Topic: BitPiggy - bank account locked (again) 16th May 2012 - page 2. (Read 4727 times)

legendary
Activity: 1692
Merit: 1018
I've used BitPiggy a few times over the past year and always found the site to be reliable.  I hope it comes back soon.

Does UBank know your account is associated with bitcoin?  I wonder if they would suspend anyone's account if it received stolen funds, or whether UBank was more keen here simply because of the associated money laundering risks with bitcoin?
member
Activity: 67
Merit: 10
Hello again,

We have been informed that several other instances of stolen funds being sent our way have been discovered.  Our account has once again been locked (third time), and we've been informed that we should be prepared for the possibility of our bank (UBank) shutting down our account.  At the very least, we want to move away from UBank as the account we are using is not a proper business account.

Any pending orders are thus currently held up. At this stage I do not have an ETA for when we will be able to get access to our account to process these orders.

As for opening up another, proper business account, that will likely be at least several days away at the earliest.

My apologies for the delays.
~Mat

sr. member
Activity: 334
Merit: 250
For the moment I'll keep the site disabled, while I figure out how to prevent further attempts by hackers sending stolen funds our way.

You can do it quite easily: for each bank account the user wants to fund BitPiggy FROM, the user would have to authenticate it first. Authentication would happen like this: you send a very small transfer TO that account, with something like this in the "reference" field:

"Use this code on www.bitpiggy.com to allow funding the account of user miernik on BitPiggy.com from this bank account: KJ1TH78Z"

And then add a delay of however long you think it takes for a person to discover his bank account was hacked (a week, a month); only after this amount of time has passed will that bank account be authenticated to send funds to BitPiggy (forever), to the account of that user on the site.

You could also ask trusted people, friends, etc. having accounts at different banks in Australia how the authentication works, and only allow the first transfer from a given bank account to be one that must have gone through second-factor authentication. If some bank allows <$500 transfers without it, then the first transfer from an account in that bank must be >$500. If the user does not want to deposit that much, he can withdraw the remaining amount right away. Simple.
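The scheme proposed in the post above (micro-deposit carrying a code, the user enters the code on the site, a quarantine delay before the source account is trusted, and a minimum first deposit from banks that allow small transfers without a one-time code), as an added example. This is illustration code, not BitPiggy's code and not code from the poster. It assumes: time is tracked as an integer day number; the bank is identified by the first two digits of the BSB; the `FIRST_DEPOSIT_MINIMUM_AUD` table and the 30-day quarantine are constructed values, not a statement about any real bank's policy.

```python
"""Source-bank-account verification for incoming fiat deposits (added illustration)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

QUARANTINE_DAYS = 30          # assumption: time for a victim to notice a hacked account
MICRO_DEPOSIT_AUD = 0.01      # amount of the outbound verification transfer
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I ambiguity

# Hypothetical policy table keyed by the first two digits of the BSB (bank code).
# A bank that permits transfers under some amount without a one-time code gets
# an entry: the FIRST deposit from an account there must be at least that amount.
# Constructed for the example, not real policy.
FIRST_DEPOSIT_MINIMUM_AUD: Dict[str, float] = {"08": 500.0}


@dataclass
class SourceAccount:
    user: str
    bsb: str
    account_no: str
    code: str                            # printed in the micro-deposit reference
    verified_day: Optional[int] = None   # day the user entered the code on the site
    first_deposit_done: bool = False

    def active_on(self, day: int) -> bool:
        """Trusted only once the quarantine has elapsed after code entry."""
        return self.verified_day is not None and day >= self.verified_day + QUARANTINE_DAYS


@dataclass
class Ledger:
    accounts: Dict[Tuple[str, str], SourceAccount] = field(default_factory=dict)
    outbound: List[Tuple[str, str, float, str]] = field(default_factory=list)  # micro-deposits to send
    credited: List[Tuple[str, float]] = field(default_factory=list)
    held: List[Tuple[str, str, float, str]] = field(default_factory=list)

    def start_verification(self, user: str, bsb: str, account_no: str) -> SourceAccount:
        """Register a source account and queue the micro-deposit carrying its code."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
        acct = SourceAccount(user, bsb, account_no, code)
        self.accounts[(bsb, account_no)] = acct
        reference = (f"Use this code on www.bitpiggy.com to allow funding the account "
                     f"of user {user} on BitPiggy.com from this bank account: {code}")
        self.outbound.append((bsb, account_no, MICRO_DEPOSIT_AUD, reference))
        return acct

    def confirm_code(self, user: str, bsb: str, account_no: str, submitted: str, day: int) -> bool:
        """User types the code seen on their bank statement into the site."""
        acct = self.accounts.get((bsb, account_no))
        if acct is None or acct.user != user or acct.verified_day is not None:
            return False
        # constant-time comparison; codes are uppercase, so normalise the input
        if not hmac.compare_digest(acct.code.encode(), submitted.strip().upper().encode()):
            return False
        acct.verified_day = day
        return True

    def process_inbound(self, bsb: str, account_no: str, amount: float, day: int) -> str:
        """Decide whether an incoming transfer is credited or held for review."""
        acct = self.accounts.get((bsb, account_no))
        if acct is None or acct.verified_day is None:
            return self._hold(bsb, account_no, amount, "unverified")
        if not acct.active_on(day):
            return self._hold(bsb, account_no, amount, "quarantine")
        minimum = FIRST_DEPOSIT_MINIMUM_AUD.get(bsb[:2], 0.0)
        if not acct.first_deposit_done and amount < minimum:
            return self._hold(bsb, account_no, amount, "below_first_deposit_minimum")
        acct.first_deposit_done = True
        self.credited.append((acct.user, amount))
        return "credited"

    def _hold(self, bsb: str, account_no: str, amount: float, reason: str) -> str:
        self.held.append((bsb, account_no, amount, reason))
        return "held:" + reason


if __name__ == "__main__":
    ledger = Ledger()
    src = ledger.start_verification("miernik", "082-001", "12345678")
    print("micro-deposit reference:", ledger.outbound[0][3])
    print(ledger.process_inbound("082-001", "12345678", 100.0, day=0))       # held:unverified
    ledger.confirm_code("miernik", "082-001", "12345678", src.code, day=1)
    print(ledger.process_inbound("082-001", "12345678", 100.0, day=5))       # held:quarantine
    print(ledger.process_inbound("082-001", "12345678", 600.0, day=1 + QUARANTINE_DAYS))  # credited
```

Held transfers are recorded rather than silently dropped so an operator can refund them; a transfer from an account that has never started verification is the case the post is trying to stop, and it never reaches the user's balance.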

member
Activity: 67
Merit: 10
It's interesting how this can happen in Australia (and happens so often to all exchanges), that stolen funds are sent by bank transfer.

Is it funds from accounts accessed with passwords grabbed by keylogger/phishing?

If so, how does this happen? Are there banks in Australia which allow transfers to be sent online without one-time code two-factor authentication (like SMS code, hardware token, one-time codes on a paper list)? Because in Europe I haven't yet seen a bank which allows transfers to a third-party account to be sent without one of these one-time code authentication methods for the transfer, or at least once for the account number to transfer to.

My bank unfortunately has not given me any details, but that could be because they themselves don't know. In both this case and the previous case, I believe a user account from another bank was hacked.

As for how the hacker did it, I assume it was an account with no 2nd level of authentication. I have several bank accounts, and two of them don't require a 2nd level of authentication for sending small amounts (e.g. up to $500 AUD).

As for how they got past the 1st level of authentication, the NAB (one of the largest banks in Australia) has a terrible level 1 authentication: the 'username' for logging in is a "customer code" that is printed on each debit/credit card they give to a customer (so anyone who holds the card for a few seconds could remember it if they wanted; they are only about ~8 digits long), while the password must be 6-8 alphanumeric characters. You cannot make your password longer, or use characters besides alphanumerics.

That said, I suppose it is more likely the hacker used a keylogger or engaged in phishing.

Can you shed some light on how Australian banking works?

And what are the liability/burden-of-proof rules?

Because for example in Poland, if a transfer is being made online from a customer's bank account, it is deemed to be made by the account owner, because only he has the authentication codes, and it is his duty to protect them. If he unwillingly discloses them to someone, it is HIS fault, and the bank will NOT reverse his transfers if he then goes to the bank and says "I didn't do these, someone must have hacked into my account". Such an explanation is not valid; banks reject such claims. I know from press reports of the (very few) cases when the account owner disclosed his one-time codes to the hacker. The bank did not believe him and did not give back his money. If from a customer's bank account a transfer was made authorized with a one-time code, that's proof that the customer did it (or someone authorized by him, even if unwillingly; he is still liable). That's how it is in Poland. Maybe that's why the two largest exchanges (MtGox and Intersango) both have their accounts in Poland, and keep them without problems, without a single case of an account being locked ever since they started using these accounts last year.

Does authentication and liability work differently in Australia?

I suspect banks in Australia would be more lenient, and I think banks are liable for lost funds due to hacking. I'm not sure though, and I'm not sure what proof you would have to show.

Poland's attitude sounds more mature: banks put the responsibility on the users, who in turn would be motivated to seek out banks that have good security. In Australia I believe the law is such that banks are required to cover users' losses due to hacking, which I think makes users complacent about security.
member
Activity: 67
Merit: 10
Hope it all gets sorted soon Mat :)

Stolen funds or stolen btc ?

Thanks for the support. Mostly sorted now.

As for what was stolen, someone else's bank account was hacked. BitPiggy was not hacked.

~Mat
sr. member
Activity: 334
Merit: 250
It's interesting how this can happen in Australia (and happens so often to all exchanges), that stolen funds are sent by bank transfer.

Is it funds from accounts accessed with passwords grabbed by keylogger/phishing?

If so, how does this happen? Are there banks in Australia which allow transfers to be sent online without one-time code two-factor authentication (like SMS code, hardware token, one-time codes on a paper list)? Because in Europe I haven't yet seen a bank which allows transfers to a third-party account to be sent without one of these one-time code authentication methods for the transfer, or at least once for the account number to transfer to.

Can you shed some light on how Australian banking works?

And what are the liability/burden-of-proof rules?

Because for example in Poland, if a transfer is being made online from a customer's bank account, it is deemed to be made by the account owner, because only he has the authentication codes, and it is his duty to protect them. If he unwillingly discloses them to someone, it is HIS fault, and the bank will NOT reverse his transfers if he then goes to the bank and says "I didn't do these, someone must have hacked into my account". Such an explanation is not valid; banks reject such claims. I know from press reports of the (very few) cases when the account owner disclosed his one-time codes to the hacker. The bank did not believe him and did not give back his money. If from a customer's bank account a transfer was made authorized with a one-time code, that's proof that the customer did it (or someone authorized by him, even if unwillingly; he is still liable). That's how it is in Poland. Maybe that's why the two largest exchanges (MtGox and Intersango) both have their accounts in Poland, and keep them without problems, without a single case of an account being locked ever since they started using these accounts last year.

Does authentication and liability work differently in Australia?
member
Activity: 67
Merit: 10
Hi all,

Our UBank account has been unlocked again, and we've successfully processed pending buy and sell orders (that have been paid).

For the moment I'll keep the site disabled, while I figure out how to prevent further attempts by hackers sending stolen funds our way.

Thanks for your support,
~Mat
hero member
Activity: 518
Merit: 500
Stolen funds or stolen btc ?
I don't think BP's bank would be too concerned about stolen bitcoins. Stolen fiat funds transferred through the banking system are of concern, since they can be reversed, leaving the receiving bank or the receiving bank's customer out of pocket.
mem
hero member
Activity: 644
Merit: 501
Herp Derp PTY LTD
Our bank account is supposedly unlocked now, but the actual bank's website is now down (UBank), so we're still unable to fulfil orders.

The site only says they'll "be back up and running soon".

We apologise for the ongoing delays.

Kind regards,
~Mat

Hope it all gets sorted soon Mat :)

Stolen funds or stolen btc ?
member
Activity: 67
Merit: 10
Our bank account is supposedly unlocked now, but the actual bank's website is now down (UBank), so we're still unable to fulfil orders.

The site only says they'll "be back up and running soon".

We apologise for the ongoing delays.

Kind regards,
~Mat
member
Activity: 67
Merit: 10
Hi,

We regret to inform you our bank account has been locked once again, due to what are likely stolen funds sent our way.

As our account is locked, I cannot transfer funds out nor see who has paid for orders, effectively putting a hold on buy/sell orders.

At this stage I was only able to talk to an operator at UBank (my bank) who could not tell me more details. As it is early morning in Australia, I have to wait until ~9am NSW time before I can talk to an actual account/security person.

I will keep you posted when I know more.

Cheers,
~Mat