Following yesterday’s announcement, LocalBitcoins has updated its investigation report on the claimed security breach at the website. The LocalBitcoins team says it has found no evidence that its systems were breached. The Bitcoin trading website adds that it offers two-factor authentication, which can help protect user accounts. It stated,
“In two-factor authentication you need an additional one time token to operate your user account besides knowing your password.”
This second factor is kept in a separate place from the password, so that if a user’s computer is hacked, the attacker cannot get into the LocalBitcoins account without also obtaining the one-time code.
LocalBitcoins Investigation Report
LocalBitcoins writes that there have been only two claims, including the current one, in which a user reported losing bitcoins while having two-step authentication enabled. The post goes on to describe exactly what happened to user don4of4, with a detailed timeline of events. LocalBitcoins later admitted, however, that the timings in that timeline were off.
In the case of don4of4, who stored his two-factor codes on his Android phone, LocalBitcoins said,
“In this case if the user used this particular Android device to access LocalBitcoins and the device was compromised, the attacker gained access to user password, user session id and two-factor codes. Furthermore, it was reported on Reddit that the credentials of this particular user have been found on known compromised user account lists spreading in the Internet.”
In response, don4of4 updated his Reddit post, saying that he had checked his Android phone for malware and found none. He added that the phone was only two weeks old and had just a few apps installed.
LocalBitcoins writes that users who access the website from a phone can instead use its paper-based two-step authentication, “which is based on printed one time passwords.” Even if the phone is hacked, the attacker still has no access to the printed sheet. LocalBitcoins explains,
“This cannot be clickjacking or XSS attack, because the user must always give their password or two-factor code to operate the LocalBitcoins Bitcoin wallet. An automated attack possessing only the user session id is not possible.”
LocalBitcoins Considers Binding Sessions to an IP Address
LocalBitcoins writes that it is considering whether to tie each user session to the IP address it was created from, which the report calls “session fixation” to a specific IP address. (In the usual security vocabulary, session fixation is an attack in which the attacker plants a session ID on the victim; what is meant here is session-to-IP binding.) The question arises because, in the case above, the withdrawal request came from a different IP address than the login. At the moment, LocalBitcoins does not bind sessions to an IP address.
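The two controls discussed above, binding a session to its login IP and requiring a fresh one-time code before coins move, can be combined so that a stolen session ID alone is useless. The following is an added illustration written for this article, not LocalBitcoins’ code, and it says nothing about how their site is built. It assumes a RFC 6238 TOTP second factor (what phone authenticator apps implement), an in-memory session store standing in for a real server-side one, a constructed account `don4of4` whose TOTP secret is the RFC’s own test key, and the documentation IP ranges 203.0.113.0/24 and 198.51.100.0/24 for the user and the attacker. Names such as `login`, `get_session`, `step_up` and `withdraw` are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed sample account. The secret is the RFC 4226/6238 test key
# "12345678901234567890" in base32, so the codes are the RFC's own vectors.
# last_counter remembers the most recent accepted code so no code is used twice.
USERS = {"don4of4": {"totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "last_counter": -1}}

SESSIONS = {}  # session id -> record; in-memory stand-in for a server-side store


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme phone authenticator apps use."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def login(user, client_ip):
    """Password check is assumed to have passed; issue a session bound to the login IP."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "bound_ip": client_ip, "step_up_ok": False}
    return sid


def get_session(sid, client_ip):
    """Resolve a session only when it is presented from the IP it was bound to.
    A mismatch is treated as a stolen session ID: the session is revoked, so the
    attacker's copy dies with it and the real user simply has to log in again."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["bound_ip"] != client_ip:
        del SESSIONS[sid]
        return None
    return sess


def step_up(sid, client_ip, code, now, step=30):
    """Fresh 2FA check before a sensitive action. Accepts the current and the
    previous time step (phone clock drift) but never the same code twice."""
    sess = get_session(sid, client_ip)
    if sess is None:
        return "no_session"
    acct = USERS[sess["user"]]
    for drift in (0, step):
        counter = int((now - drift) // step)
        if hmac.compare_digest(code, totp(acct["totp_secret"], now - drift)):
            if counter <= acct["last_counter"]:
                return "replayed_code"  # a code seen before is refused even if still in its window
            acct["last_counter"] = counter
            sess["step_up_ok"] = True
            return "ok"
    return "bad_code"


def withdraw(sid, client_ip, amount_btc):
    """Moving coins needs a bound session AND a one-time code entered for this
    withdrawal. Knowing only the session ID is not enough, and the step-up is
    consumed so a second withdrawal needs a new code."""
    sess = get_session(sid, client_ip)
    if sess is None:
        return "no_session"
    if not sess["step_up_ok"]:
        return "step_up_required"
    sess["step_up_ok"] = False
    return "ok"


def demo():
    """Walk through the checks with a fixed clock (t=59 s, the RFC 6238 test
    instant, where the valid code is 287082). Returns the verdicts in order."""
    now = 59
    user_ip, attacker_ip = "203.0.113.10", "198.51.100.7"
    sid = login("don4of4", user_ip)
    code = totp(USERS["don4of4"]["totp_secret"], now)  # what the phone app would display
    return [
        withdraw(sid, user_ip, 1.0),           # step_up_required: a session alone moves nothing
        step_up(sid, user_ip, "000000", now),  # bad_code
        step_up(sid, user_ip, code, now),      # ok
        withdraw(sid, user_ip, 1.0),           # ok: bound IP plus a fresh code
        withdraw(sid, user_ip, 0.5),           # step_up_required: the code was consumed
        step_up(sid, user_ip, code, now),      # replayed_code: same code refused
        withdraw(sid, attacker_ip, 1.0),       # no_session: stolen ID from another IP, session revoked
        withdraw(sid, user_ip, 1.0),           # no_session: revoked, real user must log in again
    ]


if __name__ == "__main__":
    print(demo())
```

The trade-off to weigh before turning on the IP check is visible in `get_session`: mobile users and anyone behind a carrier NAT change addresses routinely, so a strict binding will log them out often, and a softer policy (require `step_up` again on an IP change rather than revoking) keeps most of the benefit with less friction.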
The website’s team adds that this case was not an inside job, because
“LocalBitcoins logs all the actions done by its support staff and developers to an audit log, so potential abuse of staff privileges is easily uncovered.”
A further point is that support staff do not have access to two-step authentication codes. LocalBitcoins adds that if an insider had access to all the codes, it would make no sense to hit only a few accounts.
LocalBitcoins Mostly in Cold Storage
LocalBitcoins assures users that most of the bitcoins held by the website are in cold storage, that is, on systems kept off the internet. Even if the website were hacked, the attackers would not be able to reach the cold storage bitcoins.
The withdrawal delays are the result of LocalBitcoins’ hot wallet draining too quickly: withdrawals rose after the report of a security breach. LocalBitcoins has decided not to top up the hot wallet until the incident is resolved.
Additionally, LocalBitcoins writes that during the week of April 17th there were 11 separate incidents in which users claimed to have lost bitcoins. In all of these cases the user had no two-step authentication enabled and the login came from a different IP address. LocalBitcoins believes these losses were caused by either malware or password reuse. It adds that the site blocks login attempts from IP addresses that appear malicious.
“However if the username and password are known by the attacker and two-factor authentication is not enabled, then it is not possible for LocalBitcoins to differentiate between legit logins and logins done by the attacker.”
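The pattern LocalBitcoins describes (a successful login from an IP the account has never used, no second factor, followed shortly by a withdrawal) is exactly what an after-the-fact triage of authentication logs looks for. The script below is an added example written for this article, not LocalBitcoins’ tooling, and it assumes a made-up `key=value` log format, a constructed sample log using documentation IP ranges, and an assumed per-account baseline of previously seen IPs. It illustrates the quote’s point: with correct credentials and no 2FA, the only signal left is heuristics like an unfamiliar IP, which can flag a case for review but cannot prove it was the attacker.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in an assumed "<ts> <event> k=v ..." format.
SAMPLE_LOG = """\
2014-04-17T08:12:03Z login user=alice ip=203.0.113.10 twofa=yes result=ok
2014-04-17T09:40:51Z login user=bob ip=198.51.100.20 twofa=no result=ok
2014-04-18T01:15:22Z login user=bob ip=192.0.2.77 twofa=no result=ok
2014-04-18T01:16:05Z withdraw user=bob ip=192.0.2.77 amount=2.5
2014-04-18T03:02:44Z login user=alice ip=192.0.2.78 twofa=yes result=ok
2014-04-18T03:03:10Z withdraw user=alice ip=192.0.2.78 amount=0.3
2014-04-19T11:00:00Z login user=carol ip=198.51.100.5 twofa=no result=fail
"""

# Assumed baseline: IPs each account used during an earlier, trusted period.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.20"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = m.group("event")
    return fields


def triage(log_text, known_ips, withdraw_window=timedelta(minutes=30)):
    """Return (time, user, level, reason) alerts, in log order.

    high:     successful login from a first-seen IP with 2FA disabled; from the
              server's side this is indistinguishable from the real user
    low:      first-seen IP but the second factor was presented
    critical: a withdrawal within withdraw_window of a high-risk login
    """
    seen = {user: set(ips) for user, ips in known_ips.items()}
    risky_login = {}  # user -> time of the most recent high-risk login
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        if ev["event"] == "login" and ev.get("result") == "ok":
            if ip in seen.setdefault(user, set()):
                continue  # IP matches history: nothing to say either way
            seen[user].add(ip)
            if ev.get("twofa") == "no":
                alerts.append((ts, user, "high", f"login from first-seen IP {ip} with 2FA disabled"))
                risky_login[user] = ts
            else:
                alerts.append((ts, user, "low", f"login from first-seen IP {ip}, 2FA passed"))
        elif ev["event"] == "withdraw":
            t0 = risky_login.get(user)
            if t0 is not None and ts - t0 <= withdraw_window:
                alerts.append((ts, user, "critical",
                               f"withdrawal of {ev['amount']} BTC within {withdraw_window} of a high-risk login"))
    return alerts


if __name__ == "__main__":
    for ts, user, level, reason in triage(SAMPLE_LOG, KNOWN_IPS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {level:8} {user:6} {reason}")
```

Run against the sample, bob’s no-2FA login from 192.0.2.77 and the withdrawal 43 seconds later surface as high and critical, alice’s new-IP login is only low because the second factor was presented, and carol’s failed login is ignored. The baseline matters: a user on a mobile carrier will trip the first-seen-IP rule constantly, so this is a review queue, not an automatic block.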
LocalBitcoins advises users to remove any malware or viruses from their PCs, change their password, and enable two-factor authentication.
Image via LocalBitcoins