Pages:
Author

Topic: New Fast Bitcoin Exchange in the Netherlands (Read 6927 times)

legendary
Activity: 2506
Merit: 1010
November 03, 2013, 07:12:36 AM
#40
Malware gang steals $1.4m and sets up bitcoin exchange to launder it
http://www.coindesk.com/malware-gang-steals-1-4m-bitcoin-exchange-launder/
hero member
Activity: 537
Merit: 524

Personally I wouldn't trust my money or bitcoins to this company because it looks like a scam.

Unfotunately it seems like I was right and it is a scam. The website has been down for several days already and today the following news came out:
http://tweakers.net/nieuws/92170/politie-pakt-4-mannen-op-wegens-plunderen-bankrekeningen-via-malware.html (in Dutch). What it basically says is that 4 men were arrested on monday for using TorRAT banking-malware to plunder bank accounts through phishing and that one of the suspects was managing a btc exchange. Although FBTC is not mentioned specifically, one of the suspects comes from Woubrugge where also the company (Larmit beheer BV) managing FBTC is registered. That coupled with the fact that the site has been down for a few days.......
legendary
Activity: 1372
Merit: 1008
1davout
The Third party bank accounts have a monthly check by a register accountant (RA).

One party sets the transfers out of the system, and an other, (third) party checks the transfers and sends them out. So you always need two parties to authorize payments. One party is FBTC Exchange and the other is the registered account (RA).
So, if I read this correctly you're saying you can only send outbound transfers once every month ?


In holland it is called a "third party quality bank account"
If you could please give me the dutch term I'll will look it up, my written dutch is quite terrible but I can read it just fine.


Maybe it would be best if you read the legal aspects of such a bank account and you will see that the regulations are set by law.
Sure, like I said if you give me the dutch terms I'll look it up, my pleasure.


To get a "third party quality bank-account" in the Netherlands you need to registered it legal by a notary. (Do not know if this is possible in France)      
With the papers from the notary you can open a third party quality bank account and the bank provides you with the authorisation system.
Never heard of any such thing in France. On the other hand I have never heard of haring, paling, oliebollen and other dutch delicacies in France either.
If such is the way it works I assume that you have to be transparent in your ToS about it, so your customers know exactly know how their money is being handled. So far your transparency level is pretty much : "don't worry, I'm from the Internet". Anyway, that's an assumption, guess I'll make a more complete opinion about your setup when provided with something I can research against third-party sources.


What is there to enlighten... We work legal and according Dutch laws and regulations. The use of a PSP sets an extra possible security breach because criminals can hack into their systems, and how do you know if the system from your PSP is secure enough for your customers.
Sure, if you reason like this you might as well do your exchange with pen and paper. Duh.
Also PSPs have something that's called "insurance" which is there precisely to cover such risks, making the overall setup much much safer.


Can you enlighten me, maybe there is something that our security experts can help to tighten security at FBTC Exchange.
Well, I actually can give you two pieces of advice to your, ahem, "security experts" :

  • Don't use cloudflare, ever. Just because Bitstamp does it means it's a good thing.
  • Don't hash your passwords with SHA2, ever. If I ever hear anyone say the word "salt" I'll stab him in the face (protip: it doesn't solve shit).

Let's pause for a minute and use our brain jointly by starting with nr. 1 shall we ?

What is an SSL certificate for ? It's to prevent MITM attacks and eavesdropping. Ok, so far so good.
What does Cloudflare do ? It sits between you and the Internet, essentially being a massive MITM in itself, you even give them your SSL cert.

So, why the fuck would you want any Cloudflare employee to be able to sniff the passwords of your users as they travel through their servers ?

Gosh, what were you thinking ? "Bitstamp does it, must be cool!". Guess what, it's not.

Now for the second thing : do not hash passwords with SHA2, MD5, SHA3 or any such function, and salting doesn't help, at all. Let us take a minute to examine why this is, and has notoriously been for a while a terrible, terrible security practice.

What is SHA2 ? It is a hash function. What is it designed for ? It is designed for hashing arbitrarily large chunks of data to a fixed-size fingerprint. And it is heavily optimized to be *fast*. Yes, fast. That means that of all the hash functions, you picked one that actually *helps* the bruteforce process by being heavily performance optimized. Gosh, it's even massively parallelizable! As in "the whole Bitcoin system is based on efficiently bruteforcing the shit out of it".

Once you use your brain the correct solution becomes quite obvious, it is to use something that is designed to be *slow*, and to adapt its slowness to the performance of common computers.

So look up bcrypt, get your stuff straight, and come thank me after your first pwnage, because I'll have avoided a lot of password leakage.

But either way, don't bother to change the SHA2 thing unless you also drop cloudflare, because if you don't, your passwords are already pretty much travelling in cleartext over the wire.


So I'm interested in reading more about your setup. But I encourage you to do something about your glaring security flaws. When you're done with that maybe we can talk security, maybe.
sr. member
Activity: 448
Merit: 250
No longer satoshipoker.org - Can't change avatar
With the assistance of ING bank we can accept and transfer Euro and US dollar.  Our exchange handles trades in both currencies. We will add other currencies and transfer methods in the next 6 months.   

Be really careful. The statements of the Dutch government only apply to BTC2EUR and EUR2BTC transactions, as USD is highly regulated and controlled outside of Holland. Good luck with the site though Smiley
newbie
Activity: 29
Merit: 0
Hello Davout,

Quote
Quote
The bank accounts that are holding third party funds are legally set up for that purpose.
They are third-party bank accounts and are by law outside of the company. The Third party bank accounts have a monthly check by a register accountant (RA).

Ok, so does this particular kind of bank account have a name ?
Who exactly has authority to pull money from it ?

Quote
Quote
Its the same system as used by notaries in the Netherlands to held third party funds.
I understand. In the case of a notary he has an account and maintains an accounting system that is necessary to keep track of funds ownership. Obviously you have such a system too, otherwise you could not have a functioning exchange, my question is : "who has the authoritative accounting data ? Is it you ? Is it some third-party ?"
Quote
Quote
In the case something happens to the company a curator will be appointed by court and the curator will refund everybody's money that is on the bank account.
The funds for our operational costs are in an other, normal business bank account (at a different bank).
If a curator is needed to perform such a task it means that you're holding the funds directly and have full access to the bank account holding customer money. Is this correct ?

I do not know the exact legal terms they call it in other countries. In holland it is called a "third party quality bank account" It are accounts with a double or triple authority system. Non of the parties has direct authority to pull money. One party sets the transfers out of the system, and an other, (third) party checks the transfers and sends them out. So you always need two parties to authorize payments. One party is FBTC Exchange and the other is the registered account (RA).
If the company has trouble then a curator takes the place of FBTC Exchange and pays out the funds to the clients in the same way as explained above. The accountant can set the transfers and the curator sends them to the rightful owners.   

Maybe it would be best if you read the legal aspects of such a bank account and you will see that the regulations are set by law. 


Quote
Quote
The things you assume... lets talk about that.
I'm not really talking about assumptions, but about factual information that I learned over time while doing what I do, and which you seem to have some knowledge about. I'm doing you the professionnal courtesy of sharing some of it with you, make the best out of it. Next time I won't be the one asking the questions, next time you'll be sitting in front of a few not-so-funny people wearing not-so-creative suits.

Thanks for the heads up but we have investigated our legal business structure and regulations regarding the exchange thoroughly.

Quote
Quote
We legally do not need to have a payment service provider license or electronic money issuer license. We use the same bank-account structure for the same reasons as they do.
Let me pause for a minute here and re-read this. You are saying that because you use the same infrastructure you can ditch all the capital, reporting and compliance reporting requirements that a PSP has ? Maybe you could enlighten me regarding this particular point.

What is there to enlighten... We work legal and according Dutch laws and regulations. The use of a PSP sets an extra possible security breach because criminals can hack into their systems, and how do you know if the system from your PSP is secure enough for your customers.   

Quote
Quote
We have a good relationship with ING.
I'll interpret that as "we have a good relationship with our account manager". Might be wrong here though. It would seem extremely weird and unusual though that they open "the same bank-account structure" as a PSP for a regular corporate client that has no particular financial license whatsoever.


To get a "third party quality bank-account" in the Netherlands you need to registered it legal by a notary. (Do not know if this is possible in France)       
With the papers from the notary you can open a third party quality bank account and the bank provides you with the authorisation system.

Quote
Quote
I hope for you that you are soon finished rebuilding Bitcoin-central.
We actually are, we're wrapping up some details before relaunching though. If you actually come to get some experience in this field you'll very soon learn that there's where the devil is…

Lets hope you and your hosting service provider has taken actions to prevent what happened to Bitcoin central a few months ago. I looked at your site and i can not find anything about your security. Is there a reason that you do not state it on your website?  I think people would like to know what you have done to prevent it.
Can you enlighten me, maybe there is something that our security experts can help to tighten security at FBTC Exchange.

Quote
Quote
If we can help you in any way let me know.
It's a little presumptuous to assume you could run not only one, but also help with a second exchange business at the same time, don't you think ? But hey, smart people are always welcome!


Quote
I think we can support each other in building a reliable set of exchanges to provide all Bitcoin users the service they deserve.
Absolutely, that's why I'm more than happy to challenge you on important issues. It is quite important that we have reliable exchanges. And if you don't do your legal background work probably you're up for a lot of pain down the road, not at the beginning, but when you'll start actually picking up some business. Which will make it even harder to handle.

I know how to do Business, been doing it for many years already. Do not see any issues in this section.

Quote
Quote
Advanced bitcoin traders can earn more if they can quickly switch between multiple exchanges.

Like I said, the important thing is reliability, not gadgets for speculators. If we want half-baked corporate structures that'll fall at the first nod we already have Mark Karpeles for that. I strongly encourage you to document yourself about his problems with French banks in court, because right now, I kinda feel you're walking right in his footsteps.

I have no comment on this.


greetings peter

FBTC Exchange
legendary
Activity: 1372
Merit: 1008
1davout
Thank you for your answer!

Since you do not seem to mind, and that being transparent about your setup is generally perceived as a positive thing let us dig a little further, shall we?

Quote
The bank accounts that are holding third party funds are legally set up for that purpose.
They are third-party bank accounts and are by law outside of the company. The Third party bank accounts have a monthly check by a register accountant (RA).

Ok, so does this particular kind of bank account have a name ?
Who exactly has authority to pull money from it ?


Quote
Its the same system as used by notaries in the Netherlands to held third party funds.
I understand. In the case of a notary he has an account and maintains an accounting system that is necessary to keep track of funds ownership. Obviously you have such a system too, otherwise you could not have a functioning exchange, my question is : "who has the authoritative accounting data ? Is it you ? Is it some third-party ?"


Quote
In the case something happens to the company a curator will be appointed by court and the curator will refund everybody's money that is on the bank account.
The funds for our operational costs are in an other, normal business bank account (at a different bank).
If a curator is needed to perform such a task it means that you're holding the funds directly and have full access to the bank account holding customer money. Is this correct ?


Quote
The things you assume... lets talk about that.
I'm not really talking about assumptions, but about factual information that I learned over time while doing what I do, and which you seem to have some knowledge about. I'm doing you the professionnal courtesy of sharing some of it with you, make the best out of it. Next time I won't be the one asking the questions, next time you'll be sitting in front of a few not-so-funny people wearing not-so-creative suits.


Quote
We legally do not need to have a payment service provider license or electronic money issuer license. We use the same bank-account structure for the same reasons as they do.
Let me pause for a minute here and re-read this. You are saying that because you use the same infrastructure you can ditch all the capital, reporting and compliance reporting requirements that a PSP has ? Maybe you could enlighten me regarding this particular point.


Quote
We have a good relationship with ING.
I'll interpret that as "we have a good relationship with our account manager". Might be wrong here though. It would seem extremely weird and unusual though that they open "the same bank-account structure" as a PSP for a regular corporate client that has no particular financial license whatsoever.


Quote
I hope for you that you are soon finished rebuilding Bitcoin-central.
We actually are, we're wrapping up some details before relaunching though. If you actually come to get some experience in this field you'll very soon learn that there's where the devil is…


Quote
If we can help you in any way let me know.
It's a little presumptuous to assume you could run not only one, but also help with a second exchange business at the same time, don't you think ? But hey, smart people are always welcome!


Quote
I think we can support each other in building a reliable set of exchanges to provide all Bitcoin users the service they deserve.
Absolutely, that's why I'm more than happy to challenge you on important issues. It is quite important that we have reliable exchanges. And if you don't do your legal background work probably you're up for a lot of pain down the road, not at the beginning, but when you'll start actually picking up some business. Which will make it even harder to handle.


Quote
Advanced bitcoin traders can earn more if they can quickly switch between multiple exchanges.

Like I said, the important thing is reliability, not gadgets for speculators. If we want half-baked corporate structures that'll fall at the first nod we already have Mark Karpeles for that. I strongly encourage you to document yourself about his problems with French banks in court, because right now, I kinda feel you're walking right in his footsteps.


Looking forward to your answers !
newbie
Activity: 29
Merit: 0
Hello Davout,

Its no problem for me to let you know how we are legally setup. As i stated earlier we are building a solid and trustworthy exchange.

The bank accounts that are holding third party funds are legally set up for that purpose.
They are third-party bank accounts and are by law outside of the company. The Third party bank accounts have a monthly check by a register accountant (RA).

Its the same system as used by notaries in the Netherlands to held third party funds. (For example if you buy a house and you send money to the notary it is held in a similar bank account)
So by law, third party bank account can not be compromised if something happens to the company.

In the case something happens to the company a curator will be appointed by court and the curator will refund everybody's money that is on the bank account.
The funds for our operational costs are in an other, normal business bank account (at a different bank).

The things you assume... lets talk about that.

We legally do not need to have a payment service provider license or electronic money issuer license. We use the same bank-account structure for the same reasons as they do.
We have a good relationship with ING. We have discussed all aspects of the operational side of the exchange with ING. the security issues in money transfers, speed of transfers abroad, criminal attacks, etc etc. ING has extensive safety nets and in case of a breach of the bank-accounts ING will refund everything.

You can read that we know exactly what we are doing. Wink 

I hope for you that you are soon finished rebuilding Bitcoin-central. If we can help you in any way let me know.
I think we can support each other in building a reliable set of exchanges to provide all Bitcoin users the service they deserve. Advanced bitcoin traders can earn more if they can quickly switch between multiple exchanges.   

Fast and reliable services are needed to get Bitcoin generally accepted and increase the value of Bitcoin.

greetings Peter

FBTC Exchange
legendary
Activity: 1372
Merit: 1008
1davout

Let me just re-state my question if you do not mind. (You don't mind, do you?)

How are you legally set up ?

If you did your homework correctly you should know that holding funds on behalf of third-parties on a plain corporate account is not only dangerous for a lot of reasons but also illegal.

So, I assume you either have a payment service provider license, an electronic money issuer license, an actual partnership deal with ING (which I'm a little doubtful about) or that you don't know what you're doing.

Care to enlighten me ?

(And sorry, I meant to post this in the dutch thread, but my written dutch is terrible)
legendary
Activity: 1372
Merit: 1008
1davout
The answer is : "they use another program than Google Authenticator, the same way they can use Firefox instead of Chrome".
   Thanks! That didn't hurt, did it?

Spell it out for a noob, that's how he'll thank you... Should've let you educate yourself.
legendary
Activity: 1017
Merit: 1003
VIS ET LIBERTAS
The answer is : "they use another program than Google Authenticator, the same way they can use Firefox instead of Chrome".
   Thanks! That didn't hurt, did it?
legendary
Activity: 1372
Merit: 1008
1davout
My browser is called firefox.
Je ne comprends pas vos allusions. Si vous avez une réponse à ma question "What if people dont want to use a googl service because they dont want their data to be secretly collected and used by googl for dubious purposes?" expliquez-vous clairement.

The answer is : "they use another program than Google Authenticator, the same way they can use Firefox instead of Chrome".
legendary
Activity: 1017
Merit: 1003
VIS ET LIBERTAS
My browser is called firefox.
Je ne comprends pas vos allusions. Si vous avez une réponse à ma question "What if people dont want to use a googl service because they dont want their data to be secretly collected and used by googl for dubious purposes?" expliquez-vous clairement.
legendary
Activity: 1372
Merit: 1008
1davout
So why is it called "Google authenticator"?

Why is your browser called Google Chrome? Derp.
legendary
Activity: 1017
Merit: 1003
VIS ET LIBERTAS
What if people dont want to use a googl service because they dont want their data to be secretly collected and used by googl for dubious purposes?
It's an open standard that's in no way specific to Google.
So why is it called "Google authenticator"?
legendary
Activity: 1372
Merit: 1008
1davout
What if people dont want to use a googl service because they dont want their data to be secretly collected and used by googl for dubious purposes?

It's an open standard that's in no way specific to Google.
legendary
Activity: 1017
Merit: 1003
VIS ET LIBERTAS
Quote
Two-way authentication:

To protect your account if your username and password are stolen, we have a two-way authentication into the system using Google authenticator.
What if people dont want to use a googl service because they dont want their data to be secretly collected and used by googl for dubious purposes?
legendary
Activity: 1372
Merit: 1008
1davout
How are you legally set up ?

If you did your homework correctly you should know that holding funds on behalf of third-parties on a plain corporate account is not only dangerous for a lot of reasons but also illegal.

So, I assume you either have a payment service provider license, an electronic money issuer license, an actual partnership deal with ING (which I'm a little doubtful about) or that you don't know what you're doing.

Care to enlighten me ?

(And sorry, I meant to post this in the dutch thread, but my written dutch is terrible)
newbie
Activity: 29
Merit: 0
We have taken all replies in consideration and to increase the safety of our platform we have implemented some additional security measures.
you can now trade 100% safe at FBTC Exchange. You can use the new security measurements if you wish to.

We have an US dollar bank account special for users outside of Europe. Funding of your account through bank transfer will take 4 days due to the process at the local bank of your country.
ING bank have stated to us that all transfers to our US dollar account will be processed immediately. This applies to transfers in and out of our bank account.

If you have a validated account we can do a speed transfer to your account. This transfer is processed at ING the same day. Depending on the speed of your local bank it can be in your bank account the next day.

I will list the security measurements.


Incoming bank transfers:

To transfer funds from your local bank to your account you need to generate a unique transaction code. The combination of your bank account and the transaction code will provide a valid transfer to your account.
With the security measures of incoming transfers and the limit of USD 750,00 per day we reduce the risk to a level that we can absorb.
Transfers with an invalid code or from an unknown bank account will be automatically refunded to the bank account.

We get questions if the same thing that is happend to Bitcoin24 can happen at FBTC Exchange. Bitcoin24 had no validation of incoming transfers. So invalid or fraudulent transfers are changed for Bitoins and taken out of Bitcoin24.
When the bank requested refunds from Bitcoin24 they could not pay the money back.


Two-way authentication:

To protect your account if your username and password are stolen, we have a two-way authentication into the system using Google authenticator.
After activating the Google authenticator you must enter an extra validation for login, sending Bitcoins out of the account and make withdrawal orders out of your account.


Lock of Bitcoin send Addresses:

To add security to your account you can lock a maximum of five Bitcoin addresses. After you lock your addresses you can only send Bitcoins to the specified addresses.
To unlock and change the addresses you have locked you must send a support ticket.
We will ask you for additional verification to release your bitcoin send addresses. (This is not a complete validation of your account.)


Lock of connected bank accounts:

For safety reasons you can lock your connected bank accounts. After the lock of your connected bank accounts you can only make withdrawals to the specified bank accounts.
Once your bank accounts are locked and you want them released you can send us a support ticket.
We will ask you for additional verification to release your bank accounts. (This is not a complete validation of your account.)
 
FBTC Exchange is committed to maximize security. With these additional security measures taken, you are assured that no one can take away your Bitcoins or funds.

greeting,

Peter FBTC Exchange
sr. member
Activity: 364
Merit: 250
Love to hear new BTC exchange/.
newbie
Activity: 14
Merit: 0
Hello Stelmoi,

The Compagny is registered on the location in Woubrugge. But we rent a office in Amsterdam and we have an office in haarlem.

In the near future we will move with all locations to one office.


You are getting off to a very rough start.   It is not good to see someone from the company trying to obfuscate things and claim that they don't have to put KVK number on their web site.  Glad you came around finally, even if only after having others rub your nose in the dutch law, and have now put the KVK number on the website.   

But good luck anyways, if you survive this launch you might have a chance Wink
Pages:
Jump to: