Pages:
Author

Topic: Dwolla Fraud - How it happened (Read 7980 times)

member
Activity: 60
Merit: 10
July 30, 2011, 02:35:00 PM
#28
As far as I know Pecunix, Liberty Reserve, etc. don't handle the issue. All deposits/withdrawals occur through intermediary exchangers, leaving a layer between them and the ACH system.

Right.  And I was asking about how those exchangers handle it.  Bitcoin itself takes the place of a Pecunix or Liberty Reserve currency, but still needs viable exchangers.

(All 3 currencies are non-revocable.)
member
Activity: 60
Merit: 10
July 30, 2011, 12:14:50 PM
#27
Tradehill is correct that the Dwolla blog suggests transactions are free of chargeback concerns.

But unfortunately, Dwolla's (current at least) "Terms & Conditions" -- which includes clauses overruling anything they might say anywhere else -- states the following, in sharp conflict to the Dwolla blog entry:

Quote
Returns -- The receiving party of a transaction may be subject to chargebacks occurring within the account if claims are made by the sending party or by the financial institution. In the event fraud occurs, funds may be reversed and arbitration will begin with both parties.

Abuse -- At any time Dwolla retains the right to close, suspend, or limit account activity. Dwolla may, in the event of excess returns, chargebacks, or suspected illegal activity revoke access to the account for 90 days.

Dwolla wants to depend on ACH (Automated Clearing House), which is inherently reversible.  MtGox & Tradehill want to depend on Dwolla.  And we want to depend on them for fast, convenient transactions.

There is a problem here which may ultimately force us to revert to bank wires, bank checks, money orders, and other cashlike transfers.  To buy a non revocable currency might take a non revocable transaction.

Does anyone know how exchanges for Pecunix, Liberty Reserve, etc. handle this issue?

One way might be to limit the size of transfers for new customers of exchanges ... while absorbing a certain amount of new-user fraud as inevitable.  I would be sad to see that happen, because it would raise exchange fees, reducing one of the great advantages BTC exchanges have over traditional markets.

As a compromise, higher fees could be assessed only on revocable deposits: users would pay more for convenience & speed.  Exchanges could thereby self-insure or obtain insurance against losses to fraud, without eliminating rapid transfers.



Sources:

Dwolla blog, http://www.dwolla.org/blog/retail-merchants-rejoice-web-kiosk-online/ which currently says "Remember, these are cash-based transactions! No credit card fees, chargeback concerns, or signing necessary!"

"Terms & Conditions" link on the registration page at https://www.dwolla.com/register.aspx#
hero member
Activity: 728
Merit: 500
July 30, 2011, 09:15:46 AM
#26
Gotta love US banking standards...

Atleast here you can leave message with transfer, not sure if this is still in SEPA...

Still, it's Dwolla's problem and if TradeHills post are right they just deleted past records and not mark those reversed or anything like...
sr. member
Activity: 321
Merit: 250
Firstbits: 1gyzhw
July 30, 2011, 09:00:02 AM
#25
I think you guys are making it way too complicated... It's a common scam (in Europe) where you find somebody who sells something online, that only works with bank transfer (second hand stuff or a trader that does not take credit cards). You tell him you seriously want to buy his EUR 100 cucko clock but you have a new bank and as you are not in the same country, you want to do a test transfer first to see how much money the bank is keeping as a fee for a cross border transaction (IBAN is free but for example some French and Greek banks still charge a fee). You tell him to look for the two deposits and he will tell you.
This is brilliant!
legendary
Activity: 1112
Merit: 1000
July 30, 2011, 07:03:30 AM
#24
12*12 / two attempts = 72.

So potentially, for every 72 bank accounts you have access to, you can steal from Dwolla?

I think you guys are making it way too complicated... It's a common scam (in Europe) where you find somebody who sells something online, that only works with bank transfer (second hand stuff or a trader that does not take credit cards). You tell him you seriously want to buy his EUR 100 cucko clock but you have a new bank and as you are not in the same country, you want to do a test transfer first to see how much money the bank is keeping as a fee for a cross border transaction (IBAN is free but for example some French and Greek banks still charge a fee). You tell him to look for the two deposits and he will tell you.

No keylogger or dumpster diving required....

As the guy is happy to see money arrive onto his account, he is not suspicious that he will get scammed later.

(as seen on Dutch TV http://www.opgelicht.nl/dossiers/detail/paypal/ )
sr. member
Activity: 321
Merit: 250
Firstbits: 1gyzhw
July 30, 2011, 12:32:01 AM
#23
I dont know how much data a router logs, but they might log the mac of all connected devices. so if they see that a specific ip was used in an attack, they simply go to the wifi hot spot and take their router and look up the logs.

even then, going back with a mac address to find the owner would be very difficult. so just buy a cheap laptop at a pawn shop with cash from change and you should be safe.
MAC addresses are changeable in most wireless ethernet drivers anyway;
Code:
ifconfig wlan0 hw ether ba:aa:ad:f0:00:0d
full member
Activity: 140
Merit: 100
BitVapes.com
July 30, 2011, 12:17:27 AM
#22
the deposit size guessing 'sample size' might be even smaller, if they don't truly use a random number from 1-12 cents.  For all I know they use the same 2 numbers for everyone.  I mean that would be incredibly stupid but stupider things have happened.

I don't remember what mine were, but a friend just recently did a dwolla bank account verification and said the amounts were 1 and 2 cents, I remember because he instant messaged me saying he was pissed because he wanted 12+12 cents and said dwolla was being a cheapskate.  Grin
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
July 29, 2011, 11:49:49 PM
#21
I dont know how much data a router logs, but they might log the mac of all connected devices. so if they see that a specific ip was used in an attack, they simply go to the wifi hot spot and take their router and look up the logs.
Which proves only that the computer that made that transaction was using that MAC address at that time.

Quote
even then, going back with a mac address to find the owner would be very difficult. so just buy a cheap laptop at a pawn shop with cash from change and you should be safe.
Or use a random MAC address.
sr. member
Activity: 350
Merit: 251
July 29, 2011, 11:29:56 PM
#20
No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an insecured wifi spot), pretend to check his statement, and then afterwards claim that his account was comprimised to reverse the ACH transaction he himself had initiated.

Psst. Changing the MAC doesn't help make you more anonymous. Once you go past the first router they can't see your MAC anyway, unless the protocol sends it itself (ie, some consoles/games/etc) and HTTP doesn't do that.

I dont know how much data a router logs, but they might log the mac of all connected devices. so if they see that a specific ip was used in an attack, they simply go to the wifi hot spot and take their router and look up the logs.

even then, going back with a mac address to find the owner would be very difficult. so just buy a cheap laptop at a pawn shop with cash from change and you should be safe.
sr. member
Activity: 308
Merit: 250
July 29, 2011, 09:48:08 PM
#19
No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an insecured wifi spot), pretend to check his statement, and then afterwards claim that his account was comprimised to reverse the ACH transaction he himself had initiated.

Psst. Changing the MAC doesn't help make you more anonymous. Once you go past the first router they can't see your MAC anyway, unless the protocol sends it itself (ie, some consoles/games/etc) and HTTP doesn't do that.
newbie
Activity: 18
Merit: 0
July 29, 2011, 09:31:29 PM
#18
No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an insecured wifi spot), pretend to check his statement, and then afterwards claim that his account was comprimised to reverse the ACH transaction he himself had initiated.

No need for that at all, all the customer has to do is claim that an ACH withdrawal from their account was unauthorized and the bank will reverse it.
full member
Activity: 411
Merit: 101
🦜| Save Smart & Win 🦜
July 29, 2011, 08:33:30 PM
#17
No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an insecured wifi spot), pretend to check his statement, and then afterwards claim that his account was comprimised to reverse the ACH transaction he himself had initiated.
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
July 29, 2011, 08:10:01 PM
#16
There are only 144 possible combinations. It is highly likely that a scammer with access to hundreds of compromised accounts will get a successful hit on some of them and recycle the rest for other purposes.
Or even 72 if the order in which you enter them doesn't matter...
full member
Activity: 125
Merit: 100
July 29, 2011, 08:01:31 PM
#15
It's much easier than you guys think.  Just keylog someone who uses online banking and you'll have full access to their account if you use Zeus or a similar rootkit.  You'll be able to simply log in to their online terminal and link their account without any guesses to Dwolla, since you'll be able to see the deposits coming into their account from Dwolla.

The verification process is so weak that really the 5-10% of Americans who don't set up their online banking passwords correctly are vulnerable to being linked and drained.

The silver lining to this bug is it doesn't matter if you have a bank account linked to a Dwolla account or not - victims will be people who receive money from other Dwolla users, and people who have their regular bank account credentials stolen.  If you use Dwolla as a one-way drain to convert money into a bitcoin exchange you'll be safe.
member
Activity: 98
Merit: 11
July 29, 2011, 05:36:11 PM
#14
In the online fraud community, if you can come across someones SS# along with bank info, you can easily gain access to their online banking and keep an eye on the deposits as well...

This may be turning into an easy way for thieves to get physical access to the money they're stealing.

That all depends on the particular bank. You can't call or walk into most banks with a SSN (lacking SSN card and federal issued ID) and get any information unless you have secondary and tertiary identification methods.
nux
newbie
Activity: 24
Merit: 0
July 29, 2011, 02:56:46 PM
#13
In the online fraud community, if you can come across someones SS# along with bank info, you can easily gain access to their online banking and keep an eye on the deposits as well...

This may be turning into an easy way for thieves to get physical access to the money they're stealing.
sr. member
Activity: 420
Merit: 250
July 29, 2011, 02:05:05 PM
#12
Don't forget, if you have access to bank information, you may have stolen the person's password they use when logging in to their bank.. not to mention there are a multitude of VPNs, proxies, and other such things.. so it is almost never going to be from a real ip address.
sr. member
Activity: 476
Merit: 250
moOo
July 29, 2011, 02:00:24 PM
#11
Quote
It is highly likely that a scammer with access to hundreds of compromised accounts will get a successful hit on some of them and recycle the rest for other purposes.

as to rather.. steal money from these accounts.. they would rather hold onto them for days and go through the dwolla sign up crap?

Dont think dwolla would notice the same IP setting up hundreds of accounts and getting most of the answers wrong? yeah yeah vpns and proxies.. so a different one for every 5 accounts?


maybe you are correct, perhaps they have sloppy security, I just dont see them letting you try 1000 sites and guess 72000 times on bank deposits and failing most of the time.


IT also doesnt fit the claims of tradehill.

Tradehill got confirmations from dwolla that the money was sent to tradehill and only after the confirmation was the payments reversed. Even if everyone whose accounts were hacked for at least a week.. suddenly discovered it right after money started to disappear.. it isnt that easy to reverse those charges. I just dont see it.. it looked like all the charges were reversed zero questions asked.


This smells more of programming hole than social hole to me.,
member
Activity: 80
Merit: 10
July 29, 2011, 01:18:29 PM
#10
Yes I am sure.  I tested it when verifying my own account.

As far as the possibility that someone had fake ids made, hacked their email and dug through their victims garbage it is very unlikely for no other reason than Occam's razor.
legendary
Activity: 1358
Merit: 1002
July 29, 2011, 12:49:23 PM
#9
I am 99% sure I am correct.  I know that they allowed multiple guesses and know there were people verifying their own bank accounts by guessing the deposits so they could shorten the time period required to obtain BTC.

If that's true... Talk about amateur hour...  Roll Eyes

Are you really sure about that?
Pages:
Jump to: