
Bitcoin Payment Processor BitPay Loses $1.8M in Phishing Hack - BallinBige
http://www.americanbanker.com/news/bank-technology/bitcoin-payment-processor-bitpay-loses-1m-in-phishing-hack-1076722-1.html
======
devit
1. CFO is using Gmail without 2-factor authentication

2. CFO enters his Google credentials on a random website

3. CEO takes CFO e-mail as valid without checking for the existence and
verifying a PGP signature

4. CEO sends Bitcoin for an existing customer to a new address he got by
e-mail rather than to the established one

On the positive side, the CEO eventually sought confirmation from the
customer.

------
iLoch
So many screw ups here because of bad or no company policy. It's hard to feel
bad for these guys. No live/voice confirmation between the CEO and CFO during
the transfer of _$700,000 worth_ of Bitcoins? No confirmation with the
purchaser? No two factor authentication on their Google accounts?

Sorry for your loss BitPay, but that's on you.

~~~
rememberlenny
The phishing attack on the CEO to sign in to "google docs" subverts two-
factor.

~~~
iLoch
How? That's exactly what it's for. The attacker would attempt to sign in on
their machine and would be prompted to enter a code.

~~~
adrianmacneil
2 factor doesn't protect against phishing. It's trivial for a phishing site to
ask for a 2fa code, and then immediately use that to sign in on your behalf.

~~~
devit
I think Google asks for 2-factor only when you are connecting from a new
browser/device, so it would be highly suspicious to see that happening
randomly.

Of course, the fact that he's asked for a password while being already logged
in on Gmail is also suspicious, but less so since other sites do that.

~~~
adrianmacneil
It's definitely suspicious. However, often it's not enough to trigger any
alarm bells. It's fairly easy to mindlessly type in password/2fa codes into a
website ("stupid google asking for my password again") rather than
automatically think about a potential phishing attack.

While I haven't seen it reported whether or not they had 2fa enabled, we can
hope that they had taken this very basic security measure.

Actually one of the best preventions against this is using a password manager.
I was nearly caught by a phishing site once, and I only noticed because
1Password was refusing to autofill the password field.
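
The exchange above, as an added simulation that is not part of the thread and not Google's or BitPay's code: a TOTP code is the same six digits wherever it is typed, so a phishing page that forwards password and code within the 30-second window logs in; a credential whose assertion covers the origin the browser is actually on (the U2F/WebAuthn idea, reduced here to an HMAC over challenge and origin to stay standard-library only) fails from the lookalike host; and a password manager that matches on the saved host refuses to fill, which is the tell adrianmacneil describes. The host names `accounts.google.com` and `accounts-google.example`, the keys and the account are all constructed for the demonstration.

```python
"""Simulation (added example, not BitPay's or Google's code) of why a TOTP code
typed into a phishing page still logs the attacker in, and why an origin-bound
credential or an origin-matching password manager does not. Every host name,
key and account below is constructed for the demonstration."""
import hashlib
import hmac
import secrets
import struct
from urllib.parse import urlsplit

REAL_ORIGIN = "https://accounts.google.com"          # the genuine login page
PHISH_ORIGIN = "https://accounts-google.example"     # the lookalike (constructed)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on secret and time,
    so it is the same code whoever is shown it and wherever it is typed."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def sign_challenge(key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """Stand-in for a U2F/WebAuthn authenticator: the browser, not the web page,
    supplies the origin it is really on, and the signature covers it. Real
    authenticators use public-key signatures; HMAC keeps this stdlib-only."""
    return hmac.new(key, challenge + browser_origin.encode(), hashlib.sha256).digest()


class Account:
    """Server-side state for one user at REAL_ORIGIN."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._kdf(password)
        self.totp_secret = secrets.token_bytes(20)
        self.authenticator_key = secrets.token_bytes(32)  # shared with the user's security key (simplified)

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login_password_totp(self, password: str, code: str, now: float) -> bool:
        """Password + TOTP, accepting the current or previous 30 s step as most
        servers do. Nothing here can tell a relayed code from a genuine one."""
        pw_ok = hmac.compare_digest(self.pw_hash, self._kdf(password))
        code_ok = any(hmac.compare_digest(code, totp(self.totp_secret, now - d)) for d in (0, 30))
        return pw_ok and code_ok

    def login_origin_bound(self, challenge: bytes, assertion: bytes) -> bool:
        """The server only accepts an assertion computed over *its own* origin."""
        expected = sign_challenge(self.authenticator_key, challenge, REAL_ORIGIN)
        return hmac.compare_digest(expected, assertion)


def autofill(vault: dict, page_url: str):
    """A password manager fills a credential only for the host it was saved on."""
    return vault.get(urlsplit(page_url).hostname)


def relay_attack_totp(account: Account, now: float) -> bool:
    """The phishing page asks for password and code and replays them at once."""
    captured_password = "correct horse"              # victim typed it into the phish page
    captured_code = totp(account.totp_secret, now)   # victim read it off their phone
    return account.login_password_totp(captured_password, captured_code, now + 5)


def relay_attack_origin_bound(account: Account) -> bool:
    """The phishing page forwards the real server's challenge to the victim's
    browser, but the browser signs it with the origin it is on: PHISH_ORIGIN."""
    challenge = secrets.token_bytes(32)              # fetched from the real server by the relay
    assertion = sign_challenge(account.authenticator_key, challenge, PHISH_ORIGIN)
    return account.login_origin_bound(challenge, assertion)


def demo() -> dict:
    acct = Account("correct horse")
    now = 1_700_000_000.0
    vault = {"accounts.google.com": ("cfo@example.com", "correct horse")}   # constructed entry
    challenge = b"c" * 32
    return {
        "totp_relay_succeeds": relay_attack_totp(acct, now),
        "origin_bound_relay_succeeds": relay_attack_origin_bound(acct),
        "legit_origin_bound_succeeds": acct.login_origin_bound(
            challenge, sign_challenge(acct.authenticator_key, challenge, REAL_ORIGIN)),
        "manager_fills_on_phish": autofill(vault, PHISH_ORIGIN + "/signin") is not None,
        "manager_fills_on_real": autofill(vault, REAL_ORIGIN + "/signin") is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point devit raises (a prompt for a code from a browser that is already signed in should look odd) is real, but the server has no way to enforce it: only a credential that binds the origin, or a client that matches on it, turns the suspicion into a hard failure.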

------
dbot
The legal case about whether the insurer must pay the claim is pretty
interesting. The insurer's position is that hack was pure social engineering
and that no systems were compromised - everything operated as it should.

That's correct, but the effect was the same as a system hack.

~~~
em3rgent0rdr
Seems like someone needs to develop a "Social Engineering" insurance.

~~~
aianus
Oops, I got socially engineered and sent all my money to this Bitcoin account
that totally doesn't belong to me or my brother in law _wink_. Please double
me up, Mr. Insurer.

Come on.

~~~
eli
Insurance fraud is a crime. They already insure against technical hacks, which
I would think would not be much harder to fake if you wanted to.

~~~
aianus
Crime or no crime, if you make something profitable and easy to get away with,
people will do it. For all we know, this _was_ an instance of insurance fraud.

I wouldn't touch insuring Bitcoin hot wallets with a twelve foot pole. Cold
storage, maybe, but only if I had my experts set it all up and maintained
control over all private keys.

------
weavie
You would have thought they would have had systems in place to ensure that it
would take more than just a simple email from the boss to transfer thousands
of bitcoins.

~~~
aianus
This. This has little to do with social engineering and the compromised email
account and everything to do with a company where standard operating procedure
is to manually send $700,000 around based on an email.

------
em3rgent0rdr
I've used bitpay and liked their service. Seems like these social engineering
hacks can happen to most anyone. Although I'm surprised such emails wouldn't
require two-factor authentication or at least a PGP signature.

~~~
jandrese
Good luck getting anybody else to use PGP. I've been trying for years and to
date not a single person has ever sent me an encrypted email. The only company
that bothers is Facebook, and I'm not sure their pilot program is going to
last much longer.

~~~
aianus
We use PGP for sensitive internal emails at Coinbase as well as for signing
releases on some of our open-source client libraries.

Keybase makes it pretty easy. You can see all of our keys here:
[https://keybase.io/coinbase](https://keybase.io/coinbase)

------
Axsuul
Been going through their compliance process recently and all of a sudden no
response. Looks like they have their hands full. Can anyone recommend any
alternatives to BitPay?

~~~
Mahn
Coinbase is often recommended as a BitPay alternative. Unlike BitPay it's not
a specialized processor but an online wallet, but much like PayPal you can use
it to collect payments as well.

------
jostmey
Theft has been a recurring problem with bitcoin and everyone ends up blaming
the users or the institutions.

~~~
adrianmacneil
To be fair, this isn't just a problem with Bitcoin. Spear phishing attacks
leading to fraudulent wire transfers are fairly common.

~~~
pbreit
Bitcoin itself does have a mechanism to mitigate the risk: "2 of 3". As in,
transfers require 2 out of 3 parties (or any n/n+m) to approve.

~~~
dogma1138
No, it doesn't. You can't choose not to "mine" a specific transaction; it
requires other parties to "witness" it, but not to approve it.

~~~
pbreit
OK. I guess I don't understand then what multisig is all about. My impression
was that it could be set up to require 2 parties to authorize a transaction.

~~~
dogma1138
It can require more than 1 "key holder" to initiate a transaction. Bitcoin
supports M of N; it's just like splitting the private key between a number of
people.

Once it's out, it's out. With normal transactions both parties can hold, revoke,
and reverse a transaction; this doesn't work with Bitcoin.

It doesn't matter into how many keys you split your private key; it's still a
single entity, even if within the organization there will be more than 1 person
needed to authorize it.
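
The controls several commenters say were missing, sketched as an added back-office example that is not BitPay's process: devit's list (an address taken from an e-mail rather than the one on file, no signature check), weavie's and aianus's point about sending $700,000 on the strength of a mail, em3rgent0rdr's PGP-signature suggestion, and pbreit's 2-of-3 idea, which dogma1138 describes as M-of-N key-holder control. A payout goes out only when the destination is already on file for that customer or has been confirmed by voice or video, and when the required number of approvers other than the requester have each signed the exact request. The per-approver HMAC stands in for PGP or multisig cosigner signatures so the block runs on the standard library alone; the approver names, keys, customer and addresses are all constructed.

```python
import hashlib
import hmac
import json
import secrets


class PayoutPolicy:
    """Dual control for outbound transfers: allowlisted destination plus M-of-N signed approvals."""

    def __init__(self, approver_keys: dict, required: int):
        self.approver_keys = approver_keys   # approver name -> key held only by that person (stand-in for a PGP key)
        self.required = required
        self.known_addresses = {}            # customer -> set of addresses already used with them
        self.confirmed_new = set()           # (customer, address) pairs confirmed by voice/video, never by e-mail

    @staticmethod
    def canonical(request: dict) -> bytes:
        """Sign the exact bytes that will execute, so an approval of one request cannot be replayed on another."""
        return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()

    def sign(self, approver: str, request: dict) -> bytes:
        return hmac.new(self.approver_keys[approver], self.canonical(request), hashlib.sha256).digest()

    def register_address(self, customer: str, address: str) -> None:
        self.known_addresses.setdefault(customer, set()).add(address)

    def confirm_out_of_band(self, customer: str, address: str) -> None:
        self.confirmed_new.add((customer, address))

    def evaluate(self, request: dict, approvals: dict):
        """Return (allowed, reason). `approvals` maps approver name -> signature over `request`."""
        customer, dest = request["customer"], request["destination"]
        if dest not in self.known_addresses.get(customer, set()) and (customer, dest) not in self.confirmed_new:
            return False, "destination is neither on file for this customer nor confirmed out of band"
        msg = self.canonical(request)
        valid = set()
        for name, sig in approvals.items():
            key = self.approver_keys.get(name)
            if key is None or name == request["requested_by"]:
                continue   # unknown approver, or the requester approving their own request
            if hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), sig):
                valid.add(name)
        if len(valid) < self.required:
            return False, f"{len(valid)} of {self.required} required approvals are valid"
        return True, "approved"


def build_policy() -> PayoutPolicy:
    keys = {name: secrets.token_bytes(32) for name in ("ceo", "cfo", "ops")}   # constructed approvers
    policy = PayoutPolicy(keys, required=2)
    policy.register_address("customer-a", "bc1q-on-file-address")   # constructed placeholder, not a real address
    return policy


def scenarios() -> dict:
    p = build_policy()
    to_new = {"requested_by": "cfo", "customer": "customer-a",
              "destination": "bc1q-new-address-from-email", "btc": "1000"}
    to_known = {"requested_by": "cfo", "customer": "customer-a",
                "destination": "bc1q-on-file-address", "btc": "1000"}

    # 1. The story: mail from the (compromised) CFO account names a new address; the CEO alone acts on it.
    story = p.evaluate(to_new, {"ceo": p.sign("ceo", to_new)})
    # 2. Address confirmed by phone, but still only one approver other than the requester.
    p.confirm_out_of_band("customer-a", "bc1q-new-address-from-email")
    single = p.evaluate(to_new, {"ceo": p.sign("ceo", to_new)})
    # 3. The requester signing their own request does not count toward the quorum.
    self_approved = p.evaluate(to_new, {"ceo": p.sign("ceo", to_new), "cfo": p.sign("cfo", to_new)})
    # 4. Two independent approvers on the on-file address: allowed.
    ok = p.evaluate(to_known, {"ceo": p.sign("ceo", to_known), "ops": p.sign("ops", to_known)})
    # 5. Destination swapped after the approvals were collected: the signatures no longer match.
    tampered = dict(to_known, destination="bc1q-new-address-from-email")
    swapped = p.evaluate(tampered, {"ceo": p.sign("ceo", to_known), "ops": p.sign("ops", to_known)})
    return {"story": story, "single": single, "self_approved": self_approved, "ok": ok, "swapped": swapped}


if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name}: {allowed} ({reason})")
```

This is a control on the sending side, which is where the thread locates the failure; it does nothing about the irreversibility dogma1138 describes once a transaction is broadcast, which is exactly why the check has to happen before the send.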

------
mindcreek
I don't believe the story.

------
snitko
I know it's kind of sad and I honestly wish all the luck to the BitPay guys -
it's not an easy situation. However, this is why we've built Mycelium Gear: we
don't hold merchant's money at all and anyone who wants to accept Bitcoin and
cares about privacy and security should consider using it:
[https://gear.mycelium.com](https://gear.mycelium.com)

~~~
adrianmacneil
This doesn't really have anything to do with holding customers funds, given
that this attack was related to OTC Bitcoin trading.

