Friday, April 18, 2014

Investigation report of the claimed security breach at LocalBitcoins

LocalBitcoins received a lot of media attention on the 17th of April 2014 regarding claimed security breaches. On the 17th of April, 98% of LocalBitcoins trades were conducted without an opened support ticket. LocalBitcoins has been operating since summer 2012, making it one of the oldest surviving sites for exchanging Bitcoins. There has been one known site security breach in the past (summer 2013) where the loss of Bitcoins could be attributed to an issue on the site.

The LocalBitcoins team did not find any evidence of compromised site security.

Claimed two-factor authentication breach

LocalBitcoins allows its users to protect their user accounts with two-factor authentication. With two-factor authentication you need an additional one-time token, besides knowing your password, to operate your user account. The two-factor token generator is stored separately, so that if your computer gets compromised the attackers cannot operate your user account by only knowing your password, which may have been hijacked either by extracting it from the computer's memory or by keylogging.

During the history of LocalBitcoins, there have now been two claims (including this one) where the user claimed a loss of Bitcoins and two-factor authentication was enabled before the incident.

In the case of user don4of4, the following is what happened.

  • 21 March 2014, the user activates his/her user account
  • 21 March 2014, the user conducts a series of trades, using a desktop browser
  • 16 April 2014, the user conducts a series of trades, using a desktop browser
  • 17 April 2014 03:52, the user activates two-factor authentication, using a desktop browser
  • 17 April 2014 12:40, the user does his/her first two-factor login using an Android device
  • 17 April 2014 15:45, the user's Bitcoins are transferred away using the two-factor codes and the login session the user opened earlier. This request came from a Tor browser, as opposed to the user's Android device.
  • 17 April 2014 ~17:00, the user posts to Reddit claiming that LocalBitcoins security is compromised
  • 17 April 2014 ~17:00, the user opens a support ticket for resolving the incident

The user has admitted storing his two-factor codes on the Android device. In this case, if the user used this particular Android device to access LocalBitcoins and the device was compromised, the attacker gained access to the user's password, session id and two-factor codes at once. Furthermore, it was reported on Reddit that the credentials of this particular user have been found on known compromised user account lists circulating on the Internet.

If one needs to operate the LocalBitcoins site from a mobile phone, LocalBitcoins offers paper-code based two-factor authentication, which is based on printed one-time passwords. Even if the mobile device is compromised, the attacker cannot gain access to the physical printed paper.

This cannot be a clickjacking or XSS attack, because the user must always give their password or two-factor code to operate the LocalBitcoins Bitcoin wallet. An automated attack possessing only the user's session id is not possible.

In this case, the request for transferring Bitcoins from the user's wallet came from a different IP address than the one the user used to log in to the site. LocalBitcoins currently does not bind a login session to the IP address it was opened from as a further layer of security. However, if the attacker is in control of the user's device, the attacker can also use that device and its IP address to make requests to LocalBitcoins, so such binding would not have stopped this case. The LocalBitcoins team will further discuss whether binding sessions to an IP address should be enabled for some users.

This case is also very unlikely to be an inside job. LocalBitcoins logs all actions done by its support staff and developers to an audit log, so potential abuse of staff privileges is easily uncovered. Two-factor authentication codes and passwords are not accessible to the support staff. Furthermore, if an insider had access to all wallets, it would not be very rational to attack only one particular user's wallet.

Due to media reporting of the case, users were panicking and moving their Bitcoins away from LocalBitcoins. Most Bitcoins stored on LocalBitcoins are in cold storage. Even if the LocalBitcoins servers were compromised, the attackers would still not get access to stored user Bitcoins. When the LocalBitcoins hot wallet was being emptied by the high volume of withdrawals, withdrawals started to be delayed. LocalBitcoins chose not to top up the hot wallet until the incident was investigated.

Other claimed Bitcoin losses

In the week of the 17th of April, 11 separate incidents of claimed Bitcoin losses were reported. In these cases the pattern is that the user bought Bitcoins on LocalBitcoins and then there was a Bitcoin transaction which the user claimed he/she did not make himself/herself.

In all of these cases the user account had no two-factor authentication and had a login coming from an IP address not associated with the user's prior behaviour pattern. We believe this was an incident involving either reused passwords or a malware infection on the user's computer. The anti-virus industry currently knows of at least 150 different virus or malware strains targeting Bitcoin wallets, so Bitcoin users are very high-value targets for cybercriminals.

LocalBitcoins security automatically blocks automated logins and login attempts if one particular IP address seems to behave maliciously. However, if the username and password are known to the attacker and two-factor authentication is not enabled, then it is not possible for LocalBitcoins to differentiate between legitimate logins and logins done by the attacker.
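The two signals the report relies on, a withdrawal request arriving from an IP other than the one that opened the session (the IP binding discussed under the don4of4 case) and a login from an IP not seen in the user's prior history (the pattern behind the 11 other cases), can be expressed as simple checks over an authentication log. The code below is an added example written for this page, not LocalBitcoins' own code; the event format, the user id and the events themselves are constructed to mirror the timeline above, and the IPs are RFC 5737 documentation addresses.

```python
from collections import defaultdict

# Constructed sample events mirroring the report's timeline: desktop login,
# two-factor login from Android, then a withdrawal from a different (Tor) exit IP.
EVENTS = [
    {"ts": "2014-03-21T10:00", "user": "u1", "type": "login",      "session": "s1", "ip": "198.51.100.7"},
    {"ts": "2014-04-17T03:52", "user": "u1", "type": "enable_2fa", "session": "s1", "ip": "198.51.100.7"},
    {"ts": "2014-04-17T12:40", "user": "u1", "type": "login",      "session": "s2", "ip": "203.0.113.44"},
    {"ts": "2014-04-17T15:45", "user": "u1", "type": "withdraw",   "session": "s2", "ip": "192.0.2.99"},
]


def session_ip_mismatches(events):
    """Return withdraw events whose source IP differs from the IP that opened
    the session they ride on. This is the session-to-IP binding the report
    says is not enabled. Caveat from the report: an attacker who controls the
    user's own device passes this check, because the request leaves from the
    user's IP."""
    session_ip = {}
    flagged = []
    for e in events:
        if e["type"] == "login":
            session_ip[e["session"]] = e["ip"]
        elif e["type"] == "withdraw":
            if session_ip.get(e["session"]) != e["ip"]:
                flagged.append(e)
    return flagged


def logins_from_new_ips(events):
    """Return login events from an IP the user has never logged in from before,
    i.e. 'an IP address not associated with the user's prior behaviour pattern'.
    A user's very first login is never flagged, since there is no history yet."""
    seen = defaultdict(set)
    flagged = []
    for e in events:
        if e["type"] != "login":
            continue
        if seen[e["user"]] and e["ip"] not in seen[e["user"]]:
            flagged.append(e)
        seen[e["user"]].add(e["ip"])
    return flagged


if __name__ == "__main__":
    for e in session_ip_mismatches(EVENTS):
        print("withdrawal from IP not bound to session:", e["ts"], e["ip"])
    for e in logins_from_new_ips(EVENTS):
        print("login from previously unseen IP:", e["ts"], e["ip"])
```

Both checks only raise a case for review; as the report notes, neither can tell a legitimate user from an attacker holding the same credentials, which is why enabling two-factor authentication remains the recommendation.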

In cases like this, LocalBitcoins support instructs the users to:
  • Clean their PCs of malware and viruses
  • Change their password
  • Enable two-factor authentication

Thursday, April 17, 2014

Initial Response regarding Localbitcoins account vulnerability claims

A couple of hours ago Reddit user don4of4 posted a warning to Reddit, claiming that LocalBitcoins user accounts are vulnerable to some kind of exploit.

A similar post has been made on the LocalBitcoins forums.

So far we have found one systematic and recent attack against LocalBitcoins users, and right now it seems that the number of users attacked has been under 30, and the amount of bitcoins reported lost has been less than that. The common pattern between these cases has been that prior to the transaction there has been a login to the account, and the fact that none of the affected users had 2-factor authentication enabled. The most likely explanation for these attacks is user credentials stolen through phishing or malware. So far nothing indicates that this has been a security flaw on the website itself, but we are going to continue investigating the case.

There have also been two or three isolated cases which do not necessarily fall directly into this pattern*, and those cases still need more research before anything can be said about them.

We will continue investigating these cases during the weekend, and meanwhile outgoing transactions might be delayed, since we are trying to minimize cold storage movements until everything is sorted out. We apologize for any inconvenience caused.

*) edit: There have been claims that users with 2FA have been affected. So far we have received three reports of this kind in total during the last month, and some further investigation is required before we can draw too many conclusions about these cases.

Tuesday, April 8, 2014

LocalBitcoins updated the servers against OpenSSL Heartbleed vulnerability

LocalBitcoins updated its servers this morning to fix the OpenSSL Heartbleed vulnerability.

The downtime was due to necessary security updates related to the Heartbleed bug. This is a serious security issue affecting most of the Internet. The issue was disclosed some hours ago.

We apologize for any inconvenience caused by this incident.


Advertisements disabled - manual action needed

If you are running trade advertisements on LocalBitcoins you may need to re-enable your LocalBitcoins advertisements.

Due to the impact of the OpenSSL updates on LocalBitcoins and the Internet, LocalBitcoins did not have valid Bitcoin market exchange rate data available. Because LocalBitcoins users price their advertisements based on the different exchange rates they choose, and those exchange rates could not be read, the advertisements were disabled by an automatic process.

Go to your Dashboard on LocalBitcoins. If your advertisement shows a valid price, you can click the Enabled / Disabled column to make your advertisement visible again.

We also recommend that LocalBitcoins users use the min() and max() functions in the pricing equation to set ceiling and floor values against the volatility of the Bitcoin exchange rate.


Security certificate changed

As the Heartbleed bug could have leaked the private key of the security certificate, the LocalBitcoins team took action to revoke and replace the certificate. You may receive browser warnings about the changed security certificate.

Monday, March 10, 2014

List your Bitcoin ATM on LocalBitcoins

Starting from today you can list the locations of Bitcoin ATMs (automatic teller machines) on LocalBitcoins. LocalBitcoins wants to see the Bitcoin ecosystem grow, and we believe ATMs are an important part of the process of making Bitcoin more consumer friendly.

Buying Bitcoins with cash is safe and easy, which makes LocalBitcoins a popular service among first-time Bitcoin buyers. LocalBitcoins already has cash trading activity in 5000 cities, so advertising your Bitcoin ATM on the site brings good visibility for the machine.

As of this writing, LocalBitcoins has Bitcoin ATM advertisements e.g. in Helsinki, Singapore, Zurich, Alberta and Boston.
  • Bitcoin ATMs will show up on the map with other cash trades (see ATM in the listing).
  • All ATM models are supported (Lamassu, Robocoin, etc.)
  • When setting up an advertisement, separate buy and sell advertisements are required, as not all ATM models support both functions.
  • Setting up an advertisement is free.
You can find the Create ATM advertisement button under the Dashboard of your user profile on the LocalBitcoins site. Here is the direct link for creating a Bitcoin ATM advertisement.

Pricing information is not available yet, so the Bitcoin exchange rates are not shown for ATMs.

Monday, March 3, 2014

LocalBitcoins Responds To The Ukraine/Russia Crisis

Is your country going to war, and your national currency dropping like a bomb? Or is your country in crisis, and the banks implementing currency controls? Only able to withdraw $100 cash per day?

You know the solution... Check it out below.

Bitcoin sellers/buyers in Russia
Bitcoin sellers/buyers in Ukraine

Or spread the word and earn Bitcoins using our Affiliate Program.

Monday, February 17, 2014

Introducing the LocalBitcoins ATM

[Image caption: The Bitcoin ATM was successfully used at the Helsinki Bitcoin meetup to buy beer]

We are happy to announce the first production batch of LocalBitcoins ATMs. The ATM allows both buying and selling BTC, and its cost is about half that of the cheapest model currently on the market. It also doesn't require an internet connection by default, which makes it more robust and cost-effective than the competing models.

You can easily buy and sell bitcoins at a LocalBitcoins ATM using your LocalBitcoins wallet. When you buy, the machine generates a redeemable code for the fiat currency amount the user puts in. This code can be redeemed for bitcoins at the floating rate specified per ATM.

Selling is almost as simple: a user loads bitcoins into the LocalBitcoins wallet and goes to the ATM URL. There the user specifies how much fiat he wants to withdraw. After submitting the sell request, the user gets a deposit code for the specified fiat amount. Then the user inputs the code into the ATM, and the machine outputs the specified amount of cash.

The ATM can be programmed to support over 100 different currencies. A very beneficial feature is the bank note recycler, which reduces the maintenance needs of the machine.

The operator of the machine can specify the premiums, and therefore earn a profit from ATM usage. LocalBitcoins charges a 1% fee on the transactions. LocalBitcoins itself doesn't operate the machines; LocalBitcoins traders do.

The initial batch will be 5 pieces, to be operated in the Helsinki, Finland area only. The next batch after that will be considerably larger. The price for the first batch model is 1990 EUR + VAT. As these ATMs are experimental, LocalBitcoins will commit to a full refund if problems are found and the ATM is returned. First-batch orderers also get a 70% discount on the next batch if they return the first model.

Do you want to be a pioneer, and be the first to profit from the badly needed bitcoin liquidity injection? Send us a request using this form. If you are able to operate the ATM in Finland, or in cities near Helsinki (Tallinn, Stockholm), you can be part of the initial 5-piece batch.
[Image caption: The first model of the ATM is so small that it can easily be transported even on the metro]
The concept was originally developed by bought the whole package in December 2013, and plans to mass-produce these ATM's at large scale. See the original video of operation (the current model includes a receipt printer, however).

Press enquiries:
Want to be an ATM operator? Fill the form here.

Friday, January 10, 2014

#BitcoinAfrica tour completed at South Africa!

Borja & Elvis managed to find a trader buying Bitcoin in South Africa! That means the Bitcoin Africa tour has been completed quite successfully. Bitcoin knowledge was spread to many new countries. Exchanges were made at least in South Africa, Namibia, Togo, Morocco, Cameroon and others.

A picture tells more than words: