I'm distraught over this. A hacker can simply break into your account, steal your bitcoin by sending it off to his own account, and no one has to hold any type of accountability? Is there no way to trace, cancel, or reverse a transaction? Is there anything at all I can do?
So basically you want the government to have no ability to lock down funds or regulate transfers, yet you also want the ability for the government to step in and stop people who have stolen your bitcoins.
Can people really be this oblivious? If you have bitcoins, do not just put them on random websites with zero auditing and expect them to be in any way secure. If you don't know how to secure a computer, you need to stay far away from bitcoins, they are not for you.
Also, if there is anything Coinbase does, or if there are any laws regarding such things that might help him.
Agreed on the part about he should take more care with security though, two-way auth etc etc.
1. As far as the police are concerned, someone stealing your bitcoin is like someone on an internet forum stealing your avatar / profile picture.
2. Bitcoins have no intrinsic value -- Welcome to the land of non-fiat "currency".
3. Someone taking your BTC simply doesn't register as a crime for them.
What is the whole address and transaction id just to trace and see where it went? There is no way to cancel the transaction.
[edit]
Here is the info[1] about the transaction. It seems the transaction was relayed by IP address 71.206.70.250, somewhere in Florida (Comcast customer). It also seems the address[2] only holds your balance for now. You can call Comcast and let them know.
[1]https://blockchain.info/tx/d3f6547f901b45b3c79315e78a1bbcc98...
[2]https://blockchain.info/address/12aW8jPeEc9iQa5ocXCDReJ6Nij4...
Transferred to: 12aW8jPeEc9iQa5ocXCDReJ6Nij4c9xHtX
Transaction: d3f6547f901b45b3c79315e78a1bbcc988e27e6b98feab321f5628e2312b5377
I think this might be related to a recent Twitter account hack that happened a month or so ago, where a fake tweet was posted on the account. I had used the same email and pw on that account. Maybe they were scanning the stolen Twitter accounts against Coinbase.
You used the same credentials for a social networking site as for your Bitcoin account with Coinbase? And you didn't change them once your Twitter account was hacked?
You should probably call it a relatively cheap lesson in not reusing passwords.
I thought lack of regulation was one of the features of Bitcoin.
EDIT: spelling correction.
You can file a police report. If somebody stole your physical cash, what would you do?
Bitcoin advocates claim this is a feature, not a bug. They say bitcoin should be the digital equivalent of cash.
Personally, I would probably get something like a Raspberry Pi (if it's beefy enough) with a Linux distro which runs straight from RAM just for Bitcoin transactions. So, every time you boot up, it's a totally new installation. You could make sure that the media you are loading it from is read-only. Then enter your Bitcoin info, do your transaction and shut off the computer. Next time you boot it up, new installation again. With these distros, you don't actually have to install Linux every time, they just run from a read-only image typically. I use Puppy Linux.
This should do a lot to keep you safe from malware. Just using Linux makes you a little less of a target. Using a fresh install every time you boot up reduces your vulnerability window. I'm sure that if you are connected to the internet, anything could happen. If you use this method, you would probably need to be specifically targeted by someone who really knows what they are doing. There are easier targets out there. ;)
This is basically exactly what you're talking about: http://piperwallet.com
Looks like you didn't have Two-Factor enabled (https://news.ycombinator.com/item?id=6947037). Enable it now. We've stopped lots of Coinbase account password compromises. Most of the time we see that the e-mail was hacked.
Do the following:
1. Enable Two-Factor Authentication on your e-mail.
2. If you use GMail, go to Settings -> Forwarding POP/Imap. Check that no "weird" addresses are added to your account.
3. Change your E-mail password.
4. Change your Coinbase password.
If you have Two-Factor enabled we can also temporarily block your account if you suspect a hacker is trying to get into it. Contact us at support@authy.com and we'll block it.
I might also encourage Coinbase to limit the maximum dollar value of transfer from an account to, say, $100 per day until someone enables two-factor auth. Typically people have very poor security habits, and strongly encouraging them to improve them will help both users and Coinbase's reputation.
It would seem that you understand Bitcoin very well.
A review of all of the hacks/breakins/inside jobs since 2011 would have told you this already. You DID research its history, rather than jumping in blind, right?
There are a few rules about trustworthiness in economy. Our whole economic system is held together because one rogue actor would be rejected by all its partners if it failed a transaction, and the person wouldn't be able to create a new company if they acted unfairly. This peer-to-peer network is also backed by trade unions, then banks, then governments who vouch for each other.
By trusting Coinbase, a single actor in a very small economy, you have very little leverage, except talking about your mistake on HN and trying to get the consumer's snowball effect. It is not backed by its trade union, nor by its banks, insurances or government.
Don't forget that Bitcoin is a token game which is parallel to your national currency, and allows bypassing taxes. Bitcoins should get what they deserve: As a subversive currency allowing to bypass taxes, it should be fought by governments. Receiving money for a Blizzard account is just as illegal. Because it's a parallel economy which prevents taxes from being duly collected.
I'm not saying that I'm on the government's side, nor on the Bitcoin side. I'm saying they are competing and proponents of one side should be rejected by the other side.
Given this background, you losing 0.12 BTC is a very mild outcome.
Perhaps something to do with the API (which is disabled by default but some victims have noticed was enabled) https://coinbase.com/docs/api/authentication "If someone obtains your api_key or an access_token with the send or all permission, they will be able to send all the bitcoin out of your account."
(edit: followed the transaction trail on one of those links, ended up with week old address that had received 49,497BTC https://blockchain.info/address/1Facb8QnikfPUoo8WVFnyai3e1Hc...)
I was under the impression that 2 factor auth on Coinbase wasn't optional, but I guess not.
Coinbase should also be failbanning any computer trying to brute force the same account with more than one password.
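A sketch of the fail-banning idea from the comment above, as an added example that is not part of the thread and not Coinbase's code. It goes beyond the single case in the comment by also flagging one source trying many accounts, the reused-credential pattern suspected earlier in the thread; the thresholds, class name and sample events are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumption: a server-side secret used only to fingerprint failed guesses,
# so distinct passwords can be counted without storing them.
FINGERPRINT_KEY = b"constructed-demo-key"

def fingerprint(password):
    return hmac.new(FINGERPRINT_KEY, password.encode(), hashlib.sha256).hexdigest()

class LoginThrottle:
    def __init__(self, window=600, max_passwords=3, max_accounts=5):
        self.window = window                # seconds of history kept per source
        self.max_passwords = max_passwords  # distinct guesses allowed per account
        self.max_accounts = max_accounts    # distinct accounts allowed per source
        self.failures = defaultdict(deque)  # ip -> (ts, account, fingerprint)

    def record_failure(self, ts, ip, account, password):
        """Record one failed login; return a ban reason or None."""
        q = self.failures[ip]
        q.append((ts, account, fingerprint(password)))
        while q and q[0][0] <= ts - self.window:  # drop events older than the window
            q.popleft()
        guesses = {fp for _, acct, fp in q if acct == account}
        if len(guesses) > self.max_passwords:
            return "brute_force"            # many passwords against one account
        if len({acct for _, acct, _ in q}) > self.max_accounts:
            return "credential_stuffing"    # leaked pairs replayed across accounts
        return None

def first_bans(events, **limits):
    """Replay (ts, ip, account, password) failures; map ip -> (reason, ts)."""
    throttle, bans = LoginThrottle(**limits), {}
    for ts, ip, account, password in events:
        reason = throttle.record_failure(ts, ip, account, password)
        if reason and ip not in bans:
            bans[ip] = (reason, ts)
    return bans

# Constructed sample: a guesser, a stuffer, and a user retyping one wrong password.
SAMPLE = (
    [(i, "198.51.100.7", "alice@example.com", f"guess{i}") for i in range(4)]
    + [(10 + i, "203.0.113.9", f"user{i}@example.com", "leaked-pw") for i in range(6)]
    + [(20 + i, "192.0.2.4", "bob@example.com", "typo-pw") for i in range(5)]
)
```

Counting distinct fingerprints rather than raw failures keeps a user who retypes the same wrong password from being banned, and the per-source account count catches stuffing runs that make only one attempt per account.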
By immediately transferring the BTC to a paper wallet address generated on a secure, offline computer, it is simply impossible to withdraw the BTC without possession of the information on that physical piece of paper. This is far more secure than any digital or two factor auth.
Edit: I notice that Coinbase does store the vast majority of their BTC in paper wallets[1]. The problem is, Coinbase still has a copy of the private keys associated with your BTC address. While this may hinder the efforts of outside attackers, there still exists a vulnerability with those employees who have access to the systems that move BTC from cold to warm storage. That's why your BTC should always reside in an address you generated yourself and solely possess the private key to.
[1] http://blog.coinbase.com/post/33197656699/coinbase-now-stori...
The guys at Coinbase need to turn OFF the API key feature as soon as possible. It has the potential of hurting the entire ecosystem.
Edit: One suggestion to Coinbase would be to change the API key feature to only allow the API methods which don't result in sending payments. This allows quick use of their APIs in doing architectural design and ensures protection against key leakage. A second suggestion is to queue up outgoing transactions initiated by the API key into batches and use alerts (like through Pagerduty or similar) to notify the account owner transactions are pending and need approval.
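The approval queue suggested in the comment above, combined with the $100-per-day cap for accounts without two-factor proposed earlier in the thread, as an added example that is not part of the thread and not Coinbase's API. The method names, the alert list standing in for a pager hook, and the addresses are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical method names and limit; not Coinbase's real API.
READ_ONLY = {"balance", "list_transactions", "receive_address"}
NO_2FA_DAILY_CAP_USD = 100.0

@dataclass
class Account:
    two_factor: bool
    balance_usd: float
    sent_today_usd: float = 0.0
    pending: dict = field(default_factory=dict)  # request id -> (to, amount)
    alerts: list = field(default_factory=list)   # stand-in for a pager/e-mail hook
    next_id: int = 1

def _transfer(acct, to, amount):
    if amount <= 0 or amount > acct.balance_usd:
        return "denied: bad amount"
    if not acct.two_factor and acct.sent_today_usd + amount > NO_2FA_DAILY_CAP_USD:
        return "denied: daily cap without two-factor"
    acct.balance_usd -= amount
    acct.sent_today_usd += amount
    return "sent"

def api_key_call(acct, method, to=None, amount=0.0):
    """Requests authenticated only by an API key: reads pass, sends are parked."""
    if method in READ_ONLY:
        return "ok"
    if method != "send":
        return "denied: unknown method"
    rid, acct.next_id = acct.next_id, acct.next_id + 1
    acct.pending[rid] = (to, amount)
    acct.alerts.append(f"pending send #{rid}: ${amount:.2f} to {to}")
    return f"queued:{rid}"

def owner_decision(acct, rid, approve):
    """Called from the owner's interactive session, never with the API key."""
    to, amount = acct.pending.pop(rid)
    return _transfer(acct, to, amount) if approve else "rejected"

def leaked_key_scenario():
    """Constructed walk-through: a key holder requests sends, the owner decides."""
    acct = Account(two_factor=False, balance_usd=500.0)
    results = [api_key_call(acct, "balance"),
               api_key_call(acct, "send", "constructed-address-A", 500.0)]
    results.append(owner_decision(acct, 1, approve=False))  # owner rejects after alert
    results.append(api_key_call(acct, "send", "constructed-address-B", 150.0))
    results.append(owner_decision(acct, 2, approve=True))   # approved, but over the cap
    results.append(api_key_call(acct, "send", "constructed-address-B", 80.0))
    results.append(owner_decision(acct, 3, approve=True))
    return results, acct.balance_usd, len(acct.alerts)
```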
Welcome to the brave new world!
There is nothing one can do. MtGox can't protect users from getting their account hacked when it's nothing they've done. I filed a police report, but there's not much the police can do in the case of btc...
One learns from one's mistakes, so, now; stopped reusing passwords, and added two-way auth for important/sensitive things, alas, a bit too late (got 9 btc stolen ;_; although at the time, they were only worth ~100$/btc).
Hacking is pervasive, but anonymous currencies are providing a more interesting target than sending spam or renting botnets. Generally, security is very poor everywhere but most people don't really notice. This is going to have to change at some point as more of our lives go online.
I'm researching Bitcoin to try to have a really in-depth understanding of it. What is the best, even if complex, paper/blog/website on how to properly secure bitcoins?
Personally, I keep my btc wallet.dat file in an AES-encrypted diskimage (sparsebundle on OS X) in my Dropbox, and then symlink that file to the place where it needs to be on the computer. My wallet is always backed up, and secure enough (you need either physical access to my computer and get the password right, or, access to my dropbox account and, again, the password for the wallet diskimage).
Quite content with my setup, I just mount the diskimage before I open my Wallet application...
You trusted your valuables to a third party and were careless with your own access credentials to communicate with that third party. Your fault, your consequences.
(Out of interest, did you "make money" from bitcoin, when it was going up?)
I'm very cautious now about considering bitcoin any further. I'm certainly glad I never linked a bank account to Coinbase.
Do you have any antivirus software installed?