CoinReport
BREAKING NEWS

LocalBitcoins Updates Investigation Report on Stolen Bitcoins

Posted On 18 Apr 2014
By :
Comment: 0
Tag: , , ,
LocalBitcoins

LocalBitcoins

Following yesterday’s announcement, LocalBitcoins has updated the investigation report regarding the claimed security breach at
the website. The LocalBitcoins team claims that there has been no evidence of a compromised security breach. The Bitcoin trading website adds that it has a function that allows users to implement a two-factor authentication that can help protect their accounts. It was stated,

“In two-factor authentication you need an additional one time token to operate your user account besides knowing your password.”

This two-factor password is stored in a separate place so that if one’s computer gets hacked, the hackers will not be able to access the LocalBitcoins account without the second password.

LocalBitcoins Investigation Report

LocalBitcoins writes that there have only been two claims including the current one, where a user said he/she lost bitcoins and had two-step authentication enabled. The Bitcoin trading website continued the post by writing up what exactly happened with user don4of4, detailing the exact timeline of events. However, later, it was admitted by LocalBitcoins that the timings were off.

In the situation with don4of4, who stored two-factor codes on his Android phone, it was said by LocalBitcoins that,

“In this case if the user used this particular Android device to access LocalBitcoins and the device was compromised, the attacker gained access to user password, user session id and two-factor codes. Furthermore, it was reported on the Reddit that the credentials of this particular user have been found on known compromised user account lists spreading in the Internet.”

In response to this, don4of4 updated his post on Reddit saying that he checked his Android phone for malware and found none. In fact, he wrote that his Android phone was only two weeks old and had a few apps.

LocalBitcoins has written that if a user is planning on accessing the website from a phone, LocalBitcoins offers paper based two-step authentication codes “which is based on printed one time passwords.” This means that even the phone is hacked, the hacker will not have access to the printed paper. Local Bitcoin explains,

“This cannot be clickjacking or XSS attack, because the user must always give their password or two-factor code to operate the LocalBitcoins Bitcoin wallet. An automated attack possessing only the user session id is not possible.”

LocalBitcoins to Decide Session Fixation to IP Address

LocalBitcoins writes that it is considering whether or not session fixation to a specific IP address should be enabled for users. This is because in the above case, the Bitcoins were requested to be transferred from a different IP address. At the moment, LocalBitcoins does not employ session fixation to a specific IP address.

The website’s team continues and adds that this entire case is not an inside job. This is because

“LocalBitcoins logs all the actions done by its support staff and developers to an audit log, so potential abuse of staff privileges is easily uncovered.”

An additional factor is that support staff does not have access to two-step authentication codes. LocalBitcoins explains that if an insider had the access to all the codes, it doesn’t make sense to only hack a few accounts.

LocalBitcoins Mostly in Cold Storage

LocalBitcoins assures users that most of the Bitcoins on the website are held in cold storage, or away from any sort of internet. This means that even if the website was hacked, the hackers would not have access to the cold storage bitcoins.

The reason for the withdrawal delay is because the LocalBitcoins’ hot wallet was emptying too quickly. There was an increase of withdrawals because of the report of a security breach. LocalBitcoins has decided not to increase the hot wallet’s amount until this incident is resolved.

Additionally, LocalBitcoins writes that during the week of April 17th, 11 different incidents occurred where users claimed that they’d lost Bitcoins. From these cases, the users had no two-step authentication and the login was from a different IP address. LocalBitcoins writes that it believes this entire mess was caused by either a malware or the passwords were reused. It adds that the website security blocks login attempts if an IP address seems malicious.

“However if the username and password is known by the attacker and two-factor authentication is not enabled, then it is not possible for LocalBitcoins to differetiate between legit logins and logins done by the attacker.”

LocalBitcoins advises users to clean out their PCs from any malware or viruses, change password, and enable the two-factor authentication.

Image via LocalBitcoins

Related Posts

ShapeShift ceases New York service in BitLicense protest
0

ShapeShift CEO Erik Voorhees says security hack executed with inside help

Posted On 14 Apr 2016
, By
More Bitcoin companies drop New York service due to BitLicense
0

More Bitcoin companies drop New York service due to BitLicense

Posted On 14 Aug 2015
, By
1

Bitcoin.org says ‘The World is Going to Change’

Posted On 21 May 2014
, By
LocalBitcoins
0

LocalBitcoins Website Experiencing Downtime

Posted On 19 May 2014
, By

Leave a Reply

*

Free eBook

Recent News

ADK, EnvisionX announce first successful blockchain campaign with Unilever Japan

ADK, EnvisionX announce first successful blockchain campaign with Unilever Japan

Posted On30 Apr 2019
IOST introduces OnBlock to let everyday users interact with on-network DApps with email, mobile number

IOST introduces OnBlock to let everyday users interact with on-network DApps with email, mobile number

Posted On27 Apr 2019
Intelligent Mobility initiative by University of Nevada, Reno, selects Filament’s blockchain IoT technology for autonomous vehicle smart city project

Intelligent Mobility initiative by University of Nevada, Reno selects Filament’s blockchain IoT technology for autonomous vehicle smart city project

Posted On25 Apr 2019
SEC staff announces FinTech Forum agenda

SEC staff announces FinTech Forum agenda

Posted On24 Apr 2019
Cardano partner EMURGO announces blockchain explorer Seiza

Cardano partner EMURGO announces blockchain explorer Seiza

Posted On23 Apr 2019
Neutral announces stablecoin NUSD initially comprising of USDC, TUSD, DAI, PAX

Neutral announces stablecoin NUSD initially comprising of USDC, TUSD, DAI, PAX

Posted On20 Apr 2019
University of Luxembourg joins Ripple Blockchain Research Initiative

University of Luxembourg joins Ripple Blockchain Research Initiative

Posted On20 Apr 2019
Online Privacy Policy Agreement Copyright 2014 CoinReport. All rights reserved. Terms of Service