Topic: Bitcoin is a magnet for hackers and crooks - page 4. (Read 7771 times)

They'll each complain that the other is doing X wrong and it'd be better if the other guy used exactly what we're using..  and they'd all be afraid to do the slightest pragmatic tweak (which doesn't actually affect security much, but might actually let these systems talk to each other) for fear of being called out as insecure by the others.

I'm guessing their systems would be more secure than their egos so no one would back down to get things to actually work.

Ok - that's the cynical version..

If you can find a bunch of security experts who recognize that all security is a compromise and are able to gauge relative risks well  - maybe they'll even produce something with a user interface that doesn't suck.

(alright.. so it was still a slightly cynical version)

It's more like:

1 - OpenSource?
     No: Scam/Vírus/Trojan. I will never download it.
     Yes: Let me check the code and I will tell you.

2 - Got reputation on the forum?
      No: Nobody will use your service.
      Yes: Let's wait for feedback from someone respectable

3 - How do you save user's passwords? No salt? No HTTPS?! Are you kidding?!
(.....)


People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?

I can confirm that...  every bitcoin related site that we have is subjected to a much higher rate of hacking attempts.  

You can tell just from basic discussion on the forum...  it's always in this order as well... 

1 - security
2 - how it works
3 - security
4 - ease of use
5 - security

Everyone is worried about security...    and rightfully so.

look at the nature of bitcoins,  the average truck driver has no idea what they are...   only a small percentage of the average guys on the street know what they are...  only a small percentage of even programmers that work for ecommerce sites, etc know what they are....  but every self taught hacker on earth knows what they are...

 

Because bitcoin is new, there are many reasons why people are trying to exploit it.
I wouldn't go around testing exploits on a sites that's been around for ~10-15 years (although PayPal did have a few exploits on the non-US site).

I'd say the thing that attracts the attackers to bitcoin sites is that its easy to get what their looking for (money). If they were to attack a bank for example they would face all sorts of variables that would cause them more work not to get caught. For example, first finding a hole, then getting in, then making sure you clear logs and are not caught. With many bitcoin sites they are not highly protected due to the fact they are coded by your average programmer that isn't a security specialist. Often many attack vectors are left wide open and it's only a matter of time that they get exploited. Also there is the concept of bitcoin it self. Once the attacker gets in or finds a way to exploit a vulnerability its easy to send the bitcoins to an anonymous address that is likely not going to be traced. With a bank on the other hand routing money in a way not to get caught isn't so easy.

In short bitcoins are easy to steal because 1. There 100% digital 2. There anonymous (to a point to discourage someone from tracing the transfers) 3. Bitcoins are new and the security knowledge of its supports is just beginning to catch up.

In time it will get better. It's like anything new really, to become stronger and better the weaknesses have to be found and exploited first.

What possible difference could the frequency of hack attempts make? Do you investigate every attempt?

i would have guessed that to be true simply because bitcoin enthusiasts were already technically-minded (possibly 'hackers') before bitcoin even was invented.

if you invent a new soft fluffy toy and build a new community of soft fluffy toy lovers, you're probably going to get a different type of fan base and a far lower level of SQL injection attempts or other technical hacks perpetrated against merchants

Yes, good point, it happens to everyone. My point is that the attacks seem to be much more frequent with bitcoin services. Can any other merchants back up my theory?

Everyone, from crappy forums to e-tailer sites, gets SQL injection attempts, SSH scans, portscans, and other exploit testing crap... this has nothing to do with bitcoin.  A lot of it is automated, even.

If you don't protect your site well enough, you're screwed in this day and age. No matter what forms of payment that you accept.

I know various forms of this topic and have been discussed at length, but I thought it would be beneficial to hear another first hand account. After looking through 256 recent SQL injection attempts at my site I thought I'd share my experience thus far as a new bitcoin etailer.

I've been running various online retail websites for over 10 years. As many of you know, I recently started CoinedBits.com. I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Thanks for listening.