Monthly Archives: August 2011

Spear-Phishing of MTGox Bitcoin Users

This weekend there were several reports of spear-phishing emails targeting users of MtGox, a leading Bitcoin exchange.

The emails purported to come from “info@mtgox.com” and contains a what is claimed as a link to an MtGox newsletter, but the link really goes to: hxxp://mtgox.tk/users/login

The email headers reveal the real source of the email:

Return-Path:
Received: from xm33.hostsila.org (xm33.hostsila.org [194.28.87.253])
...
Received: from fewfewef by xm33.hostsila.org with local (Exim 4.69)
(envelope-from )

It appears that this is a spear-phishing attack. MtGox was hacked a few months ago, and a database of user information appears to have been stolen. It looks like phishers are using that database to send targeted emails to users of MtGox.

This should not come as a surprise. Wherever there is money that can be stolen, cyber-criminals are sure to show up. In fact, 25% of all phishing is targeted at users of online payment services.

Learn more about phishing at the Anti-Phishing Working Group.

Bitcoin Gets Political – Anti-Gold Mining Activists Promote Bitcoin

Less than 11% of gold that is mined is used for anything other than investment or jewelry. Existing gold hoards could fulfill all industrial needs for gold for many decades.

As gold prices escalate to almost $1900 per oz, mining companies are ever more incented to mine more gold. Unfortunately many of these companies are in third world companies, and are not supportive of human rights. Many miners live in almost sub-human conditions, and death rates of miners are high.

An anti-gold mining group, http://protestbarrick.net has come out in favor of Bitcoin. Here is a great article about their position.

Their belief is that having a virtualized commodity for trading, that is not tied to gold, will reduce the incentive for mining companies to exploit workers and the environment.



Comments on MarketWatch’s Bitcoin Commentary

On Friday, Chuck Jaffe at MarketWatch recorded a video interview regarding Bitcoin as a currency investment vehicle. You can watch the video here.

He warns that while Bitcoin has been the best investment of 2011 (up 22,000%), that it is a highly volatile currency. Investing in Bitcoin has been very popular in light of it’s stellar performance, and the dismal performance of the US dollar and stock markets of late.

However, there are many risks to investing in Bitcoin.

1. Security. There are been numerous security breaches at major trading platforms. These have caused big swings in the value of Bitcoins.

2. Validity of trading platforms. Some trading and e-wallet platforms have unknown provenance. Some of these websites are hosted outside the USA, and even obscure the identities of those who operate the sites. It can be difficult to know if a site is legitimate, and if they shut down, there may be no way to recover lost funds.

3. Volatility. Because of these factors, and increasing hype in the media, Bitcoin prices have swung with a high level of volatility. While that can make a great investment opportunity, it can also be dangerous for those who are not trading in a real-time basis.

I think Jaffe does not understand that some of the bigger swings were created by security breaches at large exchanges. Over time, these exchanges will improve their Internet security, and new exchanges that are operated by professionals with backgrounds in trading, payments and security will emerge, and create a more stable market.

The Search for the Owners of MyBitcoin

It appears that we are no closer to finding the true operators of the MyBitcoin.com exchange, which was hacked earlier this month. The website shut down, and now hosts a web page stating that half of the bitcoins stored at the site were stolen (ie. spent) by unknown hackers.

Someone going by the name of “Tom Williams” claims to be the operator of MyBitcoin.com. Numerous users have received a 49% refund of their bitcoins, but there are those who doubt that the site was really hacked. Some suspect that it was a scheme to steal about $800,000 worth of bitcoins, and just blame it on unknown hackers.

The site is registered in Nevis, in the Caribbean West Indies. Nevis is famous as being a dormant volcano, but one which has the potential to become active again, as there are active fumaroles and hot springs on the island. There is a nice Four Seasons resort on the island, which caters primarily to tourists. The small island is home to about 12,000 inhabitants.

Perhaps Tom Williams lives on the island, perhaps not. Nevis is well known as a tax haven, and it’s quite possible that the MyBitcoin people merely registered their domain there, and live somewhere completely different.

I visited the nearby island of Anguilla some years ago, and flew in a small plane by the island of Nevis. I was attending the Financial Cryptography conference. Naturally this conference is usually held in small tax haven islands. Of note when I visited is that the post office of Anguilla (an island about 7 miles long and only 1 mile wide), consists primarily of P.O. Boxes for “companies” supposedly headquartered on the island. Nevis has similar operations.

While speculation rages that the site was not really hacked, I am not so sure. I’ve been deeply involved in tracking online crime and fraud since 2003. I know the sophistication of Eastern European hackers, and the types of malware and mule operations that they run. Given that the Bitcoin economy is worth over $60M, and many of the servers and services are operated by very small teams, it seems a ripe target for cyber criminals. Most sites do not employ 2-factor authentication, and I am sure they are not running a highly layered network security infrastructure. The attack as described at MyBitcoin.com though is one that actually relies on an intimate understanding of how bitcoin transactions are verified to prevent double-spending of electronic coins. It is general practice to confirm a transaction after it’s been included in 3 blocks and no duplicate spends have been found. It’s thought to be very safe after 6 transaction blocks are found, as this indicates that most servers on the network have seen the transactions, and there is no double spending.

MyBitcoin.com apparently confirmed transactions after they were included in just one block (presumably to ensure fast transaction settlement in under 10 minutes). Apparently attackers were double-spending coins based on this incorrect assumption by MyBitcoin.com. Only time, and an FBI investigation, will tell! We will see if U.S. customers complain to the FBI or Secret Service and get an investigation going. We will also see if there is any way for these law enforcement agencies to be effective with a virtual electronic currency, supposedly operated out of a foreign tax haven by unknown people.

Here are the DNS records of MyBitcoin.com

Domain: mybitcoin.com – Whois History
Cache Date: 2010-04-27
Registrar: TUCOWS INC.
Server: whois.tucows.com
Created: 2010-04-25
Updated: 2010-04-25
Expires: 2011-04-25
Reverse Whois: Click on an email address we found in this whois record
to see which other domains the registrant is associated with:

Registrant:
Privacy Shark, LLC
Main Street
PO Box 556
Charlestown, Nevis
KN

Domain name: MYBITCOIN.COM

Administrative Contact:
Privacy Protected Domain, Privacy Shark Domain Trust cHJpdmFjeXNoYXJrLmNvbQ==@privacyshark.com
Main Street
PO Box 556
Charlestown, Nevis
KN
(202) 558-2876
Technical Contact:
Privacy Protected Domain, Privacy Shark Domain Trust cHJpdmFjeXNoYXJrLmNvbQ==@privacyshark.com
Main Street
PO Box 556
Charlestown, Nevis
KN
(202) 558-2876

Registrar of Record: TUCOWS, INC.
Record last updated on 25-Apr-2010.
Record expires on 25-Apr-2011.
Record created on 25-Apr-2010.

Registrar Domain Name Help Center:
http://tucowsdomains.com

Domain servers in listed order:
ANONYMOUS-DNS1.PRIVACYSHARK.COM
ANONYMOUS-DNS2.PRIVACYSHARK.COM

Domain status: clientTransferProhibited
clientUpdateProhibited

Doesn’t Bitcoin Transaction Verification Require Mining?

My understanding of the block structure that verifies Bitcoin transactions is that it is verified by the mining infrastructure, which essentially signs transaction blocks, including transactions. If the rate of mining decreases to the point where it is highly unprofitable, then who will be generating bitcoin blocks in the future?

Most likely we will see blocks increasingly generated by commercial high-speed transaction processing services, and not as much by miners.

The First Bitcoin Conference is this Weekend in New York City

The first Bitcoin conference is being held this weekend in Manhattan, New York. You can find the agenda and all other information here.

Expect to meet Bitcoin developers and founders of exchanges like Mt. Gox and others. We anticipate that several startups will be announcing their apps and online services at the event.

There will be sessions on technology, bitcoin mining, bitcoin clients, trading and exchanges and merchant solutions. There are even several restaurants involved where you can pay your way with your hard-earned bitcoins!

The Immaturity of the Bitcoin Economy – Bitomat.pl Technical Failure

The Polish Bitcoin exchange, bitomat.pl, suffered a “technical problem” where they lost 17,000 Bitcoins from their servers.  This caused the failure of the exchange.  Mt.Gox is acquiring bitomat.pl and will integrate their user database into the Mt. Gox Bitcoin exchange.  Mt. Gox will also release a Polish language version of their exchange.

It’s pretty clear that we need commercial, venture-capital backed development in the Bitcoin economy.  Many of the existing exchanges have been hacked, and we have seen attacks against the very way that Bitcoins are verified (see the Mybitcoin.com debacle).

I’ve heard people in the community praising sites that use HTTPS as “secure”. This illustrates the fundamental lack of knowledge that people in the community have regarding modern hacking and cyber crime.

I’ve been involved with mitigating Internet crime against banks and payment processors since 2003. The measures that are being taken by existing Bitcoin services are orders of magnitude too simple to defeat the attackers that are going to be focusing on this economy. We’ve seen early glimmers of Bitcoin malware, but today hackers do not need to resort to such sophisticated measures. They can use rudimentary security and web application attacks to breach many Bitcoin services, and steal the stored coins.

We need to see a major shift in the security capabilities of Bitcoin services in order to ensure a scalable thriving economy. As it grows, so will the interest of the cyber crime community. And so will the attacks and their sophistication.

Hacking in the BitCoin Economy

Because the Bitcoin economy is relatively new an immature, yet has a stored value as of today at $60M USD, there is considerable financial gain to be had by hackers.

 

The latest fiasco is the attacks against Bitcoin electronic wallet service <a href=”https://www.mybitcoin.com/”>MyBitcoin.com</a&gt;

 

I’m still trying to get my head around the mechanics of the hack, but it seems like this wasn’t simply a break-in that resulted in the theft of Bitcoins.  Rather it seems that Mybitcoin.com was confirming transactions after a single block, which meant that an attacker was able to forge Bitcoin deposits via the Shopping Cart Interface (SCI) and withdraw confirmed/older Bitcoins. This led to a slow trickle of theft that went unnoticed for a few days.

 

It seems that half of the Bitcoins were basically stolen/double spent.  The <a href=”

https://www.mybitcoin.com/accounting.txt”&gt;

accounting disclosure from August 7, 2011</a> indicates that 78,740 went missing.  At a value of around $10 now, that’s over $750,000.

—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA1

							Sunday, August 7th, 2011

                MYBITCOIN ASSETS AND LIABILITIES DISCLOSURE

        Liabilities (Bitcoin)		Assets (Bitcoin)	Percentage
 -----------------------------------------------------------------------------
       	154,406.34272079		75,666.76066691		   49%

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MBC v1.0

iQEcBAEBAgAGBQJOPynGAAoJEJ+5g06lAnqF4dsH/1nl7hcurhpaIbAc64Dnud0H
lDyNPKqhGts0cNzmoXltivxPrQYTNVFLbr0My0Cm1kqEHdf3LlybeBSv3MTGToyR
N0niWx2GWzCbxXnRg+EG8o/iuElIXz/mmzAIUp6K9ReoqLTrYqUGkCSDf5YxDl/k
MpwHJMX7c1pR+YjfepaXMAQrKv54I1U2BQ5E0sf+L6TNdLfGukxKCnlW87D/+Th7
pnwIUuDvgbsGn9eb8IvAbrP/Mdq+rPD9nDgBnCS/9/DVKj4Onhuowb/zlxLXvZVX
phwi9QHl3bupFTeCqUjrEEMgDfxE2kGGBqSAO7d3GP5Derq6hhuX8oj9I3MwfdY=
=iLmO
-----END PGP SIGNATURE-----

 

MtGox Acquires Bitomat.pl Bitcoin Exchange

Hacking seems to be a big problem in the Bitcoin community.  The Mt.Gox currency exchange was hacked earlier this year, resulting in the theft of thousands of Bitcoins, and a subsequent crash in the price of Bitcoins.  Recently the third largest Bitcoin exchange in the world, Bitomat.pl, was hacked.

 

Now there is news that Mt.Gox, the world’s largest Bitcoin exchange, <a href=”https://www.mtgox.com/press_release_20110811.html”>is acquiring Bitomat.pl.</a>  It’s interesting that one hacked market is acquiring another.  Hopefully Mt.Gox has learned a lot about security, and can apply this learning to the operation of the Polish Bitomat.pl exchange.

This transaction does show the global nature of Bitcoin, and how it is truly becoming a global currency.

 

BitCoin – The Deflationary Currency

BitCoin is inherantly deflationary.  The system is designed to have a finite number of bitcoins in circulation.  The system has a distributed mechanism to ensure a steady rate of inflation of 50 bitcoins every 10 minutes.  The system cannot have inflation that is greater than this, because there is no central banker or authority who can change the rules and arbitrarily create more inflation.

The BitCoin algorithm, which is implemented on tens of thousands of computers that form the BitCoin network, is designed to increase the difficulty of the hashing algorithm’s “Proof Of Work” difficulty as the computing power of the network grows.  This means that inflation is pretty much held at a predictable steady rate.

But the demand for BitCoin, the visibility, the mass usability of the system are increasing rapidly.  Thus the value of BitCoins is increasing faster than the rate of inflation.  This makes BitCoin an inherently deflationary currency.

We are used to government currencies that are inherently inflationary.  Meaning that the price of a gallon of gas used to be $0.10 and is now $4.00.  Homes used to be $40,000 and are now $600,000.  This is partly due to the inflation of the currency base (ie. more money is printed).  So each dollar is worth less over time, making everything cost more dollars.

BitCoin appears to be different.  Because inflation is capped, and is currently much lower than the growing interest in the currency, every BitCoin is generally worth more money over time, and if the economy grows, this will continue.  Fortunately BitCoins are divisible into smaller quantities.  Meaning that over time, a loaf of bread might cost 1 bitcoin, and years later might cost 0.1 bitcoin or 0.001 bitcoin.  So get used to a deflationary world where things cost “less” bitcoins over time, not more.