Bitcoinica MtGox account compromised

[rjk]

I recently had a debate with someone whose current job position is "security architect" (my own background is in crypto and security, but I don't work with it today) who didn't like our choice of 128 bit UUIDs as authentication tokens in URLs. He believed we should add a unique string for our specific service in front of the UUID, to lessen the risk for clashes with other services.

Oh derp, I just rolled my eyes out of my head. 
The UU in UUID stands for Universally Unique. And it is unique, unless some bonehead doesn't use any entropy.
"Security Architect" indeed.

[1714010114]

1714010114

[1714010114]

1714010114

[1714010114]

1714010114

[1714010114]

1714010114

[1714010114]

1714010114

[repentance]

The only reasonable crime you the authorities might possibly could charge them is extreme negligence, not theft. You don't have any evidence for theft except your suspicion that this is an inside job.

There should be a proper investigation before we can speak about charging somebody, or did you lose your rationality when you lost your money?

FTFY.

People can certainly file criminal complaints.  The extent to which those complaints are investigated and whether any investigations lead to criminal charges is another matter entirely and not determined by the complainants.  People's theories (including mine) about what happened are not evidence.

[MrTeal]

Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.

No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasable for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

A lot of people who should know better fail at understanding entropy. I recently had a debate with someone whose current job position is "security architect" (my own background is in crypto and security, but I don't work with it today) who didn't like our choice of 128 bit UUIDs as authentication tokens in URLs. He believed we should add a unique string for our specific service in front of the UUID, to lessen the risk for clashes with other services.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.

Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

[ErebusBat]

Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.

[sadpandatech]

Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.

Which brings me back to a question I had.  I should have just tested this by now but havn't had time. If you have lastpass installed on one computer and want to start using the same account on another. Does it load the passwords to the new computer when you validate there? (If so then the backdoor thing could work.) But what I was under the impression of, is if you want to use an account on another computer you had to export the saved passwords and physically place them on the new computer??  If that's the case it would have done our alleged hacker no good to just know the password..

[Sysrq]

Which brings me back to a question I had.  I should have just tested this by now but havn't had time. If you have lastpass installed on one computer and want to start using the same account on another. Does it load the passwords to the new computer when you validate there? (If so then the backdoor thing could work.) But what I was under the impression of, is if you want to use an account on another computer you had to export the saved passwords and physically place them on the new computer??  If that's the case it would have done our alleged hacker no good to just know the password..

You just need to install Lastpass on your new computer and enter your password. It will download your passwords from the encrypted server.

[MrTeal]

Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.

I'm not sure I follow this, the master password or at least it's hash must be sent to LP in order to log in. If, when you log into the website using your master password the webpage hashes the password and then sends the password to the server for verification that still leaves the website as an attack vector where the login could be sent plaintext to the attackers website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something on the way LastPass works?

[repentance]

Of course if the only place your passwords are recorded is on LastPass and LastPass itself suffers a catastrophic failure then things become interesting.

One problem is that it's often ridiculously easy to get new online credentials issued compared to how difficult it is to get new real world ID issued.  We need to stop believing that's a good thing.

[ErebusBat]

Of course if the only place your passwords are recorded is on LastPass and LastPass itself suffers a catastrophic failure then things become interesting.

One problem is that it's often ridiculously easy to get new online credentials issued compared to how difficult it is to get new real world ID issued.  We need to stop believing that's a good thing.

LastPass offers offline recovery tools you can use in that event, but you still need your password.

[ErebusBat]

Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.

I'm not sure I follow this, the master password or at least it's hash must be sent to LP in order to log in. If, when you log into the website using your master password the webpage hashes the password and then sends the password to the server for verification that still leaves the website as an attack vector where the login could be sent plaintext to the attackers website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something on the way LastPass works?

When you use the client I belive it downloads a nonce as part of the authentication rendering a replay attack improbable.

LastPass was not the weakness here.  The interesting point, which I have not seen anyone point out, would be:

Why on earth would anyone in their right mind select a UUID for a master password?  There are only two possibilities I can come up with:

1. They all knew it was the Mt.Gox key so they could copy/psate it anytime they needed.
2. They had the 'remember password' option selected in LP.

Why anyone that knows *anything* about security would think that either of those options was good is byond me.  They would have been worlds better by selecting a known phrase such as "We all live in a yellow submarine"  easily remembered and told over the phone, etc.

[Phinnaeus Gage]

2012-06-17 Claims Payments Specifics

Be sure to fillout the payment instructions section of the claim.
Failure to do so will significantly delay claims.

Once again, no update on Bitcoinica's website, the above being the latest. Are you telling me that everybody who was a client of Bitcoinica visits this forum to get the latest? That every single client of their's knows of the latest hack and that they are now looking at only a 66% refund or, worse, done?

Also, can somebody tell me why Intersango is a wise choice to store/invest hard-earned bitcoins. And before you go there, I feel that Intersango and Bitcoinica are not mutually exclusive.

~Bruno~

[sadpandatech]

Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.

I'm not sure I follow this, the master password or at least it's hash must be sent to LP in order to log in. If, when you log into the website using your master password the webpage hashes the password and then sends the password to the server for verification that still leaves the website as an attack vector where the login could be sent plaintext to the attackers website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something on the way LastPass works?

When you use the client I belive it downloads a nonce as part of the authentication rendering a replay attack improbable.

LastPass was not the weakness here.  The interesting point, which I have not seen anyone point out, would be:

Why on earth would anyone in their right mind select a UUID for a master password?  There are only two possibilities I can come up with:

1. They all knew it was the Mt.Gox key so they could copy/psate it anytime they needed.
2. They had the 'remember password' option selected in LP.

Why anyone that knows *anything* about security would think that either of those options was good is byond me.  They would have been worlds better by selecting a known phrase such as "We all live in a yellow submarine"  easily remembered and told over the phone, etc.

several of us have pointed out how minsguided it is to use any common indentifier as a password. I also find it hard to believe their big time fiancer Tihan, would not reconize it as being the API for their GOX acct. Them not changing it is no different thatn if the password had been one of their birthdays and not chaning it.

[dooglus]

Also, can somebody tell me why Intersango is a wise choice to store/invest hard-earned bitcoins. And before you go there, I feel that Intersango and Bitcoinica are not mutually exclusive.

They're currently having trouble with their bank account, leading to delayed deposits:

Metro Bank (UK)   2012-07-24 18:51 BST
While we were previously under the impression that the problems we were having with Metro bank were due to a technical issue on their end (as this has happened before), we have been told that our account activity is being reviewed and that we must be patient during this process. We have faith that our contact at Metro bank will properly investigate the matter. They have indicated that they do not require information from us at this time. The resolution time we were given was around 1 week, however this is just an approximation.

We apologise for the inconvenience this has caused our userbase. We are doing everything we can to resolve the problem as fast as possible. In the future, we may not be able to accept payments quite as fast anymore to prevent fraud however we will work hard to decrease our resolution times for issues and make the experience of purchasing and selling bitcoins as easy for the UK as possible.

We understand that many people have called Metro bank and Metro has told them that there is no issue. This is entirely incorrect. We believe it in not intentional it is simply that their support staff assumes that if there is not an issue affecting all accounts or a huge number of accounts at the bank that there is not an issue with our account.

[Phinnaeus Gage]

We understand that many people have called Metro bank and Metro has told them that there is no issue. This is entirely incorrect. We believe it in not intentional it is simply that their support staff assumes that if there is not an issue affecting all accounts or a huge number of accounts at the bank that there is not an issue with our account.

Does anybody here work closely with a bona fide banking representative that can call Metro Bank and directly inquire, semi-privately, the validity of the above?

Seems to me somebody is planning a vanishing act.

~Bruno~

[repentance]

We understand that many people have called Metro bank and Metro has told them that there is no issue. This is entirely incorrect. We believe it in not intentional it is simply that their support staff assumes that if there is not an issue affecting all accounts or a huge number of accounts at the bank that there is not an issue with our account.

Does anybody here work closely with a bona fide banking representative that can call Metro Bank and directly inquire, semi-privately, the validity of the above?

~Bruno~

There's not a legitimate bank on the planet which would confirm to outsiders that they're investigating activity on one of their customer's accounts.  Depending on the reason for the investigation, it could be seriously illegal to reveal that even to the customer concerned.

Intersango had previously posted that certain forms of withdrawal would be unavailable between 26 and 30 July.

It's not really clear whether their Metro bank account is now in a state of total limbo until the investigation into their account activity is completed.

Seems to me somebody is planning a vanishing act.

Or someone who's really pissed off over the Bitcoinica clusterfuck has decided to cause them as much grief as possible.

[LoupGaroux]

One can only speculate that one of the victims of their gross negligence (at the very least) might have threatened Metro Bank with action and forced them to hold funds until an investigation is undertaken. Certainly I would take that action, backed up with a proper legal notice that the funds they are holding in trust are being held criminally, and are currently the subject of a massive world-wide investigation of their enormous breach of their fiduciary responsibility to those they are holding the funds in trust for.

We seem to forget that these are not Bitcoinica's funds, or Intersango's funds, or Zhou's funds, or Tihan's funds. These were amounts, especially the US dollar deposits, that were being held in trust for the performance of certain promised exchange and transactional services. Violating that trust will pierce any veil of business obscurity, and if the company law of New Zealand is anything like the corporate laws in Nevada (the most pierce-proof jurisdiction on the planet) then there is no protection in place for these incompetents, and they will be found personally liable. Especially if someone undertakes to bring charges that can be investigated under US Law, which would include attempted criminal diversion, securities fraud, RICO, illegal operation of a gambling system online, tax evasion, confidence scheming, well the list gets ever longer.

And you can bet your last Satoshi that a bank would want to freeze assets involved in those kinds of charges. Hell, US banks held deposits belonging to the former Shah of Iran for 23 years on a simple memorandum sent to them by the State Department. Imagine how quick and high they will jump when presented with a subpoena?

Probably time to think about being the first kid on your block to file against these gangsters, and stop thinking about how you are going to double down and get rich when they just get past this one new speed bump. They are, quite simply, criminals by any definition of the word, and this will not end up happily for them, or their targeted victims.

[repentance]

One can only speculate that one of the victims of their gross negligence (at the very least) might have threatened Metro Bank with action and forced them to hold funds until an investigation is undertaken. Certainly I would take that action, backed up with a proper legal notice that the funds they are holding in trust are being held criminally, and are currently the subject of a massive world-wide investigation of their enormous breach of their fiduciary responsibility to those they are holding the funds in trust for.

More likely someone contacted the bank and told them that people were using it to launder funds, which immediately obligates the bank to investigate activity on the account. 

There's no "massive world-wide investigation" going on.  While it's possible that various international agencies will investigate some of the issues related to the Bitcoinica clusterfuck, it still won't be a "massive" investigation.  As businesses go, Bitcoinica is a piddly little one and it's total debts appear to be just over USD 1 million.  They may well end up being the first Bitcoin related business investigated for financial offences such as facilitating money laundering, facilitating tax evasion, etc but I can't think of any exchange which isn't at risk for that - let's face it, the Bitcoins which pass through Silk Road are being cashed out somewhere.  In fact, if the authorities choose to go down that route, they may do exactly what they did in regard to online gambling and hit everyone at once, shutting down the flow of funds.

[Phinnaeus Gage]

One can only speculate that one of the victims of their gross negligence (at the very least) might have threatened Metro Bank with action and forced them to hold funds until an investigation is undertaken. Certainly I would take that action, backed up with a proper legal notice that the funds they are holding in trust are being held criminally, and are currently the subject of a massive world-wide investigation of their enormous breach of their fiduciary responsibility to those they are holding the funds in trust for.

More likely someone contacted the bank and told them that people were using it to launder funds, which immediately obligates the bank to investigate activity on the account. 

There's no "massive world-wide investigation" going on.  While it's possible that various international agencies will investigate some of the issues related to the Bitcoinica clusterfuck, it still won't be a "massive" investigation.  As businesses go, Bitcoinica is a piddly little one and it's total debts appear to be just over USD 1 million.  They may well end up being the first Bitcoin related business investigated for financial offences such as facilitating money laundering, facilitating tax evasion, etc but I can't think of any exchange which isn't at risk for that - let's face it, the Bitcoins which pass through Silk Road are being cashed out somewhere.  In fact, if the authorities choose to go down that route, they may do exactly what they did in regard to online gambling and hit everyone at once, shutting down the flow of funds.

WOW! Simply, wow! It looks to me that if some regulatory body choose to do so, they can walk into any banking institute and demand to see the records of (I will use this example) Intersango. They can simply claim that a certain client of theirs with such-and-such Bitcoin address conducted some illegal transaction and that an investigation is warranted. This account is now closed until we finish our investigation. This could take a week. After a week goes by, they return with another concern of another address and the whole process starts anew, thus freezing the account indefinitely. Furthermore, during the interim, Intersango will not be allowed to open up another bank account in that country, and if incorporated there and choosing to open a bank account in some other country, their incorporation privileges will be revoked. I sure the hell would hate to be such a company in their shoes if such an event did occur.

~Bruno~

[repentance]

WOW! Simply, wow! It looks to me that if some regulatory body choose to do so, they can walk into any banking institute and demand to see the records of (I will use this example) Intersango. They can simply claim that a certain client of theirs with such-and-such Bitcoin address conducted some illegal transaction and that an investigation is warranted. This account is now closed until we finish our investigation. This could take a week. After a week goes by, they return with another concern of another address and the whole process starts anew, thus freezing the account indefinitely. Furthermore, during the interim, Intersango will not be allowed to open up another bank account in that country, and if incorporated there and choosing to open a bank account in some other country, their incorporation privileges will be revoked. I sure the hell would hate to be such a company in their shoes if such an event did occur.

~Bruno~

Sort of.  When the DoJ went after the online gambling providers, they went after the payment processors.  People's money was tied up for ages because the gambling providers didn't have enough reserves on hand to directly pay out people's balances (at least one of them had been co-mingling funds, but that's another story) - the money was in the bank accounts of the payment processors and those were frozen.  While many users did receive their deposits back, it demonstrated the extent to which payment processors are a weak link in the chain.

While it's possible that a regulator might choose to go after one particular exchange, it's just as likely that they'd do what they did with the online gambling drama and go after everyone at once.  There's no question that a sub-set of customers on every exchange are going to be using the exchange to launder money, evade taxes or commit other financial offences.  The offshore poker providers weren't actually breaking any laws in the jurisdictions in which they were licensed.  It pretty much came down to the DoJ having the power to disrupt their business indefinitely if they didn't play ball.  The Bitcoin exchanges are tiny compared to the online poker providers and its unlikely they'd win in a showdown with the US DoJ.

Loup is right that there are a number of US agencies which could really fuck up an exchange's shit pretty much regardless of where that exchange is located.  I just believe that once that particular can of worms is opened they are more likely to go after everyone than after just one exchange.

I'm not sure what the fines are for failure to comply with AML/KYC requirements in the US.  Here in Australia, the fine for either not reporting a transaction as required or reporting it late is up to $1.1 million for an individual and up to $22 million for a company.  A single transaction could have multiple reporting requirements attached to it, so you can get hit with more than one fine for a single transaction.  Big banks might be able to absorb those kinds of fines, but I doubt there's a Bitcoin exchange on the planet which can afford them at this time.

[proudhon]

When the DoJ went after the online gambling providers, they went after the payment processors.  People's money was tied up for ages because the gambling providers didn't have enough reserves on hand to directly pay out people's balances (at least one of them had been co-mingling funds, but that's another story) - the money was in the bank accounts of the payment processors and those were frozen.  While many users did receive their deposits back, it demonstrated the extent to which payment processors are a weak link in the chain.

This is a large part of why, despite my general bearishness, I've moved everything off the exchanges as bitcoins in offline wallets.  If MtGox, or any other exchange, is disrupted, at the very least I can get something OTC for the bitcoins or I can keep the value stored as bitcoins and use purchasing power that way.