

BitInstant hacked: What and how it happened - moonlighter
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

======
miles
From the comments section of the linked blog post comes this quote
(apparently) from Ben, the CEO at Site5:

 _To be rather blunt you should have better security questions. You should
always put in a custom answer, for example I might use the question mother's
maiden name and then the answer is "L@J-289098=a9jaosdjf" which I keep in an
encrypted text doc or encrypted note in 1Password._

Not a bad point.

~~~
doublec
Maybe Site5 should ask better security questions then. If they want users to
enter what is effectively a password for "Mother's maiden name" they should
just ask for a security password.

~~~
obstacle1
I agree that the true-to-life reminder questions are probably an outdated
model. However there's nothing intrinsically wrong with the maiden name
question. There is no server-side code checking in with your mother or running
her middle name against a federal database, you can enter whatever you want in
the box. Surely people who are savvy enough to be trading in Bitcoin realize
this.

~~~
michaelt

    However there's nothing intrinsically wrong with the maiden name question.

Asking users to enter their mother's maiden name, when you actually think they
certainly shouldn't do that, then blaming your customers for having used their
maiden name, seems like an odd way of doing it.

If mother's maiden name isn't a good enough security question, stop asking it!
And we all know it isn't a good enough security question.

------
downandout
This attack may have been one of the problems, but there is some indication
that BitInstant has deeper financial issues than this post would indicate.
Perhaps a $12K hit would make a site like Bitinstant go silent and not process
most transactions for weeks on end, but if that is the case then they are
woefully underfunded.

<https://bitcointalk.org/index.php?topic=128314.1380>

At various points in this thread, people posted saying the company even
admitted privately to them that they did not have funds to process orders. FYI
their most popular feature, Cash to Bitcoin Address, is still offline -
presumably because they have no Bitcoins to deliver. The only indication that
they have any funds at all is on the home page of Btc-e.com, which indicates
(as of right now) that they have a $475 reserve at the site.

~~~
cdh
I can see that some people have had serious problems with them. For what it's
worth, though, I used their service for the first time last week. It worked
fine, and only took a few moments for them to complete the transaction after I
deposited the cash.

~~~
moonlighter
Same here. I used the Moneygram service at a CVS, and by the time I got home
they had already sent the bitcoins. Great and prompt service. I hope they get
back on their feet soon.

------
vinhboy
Damn, that must be frustrating as hell when a third party fucks you like that.
And why is it always the DNS providers. Shouldn't that entire industry know
they are target #1 by now?

On a tangential note, I hate security questions. I do not understand the need
for them, or how they keep anything secure, when the questions they ask are
always public knowledge.

~~~
signed0
While I agree that they are useless, I don't mind the security questions that
are used to reset one's password, provided that proof of email ownership is
required. These are just a minor nuisance.

The dangerous ones such as this allow someone to use the security questions in
place of your password. These are less secure than if you were to use your
place of birth and address as your password.

Their thought process probably goes something like "we can't have users giving
us their password over the phone, anyone could overhear that and they would
think it is insecure. Let's have them give us something less confidential
instead".

Services like this that require verbal authentication via the telephone should
generate a passphrase and email it to their users upon signup.

~~~
tjoff
So, when signing up, how do you know what the security question is going to be
used for? And how do you know that won't change?

Any service that is sensible enough to give you that information will hardly
make use of "security-questions" in the first place...

------
moocows
So they had Multi Factor Authentication, OTP, and Yubikey all and they still
used his mother's actual maiden name and place of birth. With all of that you
would think they would do what everyone else does or should do on that. !@3f49
for place of birth and Erjsh99 for her maiden name. Using real information is
just a weak point in a weak system.

~~~
smsm42
The problem with the latter would be when you call in and try to convince some
service rep that your mother's name is actually Erjsh99.

~~~
signed0
As long as it matches the name they have on record, why would they care?

~~~
dopamean
They probably shouldn't but I had an instance with an ISP back in the day
where they wouldn't accept my answer to a security question because the answer
was ridiculous. The question was "in what city was your high school?" I put
"Upyourassville." The ISP thought there was a problem and wouldn't accept the
answer. These days I use my grandmother's maiden name as my mother's maiden
name to answer these questions. There are people in my own family who don't
know the answer to that.

------
pseudonym
I have very little sympathy: "Reached Thursday, a VirWox representative said
that the exchange has had multi-factor authentication since September 2012.
“Bitinstant was not using it (they learned and do now),” the representative
said in an email message."

If you're going to intentionally fuck yourself and your customers over by _not_
using _real_ multifactor authentication (not just "a password and some
security questions"), then I don't even know what to say. At this point it's
on par with having a startup and not having any on-call tax or legal guy-- the
inherent ignorance is almost incomprehensible.

------
ecaron
Are there any monitoring services, like Pingdom, that do external 3rd party
auditing of current DNS endpoints for a domain and offer alerting whenever a
change is made?

That service (being external from the registrar or DNS provider) seems sorely
needed by everyone in our industry because this method of attack is starting
to become the standard.

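An added example, not code from the thread or from any service it names, of the kind of external check ecaron is asking for: take a baseline of the record sets that matter (A for the site, MX for mail, NS for the zone itself), re-query them on a schedule, and alert on any difference. The domain names, addresses and the injected resolver are constructed assumptions; the "after" table models an MX record being repointed, the email-redirect scenario MichaelGG mentions later in the thread.

```python
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# Assumption (not from the page): a resolver is any callable
# (name, rrtype) -> set of record strings. A real deployment would wrap
# dnspython or a DNS-over-HTTPS client; here it is injected so the check
# runs offline against constructed data.
Resolver = Callable[[str, str], Set[str]]
Key = Tuple[str, str]
Snapshot = Dict[Key, FrozenSet[str]]

# Record sets worth watching for the (constructed) domain.
WATCHED: List[Key] = [
    ("bitinstant.example", "A"),
    ("bitinstant.example", "MX"),
    ("bitinstant.example", "NS"),
]

def take_snapshot(resolver: Resolver, watched: List[Key]) -> Snapshot:
    """Query every watched record set once and freeze the answers."""
    return {key: frozenset(resolver(*key)) for key in watched}

def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[dict]:
    """One alert per record set whose answers differ from the baseline."""
    alerts = []
    for key, expected in baseline.items():
        observed = current.get(key, frozenset())
        if observed != expected:
            alerts.append({"name": key[0], "type": key[1],
                           "added": sorted(observed - expected),
                           "removed": sorted(expected - observed)})
    return alerts

def table_resolver(table: Dict[Key, Set[str]]) -> Resolver:
    """Offline resolver backed by a static answer table (constructed data)."""
    return lambda name, rtype: set(table.get((name, rtype), ()))

# Constructed baseline using RFC-reserved example names and addresses.
GOOD = {
    ("bitinstant.example", "A"): {"192.0.2.10"},
    ("bitinstant.example", "MX"): {"10 mail.bitinstant.example."},
    ("bitinstant.example", "NS"): {"ns1.site5.example.", "ns2.site5.example."},
}
# Constructed "after" state: only the MX record has been repointed, which is
# enough to receive password-reset mail for every account on the domain.
HIJACKED = dict(GOOD)
HIJACKED[("bitinstant.example", "MX")] = {"10 mx.rogue.example."}

def check(baseline_table=GOOD, current_table=HIJACKED) -> List[dict]:
    """One monitoring run: compare live answers against the stored baseline."""
    baseline = take_snapshot(table_resolver(baseline_table), WATCHED)
    current = take_snapshot(table_resolver(current_table), WATCHED)
    return diff_snapshots(baseline, current)
```

In a real deployment the baseline is stored at setup time and the current snapshot comes from resolvers outside the registrar and DNS host, so a change made through a compromised hosting account still shows up.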
------
n3rdy
A lesson we can take from this is just because they are supposed to be
security questions based on private and personal information, doesn't mean you
should play along.

Why should the answer to where my spouse and I met really be where we met?
Why couldn't my answer be where Lucille Ball met Ricky Ricardo? Why couldn't
my childhood street address be Evergreen Terrace?

Add a layer of security by creating an entirely different alter ego with a
whole history behind it, and use their birthday, maiden name, etc, instead of
what somebody can look up in public records, or find out from people close to
you.

~~~
charlieok
I usually just generate additional random passwords to put in those fields,
and store those in the password manager right alongside the primary password.

Sure it defeats the purpose of those fields as a secondary layer if you should
lose the password (if I lose everything in my password manager I have bigger
problems) but at least an attacker has no more chance of guessing those than
of guessing the primary password.

~~~
mctx
Is there a best practice for keeping a secure copy of one's password manager
database? USB key in a safe? Single use Dropbox with an anonymous email?
Encrypted file container by yubikey?

~~~
hollerith
I humbly suggest leaving it with a friend _but only if the friend understands
security_ sufficiently well, e.g., a competent professional sysadmin.

------
discountgenius
Whatever happened to "Name your own security question?" You used to be able to
do that with many services, but now it seems every service I use forces me to
a small set of easily guessed questions.

A security feature that requires me to lie to maintain its security is NOT a
good security feature.

------
wackerwacker
It all depends on your risk profile as to whether this type of authentication
is sufficient. Sites doing anything remotely involving money are at greater
risk of being hit therefore their security needs to account for this. Putting
passwords on the internet which is equivalent to having details you use for
authentication in public records, would be a bit silly.

I don't buy the argument that a security system you need to lie on is not a
good one. Security is an onion, it comes with many layers you can't assure a
third party service easily so you've got to add layers to that onion, even if
that means being a liar.

That said security is also a trade off with the lowest common denominator -
user.

------
dolphenstein
Site5 have given a response:
[http://www.site5.com/blog/s5/security-and-social-engineering...](http://www.site5.com/blog/s5/security-and-social-engineering/20130307/)

------
mikemoka
The Russian origin of the attack and the perseverance shown by "them" may be a
sign that international organized crime is very much interested in bitcoins
now.

------
throwaway125
Always allow your users to opt out of a security question during signup. Give
them a friendly warning that you won't be able to assist with lost accounts,
but allow them to make that choice.

------
naz
They should get BitInstant added to the HSTS list. It'll prevent attacks like
this.

~~~
MichaelGG
HSTS would not make a difference here. They redirected the DNS for email to
take over the email accounts.

------
felipelalli
ridiculous

