Bitcoin Forum
December 08, 2016, 08:11:10 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Just got hacked and lost 65 bitcoins on bitdaytrade.com  (Read 2226 times)
dopamine
Sr. Member
****
Offline Offline

Activity: 471



View Profile
July 10, 2012, 02:00:27 AM
 #1

Looks like my account got compromised and I lost 65 bitcoins, I'm waiting for a reply. It was strange when I seen a request for a reset for a password, when I didn't even request that, knowing that something is up and I go home and look @ email and it says that a request for a withdrawal has occured 24 mins ago, when I never request any withdrawals. Now what?

Bitcoinica still has not given me 50% of my claim of 600 BTC
INTERSANGO can go down with bitcoinica for abandoning customers
Alberto Armandi is a SCAMMER
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
July 10, 2012, 02:03:26 AM
 #2

Change your e-mail password for starters...

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
dopamine
Sr. Member
****
Offline Offline

Activity: 471



View Profile
July 10, 2012, 02:34:31 AM
 #3

I changed my password on my email that is associated with that account, but whoa I'm amazed how this happen thank god it wasn't more than 100 bitcoins and I will take more precaution and maybe format my PC change all passwords. You can tell that bitcoins will be worth alot more than 30 bucks just for fact that people are out there trying to hijack accounts. Security of accounts and wallet needs to be in check specially if  the price of bitcoins is worth more than it is now....

Bitcoinica still has not given me 50% of my claim of 600 BTC
INTERSANGO can go down with bitcoinica for abandoning customers
Alberto Armandi is a SCAMMER
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
July 10, 2012, 02:40:09 AM
 #4

Did it have 2 factor authentication?

dopamine
Sr. Member
****
Offline Offline

Activity: 471



View Profile
July 10, 2012, 02:43:19 AM
 #5

yes it did but I never enable that feature, and I sad that I never used it Sad

Bitcoinica still has not given me 50% of my claim of 600 BTC
INTERSANGO can go down with bitcoinica for abandoning customers
Alberto Armandi is a SCAMMER
pekv2
Hero Member
*****
Offline Offline

Activity: 770



View Profile
July 10, 2012, 04:12:36 AM
 #6

https://lastpass.com/
http://keepass.info/

And as always, I recommend use a strong password and never use the same password for 2 or more accounts.

Lastpass encrypts all your data on your pc or mobile device before lastpast sends off it off to their servers and you only hold the key "master password" to all your saved passwords, notes and etc. I find this addon - application the best imo.

Keepass, is all saved encrypted with one master password on you pc. No cloud servers or nothing. If you use keepass, backup your file in a truecrypt container file on a cloud server like dropbox or as wuala encrypts data on your pc before it gets sent to wuala servers.

These are technique everyone should exercise.
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
July 10, 2012, 04:17:49 AM
 #7

yes it did but I never enable that feature, and I sad that I never used it Sad

You should!

Stephen Gornick
Legendary
*
Offline Offline

Activity: 2002



View Profile
July 10, 2012, 06:05:11 AM
 #8

I'm starting to wonder if instead of people's systems or e-mail accounts getting compromised that actually what is happening is that there is sniffing on the wire occurring.  

Presumably you received an e-mail previously from BitDayTrade (e.g., the initial confirm your account).

So let's say an evil admin at the hosting company where BitDayTrade sends e-mail from simply sniffs for email traffic (SMTP is sent clear text) and harvests the account e-mail addresses.

Then, after giving sufficient time for the account to become funded, fires off a "recover password" action which sends out an e-mail.

The admin sniffs the SMTP traffic and gets a link to reset the password.  Login, witdhraw, and done.

The sniffing is passive, so there would be little in the way of footprints.

The revcover password action and eventual login can be done from Tor, so there's no trail.

Plausible?

Or better, why are Bitcoin business architects creating this security vulnerability or allowing it to persist?  These links for regaining access to an account are like bearer instruments.  Whomever has access to the link has access to the account and all funds it contains.  Restricting withdrawal for at least a day after a password change should be standard practice, for one thing.

pekv2
Hero Member
*****
Offline Offline

Activity: 770



View Profile
July 10, 2012, 06:10:53 AM
 #9

I'm starting to wonder if instead of people's systems or e-mail accounts getting compromised that actually what is happening is that there is sniffing on the wire occurring.  

Presumably you received an e-mail previously from BitDayTrade (e.g., the initial confirm your account).

So let's say an evil admin at the hosting company where BitDayTrade sends e-mail from simply sniffs for email traffic (SMTP is sent clear text) and harvests the account e-mail addresses.

Then, after giving sufficient time for the account to become funded, fires off a "recover password" action which sends out an e-mail.

The admin sniffs the SMTP traffic and gets a link to reset the password.  Login, witdhraw, and done.

The sniffing is passive, so there would be little in the way of footprints.

The revcover password action and eventual login can be done from Tor, so there's no trail.

Plausible?

Or better, why are Bitcoin businesses architects creating this security vulnerability or allowing it to persist?  These links for regaining access to an account are like bearer instruments.  Whomever has access to the link has access to the account and all funds it contains.  Restricting withdrawal for at least a day after a password change should be standard practice, for one thing.


That is crazy if it is plausible. Quite frankly, it scares me when I read this.
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1092


Will read PM's. Have more time lately


View Profile
July 10, 2012, 06:55:57 AM
 #10

Always use a multifactor login, and NEVER reuse passwords.

My BTC Tip Jar: 1Pgvfy19uwtYe5o9dg3zZsAjgCPt3XZqz9 , GPG ID: B3AAEEB0 ,OTC ID: johnthedong
Escrow service is available on a case by case basis! (PM Me to verify I'm the escrow!)

markm
Legendary
*
Offline Offline

Activity: 1792



View Profile WWW
July 10, 2012, 07:47:19 AM
 #11

Financial sites don't actually send your password in cleartext in email, do they?

It seems pretty obvious that email is insecure, even if people ran their own mailservers in their own homes it would still need to be encrypted while in transit to be useable for things like passwords.

Even for things like sending you a one-time change-your-password session code that will expire five minutes after being sent it is insecure since anyone who sniffs it along the way can also quite likely slow it down to prevent you from even receiving it until the five minutes have already expired.

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
bitdaytrade
Full Member
***
Offline Offline

Activity: 226



View Profile
July 10, 2012, 12:20:43 PM
 #12

After a first audit, the server doesn't look under attack. Some users experienced password changes and most likely, they are victim of individual attacks. As a security measure, double check your computer with an updated antivirus,enable double factor authentication and choose a different password for each site you use. We sent you a mail regarding the issue mentioned in this thread.

davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
July 10, 2012, 12:30:35 PM
 #13

After a first audit, the server doesn't look under attack. Some users experienced password changes and most likely, they are victim of individual attacks. As a security measure, double check your computer with an updated antivirus,enable double factor authentication and choose a different password for each site you use. We sent you a mail regarding the issue mentioned in this thread.
While you're at it you may want to fix your e-mail validation, it thinks my username+filter@gmail.com address isn't valid.

kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
July 10, 2012, 12:55:06 PM
 #14

I just recently enable 2-key factor authentication on all my online balance bearing account. Big exception is operationfabulous since they don't support 2 factor authentication.

pekv2
Hero Member
*****
Offline Offline

Activity: 770



View Profile
July 10, 2012, 02:15:02 PM
 #15

I just recently enable 2-key factor authentication on all my online balance bearing account. Big exception is operationfabulous since they don't support 2 factor authentication.

I think in a few hours I will look into the 2-key factor for glbse.
unclemantis
Member
**
Offline Offline

Activity: 98


(:firstbits => "1mantis")


View Profile
July 10, 2012, 02:56:19 PM
 #16

https://lastpass.com/index.php
Use passwords with letters, numbers and special symbols. Generate passwords as long as the website you are signing up for can handle. I use generated passwords between the size of 30 characters and 50. Be sure to choose a master password that is easy for you to remember but hard to guess and brute force.

http://portableapps.com/apps/internet/google_chrome_portable/
Install this on a usb drive and install the chrome plugin for lastpass. ONLY visit websites that are bitcoin related using this. This will minimize contamination of the host computer by leaving your browsing information and history on the usb drive.

https://store.yubico.com/store/catalog/product_info.php?products_id=25&osCsid=973cdb9a5d62ca6b5618b6408c1f9e2b
Get a 2 factor authentaction device from above. This one works with LastPass. You get the Yubikey and a 1 year premium account with LastPass which allows you a lot more features than the free version.

http://www.sandisk.com/products/usb-flash-drives/cruzer-glide-usb-flash-drive
Get an 8 gig stick. Walmart sells them for 10 bucks.

http://www.sandisk.com/misc/secure-access
Install and activate encryption on your usb drive. Use the software that comes with the usb drive or find one that suits you. Make sure it is PORTABLE and doesn't rely on the host computer.

https://www.bitaddress.org
Generate a paper wallet and store your savings there. Find more information on this forum regarding paper wallets. Create a brain wallet if you want but store your bulk of coins you are not trading or spending offline. A SAVINGS IS A MUST. The value of Bitcoin is only going to go up so be sure to save!

http://ecdsa.org/electrum/
Use a thin client on your usb drive and use a password to encrypt the private keys. Use this as your spending address. Do NOT use web wallets. Your private keys are stored on some servers.

These are all the tools I use and what i have learned over the past year. And above all....

TRUST NO ONE! There is SOME trust you have to give but be cautious, use your brain, do not assume.

READ READ READ.

Good luck in the future! What is your payment address? I don't have a lot of coin but I can shoot some your way. Someone was nice to toss me coin when I lost some of mine in a scam. I know how it feels!!!!!

GOOD LUCK!

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?
KajiMaster
Member
**
Offline Offline

Activity: 76


View Profile
July 10, 2012, 03:02:59 PM
 #17

I think most business owners should add a pin number for withdrawing balances.  Would be easy to add and give extra security for the user.

-Kaji

If you like my post please donate! Me love you long time Smiley
1Nnc1eJkDpJV6HsSBJV2F4eAZoDJoKq5re

Be one of us and -=Join The Pyramid=-
http://bitcoinpyramid.com/r/2717

Buying & Selling Bitcoin For CA$H in the Kansas City area!
Buy: https://localbitcoins.com/ad/4023/
Sell: https://localbitcoins.com/ad/4025/
bitdaytrade
Full Member
***
Offline Offline

Activity: 226



View Profile
July 10, 2012, 03:13:22 PM
 #18

I'm starting to wonder if instead of people's systems or e-mail accounts getting compromised that actually what is happening is that there is sniffing on the wire occurring.  

Presumably you received an e-mail previously from BitDayTrade (e.g., the initial confirm your account).

So let's say an evil admin at the hosting company where BitDayTrade sends e-mail from simply sniffs for email traffic (SMTP is sent clear text) and harvests the account e-mail addresses.

Then, after giving sufficient time for the account to become funded, fires off a "recover password" action which sends out an e-mail.

The admin sniffs the SMTP traffic and gets a link to reset the password.  Login, witdhraw, and done.

The sniffing is passive, so there would be little in the way of footprints.

The revcover password action and eventual login can be done from Tor, so there's no trail.

Plausible?

Or better, why are Bitcoin businesses architects creating this security vulnerability or allowing it to persist?  These links for regaining access to an account are like bearer instruments.  Whomever has access to the link has access to the account and all funds it contains.  Restricting withdrawal for at least a day after a password change should be standard practice, for one thing.


We've just deployed email notifications when a withdrawal is requested, the execution is not real time and postponed by default, this should give time to react to an unauthorized account access.

dopamine
Sr. Member
****
Offline Offline

Activity: 471



View Profile
July 10, 2012, 03:33:22 PM
 #19

Ya still in shock that the site had a double login factor and I didn't use it, and my account got compromised and lost everything. Now I need to learn to backup a wallet for hardware failure and keep it offline and need to buy more bitcoin Smiley. Password reset request should raise some questions.

What is best practice to make sure your system is secure? currently using CrunchBang for my laptop and Ubuntu on main computer.

14T6m9frPvpSUNTRRNB8AVoJcxsqT8w5ae
Thanks in advance if you feel like sending me some bitcoins cheers Smiley

Bitcoinica still has not given me 50% of my claim of 600 BTC
INTERSANGO can go down with bitcoinica for abandoning customers
Alberto Armandi is a SCAMMER
bitdaytrade
Full Member
***
Offline Offline

Activity: 226



View Profile
July 10, 2012, 05:21:22 PM
 #20

Ya still in shock that the site had a double login factor and I didn't use it, and my account got compromised and lost everything. Now I need to learn to backup a wallet for hardware failure and keep it offline and need to buy more bitcoin Smiley. Password reset request should raise some questions.

What is best practice to make sure your system is secure? currently using CrunchBang for my laptop and Ubuntu on main computer.

14T6m9frPvpSUNTRRNB8AVoJcxsqT8w5ae
Thanks in advance if you feel like sending me some bitcoins cheers Smiley

Password reset alone is not a mean to obtain unauthorized access to an account. Chances are that your email account was compromised.
Our best practices encompass many security aspects. You can read more about it on our website. Email us for further questions. Thank you

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!