Topic: New Fast Bitcoin Exchange in the Netherlands (Read 6916 times)

legendary
Activity: 2506
Merit: 1010
November 03, 2013, 07:12:36 AM
#40
Malware gang steals $1.4m and sets up bitcoin exchange to launder it
http://www.coindesk.com/malware-gang-steals-1-4m-bitcoin-exchange-launder/
hero member
Activity: 537
Merit: 524

Personally I wouldn't trust my money or bitcoins to this company because it looks like a scam.

Unfortunately it seems like I was right and it is a scam. The website has been down for several days already and today the following news came out:
http://tweakers.net/nieuws/92170/politie-pakt-4-mannen-op-wegens-plunderen-bankrekeningen-via-malware.html (in Dutch). What it basically says is that 4 men were arrested on Monday for using TorRAT banking malware to plunder bank accounts through phishing and that one of the suspects was managing a BTC exchange. Although FBTC is not mentioned specifically, one of the suspects comes from Woubrugge, where the company (Larmit beheer BV) managing FBTC is also registered. That coupled with the fact that the site has been down for a few days.......
legendary
Activity: 1372
Merit: 1008
1davout
The Third party bank accounts have a monthly check by a register accountant (RA).

One party sets the transfers out of the system, and another (third) party checks the transfers and sends them out. So you always need two parties to authorize payments. One party is FBTC Exchange and the other is the registered account (RA).
So, if I read this correctly you're saying you can only send outbound transfers once every month ?


In holland it is called a "third party quality bank account"
If you could please give me the Dutch term I'll look it up; my written Dutch is quite terrible but I can read it just fine.


Maybe it would be best if you read the legal aspects of such a bank account and you will see that the regulations are set by law.
Sure, like I said if you give me the dutch terms I'll look it up, my pleasure.


To get a "third party quality bank-account" in the Netherlands you need to register it legally with a notary. (Do not know if this is possible in France)
With the papers from the notary you can open a third party quality bank account and the bank provides you with the authorisation system.
Never heard of any such thing in France. On the other hand I have never heard of haring, paling, oliebollen and other Dutch delicacies in France either.
If such is the way it works I assume that you have to be transparent in your ToS about it, so your customers know exactly how their money is being handled. So far your transparency level is pretty much: "don't worry, I'm from the Internet". Anyway, that's an assumption; guess I'll form a more complete opinion about your setup when provided with something I can research against third-party sources.


What is there to enlighten... We work legally and according to Dutch laws and regulations. The use of a PSP introduces an extra possible security breach because criminals can hack into their systems, and how do you know if the system of your PSP is secure enough for your customers?
Sure, if you reason like this you might as well do your exchange with pen and paper. Duh.
Also PSPs have something that's called "insurance" which is there precisely to cover such risks, making the overall setup much much safer.


Can you enlighten me, maybe there is something that our security experts can help to tighten security at FBTC Exchange.
Well, I actually can give you two pieces of advice to your, ahem, "security experts" :

  • Don't use Cloudflare, ever. Just because Bitstamp does it doesn't mean it's a good thing.
  • Don't hash your passwords with SHA2, ever. If I ever hear anyone say the word "salt" I'll stab him in the face (protip: it doesn't solve shit).

Let's pause for a minute and use our brain jointly by starting with nr. 1 shall we ?

What is an SSL certificate for ? It's to prevent MITM attacks and eavesdropping. Ok, so far so good.
What does Cloudflare do ? It sits between you and the Internet, essentially being a massive MITM in itself, you even give them your SSL cert.

So, why the fuck would you want any Cloudflare employee to be able to sniff the passwords of your users as they travel through their servers ?

Gosh, what were you thinking ? "Bitstamp does it, must be cool!". Guess what, it's not.

Now for the second thing : do not hash passwords with SHA2, MD5, SHA3 or any such function, and salting doesn't help, at all. Let us take a minute to examine why this is, and has notoriously been for a while a terrible, terrible security practice.

What is SHA2 ? It is a hash function. What is it designed for ? It is designed for hashing arbitrarily large chunks of data to a fixed-size fingerprint. And it is heavily optimized to be *fast*. Yes, fast. That means that of all the hash functions, you picked one that actually *helps* the bruteforce process by being heavily performance optimized. Gosh, it's even massively parallelizable! As in "the whole Bitcoin system is based on efficiently bruteforcing the shit out of it".

Once you use your brain the correct solution becomes quite obvious, it is to use something that is designed to be *slow*, and to adapt its slowness to the performance of common computers.

So look up bcrypt, get your stuff straight, and come thank me after your first pwnage, because I'll have avoided a lot of password leakage.

But either way, don't bother to change the SHA2 thing unless you also drop cloudflare, because if you don't, your passwords are already pretty much travelling in cleartext over the wire.


So I'm interested in reading more about your setup. But I encourage you to do something about your glaring security flaws. When you're done with that maybe we can talk security, maybe.
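The post above argues for a deliberately slow, tunable password hash instead of a bare SHA-2 digest. The following is an added example, not code from the thread or from either exchange: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (same property of a configurable work factor, chosen here only because it needs no third-party package), stores the parameters next to the hash so the cost can be raised later, and shows how the iteration count is calibrated to the machine. All policy values (`DEFAULT_ITERATIONS`, `MIN_ITERATIONS`) are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed policy values for this example, not any exchange's production settings.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # the work factor; raise it as hardware gets faster
MIN_ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "algorithm$iterations$salt$hash".

    The random salt only defeats precomputed tables; the iteration count is what
    makes each guess cost real CPU time, which a single SHA-2 digest never does.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False            # malformed record: never fall through to "true"
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored work factor is below current policy; call it after a
    successful login and re-hash the password just verified, so old records
    migrate to the new cost without a password reset."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < target_iterations


def calibrate_iterations(target_seconds: float = 0.25,
                         probe_iterations: int = 20_000) -> int:
    """Choose an iteration count so one hash takes about target_seconds on this host.
    This is the "adapt its slowness to the hardware" property: re-run after a
    server upgrade and raise DEFAULT_ITERATIONS to the result."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", os.urandom(SALT_BYTES),
                        probe_iterations, dklen=KEY_BYTES)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(MIN_ITERATIONS, int(probe_iterations * target_seconds / elapsed))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print("iterations suggested for this machine:", calibrate_iterations())
```

Note that the Cloudflare point in the post is independent of this: a slow hash protects the stored credentials after a database leak, not a password read off the wire by a TLS-terminating intermediary.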
sr. member
Activity: 448
Merit: 250
No longer satoshipoker.org - Can't change avatar
With the assistance of ING bank we can accept and transfer Euro and US dollar.  Our exchange handles trades in both currencies. We will add other currencies and transfer methods in the next 6 months.   

Be really careful. The statements of the Dutch government only apply to BTC2EUR and EUR2BTC transactions, as USD is highly regulated and controlled outside of Holland. Good luck with the site though.
newbie
Activity: 29
Merit: 0
Hello Davout,

Quote
Quote
The bank accounts that are holding third party funds are legally set up for that purpose.
They are third-party bank accounts and are by law outside of the company. The Third party bank accounts have a monthly check by a register accountant (RA).

Ok, so does this particular kind of bank account have a name ?
Who exactly has authority to pull money from it ?

Quote
Quote
It's the same system as used by notaries in the Netherlands to hold third party funds.
I understand. In the case of a notary he has an account and maintains an accounting system that is necessary to keep track of funds ownership. Obviously you have such a system too, otherwise you could not have a functioning exchange, my question is : "who has the authoritative accounting data ? Is it you ? Is it some third-party ?"
Quote
Quote
In the case something happens to the company a curator will be appointed by court and the curator will refund everybody's money that is on the bank account.
The funds for our operational costs are in an other, normal business bank account (at a different bank).
If a curator is needed to perform such a task it means that you're holding the funds directly and have full access to the bank account holding customer money. Is this correct ?

I do not know the exact legal terms they call it in other countries. In Holland it is called a "third party quality bank account". They are accounts with a double or triple authority system. None of the parties has direct authority to pull money. One party sets the transfers out of the system, and another (third) party checks the transfers and sends them out. So you always need two parties to authorize payments. One party is FBTC Exchange and the other is the registered account (RA).
If the company has trouble then a curator takes the place of FBTC Exchange and pays out the funds to the clients in the same way as explained above. The accountant can set the transfers and the curator sends them to the rightful owners.

Maybe it would be best if you read the legal aspects of such a bank account and you will see that the regulations are set by law. 


Quote
Quote
The things you assume... lets talk about that.
I'm not really talking about assumptions, but about factual information that I learned over time while doing what I do, and which you seem to have some knowledge about. I'm doing you the professional courtesy of sharing some of it with you, make the best out of it. Next time I won't be the one asking the questions, next time you'll be sitting in front of a few not-so-funny people wearing not-so-creative suits.

Thanks for the heads up but we have investigated our legal business structure and regulations regarding the exchange thoroughly.

Quote
Quote
We legally do not need to have a payment service provider license or electronic money issuer license. We use the same bank-account structure for the same reasons as they do.
Let me pause for a minute here and re-read this. You are saying that because you use the same infrastructure you can ditch all the capital, reporting and compliance reporting requirements that a PSP has ? Maybe you could enlighten me regarding this particular point.

What is there to enlighten... We work legally and according to Dutch laws and regulations. The use of a PSP introduces an extra possible security breach because criminals can hack into their systems, and how do you know if the system of your PSP is secure enough for your customers?

Quote
Quote
We have a good relationship with ING.
I'll interpret that as "we have a good relationship with our account manager". Might be wrong here though. It would seem extremely weird and unusual though that they open "the same bank-account structure" as a PSP for a regular corporate client that has no particular financial license whatsoever.


To get a "third party quality bank-account" in the Netherlands you need to register it legally with a notary. (Do not know if this is possible in France)
With the papers from the notary you can open a third party quality bank account and the bank provides you with the authorisation system.

Quote
Quote
I hope for you that you are soon finished rebuilding Bitcoin-central.
We actually are, we're wrapping up some details before relaunching though. If you actually come to get some experience in this field you'll very soon learn that there's where the devil is…

Let's hope you and your hosting service provider have taken actions to prevent what happened to Bitcoin-central a few months ago. I looked at your site and I cannot find anything about your security. Is there a reason that you do not state it on your website? I think people would like to know what you have done to prevent it.
Can you enlighten me; maybe there is something that our security experts can help with to tighten security at FBTC Exchange.

Quote
Quote
If we can help you in any way let me know.
It's a little presumptuous to assume you could run not only one, but also help with a second exchange business at the same time, don't you think ? But hey, smart people are always welcome!


Quote
I think we can support each other in building a reliable set of exchanges to provide all Bitcoin users the service they deserve.
Absolutely, that's why I'm more than happy to challenge you on important issues. It is quite important that we have reliable exchanges. And if you don't do your legal background work probably you're up for a lot of pain down the road, not at the beginning, but when you'll start actually picking up some business. Which will make it even harder to handle.

I know how to do Business, been doing it for many years already. Do not see any issues in this section.

Quote
Quote
Advanced bitcoin traders can earn more if they can quickly switch between multiple exchanges.

Like I said, the important thing is reliability, not gadgets for speculators. If we want half-baked corporate structures that'll fall at the first nod we already have Mark Karpeles for that. I strongly encourage you to document yourself about his problems with French banks in court, because right now, I kinda feel you're walking right in his footsteps.

I have no comment on this.


greetings peter

FBTC Exchange
legendary
Activity: 1372
Merit: 1008
1davout
Thank you for your answer!

Since you do not seem to mind, and that being transparent about your setup is generally perceived as a positive thing let us dig a little further, shall we?

Quote
The bank accounts that are holding third party funds are legally set up for that purpose.
They are third-party bank accounts and are by law outside of the company. The Third party bank accounts have a monthly check by a register accountant (RA).

Ok, so does this particular kind of bank account have a name ?
Who exactly has authority to pull money from it ?


Quote
It's the same system as used by notaries in the Netherlands to hold third party funds.
I understand. In the case of a notary he has an account and maintains an accounting system that is necessary to keep track of funds ownership. Obviously you have such a system too, otherwise you could not have a functioning exchange, my question is : "who has the authoritative accounting data ? Is it you ? Is it some third-party ?"


Quote
In the case something happens to the company a curator will be appointed by court and the curator will refund everybody's money that is on the bank account.
The funds for our operational costs are in another, normal business bank account (at a different bank).
If a curator is needed to perform such a task it means that you're holding the funds directly and have full access to the bank account holding customer money. Is this correct ?


Quote
The things you assume... lets talk about that.
I'm not really talking about assumptions, but about factual information that I learned over time while doing what I do, and which you seem to have some knowledge about. I'm doing you the professional courtesy of sharing some of it with you, make the best out of it. Next time I won't be the one asking the questions, next time you'll be sitting in front of a few not-so-funny people wearing not-so-creative suits.


Quote
We legally do not need to have a payment service provider license or electronic money issuer license. We use the same bank-account structure for the same reasons as they do.
Let me pause for a minute here and re-read this. You are saying that because you use the same infrastructure you can ditch all the capital, reporting and compliance reporting requirements that a PSP has ? Maybe you could enlighten me regarding this particular point.


Quote
We have a good relationship with ING.
I'll interpret that as "we have a good relationship with our account manager". Might be wrong here though. It would seem extremely weird and unusual though that they open "the same bank-account structure" as a PSP for a regular corporate client that has no particular financial license whatsoever.


Quote
I hope for you that you are soon finished rebuilding Bitcoin-central.
We actually are, we're wrapping up some details before relaunching though. If you actually come to get some experience in this field you'll very soon learn that there's where the devil is…


Quote
If we can help you in any way let me know.
It's a little presumptuous to assume you could run not only one, but also help with a second exchange business at the same time, don't you think ? But hey, smart people are always welcome!


Quote
I think we can support each other in building a reliable set of exchanges to provide all Bitcoin users the service they deserve.
Absolutely, that's why I'm more than happy to challenge you on important issues. It is quite important that we have reliable exchanges. And if you don't do your legal background work probably you're up for a lot of pain down the road, not at the beginning, but when you'll start actually picking up some business. Which will make it even harder to handle.


Quote
Advanced bitcoin traders can earn more if they can quickly switch between multiple exchanges.

Like I said, the important thing is reliability, not gadgets for speculators. If we want half-baked corporate structures that'll fall at the first nod we already have Mark Karpeles for that. I strongly encourage you to document yourself about his problems with French banks in court, because right now, I kinda feel you're walking right in his footsteps.


Looking forward to your answers !
newbie
Activity: 29
Merit: 0
Hello Davout,

It's no problem for me to let you know how we are legally set up. As I stated earlier, we are building a solid and trustworthy exchange.

The bank accounts that are holding third party funds are legally set up for that purpose.
They are third-party bank accounts and are by law outside of the company. The Third party bank accounts have a monthly check by a register accountant (RA).

It's the same system as used by notaries in the Netherlands to hold third party funds. (For example, if you buy a house and you send money to the notary, it is held in a similar bank account.)
So by law, the third party bank account cannot be compromised if something happens to the company.

In the case something happens to the company a curator will be appointed by court and the curator will refund everybody's money that is on the bank account.
The funds for our operational costs are in another, normal business bank account (at a different bank).

The things you assume... let's talk about that.

We legally do not need to have a payment service provider license or electronic money issuer license. We use the same bank-account structure for the same reasons as they do.
We have a good relationship with ING. We have discussed all aspects of the operational side of the exchange with ING: the security issues in money transfers, speed of transfers abroad, criminal attacks, etc. ING has extensive safety nets and in case of a breach of the bank accounts ING will refund everything.

You can read that we know exactly what we are doing.

I hope for you that you are soon finished rebuilding Bitcoin-central. If we can help you in any way let me know.
I think we can support each other in building a reliable set of exchanges to provide all Bitcoin users the service they deserve. Advanced bitcoin traders can earn more if they can quickly switch between multiple exchanges.   

Fast and reliable services are needed to get Bitcoin generally accepted and increase the value of Bitcoin.

greetings Peter

FBTC Exchange
legendary
Activity: 1372
Merit: 1008
1davout

Let me just re-state my question if you do not mind. (You don't mind, do you?)

How are you legally set up ?

If you did your homework correctly you should know that holding funds on behalf of third-parties on a plain corporate account is not only dangerous for a lot of reasons but also illegal.

So, I assume you either have a payment service provider license, an electronic money issuer license, an actual partnership deal with ING (which I'm a little doubtful about) or that you don't know what you're doing.

Care to enlighten me ?

(And sorry, I meant to post this in the Dutch thread, but my written Dutch is terrible)
legendary
Activity: 1372
Merit: 1008
1davout
The answer is : "they use another program than Google Authenticator, the same way they can use Firefox instead of Chrome".
   Thanks! That didn't hurt, did it?

Spell it out for a noob, that's how he'll thank you... Should've let you educate yourself.
legendary
Activity: 1014
Merit: 1003
VIS ET LIBERTAS
The answer is : "they use another program than Google Authenticator, the same way they can use Firefox instead of Chrome".
   Thanks! That didn't hurt, did it?
legendary
Activity: 1372
Merit: 1008
1davout
My browser is called Firefox.
I don't understand your insinuations. If you have an answer to my question "What if people don't want to use a googl service because they don't want their data to be secretly collected and used by googl for dubious purposes?" explain yourself clearly.

The answer is : "they use another program than Google Authenticator, the same way they can use Firefox instead of Chrome".
legendary
Activity: 1014
Merit: 1003
VIS ET LIBERTAS
My browser is called Firefox.
I don't understand your insinuations. If you have an answer to my question "What if people don't want to use a googl service because they don't want their data to be secretly collected and used by googl for dubious purposes?" explain yourself clearly.
legendary
Activity: 1372
Merit: 1008
1davout
So why is it called "Google authenticator"?

Why is your browser called Google Chrome? Derp.
legendary
Activity: 1014
Merit: 1003
VIS ET LIBERTAS
What if people don't want to use a googl service because they don't want their data to be secretly collected and used by googl for dubious purposes?
It's an open standard that's in no way specific to Google.
So why is it called "Google authenticator"?
legendary
Activity: 1372
Merit: 1008
1davout
What if people don't want to use a googl service because they don't want their data to be secretly collected and used by googl for dubious purposes?

It's an open standard that's in no way specific to Google.
legendary
Activity: 1014
Merit: 1003
VIS ET LIBERTAS
Quote
Two-way authentication:

To protect your account if your username and password are stolen, we have a two-way authentication into the system using Google authenticator.
What if people don't want to use a googl service because they don't want their data to be secretly collected and used by googl for dubious purposes?
legendary
Activity: 1372
Merit: 1008
1davout
How are you legally set up ?

If you did your homework correctly you should know that holding funds on behalf of third-parties on a plain corporate account is not only dangerous for a lot of reasons but also illegal.

So, I assume you either have a payment service provider license, an electronic money issuer license, an actual partnership deal with ING (which I'm a little doubtful about) or that you don't know what you're doing.

Care to enlighten me ?

(And sorry, I meant to post this in the Dutch thread, but my written Dutch is terrible)
newbie
Activity: 29
Merit: 0
We have taken all replies into consideration and to increase the safety of our platform we have implemented some additional security measures.
You can now trade 100% safely at FBTC Exchange. You can use the new security measures if you wish to.

We have a US dollar bank account specially for users outside of Europe. Funding of your account through bank transfer will take 4 days due to the process at the local bank of your country.
ING bank has stated to us that all transfers to our US dollar account will be processed immediately. This applies to transfers in and out of our bank account.

If you have a validated account we can do a speed transfer to your account. This transfer is processed at ING the same day. Depending on the speed of your local bank it can be in your bank account the next day.

I will list the security measures.


Incoming bank transfers:

To transfer funds from your local bank to your account you need to generate a unique transaction code. The combination of your bank account and the transaction code will provide a valid transfer to your account.
With the security measures of incoming transfers and the limit of USD 750,00 per day we reduce the risk to a level that we can absorb.
Transfers with an invalid code or from an unknown bank account will be automatically refunded to the bank account.

We get questions whether the same thing that happened to Bitcoin24 can happen at FBTC Exchange. Bitcoin24 had no validation of incoming transfers. So invalid or fraudulent transfers were exchanged for Bitcoins and taken out of Bitcoin24.
When the bank requested refunds from Bitcoin24 they could not pay the money back.


Two-way authentication:

To protect your account if your username and password are stolen, we have a two-way authentication into the system using Google authenticator.
After activating the Google authenticator you must enter an extra validation for logging in, sending Bitcoins out of the account and making withdrawal orders out of your account.


Lock of Bitcoin send addresses:

To add security to your account you can lock a maximum of five Bitcoin addresses. After you lock your addresses you can only send Bitcoins to the specified addresses.
To unlock and change the addresses you have locked you must send a support ticket.
We will ask you for additional verification to release your bitcoin send addresses. (This is not a complete validation of your account.)


Lock of connected bank accounts:

For safety reasons you can lock your connected bank accounts. After the lock of your connected bank accounts you can only make withdrawals to the specified bank accounts.
Once your bank accounts are locked and you want them released you can send us a support ticket.
We will ask you for additional verification to release your bank accounts. (This is not a complete validation of your account.)
 
FBTC Exchange is committed to maximize security. With these additional security measures taken, you are assured that no one can take away your Bitcoins or funds.

greetings,

Peter FBTC Exchange
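The incoming-transfer control described above (a per-user transaction code that must arrive together with a known sender account, a daily cap, and automatic refund of everything else) is a reconciliation rule that can be made precise. What follows is an added example, not FBTC's code: the ledger layout, user ids, account numbers, code format and the five sample transfers are all constructed for illustration; only the USD 750 daily limit comes from the post.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal
from typing import Dict, List, Set, Tuple

DAILY_LIMIT_USD = Decimal("750.00")   # the per-day cap stated in the post


@dataclass
class IncomingTransfer:
    # Constructed fields; a real statement line carries more, but these decide the case.
    sender_account: str      # account number as reported by the bank, not by the user
    reference: str           # free-text reference the sender typed; should hold the code
    amount_usd: Decimal
    booked_on: date


@dataclass
class Ledger:
    account_owner: Dict[str, str]                   # verified bank account -> user id
    open_codes: Dict[Tuple[str, str], Set[str]]     # (user, account) -> unused codes
    credited: Dict[Tuple[str, date], Decimal] = field(
        default_factory=lambda: defaultdict(Decimal))  # (user, day) -> total credited


def settle(ledger: Ledger, t: IncomingTransfer) -> Tuple[str, str]:
    """Return ("credit", user) or ("refund", reason) for one incoming transfer.

    Only the pair (known sender account, code that user generated for it) is
    credited; anything else goes straight back to the sending account and is
    never converted to bitcoin, which is the gap the post attributes to Bitcoin24.
    """
    user = ledger.account_owner.get(t.sender_account)
    if user is None:
        return ("refund", "unknown sender account")
    codes = ledger.open_codes.get((user, t.sender_account), set())
    code = t.reference.strip().upper()
    if code not in codes:
        return ("refund", "invalid or already used transaction code")
    day = (user, t.booked_on)
    if ledger.credited[day] + t.amount_usd > DAILY_LIMIT_USD:
        return ("refund", "daily limit exceeded")
    codes.discard(code)                   # each code is accepted exactly once
    ledger.credited[day] += t.amount_usd
    return ("credit", user)


def demo_ledger() -> Ledger:
    # Constructed sample data: one user, one verified account, two unused codes.
    return Ledger(
        account_owner={"NL00EXAMPLE0001": "user-42"},
        open_codes={("user-42", "NL00EXAMPLE0001"): {"FBTC-7Q2K", "FBTC-9XD1"}},
    )


def run_demo() -> List[Tuple[str, str]]:
    """Settle five constructed transfers against the demo ledger, in order."""
    ledger = demo_ledger()
    day = date(2013, 5, 1)
    transfers = [
        IncomingTransfer("NL00EXAMPLE0001", "fbtc-7q2k", Decimal("500.00"), day),  # valid
        IncomingTransfer("NL00EXAMPLE0001", "FBTC-7Q2K", Decimal("100.00"), day),  # code reused
        IncomingTransfer("DE00UNKNOWN9999", "FBTC-9XD1", Decimal("100.00"), day),  # unknown sender
        IncomingTransfer("NL00EXAMPLE0001", "FBTC-9XD1", Decimal("300.00"), day),  # 800 > 750
        IncomingTransfer("NL00EXAMPLE0001", "FBTC-9XD1", Decimal("250.00"), day),  # exactly 750
    ]
    return [settle(ledger, t) for t in transfers]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

A refused transfer keeps its code unused, so a sender who exceeded the cap can resend a smaller amount the same day with the same code, as the fourth and fifth sample transfers show.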
sr. member
Activity: 364
Merit: 250
Love to hear about a new BTC exchange.
newbie
Activity: 14
Merit: 0
Hello Stelmoi,

The company is registered at the location in Woubrugge. But we rent an office in Amsterdam and we have an office in Haarlem.

In the near future we will move with all locations to one office.


You are getting off to a very rough start. It is not good to see someone from the company trying to obfuscate things and claim that they don't have to put a KVK number on their web site. Glad you came around finally, even if only after having others rub your nose in the Dutch law, and have now put the KVK number on the website.

But good luck anyways, if you survive this launch you might have a chance.