
Topic: Tor+Blockchain wallet hacked? 633 btc loss (Read 14360 times)

legendary
Activity: 1568
Merit: 1031
November 11, 2014, 01:12:19 PM
Damn, and this is exactly why I don't use online wallets.
newbie
Activity: 18
Merit: 0
November 11, 2014, 12:28:35 PM
People are trolling the guy for not taking enough security. It's getting to the point where if you do not have a PhD in computer science then your coins can be hacked... cold wallets are difficult enough to understand even with the correct background.

We need better insurance policies for the regular users. It would be better if there were insurance plans for bitcoins.

When somebody hacks your bank account, the bank gives you back all your money. In this respect the banking system is far superior for large amounts of money.
The OP has mentioned that he normally keeps his bitcoin in a wallet other than on blockchain.info. He also said that he only transferred his coins to a blockchain.info wallet in order to use their shared send feature. The fact that he was trying to use shared send via Tor would likely mean, IMO, that he was doing something illegal with his bitcoin.

Why does it matter if he was doing something illegal with his coins?
I would say that it matters because if he was then there should be less sympathy for the OP. It would also be less of a technological concern for the bitcoin community as helping people commit crimes via bitcoin should not be a high priority

Does not matter if it is illegal, indeed. I just hope for him that he bought it for 50 cents apiece...
member
Activity: 119
Merit: 100
November 09, 2014, 06:38:07 PM
People are trolling the guy for not taking enough security. It's getting to the point where if you do not have a PhD in computer science then your coins can be hacked... cold wallets are difficult enough to understand even with the correct background.

We need better insurance policies for the regular users. It would be better if there were insurance plans for bitcoins.

When somebody hacks your bank account, the bank gives you back all your money. In this respect the banking system is far superior for large amounts of money.
The OP has mentioned that he normally keeps his bitcoin in a wallet other than on blockchain.info. He also said that he only transferred his coins to a blockchain.info wallet in order to use their shared send feature. The fact that he was trying to use shared send via Tor would likely mean, IMO, that he was doing something illegal with his bitcoin.

Why does it matter if he was doing something illegal with his coins?
I would say that it matters because if he was then there should be less sympathy for the OP. It would also be less of a technological concern for the bitcoin community as helping people commit crimes via bitcoin should not be a high priority
full member
Activity: 155
Merit: 100
November 09, 2014, 04:04:52 PM
This is true for business accounts, but personal accounts are still safe
legendary
Activity: 4522
Merit: 3426
November 09, 2014, 02:09:04 PM
When somebody hacks your bank account, the bank gives you back all your money. In this respect the banking system is far superior for large amounts of money.

That is not always true.

http://www.businessnewsdaily.com/5855-why-your-bank-account-might-not-be-as-safe-as-you-think.html
http://www.nytimes.com/2012/06/14/business/smallbusiness/protecting-business-accounts-from-hackers.html?pagewanted=all
full member
Activity: 155
Merit: 100
November 09, 2014, 01:49:15 PM
People are trolling the guy for not taking enough security. It's getting to the point where if you do not have a PhD in computer science then your coins can be hacked... cold wallets are difficult enough to understand even with the correct background.

We need better insurance policies for the regular users. It would be better if there were insurance plans for bitcoins.

When somebody hacks your bank account, the bank gives you back all your money. In this respect the banking system is far superior for large amounts of money.
The OP has mentioned that he normally keeps his bitcoin in a wallet other than on blockchain.info. He also said that he only transferred his coins to a blockchain.info wallet in order to use their shared send feature. The fact that he was trying to use shared send via Tor would likely mean, IMO, that he was doing something illegal with his bitcoin.

I am not the OP but have a similar story to him.

I am a high volume cash trader. I need to obscure where my bitcoins came from in case a client tries to rob me through violence. You're making incorrect assumptions.
You don't need to use Tor to obscure the source of your bitcoin; using a "normal" internet connection (or even a VPN) would be sufficiently secure, as it is unlikely that anyone you are trading with would have access to your IP address, or would be able to monitor traffic from your IP address if they did have it.
legendary
Activity: 4522
Merit: 3426
November 09, 2014, 01:47:49 PM
The fact that he was trying to use shared send via tor would likely mean IMO that he was doing something illegal with his bitcoin

You have no idea why he was using shared send via tor. It does not mean that he was doing something illegal with his bitcoin. Don't be ignorant. Think for yourself. Don't be a willing victim of oppression.
member
Activity: 182
Merit: 10
November 09, 2014, 12:46:18 PM
People are trolling the guy for not taking enough security. It's getting to the point where if you do not have a PhD in computer science then your coins can be hacked... cold wallets are difficult enough to understand even with the correct background.

We need better insurance policies for the regular users. It would be better if there were insurance plans for bitcoins.

When somebody hacks your bank account, the bank gives you back all your money. In this respect the banking system is far superior for large amounts of money.
The OP has mentioned that he normally keeps his bitcoin in a wallet other than on blockchain.info. He also said that he only transferred his coins to a blockchain.info wallet in order to use their shared send feature. The fact that he was trying to use shared send via Tor would likely mean, IMO, that he was doing something illegal with his bitcoin.

Why does it matter if he was doing something illegal with his coins?
sr. member
Activity: 297
Merit: 250
November 09, 2014, 08:16:13 AM
People are trolling the guy for not taking enough security. It's getting to the point where if you do not have a PhD in computer science then your coins can be hacked... cold wallets are difficult enough to understand even with the correct background.

We need better insurance policies for the regular users. It would be better if there were insurance plans for bitcoins.

When somebody hacks your bank account, the bank gives you back all your money. In this respect the banking system is far superior for large amounts of money.
The OP has mentioned that he normally keeps his bitcoin in a wallet other than on blockchain.info. He also said that he only transferred his coins to a blockchain.info wallet in order to use their shared send feature. The fact that he was trying to use shared send via Tor would likely mean, IMO, that he was doing something illegal with his bitcoin.

I am not the OP but have a similar story to him.

I am a high volume cash trader. I need to obscure where my bitcoins came from in case a client tries to rob me through violence. You're making incorrect assumptions. 
full member
Activity: 206
Merit: 100
November 09, 2014, 03:11:44 AM
People are trolling the guy for not taking enough security. It's getting to the point where if you do not have a PhD in computer science then your coins can be hacked... cold wallets are difficult enough to understand even with the correct background.

We need better insurance policies for the regular users. It would be better if there were insurance plans for bitcoins.

When somebody hacks your bank account, the bank gives you back all your money. In this respect the banking system is far superior for large amounts of money.
The OP has mentioned that he normally keeps his bitcoin in a wallet other than on blockchain.info. He also said that he only transferred his coins to a blockchain.info wallet in order to use their shared send feature. The fact that he was trying to use shared send via Tor would likely mean, IMO, that he was doing something illegal with his bitcoin.
full member
Activity: 183
Merit: 100
November 08, 2014, 12:35:43 PM
The first mistake is using an online wallet.
The second is using Tor with it, and I am sure there was no 2FA.
The third mistake is keeping 633 BTC in one place; for God's sake, by 13-10-2014 (time of the tx) it was worth 250K dollars.

Sorry mate I'm actually looking to hear from people who know what they're talking about.

1. I don't store coins there. I was just using the service primarily for the shared coin feature.
2. I did use 2FA - read back.
3. Blockchain.info does not have access to one's private keys - they're generated locally, so it is not at risk of an MtGox-type hack.
4. Blockchain.info employs https.


Given all of this info, I want to hear ideas (there have been some helpful suggestions already on this thread) on how I was exploited. I don't want to hear about what I supposedly did wrong, I want to hear what the attacker may have done. It's an investigation.
It was likely some kind of MITM attack in which the "S" of HTTPS was faked.

Also, 2FA does nothing once an attacker is able to log in to your wallet, as they can simply download a backup of your wallet and import it into a new wallet that does not employ 2FA (2FA is not done at the wallet level, only at the identifier level).

EDIT: I think it would probably have been safer to use a trusted mixing service like bitmixer (I think they are trustworthy, but that is ultimately your decision), as when you are given an address to send to they will give you a signed message from their primary address (1bitmixer....) so you can verify the message and that the transaction will proceed according to your wishes
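The point made in the reply above, that 2FA guards the login ("identifier level") while a downloaded backup is protected by the wallet password alone, and the question asked elsewhere in the thread of how an attacker could get past 2FA at all, as an added model in Python. This is not code from any post here and not blockchain.info's code or file format: the identifier, password, keys, timestamp, toy stream cipher and backup layout are all constructed for the example, and the TOTP routine follows RFC 6238.

```python
"""Toy model of a web wallet whose 2FA guards only the login ("identifier
level") while the downloadable backup is protected by the wallet password
alone.  Constructed for illustration: not blockchain.info's code or format."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the scheme Google Authenticator uses)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, 32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream.
    Enough for the model; a real wallet would use an AEAD such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class WebWallet:
    def __init__(self, identifier: str, password: str, private_keys: list,
                 totp_secret: bytes):
        self.identifier = identifier
        self.salt = secrets.token_bytes(16)
        self.pw_hash = derive_key(password, self.salt)
        self.totp_secret = totp_secret
        # The backup blob is encrypted with a key derived from the password only:
        # nothing about the second factor is involved in protecting the keys.
        self.nonce = secrets.token_bytes(16)
        self.backup = keystream_xor(derive_key(password, self.salt), self.nonce,
                                    "\n".join(private_keys).encode())

    def login(self, identifier: str, password: str, code: str, now: int):
        """Identifier-level control: correct password AND a fresh TOTP code."""
        ok = (identifier == self.identifier
              and hmac.compare_digest(derive_key(password, self.salt), self.pw_hash)
              and hmac.compare_digest(code, totp(self.totp_secret, now)))
        return "session-token" if ok else None

    def download_backup(self, session):
        if session != "session-token":
            raise PermissionError("login required")
        return self.salt, self.nonce, self.backup


def import_backup(salt: bytes, nonce: bytes, blob: bytes, password: str) -> list:
    """Offline: decrypt the backup and load the keys into a wallet the attacker
    controls, where no 2FA exists."""
    return keystream_xor(derive_key(password, salt), nonce, blob).decode().split("\n")


def scenario() -> bool:
    keys = ["KEY-1-constructed", "KEY-2-constructed"]   # placeholders, not real keys
    password = "correct horse battery staple"           # constructed
    secret = b"12345678901234567890"                    # RFC 6238 test secret
    wallet = WebWallet("wallet-id-constructed", password, keys, secret)
    now = 1413200000                                    # constructed timestamp

    # 1. The victim logs in through a downgraded (plain-http) connection.  An
    #    active exit node sees the identifier, the password and the 6-digit code.
    code = totp(secret, now)
    wrong_code = "000000" if code != "000000" else "000001"

    # 2. Password alone is refused: 2FA does its job at the login.
    if wallet.login("wallet-id-constructed", password, wrong_code, now) is not None:
        return False

    # 3. The exit node relays the victim's own login request and keeps the session
    #    token the server hands back.  The one-time code is consumed exactly once.
    session = wallet.login("wallet-id-constructed", password, code, now)

    # 4. With that session it downloads the backup; the password it sniffed
    #    decrypts it offline.  The keys now live outside the 2FA boundary.
    stolen = import_backup(*wallet.download_backup(session), password)
    return stolen == keys
```

In the model the second factor is checked exactly once, at the login the exit node relays on the victim's behalf; the backup it then downloads is encrypted with the password only, so no further 2FA prompt stands between the attacker and the keys. A control that also bound the backup export, or its decryption, to a fresh second factor is what the model points at as the missing piece.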
hero member
Activity: 552
Merit: 501
November 08, 2014, 05:16:18 AM
The first mistake is using an online wallet.
The second is using Tor with it, and I am sure there was no 2FA.
The third mistake is keeping 633 BTC in one place; for God's sake, by 13-10-2014 (time of the tx) it was worth 250K dollars.

Sorry mate I'm actually looking to hear from people who know what they're talking about.

1. I don't store coins there. I was just using the service primarily for the shared coin feature.
2. I did use 2FA - read back.
3. Blockchain.info does not have access to one's private keys - they're generated locally, so it is not at risk of an MtGox-type hack.
4. Blockchain.info employs https.


Given all of this info, I want to hear ideas (there have been some helpful suggestions already on this thread) on how I was exploited. I don't want to hear about what I supposedly did wrong, I want to hear what the attacker may have done. It's an investigation.

What form of 2FA did you have? I'm struggling even to imagine how a hacker could get past 2FA. If that becomes possible then we have a very serious problem.
member
Activity: 100
Merit: 10
November 08, 2014, 03:41:31 AM
I have never thought about this before.. but it's possible. Only because of how Tor works, sending data through different nodes before reaching the actual server.. and vice-versa.
So someone could have manipulated the data transfer between the user and the server as a "middle man" of some kind.
The middle man can only be the exit node, as this is where the data eventually gets decrypted, and the exit node is the only node that can see the data being transferred from the Tor network to the rest of the internet. The middle nodes and the entry guards cannot see the traffic in decrypted form.
sr. member
Activity: 259
Merit: 250
November 07, 2014, 07:37:09 PM
I have never thought about this before.. but it's possible. Only because of how Tor works, sending data through different nodes before reaching the actual server.. and vice-versa.
So someone could have manipulated the data transfer between the user and the server as a "middle man" of some kind.
member
Activity: 462
Merit: 10
November 07, 2014, 07:30:13 PM
Oh man. I feel sorry for the guy especially living in China. Did you say he was from China? I forget.
hero member
Activity: 732
Merit: 500
Nosce te Ipsum
November 07, 2014, 07:00:04 PM
Looks like the same thing happened to a vendor on one of the many dark markets.


Quote
xxxxx Forums
General Category => Security Discussion => Topic started by: xxxxxxxx on November 02, 2014, 07:09:44 PM

Title: WARNING to all Blockchain wallet users!
Post by: xxxxx on November 02, 2014, 07:09:44 PM

    We just got robbed a really huge amount of BTC straight out of our wallet from blockchain.info

    We don't know how they got access to our wallet and the pw is also really hard, so keep your eyes open if you have coins on a blockchain wallet!!!

Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxxx on November 02, 2014, 07:24:18 PM
    yeah it's a security issue with tor. they can steal your info if they operate a malicious tor exit node. forces you to http instead of https and they get the login and take your coins.

Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 03, 2014, 07:46:40 AM
    Quote from: xxxx on November 03, 2014, 01:44:24 AM

        Wtf this is crazy how can you protect yourself from this?


    Sorry for your coin loss OP, xxxxxx is correct about the method. Tor ships with "HTTPS Everywhere" installed, I don't know how that could be subverted though.

    Regardless, the way to avoid it is by only using Blockchain with a normal clearnet browser.

    But again, ideally you shouldn't be storing any bitcoins on 3rd-party websites to begin with. You're a vendor. Why use blockchain.info at all? Tumble your coins from xxxxx to a private wallet that you control. Electrum, Armory, MultiBit, whatever. Then either hold them there indefinitely, or cash them out in small chunks. When a website like blockchain has your private key, at the end of the day, you don't own those coins, the website does.

Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 03, 2014, 06:35:34 PM
    We used this wallet for years now without any problem (for sure we changed it every 3-4 weeks to a new one), so we had no clue that it is possible to catch our login data. We are now using electrum, really nice, just bad that we discovered it that late.

    So to all other people who are using this BC wallet, be careful, especially when you have a load of coins on it!

    Is there any good and safe way to tumble the coins when sending them out of our electrum wallet? Until now we have done this over the send shared function from BC, but now we are really scared to load up just one penny on the BC site.

Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxxxx on November 03, 2014, 07:20:06 PM
    Quote from: xxxxx on November 03, 2014, 07:46:40 AM

        Quote from: xxxxx on November 03, 2014, 01:44:24 AM

            Wtf this is crazy how can you protect yourself from this?


        Sorry for your coin loss OP, xxxxx is correct about the method. Tor ships with "HTTPS Everywhere" installed, I don't know how that could be subverted though.

        Regardless, the way to avoid it is by only using Blockchain with a normal clearnet browser.

        But again, ideally you shouldn't be storing any bitcoins on 3rd-party websites to begin with. You're a vendor. Why use blockchain.info at all? Tumble your coins from xxxxx to a private wallet that you control. Electrum, Armory, MultiBit, whatever. Then either hold them there indefinitely, or cash them out in small chunks. When a website like blockchain has your private key, at the end of the day, you don't own those coins, the website does.


    maybe it's a javascript exploit and steals the info like that somehow. I know blockchain.info doesn't work without javascript so that would open him up to all kinds of attacks
Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 05, 2014, 05:05:52 AM
    Thanks for that info even though I don't trust them except for maybe a one time throw away wallet rarely. STRANGE that a financial company that deals with the most popular and valuable digital currency....wouldn't re-direct you to the HTTPS site before loading any user data. I believe Firefox has started warning blockchain.info users that the site is trying to permanently store info on your computer...NO THANKS! One of the worst things I've seen that they don't seem to care to fix is you can backup your wallet to Google Drive, Dropbox, or a paper wallet that downloads:

    1. Via un-secured connection
    2. In .PDF format with wallet recovery phrase and QR code that you can print out and scan for quick and easy exit node stealing...I mean backing up.

    What's your preferred wallet? Electrum actually seems good, it only loads a short [recent] history of the blockchain for "current" transactions. I can't imagine having to do a fresh install of the official BTC client with a 30GB blockchain file to download. I think Electrum might be a good BTC client to squeeze into a future [beta?] release of TAILS as long as you always keep your wallet backup in your persistence volume or other storage device.

    For those of you who have a significant amount of money on blockchain.info I would HIGHLY recommend that you add an email address as it will send you an authorization link to your email every time you login. Use an email provider that not only forces SSL connections for login info but session data as well since you would be downloading the email via the web. Choose an email provider wisely...It's tricky because you NEED anonymity/privacy AND reliability/security. You don't want a brand new anonymous email service for this type of account management. I believe a lot of tormail.net users lost access to a lot of accounts because their verification emails were going nowhere...or worse data forensics. email company preventing you from accessing your money because you forgot to backup and can't authorize yourself via email. That being said I believe you can also setup 2-factor auth with SMS text messages, Google Authentication, and YubiKey. Alerts when sending and/or receiving or when your transaction has reached X (1-6) confirmations.

    They offer the ability to have a second password, both of which are required to login, but this will double the encryption on your wallet. If you were going to be using it with a cheap VPN provider then it would resolve a lot of the security issues because there wouldn't be any TOR exit nodes sniffing any data that might be unknowingly transferred in the clear. After taking a deeper look at blockchain.info's site now I see that the data they want to permanently store in your browser is wallet backups. I can't begin to tell you how much it terrifies me of what goes on in the background processes (especially Windows)...Windows so you can have a fully searchable index of everything on your computer. There is a decent computer that I just use for testing stuff and I like to test beta software to see what's ahead...never any personal info & its even on its own network. Installed Windows 10 beta and one of the first things that I notice is all the logging & indexing services and "features" or should I say inconveniences. Basically a lot of Windows 10's features and services won't work without the file/data logging and indexing that THEN must be uploaded to Microsoft's cloud service. You can disable it which made a few inconveniences but nothing I would really get pissed off over. MS like Apple wants you to stay in their eco-system which is closed source, government cooperation....I don't need to go on...They are all really just data miners now but their reasoning is to provide a better experience across multiple platforms. I could choose to sign into each [online] application/service separate but instead you are required for all this data to be on Microsoft servers.

    And now back to blockchain.info's breaking security update...honestly with 2-factor auth working great, and the ability to create an alias blockchain.info/wallet/HackMeIamPoor   but you won't be able to add the alias until you have completed registration and manage your account settings.

    I have a tendency to say a lot because I have strong opinions, so I'll make the summary short.

    Blockchain.info has a good/reliable track record and having an online wallet can have many benefits if you have multiple devices. Since it seems that some data is being sent in the clear I WOULDN'T use them to store/save your bitcoins. While two-factor auth, option to require 2 passwords + have an additional Account Recovery Phrase which can be one word or 255 characters long regardless...we all use TOR and if blockchain doesn't force SSL on everything then they can add every security feature in the world but they'll be the next MT Gox. Never trusted Mt Gox myself. The only thing BC's wallet service is IDEAL for is someone who is either connecting directly or connecting via VPN in addition to the additional pass phrases and 2-factor auth. I didn't mention if you were lets say just a bitcoin trader then you could change your BC.info account settings to block any connections from TOR network and you can also block or allow specific IP addresses or IP ranges if you have a dynamic IP address.


    I won't go into personal setup details, but keep the majority of your coins on a local machine...on the machine of your choice and back up any time there are any transactions for your addresses. "Offline" wallets are a really good option for the BULK of your coins that you don't plan on spending soon...like a savings account it's your bitcoin vault basically. Then you may use one or two online wallet services that are reputable and reliable, it's easy to just create a whole new account a month or two later and "start over" on another wallet, I don't know many people who keep more than a few coins stored in an online wallet. It's main advantage...SPEED and CONVENIENCE the two biggest pitfalls in security. It's quick and easy to login to the website and make a payment from anywhere on virtually any device.

    Wow that was more than I thought I'd have to say, sorry if I wasted time in anyone's life if i repeated myself....I do it sometimes because it must be important.

    What online/offline wallets do you use? How do you use them? Of course, leave out any specific or personal info.

    This also reminds me that using Microsoft's Bitlocker, Apple's FileVault, and [somewhat surprised] TrueCrypt is not safe for archiving your data anymore. YES USE IT, it's better than nothing, but there are people and organizations that have the resources to get every ***BIT*** of data off any device and create a clone of the storage that has to meet specific legal specifications for the court...now thats scary. Most of us as we learned from SR is that most 90-95% of users here would never be targets or pursued it's the admins, developers?, moderators and LARGE SCALE vendors that past events have shown us.

    In that regard the name of the site and not having a bunch of mods/admins/staff etc makes it harder to locate. You don't see much for xxxxx in search engines, as there are too many existing clearnet sites that are about Greece's assemblies and markets that were open freely to anyone. "Open" markets like this may disappear for security reasons or worse being raided. But I've seen that we all learn something each time that has happened, and with an entire customer base with no store to go to it's easy to attract vendors/buyers to your site. But it takes a lot of knowledge and thinking that you at some point won't want to be featured in WIRED magazine or on CNN or even BBC. To me "DPR" made a crucial mistake by having an identity even if its his nick name, book collection listed in a post then that it SOMETHING that they will try to follow in hopes it will lead to something.

    This may seem silly, but I think that each market has to reach a limit considering the limited resources and new technical challenges that have to be solved for growth to continue. I would like to have seen Twitter as an .onion service.....scalability HA. One thought is to have an anonymous/secure communication sent to any of the sites that mention xxxxx as the new SR but bigger to please remove the article or at some point just close down registration. But I am certainly impressed by xxxxx's setup....but at some point as I said before it would be a good idea to let some categories go and focus more on where it's best vendors do biz...in this case drugs....duh. I KNOW the armory was a mistake when I read about it, they gained loads of international media attention. Sure they closed the armory way before SR was raided but it didn't help that the site was described to the US Drug Czar as the Amazon or eBay of illegal drugs and illegal weapons. That's when SR could have some serious vulnerabilities with constant downtime media attention, posting on Dice.com that you are looking to hire web developers that know php, can manage large databases, and be familiar enough with Bitcoin (at it's early stages) that you can develop a wallet, escrow, and mixing systems and services for a large user base using very limited resources....posted via a local ISP IP address and personal account on Dice, or was it LinkedIn? Anyways I have more than caught up on rambling so I believe I'm just going to respond to a few other topics now and see if anyone would like me to post my referral link in that forum lol.


Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 05, 2014, 07:13:20 AM
    Quote from: xxxxxx on November 05, 2014, 05:05:52 AM

        What's your preferred wallet? Electrum actually seems good, it only loads a short [recent] history of the blockchain for "current" transactions.


    I've always used MultiBit, which does the same thing (no full blockchain download). I've never used Electrum, but it's actually probably the better client from what I've read, since you can store wallets deterministically and re-generate them from a 12-word seed. On MultiBit, you have to back up the wallets offline just in case, though I've never had any issues or had to use the backups.

    If a vendor is comfortable enough with the protocol behind bitcoin wallets, generate a bunch of paper wallets and steadily send all your xxxxx/DNM coins to them. No bitcoin client required at all. Then, when you want to cash out a little, pick one of the paper wallets, import the private key into Electrum (or MultiBit), send it through a tumbler, and you're done. For paper wallets, I have an unhealthy fascination with VanityGen (to make wallets like 1oooooDsdWofTUAp5bhveefdfdQFHFGiR or the raffle wallet 1xxxxxZAfLdY3csCcyXC7QJxGB1QgwGjDX), but random-letter paper wallets work just the same.

    "Blockchain.info" never even comes into it. If using paper wallets, just be wary of the notion of change wallet addresses (http://bitzuma.com/posts/five-ways-to-lose-money-with-bitcoin-change-addresses/).

Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 05, 2014, 09:16:12 AM
    Great info guys.
    " I would like to have seen Twitter as an .onion service...."
    Facebook created a hidden service on our little dark web in past few days. details at tor blog.

Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 06, 2014, 06:23:22 PM
    Quote from: xxxxxx on November 03, 2014, 01:44:24 AM

        Wtf this is crazy how can you protect yourself from this?

        just check for https?

        I


    You must use two factor authentication otherwise a malicious exit node operator can sniff out your password.

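The downgrade the quoted warning describes (a malicious exit forcing http instead of https and reading the login) and the point made earlier in this thread that only the exit node sees decrypted traffic, as an added model in Python. It is not part of any post here and is not Tor Project, HTTPS Everywhere or blockchain.info code: the hostname `wallet.example`, the login form, the credentials and the `known_https` set (standing in for an HSTS preload entry or an HTTPS Everywhere rule) are all constructed for the example.

```python
"""Toy model of the exit-node downgrade ("sslstrip") and of why HSTS stops it.
Constructed for illustration; not code from Tor, HTTPS Everywhere or the site."""
import re
from dataclasses import dataclass

HOST = "wallet.example"                       # constructed hostname
ACTION = re.compile(r'action="([^"]+)"')
LOGIN = {"identifier": "wallet-id-constructed", "password": "hunter2", "otp": "123456"}


@dataclass
class Response:
    headers: dict
    body: str


class OriginServer:
    """The real site, reached over TLS.  With hsts=True it sends
    Strict-Transport-Security; the login form always points at https."""
    def __init__(self, hsts: bool):
        self.hsts = hsts

    def get(self, path: str) -> Response:
        headers = {"Strict-Transport-Security": "max-age=31536000"} if self.hsts else {}
        return Response(headers, f'<form action="https://{HOST}/login">')

    def post(self, path: str, form: dict) -> Response:
        return Response({}, "logged in")


class MaliciousExit:
    """Active man-in-the-middle at the Tor exit.  It only gets to work on
    requests the browser sends in plain http."""
    def __init__(self, origin: OriginServer):
        self.origin = origin
        self.captured = []

    def fetch(self, scheme: str, path: str) -> Response:
        resp = self.origin.get(path)              # exit speaks TLS to the origin itself
        if scheme == "https":
            return resp                           # end-to-end TLS: exit sees ciphertext only
        headers = {k: v for k, v in resp.headers.items()
                   if k.lower() != "strict-transport-security"}   # drop the HSTS header
        return Response(headers, resp.body.replace("https://", "http://"))  # rewrite links

    def submit(self, scheme: str, path: str, form: dict) -> Response:
        if scheme == "http":
            self.captured.append(dict(form))      # plaintext identifier, password, OTP
        return self.origin.post(path, form)       # relay so the victim notices nothing


class Browser:
    """`known_https` models an HSTS preload entry or an HTTPS Everywhere rule:
    hosts the browser will only ever contact over https."""
    def __init__(self, exit_node: MaliciousExit, known_https=()):
        self.exit = exit_node
        self.hsts_hosts = set(known_https)

    @staticmethod
    def _split(url: str):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        return scheme, host, "/" + path

    def visit_and_login(self, url: str, form: dict) -> str:
        """Load `url`, then submit `form` to the page's login action.
        Returns the scheme the credentials actually travelled over."""
        scheme, host, path = self._split(url)
        if host in self.hsts_hosts:
            scheme = "https"                      # HSTS: http is upgraded before sending
        resp = self.exit.fetch(scheme, path)
        if scheme == "https" and "Strict-Transport-Security" in resp.headers:
            self.hsts_hosts.add(host)             # the header is honoured only over https
        a_scheme, a_host, a_path = self._split(ACTION.search(resp.body).group(1))
        if a_host in self.hsts_hosts:
            a_scheme = "https"
        self.exit.submit(a_scheme, a_path, form)
        return a_scheme


def simulate(origin_hsts: bool, urls: list, known_https=()):
    """Visit each URL in turn with one browser; return the schemes the login
    used and everything the exit node captured."""
    exit_node = MaliciousExit(OriginServer(origin_hsts))
    browser = Browser(exit_node, known_https)
    schemes = [browser.visit_and_login(u, LOGIN) for u in urls]
    return schemes, exit_node.captured


if __name__ == "__main__":
    print(simulate(False, [f"http://{HOST}/wallet"]))                              # stripped
    print(simulate(True, [f"http://{HOST}/wallet"]))                               # still stripped
    print(simulate(True, [f"https://{HOST}/wallet", f"http://{HOST}/wallet"]))     # HSTS learned
    print(simulate(True, [f"http://{HOST}/wallet"], known_https={HOST}))           # preloaded
```

The runs in the `__main__` block show the caveat behind "I don't know how that could be subverted": HSTS and a ruleset only protect a host the browser already knows must be https. A first contact made over plain http through a hostile exit is stripped, the HSTS header never arrives, and the login form is rewritten to http before the credentials leave the browser; only a host learned from an earlier clean https visit, or carried in a preload list or ruleset, is upgraded before the exit gets a chance.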
member
Activity: 182
Merit: 10
November 07, 2014, 06:11:10 PM
Quote
That's the risk of decentralization...

Yea, I hope in the future it will be safe and commonplace that bitcoin will be considered on par with other currencies. Then maybe banks or other institutions can accept the coins and give insurance.

As the market cap increases, there will be more and more sophisticated attacks.

If somebody ever figures out how a wallet provider is generating their seeds, then everybody is at risk. What about an ASIC for brute forcing the seed creation algorithm? At current computer speeds it is unthinkable, but technology is changing so rapidly it cannot be ruled out.
newbie
Activity: 18
Merit: 0
November 07, 2014, 06:06:08 PM
People are trolling the guy for not taking enough security. It's getting to the point where if you do not have a PhD in computer science then your coins can be hacked... cold wallets are difficult enough to understand even with the correct background.

We need better insurance policies for the regular users. It would be better if there were insurance plans for bitcoins.

When somebody hacks your bank account, the bank gives you back all your money. In this respect the banking system is far superior for large amounts of money.

That's the risk of decentralization...
member
Activity: 182
Merit: 10
November 07, 2014, 06:03:43 PM
People are trolling the guy for not taking enough security. It's getting to the point where if you do not have a PhD in computer science then your coins can be hacked... cold wallets are difficult enough to understand even with the correct background.

We need better insurance policies for the regular users. It would be better if there were insurance plans for bitcoins.

When somebody hacks your bank account, the bank gives you back all your money. In this respect the banking system is far superior for large amounts of money.
legendary
Activity: 1246
Merit: 1011
November 07, 2014, 05:08:56 PM
Sorry mate I'm actually looking to hear from people who know what they're talking about.

1. I don't store coins there. I was just using the service primarily for the shared coin feature.
2. I did use 2FA - read back.
3. Blockchain.info does not have access to one's private keys - they're generated locally, so it is not at risk of an MtGox-type hack.
4. Blockchain.info employs https.

Given all of this info, I want to hear ideas (there have been some helpful suggestions already on this thread) on how I was exploited. I don't want to hear about what I supposedly did wrong, I want to hear what the attacker may have done. It's an investigation.

Hmm...  I'm really not sure about this one.  A more detailed timeline might help.  Did you lose your coins at the moment of the coin-join operation or was it a few hours/days out?