Story 2014-03-20 3GJ Canadian Bitcoin exchange defrauded of $100,000 BTC

Canadian Bitcoin exchange defrauded of $100,000 BTC

in security on (#3GJ)
story imageOttawa bitcoin exchange Canadian Bitcoins was subject to a heist that led to $100,000 worth of bitcoins being stolen. But it was no complicated, security fraud: it was simple, social engineering.

The Ottawa Citizen reports:
The Ottawa police are investigating an Oct. 1, 2013, incident at Canadian Bitcoins, when someone opened an online chat session with a technical support worker at Granite Networks, now owned by Rogers Communications, and claimed to be Canadian Bitcoins owner James Grant. He claimed to have a problem with a server and asked the attendant to reboot it into recovery mode, allowing him to bypass security on the server. "It's ridiculous," said the real James Grant when asked about the incident. "There was absolutely zero verification of who it actually was."
The most frustrating details relate to the high degree of physical security that the real owner was subjected to when attempting to access his server cage - something the thieves didn't face. Canadian Bitcoins' statement on the matter is here.
Reply 5 comments

being conned (Score: 5, Insightful)

by on 2014-03-20 12:35 (#Q2)

is something I have experienced a bunch of times, probably more times even than I know, some of the events being so ridiculous that I can't even picture myself doing what I did. Most of the time I am pretty sceptical and careful with strangers, but basically a variety of human conditions such as feeling happy and safe, being depressed, being very tired, being distracted, and so on can bring your guards down for external reasons and they don't get back up in time when a con arrives at your doorstep. I have since acquired a lot of sympathy for people who get conned because usually they are not ridiculously stupid. Instead, they generally had their guards down for external reasons and made a mistake, a mistake they can easily recognize in hindsight and not repeat in the future, and it usually accomplished little to berate the momentary stupidity.

That said, the discrepancy between the physical security and chat security in this case is remarkable for people managing a financial business. Secure protocols appear to have been missing in this case and could have helped?

Re: being conned (Score: 2, Informative)

by on 2014-03-21 01:30 (#QK)

Seems to me it took a lot more than just opening up a chat session. The attacker needed to know enough about the infrastructure to guide the attack. I suspect either an inside job, or at-least some other inside connection, perhaps the part we know about was only part of the social engineering.

I've always been shocked at how easy it is defeat security with a few words.

To the hotel clerk at the front desk around 2 in the morning: "I left my room key in my room, Can you make me a key for Room number ####?"

I stood ready to produce my photo id, or at-least give the name on the room... neither was asked for .

Re: being conned (Score: 1)

by on 2014-03-21 12:24 (#R1)

Your inside job hypothesis is probably worth pursuing... I hadn't thought about that angle, but maybe that is how someone could portray knowledge that fit being the business owner.

Re: being conned (Score: 2, Interesting)

by on 2014-03-21 12:11 (#QW)

Momentary stupidity can be a bitch. One second you're guarded, then next moment you realize that guy who asked you what time it was intended to act as a distraction while you take your hands out your pockets to look at your cell or watch. Your guard is down, and his friend has your wallet.

That appeal for help is a preying on human generosity and sympathy. Events like that have sadly made me and I bet a large number of people in this world very callous individuals.

Re: being conned (Score: 1)

by on 2014-03-21 12:35 (#R2)

I hear the -- it makes one callous part -- this is a great risk...

I am still frequently puzzled about how to manage the dual goals of "avoid being conned" but "remain being helpful" in lots of circumstances.