
Ottawa Bitcoin exchange defrauded of $100,000 in cyber currency - rpledge
http://www.ottawacitizen.com/business/Ottawa+bitcoin+exchange+defrauded+cyber+currency/9628321/story.html
======
ig1
"Basically, we were in a race to develop new anti-fraud techniques and they
were in a race to develop new ways to steal money. The by-product of it was
all our competitors got wiped out because as the Russian mobsters got better
and better, they got better and better at destroying all of our competitors."
- Max Levchin on the history of Paypal.

Those who don't learn from history are doomed to repeat it.

~~~
sillysaurus3
The quote was so interesting that I went and found the source:
[http://ecorner.stanford.edu/1028.ect](http://ecorner.stanford.edu/1028.ect)

Now there's this gem:

_"it was basically became clear that we either figure out how to beat the
fraudsters or the fraudsters will take us under. And the company more or less
refocused itself as a research entity towards figuring out innovative
technological ways of destroying fraud in the Internet. And that alone could
be the subject of an entire class or a series of classes so I will completely
skip over all the cool technology we developed. Some of you might have seen
stuff in the news, words like EOR or ELIA, all these tools that we've built.
They're as cool as they sound. I could never tell you about them because
they're very secret and they're still in use. But maybe if you want to hang
out afterwards, I can tell you a little bit. But they're really cool and we
did really figured out how to kill fraud.

...

The submerged part of PayPal is this massive and very, very numerically-driven
risk management system which allows us to instantaneously tell when you're
moving money to someone else, with a very high degree of certainty whether the
money you're moving is yours or you got it illegally and we might be on the
hook later on to help the authorities investigate or retrieve the money, et
cetera, et cetera."_

I simply must know. I'll never find out how Paypal killed fraud unless I ask
HN right now, and I've got to know. So, with apologies for branching into a
completely unrelated topic:

What magic did Paypal invent in order to do all of those amazing things
described above? How'd they kill fraud? What are the details of how the
technology works? Is it still a closely guarded secret? Do they use some
advanced statistical mathematics to detect fraud, or do they bruteforce the
detection by providing massive quantities of data to the otherwise-dumb
detector algorithm?

What fascinates me is that they've come up with a way to detect fraud
automatically, with no human input. There are false positives, which everyone
here has probably had some terrible experiences with, but... Still, how did
they train a computer to detect and freeze the very sophisticated and very
subtle covert techniques of Russian mobster money launderers?

Any info would be very much appreciated, especially citations / references for
further reading on this topic.

~~~
patio11
I didn't work in risk analysis at Paypal, but I have a passing interest in the
field. A lot of it is much simpler than you think it is.

Want a not-so-secret anti-fraud technique? If the billing address is Kansas
and the IP is China, you probably shouldn't let that transaction go through.
Really obnoxious for those of us who live overseas. Stupendously valuable,
though.

There exists a particular anti-fraud heuristic at a YC company. They shared it
to me in confidence, because as soon as you know it exists, you can trivially
avoid it. I mean _trivially_. It's apparently _insanely_ effective, though,
half because it has a really good handle on who it wants to frustrate and the
other half because it's not in the literature at all and, as a consequence,
the bad guys don't even know they have to avoid defenses in that class of
algorithms. ("But that's security through obscurity!" Good recitation of the
dogma, but can I point out to you "This was implemented, in actual computer
code, and does in fact actually work?")

There exist more complicated things you can do with machine learning. There
also exist more complicated things you can do with heuristics. There also
exist more complicated things you can do with live fraud teams. There is non-
zero value to finding fraud even after it has happened, because shutting down
the fraudulent accounts means you can either keep some horses in the barn or
even, potentially, call some of the stolen ones back.

An underappreciated angle of this is that you don't have to outrun the tiger,
you just have to outrun your friend. You start getting dedicated adversarial
interest as you approach the most lucrative weak link in the entire financial
system. That was Paypal back in the day -- with a bullet. Even though no
startup/bank/etc ships with perfect security, investing sufficiently in
security means the guy that gets victimized is someone other than you. They
either go bankrupt or have their problems burned away in cleansing fire. Then
the cycle repeats. (One reason Bitcoin companies keep getting looted is that
if you plot out "Amount we could conveniently steal" versus "Resources spent
on defense in the last 6 months" for all companies in the financial sector
there are a lot of dots representing Bitcoin companies which are isolated
islands, and the sea is filled with sharks.)

It's a fun field, for a certain perverse and high-stress definition of "fun."
I'd probably have made a career in it, but found making and selling software
(with just a wee bit of risk management/security/etc thrown in) to be more
fulfilling.

~~~
toomuchtodo
> There exists a particular anti-fraud heuristic at a YC company. They shared
> it to me in confidence, because as soon as you know it exists, you can
> trivially avoid it. I mean trivially. It's apparently insanely effective,
> though, half because it has a really good handle on who it wants to
> frustrate and the other half because it's not in the literature at all and,
> as a consequence, the bad guys don't even know they have to avoid defenses
> in that class of algorithms.

Please don't tell me it's capitalization of the cardholder name...

~~~
patio11
On a different note, I'm happy to disclose the one heuristic BCC has since I'm
the only one who can get negatively affected by it. I have several thousand
names of people who have previously bought BCC, and they are a pretty diverse
sampling of a slice of the American experience. If you hit the trifecta of a)
a first name I've never seen before, b) you use a free email provider and c)
you've never actually made a bingo card yet, your purchase causes my phone to
light up so that I can refund it prior to the actual cardholder hitting me
with a chargeback. I also add it to a spreadsheet that I periodically bug
Paypal's fraud team with.

This heuristic has literally perfect detection and recall [+] against a
particular carder ring, which was using BCC to test cards (via our Paypal
account, sadly, so I have limited pre-charge options to fix it) this summer.

Paypal, to their credit, has apparently shut down this carder ring, since I
can't remember that heuristic firing in 2014. (Edit: Poor phrasing. The
heuristic not firing doesn't mean I'm safe. Having a historical level of
chargebacks, which is less than one a quarter, rather than having the carder
ring-induced "20+ in a week" suggests that I'm safe.)

[+] Edit: It's 2 AM and I can't remember if this is the right circumstance for
that jargon. What I'm trying to say is, of the universe of charges that I can
classify as good or bad at N months after the charge, 100% of the ones this
heuristic flags are in fact caused by a carder ring and 100% of the ones this
heuristic fails to flag are, to the limit of my current understanding, not
caused by that carder ring.
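
The trifecta rule described above, together with the billing-address/IP mismatch rule from the earlier comment, implemented over constructed data as an added example (not BCC's or PayPal's code); the customer names, purchases, fraud labels, free-mail list and the geo-IP table are all made up, and the precision/recall figures are computed the way the [+] footnote defines them:

```python
"""Constructed example: two fraud heuristics from the thread.
Rule 1 (BCC "trifecta"): unseen first name AND free e-mail provider AND
no bingo card ever created.  Rule 2: purchase IP resolves to a country
other than the billing country.  Names, purchases, labels and the geo-IP
table are all made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Constructed, tiny prefix -> ISO country table (RFC 5737 documentation ranges).
GEOIP_TABLE = [
    (ip_network("203.0.113.0/24"), "CN"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("192.0.2.0/24"), "CA"),
]

@dataclass(frozen=True)
class Purchase:
    first_name: str
    email: str
    cards_created: int      # bingo cards the account made before buying
    billing_country: str    # ISO code taken from the billing address
    ip: str                 # address the purchase came from

def ip_country(ip: str) -> str:
    """Prefix lookup in the constructed table; '' when the IP is unknown."""
    addr = ip_address(ip)
    return next((cc for net, cc in GEOIP_TABLE if addr in net), "")

def trifecta(p: Purchase, known_first_names: set) -> bool:
    unseen = p.first_name.strip().lower() not in known_first_names
    free_mail = p.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS
    return unseen and free_mail and p.cards_created == 0

def geo_mismatch(p: Purchase) -> bool:
    cc = ip_country(p.ip)
    return bool(cc) and cc != p.billing_country  # unknown IP never flags alone

def is_flagged(p: Purchase, known_first_names: set) -> bool:
    return trifecta(p, known_first_names) or geo_mismatch(p)

def precision_recall(flags: List[bool], labels: List[bool]) -> Tuple[float, float]:
    """labels[i] is True when the charge later proved to be fraudulent."""
    tp = sum(f and l for f, l in zip(flags, labels))
    fp = sum(f and not l for f, l in zip(flags, labels))
    fn = sum(l and not f for f, l in zip(flags, labels))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall

# Constructed historical customer names and a labelled batch of new purchases.
KNOWN_FIRST_NAMES = {"alice", "bob", "carol", "dave"}
BATCH = [
    (Purchase("Alice", "alice@example.org", 3, "US", "198.51.100.7"), False),
    (Purchase("Xqzlt", "x9@gmail.com", 0, "US", "198.51.100.9"), True),   # trifecta
    (Purchase("Bob", "bob@gmail.com", 0, "US", "203.0.113.5"), True),     # geo mismatch
    (Purchase("Eve", "eve@example.com", 0, "CA", "192.0.2.4"), False),    # new name, paid mail
    (Purchase("Carol", "carol@yahoo.com", 0, "US", "10.0.0.1"), False),   # known name, unknown IP
]

def evaluate(batch=BATCH, known=KNOWN_FIRST_NAMES) -> Tuple[float, float]:
    flags = [is_flagged(p, known) for p, _ in batch]
    labels = [label for _, label in batch]
    return precision_recall(flags, labels)
```

On this constructed batch both rules together reach precision 1.0 and recall 1.0; a fraudster reusing a common first name with no geo mismatch would slip past both, which is the "trivially avoided once known" property the comment describes.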

~~~
euroclydon
> a first name I've never seen before

You mean you just see if the first name is not already represented in BCC's
user database? Under what conditions are your users required to give you their
first name? For the trial or just for the purchase?

~~~
svenkatesh
Why would he be refunding someone for a free trial? ...

~~~
euroclydon
You're missing the point. He refunds a purchase if he's not seen the name
before plus the other two conditions. My question is: what exactly does he
mean by "I haven't seen the name before"?

------
nwh
> _We have reviewed our security processes and continue to work with our
> customers to make sure they take advantage of all of our security features._

What an absolute joke. They gave an unauthenticated hacker direct access, and
somehow it's the client's fault.

~~~
natdempk
The best part was that they offered them a credit on their account as
compensation. As if they would want to continue their business with a hosting
company that allows unauthenticated users to issue commands to their
technicians.

~~~
mikeash
I wonder just how much time they'd get from $100,000 in hosting credit.

~~~
natdempk
> _Grant said the credit was nowhere near sufficient to cover the company’s
> loss and as a result his firm is contemplating legal action._

I doubt it was $100,000 in hosting credit. Probably a free year or two or
something relatively meaningless.

~~~
mikeash
No doubt, but it's amusing to imagine.

------
jordigh
Before people start commenting on how bitcoin needs this or that or predict
the doom of bitcoin, read the article: this has nothing to do with bitcoin's
security. The attack was perpetrated in the most inane social engineering way,
and actually, the bitcoin exchange was smart enough to not put all of its
bitcoins in the same basket, so 100,000 CAD worth of bitcoin is not a death
blow to this exchange.

~~~
sharpneli
Most of real world fraud is exactly this kind of stuff. Bitcoin solves a
problem which is not actually a problem in real world. And leaves the problems
which actually are problems unsolved.

Don't get me wrong. The proof of work ledger is a cool idea. However using it
as a currency in this kind of implementation with complete disregard to
anything else doesn't work in the long term.

~~~
wyager
>Bitcoin solves a problem which is not actually a problem in real world.

Well, it solves more than one problem, and a few of them are certainly real-
world.

>However using it as a currency in this kind of implementation with complete
disregard to anything else doesn't work in the long term.

Would you care to expand on what you mean by "complete disregard to anything
else"? I mean, clearly this is hyperbole, but I'm curious what you are
referencing specifically.

~~~
sharpneli
I simply meant that bitcoin as a protocol and the standard client
implementation right now pretty much ignores everything else. Some can be
fixed on the client but it is not there yet. As an example the wallet is
unencrypted by default.

In addition one of the biggest problems with bitcoin stems from the problem it
solves. Transactions cannot be reversed, thus making thefts extremely
lucrative.

Normal banks simply reverse transactions if they are fraudulent. As an example
someone hacked Nordea (Bank operating in Nordic countries) last spring and got
away with 600 000 euros. All of the transactions except one were reverted and
the missing one was compensated by the bank.

~~~
lhgaghl
> Normal banks simply reverse transactions if they are fraudulent.

That's not a feature.

~~~
svenkatesh
Right, fraudsters should be allowed to keep their ill-gotten gains.

~~~
lhgaghl
Rephrased: it is a feature, but it implies a tradeoff: people who are
considered more important than you control your money. One which I don't
consider worth it. I've never had a problem with stolen assets of any kind
other than in the physical world, and I consider my physical assets that were
stolen fair; I would not want a God government who can see every single thing
that happens in any place and any time so they can recover my physical assets.

------
ChuckMcM
Ouch, there is a reason banks usually have leases that don't give the landlord
any access to their buildings. If you're hosting a system that has more than a
few thousand dollars of nominally liquid assets around you really really have
to start with a secure computing environment. That means locked _buildings_
where only you have the key, and security audits (cameras, key cards,
biometrics, as much as you can get) and ideally additional insurance provided
so you can charge failures on the part of the colo against their insurance up
to the amount of assets you keep at risk.

What is the current ratio of exchanges that lost customer money to ones that
haven't? It feels like it is close to 100%. That can be very damaging to the
long term success of btc.

------
UweSchmidt
In my opinion the two main problems with Bitcon are the complexity and the
libertarian philosophy around it.

Currently the first problem is being exploited. People struggle with how to
keep a bunch of long numbers safe and wrestle with vague abstractions - hot
wallet, cold wallet. People should know better, but they don't, why? Because
it's complicated.

People will probably keep losing money for a while because of that, until
everyone gets a handle on things. But then there's a much bigger unsolved
question though: How will the libertarian thing work out?

In Bitcoin threads the phrase "IF A MAJORITY OF THE MINERS [decides to screw
up everyone]" appears occasionally, usually tempered by "...but being all
rational, they won't!"

I predict that there will be at least one serious attempt at that during the
next 12 months. If the first boom has subsided a bit, and fewer new people
seem to start with bitcoin, it would be time for a collusion of people who are
able and willing to try out that angle.

And please take "predict" not as gloating, but rather as a warning. Are you
sure you understand bitcoin well? If not, why not get out now?

~~~
jordigh
> two main problems with Bitcon are the complexity

Agreed, we need to build better software around the bitcoin protocol, with a
cleaner UI. People are working on this problem. (haha, "bitcon", I bet that's
gonna turn into an insulting dysphemism soon).

> and the libertarian philosophy around it.

There isn't any inherent philosophy in the protocol. You can use bitcoins with
a tinfoil hat firmly planted on your head, or you can use bitcoins to build
centralised banking again if you want to. It's just a tool.

~~~
enraged_camel
>>There isn't any inherent philosophy in the protocol. You can use bitcoins
with a tinfoil hat firmly planted on your head, or you can use bitcoins to
build centralised banking again if you want to. It's just a tool.

It's a deflationary currency that enables decentralized commerce. I think that
in and of itself speaks volumes about the philosophy behind it.

~~~
jordigh
I don't understand enough about the economics to understand what kind of
philosophy a deflationary currency entails. Can you please explain?

As to the decentralised nature, I'm not convinced that really appeals to any
deep philosophy other than our greedy nature to want to be able to own what we
think we should own.

~~~
saraid216
Essentially, a deflationary and decentralized currency encourages "our greedy
nature" rather than discouraging it. Inflation is often referred to as a
subtle tax, because it devalues currency. Thus, you're incentivized to spend
your money rather than save it. Deflation, as the inverse, increases value of
currency and incentivizes you to save your money rather than spend it.

There's nothing particularly deep about libertarian philosophy. (Though there
are different amounts of nuance depending on which flavor of libertarian you
manage to get into a conversation with. Some of them are competent thinkers; I
have found them to be exceedingly rare.)

Many flavors extol the virtues of selfishness, though. You'll find this is
particularly true with libertarians who agree with Ayn Rand. Even those who
don't will generally say that people should look to their self-interest (it no
longer appears popular to invoke the invisible hand at this point; maybe
because of the intervening years of people noticing that Adam Smith had a lot
to say that contradicts libertarian ideas) and use abstract forces like the
price mechanism to determine policy. (This is a _very_ rough sketch.)

...and anyways, I'm spending too much time trying to be fair. Libertarianism
is fucking stupid, which is an opinion I have based more on its political
bits, which is a teenager's idea of society, than on its economic bits, which
I'm willing to concede more because I'd rather claim ignorance than because I
think there's any merit there.

The point is that looking out for number one is a cornerstone of varying
intensity in libertarianism and Bitcoin's deflationary and decentralized
nature plays very directly into that.

------
Jtsummers
This doesn't absolve Rogers of responsibility for this, but the incident
occurred right as the data center was being acquired. Depending on how far
along the transition was (per [1] it doesn't seem like it would have been very
far) it could be that this was an issue with Granite Networks' security
protocols and not Rogers'.

[1] [http://www.thewhir.com/web-hosting-news/canadian-telecom-rog...](http://www.thewhir.com/web-hosting-news/canadian-telecom-rogers-acquires-granite-networks-pivot-data-centers)

~~~
mikeash
Could also be the exact opposite. It's mildly suspicious that this happened so
soon after the acquisition. It's probably a coincidence, but it smells at
least a little bit like Rogers hooked up their own support system without
proper training.

------
Aqueous
Everything seems like obviously Rogers' fault up until this:

“It’s completely ridiculous,” said Grant. “All they did was go on the chat
session and say, ‘Hi, I’m James Grant and I have a server with you’ and the
data centre said, ‘Yes you do, what can we do for you?’”

If Rogers is like many ISPs, where you can chat with a representative but only
after you've logged into their online portal, this seems to suggest that the
attacker had already passed through authentication into Grant's account on
Rogers, which is why they did not do additional verification. I agree that
additional verification, in a form not required in the initial login, should
be done at the beginning of the chat, before taking any user-requested action.
But the article doesn't specify how the hacker in question obtained access to
Grant's Rogers account to begin with. Until we know that we can't fully
ascertain the extent of Rogers' liability here.

~~~
mikeash
Don't most companies let you do a live chat without logging in first? One of
the things you might want to handle with a live chat with tech support is "I
can't log in", so it would be odd to restrict it to logged in users.

For this particular situation, I just went to rogers.com, "Contact Us", and
followed the links to a live chat. Never asked me to log in, although it did
ask me for contact info and I stopped at that point.

I don't know if that gets me access to the servers, but once you're in a
company in any capacity you may be able to socially engineer yourself pretty
far.

~~~
Aqueous
Given how much physical security the article says they have, I seriously doubt
that Rogers would take action on any server through the anonymous, public-
facing live chat. It is possible, of course, but I wish the article would
clear that up.

~~~
fifty50chance
That's why it's so incredulous and negligent. Not a single verification and
Rogers bypassed every security measure in place.

------
onion2k
Keeping 194 BTC in a hot wallet on your server is essentially the same as
trusting $100,000 in cash to the minimum wage security guard at your bank.
You'd certainly hope that the bank has procedures that he's going to follow
correctly, but $100,000 is a lot to risk so perhaps a little extra security
would be a good idea.

Mind you, you'd also rightly expect the bank to cover the loss if the guard
just hands it over to a stranger.

~~~
shawabawa3
I don't know the size of the exchange, but it's reasonable that they would
have enough bitcoins in the hot wallet to process withdrawals on an "unlucky"
day - that is a day where significantly more people withdraw than deposit.
That could easily be 150BTC for even a small exchange. (the article says 150
were stolen, not 194)

Considering going up a level in security basically means hosting your own
servers, it's probably worth the risk as long as you assume your hosting
provider doesn't give strangers root access to your box.

------
servowire
Ouch, lesson learned: Put that hot wallet in an encrypted filesystem so that
single-user mode hacks don't work.

You would have to manually mount the partition after every boot though.

------
tokenadult
A while ago I wrote that perhaps the greatest contribution the Bitcoin
experiment will make to humankind is to teach you and me and our neighbors
more about the realities of economics. And later I added that the Bitcoin
experiment will also contribute to greater understanding of attack surfaces
and online crime. Many of the ideas about how to mine Bitcoins, store
Bitcoins, and trade with Bitcoins as a medium of exchange illustrate both the
strengths and weaknesses of any other medium of exchange in a world full of
human beings. Seeing the discussion of Bitcoins here on Hacker News reminds me
of early online discussions in the 1990s of online payment systems such as
PayPal, and the arguments beforehand that PayPal wouldn't have to invest a lot
of time and effort (as it eventually did) building defenses against theft and
fraud. If a weakness in a system is attached to a lot of money, the way to bet
is to bet that someone will go looking for that weakness, even if you haven't
thought of it.

------
icpmacdo
“Rogers Data Centres provides the highest level of security in the Canadian
data centre industry. Its security protocol is operationally certified and in
accordance with industry best practices. We have reviewed our security
processes and continue to work with our customers to make sure they take
advantage of all of our security features.”

Sounds like the normal BS that Rogers pulls.

------
viraptor
It looks like it's time to use full disk encryption even in datacenters now.
(There are scripts available to start up ssh and allow remote password input
before mounting root.)

The problem is that it does require manual intervention on reboot and may not
be very useful for 100s of machines.

~~~
wyager
I feel like that has a very limited scope of usefulness. Datacenter machines
are on 99.9% of the time, and generally speaking, thieves don't go through the
trouble of stealing hard drives from datacenters.

~~~
rainforest
In this case the wallet was stolen from the machine after it was rebooted into
single user mode. With FDE the machine wouldn't have been usable when it was
rebooted so the attack wouldn't have worked.

------
googletron
I bought bitcoins with these guys, very nice guys, shame this happened.
Shoutout Ottawa.

------
gesman
Wow.

And I work in this building right above Granite Networks!

