Friday, April 25, 2014

LocalBitcoins security updates and tips

Bitcoin users are high-value targets for cyber criminals, so LocalBitcoins is continuously improving site security to keep the Bitcoin community safe. This post explains how to secure your LocalBitcoins account and what the LocalBitcoins team is doing to keep up the site's security.

Keep up your basic security

Here are some basic rules for securing your user account.
  • Enable two-factor authentication, either by mobile app or paper codes. More than 99% of the attacks against you can be prevented with two-factor authentication. It takes only a few minutes to set up.
  • Do not share your password across different websites.
  • Do not publish the email address associated with your LocalBitcoins account on any website. Do not get involved in transactions outside the LocalBitcoins site messaging, e.g. in Skype. Malicious users often use these channels to circumvent the security features present on LocalBitcoins.
  • Do not use the website from shared computers or devices, like the ones in public internet cafes, as they may have keyloggers installed to steal your user credentials.
  • Every time you log in to the website, read the browser address bar and check that you are logging into the genuine LocalBitcoins domain and not a phishing domain. Make sure the spelling is exactly right, as phishers, especially email phishers, often register domain names resembling the real domain name.
  • If possible, access user accounts with Bitcoin wallets from a dedicated computer you have reserved for financial tasks only. Do not use this computer for other tasks, and do not install third-party software or browser add-ons you cannot trust 100%. This greatly reduces the risk of a malware infection on the computer.
  • Keep most of your Bitcoins safe offline in a cold wallet. We recommend specialized Bitcoin wallet applications like Electrum for this purpose.

New LocalBitcoins security features

We have rolled out some new user-facing security features this week.
  • You cannot use the same logged-in LocalBitcoins session across different IP addresses. This prevents session hijacking attacks against LocalBitcoins users, but may also cause minor inconvenience for legitimate users. This is especially the case if you use LocalBitcoins on a mobile device, where your IP address may change often.
  • LocalBitcoins may interrupt your normal website actions if there is a chance that the action was not started by the legitimate account owner. In this case you will get an email verification to ensure that it was really you who wanted to perform the action.

Some latest security threats affecting Bitcoin users

Here are some of the latest threats the Bitcoin community has found targeting Bitcoin users. Keep your eyes open for these.

Friday, April 18, 2014

Investigation report of the claimed security breach at LocalBitcoins

LocalBitcoins received a lot of media attention on the 17th of April 2014 regarding claimed security breaches. On the 17th of April, 98% of LocalBitcoins trades were conducted without an opened support ticket. LocalBitcoins has been operating since summer 2012 and is one of the longest-running sites for exchanging Bitcoins. There has been one known site security breach in the past (summer 2013) where the loss of Bitcoins could be due to an issue on the site.

The LocalBitcoins team did not find any evidence of compromised site security.

Claimed two-factor authentication breach

LocalBitcoins allows its users to protect their user accounts with two-factor authentication. With two-factor authentication you need an additional one-time token to operate your user account besides knowing your password. The two-factor token generator is stored separately, so that if your computer gets compromised the attackers cannot operate your user account just by knowing your password, which may have been hijacked either by extracting it from the computer's memory or by keylogging.

In the history of LocalBitcoins, there have now been two claims (including this one) where the user claimed a loss of Bitcoins and two-factor authentication was enabled before the incident.

In the case of user don4of4, the following is what happened.

  • 21 March 2014, the user activates his/her user account
  • 21 March 2014, the user conducts a series of trades, using a desktop browser
  • 16 April 2014, the user conducts a series of trades, using a desktop browser
  • 17 April 2014 03:52, the user activates two-factor authentication, using a desktop browser
  • 17 April 2014 12:40, the user does his/her first two-factor login, using an Android device
  • 17 April 2014 15:45, the user's Bitcoins are transferred away using the two-factor codes and the login session the user opened earlier. This request came from a Tor browser, as opposed to the user's Android device.
  • 17 April 2014 ~17:00, the user posts to Reddit claiming that LocalBitcoins security is compromised
  • 17 April 2014 ~17:00, the user opens a support ticket for resolving the incident

The user has admitted storing his two-factor codes on the Android device. If the user used this particular Android device to access LocalBitcoins and the device was compromised, the attacker gained access to the user's password, session id and two-factor codes. Furthermore, it was reported on Reddit that the credentials of this particular user have been found on known compromised-account lists circulating on the Internet.

If one needs to operate the LocalBitcoins site from a mobile phone, LocalBitcoins offers paper-code based two-factor authentication, which uses printed one-time passwords. Even if the mobile device is compromised, the attacker cannot gain access to the physical printed paper.
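To make the two mechanisms above concrete, here is an added example written for this page (not LocalBitcoins' own code). It implements both an app-based token generator, using the standard TOTP algorithm that common authenticator apps use (RFC 6238 over HOTP, RFC 4226: HMAC-SHA1, 30-second steps, 6 digits; assumed here to be what the mobile-app option means), and paper codes: a batch of random one-time codes shown once for printing, of which the server stores only hashes and accepts each code exactly once. The code length, batch size, hash choice and drift window are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time

# --- Mobile-app factor: TOTP (RFC 6238) on top of HOTP (RFC 4226) ---
# The shared secret lives only in the authenticator app and on the server; the
# browser never holds it, which is what separates this factor from the password.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """Code for the time step containing Unix time `now`."""
    return hotp(secret, now // step)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock drift.
    Constant-time comparison so a guess cannot be timed against the expected value."""
    code = code.strip().encode()
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, now // step + delta).encode(), code):
            return True
    return False

# --- Paper factor: printed one-time codes, each accepted exactly once ---

def issue_paper_codes(count: int = 10):
    """Return (codes_to_print, stored). The plaintext list is shown once for
    printing; the server keeps only hashes with a used flag, so a database leak
    does not yield usable codes and a compromised phone never sees them."""
    codes = []
    while len(codes) < count:
        c = f"{secrets.randbelow(10 ** 8):08d}"   # 8-digit code, assumed format
        if c not in codes:
            codes.append(c)
    stored = {hashlib.sha256(c.encode()).hexdigest(): False for c in codes}
    return codes, stored

def verify_paper_code(stored: dict, code: str) -> bool:
    """Consume a code: valid only if its hash is present and not yet used."""
    h = hashlib.sha256(code.strip().encode()).hexdigest()
    if stored.get(h) is False:
        stored[h] = True   # burn it so a replay (e.g. from a captured login) fails
        return True
    return False

if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    now = int(time.time())
    print("current app code:", totp(secret, now),
          "valid:", verify_totp(secret, totp(secret, now), now))
    codes, stored = issue_paper_codes(3)
    print("paper codes to print:", codes)
    print("first use:", verify_paper_code(stored, codes[0]),
          "replay:", verify_paper_code(stored, codes[0]))
```

The difference the report relies on is visible in the two halves: an app secret copied off a compromised phone yields every future code, whereas a stolen paper code is worthless after its single use and the rest of the sheet never touches the device.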

This cannot have been a clickjacking or XSS attack, because the user must always give their password or a two-factor code to operate the LocalBitcoins Bitcoin wallet. An automated attack possessing only the user's session id is not possible.

In this case, the request for transferring Bitcoins from the user's wallet came from a different IP address than the one the user used to log in to the site. LocalBitcoins currently does not bind sessions to an IP address as a further layer of security. However, if the attacker is in control of the user's device, the attacker can also use this device and its IP address to make requests to LocalBitcoins. The LocalBitcoins team will further discuss whether binding sessions to an IP address should be enabled for some users.
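As an added illustration (example code written for this page, not LocalBitcoins' implementation), here is a minimal server-side session table showing the two controls announced in the 25 April post above (a session usable only from the IP address it was created from, and an email verification step for a sensitive action coming from an unfamiliar client) together with the limitation described in the paragraph above: an attacker who operates the user's own device makes requests from the same IP address and the same browser, so the IP check alone does not stop them, and only the fresh one-time code required for a withdrawal does. The action names, the user-agent comparison used as the "unfamiliar client" signal and the decision strings are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field

# Action names, decision strings and the user-agent comparison are assumptions
# made for this example; they are not LocalBitcoins' implementation.
SENSITIVE_ACTIONS = {"withdraw", "change_password", "disable_2fa"}

@dataclass
class Session:
    user: str
    bound_ip: str          # IP address the session was created from
    user_agent: str        # client seen at login; used as the "familiar client" signal
    email_confirmed: set = field(default_factory=set)  # actions confirmed via email link

class SessionStore:
    """Server-side session table with IP binding and step-up verification."""

    def __init__(self):
        self._sessions = {}

    def login(self, user: str, ip: str, user_agent: str) -> str:
        """Password (and, where enabled, the second factor) already checked by the caller."""
        sid = secrets.token_urlsafe(32)     # unguessable session id
        self._sessions[sid] = Session(user, ip, user_agent)
        return sid

    def confirm_by_email(self, sid: str, action: str) -> None:
        """Called when the owner clicks the verification link sent for `action`."""
        self._sessions[sid].email_confirmed.add(action)

    def authorize(self, sid: str, ip: str, user_agent: str, action: str,
                  otp_ok: bool = False) -> str:
        """Decide whether `action` may proceed on session `sid` from `ip`."""
        s = self._sessions.get(sid)
        if s is None:
            return "deny:no-session"
        # 1. IP binding: a session cookie replayed from any other address is useless.
        #    An attacker operating the user's own device still passes this check.
        if ip != s.bound_ip:
            return "deny:ip-mismatch"
        # 2. Step-up: a sensitive action from a client that differs from the one
        #    seen at login is held until the owner confirms it by email.
        if (action in SENSITIVE_ACTIONS and user_agent != s.user_agent
                and action not in s.email_confirmed):
            return "pending:email-verification"
        # 3. Wallet withdrawals always need a fresh one-time code; the session id
        #    alone is never enough to move coins.
        if action == "withdraw" and not otp_ok:
            return "deny:second-factor-required"
        return "allow"

if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", "10.0.0.5", "Android")
    # Cookie replayed from elsewhere: refused by the IP binding.
    print(store.authorize(sid, "198.51.100.7", "Tor Browser", "withdraw", otp_ok=True))
    # Same device, same address, stolen code: indistinguishable from the owner.
    print(store.authorize(sid, "10.0.0.5", "Android", "withdraw", otp_ok=True))
```

Note the trade-off the 25 April post mentions: a mobile user whose address changes mid-session hits the same "deny:ip-mismatch" branch as a hijacker, which is why the binding is described as a possible inconvenience for legitimate users.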

This case is also very unlikely to be an inside job. LocalBitcoins logs all actions done by its support staff and developers to an audit log, so potential abuse of staff privileges is easily uncovered. Two-factor authentication codes and passwords are not accessible to the support staff. Furthermore, it would not be very rational for an insider who had access to all wallets to attack only one particular user and his/her wallet.

Due to media reporting of the case, users were panicking and moving their Bitcoins away from LocalBitcoins. Most of the Bitcoins stored on LocalBitcoins are in cold storage, so even if the LocalBitcoins servers were compromised, the attackers would still not get access to stored user Bitcoins. When the LocalBitcoins hot wallet was being emptied by the high volume of withdrawals, withdrawals started to be delayed. LocalBitcoins chose not to top up the hot wallet until the incident had been investigated.

Other claimed Bitcoin losses

In the week of 17 April, 11 separate incidents of claimed Bitcoin losses were reported. In these cases the pattern is that the user bought Bitcoins on LocalBitcoins and then there was a Bitcoin transaction which the user claimed he/she did not make.

In all of these cases the user account had no two-factor authentication and had a login coming from an IP address not associated with the user's prior behavior pattern. We believe these incidents were caused either by reused passwords or by a malware infection on the user's computer. Currently the anti-virus industry knows at least 150 different virus or malware strains targeting Bitcoin wallets, so Bitcoin users are very high-value targets for cybercriminals.

LocalBitcoins security automatically blocks automated logins and login attempts if one particular IP address seems to behave maliciously. However, if the username and password are known to the attacker and two-factor authentication is not enabled, it is not possible for LocalBitcoins to differentiate between legitimate logins and logins done by the attacker.

In cases like this the LocalBitcoins support instructs the users to
  • Clean their PCs of malware and viruses
  • Change their password
  • Enable two-factor authentication

Thursday, April 17, 2014

Initial Response regarding Localbitcoins account vulnerability claims

A couple of hours ago Reddit user don4of4 posted a warning to Reddit, claiming that LocalBitcoins user accounts are vulnerable to some kind of exploit.

A similar post has been made on the LocalBitcoins forums.

So far we have found one systematic and recent attack against LocalBitcoins users, and right now it seems that the number of users attacked has been under 30, and the amount of bitcoins reported lost has been less than that. The common pattern between these cases has been that prior to the transaction there was a login to the account, and the fact that none of the users affected had two-factor authentication enabled. The most likely explanation for these attacks is stolen user credentials, through phishing or malware. So far nothing indicates that this has been a security flaw on the website itself, but we are going to continue investigating the case.

There have also been two or three isolated cases which do not necessarily fall directly into this pattern*, and those cases still need more research before anything can be said about them.

We will continue investigating these cases during the weekend, and meanwhile outgoing transactions might be delayed, since we are trying to minimize cold storage movements until everything is sorted out. We apologize for any inconvenience caused.

*) edit: There have been claims that users with 2FA have been affected. So far we have received three reports of this kind in total during the last month, and some further investigation is required before we can draw too many conclusions about these cases.

Tuesday, April 8, 2014

LocalBitcoins updated the servers against OpenSSL Heartbleed vulnerability

LocalBitcoins updated its servers this morning to fix the OpenSSL Heartbleed vulnerability.

The downtime was due to necessary security updates related to the Heartbleed bug. This is a serious security issue affecting most of the Internet. The issue was disclosed some hours ago.

We apologize for any inconvenience caused by this incident.


Advertisements disabled - manual action needed

If you are running trade advertisements on LocalBitcoins you may need to re-enable your LocalBitcoins advertisements.

Because of the impact of the OpenSSL updates on LocalBitcoins and the rest of the Internet, LocalBitcoins did not have valid Bitcoin market exchange rate data available. Since LocalBitcoins users price their advertisements with equations based on the exchange rates they choose, and those exchange rates could not be read, the advertisements were disabled by an automatic process.

Go to your Dashboard on LocalBitcoins. If your advertisement shows a valid price, you can click the Enabled / Disabled column to make your advertisement visible again.

We also recommend that LocalBitcoins users use the min() and max() functions in the pricing equation to set ceiling and floor values against the volatility of the Bitcoin exchange rate.
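A pricing equation is user-supplied text, and this week's outage shows what must happen when a rate feed disappears. The following added example (written for this page, not LocalBitcoins' code; the rate names such as btc_usd and the exact equation grammar are assumptions) evaluates such an equation by walking Python's own parse tree, allowing only numbers, arithmetic, named rates and min()/max() and rejecting everything else, so the equation is never handed to eval(), and it returns None, meaning "disable the advertisement", when a referenced rate is missing, as the automatic process described above did.

```python
import ast
import operator

# Assumed equation grammar: numbers, + - * /, unary minus, rate variable names
# (e.g. btc_usd) and the functions min()/max(). The rate names are assumptions
# for this example, not LocalBitcoins' own identifiers.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_FUNCS = {"min": min, "max": max}

class EquationError(ValueError):
    """Raised for disallowed syntax or a rate that is not available."""

def evaluate(equation: str, rates: dict) -> float:
    """Evaluate a user-supplied pricing equation against a dict of exchange rates.

    The text is parsed with the ast module and walked explicitly; anything outside
    the whitelist (attribute access, other calls, keyword arguments, unknown
    names, ...) raises EquationError. Nothing is ever passed to eval().
    A referenced rate that is missing or None also raises, so a caller cannot
    accidentally price an advertisement on absent data.
    """
    tree = ast.parse(equation, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return float(node.value)
        if isinstance(node, ast.Name):
            if rates.get(node.id) is None:
                raise EquationError(f"rate {node.id!r} unavailable")
            return float(rates[node.id])
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -ev(node.operand)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in _FUNCS and not node.keywords and node.args):
            return _FUNCS[node.func.id](*(ev(a) for a in node.args))
        raise EquationError(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)

def advertisement_price(equation: str, rates: dict):
    """Price for the advertisement, or None meaning 'disable the advertisement'."""
    try:
        price = evaluate(equation, rates)
    except (EquationError, SyntaxError, ValueError, TypeError,
            ZeroDivisionError, RecursionError):
        return None
    if price != price or price <= 0:   # NaN or non-positive result: fail closed
        return None
    return price

if __name__ == "__main__":
    live = {"btc_usd": 500.0}
    print(advertisement_price("max(min(btc_usd*1.05, 600), 450)", live))
    print(advertisement_price("max(min(btc_usd*1.05, 600), 450)", {"btc_usd": None}))
```

The min()/max() wrapper in the first call is the floor-and-ceiling pattern recommended above: the price tracks the feed at a 5% premium but can never leave the 450 to 600 band, whatever the rate does.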


Security certificate changed

As the Heartbleed bug could have leaked the private key behind the site's security certificate, the LocalBitcoins team revoked the certificate and replaced it. You may receive browser warnings about the changed security certificate.