UNKNOWN

OCTOBER 2013

AUSTRALIA

INPUTS.IO

DESCRIPTION OF EVENTS

"In early 2013 Inputs.io was launched; a free online Bitcoin wallet and anonymous Bitcoin transfer network: featuring instant off chain Bitcoin transfers and embedded automatic untraceable 'mixing' of all Bitcoin transactions. Featuring truly instant, anonymous and highly secure Bitcoin transactions, the inputs.io platform brings a plethora of key innovations to the table, setting a new benchmark for online Bitcoin wallet services. Anyone worldwide can open an inputs.io online wallet in 30 seconds or less."

 

"TradeFortress created a free online bitcoin wallet (Inputs.io)." "Inputs.io was a free Bitcoin web wallet that leveraged its own off chain payment network. Inputs implemented numerous security measures, and featured instant, fee-less offchain confirmations with an easy to implement developer API." "Inputs.io is a new bitcoin payment processor leveraging an offchain payment network."

 

"Send bitcoins instantly to an email address - no waiting for confirmations, no fees and no double spending." "Inputs.io Enables Anyone To Send Bitcoin Instantly And Securely" "It's easy and free. We made Bitcoin easy while powerful. Get your secure wallet in 30 seconds. Bitcoin transactions take an hour to confirm. Inputs.io makes it instant with no fees. The most secure wallet ever created. Automatic free mixing for your privacy." "Bitcoin made easy - shave 8 GB of the blockchain off your hard drive, and make a wallet in 30 seconds. Works everywhere - your desktop to mobile." "Off chain transactions are also easier to use. The average user does not want to remember addresses - they want to use Bitcoin like PayPal instead of seeing a 'Waiting for 0/6 confirmations'... Zzz."

 

"No fee for Inputs.io to Inputs.io transactions. If we pay no fee for blockchain transactions... well, your transactions aren't going to confirm fast (or at all, if it doesn't meet priority requirements)." "Sending Bitco[i]n directly to another inputs.io account via the recipient's email address has a number of advantages unique to the service. There are no fees; as the transaction does not go through the Bitcoin blockchain it is not subject to a 0.0005 BTC fee. As these transactions are off the blockchain there is absolutely zero risk of double spending attacks. Bitcoin transfers sent to an email address are also 100% anonymous: processed internally without utilizing the public Bitcoin blockchain. Transactions sent to email addresses are also truly instantaneous and confirm instantly. Currently the Bitcoin network can only handle 7 transactions a second, while inputs.io's system can scale up to theoretically handle an infinite number of transactions per second: enabling the platform to transcend one of the core limitations of Bitcoin itself in its present form."

 

"Connectivity - push your TX out to the network with more connected nodes, get exchange rates, email notifications of transactions." "If you're using Chrome or another browser that supports desktop notifications, you'll see a new option to enable it under Transactions. You'll receive a notification when you make or receive a transaction, even if you're in another window. No downloads or browser extensions are needed."

 

"Automatic free mixing - don't use a wallet service that destroys your anonymity (change address reuse) and sells your privacy back to you for 0.5%." "As inputs.io mixes your wallet for you automatically, none of the sending addresses of your transactions actually belong to you for privacy." "3-4 digits of BTC volume per day. There's pretty high variance however."

 

"I developed Inputs because I was tired of waiting an undetermined amount of time for transactions to go through, especially when I am trading on multiple exchanges. The issue with confirmations is that you don't know how long it will be for a block to be produced - there sometimes are streaks of an hour without a single block." "It's instant, there is no privacy issue with this as you're not sending to one address to have it sent to another - your balance is deducted 'off the chain' and an unrelated transaction is sent to the destination address." "You can generate signed payment receipts to prove that you did send a transaction however if you want, for example for a group buy."

 

"Unlike some shared wallet service, we don't freeze/lock/'chargeback' bitcoins because of claims of scamming. Bitcoins sent are irreversible. Unlike some hybrid wallet service, we don't disclose personal information because of claims of scamming either, unless we're authorized to do so under the privacy policy." "Inputs is privacy focused, which rules us out from touching fiat (at least directly). I will just say: it is an absolutely horrible idea to use a wallet for transactions tied to your identity for Bitcoin. Let's not think of Bitcoin as another funding method, but why Bitcoin was created."

 

"Easy to integrate API - set dead simple callbacks, send with one URL call." "The reception of our beta by those who know Bitcoin but are not power users who browse this forum has been universally positive - Bitcoin will never succeed if people need to sync 200 weeks of prior transactions, have all their payments 100% public, and worry about keeping their private key safe in case of a natural disaster. We're here to fill this need."

 

"Security security security - PIN keypad, location based authentication, session & useragent tracking and view, configurable limits, anti phishing bar." "Passwords hashed with SHA256 before being sent to the server - we never know your password. Passwords bcrypted on the server with user unique salt. SSL encryption to protect against MITM attacks. Randomized PIN pad protects against nearly all keyloggers. Location based authorization - email confirmation required when signing in from new geographical location. Optional two factor auth protects against malware and remote compromise. Configurable account sending limits on a rolling 48 hour window. XSS (Cross site scripting) hardened. Automatic account locking after a number of attempts to thwart brute force attacks. IP based login rate throttling. Anti phishing bar - makes it harder for phishing sites to be effective. Session tied to IP address & useragent, and is regenerated upon login - preventing session fixation attacks. Protected against SQL injections by escaping all possible user input. CSRF countered by requiring a token for requests. Recovering password and PIN requires recovery key - no risk if your email is compromised. Cold storage system protects coins against server compromise. Automated and manual security auditing system. Web server (the one you are connected to now) communicates to hot pocket and main server securely. Zero bitcoins are kept on this server. Optional GPG auth requires decryption of a key in order to sign in. Tor detection - accounts that registered using Tor can use Tor, other accounts may not for security reasons." "We use bcrypt with a user unique salt. The server does not get plaintext passwords, because your browser does not send it." "Our site is secure against XSS attacks, as well as CSRF attacks." "We use Google's 2FA security model - you can disable 2FA without entering the code in case you lost your phone - this requires you to have a signed in session. Sessions are both IP and user agent locked."

 

"We're upgrading the security of Inputs.io to make it more resistant to attacks even if our web facing server was compromised. Inputs.io is not compromised at all, this is to make Inputs even more secure." "We have redundancy plans (aka 'dead man's switch'), both automated and manual. This isn't just for seizures / etc, the hot pocket will dump all coins in secure storage if it detects an intrusion." "As ironic as it may sound, not disclosing my identity publicly protects the safety of your coins against physical attacks of extortion. Many trusted members here, including Casascius and people who I have done business with, know my identity and address." "We have decoy accounts which are populated by 'real' user data from our other databases. The hot pocket server automatically dumps all coins to cold storage if it sees a payment request from a decoy account. We have methods that make it very hard for an attacker to determine if an account is decoy or not, even with root access to the linode machine and listening to traffic." "Your session is locked to your IP address and useragent. If someone has physical access to your machine, then you are screwed in every sense of the word - though the attacker must still figure out your PIN. The most malicious thing they could do without your PIN is delete your addressbook."

 

"No fractional reserve unless you move coins into CoinLenders. If there is any change to this policy, it will be announced in advance."

 

"All Bitcoin services require trust, and this includes services like Blockchain.info, Coinbase and others. For example, it is trivial for Blockchain.info to make you sign a transaction sending all the coins to them while hiding that on their own website / block explorer." "FYI, I worked on Blockchain.Info's chrome extension, and if I wanted to I could easily have stolen coins with an innocent line of code. It took months or years for bugs in mission critical open source cryptography software to be discovered (see: OpenSSL), and you are deluded if you think that other offerings are more secure. Our security has been independently audited by multiple pen testers - as well as experience with running large Bitcoin services." "I have also put in 570 BTC locked as collateral in Just-Dice, and you can check my trust rating for more assurances. If you want, you can use Inputs as an extended green address where your exposure to risk is in milliseconds." "What is the most valuable thing in the Bitcoin world is reputation - security and trustworthiness. CoinLenders handles XX,XXX BTC sums and we have never been hacked."

 

"Inputs.io was a Bitcoin Foundation Silver industry member." "DailyBitcoins.org now supports Inputs.io!" "We handle thousands of Bitcoins for CoinLenders which has never been hacked for months, a rarity in the Bitcoin world, and Inputs.io expands upon all the security measures." "Inputs.io processed more than 235,000 BTC during its operation." "Inputs has transferred more than 235,790 BTC."

 

"Theoretically, we can spend everyone's coins, but that is true for other services too (even the client JS ones) and it makes very little business sense to do so. If you think I'm here to scam people, check out CoinLenders - our total deposits have been going down for a while (3500 BTC less from peak) due to competition, but I make money from the spread on lending and investments, not scamming."

 

"It seems you put a lot of thought into security measures. Still it seems the callback API is somehow lacking. The only proof that the callback is actually coming from your site is the IP-Address of the sender. There are possibilities to spoof the source IP of a TCP connection, especially in a case where the attacker has access to the subnet of the receiving system." "You should consider adding another security layer here. For example on bitcoinmonitor.net callback notifications I added a signature to the callback data which makes sure that the callback was created by the server and not someone else." "Thank you for your comments. We support adding secrets to your callback URL. Use SSL so others will not know your secret. It is not open to replay attacks as for record keeping purposes you should be recording all transactions including the TXID."
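The exchange above contrasts two ways of authenticating a payment callback: trusting the source IP, which a spoofed or proxied connection defeats, and signing the callback body so the receiver can check who produced it. The following is an added example, not code from Inputs.io or bitcoinmonitor.net: the sender computes an HMAC-SHA256 over the exact callback bytes with a shared secret, and the receiver verifies it in constant time and then drops any TXID it has already credited, which is the replay defence the reply alludes to when it says to record every transaction including the TXID. The secret, the JSON field names and the "trusted" IP address are assumptions made up for the example.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed values for the example; not Inputs.io's real secret or address.
CALLBACK_SECRET = b"example-callback-secret-replace-me"
TRUSTED_SOURCE_IP = "203.0.113.10"   # assumed "the server's IP" (documentation range)


def make_callback(txid: str, account: str, amount_satoshi: int) -> bytes:
    """Build a callback body. sort_keys gives a canonical byte string to sign."""
    return json.dumps(
        {"txid": txid, "account": account, "amount_satoshi": amount_satoshi},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def sign_callback(body: bytes, secret: bytes = CALLBACK_SECRET) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def accepted_by_ip_only(source_ip: str) -> bool:
    """The check criticised in the thread: anything from one IP is trusted.
    A spoofed or proxied source address passes it unchanged."""
    return ipaddress.ip_address(source_ip) == ipaddress.ip_address(TRUSTED_SOURCE_IP)


class CallbackReceiver:
    """Merchant side: verify the signature, then reject replays by TXID."""

    def __init__(self, secret: bytes = CALLBACK_SECRET):
        self.secret = secret
        self.seen_txids = set()   # persist this in the transaction log in production
        self.credited = {}        # account -> satoshi credited

    def handle(self, body: bytes, signature: str) -> str:
        expected = sign_callback(body, self.secret).encode()
        # Constant-time comparison so a timing side channel cannot recover the MAC.
        if not hmac.compare_digest(expected, signature.encode()):
            return "rejected: bad signature"
        event = json.loads(body)
        if event["txid"] in self.seen_txids:
            return "ignored: replay"
        self.seen_txids.add(event["txid"])
        self.credited[event["account"]] = (
            self.credited.get(event["account"], 0) + event["amount_satoshi"]
        )
        return "credited"


def demo_callback():
    """Replay a legitimate callback, then two forgeries. Returns the outcomes."""
    rx = CallbackReceiver()
    genuine = make_callback("constructed-txid-0001", "alice", 100_000)
    sig = sign_callback(genuine)
    forged = make_callback("constructed-txid-0002", "mallory", 50_000_000)
    outcomes = [
        rx.handle(genuine, sig),                                   # credited
        rx.handle(genuine, sig),                                   # ignored: replay
        rx.handle(forged, sign_callback(forged, b"guessed-key")),  # rejected: bad signature
        rx.handle(forged, sig),                                    # rejected: MAC is for another body
        accepted_by_ip_only("203.0.113.10"),                       # True: the IP check alone passes a spoof
    ]
    return outcomes, rx.credited


if __name__ == "__main__":
    print(demo_callback())
```

The signature must cover the raw bytes as sent, not a re-serialised copy, and the MAC only proves origin: the "secret in the callback URL" approach from the reply works the same way only as long as TLS hides the URL, whereas an HMAC never puts the secret on the wire at all.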

 

"Inputs.io isn't just me, although I do the majority of the work."

 

"I fully expect to be banned for this but I feel wrong not disclosing this information. theymos, on behalf of Bitcoin Talk, openly promoted Inputs.io through banner ads and donations even after being warned by the community several times that Inputs.io was highly insecure. To top it off, he also gave him Default Trust, allowing TradeFortress to have a green positive rating regardless of any negative ratings issued. To top it off, other moderators and staff are to blame as they have a direct link to banner ads and revenue affiliated with Bitcoin Talk, but because they had no choice whether or not theymos chose to have an affiliation with TradeFortress I am not listing them as outright scammers. Kluge, on the other hand, has yet to remove his Inputs.io signature and is still openly promoting TradeFortress and Inputs.io."

 

"TradeFortress was warned that it is not OK to use Linode hosting back in July [2013]. Migrating to a physical server could be trivial, but instead he decided to stay with Linode and ignored all warnings."

 

"His Linode administrative account was first accessed by the hacker on Oct 23rd, from IP Address 101.0.79.18, at 11:57am UTC+10 from Australia." "He gained access to the account by compromising the email address "lailai625@hotmail.com" and requesting a password reset from the Linode server. The reset link was automatically forwarded from the administrative email "admin@glados.cc" to "lailai625@hotmail.com"."

 

When CoinDesk approached TradeFortress for comment he informed us that "the attacker was able to compromise older email accounts which were easily reset as they didn't have phone numbers attached. Compromising one older email account led to the compromise of another, eventually allowing them to reset the password for the hosting account and obtaining shell access after bypassing two-factor authentication on the host's side." He continued: "We don't use client-side encryption; that's hardly foolproof and gives people a false sense of security".

 

"The attacker was able to empty the balance on accounts with the API key enabled. The issue is being actively looked upon. API access has been disabled."

 

"A full update will be posted soon, don't panic. Only people with the API key enabled were compromised (and will be reimbursed), passwords are securely stored one way in the database." "The hacker dumped API keys and PIN from the DB. API keys (re)generated after the hack haven't been stolen."
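The posts above state that the attacker dumped API keys and PINs from the database and then used the keys to empty every account that had one enabled. Hashing passwords one way, as the site did, does nothing for a credential that is itself stored in the clear. The following added example (not Inputs.io's code; the storage layout, key format and account names are assumptions for illustration) shows an API key store that keeps only a SHA-256 digest of each key, so that a database dump yields nothing usable, together with a one-step revocation for incident response. Random 256-bit keys can use a fast unsalted hash because they cannot be brute-forced; a user-chosen password needs bcrypt or a similar slow salted KDF, and a 4 to 6 digit PIN falls to an offline search no matter how it is hashed, so it must only ever be checked behind an online rate limit.

```python
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """Issues API keys and keeps only a digest of each one in the database row."""

    def __init__(self):
        # key_id -> {"account": str, "digest": str}; this is all a DB dump exposes.
        self.rows = {}

    @staticmethod
    def _digest(secret: str) -> str:
        # The key is 256 bits of randomness, so an unsalted fast hash is enough:
        # there is nothing for a dictionary attack to guess. Passwords and PINs
        # are low-entropy and need a slow, salted KDF plus online rate limiting.
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, account: str) -> str:
        """Return 'key_id.secret'. The secret is shown once and never stored."""
        key_id = secrets.token_hex(8)        # public lookup handle, not secret
        secret = secrets.token_urlsafe(32)   # 256 bits of entropy
        self.rows[key_id] = {"account": account, "digest": self._digest(secret)}
        return f"{key_id}.{secret}"

    def authenticate(self, presented: str):
        """Return the account name for a valid key, or None."""
        key_id, _, secret = presented.partition(".")
        row = self.rows.get(key_id)
        if row is None:
            return None
        # Constant-time comparison of the stored and recomputed digests.
        if not hmac.compare_digest(row["digest"], self._digest(secret)):
            return None
        return row["account"]

    def revoke_all(self):
        """Incident response: every pre-breach key becomes invalid in one step."""
        self.rows.clear()


def demo_api_keys():
    """Issue a key, then look at what an attacker with the table can do with it."""
    store = ApiKeyStore()
    key = store.issue("alice")
    key_id, secret = key.split(".")
    dump = repr(store.rows)                                   # attacker's view after a DB dump
    from_dump = f"{key_id}.{store.rows[key_id]['digest']}"   # replaying the stored value as a key
    result = {
        "valid_key_works": store.authenticate(key) == "alice",
        "secret_in_dump": secret in dump,
        "dumped_value_works": store.authenticate(from_dump) is not None,
        "unknown_id_rejected": store.authenticate("deadbeef.whatever") is None,
    }
    store.revoke_all()
    result["works_after_revoke"] = store.authenticate(key) is not None
    return result


if __name__ == "__main__":
    print(demo_api_keys())
```

Storing digests does not help against an attacker who also controls the application server at the moment a key is presented, which is why the keys still need scoped permissions and withdrawal limits on the server side; it does turn the "dumped the DB" step of this incident from a total loss into a non-event.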

 

"Tradefortress did not shut down the site, he did not move any of the coins to a cold wallet, he did not report the theft to local authorities, he did not notify any depositors, and he did not stop any new users from depositing to his site."

 

"Why were deposits and withdrawal not disabled? They were in limited capacity. A withdrawal amount limit didn't work as people simply broke up [their withdrawals]."

 

"Security is obviously the most important thing to a Bitcoin wallet, and it's unfortunate that a compromise occurred, and we're learning a lot from it (things that pentests won't catch)."

 

"There will be a full update soon, but this compromise was not through a fault of the code but rather like a 'side channel' attack."

 

"Database access was also obtained, however passwords are securely stored and are hashed on the client. Bitcoin backend code was transferred to 10;15Hd@mastersearching.com:mercedes49@69.85.88.31 (most likely another compromised server)."

 

"TradeFortress reset his Linode Manager password and logged into it by 8:25pm UTC+10."

 

"Everyone who has lost money will be fully reimbursed."

 

"Inputs.io says that although the hack took place on October 23rd, even depositors who made deposits after that date are not safe, as other users were able to make withdrawals from the shared wallet."

Inputs.io operated a centralized, custodial wallet service. The first attack took place on October 23rd: an attacker with access to the backend used the API to withdraw the funds of every account that had an API key enabled. By the operator's own account, the breach did not start at the application code but at account recovery: old email accounts without phone numbers attached were reset one after another until the attacker controlled the address that received Linode's password-reset link, took over the hosting account, and obtained shell access. At the time, TradeFortress promised a full refund. However, he did not move the remaining funds to cold storage, report the theft to the authorities, or stop new deposits.

HOW COULD THIS HAVE BEEN PREVENTED?

The primary issue with Inputs.io was that the funds were spendable from the compromised infrastructure. Whatever the "cold storage system" and automated "dead man's switch" described in the marketing amounted to, an attacker holding stolen API keys was able to drain accounts through the normal withdrawal path, so in practice the coins sat in a hot wallet reachable from the web-facing server. Keeping the large majority of funds in offline cold storage, with a hot wallet sized to a day or two of expected withdrawals, would have limited the theft to the hot-wallet balance rather than the whole reserve.

 

Another key factor was that the funds were held by an inexperienced, pseudonymous operator and controlled from a single server, rather than in a multi-signature wallet. With a multi-signature arrangement (for example, 2-of-3 keys held on separate systems or by separate people), compromise of the web server alone could not have authorized spending. Better operational training, and in particular an account-recovery chain that could not be walked from an abandoned email address up to the hosting account, would also have prevented the issue.
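Two of the operator's remarks above point at the same control: the service advertised "configurable account sending limits on a rolling 48 hour window", yet after the breach it reported that "a withdrawal amount limit didn't work as people simply broke up" their withdrawals, and the prevention discussion turns on bounding what a hot wallet can lose. The following is an added example, not Inputs.io's code (the limits, the account names and the timestamps are constructed for illustration): it contrasts a per-withdrawal cap, which splitting defeats, with an aggregate limit per account over a rolling 48-hour window, plus a global hot-wallet outflow cap that halts all withdrawals when many accounts drain at once, which is what stolen API keys look like from the inside.

```python
from collections import deque

SATOSHI_PER_BTC = 100_000_000
WINDOW_SECONDS = 48 * 3600   # the rolling 48-hour window the service advertised


def per_withdrawal_limit(amount: int, limit: int) -> str:
    """The kind of check that 'people simply broke up' withdrawals to evade."""
    return "approved" if amount <= limit else "denied: over per-withdrawal limit"


class WithdrawalGuard:
    """Aggregate per-account limit over a rolling window, plus a global
    hot-wallet outflow cap that halts all withdrawals once it is exceeded."""

    def __init__(self, per_account_limit: int, hot_wallet_cap: int):
        self.per_account_limit = per_account_limit
        self.hot_wallet_cap = hot_wallet_cap
        self.per_account = {}        # account -> deque of (timestamp, amount)
        self.global_outflow = deque()
        self.halted = False

    @staticmethod
    def _spent_in_window(entries: deque, now: int) -> int:
        while entries and entries[0][0] <= now - WINDOW_SECONDS:
            entries.popleft()        # drop entries that have aged out of the window
        return sum(amount for _, amount in entries)

    def request(self, account: str, amount: int, now: int) -> str:
        if self.halted:
            return "denied: withdrawals halted"
        if amount <= 0:
            return "denied: invalid amount"
        history = self.per_account.setdefault(account, deque())
        if self._spent_in_window(history, now) + amount > self.per_account_limit:
            return "denied: rolling 48h account limit"
        if self._spent_in_window(self.global_outflow, now) + amount > self.hot_wallet_cap:
            # Many accounts draining at once is the signature of stolen credentials,
            # not of normal use: stop everything and require a human to reset.
            self.halted = True
            return "denied: hot-wallet cap reached, halting"
        history.append((now, amount))
        self.global_outflow.append((now, amount))
        return "approved"


def demo_withdrawals():
    """Attacker splits a 3 BTC drain into 0.5 BTC pieces, then moves on to other accounts."""
    half, one = SATOSHI_PER_BTC // 2, SATOSHI_PER_BTC

    # Naive check: six 0.5 BTC pieces all pass a 1 BTC per-withdrawal limit, 3 BTC leaves.
    naive_out = sum(half for _ in range(6) if per_withdrawal_limit(half, one) == "approved")

    guard = WithdrawalGuard(per_account_limit=one, hot_wallet_cap=one * 5 // 2)
    w = WINDOW_SECONDS
    requests = [
        ("alice", half, 0), ("alice", half, 60), ("alice", half, 120),   # third piece hits the 1 BTC aggregate
        ("alice", half, w + 10),                                         # first piece has aged out of the window
        ("bob", one, w + 20), ("carol", one, w + 30),                   # carol pushes outflow past 2.5 BTC
        ("dave", half, w + 40),                                          # everything is halted now
    ]
    outcomes = [guard.request(acct, amt, t) for acct, amt, t in requests]
    guarded_out = sum(amt for (_, amt, _), o in zip(requests, outcomes) if o == "approved")
    return naive_out, outcomes, guarded_out


if __name__ == "__main__":
    print(demo_withdrawals())
```

The per-account window bounds what one stolen key can take; the global cap bounds what all of them can take together, which is the number that should be matched to the hot-wallet balance, with everything above it held offline. In a real deployment the histories live in the database, not in process memory, so that a restart of the web server (or an attacker restarting it) does not reset them.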

 


Sources And Further Reading

Legendary profiles of bitcointalk. (Mar 7)
Inputs.io - Free and Secure Bitcoin Wallet for Everyone (Mar 14)
Inputs.io - Bitcoin Wiki (Mar 14)
Inputs.io - Free and Secure Bitcoin Wallet for Everyone (Mar 14)
Online Bitcoin Wallet Service Inputs.io Enables Anyone To Send Bitcoin Instantly And Securely | Stock Market Summary (NSDQ, NYSE, AMEX and more) on Boston.com (Mar 14)
Inputs.io - Free and Secure Bitcoin Wallet for Everyone (Mar 14)
Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred (Mar 14)
Coinchat Is A Chatroom Where Talking Sense Earns You Bitcoin – TechCrunch (Mar 14)
Someone just transferred 0.095 from my Inputs.io wallet without my authorization. : Bitcoin (Mar 14)
Inputs.io Hacked and Shutdown - 4100 BTC Stolen : Bitcoin (Mar 14)
Inputs.io Security (Mar 14)
Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred (Mar 14)
Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred (Mar 14)
SCAM ACCUSATION: TradeFortress + Inputs.io + theymos (Mar 14)
SCAM ACCUSATION: TradeFortress + Inputs.io + theymos (Mar 14)
Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred (Mar 14)
Inputs.io: Is it a high-security bitcoin web wallet? (Mar 14)
Hackers steal $1.2 Million of bitcoins from Inputs.io, a wallet service (Mar 14)
Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred (Mar 15)
Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred (Mar 15)
Inputs.io HACKED, 4K+ BTC stolen (Mar 15)
AM - Massive bitcoin robbery hits Australian website, raises questions over regulations 08/11/2013 (Mar 15)
Inputs.io hacked – 4100 BTC stolen | Hacker News (Mar 15)
Transaction: 9536feebe3a50b94f85ca27d56e669a7209bd4188385d55c5b97227c95cf7f74 | Blockchain Explorer (Mar 15)
$1 Million Bitcoin Theft in Australia (Mar 15)
18-Year-Old Reports $1 Million Bitcoin Theft From 'Bank' He Controlled — And Says He Can't Call The Cops (Mar 15)
CoinLenders Script :: Bitcoin Bank (Borrow+Deposit) Software :: Demo Available (Mar 20)

 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.