Topic: Instawallet/Bitcoin-Central Security Breach - page 5. (Read 85276 times)

Thanks but you know how it is when your upset you read it but your brain did not register it.

Good point.
Little hints like that FAQ entry, the lack of a proper robots.txt, are instilling in my mind little particles of doubt about the technical abilities of our bitcoin-central friends.

Hi please fill in this claim form if you lost instawallet funds here.......



YOUR URL password .....


your bitcoin address....



YOUR BALANCE:   


Your Email address that you made your first complaint with......

Keep your calm and learn to read.

HOW DO YOU FILE A CLAIM!

I hate that the site says file a claim but provides no way to do so.

It's not like I lost a lot just under 2BTC but at todays price that's a nice dinner for 2 and I want it back!

I agree on most parts, but:

2) Actually "2" would be almost like "1". It wouldn't be time consuming at all, because you can just write a parser to parse the blockchain and sort by amount (change a bit here and there, and this source code + the blockchain, is all you need).

3) As I wrote earlier, then this is 100% without any doubt NOT the case.

I don't think the hot wallet was emptied.
If you look at the transaction history of their cold wallet, 1FrtkNXastDoMAaorowys27AKQERxgmZjY
you see that 6 transfers totalling 320BTC were made *to* this wallet, just prior to its subsequent
evacuation into 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy  (together with bitcoin-central funds).
You can also notice that this is a very unusual pattern for them to put money into cold storage: usually it's 1 transaction every few days; not several transactions in quick succession.

What is more, among these 6 transactions, is the address of my instawallet, to which I transferred
the funds about 6 hours before.  (I was  unlucky to try to tumble some coins through instawallet in the worst
possible moment.)


So from this it's quite clear  that not all hot-wallet money were stolen. Probably the hacker accessed
the database from where it was not supposed to be accessed, and that triggered the alarm.
How many URLs he got and how many he tried to empty we don't know.

And learn your lesson - use blockchain.info, bitcoin-qt, electrum, whatever.

Given how low the threshold was to start a wallet there, this could be spread over thousands of people. Judging by Phil's posts above, though, this is hardly the case 

It's probablye that instawallet's 'hot wallet' wasn't large enough to empty all the big ones.  Perhaps the hot wallet was drained and that's what tipped them off that there was a problem.  Perhaps they refilled it a few times before noticing what was going on.  We do know they had a 'cold wallet' which presumably held the majority of the coins.

I'm pretty sure that instawallet was a shared wallet, so blockchain analysis doesn't tell you the balance of any of its accounts.  You can find all the deposits to a given address, but can't tell anything about the withdrawals from it.[/list]

I think so.  It is conceivable that the URLs are stored encrypted using the dev's public key.  He would then be able to retrieve the URLs by downloading the database to his home machine and using his private key there, without them ever being stored in plain text on the database.

Anyone else having problems accessing the Instawallet site atm? Getting these errors in Firefox and Chrome...   

I would like to know the conceptual difference between bitcoin-central and instawallet. After an extensive discussion here in the topic, I learnt about the security gaps but why someone woudl prefer to keep the bitcoins in Instawallet rather than in bitcoin-central?

Looks like me and you are in the same boat Phinnaeus, nice to meet you. Shame it couldn't have been under better circumstances.

Ok, I have been doing some analysis/thinking about the situation and am feeling (relatively) positive. Ladies and gentlemen, if you would care to indulge me.

INSTAWALLET DEBACLE 2013

Firstly i have made some assumptions

1. The people behind Instawallet are honest and want to return the money to their rightful owners.

I have assumed this based on the fact that they have their public profiles on record, some of them have been directors of big multinational companies (Orange), they have other businesses which i believe they want to keep earning them money and finally they probably realise that a higher percentage of the bitcoin userbase compared to the general public might go after them personally if the money was not returned. (Based on the fact that the currency is underground and only recently surfacing to most people).

Besides this, if we assume they are dishonest then our money might as well be gone anyway. :/

2. Everybody who had money in instawallet now realises the error of their ways and will be using a paper wallet rolled up into a tube and inserted anally at all times.

Some of the people here have lost a fair bit of money and the I told you so's are a little annoying. I for one will invest a few bitcoins in awareness of this problem for newbies if i get my money back.

3. The hacker has some info

This is as far as i could go with this. I am not technically minded and can only guess from reading this thread the kind of data he could have. I have listed the possibilites from worst cast scenario to best.

• All 3.5 million URLS and public addresses in a list with balance attached to them in the list. - this would mean they have probably emptied all the big ones straight away
• All 3.5 million URLS and public addresses in a list with no balance attached. - this would mean having to search each address on the blockchain to find out what is on each one. Quite time consuming. 2 people doing that for 90 days, 14 hours a day, looking up 1 every ten seconds would be 907,200
• A portion of the URLS and public addresses, maybe gained from Google or Chrome as mentioned earlier in the thread - same as above but obviously some of us will not be affected
• All 3.5 million URLS but not the public address - this would mean that as soon as the website was closed they no longer had access to the site to search for bitcoins in the URLS they were holding
• A portion of the URLS but no public address - the same as above but again doesn't affect everyone

There may be more but that's all i could think of for now.

4. The hacker has already stolen something?

Now this i am not sure of. I feel that the wording of their agreement leads us to believe that some has gone but not all. If this is the case, when was it stolen? If it was only stolen in the last few days then maybe a date-stamped document in Time Machine (Mac recovery service) would be enough to prove that you have held the URLS for a while?

CONCLUSION

After all this we can conclude that if we claim back on an address and find that all large amounts are being double claimed we can be sure that the first option in section 3 is probably true.

If this is not the case then i think the chances of double claiming go down and we can hope to see our money again.

You never know, a 90 day force holding period might be a blessing in disguise.

What do you guys think?

14,000 total coins were stored in instawallet? Lost faith in humanity once again

I quote a part from an article appeared in "bitcoinmagazine" (http://bitcoinmagazine.com/instawallets/) regarding pros and cons about using instawallet:

Because of Instawallet’s “URL as password” mechanism it’s the least secure of all the options. Instawallet themselves recommend that users “please do not store more than some spare change here” for casual use.


Instawallet people themselves recommended their clients not to store large amount of bitcoins. This shows some honesty.

Maybe my post is a bit offtopic but could someone explain what is the difference between keeping bitcoins in Instawallet and in Bitcoin-central? I am not talking about security issues. Instawallet is a wallet. Bitcoin-central is an exchange market but one can also keep bitcoins there.

Interestingly, this FAQ item seems to tell us that URLs are stored in plain text in their database, and are not stored hashed : "I have to be strict about this, as I would otherwise open myself to social engineering attacks" would have been "it is physically impossible for me to do so since we do not store your URLs unencrypted, and are thus unable to recover them, whatever the circumstances".
Am I wrong ?

Would it be a good idea for victims to find out which address (or addresses) they used to transfer their BTC to Instawallet, and immediately sign a message, to prove that they control that bitcoin adddress, if possible?

This wouldn't prove that they own the funds at Instawallet (they might only be somebody who sent BTC to the real owner) but it would help Instawallet to more easily sort out claims into 'probably true' and 'probably false'.

That's because scammers won't be able to prove that they sent any bitcoins in to the Instawallet address that they claim to own. And somebody who really did send bitcoins into another person's address isn't likely to have the knowledge, or the desire, to scam them later (though it's not impossible, if a large sum is at stake, so Instawallet would still need to review the case and other evidence)

I don't have anything stored at Instawallet. I'm just thinking it would be best for victims to prove as soon as possible that they control any sending addresses, in case they're not able to do that later (for example, they could delete their wallet, or overwrite keys, accidentally or because they think it's not important any more)

Does this idea help?

I think they've done a lot wrong, but right now there is no evidence whatsoever that anyone's funds have been "stolen".