BitInstant hacked: What and how it happened

72 points by moonlighter about 12 years ago

14 comments

miles about 12 years ago
From the comments section of the linked blog post comes this quote (apparently) from Ben, the CEO at Site5:

To be rather blunt you should have better security questions. You should always put in a custom answer, for example I might use the question mother's maiden name and then the answer is "L@J-289098=a9jaosdjf" which I keep in an encrypted text doc or encrypted note in 1Password.

Not a bad point.
downandout about 12 years ago
This attack may have been one of the problems, but there is some indication that BitInstant has deeper financial issues than this post would indicate. Perhaps a $12K hit would make a site like Bitinstant go silent and not process most transactions for weeks on end, but if that is the case then they are woefully underfunded.

https://bitcointalk.org/index.php?topic=128314.1380

At various points in this thread, people posted saying the company even admitted privately to them that they did not have funds to process orders. FYI their most popular feature, Cash to Bitcoin Address, is still offline - presumably because they have no Bitcoins to deliver. The only indication that they have any funds at all is on the home page of Btc-e.com, which indicates (as of right now) that they have a $475 reserve at the site.
vinhboy about 12 years ago
Damn, that must be frustrating as hell when a third party fucks you like that. And why is it always the DNS providers? Shouldn't that entire industry know they are target #1 by now?

On a tangential note, I hate security questions. I do not understand the need for them, or how they keep anything secure, when the questions they ask are always public knowledge.
moocows about 12 years ago
So they had Multi-Factor Authentication, OTP, and Yubikey all and they still used his mother's actual maiden name and place of birth. With all of that you would think they would do what everyone else does or should do on that: !@3f49 for place of birth and Erjsh99 for her maiden name. Using real information is just a weak point in a weak system.
pseudonym about 12 years ago
I have very little sympathy: "Reached Thursday, a VirWox representative said that the exchange has had multi-factor authentication since September 2012. “Bitinstant was not using it (they learned and do now),” the representative said in an email message."

If you're going to intentionally fuck yourself and your customers over by *not* using *real* multifactor authentication (not just "a password and some security questions"), then I don't even know what to say. At this point it's on par with having a startup and not having any on-call tax or legal guy -- the inherent ignorance is almost incomprehensible.
ecaron about 12 years ago
Are there any monitoring services, like Pingdom, that do external 3rd party auditing of current DNS endpoints for a domain and offer alerting whenever a change is made?

That service (being external from the registrar or DNS provider) seems sorely needed by everyone in our industry because this method of attack is starting to become the standard.
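An added example (not code from the thread or from any of the services named) of the baseline-and-alert check ecaron asks for: a stored snapshot of a domain's NS, A and MX records is diffed against a fresh lookup, and a delegation (NS) change is flagged as the most severe signal. The resolver is injected so the check runs offline here on constructed answers; the hostnames, addresses and the `fake_resolver` helper are all assumptions, and a real deployment would plug in a lookup library (dnspython, for instance) run from vantage points independent of the registrar and DNS host.

```python
"""Diff a stored DNS baseline against a fresh lookup and alert on changes.

Added example, not code from the thread. The resolver is injected so the
check runs offline; in production plug in a real lookup (e.g. dnspython).
"""
from typing import Callable, Dict, FrozenSet, List, Tuple

Snapshot = Dict[str, FrozenSet[str]]
Resolver = Callable[[str, str], List[str]]
WATCHED_TYPES = ("NS", "A", "MX")


def normalise(value: str) -> str:
    """Lower-case and strip trailing dots so cosmetic differences do not alert."""
    return " ".join(p.rstrip(".") for p in value.strip().lower().split())


def take_snapshot(domain: str, resolve: Resolver) -> Snapshot:
    """Resolve every watched record type for `domain` into a comparable snapshot."""
    return {t: frozenset(normalise(v) for v in resolve(domain, t)) for t in WATCHED_TYPES}


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str, str]]:
    """Return (severity, rtype, detail) per changed record set; empty means no change."""
    alerts = []
    for t in WATCHED_TYPES:
        added = current.get(t, frozenset()) - baseline.get(t, frozenset())
        removed = baseline.get(t, frozenset()) - current.get(t, frozenset())
        if added or removed:
            # A registrar or DNS-host account takeover normally shows up as a
            # delegation (NS) change first, so that is the most severe signal.
            sev = "critical" if t == "NS" else "high"
            alerts.append((sev, t, f"added={sorted(added)} removed={sorted(removed)}"))
    return alerts


# Constructed sample answers standing in for two lookups a day apart (assumed values).
BASELINE_ANSWERS = {"NS": ["ns1.example-dns.net.", "ns2.example-dns.net."],
                    "A": ["203.0.113.10"], "MX": ["10 mail.example.com."]}
HIJACKED_ANSWERS = {"NS": ["ns1.hijacked-dns.example."], "A": ["198.51.100.7"],
                    "MX": ["10 MAIL.EXAMPLE.COM"]}  # MX unchanged after normalisation


def fake_resolver(answers: Dict[str, List[str]]) -> Resolver:
    """Hypothetical stand-in for a network lookup, returning canned answers."""
    return lambda domain, rtype: answers.get(rtype, [])


def check_example_domain() -> List[Tuple[str, str, str]]:
    """Run the comparison on the constructed data; returns the alert list."""
    base = take_snapshot("example.com", fake_resolver(BASELINE_ANSWERS))
    now = take_snapshot("example.com", fake_resolver(HIJACKED_ANSWERS))
    return diff_snapshots(base, now)
```

Run on a schedule from more than one external network, the same diff over the real answers is the alert the comment describes; anything returned should be reconciled against your own change log before being dismissed.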
n3rdy about 12 years ago
A lesson we can take from this is just because they are supposed to be security questions based on private and personal information, doesn't mean you should play along.

Why should the answer to where my spouse and I met really be where we met? Why couldn't my answer be where Lucille Ball met Ricky Ricardo? Why couldn't my childhood street address be Evergreen Terrace?

Add a layer of security by creating an entirely different alter ego with a whole history behind it, and use their birthday, maiden name, etc., instead of what somebody can look up in public records, or find out from people close to you.
discountgenius about 12 years ago
Whatever happened to "Name your own security question"? You used to be able to do that with many services, but now it seems every service I use forces me to a small set of easily guessed questions.

A security feature that requires me to lie to maintain its security is NOT a good security feature.
wackerwacker about 12 years ago
It all depends on your risk profile as to whether this type of authentication is sufficient. Sites doing anything remotely involving money are at greater risk of being hit, therefore their security needs to account for this. Putting passwords on the internet, which is equivalent to having details you use for authentication in public records, would be a bit silly.

I don't buy the argument that a security system you need to lie on is not a good one. Security is an onion; it comes with many layers. You can't assure a third-party service easily, so you've got to add layers to that onion, even if that means being a liar.

That said, security is also a trade-off with the lowest common denominator: the user.
dolphenstein about 12 years ago
Site5 have given a response: http://www.site5.com/blog/s5/security-and-social-engineering/20130307/
mikemoka about 12 years ago
The Russian origin of the attack and the perseverance shown by "them" may be a sign that international organized crime is very much interested in bitcoins now.
throwaway125 about 12 years ago
Always allow your users to opt out of a security question during signup. Give them a friendly warning that you won't be able to assist with lost accounts, but allow them to make that choice.
naz about 12 years ago
They should get BitInstant added to the HSTS list. It'll prevent attacks like this.
felipelalli about 12 years ago
ridiculo