Topic: 2013-03-07 WIRED.COM Hackers Pull Off $12,000 Bitcoin Heist (Read 1430 times)

full member
Activity: 238
Merit: 100
How come it doesn't make world news when someone robs a local bank for $12 000?

Much worse happens more frequently. In the cyber currency world we have Bitcoin and the few that process it. With USD we have banks, card fraud, gas station robberies, druglords etc etc...

With USD this is the norm, with BTC it's some new big spectacle.

The majority of bank theft goes unreported by banks. They cover it up usually.
full member
Activity: 252
Merit: 100
How come it doesn't make world news when someone robs a local bank for $12 000?

Much worse happens more frequently. In the cyber currency world we have Bitcoin and the few that process it. With USD we have banks, card fraud, gas station robberies, druglords etc etc...

With USD this is the norm, with BTC it's some new big spectacle.
member
Activity: 91
Merit: 10
Unbelievable in this day and age. I was going to argue against Bitinstant, but by the looks of it, it's VirWoX that doesn't even offer 2FA? And apparently the password reset procedure doesn't require a security question or anything else, withdrawals aren't fixed to a specific address (or with time delay)...
Sheesh.

Is there really nobody who can do exchanges right?

"Reached Thursday, a VirWox representative said that the exchange has had multi-factor authentication since September 2012. “Bitinstant was not using it (they learned and do now),” the representative said in an email message."
full member
Activity: 238
Merit: 100
How come it doesn't make world news when someone robs a local bank for $12 000?
hero member
Activity: 924
Merit: 1001
Unlimited Free Crypto
OMG someone just mugged me and took my dollars because I was walking in a dark alley in a bad neighbourhood at 3AM, naked and screaming... I got money, I got money!

It must be a problem with this dollar currency.... let's dump the dollar........

Epic logic! :D
legendary
Activity: 2506
Merit: 1010
Wasn't the amount hacked before with places like MTGOX a lot higher? If so it seems that the security must be improving if they only managed to get such a small amount.

The attacker stole funds from BitInstant's account at VirWoX exchange.  VirWoX offers two-factor authentication (2FA) protection which BitInstant hadn't implemented (perhaps because VirWoX didn't offer 2FA at the time BitInstant first established their account with VirWoX).   Had BitInstant been using 2FA, the attacker would have gotten nada, zip, zilch ... just like was obtained from BitInstant's other exchange accounts the attacker tried to get at.

Now that doesn't mean with 2FA you are completely immune from risk, but the complexity of the attack just got exponentially more difficult -- the device where the 2FA (e.g., Google Authenticator) is used must be compromised as well.

Bitcoin users who store funds (either fiat like USD or bitcoins) should also be using two-factor authentication if they use an EWallet service.  Here's a list of EWallet providers who offer two-factor authentication:
 - http://bitcoin.stackexchange.com/questions/4113

[Edit: Apparently the domain registrar, Site5, doesn't appreciate the need for two-factor authentication:

Site5, and their insecure practices and questionable business ethics
 - http://joepie91.wordpress.com/2013/03/08/site5-and-their-insecure-practices-and-questionable-business-ethics ]
legendary
Activity: 1540
Merit: 1000
Wasn't the amount hacked before with places like MTGOX a lot higher? If so it seems that the security must be improving if they only managed to get such a small amount.
full member
Activity: 254
Merit: 100
I guess 2-factor by email @ gmail.com may be still the smartest idea :D
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
Bitinstant (and any others) need to look at Namecoin to secure their DNS ... or stuff like this will keep happening.

If you are going to trust the blockchain with your commercial success you will need to secure other entry points to your business with similar level security, imho.
legendary
Activity: 980
Merit: 1040
Unbelievable in this day and age. I was going to argue against Bitinstant, but by the looks of it, it's VirWoX that doesn't even offer 2FA? And apparently the password reset procedure doesn't require a security question or anything else, withdrawals aren't fixed to a specific address (or with time delay)...
Sheesh.

Is there really nobody who can do exchanges right?
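
Added example, not part of any post in this thread: a sketch of the withdrawal controls the post above lists (2FA, fixed payout addresses, time delays), using the RFC 6238 TOTP scheme that Google Authenticator implements. The `Account` fields, the reason strings and the 48 h / 24 h windows are assumptions chosen for illustration, not VirWoX's or BitInstant's actual policy.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, field
from typing import Optional

RESET_HOLD_SECONDS = 48 * 3600  # assumed policy: no withdrawals for 48 h after a password reset
NEW_ADDRESS_DELAY = 24 * 3600   # assumed policy: a new payout address matures for 24 h

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Account:                                  # hypothetical exchange account record
    totp_secret: Optional[bytes]                # None = 2FA never enrolled
    last_password_reset: int                    # unix time of the last reset
    payout_addresses: dict = field(default_factory=dict)  # address -> unix time added

def authorize_withdrawal(acct: Account, address: str, code: str, now: int):
    """Return (allowed, reason). Control of the account's email alone passes none of these."""
    if acct.totp_secret is None:
        return False, "2fa-not-enrolled"
    # Accept the current and the previous 30 s step to tolerate clock drift.
    if not any(hmac.compare_digest(totp(acct.totp_secret, now - d), code) for d in (0, 30)):
        return False, "bad-2fa-code"
    if now - acct.last_password_reset < RESET_HOLD_SECONDS:
        return False, "hold-after-password-reset"
    added = acct.payout_addresses.get(address)
    if added is None:
        return False, "address-not-allowlisted"
    if now - added < NEW_ADDRESS_DELAY:
        return False, "address-too-new"
    return True, "ok"

if __name__ == "__main__":
    # Constructed scenario: password was reset 10 minutes ago via a hijacked mailbox.
    now = 10 * 86400
    secret = b"12345678901234567890"  # constructed sample secret (RFC 6238 test key)
    acct = Account(secret, now - 600, {"addr-known": 0})
    print(authorize_withdrawal(acct, "addr-new", "abcdef", now))            # no valid code
    print(authorize_withdrawal(acct, "addr-known", totp(secret, now), now))  # held after reset
```
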
hero member
Activity: 811
Merit: 1000
Web Developer
Wired just doesn't like us.  They're on the lookout for that bad press (they're probably trying to stock up).
full member
Activity: 254
Merit: 100
http://www.wired.com/wiredenterprise/2013/03/digital-thieves-pull-off-12000-bitcoin-heist/

Quote
A Bitcoin transaction services company says that hackers broke into one of its brokerage accounts last week, nabbing more than $12,000 worth of the digital currency.

That attack knocked Bitinstant offline over the weekend. The company says that while it lost Bitcoins, no customers were affected by the hack.

The criminals were able to take control of Bitinstant’s internet domains by convincing its domain registrar, Site5, to hand over control of the company’s Domain Name Service, or DNS. “Armed with knowledge of my place of birth and mother’s maiden name alone (both facts easy to locate on the public record) they convinced Site5 staff to add their email address to the account and make it the primary login,” the company said Monday in a blog post detailing the incident.

With control of the DNS, the bad guys also had control over Bitinstant’s email. They then did an online password reset at a Bitcoin exchange called VirWox and started emptying Bitinstant’s account. The total haul: $12,480.

The attack worked on the VirWox exchange because Bitinstant’s account didn’t have two-factor authentication.