Topic: BREAKING: Atlanta based Bitcoin giant BitPay hacked for nearly $2,000,000! (Read 11101 times)

full member
Activity: 210
Merit: 100
So, the lesson is to use PGP?
No, the insiders will simply leak the key, and with PGP you'd trust much bigger requests.
But if an employee deliberately leaks the key, then that is covered by the insurance under "employee theft".
hero member
Activity: 560
Merit: 500
Well, I still don't believe that some hacker got into some email and asked the CEO to make the transfers... There should be more than one thing to do to make such a transaction, I mean phone, email, one-by-one talk.
vip
Activity: 1428
Merit: 1145

Quote
BitPay values its close relationship with the security research community. To show its appreciation for external contributions, BitPay maintains a Bug Bounty Program designed to reward responsible disclosure of qualifying security vulnerabilities.

Quote
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
legendary
Activity: 2912
Merit: 1060
So, the lesson is to use PGP?

No, the insiders will simply leak the key, and with PGP you'd trust much bigger requests.
full member
Activity: 210
Merit: 100
So, the lesson is to use PGP?
full member
Activity: 193
Merit: 100
Always riding the Bull...
A good case for 2-factor authorization on your email as well as your bitcoin accounts, as well as a text/email alert system for activity on your account.  I'm a little surprised the heads of the company didn't have text messages being sent to them for any transfers over a certain amount.  

In fact, this is an excellent case for multi-factor authentication and multi-signature, combined, to be implemented.

Example below as to how such could've been used to thwart the successful ~$1.8M phishing attempts if it were in place:

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the above transaction, please wait at least one hour before playing again.

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the last two transactions, please wait at least an additional twelve hours before playing again.



MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 3,000 BTC transfer: Tony
Sign if you approve this 3,000 BTC transfer: Stephen
Sign if you approve this 3,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to having the combined MFA and MS in place, a phishing attempt was almost halted in its tracks. Thanks for playing. Enjoy the rest of your Break-away Friday.


I like it phin. Perfect way to avoid a hack. Other variations exist but this is pretty comprehensive other than an actual token key each person could have to sign/verify they are who they are in the confirmation process.

My outline works when you include the secret handshake and wiggle your ears.

In case anybody missed it, a two- or multi-factor authentication and multi-signature wouldn't have worked to thwart the phishing attempt, especially the latter since all parties (not Alice and Bob) were already in agreement when sending the moneys.

Here's a question: Which one of the three (Tony, Stephen, or Bryan) wouldn't pick up the phone to make a call to verify after a loved one who just supposedly emailed them requested a mere $1,000 USD? I'll make it simple for you: All three would make the call. But, we're led to believe that not a one of them had the same exact foresight to pick up a phone upon an ~$1.8M USD payment request spread out over two days in three payments.

Here's another question: How did SecondMarket know for sure that the request from BitPay was genuine? Either SecondMarket didn't have any defense mechanisms in place, or the person making the call from BitPay had to jump through hoops to get the requested moneys, but not once thought about using the same, or a similar procedure to verify what's requested of them, of which was of a higher BTC/$ amount.

If you've been boiling water for years sans a lid, but for the first time notice some dude using a lid whereupon his water boils faster, as a college grad you'll be inclined to start using a lid yourself from that moment forward as opposed to ignoring what you just witnessed the competition doing.

One final question: Since a crime was committed, was a police report filed or just an insurance claim?

Police report - it's an active investigation involving multiple law enforcement agencies. I could answer most of these questions but at this point it is unwise considering the ongoing lawsuit. Look forward to sharing more later when the dust settles... as much as I enjoy the entertainment in this thread there is zero basis for any of it. This incident should be taken as a wake up call to all bitcoin startups that highly skilled groups of hackers are actively stalking you, and will go to extreme lengths, working for months around the clock, to exploit your systems. And to be clear, 2-factor is not good enough.
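As an added illustration (not code from any poster in this thread), the following Python models the controls argued over above: an M-of-N approver threshold, the escalating cooling-off periods from the example, a rolling-window release cap, and the out-of-band phone callback that the thread says was the missing step. All names, thresholds and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy thresholds: constructed for this illustration, not any company's real limits.
AUTHORISED_SIGNERS = {"Tony", "Stephen", "Bryan", "Alice", "Bob"}
SIGNER_THRESHOLD = 3          # M-of-N: three distinct authorised approvals
LARGE_BTC = 1000              # at or above this a cooling-off period applies
WINDOW = timedelta(hours=24)  # rolling window for velocity accounting
WINDOW_CAP_BTC = 2500         # hard cap on BTC released per rolling window

@dataclass
class TransferRequest:
    amount_btc: int
    requested_at: datetime
    approvals: set                   # names of the people who signed
    origin: str                      # "email", "console", ...
    callback_verified: bool = False  # confirmed by phone on a number held on file

def in_window(released, now):
    """released is a list of (timestamp, amount_btc) already paid out."""
    return [(t, a) for t, a in released if now - t <= WINDOW]

def required_cooldown(released, now):
    """Escalating waits as in the thread: 1h after one large release, 12h after two."""
    large = [t for t, a in in_window(released, now) if a >= LARGE_BTC]
    hours = 12 if len(large) >= 2 else (1 if large else 0)
    return timedelta(hours=hours), (max(large) if large else None)

def evaluate(req, released):
    """Return (allowed, reasons); every failing control is listed, not only the first."""
    reasons = []
    valid = req.approvals & AUTHORISED_SIGNERS
    if len(valid) < SIGNER_THRESHOLD:
        reasons.append(f"{len(valid)} of {SIGNER_THRESHOLD} required approvals")
    # Signatures gathered in reply to an email prove nothing about the email itself.
    if req.origin == "email" and not req.callback_verified:
        reasons.append("email-originated request without out-of-band callback")
    wait, last = required_cooldown(released, req.requested_at)
    if req.amount_btc >= LARGE_BTC and last and req.requested_at - last < wait:
        reasons.append(f"cooling-off period of {wait} not elapsed")
    already = sum(a for _, a in in_window(released, req.requested_at))
    if already + req.amount_btc > WINDOW_CAP_BTC:
        reasons.append(f"window cap {WINDOW_CAP_BTC} BTC exceeded ({already} released)")
    return not reasons, reasons

def release(req, released):
    allowed, reasons = evaluate(req, released)
    if allowed:
        released.append((req.requested_at, req.amount_btc))
    return allowed, reasons

def replay_thread_scenario():
    """Four email-driven requests over two days; constructed timestamps and amounts."""
    released, t0, execs = [], datetime(2014, 12, 11, 9, 0), {"Tony", "Stephen", "Bryan"}
    plan = ((0, 1000, False), (2, 1000, True), (2.5, 1000, True), (26, 3000, True))
    return [release(TransferRequest(amt, t0 + timedelta(hours=h), set(execs), "email", ok), released)
            for h, amt, ok in plan]
```

Note that the three executives' approvals alone never decide the outcome: the first request is refused solely because nobody phoned back, which is the point the thread keeps returning to.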
member
Activity: 98
Merit: 10
Wow. That hacker was very great and courageous;
the money he stole was so much, surely the government will pursue the hackers.
legendary
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
I like it phin. Perfect way to avoid a hack. Other variations exist but this is pretty comprehensive other than an actual token key each person could have to sign/verify they are who they are in the confirmation process.
hero member
Activity: 560
Merit: 500
It makes no sense for a CEO to send any amount of money without contacting the boss. I mean, why would I send money from a company without knowing or having direct orders... Nowadays we must read the same thing twice or more times to avoid these things happening, and well, 2FA is one strong tool to avoid getting hacked and losing bitcoins.
newbie
Activity: 10
Merit: 0
You have to wonder why did BitPay not insist on a PGP signed email from the client when requesting so many bitcoins?

We're still tryin' to get our heads wrapped around why Bryan Krohn wasn't using his official [email protected] email address. Curious as to if [email protected] and [email protected] email addresses were used during the outer-inter-office exchanges. Surely, all three weren't using gMail, were they?

Maybe BitPay uses Gmail white label servers which they offer.
member
Activity: 63
Merit: 24
A good case for 2-factor authorization on your email as well as your bitcoin accounts, as well as a text/email alert system for activity on your account.  I'm a little surprised the heads of the company didn't have text messages being sent to them for any transfers over a certain amount. 
legendary
Activity: 2912
Merit: 1060
Now the cover-ups begin! The Krohns were simply puppets. They met the hacker at a conference. The scapegoats will either go down or disappear soon.
vip
Activity: 1428
Merit: 1145
Gleb... You really don't rest do you...

Dude, I was takin' a nap when the Newbie alert siren went off.
newbie
Activity: 1
Merit: 0
Gleb... You really don't rest do you...
hero member
Activity: 560
Merit: 500
Can't blame the insurer for not wanting to cover for such incompetence (and can't say I've sided with an insurer before).



I am inclined to agree. When this many BTC are at stake, signing the messages/emails should be mandatory at the very least...

Yeah, it makes you wonder if any insurance claim against a BTC loss will or has ever been claimed. Seems to me like it'd be very tough to prove you deserve to win a claim like this. BUT, I have no doubt that insurers will continue to offer BTC policies and take people's money, without any intent to pay out.
legendary
Activity: 1044
Merit: 1000
Can't blame the insurer for not wanting to cover for such incompetence (and can't say I've sided with an insurer before).



I am inclined to agree. When this many BTC are at stake, signing the messages/emails should be mandatory at the very least...
vip
Activity: 1428
Merit: 1145
Gleb is a psychopathic guy/troll (sorry, but you know it is true). I can't believe that anybody here believes this shit - hopefully it is meant to be sarcastic, but new members could believe that this shit is true. Be careful!

Maybe you can clear things up for us. What shouldn't we believe? That "Matthew Neal Wright is laughin' his ass off"? Because everything else is just true facts, not assumptions. He only shared some facts.

Even though the $1/yr salary for Vanessa is most likely not true, in context it was designed to make you guys think.

My intent was not to present Bryan and his wife as the culprits, for that would be too far-fetched, albeit not outside the realm of possibility. I merely presented facts in my own psychopathic way, facts, BTW, that had yet to be presented prior to my posts.

I'm pretty sure that FBI agents didn't think I was a psychopath when we spoke at length on occasions about BFL's 1QAHVyRzkmD4j1pU5W89htZ3c6D6E7iWDs bitcoin wallet address, among other niceties, and how said wallet was once claimed to belong to HashTrade via an official press release penned by BitPay containing quotes from HashTrade and Jeff Ownby of BFL.

Sure is funny how the FTC found 1QAHVyRzkmD4j1pU5W89htZ3c6D6E7iWDs being used by BFL to store online sales of its hardware via BitPay and burn-in mining revenue, not to mention bitcoins moved there from BFL's Eclipse MC, formerly owned by Josh Zerlan. Prior to the FTC coming a callin' - just two days earlier - BFL used BitPay as an exchange via 1QAHV, as opposed to ONLY as a third-party payment provider, to liquidate over ten million dollars worth of bitcoins to fiat, an act that would be impossible for you or I, although conversations of performing such took place during Bitcoin conferences which I was privy to, discussing how it could easily be achieved, all prior to the 1QAHV revelation.

Yep, I may be a nut, but at least I'm not a whatnut (Joshua Zipkin-speak).
legendary
Activity: 1904
Merit: 1007
Gleb is a psychopathic guy/troll (sorry, but you know it is true). I can't believe that anybody here believes this shit - hopefully it is meant to be sarcastic, but new members could believe that this shit is true. Be careful!

Maybe you can clear things up for us. What shouldn't we believe? That "Matthew Neal Wright is laughin' his ass off"? Because everything else is just true facts, not assumptions. He only shared some facts.