Bitcoin Forum
Author Topic: BitPiggy - bank account locked (again) 16th May 2012  (Read 4725 times)
BitPiggy (OP)
May 16, 2012, 06:00:45 PM
 #1

Hi,

We regret to inform you our bank account has been locked once again, due to what are likely stolen funds sent our way.

As our account is locked, I cannot transfer funds out nor see who has paid for orders, effectively putting a hold on buy/sell orders.

At this stage I was only able to talk to an operator at UBank (my bank) who could not tell me more details. As it is early morning in Australia, I have to wait until ~9am NSW time before I can talk to an actual account/security person.

I will keep you posted when I know more.

Cheers,
~Mat

http://BitPiggy.com: Australian Dollars (AUD) to BitCoin exchange
@bitpiggy

Me: Ruby on Rails developer, 12+ years programming experience.
@matholroyd, http://www.linkedin.com/in/matholroyd
BitPiggy (OP)
May 17, 2012, 03:14:54 AM
 #2

Our bank account is supposedly unlocked now, but the actual bank's website is now down (UBank), so we're still unable to fulfil orders.

The site only says they'll "be back up and running soon".

We apologise for the ongoing delays.

Kind regards,
~Mat

mem
May 17, 2012, 05:32:56 AM
 #3

Our bank account is supposedly unlocked now, but the actual bank's website is now down (UBank), so we're still unable to fulfil orders.

The site only says they'll "be back up and running soon".

We apologise for the ongoing delays.

Kind regards,
~Mat

Hope it all gets sorted soon Mat :)

Stolen funds or stolen btc ?

brendio
May 17, 2012, 05:36:08 AM
 #4

Stolen funds or stolen btc ?
I don't think BP's bank would be too concerned about stolen bitcoins. Stolen fiat funds transferred through the banking system are of concern, since they can be reversed, leaving the receiving bank or the receiving bank customer out of pocket.

BitPiggy (OP)
May 17, 2012, 06:07:53 AM
 #5

Hi all,

Our UBank account has been unlocked again, and we've successfully processed pending buy and sell orders (that have been paid).

For the moment I'll keep the site disabled, while I figure out how to prevent further attempts by hackers sending stolen funds our way.

Thanks for your support,
~Mat

miernik
May 17, 2012, 10:07:57 AM
 #6

It's interesting how this can happen in Australia (and happens so often to all exchanges), that stolen funds are sent with bank transfers?

Is it funds from accounts accessed with passwords grabbed by keylogger/phishing?

If so, how does this happen? Are there banks in Australia which allow transfers to be sent online without one-time code two-factor authentication (like SMS-code, hardware token, one-time codes on paper list)? Because in Europe I haven't yet seen a bank which allows transfers to a third-party account to be sent without one of these one-time code authentication methods for the transfer, or at least once for the account number to transfer to.

Can you shed some light on how Australian banking works?

And what are the liability/burden-of-proof rules?

Because for example in Poland, if a transfer is being made online from a customer's bank account, it is deemed to be made by the account owner, because only he has the authentication codes, and it is his deed to protect them. If he unwillingly discloses them to someone, it is HIS fault, and the bank will NOT reverse his transfers if he then goes to the bank and says "I didn't do these, someone must have hacked into my account". Such an explanation is not valid, banks reject such claims. I know from press reports of the (very few) cases when the account owner disclosed his one-time codes to the hacker. The bank did not believe him and did not give back his money. If from a customer's bank account a transfer was made authorized with a one-time code - that's proof that the customer did it (or someone authorized by him, even if unwillingly - he is still liable). That's how it is in Poland. Maybe that's why the two largest exchanges (MtGox and Intersango) both have their accounts in Poland, and keep them without problems, without a single case of an account being locked ever since they started using these accounts last year.

Does authentication and liability work differently in Australia?

BitPiggy (OP)
May 17, 2012, 05:00:21 PM
 #7

Hope it all gets sorted soon Mat :)

Stolen funds or stolen btc ?

Thanks for the support. Mostly sorted now.

As for what was stolen, someone else's bank account was hacked. BitPiggy was not hacked.

~Mat

BitPiggy (OP)
May 17, 2012, 05:17:43 PM
 #8

It's interesting how this can happen in Australia (and happens so often to all exchanges), that stolen funds are sent with bank transfers?

Is it funds from accounts accessed with passwords grabbed by keylogger/phishing?

If so, how does this happen? Are there banks in Australia which allow transfers to be sent online without one-time code two-factor authentication (like SMS-code, hardware token, one-time codes on paper list)? Because in Europe I haven't yet seen a bank which allows transfers to a third-party account to be sent without one of these one-time code authentication methods for the transfer, or at least once for the account number to transfer to.

My bank unfortunately has not given me any details, but that could be because they themselves don't know - in both this case and the previous case, I believe a user account from another bank was hacked.

As for how the hacker did it, I assume it was an account with no 2nd level of authentication. I have several bank accounts, and two of them don't require a 2nd level of authentication for sending small amounts (e.g. up to $500 AUD).

As for how they got past the 1st level of authentication, the NAB (one of the largest banks in Australia) has terrible level 1 authentication - the 'username' for logging in is a "customer code" that is printed on each debit/credit card they give to a customer (so anyone who holds the card for a few seconds could remember it if they wanted - they are only about ~8 digits long) while the password must be 6-8 alphanumeric characters. You cannot make your password longer, or use characters besides alphanumeric.

That said, I suppose it is more likely the hacker used a keylogger or engaged in phishing.

Can you shed some light on how Australian banking works?

And what are the liability/burden-of-proof rules?

Because for example in Poland, if a transfer is being made online from a customer's bank account, it is deemed to be made by the account owner, because only he has the authentication codes, and it is his deed to protect them. If he unwillingly discloses them to someone, it is HIS fault, and the bank will NOT reverse his transfers if he then goes to the bank and says "I didn't do these, someone must have hacked into my account". Such an explanation is not valid, banks reject such claims. I know from press reports of the (very few) cases when the account owner disclosed his one-time codes to the hacker. The bank did not believe him and did not give back his money. If from a customer's bank account a transfer was made authorized with a one-time code - that's proof that the customer did it (or someone authorized by him, even if unwillingly - he is still liable). That's how it is in Poland. Maybe that's why the two largest exchanges (MtGox and Intersango) both have their accounts in Poland, and keep them without problems, without a single case of an account being locked ever since they started using these accounts last year.

Does authentication and liability work differently in Australia?

I suspect banks in Australia would be more lenient, and I think banks are liable for lost funds due to hacking. I'm not sure though, and I'm not sure what proof you would have to show.

Poland's attitude sounds more mature - banks put the responsibility on the users, who in turn would be motivated to seek out banks that have good security. In Australia I believe the law is such that banks are required to cover users' losses due to hacking, which I think makes users complacent about security.

miernik
May 18, 2012, 02:24:01 AM
 #9

For the moment I'll keep the site disabled, while I figure out how to prevent further attempts by hackers sending stolen funds our way.

You can do it quite easily: for each bank account the user wants to fund BitPiggy FROM, the user would have to authenticate it first. Authentication would happen in such a way: you will send a very small transfer TO that account, with such a thing in the "reference" field:

"Use this code on www.bitpiggy.com to allow funding the account of user miernik on BitPiggy.com from this bank account: KJ1TH78Z"

And then make a delay of however long you think it takes for a person to discover his bank account was hacked (a week, a month); only after this amount of time has passed will that bank account be authenticated to send funds to BitPiggy (forever), to the account of that user on the site.

You could also ask trusted people, friends, etc. having accounts at different banks in Australia how the authentication works, and only allow the first transfer from a given bank account to be such that it must have gone through 2nd-factor authentication. If some bank allows <500$ transfers without it, then the first transfer from an account in that bank must be >500$. If the user does not want to deposit that much, he can withdraw the remaining amount right away. Simple.


BitPiggy (OP)
May 18, 2012, 02:42:32 AM
 #10

Hello again,

We have been informed that several other instances of stolen funds being sent our way have been discovered.  Our account has once again been locked (third time), and we've been informed that we should be prepared for the possibility of our bank (UBank) shutting down our account.  At the very least, we want to move away from UBank as the account we are using is not a proper business account.

Any pending orders are thus currently held up. At this stage I do not have an ETA for when we will be able to get access to our account to process these orders.

As for opening up another, proper business account, that will likely be at least several days away at the earliest.

My apologies for the delays.
~Mat




Cluster2k
May 18, 2012, 03:16:49 AM
 #11

I've used BitPiggy a few times over the past year and always found the site to be reliable.  I hope it comes back soon.

Does UBank know your account is associated with bitcoin?  I wonder if they would suspend anyone's account if it received stolen funds, or whether UBank was more keen here simply because of the associated money laundering risks with bitcoin?
frograven
May 18, 2012, 03:29:26 AM
 #12

I've used BitPiggy a few times over the past year and always found the site to be reliable.  I hope it comes back soon.


same here!
miernik
May 18, 2012, 03:36:45 AM
 #13

More ideas: don't show your account number to the customer in the system. Require the customer to enter HIS account number in the system first. And then you send a small sum (0.01 or something) to that account with the message about BitPiggy in the reference, and then the customer will find out your bank account number only from his bank transaction history.

And don't just enable customers to deposit from any bank. Enable banks one-by-one after analyzing that bank's security of outgoing transfers (does it have 2-nd factor authentication). So make an exclusive list of banks you accept transfers from (after checking their security). If someone doesn't have an account at one of these banks on your list, then he can just open one there - simple.
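
The source-account check outlined in posts #9 and #13 above, sketched in Ruby as an added example that is not part of the thread or BitPiggy's code. The class, method and bank names, the 14-day hold and the three-attempt limit are all assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Added illustration; class, constant and bank names are hypothetical.
class SourceAccountVerifier
  ALLOWED_BANKS = %w[BANK_A BANK_B].freeze # placeholder: banks vetted for 2FA on outgoing transfers
  HOLD_SECONDS  = 14 * 24 * 3600           # assumed time for an owner to notice and report fraud
  MAX_ATTEMPTS  = 3
  ALPHABET      = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789".chars.freeze # no 0/O/1/I
  Record        = Struct.new(:user, :digest, :sent_at, :attempts, :confirmed)

  def initialize(secret = SecureRandom.bytes(32))
    @secret  = secret
    @records = {} # [bank, account] => Record; one site user per bank account
  end

  # Step 1: the user declares the source account. The returned code goes in the
  # reference field of a small transfer TO that account, never on the website.
  def start(user, bank, account, now: Time.now)
    raise ArgumentError, "bank not on allowlist" unless ALLOWED_BANKS.include?(bank)
    existing = @records[[bank, account]]
    raise ArgumentError, "account bound to another user" if existing && existing.user != user
    code = Array.new(8) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
    @records[[bank, account]] = Record.new(user, mac(code), now, 0, false)
    code
  end

  # Step 2: the user types in the code read from the bank statement.
  def confirm(user, bank, account, code)
    rec = @records[[bank, account]]
    return false if rec.nil? || rec.user != user
    return rec.confirmed if rec.confirmed || rec.attempts >= MAX_ATTEMPTS # done, or locked out
    rec.attempts += 1
    rec.confirmed = constant_time_eq?(rec.digest, mac(code.to_s.strip.upcase))
  end

  # Step 3: deposits count only from a confirmed account, and only once the hold
  # (measured from when the micro-transfer was sent) has elapsed.
  def deposit_allowed?(user, bank, account, now: Time.now)
    rec = @records[[bank, account]]
    !rec.nil? && rec.user == user && rec.confirmed && (now - rec.sent_at) >= HOLD_SECONDS
  end

  # The real owner saw an unexpected micro-transfer and reported it.
  def revoke(bank, account)
    !@records.delete([bank, account]).nil?
  end

  private

  def mac(code)
    OpenSSL::HMAC.digest("SHA256", @secret, code) # store a keyed digest, not the code
  end

  def constant_time_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Someone who controls a compromised bank account can still read the code from its statement, so the hold and `revoke` carry the weight here: the reference text on the micro-transfer is what gives the real owner a chance to notice and report before any deposit is honoured.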


slothbag
May 18, 2012, 06:07:11 AM
 #14

What about two bank accounts.. one for customers who have been using the site for > 6 months and one for newbs.. that way when the newb account gets frozen the regulars are not inconvenienced.
Rodyland
May 18, 2012, 09:03:26 AM
 #15

That your account can be frozen (twice) because people claim that their accounts have been hacked and money sent to you is ridiculous.  If that happened to me I'd be absolutely stuffed - every single payment I send and receive, from rent to insurance to school fees, not to mention receiving my salary, goes through my account. 

I hope you get back up and running ASAP.

Beware the weak hands!
1NcL6Mjm4qeiYYi2rpoCtQopPrH4PyKfUC
GPG ID: E3AA41E3
zhoutong
May 19, 2012, 04:06:45 AM
 #16

Will BPay solve the problem?

I'm not experienced with the Australian banking system but my business banker says domestic bank transfers have fewer chargeback problems than international wire transfers. Well, I don't seem to agree with that.

Perhaps cheque via mail is a good solution too, if online banking is that unsafe. It will take a longer time though.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
BitPiggy (OP)
May 23, 2012, 05:05:40 PM
 #17

Hi all,

Just an update. UBank has still not unlocked our account. I have been calling them every day to get an update, and all they say is they can see it's being reviewed by management.

As before, all pending orders are still on hold until our account is unlocked.

Thanks for your continuing patience.

~Mat

BitPiggy (OP)
May 25, 2012, 04:50:18 AM
 #18

Another update- we just got off the phone to the NAB's efraud department (they handle the efraud for NAB and UBank), and they have instructed UBank to unlock the BitPiggy account. They said it should happen some time today, though they indicated it may take until near the close of business, Australia time.

Once we gain access, we will process any pending orders.

Creating new orders however will still be on hold for the time being.

FYI, we are currently in the process of setting up other, more appropriate bank accounts (we had been using a high-interest personal savings account vs a normal business account). The efraud department of the NAB has told me their policy regarding business accounts that receive stolen funds is generally they do not lock the account, but the business may have to bear the cost of accepting the stolen funds. Hence BitPiggy will still need to change its operations.

At the moment I am considering:

1) Accepting cash deposits (with proof of cash deposit, a.k.a. SpendBitcoins style of submitting photo of receipt).
2) Accepting bank-to-bank transfers as per normal, but with added measures to deter hackers sending stolen funds. Obviously the experience should be as unobtrusive as possible, and yet it needs to change. Methods I have thought of boil down to 2 distinct types of deterrence:

A. Prevent thief receiving bitcoins in the first place.
B. Punish thief after they have received bitcoins.

For A
i) Delay sending of bitcoins, to give banks enough time to report stolen funds. Considering it took ~10 days for UBank to tell me stolen funds had been sent my way, this doesn't sound feasible.
ii) Only serve people who have successfully made orders in the past. This works for old users, but doesn't help legitimate new people.

For B
To punish a hacker, knowing their identity (or some link to it) is useful, as one can either destroy their reputation, or hand over identity details to police. Note BitPiggy doesn't want to know people's details, yet identification is a common tool to deter crime.
iii) Require proof of reputation. The Bitcoin-OTC looks interesting, but it doesn't look like many people use it. Other things? Maybe people could vouch for other people, give invites.
iv) Require some form of online identification.  E.g. facebook/twitter/linkedin/google/ebay/etc account. Would need to check the account used looks legitimate.
v) Require some form of offline identification. E.g. passport/driver's license/utility bills. Not particularly interested in doing this.

One other thing I could do:
vi) Report the bitcoins as tainted. I suspect this wouldn't have much impact, for the moment anyway.

Anyways, that's what I'm thinking for the moment. Suggestions/comments welcomed.

Cheers,
~Mat

edd
May 25, 2012, 05:09:38 AM
 #19

I would suggest using more than one of the options you listed to varying degrees. Put new users into different categories based on what information they are willing to provide.

Best - If they don't mind providing offline documentation to verify their identity and are vouched for by an existing user, allow large deposits and withdrawals ASAP.

Next Best - Vouched for by another but want to remain somewhat anonymous, allow only limited deposits/withdrawals for a probationary period.

Riskiest - No referrals and no ID, mandatory waiting period for any withdrawals.

Still around.
mem
May 25, 2012, 05:54:12 AM
 #20

Good stuff, hope to see you back to BAU soon :)
