Slashdot Mirror


DNS Hijack Leads To Bitcoin Heist

First time accepted submitter FearTheFez writes "Social Engineering and poor DNS Security led to a Bitcoin heist worth about $12000. Bitcoin broker Bitinstant was robbed after thieves managed to take over ownership of their domains. While Bitinstant claims that no customers lost any money, without 2 factor authentication all it took was a place of birth and a mother's maiden name to gain access. This looks like poor security from everyone involved."


  1. The most likely suspect is... by Anonymous Coward · · Score: 5, Funny

    Bitinstant's mother. She knows both her maiden name and his birthdate, probably.

  2. Re:Conviction for stealing bitcoins by Zemran · · Score: 5, Insightful

    I do not think that any court or official government body recognizes your television as being a legitimate currency but I can be prosecuted for stealing it. If it has value to the owner, it can be stolen.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  3. Re:Conviction for stealing bitcoins by HairyNevus · · Score: 3, Informative

    Lamps, dog food, and records aren't currency, but if someone broke into your house and stole them from you it would still be a crime.

    --
    You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
  4. Non story by Zemran · · Score: 3, Insightful

    If a standard currency exchange was robbed for $12,000 we would not even read the story. This is a trivial crime and of little interest. It serves more as a warning rather than as a bank robbery story. I hope that those that are concerned learn from this but if this is the crime of the century in the Bitcoin world then they are doing really well.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    1. Re:Non story by Anonymous Coward · · Score: 2

      On the other hand, if standard banking websites were created by rube PHP coderz and buttards who can't secure their domain, it would be major news.

      Bitcoin is still mostly underground, and therefore the community is full of incompetents, phonies, and scammers. Goes with the territory.

      captcha: superego

    2. Re:Non story by mkraft · · Score: 5, Interesting

      If a standard currency exchange was robbed for $12,000 we would not even read the story. This is a trivial crime and of little interest. It serves more as a warning rather than as a bank robbery story. I hope that those that are concerned learn from this but if this is the crime of the century in the Bitcoin world then they are doing really well.

      No, the Bitcoin crime of the century was last year when the same server was hacked twice, to a tune of several hundred thousand dollars, as mentioned in TFA. Bitcoin hacks are becoming more and more common, so it's only a matter of time before that amount is surpassed.

      Personally I don't see the point of bitcoins. I don't pay for everything in cash in the real world because it lacks the protections that other payment methods have. I don't see a reason to use a digital equivalent of cash in the online world. Bitcoins' anonymity might be its biggest strength, but it's also its biggest weakness.

    3. Re:Non story by ArsenneLupin · · Score: 3, Insightful
      Part of the hack was to exploit the unsecure procedures at the DNS registrar to add a new e-mail address for administering the victim's domain.

      Any other company at the same registrar could fall victim to this, even a bank! And actually many registrars are this insecure: not so long ago, it was possible to do similar things with just a faxed request with a (faked) signature. Not even necessary to know birth town and mother's maiden name.

      So, blaming this on lack of PHP (or other) coding skills of the victim is silly. Blame the insecure DNS registrar.

      What would protect a brick and mortar bank against a similar hack would not be its coding skills, but rather its notoriety: a DNS registrar would hesitate if suddenly somebody asked to add a hotmail e-mail address to a well-known bank's registry information, and would try to confirm this by phoning back the bank during business hours before doing such change.

    4. Re:Non story by Pentium100 · · Score: 2, Insightful

      I pay for everything in cash or debit card, but the card is only for convenience - my salary is wired to the bank account, so to have cash I have to go to an ATM and take it. Also, since I also buy stuff online, I have to have money in my bank account (since I can't pay an online store in cash).

      Bitcoin has some problems though. When I pay in cash, I am physically in the store, I can inspect the item etc and if the store does something wrong, I know where it is and can complain to the authorities. Online purchases are quite risky, since I am not there (maybe not even in the country where the seller is) when I pay - the seller might ship the wrong item or not ship at all and without the added protection of paypal and similar services it would be impossible to prove that the seller did something wrong or reverse the transaction.

      I do like the anonymity though.

    5. Re:Non story by philip.paradis · · Score: 4, Informative

      There's nothing stopping you from conducting a Bitcoin transaction in person, aside from the other party needing to hold and/or be able to receive BTC as well. For the holding part, new solutions providers such as Coinbase are starting to focus on merchant gateway style solutions. Progress is being made.

      --
      Write failed: Broken pipe
    6. Re:Non story by Pentium100 · · Score: 4, Insightful

      There's nothing stopping you from conducting a Bitcoin transaction in person, aside from the other party needing to hold and/or be able to receive BTC as well.

      Yes, but if the transaction is in person, I might as well use cash. Neither I nor he would need an internet connected device to send/receive money, and there would be no need to wait for confirmations.

      One day Bitcoin may be really convenient, but right now it is too much like cash for online use and too much like a wire transfer (or paypal) for in person use.

    7. Re:Non story by Sam+H · · Score: 2

      Oh, so you don’t believe the Bitcoin crime of the century was pirateat40’s BS&T going away with 500,000 BTC, that are now valued at about 20 million dollars?

      --
      God, root, what is difference ?
    8. Re:Non story by philip.paradis · · Score: 3, Informative

      I think you're missing some of the benefits of BTC-based transactions. First, they're rather difficult to forge by virtue of reliance upon math for integrity verification. The same can't be said of cash, and the average man on the street would be hard pressed to discern half decent counterfeit paper currency from the real deal. While this particular example may represent a corner case for some, I happen to know two people who have been defrauded with counterfeit currency.

      Second, Internet connected devices are everywhere. It's getting rather hard to find people without basic web access via a smart-ish phone in many areas, and full fledged BTC apps are popping up for those with anything fairly modern in terms of radio handsets. I wouldn't be terribly shocked to find devices that cater to simple apps and BTC transactions popping up in developing areas in the near future either.

      With respect to waiting for confirmation, most transactions are verified on the BTC network within one hour. If you're willing to pay a small transaction fee to the network, verification can come more quickly. As a side effect of this state of affairs, you might just gain the benefit of meeting up with your transactional counterpart at a coffee house and having a tasty beverage. I call that an excuse to take a break, and welcome it.

      --
      Write failed: Broken pipe
    9. Re:Non story by TsuruchiBrian · · Score: 2

      If you are talking about credit cards, that is completely different. You still have to pay off your credit card somehow.

      If you are talking about something linked to a bank account (e.g. like a debit card), then it is similar to paying with bitcoin.

      The difference is not in how you pay but how the money is stored. If your money is stored in a US bank account, it can easily be seized by anyone with enough authority. The US government freezes people's bank accounts regularly. If you bury US dollars in your back yard, the US government can just create more US dollars, devaluing your money without your consent.

      Bitcoin is like the digital version of gold. The US government can't arbitrarily decide to print more gold. Gold actually requires resources to find, and it's getting harder to find every day. There is a finite amount of gold on the earth. Unlike gold, bitcoin is easy to manage, through digital transactions.

    10. Re:Non story by athmanb · · Score: 4, Insightful

      One hour? If "ease of use" means to have to wait a full hour for confirmation whether the purchase of your coffee went through or not I think I'd rather use cash...

    11. Re:Non story by philip.paradis · · Score: 2

      Depending of course upon the physical stage for the transaction, the verification period may indeed be a rote formality, more importantly if you've dealt with the other party to the transaction before and most importantly if you plan on dealing with that party again (which represents the very foundation of "credit" ala reputation in economic systems). Again, it's also easy to drastically accelerate the verification time by paying a small transaction fee to the network for processing it. I'd also encourage you to think in more flexible terms such as stored value purchase devices; to use a common example, Starbucks cards let you buy goods from Starbucks. The retailer can set an arbitrary minimum balance on the retail stored value account, at which point verification time means nothing. Especially coupled with additional fiscal and social rewards for utilizing such payments vehicles, the transaction verification time to load the stored value device with credits is removed as a significant factor in the relationship.

      --
      Write failed: Broken pipe
    12. Re:Non story by IamTheRealMike · · Score: 2, Interesting

      The DNS registrar actually spoke about this incident publicly - it turns out that there was no social engineering, BitInstant just selected dumb security questions/answers when they registered the domain name. It's poor security on BitInstants part, no more or less.

    13. Re:Non story by rvw · · Score: 2

      Part of the hack was to exploit the unsecure procedures at the DNS registrar to add a new e-mail address for administering the victim's domain.

      Any other company at the same registrar could fall victim to this, even a bank! And actually many registrars are this insecure: not so long ago, it was possible to do similar things with just a faxed request with a (faked) signature. Not even necessary to know birth town and mother's maiden name.

      We had this at our company last year. Someone hacked into our account at the DNS provider, changed the DNS for the mail of one domain, then used that to request a new password for our Amazon EC2 account, which had two-factor login. They called Amazon, which disabled the two-factor login, after which they could take over the Amazon account. It took us two days to gain full control back over the account, as Amazon was unable to log them out. The DNS provider didn't give any good explanation about how this was possible. Amazon said they would discuss it and change policy, but did they? I don't know.

    14. Re:Non story by mysticalreaper · · Score: 2

      BitInstant just selected dumb security questions/answers when they registered the domain name.

      Wait, were the questions dumb, or the answers?

      Allowing your clients to select dumb, insecure questions means that you have an optionally secure registration platform, which requires your customers to be competent about security.

      To me, this kind of incident points out the need for a more expensive, higher security registrar, who designs systems which are very hard to subvert. Till now, DNS registrars have competed on price. This story says that security is important too, especially when control of the domain leads directly to cash money.

  5. So what can you buy with bitcoins? by Seumas · · Score: 2

    I've heard a few people with bitcoins complaining about how they can't do anything with them and they're locked in. Apparently there's an online store that catalogs all the stuff you can buy all over the place, with bitcoins . . . and it looked to me like the kind of shitty collection of stuff you'd expect at a flea market. High priced low-end windows laptops and speaker wire and shampoo and shit.

    1. Re:So what can you buy with bitcoins? by Anonymous Coward · · Score: 3, Interesting

      yelling filter blablablabla but the point is,

      The point is that anyone who answers stereotypical "security" questions with factual information is a complete and utter moron.

      My mother's maiden name is Banana. My favorite color is Jupiter Capitolinus. My first car was Abraham Lincoln. Come at me, Facebook Data Scrapers.

  6. what, only 300 BTC ? by Janek+Kozicki · · Score: 3, Interesting

    You talk here about a theft worth only 300 BTC, or $12,000.

    Well, I can only conclude that overall BTC security maybe has improved. Recall previous thefts worth 25,000 BTC or $500,000 (at that time), or 18,547 BTC or $87,000 (at that time).

    Why such a conclusion? Well, if those evil people started to go after such a low-profile target, it *can* mean that all high profile targets have adequate security.

    --
    #
    #\ @ ? Colonize Mars
    #
    1. Re:what, only 300 BTC ? by Janek+Kozicki · · Score: 2

      Bitcoin is in many more aspects like gold than you would initially expect.

      How would you "disable" stolen gold bars? Theoretically there are ways to mark gold using rare gold isotopes, so that even smelting will not destroy the signature. But this is not practical - it would require an isotope detector at every place that trades even the smallest amounts of gold.

      With bitcoin it is similar. In fact all bitcoins are already marked separately, and can be precisely tracked, but tracking only stolen ones (even if we reach an agreement on how to decide if they are indeed stolen) is simply not practical - everyone using bitcoins would need to download (and update frequently) a centralized blacklist of stolen bitcoins and refuse to process them. Sounds familiar? So this approach would clearly break one of the main strengths of bitcoin: decentralization.

      --
      #
      #\ @ ? Colonize Mars
      #
  7. Re:Conviction for stealing bitcoins by aztracker1 · · Score: 4, Insightful

    It's wire fraud. Nobody needs to recognize the currency to prosecute for that.

    --
    Michael J. Ryan - tracker1.info
  8. Re:Conviction for stealing bitcoins by Troed · · Score: 4, Informative

    The court ruled that:

    *) Virtual items have value by virtue of the effort and time invested in obtaining them
    *) The value in Virtual items is recognised by those that play the game (including the defendants who went to the trouble to take them)
    *) The Virtual items were under the exclusive control of the player – who was relieved of this control

    The court made reference to cases of electricity theft which is a similar intangible good but certainly has properties of power and control, and consequently can be stolen.

    http://www.virtualpolicy.net/runescape-theft-dutch-supreme-court-decision.html

  9. Re:Conviction for stealing bitcoins by TsuruchiBrian · · Score: 5, Informative

    Bitcoins aren't data per se. A person's private key for their bitcoin wallet that is used to transfer ownership of bitcoins is data. It's just a long number. The proof of work used to establish a bitcoin is data. The transaction history of each bitcoin is data.

    A bitcoin is more than just the data underlying it. There are many thousands of copies of each bitcoin, but at any given time only one person has the authority to transfer a bitcoin to someone else.

    A bitcoin itself cannot be copied. To copy a bitcoin would mean copying its ability to be spent (allowing it to be spent twice). This would ruin any currency. And much of the design of bitcoin is prevention of double spending.

    This is similar to how xeroxing your bank statement doesn't double the amount of money you have in the bank.

  10. Re:Conviction for stealing bitcoins by osu-neko · · Score: 2

    If someone steals your car in the night, you find no car in your driveway in the morning. If someone steals your television, you have nothing to watch this evening. If someone steals anything, the stolen item is no longer in your possession: that's what stealing is.

    In your example, the money was stolen. The data, however, was not.

    --
    "Convictions are more dangerous enemies of truth than lies."
  11. Re:Serial numbers? by icebraining · · Score: 2

    Not exactly; Bitcoins themselves don't have numbers and aren't numbers, they're just an amount.

    The Bitcoin protocol is essentially a ledger. In order to take some bitcoins from an account, you need to identify where they came from (the previous transaction crediting that account).

    So, transactions have hashes, but coins themselves don't; they're just amounts that get transferred.
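The ledger model described in this comment and in TsuruchiBrian's comment above (transactions have hashes, coins are just amounts, and the design prevents double spending) as a toy in code. This is an added example, not code from the thread or from the Bitcoin project: ownership is a plain owner string instead of a key signature, and a "coinbase" call stands in for a mined block reward.

```python
import hashlib
import json

# Added example: a minimal UTXO-style ledger. A transaction spends outputs of
# earlier transactions (identified by the earlier txid plus an output index)
# and creates new outputs that are nothing more than an amount and an owner.
# Ownership is modelled by an owner string, not by real key signatures.

class DoubleSpend(Exception):
    """Raised when a transaction tries to spend an output that is not unspent."""

def txid(tx):
    """Hash of the canonical JSON encoding: transactions have hashes, coins do not."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.utxo = {}    # (txid, index) -> {"owner": str, "amount": int}
        self.height = 0   # makes each coinbase transaction unique

    def coinbase(self, owner, amount):
        """Create new value out of thin air (stands in for a block reward)."""
        self.height += 1
        tx = {"height": self.height, "inputs": [],
              "outputs": [{"owner": owner, "amount": amount}]}
        return self._apply(tx)

    def transfer(self, spender, inputs, outputs):
        """Spend unspent outputs controlled by `spender`, creating new outputs."""
        refs = [tuple(i) for i in inputs]
        if len(set(refs)) != len(refs):
            raise DoubleSpend("the same output is listed twice in one transaction")
        total_in = 0
        for ref in refs:
            prev = self.utxo.get(ref)
            if prev is None:
                raise DoubleSpend(f"output {ref} is already spent or never existed")
            if prev["owner"] != spender:
                raise PermissionError(f"{spender} does not control output {ref}")
            total_in += prev["amount"]
        if sum(o["amount"] for o in outputs) > total_in:
            raise ValueError("outputs exceed inputs")
        return self._apply({"inputs": [list(r) for r in refs], "outputs": outputs})

    def _apply(self, tx):
        tid = txid(tx)
        for ref in tx["inputs"]:
            del self.utxo[tuple(ref)]   # consuming the input is what blocks reuse
        for idx, out in enumerate(tx["outputs"]):
            self.utxo[(tid, idx)] = dict(out)
        return tid

    def balance(self, owner):
        return sum(o["amount"] for o in self.utxo.values() if o["owner"] == owner)

def demo():
    """Alice mines 50, pays Bob 30 with 20 change, then tries to spend the same output again."""
    ledger = Ledger()
    t0 = ledger.coinbase("alice", 50)
    ledger.transfer("alice", [(t0, 0)],
                    [{"owner": "bob", "amount": 30}, {"owner": "alice", "amount": 20}])
    try:
        ledger.transfer("alice", [(t0, 0)], [{"owner": "carol", "amount": 50}])
        rejected = False
    except DoubleSpend:
        rejected = True
    return ledger.balance("alice"), ledger.balance("bob"), rejected
```

The second `transfer` fails because the output `(t0, 0)` was removed from the unspent set when the first transfer consumed it, which is the whole double-spend defence in this model.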

  12. Re:what the? by Chrisq · · Score: 2

    Do people really use this stuff in place of real money? I'll keep my real cash thanks... And as the world's currencies (particularly the dollar) are being intentionally devalued, I'll hang on to my precious metals.

    Hey is that you Ebenezer Scrooge?

  13. Strengthen your security. by MrL0G1C · · Score: 4, Insightful

    Mother's maiden name: 9zimu8sj4q99uf
    Place of birth: wj9awitkj4girc

    If you use real details, you're a fool.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  14. Re:Conviction for stealing bitcoins by MrL0G1C · · Score: 3, Insightful

    I think the court got it wrong. The value inherent in virtual goods is in the price that people are willing to pay for them, or would be willing to pay were they on the market. Supply and demand dictates value.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  15. crime doesn't pay by PopeRatzo · · Score: 4, Funny

    One of the thieves was later seen at the racetrack, trying to put down 1024 bitcoins on a horse in the third race.

    He was apprehended and later sentenced to 10 years of ridicule without possibility of parole.

    --
    You are welcome on my lawn.
  16. Re:Conviction for stealing bitcoins by raymorris · · Score: 2

    Supply and demand dictates value.

    The court's 1) is supply and 2) is demand.

  17. It's a bit of a strawman... by denzacar · · Score: 3, Insightful

    It is not the data that is being stolen. Data is just bits and bytes, kilobytes etc. of ones and zeroes.

    What APPEARS AS being stolen is the information encoded within the data.
    What is actually happening is UNAUTHORIZED ACCESS. Possibly unauthorized dissemination of information, revealing of trade and other secrets etc. IF the information is relayed to a third party.

    It helps if you think of it as a case of early 20th century spying.
    A spy intercepts and reads an enciphered radio transmission - he has the data but no information. Information gets to its intended recipient, clearly not stolen.

    A spy deciphers the transmission - he has access to what he was actually after. The information.
    Information still gets to its intended recipient, still not stolen, BUT - the spy above has also had access to information.

    So far, all that the spy is guilty of is unauthorized access.
    If and when he delivers the information to the third party, then he is guilty of various other things. None of them being stealing.

    You can absolutely steal data. If you steal someone's debit card and buy a bunch of stuff with it, you have stolen data that allowed you to gain access to their bank account. Someone else ends up losing the stolen dollars you used.

    That is not stealing data.
    That is stealing a physical object, a debit card, THEN using it without authorization to gain access to the bank account, THEN stealing the money from the account.
    No data was stolen. No, not even when the money was stolen in the end.
    Data on the card was USED to access the bank account but it was not stolen - the CARD was stolen. And the money.

    Same way you are not stealing the position of the teeth on a key used to open a safe - you are stealing a key.

    Now, making a copy of the card or key - that's unauthorized copying OR just making a copy.
    When you bring a "borrowed" key to a key copying store, the employee is not copying a key without authorization. He is just making a copy.
    YOU are doing the unauthorized copying, but only if there is a specific rule prohibiting access to that key or making copies of it.

    Same with the card.
    Making a copy is unauthorized copying, accessing the account is unauthorized access, stealing money is stealing - but the card or the data were not stolen.
    Money was.

    --
    Against stupidity the gods themselves contend in vain