"

Thanks

Me:

This is where I am confused. I placed an order 1 minute after I logged in? I tested it, and it takes 30 seconds to do it blindly, let alone have time to check charts. I NEVER trade without researching it, you can look at my past history. So, I see what you are saying, but I think the server records on your end were forged or glitched.

Them:

Brandon,

You are entitled to your opinion however we have stated the facts on several occasions. The odds are severely stacked against your argument, the fact is that the logs clearly show the order having been submitted from your IP address, the login history clearly shows you (or somebody from your IP address) logging into your account moments before the order was submitted.

Regardless of the above, as we have mentioned already, we will not be returning the BTC balance.

Thanks

Me:

I understand what you are saying.

I am a little disappointed about this, that MP will lose a customer over such a small amount. I will be moving my balance to Cryptsy. I really like MintPal's website, but oh well.

Me:

Also,

I am very suprised that such a big exchange, and a reputable one, would risk making a customer unhappy. But, I am not you, nor making MintPals decisions. I am just saying, If I would be running MintPal, that I would put more importance to keeping customers happy.


Me:

Also, I am a software developer, and I know that 1. records can be forged and 2. bugs/glitches do happen, expecially in complex trading software.

Them:

Brandon,

Sorry that you feel you have to leave. Enjoy Cryptsy.

Thanks Note: He closed the case here again. I did not reopen it.



In Summary

I am very dissapointed MP would lose a customer over this. I have withdrawn my balance to cryptsy already. Also, I feel that they are boasting "great support", and this was far from it. Reasons:

1.

Closed the case multiple times, acting like it was resolved.

2.

Repeatedly stating they will not refund the BTC, it seemed I was talking to a wall.


There are more you can catch if you read the dialog.

If you are MintPal:

If this gets resolved I will delete this post. Maybe there is a misunderstanding here, but right now I cannot see it.

Closing:

Whether you chose to believe me or not, please consider this message.

If you do not: My other account is thecryptodude01, it has been hacked.

Thank you for reading this!




dave111223
Legendary
*
Offline Offline

Activity: 1190
Merit: 1001


View Profile WWW
April 21, 2014, 02:27:41 AM
 #2

Logged in from a friends house and you don't use 2FA?

But it's their system that has a "bug"?
clownius
Sr. Member
****
Offline Offline

Activity: 448
Merit: 254


View Profile
April 21, 2014, 02:42:35 AM
 #3

Logged in from a friends house and you don't use 2FA?

But it's their system that has a "bug"?

Have to agree here.  Someone on that computer made a transaction that lost money.  Why would any exchange wear the loss?

If they decided to wear the loss every time someone claimed they didnt make a transaction that ended up loosing money they would go broke in days.

Seriously why log in on a computer you dont take responsibility for the security of in any case.
grifferz
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
April 21, 2014, 10:26:37 AM
 #4

You cost this company more than 0.06BTC in the time of their employees. I think they were very patient to go through this with you. To suggest this is some sort of inside job doesn't make sense on a risk/reward basis.

Absent any other evidence anyone would agree with MintPal, here.
KaChingCoinDev (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
April 21, 2014, 10:30:04 AM
 #5

I was the only one logged in on that computer. I always logged out right after I got in. I am saying there system has a bug because I cannot reasonably log in and then within 1 Minute and complete the trade. Bugs do happen. It is up to you to believe me about this. If you don't, I respect your opinion. But, I know that the computer there did NOT make a trade, so on my end I know it was a MintPal bug. It is hard to get you guys to believe me. Believe what you want. I am leaving MP before I get toasted on more money. Maybe they were patient to go through this with me, but I think not.

What more evidence do you need?
coiner8
Member
**
Offline Offline

Activity: 65
Merit: 10


View Profile
April 23, 2014, 05:31:25 PM
 #6

This is completely your fault and Mintpal's response was correct.  The order came from your computer.  Either you entered it accidentally (simplest and most likely explanation) or some other program on the computer caused the trade (very unlikely since there would be no benefit to a virus writer to make that trade).  It's the same as if your phone called a per-minute sex line or an expensive international call.  It doesn't matter if it was a butt dial or your friend or a virus on your phone that made the call.  Your equipment called the number, it's your responsibility not theirs.
Wolf_Pack
Sr. Member
****
Offline Offline

Activity: 386
Merit: 250



View Profile
April 23, 2014, 05:44:49 PM
 #7

I agree that Mintpal was correct in their decision.  I know you said that you ran Malwarebytes, but it sounds like you have some sort of security issue since your previous username on here was hacked.


                        ▄  ▄▄  ▄▄▄  ▄▄▄▄  ▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄

   ▄▄▄▄▄▄    ▄▄     ▄▄ ▄▄▄▄▄▄▄      ▄▄▄▄▄        ▄       ▄▄       ▄▄ ▄▄▄▄▄▄▄
 ▄██▀▀▀▀██▄  ███▄   ██ ██▀▀▀▀▀    ▄██▀▀▀█▀      ███      ███     ███ ██▀▀▀▀▀
██▀      ▀██ ████▄  ██ ██        ██▀           ██▀██     ████   ████ ██
██        ██ ██ ▀██ ██ ██▄▄▄     ██    ████   ██▀ ▀██    ██▀██ ██▀██ ██▄▄▄
██▄      ▄██ ██  ▀████ ██▀▀▀     ██▄     ██  ██▀   ▀██   ██ ▀███▀ ██ ██▀▀▀
 ▀██▄▄▄▄██▀  ██    ▀██ ██▄▄▄▄▄    ▀██▄▄▄██▀ ████▄▄▄████  ██  ▀█▀  ██ ██▄▄▄▄▄
   ▀▀▀▀▀▀    ▀▀     ▀▀ ▀▀▀▀▀▀▀      ▀▀▀▀▀  ▀▀▀ ▀▀▀▀▀ ▀▀▀ ▀▀       ▀▀ ▀▀▀▀▀▀▀

                        ▀  ▀▀  ▀▀▀  ▀▀▀▀  ▀▀▀▀▀  ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
A-Self Evolving Virtual World
Built on Top of Blockchain
▬ ▬▬ ▬▬▬   WHITEPAPER   ▬▬▬ ▬▬ ▬
TWITTER     TELEGRAM      MEDIUM
▬ ▬▬ ▬▬▬   ANN THREAD   ▬▬▬ ▬▬ ▬
Bit_Happy
Legendary
*
Offline Offline

Activity: 2114
Merit: 1040


A Great Time to Start Something!


View Profile
April 23, 2014, 06:06:23 PM
 #8

I'll be signing up for MintPal now.
Glad you helped verify how good their support is.  Smiley

MrWDunne
Sr. Member
****
Offline Offline

Activity: 322
Merit: 250


View Profile
April 23, 2014, 06:20:44 PM
 #9

This is insane. Even if you were hacked you shouldn't get any money back. This is ridiculous. This was either you or your friend. My bet is that this was you and you hoped that they would refund you after seeing this on bitcointalk.

Rulishix
Sr. Member
****
Offline Offline

Activity: 406
Merit: 250


View Profile
April 23, 2014, 06:25:13 PM
 #10

Gotta go with the crowd on this one. MintPal has been amazing in terms of support and they are right in this case. I was hacked before and it is not pleasant but there are simple steps that we can take to prevent it. Make sure you secure your account if you're gonna put money in it. Sorry for your loss.
KaChingCoinDev (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
April 23, 2014, 08:31:29 PM
 #11

Hello all!

I understand what you are all saying. I know for a fact I am not lying, but I understand if you think I am. I am just looking to watch out for other people, and that is why I posted this. If you do not want to believe, suit yourself.

Personal answer to each of you:

coiner8:

Chose what you want to believe. I know for a fact that I was the only one on that computer, and I did not enter the trade.

Wolf_Pack:

Security issue? Look at the news at the top of this site.

Quote
♦ Due to the OpenSSL heartbleed bug, changing your forum password is recommended.

I got hit by that before I was able to change it.

Bit_Happy:

Suit yourself!

MrWDunne:

That is not true, but believe what you want.

Rulishix:

I believe this was a server error on there end, but yes, I agree.

MrWDunne
Sr. Member
****
Offline Offline

Activity: 322
Merit: 250


View Profile
April 23, 2014, 09:35:32 PM
 #12

Hello all!

I understand what you are all saying. I know for a fact I am not lying, but I understand if you think I am. I am just looking to watch out for other people, and that is why I posted this. If you do not want to believe, suit yourself.

Personal answer to each of you:

coiner8:

Chose what you want to believe. I know for a fact that I was the only one on that computer, and I did not enter the trade.

Wolf_Pack:

Security issue? Look at the news at the top of this site.

Quote
♦ Due to the OpenSSL heartbleed bug, changing your forum password is recommended.

I got hit by that before I was able to change it.

Bit_Happy:

Suit yourself!

MrWDunne:

That is not true, but believe what you want.

Rulishix:

I believe this was a server error on there end, but yes, I agree.



Why do you feel that yourself being hacked entitles you to a reimbursement of any sorts?

KaChingCoinDev (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
April 23, 2014, 09:36:28 PM
 #13

Hello all!

I understand what you are all saying. I know for a fact I am not lying, but I understand if you think I am. I am just looking to watch out for other people, and that is why I posted this. If you do not want to believe, suit yourself.

Personal answer to each of you:

coiner8:

Chose what you want to believe. I know for a fact that I was the only one on that computer, and I did not enter the trade.

Wolf_Pack:

Security issue? Look at the news at the top of this site.

Quote
♦ Due to the OpenSSL heartbleed bug, changing your forum password is recommended.

I got hit by that before I was able to change it.

Bit_Happy:

Suit yourself!

MrWDunne:

That is not true, but believe what you want.

Rulishix:

I believe this was a server error on there end, but yes, I agree.



Why do you feel that yourself being hacked entitles you to a reimbursement of any sorts?


I don't feel I was hacked. I think this was a server error on there end.
MrWDunne
Sr. Member
****
Offline Offline

Activity: 322
Merit: 250


View Profile
April 23, 2014, 09:39:08 PM
 #14

Hello all!

I understand what you are all saying. I know for a fact I am not lying, but I understand if you think I am. I am just looking to watch out for other people, and that is why I posted this. If you do not want to believe, suit yourself.

Personal answer to each of you:

coiner8:

Chose what you want to believe. I know for a fact that I was the only one on that computer, and I did not enter the trade.

Wolf_Pack:

Security issue? Look at the news at the top of this site.

Quote
♦ Due to the OpenSSL heartbleed bug, changing your forum password is recommended.

I got hit by that before I was able to change it.

Bit_Happy:

Suit yourself!

MrWDunne:

That is not true, but believe what you want.

Rulishix:

I believe this was a server error on there end, but yes, I agree.



Why do you feel that yourself being hacked entitles you to a reimbursement of any sorts?


I don't feel I was hacked. I think this was a server error on there end.

The support gave you session information, including the user agent and the exact data and time that the requests were sent. If this was serverside the requests would not have been sent.

KaChingCoinDev (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
April 23, 2014, 09:44:39 PM
 #15

Hello all!

I understand what you are all saying. I know for a fact I am not lying, but I understand if you think I am. I am just looking to watch out for other people, and that is why I posted this. If you do not want to believe, suit yourself.

Personal answer to each of you:

coiner8:

Chose what you want to believe. I know for a fact that I was the only one on that computer, and I did not enter the trade.

Wolf_Pack:

Security issue? Look at the news at the top of this site.

Quote
♦ Due to the OpenSSL heartbleed bug, changing your forum password is recommended.

I got hit by that before I was able to change it.

Bit_Happy:

Suit yourself!

MrWDunne:

That is not true, but believe what you want.

Rulishix:

I believe this was a server error on there end, but yes, I agree.



Why do you feel that yourself being hacked entitles you to a reimbursement of any sorts?


I don't feel I was hacked. I think this was a server error on there end.

The support gave you session information, including the user agent and the exact data and time that the requests were sent. If this was serverside the requests would not have been sent.

Records can malfunction, they can be forged.

I am not saying this is what happened, but the agent could have been lying.
Mk2vr6
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
April 24, 2014, 03:01:44 AM
 #16

Just hold your WC.

Give it a few weeks, and be glad that you accidentally pressed the button.
grifferz
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
April 25, 2014, 06:54:50 PM
 #17

So you're saying that:

  • someone, either an attacker or insider at MintPal has come up with a way to do transactions on behalf of customers
  • it's sophisticated enough to tamper with their server logs to the point of inserting the same user agent that the customer normally uses
  • their attack happens only at the times when the customer is actually logged in
  • they used this tool to steal… 0.06BTC?

Assuming you and your friend are 100% honest then don't you think it is far more likely that your browser is infected with some sort of malware that automatically kicks off transactions and withdrawals?

Anything else implies a lot of effort or a conspiracy for very very little reward.

If more people start popping up with similar stories then it could be more likely that there's something wrong at MintPal, but until then in my opinion the balance of probability is something like this in order of decreasing likelihood:

  • You made a mistake and are now lying about it
  • Your friend did the trade
  • Your friend's computer is compromised with something that your antivirus doesn't detect
  • MintPal's software is buggy and they are inventing logs to cover this up
  • MintPal has an insider doing fraud and they are inventing logs to cover it up
  • MintPal was compromised by an outside attacker and they are inventing logs to cover it up

I appreciate that you say #1 and #2 are completely impossible and that you believe that #3 is not the case, but unless other people are also experiencing similar issues then anything but #1-#3 seems very unlikely.

It's good that you reported it here though as it's probably the only way that people experiencing similar issues will ever find out that they're not alone.
KaChingCoinDev (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
April 25, 2014, 09:26:02 PM
 #18




Quote
someone, either an attacker or insider at MintPal has come up with a way to do transactions on behalf of customers

Well, all they need is access to the database and the logs. They access the Database, find the password, log in, and complete the trade. They then log out, change the logs, and they are done.

Quote
it's sophisticated enough to tamper with their server logs to the point of inserting the same user agent that the customer normally uses

Copy and paste from the previous log. Not that hard.

Quote
their attack happens only at the times when the customer is actually logged in

Two things could of happened here:

I logged in, and they were watching and completed the trade
They logged in and then changed the records to show I logged in

I could of logged in, I was off and on at that time, but either way.
Quote
they used this tool to steal… 0.06BTC?

Yes, a small amount, but it could be:

They were testing it on a smaller amount
Proof of Concept


Quote
You made a mistake and are now lying about it

Well, I would of complained about my loss on BC that was almost double that. I take full responsibility for that, because I placed the trade.
Quote
Your friend did the trade
Possible, but my friend does not know anything about Cryptocurrencies.
Quote
Your friend's computer is compromised with something that your antivirus doesn't detect
Possible, but Bitcoin related malware, on a computer's first time use for Crypto related stuff?

Quote
MintPal's software is buggy and they are inventing logs to cover this up

Possible, but I think the logs were real and they were compromised.
Quote
MintPal has an insider doing fraud and they are inventing logs to cover it up

This is what I think, but that the logs exist and they were compromised.
Quote
MintPal was compromised by an outside attacker and they are inventing logs to cover it up
Possible, but I think the logs were real and they were compromised.
Quote
It's good that you reported it here though as it's probably the only way that people experiencing similar issues will ever find out that they're not alone.

Thanks  Wink Also, if it was a MintPal employee, if they see this it might scare them away from doing another "trade".


dave111223
Legendary
*
Offline Offline

Activity: 1190
Merit: 1001


View Profile WWW
April 26, 2014, 12:29:47 AM
 #19

Quote
someone, either an attacker or insider at MintPal has come up with a way to do transactions on behalf of customers

Well, all they need is access to the database and the logs. They access the Database, find the password, log in, and complete the trade. They then log out, change the logs, and they are done.


This is so dumb that didn't bother reading the rest; you have obviously never been near the backend of any kind of web application or you'd know that:

A) Passwords are never stored in plain text, especially in a high security situation such as a bitcoin exchange.

B) If "all they had" was direct access to the database...why would they need your password?  And why would they do a single trade on your account with amounted to losing you what like $20??

If the hackers had direct access to the database they could (or at least attempt to) clear out your entire balance and everyone else on the system.
They basically could do anything they want with your account without having to login or need your password.

I really hope such a thing as "KaChingCoin" does not actually exist if you are the "dev" for it.
KaChingCoinDev (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
April 26, 2014, 01:08:47 AM
 #20



Seriously, if this is so "dumb", why reply posting? Plus, I am a developer, and I have been near backends. Anybody with an IQ of over 100 and access to the database could do this. If you would of read the rest, maybe you could answer B
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!