Topic: Dwolla Fraud - How it happened (Read 7959 times)

member
Activity: 60
Merit: 10
July 30, 2011, 03:35:00 PM
#28
As far as I know Pecunix, Liberty Reserve, etc. don't handle the issue. All deposits/withdrawals occur through intermediary exchangers, leaving a layer between them and the ACH system.

Right.  And I was asking about how those exchangers handle it.  Bitcoin itself takes the place of a Pecunix or Liberty Reserve currency, but still needs viable exchangers.

(All 3 currencies are non-revocable.)
member
Activity: 60
Merit: 10
July 30, 2011, 01:14:50 PM
#27
Tradehill is correct that the Dwolla blog suggests transactions are free of chargeback concerns.

But unfortunately, Dwolla's (current at least) "Terms & Conditions" -- which includes clauses overruling anything they might say anywhere else -- states the following, in sharp conflict with the Dwolla blog entry:

Quote
Returns -- The receiving party of a transaction may be subject to chargebacks occurring within the account if claims are made by the sending party or by the financial institution. In the event fraud occurs, funds may be reversed and arbitration will begin with both parties.

Abuse -- At any time Dwolla retains the right to close, suspend, or limit account activity. Dwolla may, in the event of excess returns, chargebacks, or suspected illegal activity revoke access to the account for 90 days.

Dwolla wants to depend on ACH (Automated Clearing House), which is inherently reversible.  MtGox & Tradehill want to depend on Dwolla.  And we want to depend on them for fast, convenient transactions.

There is a problem here which may ultimately force us to revert to bank wires, bank checks, money orders, and other cash-like transfers.  To buy a non-revocable currency might take a non-revocable transaction.

Does anyone know how exchanges for Pecunix, Liberty Reserve, etc. handle this issue?

One way might be to limit the size of transfers for new customers of exchanges ... while absorbing a certain amount of new-user fraud as inevitable.  I would be sad to see that happen, because it would raise exchange fees, reducing one of the great advantages BTC exchanges have over traditional markets.

As a compromise, higher fees could be assessed only on revocable deposits: users would pay more for convenience & speed.  Exchanges could thereby self-insure or obtain insurance against losses to fraud, without eliminating rapid transfers.



Sources:

Dwolla blog, http://www.dwolla.org/blog/retail-merchants-rejoice-web-kiosk-online/ which currently says "Remember, these are cash-based transactions! No credit card fees, chargeback concerns, or signing necessary!"

"Terms & Conditions" link on the registration page at https://www.dwolla.com/register.aspx#
hero member
Activity: 728
Merit: 500
July 30, 2011, 10:15:46 AM
#26
Gotta love US banking standards...

At least here you can leave a message with a transfer; not sure if this is still in SEPA...

Still, it's Dwolla's problem, and if TradeHill's posts are right they just deleted past records and did not mark those reversed or anything like...
sr. member
Activity: 321
Merit: 250
Firstbits: 1gyzhw
July 30, 2011, 10:00:02 AM
#25
I think you guys are making it way too complicated... It's a common scam (in Europe) where you find somebody who sells something online that only works with bank transfer (second-hand stuff or a trader that does not take credit cards). You tell him you seriously want to buy his EUR 100 cuckoo clock but you have a new bank and, as you are not in the same country, you want to do a test transfer first to see how much money the bank is keeping as a fee for a cross-border transaction (IBAN is free but for example some French and Greek banks still charge a fee). You tell him to look for the two deposits and he will tell you.
This is brilliant!
legendary
Activity: 1112
Merit: 1000
July 30, 2011, 08:03:30 AM
#24
12*12 / two attempts = 72.

So potentially, for every 72 bank accounts you have access to, you can steal from Dwolla?

I think you guys are making it way too complicated... It's a common scam (in Europe) where you find somebody who sells something online that only works with bank transfer (second-hand stuff or a trader that does not take credit cards). You tell him you seriously want to buy his EUR 100 cuckoo clock but you have a new bank and, as you are not in the same country, you want to do a test transfer first to see how much money the bank is keeping as a fee for a cross-border transaction (IBAN is free but for example some French and Greek banks still charge a fee). You tell him to look for the two deposits and he will tell you.

No keylogger or dumpster diving required....

As the guy is happy to see money arrive onto his account, he is not suspicious that he will get scammed later.

(as seen on Dutch TV http://www.opgelicht.nl/dossiers/detail/paypal/ )
sr. member
Activity: 321
Merit: 250
Firstbits: 1gyzhw
July 30, 2011, 01:32:01 AM
#23
I don't know how much data a router logs, but they might log the MAC of all connected devices. So if they see that a specific IP was used in an attack, they simply go to the wifi hot spot, take their router and look up the logs.

Even then, going back from a MAC address to find the owner would be very difficult. So just buy a cheap laptop at a pawn shop with cash from change and you should be safe.
MAC addresses are changeable in most wireless Ethernet drivers anyway;
Code:
ifconfig wlan0 hw ether ba:aa:ad:f0:00:0d
full member
Activity: 140
Merit: 100
BitVapes.com
July 30, 2011, 01:17:27 AM
#22
The deposit size guessing 'sample size' might be even smaller if they don't truly use a random number from 1-12 cents.  For all I know they use the same 2 numbers for everyone.  I mean that would be incredibly stupid, but stupider things have happened.

I don't remember what mine were, but a friend just recently did a Dwolla bank account verification and said the amounts were 1 and 2 cents. I remember because he instant messaged me saying he was pissed because he wanted 12+12 cents and said Dwolla was being a cheapskate.  Grin
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
July 30, 2011, 12:49:49 AM
#21
I don't know how much data a router logs, but they might log the MAC of all connected devices. So if they see that a specific IP was used in an attack, they simply go to the wifi hot spot, take their router and look up the logs.
Which proves only that the computer that made that transaction was using that MAC address at that time.

Quote
Even then, going back from a MAC address to find the owner would be very difficult. So just buy a cheap laptop at a pawn shop with cash from change and you should be safe.
Or use a random MAC address.
sr. member
Activity: 350
Merit: 251
July 30, 2011, 12:29:56 AM
#20
No guessing is required. The legitimate bank account owner can simply log in from a different IP with a changed MAC address (say on an unsecured wifi spot), pretend to check his statement, and then afterwards claim that his account was compromised to reverse the ACH transaction he himself had initiated.

Psst. Changing the MAC doesn't help make you more anonymous. Once you go past the first router they can't see your MAC anyway, unless the protocol sends it itself (i.e., some consoles/games/etc.), and HTTP doesn't do that.

I don't know how much data a router logs, but they might log the MAC of all connected devices. So if they see that a specific IP was used in an attack, they simply go to the wifi hot spot, take their router and look up the logs.

Even then, going back from a MAC address to find the owner would be very difficult. So just buy a cheap laptop at a pawn shop with cash from change and you should be safe.
sr. member
Activity: 308
Merit: 250
July 29, 2011, 10:48:08 PM
#19
No guessing is required. The legitimate bank account owner can simply log in from a different IP with a changed MAC address (say on an unsecured wifi spot), pretend to check his statement, and then afterwards claim that his account was compromised to reverse the ACH transaction he himself had initiated.

Psst. Changing the MAC doesn't help make you more anonymous. Once you go past the first router they can't see your MAC anyway, unless the protocol sends it itself (i.e., some consoles/games/etc.), and HTTP doesn't do that.
newbie
Activity: 18
Merit: 0
July 29, 2011, 10:31:29 PM
#18
No guessing is required. The legitimate bank account owner can simply log in from a different IP with a changed MAC address (say on an unsecured wifi spot), pretend to check his statement, and then afterwards claim that his account was compromised to reverse the ACH transaction he himself had initiated.

No need for that at all, all the customer has to do is claim that an ACH withdrawal from their account was unauthorized and the bank will reverse it.
full member
Activity: 403
Merit: 100
🦜| Save Smart & Win 🦜
July 29, 2011, 09:33:30 PM
#17
No guessing is required. The legitimate bank account owner can simply log in from a different IP with a changed MAC address (say on an unsecured wifi spot), pretend to check his statement, and then afterwards claim that his account was compromised to reverse the ACH transaction he himself had initiated.
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
July 29, 2011, 09:10:01 PM
#16
There are only 144 possible combinations. It is highly likely that a scammer with access to hundreds of compromised accounts will get a successful hit on some of them and recycle the rest for other purposes.
Or even 72 if the order in which you enter them doesn't matter...
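A hypothetical model of the two-deposit check that posts #16 and #24 are counting combinations for, added here as an example and not Dwolla's or any exchange's code. It takes the thread's assumption that each deposit is 1-12 cents, counts the ordered and unordered pair space, and shows what a per-link attempt limit with lockout (the control the thread says was missing) does to a blind guesser's odds across many compromised accounts.

```python
import hmac
import secrets
from dataclasses import dataclass
from fractions import Fraction

MAX_CENTS = 12  # the thread's assumption: each micro-deposit is 1..12 cents


@dataclass
class PendingVerification:
    """Server-side state for one bank-account link awaiting confirmation (hypothetical model)."""
    amounts: tuple        # the two amounts actually deposited, in cents, in order
    max_attempts: int     # wrong guesses allowed before the link is locked
    max_cents: int = MAX_CENTS
    attempts: int = 0
    locked: bool = False

def start_verification(max_attempts=2, max_cents=MAX_CENTS):
    """Draw two independent amounts with a CSPRNG so no two links share a pattern."""
    amounts = (secrets.randbelow(max_cents) + 1, secrets.randbelow(max_cents) + 1)
    return PendingVerification(amounts, max_attempts, max_cents)

def submit_guess(pv, guess):
    """True only for an exact, in-order match on an unlocked link.
    Every wrong or malformed guess counts; after max_attempts the link is locked
    and the user must start over with new deposits, which is what caps a blind guesser."""
    if pv.locked:
        return False
    pv.attempts += 1
    valid = len(guess) == 2 and all(isinstance(g, int) and 1 <= g <= pv.max_cents for g in guess)
    ok = valid and hmac.compare_digest(bytes(pv.amounts), bytes(guess))  # constant-time compare
    if not ok and pv.attempts >= pv.max_attempts:
        pv.locked = True
    return ok

def guess_space(max_cents=MAX_CENTS, ordered=True):
    """Distinct deposit pairs: max_cents**2 if order matters, C(max_cents+1, 2) if it does not."""
    return max_cents ** 2 if ordered else max_cents * (max_cents + 1) // 2

def success_probability(max_attempts, max_cents=MAX_CENTS, ordered=True):
    """Chance that a guesser with no view of the statement links an account before lockout."""
    space = guess_space(max_cents, ordered)
    return Fraction(min(max_attempts, space), space)

def expected_hits(n_accounts, max_attempts, max_cents=MAX_CENTS, ordered=True):
    """Expected number of successful links across n_accounts blind attempts."""
    return n_accounts * success_probability(max_attempts, max_cents, ordered)
```

With a two-attempt lockout the blind success rate is exactly 1/72 per account, which is the figure #24 arrives at; with no attempt limit, success_probability reaches 1 and every account is eventually linked.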
full member
Activity: 125
Merit: 100
July 29, 2011, 09:01:31 PM
#15
It's much easier than you guys think.  Just keylog someone who uses online banking and you'll have full access to their account if you use Zeus or a similar rootkit.  You'll be able to simply log in to their online terminal and link their account without any guesses to Dwolla, since you'll be able to see the deposits coming into their account from Dwolla.

The verification process is so weak that really the 5-10% of Americans who don't set up their online banking passwords correctly are vulnerable to being linked and drained.

The silver lining to this bug is it doesn't matter if you have a bank account linked to a Dwolla account or not - victims will be people who receive money from other Dwolla users, and people who have their regular bank account credentials stolen.  If you use Dwolla as a one-way drain to convert money into a bitcoin exchange you'll be safe.
member
Activity: 98
Merit: 11
July 29, 2011, 06:36:11 PM
#14
In the online fraud community, if you can come across someone's SS# along with bank info, you can easily gain access to their online banking and keep an eye on the deposits as well...

This may be turning into an easy way for thieves to get physical access to the money they're stealing.

That all depends on the particular bank. You can't call or walk into most banks with a SSN (lacking SSN card and federal issued ID) and get any information unless you have secondary and tertiary identification methods.
nux
newbie
Activity: 24
Merit: 0
July 29, 2011, 03:56:46 PM
#13
In the online fraud community, if you can come across someone's SS# along with bank info, you can easily gain access to their online banking and keep an eye on the deposits as well...

This may be turning into an easy way for thieves to get physical access to the money they're stealing.
sr. member
Activity: 420
Merit: 250
July 29, 2011, 03:05:05 PM
#12
Don't forget, if you have access to bank information, you may have stolen the person's password they use when logging in to their bank.. not to mention there are a multitude of VPNs, proxies, and other such things.. so it is almost never going to be from a real ip address.
sr. member
Activity: 476
Merit: 250
moOo
July 29, 2011, 03:00:24 PM
#11
Quote
It is highly likely that a scammer with access to hundreds of compromised accounts will get a successful hit on some of them and recycle the rest for other purposes.

As to rather... steal money from these accounts... they would rather hold onto them for days and go through the Dwolla sign-up crap?

Don't think Dwolla would notice the same IP setting up hundreds of accounts and getting most of the answers wrong? Yeah yeah, VPNs and proxies... so a different one for every 5 accounts?

Maybe you are correct, perhaps they have sloppy security. I just don't see them letting you try 1000 sites and guess 72000 times on bank deposits and failing most of the time.

It also doesn't fit the claims of TradeHill.

TradeHill got confirmations from Dwolla that the money was sent to TradeHill, and only after the confirmation were the payments reversed. Even if everyone whose accounts were hacked for at least a week... suddenly discovered it right after money started to disappear... it isn't that easy to reverse those charges. I just don't see it... it looked like all the charges were reversed, zero questions asked.

This smells more of a programming hole than a social hole to me.
member
Activity: 80
Merit: 10
July 29, 2011, 02:18:29 PM
#10
Yes I am sure.  I tested it when verifying my own account.

As far as the possibility that someone had fake ids made, hacked their email and dug through their victims garbage it is very unlikely for no other reason than Occam's razor.
legendary
Activity: 1358
Merit: 1002
July 29, 2011, 01:49:23 PM
#9
I am 99% sure I am correct.  I know that they allowed multiple guesses and know there were people verifying their own bank accounts by guessing the deposits so they could shorten the time period required to obtain BTC.

If that's true... Talk about amateur hour...  Roll Eyes

Are you really sure about that?