Yet another Bitcoin business is hacked; BitInstant loses $12k in social engineering scam
You may have heard the news by now, but popular Bitcoin payment provider BitInstant was hacked last week. It wasn’t a massive hack like the ones we’ve seen at MyBitcoin or Mt. Gox, so when I first saw it (3 days before Wired’s article) I didn’t see much reason to write about it, but the more I looked at it the more points seemed worth pointing out.
First, the hack was a regular social engineering hack. Really simple stuff.
Over the weekend the BitInstant team has been hard at work securing our system from a sophisticated attack on Thursday evening. Overall, due to major choke points and redundancies in our system, the hacker was only able to walk away with $12,480 USD in BTC, and send them in 3 installments of 333 BTC to bitcoin addresses.
The attacker contacted our domain registrar at Site5 posing as me and using a very similar email address to mine; they did so by proxying through a network owned by a haulage company in the UK who I suspect are innocent victims the same as ourselves. Armed with knowledge of my place of birth and mother’s maiden name alone (both facts easy to locate on the public record), they convinced Site5 staff to add their email address to the account and make it the primary login (this prevented us from deleting it from the account). We immediately realized what was going on, and logged in to change the information back. After changing this info and locking the attacker out, overnight he was able to revert my changes and point our website somewhere else.
After gaining access, they redirected DNS by pointing the nameservers to hetzner.de in Germany; they used Hetzner’s nameservers to redirect traffic to a hosting provider in Ukraine. By doing this, he locked out both my login and Gareth’s login, and they used this to hijack our emails and reset the login for one exchange (VirWox), enabling them to gain access and steal $12,480 USD worth of BTC.
BitInstant is shifting the blame totally onto the host. Never mind the fact that the attacker used real, publicly accessible information from one of the owners’ wide-open Facebook pages; this is totally the host’s fault.
Site5 has since responded.
Security & Social Engineering
This day and age requires us all to be security-conscious – especially when it comes to our identities and our online accounts. To help promote our company goal of open communication, I wanted to share with our customers and non-customers alike a situation that recently occurred.
A customer of ours recently had their account taken over by someone impersonating them. Wired picked up the original story, and in the interest of maintaining openness, I wanted to outline our role in it since we were mentioned.
How did they gain access?
The impersonator gained access to the account because they knew the answers to both of the security questions the customer chose for the account. The impersonator did not gain the knowledge of the personal information from Site5 staff.
Once we are provided correct answers to security questions, the person is considered verified and we will make account modifications as requested. This includes password resets, email address changes, and other changes. As is evident from the articles, this is exactly what transpired.
Our staff followed procedure every step along the way. To reiterate – at no point did we provide the impersonator the answers to the security questions.
It’s a very unfortunate situation, and we absolutely helped our customer as quickly as we could when the issue was reported to us.
Let’s back up a bit here and explain what BitInstant does. BitInstant is one of many ways to convert your Bitcoins to USD and vice versa. They hook into various exchanges such as Mt. Gox and facilitate the conversion faster than many of these exchanges do themselves.
They also take your security super seriously, which is why they have strong language like this on their website:
Encrypt everything, use default deny on all firewalls, lock down ACLs and filesystem access, restrict syscalls on daemon processes and trust nobody. We assume that 24/7, somebody is actively trying to break into our system and is desperate to do so. This assumption assures that in the scenario where the bad guys are not so active our system stands up.
Except if you let the world know your place of birth on your Facebook page.
Going back to the original hack, one key point to make is that even though the attackers got access to their email, multi-factor auth could still have prevented this. BitInstant used multi-factor auth on all their exchanges except one, VirWox, which is used to convert Linden dollars or something. VirWox has had multi-factor auth for a while now; BitInstant simply failed to implement it. Weakest link in the chain and all that.
It also says something when you claim the hacker wasn’t very sophisticated, yet he was still able to make off with $12k of your customers’ money.
Nowhere in that “transparent” blog post, however, does it say how or when the missing money will be replaced, or even whether it belongs to customers in the first place.
Some customers are claiming they are missing money, however.
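The check a defender would want for the chain described in BitInstant’s statement, as an added example that is not BitInstant’s or Site5’s code: a monitor that records the domain’s NS, MX and A answers over time and flags the registrar-level nameserver repoint before the mail and web traffic move. Every name, address and timestamp below is constructed.

```python
# Added example (constructed data, not from the page): detecting a registrar
# account takeover from periodic DNS snapshots of your own domain.
EXPECTED = {
    "NS": {"ns1.registrar.example", "ns2.registrar.example"},
    "MX": {"mail.example.net"},
    "A": {"203.0.113.10"},
}

# Constructed observations: (timestamp, {rtype: [answers]}). The NS set moves
# first (registrar account repointed), then mail and web traffic follow.
OBSERVATIONS = [
    ("20:00", {"NS": ["ns1.registrar.example", "ns2.registrar.example"],
               "MX": ["mail.example.net"], "A": ["203.0.113.10"]}),
    ("21:00", {"NS": ["ns1.other-host.example", "ns2.other-host.example"],
               "MX": ["mail.example.net"], "A": ["203.0.113.10"]}),
    ("22:00", {"NS": ["ns1.other-host.example", "ns2.other-host.example"],
               "MX": ["mx.attacker-host.example"], "A": ["198.51.100.7"]}),
]


def deviations(answers, expected=EXPECTED):
    """Return {rtype: (unexpected, missing)} for each record type whose
    answers differ from the expected set; an empty dict means clean."""
    result = {}
    for rtype, want in expected.items():
        seen = set(answers.get(rtype, ()))
        unexpected, missing = sorted(seen - want), sorted(want - seen)
        if unexpected or missing:
            result[rtype] = (unexpected, missing)
    return result


def scan(observations, expected=EXPECTED):
    """Walk the snapshots in order. Returns (alerts, registrar_pattern):
    alerts is a list of (timestamp, rtype, unexpected, missing); the flag
    is True when the NS set deviates no later than the first A/MX
    deviation, which is the registrar-takeover sequence described above."""
    alerts, first_ns, first_traffic = [], None, None
    for ts, answers in observations:
        for rtype, (unexpected, missing) in deviations(answers, expected).items():
            alerts.append((ts, rtype, unexpected, missing))
            if rtype == "NS" and first_ns is None:
                first_ns = ts
            elif rtype in ("A", "MX") and first_traffic is None:
                first_traffic = ts
    pattern = first_ns is not None and (first_traffic is None or first_ns <= first_traffic)
    return alerts, pattern
```

The first NS alert is the moment to call the registrar, before the email hijack and the exchange password reset that followed it in this incident.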
It’s been almost 6 days and I have yet to see the bitcoins I got from BitInstant. I’m missing over 200 dollars. (self.Bitcoin)
submitted by DucoNihilum