- It's not asking for the account password. Anyone who knows the usernames (and we can assume the attacker has a copy of the database) can submit a fake claim, and at the very least delay the real claim.
They don't know your password. They can't verify your password except by using the same hashing and salt again, which would be stupid since hackers could then replicate it.
So for all intents and purposes bitcoinica doesn't have your password any more.
What? They don't need my password literally. They have my password hash, which even someone with a copy of the database can't turn into the actual password. Therefore to verify I am who I say I am, I supply my password (just like when I logged in normally), it is then hashed and compared with what is in the database. This is the only
piece of information that the hacker with a copy of the database cannot supply. Therefore every other request on the claim form is validating only that I am either (a) the genuine owner or (b) someone who had access to the database. Since that (b) group is no longer limited to "Bitcoinica Staff", it should be considered untrustworthy.
- If the attacker had access to the database, how does any of the information asked for demonstrate my real identity?
This is why you have to verify your email. It's critical now. And that's why they need your phone and real name now without exception. And transfers would have to match it. Tough luck, they cannot reasonably go about it any other way.
Since I didn't give them my phone and real name, what are they going to compare it against? If I had given them, the hacker would have them too.
- It asks for real name and phone number. I never gave bitcoinica that information in the first place (that bit of paranoia has paid off). No advice is on the page for people in that position.
Well, they need it now. See above.
The hacker can supply anything he wants; since I didn't give them, there is no way to verify that anything supplied on the claim form really is from me. In fact, all this does is open up a hole for a hacker to put somebody else's name on my account.
I do accept that if my name and phone number were already in their database, then my providing ID would (probably) prove me the owner. Given that it isn't though, provision of an ID would not prove anything.
- EXACT balances are requested, but if you supply exact balances it rejects the request saying "give only two decimal places". It's not EXACT any more then is it?
- Rejecting EXACT balances of more than two decimal places is pretty bad; but no advice is given as to whether the two decimal places you supply should be rounded up or down from your exact balance. If I have 10.009 BTC is that "EXACT"ly 10.01 or 10.00?
Won't this be checked manually? just give your best guess man, and if you think it's accurate to the cent, choose "exact".
Obviously that's what I did. I'm not a moron. My complaint is that it's hardly "exact" is it? It also makes it harder for an automated system to compare the claim against the database. Meaning more manual work than is necessary. Without guidance, I don't know if the automated system is going to look for EXACTly the rounded version, or EXACTLY the truncated version. When that fails, that adds more manual work for them, and more delay to my access. Why couldn't they just say that, or better yet, make the computer do the computer work of rounding/truncating and simply accept whatever I enter in the field?
- Given that there was a complete database compromise -- exactly what is it that you're achieving with all this nonsense? Assuming you kept the passwords hashed, then the only bit of information that can be used to verify the owner that is possibly not compromised is the real owner's knowledge of the unhashed password.
If they really had them hashed, they don't have them unhashed anywhere. They better not, anyway.
As above, it's perfectly possible to verify that I know the password given they know just the hash. How do you think the login system has been working? The reason I added "possibly" is because there was nothing to stop the attacker altering the site code to store the unhashed password as well for everyone that subsequently logged in. We can only hope that the breach didn't last long enough for that to happen.
In your case, you didn't give them your info (good idea) but you did keep a quantity of money there (bad idea). How can they tell you apart from a hacker who has the same password info as they have? they can't. All they can do is a best effort and proof of email
You've raised this point again. I'm not sure you understand how a hashed password system works. The attacker only has the password hash, not the password. There is no way to go from that compromised hash to the password. Therefore the attacker cannot supply any phrase that, when hashed, produces the database hash. I can, because I know my password. That is how they can tell me apart from the hacker. That is the only
way they can tell me apart from the hacker -- so why ask for any of the other information?
As I said: the account email was already verified when I registered. Other than checking that I still own it (and they were happy I did a week ago), what purpose does verification serve? Either the email in the database is untouched, in which case it's still as valid as it was last week; or the hacker altered it, in which case the verification doesn't prove anything.
One would hope that the first thing they did was compare the database at time of compromise with a recent backup. That will tell them whether the emails have been tampered with. If they haven't then the emails are valid and don't need verifying.
ownership should be enough in many cases, together with the fact that a hacker won't try and give their real info to get money out of there using the claim procedure. The rest of the "nonsense" is not to tell you apart from one of the hackers, it's to tell you apart from some other person who might want your money, other than the hackers, using stolen identities.
Again: every other person who might want my money doesn't know my password. Just as when the site or any site is live: that is the only thing that stands between them and my money. Given that all the other information is most likely compromised, it proves my identity not one bit. Hence, it's "security theatre".
- My email was verified when I registered the account -- what possible purpose is there in verifying it again?
See above. Email ownership is now critical. If you have a significant amount in your account, it's probably a good moment to change your email password from a properly secured computer, before filing up the claim.
Email ownership was already proved. Proving it again has just given another chance at catching an unencrypted email to attackers.
Why would changing the email password help? If it's secure already, it's fine. Why would doing it before the claim help, is the claim process going to publicly release my email? Mindlessly changing passwords, is just more security theatre.