Bitcoin Market Crash: Auditor Blamed for Breach

Ten days ago DailyTech gave a long and thoughtful analysis of Bitcoin economics and risk called “Digital Black Friday”. It boiled down to this paragraph, which sounds to me like the equivalent of regulation.

…market volatility poses a very serious risk to BTC users — be they miners, traders, or merchants who accept BTC as payment for goods or services. To that end, a major improvement would be for Bitcoin exchanges to implement mandatory market closures if the currency value dropped below a threshold. In theory this would be relatively easy to implement, and we expect that it will be done at some point to prevent one-day flash inflation/deflation.

Of course this was viciously attacked by proponents of a “free economy” who argued that controls are always unjustified. Check the comments at the end of their story and you will find statements like this one:

The concept of artificial market limits has no place in a free economy and cannot stand in one.

DailyTech compared the crash to the stock market, which seems fair, but what they did not include in their analysis was the possibility of a malicious actor. They did not mention the risk of someone stealing accounts and then dumping all the Bitcoin. Yesterday they updated the story with the title “Mega-Hack of Bitcoin”.

Mt. Gox is admitting to a major breach and has shut down, in an unprecedented action. In all, approximately $8.75M USD worth of Bitcoins appear to have — at least temporarily — been stolen in the intrusion.

Suddenly all the individual investment accounts were 0wned by a single entity, and that entity decided they would exercise the freedom to dump value, crash the market and run. The response from Mt. Gox to reports of breached accounts, cited by Daily Tech, is notable.

As I already replied to you, your funds were stolen by someone logging in to your account with your password. Your funds are right now on a bitcoin address and have not moved since then.

As a reminder we assume no responsibility should your funds be stolen by someone using your own password.

The coins stolen from Mt.Gox were not stolen using any CSRF exploit… [the thieves] logged in on users’ accounts using the correct login and password. We have logs showing the login succeeded on the first try.

Blaming the user is rarely, if ever, a safe response to security incidents. What actually happened, now documented by dataloss.db, is that the Mt. Gox user database was leaked. Then more than 100K Bitcoins were sold and hundreds of thousands more went missing.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database.

Interesting that they say it was someone who performs financial audits, as if to deflect blame. Here’s another way of saying the same thing: our system did not detect that an infected system was accessing our database, and we did not notice suspicious activity to highly sensitive data — that someone was downloading the entire database without authorisation/need.
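The missed signal described above is not hard to look for. As an added example (not code from Mt. Gox or DailyTech; the audit-log format, the `auditor_ro` account, the IP addresses and the thresholds are all constructed here), this flags a read-only audit account that suddenly pulls a sensitive table wholesale or connects from a host it has never used before:

```python
"""Flag a read-only account bulk-reading sensitive tables (constructed example)."""
import re

# Constructed DB audit-log lines: time, db account, client IP, statement, rows returned.
AUDIT_LOG = """\
2011-06-19T10:01:02 auditor_ro 203.0.113.7 SELECT count(*) FROM users 1
2011-06-19T10:03:15 auditor_ro 203.0.113.7 SELECT id,balance FROM accounts WHERE id=4421 1
2011-06-19T10:05:40 web_app 10.0.0.5 SELECT id,pw_hash FROM users WHERE email='a@b.c' 1
2011-06-19T11:12:08 auditor_ro 198.51.100.23 SELECT * FROM users 61020
2011-06-19T11:13:30 auditor_ro 198.51.100.23 SELECT * FROM accounts 60988
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?) (\d+)$")

# What the audit account is expected to stay within (constructed policy).
POLICY = {
    "auditor_ro": {"allowed_ips": {"203.0.113.7"}, "max_rows_per_query": 1000},
}
SENSITIVE_TABLES = {"users", "accounts"}


def parse(log_text):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, account, ip, stmt, rows = m.groups()
        yield {"ts": ts, "account": account, "ip": ip, "stmt": stmt, "rows": int(rows)}


def touched_sensitive(stmt):
    """Return the sensitive tables named in a statement's FROM clauses."""
    tables = {t.lower() for t in re.findall(r"\bFROM\s+(\w+)", stmt, re.I)}
    return tables & SENSITIVE_TABLES


def find_alerts(log_text):
    """Alerts for policy-governed accounts: unexpected source IP, or bulk read of a sensitive table."""
    alerts = []
    for ev in parse(log_text):
        pol = POLICY.get(ev["account"])
        if pol is None:
            continue  # only accounts with a defined expectation are judged here
        if ev["ip"] not in pol["allowed_ips"]:
            alerts.append((ev["ts"], ev["account"], "unexpected_source_ip", ev["ip"]))
        hit = touched_sensitive(ev["stmt"])
        if hit and ev["rows"] > pol["max_rows_per_query"]:
            alerts.append((ev["ts"], ev["account"], "bulk_read", ",".join(sorted(hit))))
    return alerts
```

The two 11:12 and 11:13 lines each raise both alerts, which is the pattern of a legitimate credential driven from a compromised machine rather than a forged login.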

Now the “anarchistic” darling of economic theory is facing questions of compliance: Why did Mt. Gox use weak ciphers to protect the database? Why would they wait to fix inactive accounts? Why did they allow read access to the database from a compromised system? Why did Bitcoin allow for a market crash? Now even free market advocates want to know.
