

Bitcoin Bank Closes after $600,000 Theft - samatman
http://www.bbc.com/news/business-26446142

======
JumpCrisscross
> _Flexcoin was attacked and robbed of all coins in the hot wallet. 'As
> Flexcoin does not have the resources, assets, or otherwise to come back from
> this loss, we are closing our doors immediately.'_

Traders have a concept called value at risk (VaR). VaR can tell a trader the
most they are likely to lose over a given time horizon for a given probability
[1]. For example, a 1% daily VaR of $10 million means a portfolio will lose
more than $10 million 1% of the time (or every 100 trading days). VaR helps
instruct (a) traders to reduce their risk and (b) corporate treasuries to hold
enough liquidity.

The Bitcoin economy is rife with theft and fraud. This is a risk to be
managed. Losing one's hot wallet should never be a lethal blow. If hot wallets
comprise an unsurvivable fraction of one's capital (a) reduce the hot wallets'
sizes or (b) increase your capital.

Will either of these divert steam from growth and profitability? Yes - that is
the price of prudence.

[1]
[http://en.wikipedia.org/wiki/Value_at_risk](http://en.wikipedia.org/wiki/Value_at_risk)

~~~
bertil
You are having a banker’s response, i.e. someone who is used to having a
currency guaranteed by a sovereign government and enforced by the rule of law.

> The Bitcoin economy is rife with theft and fraud. This is a risk to be
> managed.

Nope, it is a PR nightmare that no technicality will get you out of.
‘Malleability bug’, combined with an obnoxious foreigner in an exotic country
was James-Bondian enough to get over people’s heads. Most people still don’t
understand what a browser does; their best understanding of cryptography is
that they shouldn’t use their pet’s name for their password because it doesn’t
include a number; their current level of confusion is such that even the BBC
(the smartest media there is) still illustrates its papers with golden doubloons
engraved with a sticked B — and you can tell it’s digital because those are
iridescent. BitCoin was beyond a tough sell to begin with; now you have three
unresolved, unexplainable if they were resolved, impossible to repair if they
were explained hacks, each involving more money than anyone can ever expect to
have. It doesn’t matter that ‘hot wallet’ is marginal, transactional or what
you want to call it: even the simplest explanation that it was “‘orders of
magnitude’ less than MtGox” is still a cop out. The current perception is
that whoever will end up keeping your BitCoin is anyone technically savvier
than you.

You might like that idea because you trust your own skill-set (risk-assessment
and mitigation, I’d say from your comment, not crypto); that’s not the case of
hardly anyone, certainly not the people whom you are trying to convince to
adopt. Even if you pushed them to consider it, I can’t imagine any actuary
seriously pricing the risk of getting it all gone, and only making sense of it
far too late, not with the systemic odds on computer security that we had
recently: a year of unweaving an industrial-spying complex gone loose, major to
the point of being obviously intentional SSL breaches at every level of every
OS, even things as inspiring as brick-and-mortar Targets now get attacked
digitally.

Underestimating economic risk because you exclude financial systemic crisis
was one huge mistake; I can’t imagine anyone would jump to the occasion of
doing that at an even more obvious level now.

Your explanations have as much chance saving BitCoin as I had stopping the War
on Terror by pointing out on September 20, 2001 that lives were actually saved
because the reduced traffic and activity after 9/11 meant less road and work
accidents, and that all these people falling in smoking rubble, that was
demographics as usual. What is needed now is a compelling case of justice and
the rule of law.

~~~
ryanjshaw
I'm having a hard time following your argument.

PR: With no evidence to support your claim that this is a nightmare, I believe
you're overstating the situation. The current BPI/Winkdex/etc. values show
there are plenty of people still quite confident in the Bitcoin system.

Risk management: Consider parent's option (a) again: there is no intrinsic
reason Bitcoin-based services can't reduce their hot wallet size down to zero
and send _all_ settlement through a human review process. The "hot/cold
wallet" design is a _choice_ that many naive but greedy people are choosing in
building their Bitcoin-based systems but it is not the only choice. In banks
you usually only STP low-value, low-risk transactions; in the current breed of
Bitcoin-based systems, it would appear that system designers are naively STPing
everything. There is no evidence I have seen to suggest that Bitcoin-based
systems _intrinsically_ cannot manage risk properly (this is obvious when you
simply consider that the majority of coins have not been stolen).

Regulation: There is some kind of strange unstated assumption on HN that
regulation magically makes banking safe all by itself, and until that
regulation is in place Bitcoin-based systems cannot be safe or effectively
risk managed. With the exception of insured deposits, which is a question of
policy and time rather than strictly a matter of regulation, there is no
reason that Bitcoin-based services can't proactively implement policies that
the banking world is required to implement by law (AML/KYC rules, auditing,
active risk monitoring, human review in settlement, etc.) Using a service that
doesn't implement these policies is a risky choice (and yes, I believe many
Bitcoin supporters will probably have to change their opinions about e.g.
identity verification if they want to see Bitcoin survive and succeed).

Before anybody makes assumptions: I do not have an opinion about whether
Bitcoin will succeed or not. I do think the underlying technology and
possibilities are being unfairly stigmatised by critics' generalizations of
the inadequacies in implementations of current Bitcoin-based systems.

~~~
mcv
> There is some kind of strange unstated assumption on HN that regulation
> magically makes banking safe all by itself, and until that regulation is in
> place Bitcoin-based systems cannot be safe or effectively risk managed.

Magically? No, that's not how regulation works. It takes a lot of work and
diligence. But if done right, it will make it safer. If a regulator with
sufficient authority had audited MtGox, it would have been closed down a long
time ago, and people wouldn't have lost remotely as much money. Without it,
bitcoin users are at the mercy of a bunch of utter amateurs.

~~~
ryanjshaw
> If a regulator with sufficient authority had audited MtGox, it would have
> been closed down a long time ago, and people wouldn't have lost remotely as
> much money.

You state this as though it was the only option people had available for not
losing money.

> Without it, bitcoin users are at the mercy of a bunch of utter amateurs.

This statement is simply untrue. Nothing stops people from exchanging BTC in
person. Nothing stops people from exchanging small low risk volumes on
exchanges at a time. Regulatory oversight is not necessary to manage risk - it
just makes things easier (and FWIW, something I support).

People who lost money on MtGox lost it because of decisions they made which
they had 100% control over. There were viable alternatives open to them, they
simply chose not to pursue those options.

Every government with an opinion on Bitcoin thus far has made it abundantly
clear that (1) Bitcoin is risky (2) if you stuff up, nobody will rescue you.
If you decide to participate despite these warnings, that's your own free
choice. If you are not aware of those warnings, you're putting your money into
something you haven't adequately researched, and would likely be bound to lose
your money either way.

~~~
mcv
> Nothing stops people from exchanging BTC in person. Nothing stops people
> from exchanging small low risk volumes on exchanges at a time.

Lack of technical knowledge and understanding stops most people from handling
BTC safely. In order to manage risk, you need to understand the risk, and a
lot of people just don't, and nobody is telling them or helping them in an
accessible, understandable and reliable way.

> People who lost money on MtGox lost it because of decisions they made which
> they had 100% control over.

But that doesn't mean they understood them 100%. You make it sound like they
intentionally threw money away. They didn't. They didn't expect this, didn't
understand this was possible, not to mention likely. Had everybody known how
MtGox operated, and had trustworthy experts explained what that meant, nobody
would have put money in MtGox.

No person on earth can afford to understand 100% of everything he deals with.
Easy, safe, reliable interfaces are vital once you move from hunting and
gathering to a more complex society.

~~~
ryanjshaw
> In order to manage risk, you need to understand the risk, and a lot of
> people just don't

Does that excuse them from responsibility for engaging in risky transactions?

> You make it sound like they intentionally threw money away

No, I'm simply advocating taking personal responsibility for one's decisions,
and pointing out that safe Bitcoin use is entirely possible without regulatory
oversight [1].

> They didn't expect this, didn't understand this was possible, not to mention
> likely

MtGox and multiple exchanges have been hacked long prior to this event. That
sets a reasonable expectation of what could happen in the near future. Again,
if you don't do your homework you must expect to get burned.

Bitcoin is an experiment. Just like any other experiment it can end in all
sorts of ways, some good, some bad. You seem to believe that people should be
protected from making mistakes all the time -- if that were the case we would
never have invented the airplane, performed nuclear power (weapons) research,
etc. We can't jump into F1 cars before learning how to drive and expect not to
get hurt.

Sometimes you have to make mistakes to make progress, particularly in a field
that is completely new and unlike anything that has come before it; the people
who cannot deal with the consequences of those mistakes should not be in the
game until the consequences of mistake making are more suitable for them. Sure
it sucks watching all those 15 year old kids become millionaires overnight
and you may be tempted to sell your house for Bitcoin, but that's life - don't
be a fool.

[1] Caveat:

(1) unfortunately the operating systems we run today are not very secure, and
this is one risk that is very difficult to mitigate until companies take OS
security to e.g. a capabilities-based level where application confinement can
be guaranteed

(2) this is not to say that I think putting your money in it is a good idea
today, just that fundamentally there's nothing stopping the situation from
improving without regulators, even though - as I said previously - I support
regulation similar to that applicable to similar financial services
institutions

~~~
mcv
> No, I'm simply advocating taking personal responsibility for one's
> decisions, and pointing out that safe Bitcoin use is entirely possible
> without regulatory oversight [1].

I don't see how safe bitcoin use is possible for most people. Their own
devices aren't secure, and online services cannot be trusted. What other
option is there?

> MtGox and multiple exchanges have been hacked long prior to this event.

And yet this was totally non-publicized in the mainstream media. Everybody was
all about how fantastic bitcoin was and how big MtGox was, and those articles
were not followed by equally big articles about how MtGox was totally unsafe,
and so were most other exchanges.

Faced with that, it makes total sense that people think that MtGox is the
place to be.

> You seem to believe that people should be protected from making mistakes all
> the time

No, but I do believe people should be informed. And the bitcoin community
seems very averse to that.

> We can't jump into F1 cars before learning how to drive and expect not to
> get hurt.

Which is why there's such a thing as a driver's license. People know they
shouldn't jump into a car without one. The cars themselves also need to meet
all sorts of strict rules, without expecting every driver to be able to take
it apart, repair it, and judge its reliability. There are professional
experts for that. We need similar professionals in bitcoin, otherwise it's
going to stay at the current amateur hobby level.

> Sometimes you have to make mistakes to make progress, particularly in a
> field that is completely new and unlike anything that has come before it

Sure, but bitcoin isn't that new. Both finance and programming are well
established fields, yet bitcoin fans and entrepreneurs insist on ignoring all
the lessons from those two fields, with these disastrous results.

------
ketralnis
"It's like all these bitcoin sites are running a bug bounty without even
realizing it.."
([https://twitter.com/jjarmoc/status/440927360821764097](https://twitter.com/jjarmoc/status/440927360821764097))

------
fourstar
With more of these issues happening in the bitcoin world, it just screams of
bad PR and self-limiting for mass adoption. I know it was stated that this
helps "weed" out the bad apples, but to be honest, I couldn't even tell you
who the legitimate ones are and I bet you can't either because it's just too
soon to tell. There's an implicit trust for me with banks in that they've been
around for a while (even though many have/will fail(ed)), but you get some
satiation with FDIC deposit insurance as well as government regulation.

Curious what other people think about the public perception of bitcoin right
now, and how to avoid something like this.

~~~
FigBug
The way I see it, unless you are a speculator/miner, there is no upside to
using bitcoin for transactions right now. The risks are too high for almost
nonexistent benefits. I understand when merchants would be pushing bitcoin, no
fees, no charge backs etc. But what is the benefit for the consumer?

~~~
berberous
The reduced fees could be split by consumer and merchant, so that the consumer
gets lower prices. Practically though, I agree with you; right now the ability
to reverse transactions is probably worth more than any price savings.

~~~
wpietri
One important barrier to this is that merchant agreements, at least years ago
when I last read one carefully, prevented you from offering lower prices to
non-credit-card payers.

~~~
einhverfr
Although I am not that big of a fan of Dodd-Frank on the whole, one good thing
in that bill, at least in the US, is that it outlawed such clauses in merchant
agreements.

~~~
wpietri
Wow, I missed that. Great to hear!

------
ars
Hackers don't really have much motivation to seriously go after many sites. Or
if they do they don't do much harm.

But with bitcoin there is huge motivation. Anyone running a bitcoin website
has a huge target painted on them.

How do banks manage to make websites without being hacked?

Do they not get hacked in the first place, or is it because they are able to
"undo" most thefts?

~~~
patio11
Banks don't make websites without being hacked. They do, however, spend more
on technical security for a single week than the entire Bitcoin community had
spent on all technology to date, and they have substantial processes in
addition to the tech to mitigate risk.

~~~
camus2
Banks have insurance too, something all these exchanges don't have. No insurer
would ever back up a bc exchange.

~~~
rahimnathwani
Insurance just smooths out risks over time and among different parties. It
doesn't reduce the (expected) total losses from events, across the entire
industry.

Banks have insurance for some risks, yes. They are able to buy insurance for a
reasonable price precisely because the insurer perceives that the risks are
low and well understood.

------
nemothekid
This may be an interesting hurdle for bitcoin that I've never really
considered. Because the real life equivalent of bitcoin is essentially cash
you have to take security extremely seriously. One fuckup and you lose
everything. This isn't really like banks where if someone has their account
hacked they can have funds reversed if they are quick enough.

Even Google couldn't keep their datacenters 100% secure, so how will startups
fare against the extremely high security cost? Hopefully sane security
measures will become widespread, or bitcoin services may be only run by those
who can afford security audits.

~~~
j79
I agree.

While not bitcoin, I played around with dogecoin for a while (I was tipped
about 3000 doge on reddit for a post). Right before Christmas, dogewallet was
hacked (where I had transferred my doges to). Some good folk over at reddit
band together to work on helping out those of us who were hacked. I create a
new wallet, and then submit my info for donation doges.

A week or so later, they send me 3000 doges. I didn't realize until I checked
my account (a few days after it was sent) that they had sent them. Here's the
interesting part - less than an hour after they had sent it to me, those 3000
doges were immediately withdrawn and sent to another address.

Thankfully, I was playing around with Doge (so the value was all of a dollar
fifty), but the entire thing turned me off. If this was bitcoin, or if I had
actual money invested, I would have lost my investment TWICE.

I like to think I'm somewhat technically savvy, but in that moment, I
realized I had no clue what the hell had happened. Trying to imagine my
parents working with bitcoin...never.

~~~
mgpetkov
I suggest scanning your computer for viruses, spyware, rootkits ... Today I
checked my wallets and they are intact. I also run a small mining pool and guess
what ... no coins are missing.

------
tlrobinson
This sucks, but there's a bunch of things in the pipeline that promise to
vastly improve the state of Bitcoin security.

There was a really interesting talk today at the Texas Bitcoin Conference by
Ryan Singer of Crypto Corp ([https://cryptocorp.co/](https://cryptocorp.co/))
about "hierarchical deterministic multisig" (HDM) wallets:
[https://cryptocorp.co/technology.htm](https://cryptocorp.co/technology.htm)

Even exchanges can make use of this sort of technology to avoid holding
customer funds for longer than absolutely necessary.

I think we'll start to see a migration to these sort of systems this year.
Hopefully there will be increasing competitive pressure on services to
implement safeguards like this.

------
Fuxy
There seem to be a lot of attacks lately. Is this a coordinated attack or are
these exchanges just coming clean now?

Regardless, since everybody's instinctive reaction is to sell/get out now, it's
the best time to build a proper exchange with all the best coding practices
applied.

Best thing is you don't have to pay anybody for a security review, since the
bitcoins are a prime target; just don't keep too many in the hot wallet.

Then again, paying a few security professionals to hack you may be the cheaper
option, but how many exchanges do you think actually do that?

