Hackers Pull Off $12,000 Bitcoin Heist - doublextremevil
http://www.wired.com/wiredenterprise/2013/03/digital-thieves-pull-off-12000-bitcoin-heist/

======
fomojola
I'm curious why people still use their actual mother's maiden name for the
answer for security questions: I just make something up and write it down on a
piece of paper or store it in an encrypted file. It means I have to look it up
to confirm my identity, but all in all I think that's worth it to eliminate
the break-in risk (you do have the occasional odd conversation where you have
to explain to a service rep "No, my mother's maiden name isn't really 'Winter
is coming'").

------
qwertzlcoatl
Less a hack, more social engineering. It was not an intrusion of cryptography
or computer systems, it was an intrusion of people.

~~~
dagw
Social engineering has traditionally always been a key part of the black hat
hackers' toolbox. If you, for example, read issues of Phreak magazine from back
in the day, you'll find many articles about social engineering next to the
articles about crypto and technical details of phone and computer systems.

------
leethax0r
Can someone post a mirror? Wired.com is blocked where I am.

Or even just post the text as a comment. Thanks.

~~~
purpl3p3rs0n
[http://viewtext.org/article?url=http%3A%2F%2Fwww.wired.com%2...](http://viewtext.org/article?url=http%3A%2F%2Fwww.wired.com%2Fwiredenterprise%2F2013%2F03%2Fdigital-thieves-pull-off-12000-bitcoin-heist%2F&format=)

------
mahmud
I think the bar for "heist" keeps getting lowered.

~~~
csense
What about the bar for "hacker"?

You don't really need technical skills to convince a service provider to give
you access you shouldn't have, when the original signup's security answer was
publicly available information.

This attack vector was exactly how Sarah Palin's Yahoo mail account was
"hacked" in the 2008 presidential campaign. So you'd think people would be
more careful nowadays...

~~~
xyzzy123
Good question...

It's interesting to me, because "socialing" DNS and other providers generally
isn't in-scope during pentesting.

Would be interested to know if there are any pentesters / firms who have this
in their "standard" methodology, for webapp or external network testing.

------
rmc
Bitcoin: Security amateur hour. The bitcoin community really is amateurs.