$57 000 USD

NOVEMBER 2013

AUSTRALIA

INPUTS.IO

DESCRIPTION OF EVENTS

"In Early 2013 Inputs.io was launched; a free online Bitcoin wallet and anonymous Bitcoin transfer network: featuring instant off chain Bitcoin transfers and embedded automatic untraceable 'mixing' of all Bitcoin transactions. Featuring truly instant, anonymous and highly secure Bitcoin transactions, the inputs.io platform brings a plethora of key innovations to the table, setting a new benchmark for online Bitcoin wallet services. Anyone worldwide can open an inputs.io online wallet in 30 seconds or less."

 

"TradeFortress created a free online bitcoin wallet (Inputs.io)." "Inputs.io was a free Bitcoin web wallet that leveraged its own off chain payment network. Inputs implemented numerous security measures, and featured instant, fee-less offchain confirmations with an easy to implement developer API." "Inputs.io is a new bitcoin payment processor leveraging an offchain payment network."

 

"Send bitcoins instantly to an email address - no waiting for confirmations, no fees and no double spending." "Inputs.io Enables Anyone To Send Bitcoin Instantly And Securely" "It's easy and free. We made Bitcoin easy while powerful. Get your secure wallet in 30 seconds. Bitcoin transactions take an hour to confirm. Inputs.io makes it instant with no fees. The most secure wallet ever created. Automatic free mixing for your privacy." "Bitcoin made easy - shave 8 GB of the blockchain off your hard drive, and make a wallet in 30 seconds. Works everywhere - your desktop to mobile." "Off chain transactions are also easier to use. The average user does not want to remember addresses - they want to use Bitcoin like PayPal instead of seeing a "Waiting for 0/6 confirmations"... Zzz."

 

"No fee for Inputs.io to Inputs.io transactions. If we pay no fee for blockchain transactions.. well, your transactions aren't going to confirm fast (or at all, if it doesn't meet priority requirements)." "Sending Bitco[i]n directly to another inputs.io account via the recipient's email address has a number of advantages unique to the service. There are no fees; as the transaction does not go through the Bitcoin blockchain it is not subject to a 0.0005 BTC fee. As these transactions are off the blockchain there is absolutely zero risk of double spending attacks. Bitcoin transfers sent to an email address are also 100% anonymous: processed internally without utilizing the public Bitcoin blockchain. Transactions sent to email addresses are also truly instantaneous and confirm instantly. Currently the Bitcoin network can only handle 7 transactions a second, while inputs.io's system can scale up to theoretically handle an infinite number of transactions per second: enabling the platform to transcend one of the core limitations of Bitcoin itself in its present form."

 

"Connectivity - push your TX out to the network with more connected nodes, get exchange rates, email notifications of transactions." "If you're using Chrome or another browser that supports desktop notifications, you'll see a new option to enable it under Transactions. You'll receive a notification when you make or receive a transaction, even if you're in another window. No downloads or browser extensions are needed."

 

"Automatic free mixing - don't use a wallet service that destroys your anonymity (change address reuse) and sells your privacy back to you for 0.5%." "As inputs.io mixes your wallet for you automatically, none of the sending addresses of your transactions actually belong to you for privacy." "3-4 digits of BTC volume per day. There's pretty high variance however."

 

"I developed Inputs because I was tired of waiting an undetermined amount of time for transactions to go through, especially when I am trading on multiple exchanges. The issue with confirmations is that you don't know how long it will be for a block to be produced - there sometimes are streaks of an hour without a single block." "It's instant, there is no privacy issue with this as you're not sending to one address to have it sent to another - your balance is deducted 'off the chain' and an unrelated transaction is sent to the destination address." "You can generate signed payment receipts to prove that you did send a transaction however if you want, for example for a group buy."

 

"Unlike some shared wallet service, we don't freeze/lock/'chargeback' bitcoins because of claims of scamming. Bitcoins sent are irreversible. Unlike some hybrid wallet service, we don't disclose personal information because of claims of scamming either, unless we're authorized to do so under the privacy policy." "Inputs is privacy focused, which rules us out from touching fiat (at least directly). I will just say: it is an absolutely horrible idea to use a wallet for transactions tied to your identity for Bitcoin. Let's not think of Bitcoin as another funding method, but why Bitcoin was created."

 

"Easy to integrate API - set dead simple callbacks, send with one URL call." "The reception of our beta by those who know Bitcoin but are not power users who browse this forum has been universally positive - Bitcoin will never succeed if people need to sync 200 weeks of prior transactions, have 100% of their payments public, and worry about keeping their private key safe in case of a natural disaster. We're here to fill this need."

 

"Security security security - PIN keypad, location based authentication, session & useragent tracking and view, configurable limits, anti phishing bar." "Passwords hashed with SHA256 before being sent to the server - we never know your password. Passwords bcrypted on the server with user unique salt. SSL encryption to protect against MITM attacks. Randomized PIN pad protects against nearly all keyloggers. Location based authorization - email confirmation required when signing in from new geographical location. Optional two factor auth protects against malware and remote compromise. Configurable account sending limits on a rolling 48 hour window. XSS (Cross site scripting) hardened. Automatic account locking after a number of attempts to thwart brute force attacks. IP based login rate throttling. Anti phishing bar - makes it harder for phishing sites to be effective. Session tied to IP address & useragent, and is regenerated upon login - preventing session fixation attacks. Protected against SQL injections by escaping all possible user input. CSRF countered by requiring a token for requests. Recovering password and PIN requires recovery key - no risk if your email is compromised. Cold storage system protects coins against server compromise. Automated and manual security auditing system. Web server (the one you are connected to now) communicates to hot pocket and main server securely. Zero bitcoins are kept on this server. Optional GPG auth requires decryption of a key in order to sign in. Tor detection - accounts that registered using Tor can use Tor, other accounts may not for security reasons." "We use bcrypt with a user unique salt. The server does not get plaintext passwords, because your browser does not send it." "Our site is secure against XSS attacks, as well as CSRF attacks." "We use Google's 2FA security model - you can disable 2FA without entering the code in case you lost your phone - this requires you to have a signed in session. Sessions are both IP and user agent locked."

 

"We're upgrading the security of Inputs.io to make it more resistant to attacks even if our web facing server was compromised. Inputs.io is not compromised at all, this is to make Inputs even more secure." "We have redundancy plans (aka 'dead man's switch'), both automated and manual. This isn't just for seizes / etc, the hot pocket will dump all coins in secure storage if it detects an intrusion." "As ironic as it may sound, not disclosing my identity publicly protects the safety of your coins against physical attacks of extortion. Many trusted members here, including Casascius and people who I have done business with, know my identity and address." "We have decoy accounts which are populated by "real" user data from our other databases. The hot pocket server automatically dumps all coins to cold storage if it sees a payment request from a decoy account. We have methods that make it very hard for an attacker to determine if an account is decoy or not, even with root access to the linode machine and listening to traffic." "Your session is locked to your IP address and useragent. If someone has physical access to your machine, then you are screwed in every sense of the word - though the attacker must still figure out your PIN. The most malicious thing they could do without your PIN is delete your addressbook."

 

"No fractional reserve unless you move coins into CoinLenders. If there is any change to this policy, it will be announced in advance."

 

"All Bitcoin services require trust, and this includes services like Blockchain.info, Coinbase and others. For example, it is trivial for Blockchain.info to make you sign a transaction sending all the coins to them while hiding that on their own website / block explorer." "FYI, I worked on Blockchain.Info's chrome extension, and if I wanted to, I could easily have stolen coins with an innocent line of code. It took months or years for bugs in mission critical open source cryptography software to be discovered (see: OpenSSL), and you are deluded if you think that other offerings are more secure. Our security has been independently audited by multiple pen testers - as well as experience with running large Bitcoin services." "I have also put in 570 BTC locked as collateral in Just-Dice, and you can check my trust rating for more assurances. If you want, you can use Inputs as an extended green address where your exposure to risk is in milliseconds." "What is the most valuable thing in the Bitcoin world is reputation - security and trustworthiness. CoinLenders handles XX,XXX BTC sums and we have never been hacked."

 

"Inputs.io was a Bitcoin Foundation Silver industry member." "DailyBitcoins.org now supports Inputs.io!" "We handle thousands of Bitcoins for CoinLenders which has never been hacked for months, a rarity in the Bitcoin world, and Inputs.io expands upon all the security measures." "Inputs.io processed more than 235,000 BTC during its operation." "Inputs has transferred more than 235,790 BTC."

 

"Theoretically, we can spend everyone's coins, but that is true for other services too (even the client JS ones) and it makes very little business sense to do so. If you think I'm here to scam people, check out CoinLenders - our total deposits have been going down for a while (3500 BTC less from peak) due to competition, but I make money from the spread on lending and investments, not scamming."

 

"It seems you put a lot of thought into security measures. Still it seems the callback API is somehow lacking. The only proof that the callback is actually coming from your site is the IP-Address of the sender. There are possibilities to spoof the source IP of a TCP connection, especially in a case where the attacker has access to the subnet of the receiving system." "You should consider adding another security layer here. For example on bitcoinmonitor.net callback notifications I added a signature to the callback data which makes sure that the callback was created by the server and not someone else." "Thank you for your comments. We support adding secrets to your callback URL. Use SSL so others will not know your secret. It is not open to replay attacks as for record keeping purposes you should be recording all transactions including the TXID."
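As an added illustration of the signed-callback approach suggested in that exchange (example code written for this page, not Inputs.io's or bitcoinmonitor.net's own): the wallet service HMACs the callback payload with a secret shared out of band, and the merchant verifies it in constant time and rejects repeated TXIDs, which addresses both the source-IP-spoofing concern and the replay concern raised above. The secret, TXIDs and addresses below are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Set, Tuple

# Shared secret provisioned out of band between the wallet service and the
# merchant. Constructed demo value; generate a real one with secrets.token_hex().
CALLBACK_SECRET = b"constructed-demo-secret-do-not-reuse"


def ip_only_check(source_ip: str, allowlist: Set[str]) -> bool:
    """The weaker scheme criticised in the thread: trust whatever arrives from
    the service's IP. Spoofed or same-subnet traffic passes this unchanged, so
    it can only supplement a signature, never replace it."""
    return source_ip in allowlist


def canonical(payload: Dict[str, str]) -> bytes:
    """Deterministic serialisation so both sides sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_callback(payload: Dict[str, str], secret: bytes = CALLBACK_SECRET) -> str:
    """Wallet-service side: HMAC-SHA256 over the canonical payload."""
    return hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()


class CallbackReceiver:
    """Merchant side: verify the signature, then refuse to credit a TXID twice."""

    def __init__(self, secret: bytes = CALLBACK_SECRET) -> None:
        self.secret = secret
        self.seen_txids: Set[str] = set()  # durable store in a real deployment

    def accept(self, payload: Dict[str, str], signature: str) -> Tuple[bool, str]:
        expected = sign_callback(payload, self.secret)
        # Constant-time comparison; a plain == would leak timing information.
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        txid = payload.get("txid")
        if not txid:
            return False, "missing txid"
        # The thread's advice to record every TXID is what makes replays detectable.
        if txid in self.seen_txids:
            return False, "replayed txid"
        self.seen_txids.add(txid)
        return True, "credited"


def demo() -> List[str]:
    """Walk through a genuine callback, a replay, a tampered amount and a forgery."""
    payload = {"txid": "constructed-txid-0001",
               "address": "1ConstructedMerchantAddr",
               "amount_btc": "0.5"}
    sig = sign_callback(payload)
    rx = CallbackReceiver()
    results = [rx.accept(payload, sig)[1]]          # credited
    results.append(rx.accept(payload, sig)[1])      # replayed txid
    tampered = dict(payload, amount_btc="5.0")
    results.append(rx.accept(tampered, sig)[1])     # bad signature
    forged = dict(payload, txid="constructed-txid-0002")
    results.append(rx.accept(forged, sign_callback(forged, b"wrong-secret"))[1])
    return results


if __name__ == "__main__":
    print(demo())
```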

 

"Inputs.io isn't just me, although I do the majority of the work." The identity of TradeFortress remains unknown to the general public. In one telephone interview he said about his age: "I'm over 18 but not much over."

 

"I fully expect to be banned for this but I feel wrong not disclosing this information. theymos on behalf of Bitcoin Talk openly promoted Inputs.io through banner ads and Donations even after being warned by the community several times that Inputs.io was highly insecure. To top it off, he also gave him Default Trust, allowing TradeFortress to have a Green Positive Rating regardless of any negative ratings issued. To top it off, other Moderators and Staff are to blame as they have a direct link to Banner Ads and revenue affiliated with Bitcoin Talk, but because they had no choice whether or not theymos chose to have affiliation with TradeFortress I am not listing them as outright Scammers. Kluge on the other hand has yet to remove his Inputs.io signature and is still openly promoting TradeFortress and Inputs.io."

 

"TradeFortress was warned that it is not OK to use Linode hosting back in July [2013]. Migrating to a physical server could be trivial, but instead he decided to stay with Linode and ignored all warnings."

 

"His Linode administrative account was first accessed by the hacker on Oct 23rd, from IP Address 101.0.79.18, at 11:57am UTC+10 from Australia." "He gained access to the account by compromising the email address "lailai625@hotmail.com" and requesting a password reset from the Linode server. The reset link was automatically forwarded from the administrative email "admin@glados.cc" to "lailai625@hotmail.com"."

 

When CoinDesk approached Tradefortress for comment he informed us that "the attacker was able to compromise older email accounts which were easily reset as they didn't have phone numbers attached. Compromising one older email account led to the compromise of another, eventually allowing them to reset the password for the hosting account and obtain shell access after bypassing two-factor authentication on the host's side." He continued: "We don't use client-side encryption; that's hardly foolproof and gives people a false sense of security".

 

"Database access was also obtained, however passwords are securely stored and are hashed on the client. Bitcoin backend code was transferred to 10;15Hd@mastersearching.com:mercedes49@69.85.88.31 (most likely another compromised server)."

 

"TradeFortress reset his Linode Manager password and logged into it by 8:25pm UTC+10."

 

"Inputs.io says that although the hack took place on October 23rd, even depositors who made deposits after that date are not safe, as other users were able to make withdrawals from the shared wallet."

 

"Why were deposits and withdrawal not disabled? They were in limited capacity. A withdrawal amount limit didn't work as people simply broke up."

 

"I don't understand how people who made deposits to inputs (then onto coinlenders) well after the attack are out money. The amount has been withdrawn in full by other users. There was a limit designed to prevent much of that, but it was per transaction and people got around it."

 

"Tradefortress did not shut down the site, he did not move any of the coins to a cold wallet, he did not report the theft to local authorities, he did not notify any depositors, and he did not stop any new users from depositing to his site."

 

"This wallet was hacked." "Two hacks totalling about 4100 BTC have left Inputs.io unable to pay all user balances. The attacker compromised the hosting account through compromising email accounts (some very old, and without phone numbers attached, so it was easy to reset). The attacker was able to bypass 2FA due to a flaw on the server host side."

 

"4000 bitcoins were stolen on October 24 of 2013, TradeFortress did not have any bitcoins stored in a cold wallet."

 

"The alleged hacking happened on both October 23 and 26, with the service's operator, known only as "Tradefortress", saying hackers stole all 4100 Bitcoins held by the wallet service, or $1.3 million at the time of writing. The Bitcoins were stored on servers in the US and it wasn't until this week that he decided to notify customers."

 

"Why did this change from a few days ago, when people were complaining about a too-small "hot pocket"? The hack occurred on 2013-10-26."

 

"He worked on Blockchain.info I doubt he's going to take anyone's money! Someone needs to contact his server administrator and have this fixed if he's not around."

 

"Why was the "hot pocket" not immediately emptied after the hack? The attacker didn't take all of the BTCs, perhaps wanting to remain undetected and steal more."

 

"Since Boelens have decided to only selectively pick responses, after the 4K btc compromise I cloned the disk image as soon as I could (after disbelieving and in horrendous shock), investigated the scope of the breach, regenerated all credentials, and have been exploring any options that allow Inputs users to not lose any money."

 

"After everything became known TradeFortress announced that he would partially compensate for the losses; by his own admission, he did it from the deposits of new users, who, without suspecting anything, continued to transfer bitcoins."

 

When queried over how much Inputs.io will be able to reimburse users he responded somewhat obscurely: "[We'll be able to refund] as much as 100%. For Inputs it is solely based on the amount. 1 BTC at the current sliding scale would be 74%, 2 BTC 65%... This figure is not final, and if we have leftover coins we'll be able to refund more." In other words: if you had less than 1 BTC on Inputs you should get it back, otherwise, be prepared to take a haircut.

 

"In an email interview with Fairfax, he said he would try to refund some of the hacked money using more than 1000 Bitcoins he personally owned and some not taken by hackers."

 

"Users are being repaid up to 100 per cent depending on the amount (sliding scale), generally 40-75 per cent," Tradefortress said.

 

"For example, the most affected: DumbFruit, he lost 955.24 BTC, got 199.38 BTC in compensation." "Refunds are based on the amount, and a higher refund % means they withdrew less coins than you, and vice versa."

 

"Just received most of what I had deposited on October 27th, the day after the hack was discovered. It wasn't a lot of coin, but it was to me, and I salute TF's efforts. Immediate responsiveness, contrasted with Roman/bitfloor."

 

"There's a huge amount of emails that are being worked through. People are getting refunded, but Inputs doesn't have enough coins to pay everyone fully. Send an email to support@inputs.io with your BTC address."

 

"Due to major hacks, Inputs does not have enough BTC to repay everyone fully. We're dividing up the coins we do have left based on a sliding scale, and have sent it to the specified address. On your Inputs account, your balance should have flipped to the negative to indicate you've received a refund."

 

"We apologize sincerely for the lost Bitcoins. It's been a very hard lesson for us, and we're sorry that we have to pass it onto our users. Please respond to the email if you have any queries."

 

"The major concern now is that TF is asking for ID. He's already considered a scammer and many don't trust him with ID. Therefore many will lose a lot of coins which he KEEPS which was his plan all along. He thought he looked good doing partial refunds to begin with."

 

"In a phone interview with Australia's AM radio show Tradefortress responded to challenges that the theft was 'an inside job', though he insisted that he wouldn't be reporting the theft to the police because the bitcoins are untraceable and it would be impossible to track the culprit."

 

"A spokesman for the Australian Federal Police says to his knowledge a theft of bitcoins has never been investigated at either a federal or state level. But he says if it was reported it would be treated like any other theft."

 

"I know this doesn't mean much, but I'm sorry, and saying that I'm very sad that this happened is an understatement."

 

"The ugly responses were from users who accused Tradefortress of making up the hacking story."

 

"Some people think I have their money. I don't and I'm using my personal coins to compensate users, yet there's some ugly messages I'm receiving."

 

"If you actually read about what has been going on instead of jumping to the "Post" button, the attack was detected in hours but it was only announced today as we investigated and explored our options."

 

"Inputs is dead and you'll need to find a new service provider. I don't recommend storing any Bitcoins accessible on computers connected to the internet."

 

"Inputs.io [was] no longer operational as [of] November 7th, 2013."

 

"[O]n November 8, 2013 the service was hacked again, this time the hacker stole 160 bitcoins." "On November 8th at 6:01am UTC+10, the server was hacked again using a direct Lish connection, bypassing 2FA and stealing an additional 160 bitcoins."

 

Explore This Case Further On Our Wiki

Inputs.io operated a centralized wallet service. The service suffered attacks on October 23rd, October 24th, and a final time on November 8th. The breach apparently began with the attacker taking over the Linode admin account by resetting the passwords of old email accounts. 4,000 BTC were taken from the hot wallet. The attack was not reported for over a week, during which time users continued to deposit more funds into the service. The site was eventually brought offline on November 7th; even after this point, a third attack on November 8th drained another 160 BTC of newly deposited funds from the hot wallet. TradeFortress has made a continual effort to reach out and repay victims since the event, though all payments are fractional if a user had more than 1 BTC stored on the platform.

HOW COULD THIS HAVE BEEN PREVENTED?

The primary issue with Inputs.io was that all funds were held in a hot wallet on the server. The theft could have been fully prevented by keeping the majority of funds in offline cold storage.

 

Another key factor was that the funds were held by an inexperienced, anonymous operator in a single-key wallet rather than a multi-signature one. Better training or a multi-signature wallet would also have prevented the issue.

 

Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

Legendary profiles of bitcointalk. (Mar 7)
Inputs.io - Free and Secure Bitcoin Wallet for Everyone (Mar 14)
Inputs.io - Bitcoin Wiki (Mar 14)
Online Bitcoin Wallet Service Inputs.io Enables Anyone To Send Bitcoin Instantly And Securely | Stock Market Summary (NSDQ, NYSE, AMEX and more) on Boston.com (Mar 14)
Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred (Mar 14)
Coinchat Is A Chatroom Where Talking Sense Earns You Bitcoin – TechCrunch (Mar 14)
Someone just transferred 0.095 from my Inputs.io wallet without my authorization. : Bitcoin (Mar 14)
Inputs.io Hacked and Shutdown - 4100 BTC Stolen : Bitcoin (Mar 14)
Inputs.io Security (Mar 14)
SCAM ACCUSATION: TradeFortress + Inputs.io + theymos (Mar 14)
Inputs.io: Is it a high-security bitcoin web wallet? (Mar 14)
Hackers steal $1.2 Million of bitcoins from Inputs.io, a wallet service (Mar 14)
Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred (Mar 15)
Inputs.io HACKED, 4K+ BTC stolen (Mar 15)
AM - Massive bitcoin robbery hits Australian website, raises questions over regulations 08/11/2013 (Mar 15)
https://abcmedia.akamaized.net/news/audio/am/201311/20131108-rnam-bitcoin-robbery.mp3 (Mar 15)
Inputs.io hacked – 4100 BTC stolen | Hacker News (Mar 15)
Transaction: 9536feebe3a50b94f85ca27d56e669a7209bd4188385d55c5b97227c95cf7f74 | Blockchain Explorer (Mar 15)
$1 Million Bitcoin Theft in Australia (Mar 15)
18-Year-Old Reports $1 Million Bitcoin Theft From 'Bank' He Controlled — And Says He Can't Call The Cops (Mar 15)
https://whatismyipaddress.com/ip/101.0.79.18 (Mar 15)
Transaction: d9fd404d60cc65e77a0ab460524d112f1a851430ed431b5aa6840bdf9c42355f | Blockchain Explorer (Mar 15)
https://ca.investing.com/crypto/bitcoin/historical-data (Mar 15)
CoinLenders Script :: Bitcoin Bank (Borrow+Deposit) Software :: Demo Available (Mar 20)

 For questions or enquiries, email info@quadrigainitiative.com.


© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.