Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNS Hijack Leads To Bitcoin Heist

Posted by timothy on from the don't-make-trouble-nobody-gets-hoit dept.

First time accepted submitter FearTheFez writes "Social Engineering and poor DNS Security lead to a Bitcoin heist worth about $12000. Bitcoin broker Bitinstant was robbed after thieves managed to take over ownership of their domains. While Bitinstant claims that no customers lost any money, without 2 factor authentication all it took was a place of birth and a mothers maiden name to gain access. This looks like poor security from everyone involved."

10 of 126 comments (clear)

  1. Re:Conviction for stealing bitcoins by Zemran · · Score: 5, Insightful

    I do not think that any court or official government body recognizes your television as being a legitimate currency but I can be prosecuted for stealing it. If it has value to the owner, it can be stolen.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  2. Non story by Zemran · · Score: 3, Insightful

    If a standard currency exchange was robbed for $12,000 we would not even read the story. This is a trivial crime and of little interest. It serves more as a warning rather than as a bank robbery story. I hope that those that are concerned learn from this but if this is the crime of the century in the Bitcoin world then they are doing really well.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    1. Re:Non story by ArsenneLupin · · Score: 3, Insightful
      Part of the hack was to exploit the unsecure procedures at the DNS registrar to add a new e-mail address for administering the victim's domain.

      Any other company at the same registrar could fall victim for this, even a bank! And actually many registrars are this unsecure: not so long ago, it was possible to do similar things with just a faxed request with a (faked) signature. Not even necessary to know birth town and mother maiden name.

      So, blaming this on lack of PHP (or other) coding skills of the victim is silly. Blame the insecure DNS registrar.

      What would protect a brick and mortar bank against a similar hack would not be its coding skills, but rather its notoriety: a DNS registrar would hesitate if suddenly somebody asked to add a hotmail e-mail address to a well-known bank's registry information, and would try to confirm this by phoning back the bank during business hours before doing such change.

    2. Re:Non story by Pentium100 · · Score: 2, Insightful

      I pay for everything in cash or debit card, but the card is only for convenience - my salary is wired to the bank account, so to have cash I have to go to an ATM and take it. Also, since I also buy stuff online, I have to have money in my bank account (since I can't pay an online store in cash).

      Bitcoin has some problems though. When I pay in cash, I am physically in the store, I can inspect the item etc and if the store does something wrong, I know where it is and can complain to the authorities. Online purchases are quite risky, since I am not there (maybe not even in the country where the seller is) when I pay - the seller might ship the wrong item or not ship at all and without the added protection of paypal and similar services it would be impossible to prove that the seller did something wrong or reverse the transaction.

      I do lie the anonymity though.

    3. Re:Non story by Pentium100 · · Score: 4, Insightful

      There's nothing stopping you from conducting a Bitcoin transaction in person, aside from the other party needing to hold and/or be able to receive BTC as well.

      Yes, but if the transaction is in person, I might as well use cash. Neither me nor him would need an internet connected device to send/receive money and no need to wait for confirmations.

      One day Bitcoin may be really convenient, but right now it is too much like cash for online use and too much like a wire transfer (or paypal) for in person use.

    4. Re:Non story by athmanb · · Score: 4, Insightful

      One hour? If "ease of use" means to have to wait a full hour for confirmation whether the purchase of your coffee went through or not I think I'd rather use cash...

  3. Re:Conviction for stealing bitcoins by aztracker1 · · Score: 4, Insightful

    It's wire fraud. Nobody needs to recognize the currency to prosecute for that.

    --
    Michael J. Ryan - tracker1.info
  4. Stengthen your security. by MrL0G1C · · Score: 4, Insightful

    Mothers maiden name: 9zimu8sj4q99uf
    Place of birth: wj9awitkj4girc

    If you use real details, you're a fool.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  5. Re:Conviction for stealing bitcoins by MrL0G1C · · Score: 3, Insightful

    I think the court got it wrong, The value inherent in virtual goods is in the price that people are willing to pay for them or would be willing were they on the market. Supply and demand dictates value.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  6. It's a bit of a strawman... by denzacar · · Score: 3, Insightful

    It is not the data that is being stolen. Data is just bits and bytes, kilobytes etc. of ones and zeroes.

    What APPEARS AS being stolen is the information encoded within the data.
    What is actually happening is UNAUTHORIZED ACCESS. Possibly unauthorized dissemination of information, revealing of trade and other secrets etc. IF the information is relayed to a third party.

    It helps if you think of it as a case of early 20th century spying.
    A spy intercepts and reads an enciphered radio transmission - he has the data but no information. Information gets to its intended recipient, clearly not stolen.

    A spy deciphers the transmission - he has access to what he was actually after. The information.
    Information still gets to its intended recipient, still not stolen, BUT - the spy above has also had access to information.

    So far, all that the spy is guilty of is unauthorized access.
    If and when he delivers the information to the third party, then he is guilty of various other things. None of them being stealing.

    You can absolutely steal data. If you steal someone's debit card and buy a bunch of stuff with it, you have stolen data that allowed you to gain access to their bank account. Someone else ends up losing the stolen dollars you used.

    That is not stealing data.
    That is stealing a physical object, a debit card, THEN using it without authorization to gain access to the bank account, THEN stealing the money from the account.
    No data was stolen. No, not even when the money was stolen in the end.
    Data on the card was USED to access the bank account but it was not stolen - the CARD was stolen. And the money.

    Same way you are not stealing the position of the teeth on a key used to open a safe - you are stealing a key.

    Now, making a copy of the card or key - that's unauthorized copying OR just making a copy.
    When you bring a "borrowed" key to a key copying store, the employee is not copying a key without authorization. He is just making a copy.
    YOU are doing the unauthorized copying, but only if there is a specific rule prohibiting access to that key or making copies of it.

    Same with the card.
    Making a copy is unauthorized copying, accessing the account is unauthorized access, stealing money is stealing - but the card or the data were not stolen.
    Money was.

    --
    Mit der Dummheit kämpfen Götter selbst vergebens