Board: Bitcoin Discussion
Re: BREAKING: Atlanta based Bitcoin giant BitPay hacked for nearly $2,000,000!
by DavidBAL on 23/09/2015, 05:22:49 UTC
A good case for 2-factor authorization on your email as well as your bitcoin accounts, as well as a text/email alert system for activity on your account.  I'm a little surprised the heads of the company didn't have text messages being sent to them for any transfers over a certain amount.  

In fact, this is an excellent case for multi-factor authentication and multi-signature, combined, to be implemented.

Example below as to how such could've been used to thwart the successful ~$1.8M phishing attempts if they had been in place:

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the above transaction, please wait at least one hour before playing again.

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the last two transactions, please wait an additional at-least twelve hours before playing again.



MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 3,000 BTC transfer: Tony
Sign if you approve this 3,000 BTC transfer: Stephen
Sign if you approve this 3,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to having the combined MFA and MS in place, a phishing attempt was almost halted in its tracks. Thanks for playing. Enjoy the rest of your Break-away Friday.


I like it phin. Perfect way to avoid a hack. Other variations exist but this is pretty comprehensive other than an actual token key each person could have to sign/verify they are who they are in the confirmation process.

My outline works when you include the secret handshake and wiggle your ears.

In case anybody missed it, a two- or multi-factor authentication and multi-signature wouldn't have worked to thwart the phishing attempt, especially the latter since all parties (not Alice and Bob) were already in agreement when sending the moneys.

Here's a question: Which one of the three (Tony, Stephen, or Bryan) wouldn't pick up the phone to make a call to verify after a loved one who just supposedly emailed them requested a mere $1,000 USD? I'll make it simple for you: All three would make the call. But, we're led to believe that not a one of them had the same exact foresight to pick up a phone upon an ~$1.8M USD payment request spread out over two days in three payments.

Here's another question: How did SecondMarket know for sure that the request from BitPay was genuine? Either SecondMarket didn't have any defense mechanisms in place, or the person making the call from BitPay had to jump through hoops to get the requested moneys, but not once thought about using the same, or a similar procedure to verify what's requested of them, of which was of a higher BTC/$ amount.

If you've been boiling water for years sans a lid, but for the first time notice some dude using a lid whereupon his water boils faster, as a college grad you'll be inclined to start using a lid yourself from that moment forward as opposed to ignoring what you just witnessed the competition doing.

One final question: Since a crime was committed, was a police report filed or just an insurance claim?
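The outline earlier in the thread, replayed as a policy check (added example, not code from any poster or from BitPay; the signer names, timings and thresholds are constructed, and the callback rule is an assumption modelling the phone call the reply above argues nobody made): with only signatures and a cooldown, all three requests pass once the same three people sign, whereas a rule requiring an independent callback above a threshold refuses them until that call has actually been made.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Signer set from the thread's outline: any 3 of these 5 must sign (constructed).
SIGNERS: Set[str] = {"Tony", "Stephen", "Bryan", "Alice", "Bob"}

@dataclass
class Policy:
    threshold: int = 3                           # M in M-of-N
    btc_per_cooldown_hour: float = 1000.0        # constructed: 1 h of cooldown per 1,000 BTC moved
    callback_above_btc: Optional[float] = None   # None: no out-of-band callback rule (assumption)

@dataclass
class Ledger:
    cooldown_until_h: float = 0.0                # simulated clock, in hours
    history: List[Tuple[float, float]] = field(default_factory=list)

def evaluate(policy: Policy, ledger: Ledger, amount_btc: float, approvals: Set[str],
             now_h: float, callback_ok: bool = False) -> Tuple[bool, str]:
    """Decide one transfer request; the ledger is updated only when it is accepted."""
    valid = approvals & SIGNERS
    if len(valid) < policy.threshold:
        return False, f"need {policy.threshold} signatures, got {len(valid)}"
    if now_h < ledger.cooldown_until_h:
        return False, f"cooldown in force until h={ledger.cooldown_until_h}"
    # The callback check is independent of the signatures: the same phished
    # signers can sign, but cannot substitute for a verification call.
    if (policy.callback_above_btc is not None
            and amount_btc > policy.callback_above_btc and not callback_ok):
        return False, "independent callback confirmation required"
    ledger.cooldown_until_h = now_h + amount_btc / policy.btc_per_cooldown_hour
    ledger.history.append((now_h, amount_btc))
    return True, "accepted"

def run_outline(policy: Policy, callback_ok: bool = False) -> List[Tuple[bool, str]]:
    """Replay the outline's three transfers with constructed timings (hours)."""
    ledger = Ledger()
    signed_by = {"Tony", "Stephen", "Bryan"}      # the three who signed every request
    requests = [(0.0, 1000.0), (1.0, 1000.0), (13.0, 3000.0)]
    return [evaluate(policy, ledger, amt, signed_by, t, callback_ok) for t, amt in requests]

if __name__ == "__main__":
    for label, pol in [("signatures + cooldown", Policy()),
                       ("plus callback rule", Policy(callback_above_btc=100.0))]:
        print(label, [ok for ok, _ in run_outline(pol)])
```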

Police report - it's an active investigation involving multiple law enforcement agencies. I could answer most of these questions but at this point it is unwise considering the ongoing lawsuit. Look forward to sharing more later when the dust settles... as much as I enjoy the entertainment in this thread there is zero basis for any of it. This incident should be taken as a wake-up call to all bitcoin startups that highly skilled groups of hackers are actively stalking you, and will go to extreme lengths, working for months around the clock, to exploit your systems. And to be clear, 2-factor is not good enough.