
Instawallet Hacked - LiveTheDream
http://notice.instawallet.org/
======
joecurry
>> If several claims have been filed for the same url, we will process those
claims on a case by case basis, under the presumption that the claim we
received first belongs to the legitimate balance holder.

Is this a joke? They can't be serious.

~~~
GigabyteCoin
And when all of their wallet URLs were indexed in Google, I am pretty sure
they're saying that nobody is getting a refund here.

------
error54
I know it's been said many times before, but we're only going to see a rise in
bitcoin thefts. With the price being over $100/coin and you're stealing
virtually untraceable currency, I'm honestly just surprised that there haven't
been more thefts. I'm sure the security team at Mt. Gox is top notch as they
probably have dozens of hack attempts per day.

~~~
GigabyteCoin
I for one believe the barrage of attacks and attempted thefts will inevitably
make Bitcoin safer. Just like Google Chrome's pwning contests, eventually
nobody will be capable of claiming the prize.

~~~
ebbv
It's not really comparable to Pwn2Own. Pwn2Own's only vector of attack is by
finding flaws in the software directly.

All of these wallet service companies employ people and many, many successful
hacks are performed by exploiting the people involved / mistakes the people
make.

So while software with enough hardening can eventually get to a state that's
quite safe, as long as people are an active part of the security chain, you're
going to have valid attack vectors.

~~~
makomk
There have also been attacks on Bitcoin companies that exploited their hosting
company's procedures or lax handling by their employees. Securing this stuff
is fundamentally hard.

------
ChuckMcM
This [<https://news.ycombinator.com/item?id=5475389>] conversation suggests
that there might have been a very large withdrawal of funds just prior to the
system shutdown.

It points out again how careful you have to be when suddenly there is "real
money" on the line.

I've yet to see the "exit strategy" where an enterprising crook sets up an
exchange and then loots it once its net value is high enough. But I would not
be surprised to see that happen. It has happened in the brick and mortar world
with banks, no reason it shouldn't be any different in the digital world.

~~~
gesman
So everyone knows the destination address of fraudulent transfer. I wonder if
it would make sense to mark it as "dirty" and mark as "dirty" every other
address where the funds will be transferred from this address. And then every
legitimate merchant, after receiving bitcoin payment would validate incoming
address against "dirty" list to allow tracking of thief? This of course works
only if _every_ merchant and service in bitcoin world would do that.

Just an idea ...

~~~
erikpukinskis
I doubt the miners would accept this idea. It goes against a key principle of
Bitcoin: that transactions are irreversible and no authority can appropriate
your coins.

Even the 0.8->0.7 reversal was hard for some miners to swallow. And in that
case it was only accepted because only doubly-spent transactions would be
reversed. Singly-spent transactions would just transfer over to the new chain.

I don't expect to ever see a Bitcoin fork where a cryptographically valid,
singly-spent, included-in-a-block transaction is reversed.

~~~
gesman
That would be totally merchant-driven, nothing to do with miners. No reversals
needed.

~~~
AnIrishDuck
I don't understand how your proposal is tenable. There's nothing preventing
the fraudulent party with their blocked Wallet A to just create a new Wallet
B, transfer funds to that, and then use it.

If you're a merchant, you'd have to do origin tracing of the funds in all the
wallets you accept. It's not as simple as just creating a blacklist, that
would be very easily avoided. The only thing that might work is getting all
miners to refuse to accept transfers from the "bad" address to ANY other
address (good luck, that's never going to happen).
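
Added example (not part of the thread or of any commenter's post): a minimal sketch of the difference raised above between a static "dirty" list and origin tracing, run over a constructed ledger with placeholder address labels. It also shows the cost of tracing: an unrelated party's change output is flagged once coins are co-spent.

```python
# Constructed sample ledger; address labels are placeholders, not real
# Bitcoin addresses. Each entry: (txid, input addresses, output addresses).
LEDGER = [
    ("tx1", ["hot_wallet"], ["thief_A"]),   # the known fraudulent transfer
    ("tx2", ["thief_A"], ["thief_B"]),      # funds moved to a fresh "Wallet B"
    ("tx3", ["thief_B", "bystander"], ["thief_C", "bystander_change"]),
    ("tx4", ["honest_1"], ["honest_2"]),    # unrelated payment
    ("tx5", ["thief_C"], ["merchant"]),     # spend at a merchant
]

def blacklist_flags(payer, blacklist):
    """Static list check: only catches addresses listed verbatim."""
    return payer in blacklist

def taint_origin(ledger, seeds):
    """Forward 'poison' propagation.

    Every output of a transaction that spends from a tainted address
    becomes tainted. Returns {address: txid that first tainted it},
    with None for the seed addresses. Iterates to a fixed point so the
    result does not depend on the order of the ledger entries.
    """
    origin = {seed: None for seed in seeds}
    changed = True
    while changed:
        changed = False
        for txid, inputs, outputs in ledger:
            if any(addr in origin for addr in inputs):
                for out in outputs:
                    if out not in origin:
                        origin[out] = txid
                        changed = True
    return origin

def merchant_check(payer, ledger, seeds):
    """Return (static_hit, traced_hit) for a paying address."""
    return blacklist_flags(payer, seeds), payer in taint_origin(ledger, seeds)

if __name__ == "__main__":
    seeds = {"thief_A"}
    for payer in ("thief_A", "thief_C", "bystander_change", "honest_2"):
        print(payer, merchant_check(payer, LEDGER, seeds))
```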

------
bluetooth
I expect nothing less from Instawallet. Previously, they used to keep private
keys in the URL and allowed Google to index these URLs. It took a lot of
pestering and hand-holding to get this fixed. I should have figured this would
have happened sooner or later, given their incompetency regarding security.

~~~
stcredzero
Dunning-Kruger is an order of magnitude stronger for security.

~~~
danielweber
If you are doing security for a Bitcoin site, your motto should be "I am an
idiot and am forgetting something very basic." Then you should try to figure
out how to protect yourself from your own idiocy despite being stupid.

And you should never assume you just got smart.

~~~
wmf
And then a 17 year old launches before you and takes your customers.

~~~
illuminate
And the 17 y/o takes their customers' wallets, what's your point?

~~~
wmf
The market can stay irrational longer than you can stay solvent. Everybody who
tried to "do it right" (TradeHill, CampBX, etc.) seems to have failed while
users flock to the joker du jour.

~~~
illuminate
Wouldn't it then be hard to be the joker du jour for long?

------
jellicle
> Instawallet hacked

Another alternative is that the Instawallet people just decided to keep the
"money" you had stored there, and retire to a small Caribbean island.

You'll never know.

------
vshastry
This type of incident is a key reason the US Treasury's Financial Crimes
Enforcement Network ("FinCEN") issued sensible guidance requiring those who
offer wallet (bitcoin transfers between persons and/or merchants) and currency
conversion services to be regulated as money transmitters. While money
transmitter regulation isn't perfect and is expensive for providers, it can
provide some consumer protections in these scenarios.

Edit: Forgot to link to their guidance

<http://fincen.gov/statutes_regs/guidance/html/FIN-2013-G001.html>

------
bencevans
Clicking the logo directs the user to <http://localhost:3000>.

On a side note... New Business plan:

1\. Set up an online Bitcoin wallet service

2\. Wait a while till people actually trust/use it

3\. "We got hacked"

~~~
TillE
Very high risk for moderate reward, assuming you're based in a country with
functioning law enforcement.

~~~
iaw
Depends on the country's laws. What makes you think any attorney is going
to prosecute the theft of a "digital currency"? At this time in the world most
people when informed of bitcoin think it's a toy currency.

------
shocks
How many more times do we need to go through this?

People: Only keep an amount you are willing to lose in an online wallet. Keep
the rest offline and encrypted.

~~~
danielweber
If you are using it as a currency, "offline and encrypted" is "unusable."

If you are using it as a commodity to trade, well, it's perfect.

~~~
bigiain
Maybe. Perhaps it might be useful to compare online bitcoin storage with cash
in your pocket. You wouldn't convert your entire nett worth to cash, stick it
in your pocket (or for "added security", hide it in your sock!) then go out
clubbing.

Unless you're about to buy a car or a house with bitcoin, there's no need to
store tens or hundreds of thousands of dollars worth in an immediately useable
(and hence potentially stealable) status.

------
dcc1
What made Instawallet better than Blockchain for an online wallet? Why did
people use it? What was the selling point?

~~~
GigabyteCoin
Who ever said that it was better?

No online wallets are secure, nobody should be using them, but unfortunately
the bitcoin system is still a bit too complicated for a lot of people.

~~~
acebarry
Instawallet always made it clear that no one should keep anything more than
spare change there.

~~~
GigabyteCoin
I don't think they said that on the homepage, they advertised themselves as a
bitcoin wallet.

They did say so at one time or another I believe, but that was long long ago.

------
SkyMarshal
Wow, could become a clusterfuck of epic proportions:

1\. It takes three months to get your BTC back, and only up to a max of 50. If
you have more, it will take longer.

2\. If the hackers can figure out your url and key, they can dispute your
claim. If they actually get their claim in before your legit claim, their
claim is favored.

Yikes. I would not want to be either an Instawallet employee having to sort
that mess, or a client with their BTC frozen for months and potentially at
risk of being stolen.

 _"Important information on claims submission:

For the first 90 days we will accept claims for individual Instawallets. Your
wallet's URL and key will be used to pre-populate a form to file the claim.

After 90 days, if no other claim has been received for the same url, your
Instawallet balance under 50 BTC will be refunded. If several claims have been
filed for the same url, we will process those claims on a case by case basis,
under the presumption that the claim we received first belongs to the
legitimate balance holder.

Claims for wallets that hold a balance greater than 50 BTC will be processed
on a case by case and best efforts basis."_

------
scottrblock
Also troubling is their logo links to localhost:3000. Why would you hard link
that in the first place?

------
afreak
<https://bitcointalk.org/index.php?topic=83794.0>

A good look at previous thefts. The last page contains links to the current
Instawallet issue.

------
shabble
If this is what it sounds like, and the "exploit" was Google indexing a bunch
of URLs which allowed direct access to the funds they referenced, how did
Google discover them in the first place?

There was mention of a missing/broken robots.txt which allowed GoogleBot to
index them, but what I'm stuck on is how it learned about them in the first
place; were they actually doing something utterly insane like autopublishing
a sitemap, or was there some bug allowing g'bot to sniff/guess the URLs?

I've seen odd behaviour in my logs from Google crawls in the past, like g'bot
traffic within minutes of adding a new DNS entry/vhost to a domain, with
absolutely assuredly no mention of it publicly available. I suppose it's
possible they're watching DNS zone changes and scheduling a tentative probe,
but it's a bit creepy (especially if you're disorganised and haven't got the
robots.txt set up right away)

------
Ixiaus
In an authority-less and irreversible transaction currency it still surprises
me when I hear about someone losing money to a service such as this - without
an authority the burden of security truly is on the user themselves and they
are at the mercy of the (supposed) security of whatever exchange or service
they are attempting to use. In this case, having someone manage your wallet
for you.

I personally keep my bitcoin wallet encrypted with GPG, I manually (like a
safe) decrypt it when I want to make a bitcoin transaction and encrypt it when
I'm done.

------
jonjohn84
logo link on this notice page points to localhost:3000, looks like dev/prod
mixup

~~~
lucb1e
They seem to be physically relocating (or at least a new server).

------
GigabyteCoin
Given the fact that instawallet was rarely used in the previous few years, I
doubt this will have much of an impact on the Bitcoin market:
<http://www.alexa.com/siteinfo/instawallet.org>

~~~
itsprofitbaron
FWIW Alexa isn't accurate and can easily be gamed.

~~~
GigabyteCoin
I am aware, but at least it doesn't look like this:
<http://www.alexa.com/siteinfo/bitcoin.org>

Faking a high alexa ranking may be possible, but faking a low alexa ranking is
not.

You can't fake the fact that next to nobody went to instawallet.

~~~
illuminate
"Faking a high alexa ranking may be possible, but faking a low alexa ranking
is not."

You need to be the sort of idiot who runs feature-free bloatware before you
can contribute to their ranking system.

~~~
IheartApplesDix
That is not a counter to his argument.

~~~
illuminate
If you think it is not a counter to his argument, you're missing the point,
that low scores are not indicative of low traffic, and high scores are not
indicative of high traffic (except among a very specific demographic.)

------
marshallford
I use coinbase. How long until they are hacked? Who can I trust! This is the
one con to bitcoin.

------
drivebyacct2
_stop. storing. your. wallet. online._ (I wanted to write this in caps, but I
resisted)

I'll add this to my list of things that people _know_ they should do but are
_too lazy_ to take a few minutes and set up: don't repeat passwords, use a
password manager, make regular backups, don't use GoDaddy.

Stop thinking you're the exception dammit, these things don't take that much
effort to do properly.

~~~
tensafefrogs
To me, this signals a strong need for more secure bitcoin storage options, and
since this is hacker news, perhaps some of us should get started on that :)

~~~
danielweber
I think I could do a pretty good job keeping wallets secure. But it would need
to be a full-time job, not a side project, and it would need a big budget.

You don't bootstrap a bank.

(Plus I did some basics with Bitcoin a few years ago and got pissed off at the
protocol and moved onto less annoying things.)

~~~
M4v3R
I don't like to spam with links, but <http://www.bitalo.com> aims to be the
service you described, and will be launched soon. "Most secure" really means
that no one, even the site admins/hosting platform, can ever touch your coins.
This will be enforced by the technology used, not just some internal policies.
And also, the site will be backed by a German AG company, which is basically a
type of "Public limited company" backed by minimum of 50,000 EUR.

~~~
foobarqux
How do they plan to accomplish this without using javascript crypto?

~~~
M4v3R
I plan on using Javascript crypto. I've spent many hours reasoning over this
idea, also studying security community reactions on mega.co.nz and I think it
is possible to do now. I don't want to disclose all details now for obvious
reasons, but all I can tell is that I will not reinvent the wheel here - all
parts needed are already available and mature, you just have to assemble them
into a complete solution.

~~~
epsylon
> you just have to assemble them into a complete solution.

Many (if not most) of the security vulnerabilities of the past years come from
perfectly safe components assembled in an unsafe way.

Crypto-engineering is _hard_.

------
justplay
shit

