Bitcoin Forum
Author Topic: Bitcoin-Central.net "We have been compromised"  (Read 9347 times)
Amitabh S
April 29, 2013, 08:32:43 PM
 #61

Just to rub some salt on your wounds, btc24 refunded our btc.   Grin Grin

but not your fiat Wink


I didn't have any Grin

Coinsecure referral ID: https://coinsecure.in/signup/refamit (use this link to signup)
Kouye
April 29, 2013, 08:59:59 PM
 #62

Received a mail stating my € withdrawal was processed, too.
Still not showing up in my "pending transactions" on bank account, will update when it does.

And still no BTC either.

[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition!
I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
mrbitbank
April 29, 2013, 10:00:24 PM
 #63

Received a mail stating my € withdrawal was processed, too.
Still not showing up in my "pending transactions" on bank account, will update when it does.

And still no BTC either.


Could you tell when did you make your withdrawal request, I have one still pending from just before they closed down and is still pending
Kouye
April 29, 2013, 10:07:30 PM
 #64

Received a mail stating my € withdrawal was processed, too.
Still not showing up in my "pending transactions" on bank account, will update when it does.

And still no BTC either.


Could you tell when did you make your withdrawal request, I have one still pending from just before they closed down and is still pending

I did it as soon as the failover address went public, on Apr. 26 2013 14:03 CEST

[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition!
I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
mrbitbank
April 29, 2013, 10:19:01 PM
 #65

Received a mail stating my € withdrawal was processed, too.
Still not showing up in my "pending transactions" on bank account, will update when it does.

And still no BTC either.


Could you tell when did you make your withdrawal request, I have one still pending from just before they closed down and is still pending

I did it as soon as the failover address went public, on Apr. 26 2013 14:03 CEST

That's interesting, I have one still pending since 04/23/2013, and I have another one pending from the same time as you. Does anyone else have any pending withdrawals still pending or confirmed, and has anyone actually received their funds yet?
Pontius
April 30, 2013, 08:14:51 AM
 #66

[...] Does anyone else have any pending withdrawals still pending or confirmed, and has anyone actually received their funds yet?

Requested my BTCs on 04/26/2013 15:55 and it's (still) pending...
NABiT
April 30, 2013, 08:20:48 AM
 #67

Only just started using B Central so not a lot in there.
As it seems to be an option I think I might just leave BTC/EUR with them and see if they get set up again soon.
Kouye
April 30, 2013, 09:59:33 AM
 #68

I can now see the € SEPA transfer in my pending transactions.
They chose not to offer the transaction fee, so expect getting 0.99€ less than you should have.

Still no BTC refund.

[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition!
I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
Frequency
April 30, 2013, 10:38:13 AM
 #69

Today I received my funds in my bank account, now I am waiting for my BTC to be sent back
So they are transferring funds ....!!!!

COINDER
WhatEverCOINDER
mrbitbank
April 30, 2013, 10:52:51 AM
 #70

Today I received my funds in my bank account, now I am waiting for my BTC to be sent back
So they are transferring funds ....!!!!

Well that's good news, I have just received an email this morning from them that they have completed the first of my two withdrawal requests. I will post here to let you guys know if the money hits my account, fingers crossed!!!!
Amitabh S
April 30, 2013, 11:59:18 AM
 #71

Good news indeed. I guess btc will be refunded soon.

Coinsecure referral ID: https://coinsecure.in/signup/refamit (use this link to signup)
mrb
April 30, 2013, 05:27:11 PM
 #72

OVH CEO confirms that a flaw in their password reset procedure is what led to the compromise of bitcoin-central:
https://news.ycombinator.com/item?id=5632479
Amitabh S
May 01, 2013, 07:44:41 AM
 #73

Will B-C resume trading soon?

Coinsecure referral ID: https://coinsecure.in/signup/refamit (use this link to signup)
samson
May 01, 2013, 12:38:15 PM
 #74

OVH CEO confirms that a flaw in their password reset procedure is what led to the compromise of bitcoin-central:
https://news.ycombinator.com/item?id=5632479

I don't see why Bitcoin central had to close down, this seems a very drastic measure to me considering the error which led to this situation was beyond their control and is unlikely to be repeated.

Skimping on hosting by using a budget service like OVH was the big mistake here.

I would make the following suggestions :

Move out of your current hosting ASAP.

Purchase your own dedicated server if you haven't already. Something that nobody else has access to and colocate it somewhere.

Host it somewhere secure. I've been working with a guy at mycyberhosting.net for around the last 10 years or so who uses various datacenters and has many cabinets in them. A private cab will cost around 1000 Euro or more a month depending on where it's located. This might be a bit too much for your needs, however partial cabinets are also available in the various datacenters.

I'm not entirely sure how the wallets are handled within the Bitcoin Central system but I gave this a little thought for a few minutes and if I were implementing a service handling Bitcoin like this online I would keep any wallet operations isolated on a physically separate server and merely send verifiable signed messages between the online web server and the physically separated server for any wallet access.

This way the keys are completely isolated from the website system. Even if the whole server got hacked there would be no possibility of keys being leaked.

Wallet isolation is the key, even for the hot wallet. Additional layers of separation are important.

Just my thoughts.
naphto
May 01, 2013, 01:49:28 PM
 #75

They got hacked twice in bitcoin-central.net on April and once on instawallet, that's pretty obvious that now they want to take their time, and come back only when they are sure that everything is fine Smiley
pedro82
May 02, 2013, 11:05:58 AM
 #76

I'm waiting for my BTC since 26-4-2013  Huh ... Anyone already receive it?
samson
May 02, 2013, 11:15:18 AM
 #77

I logged in and requested a wire transfer for about 1200 Euros during the time when trading was turned off.

The wire transfer for my withdrawal arrived in my UK account today.

I hope the issues are sorted out quickly especially as I see this as being the fault of the web hosting service  and not Bitcoin Central.

New more professional secured hosting and some changes to where the hot wallet is stored and accessed should fix these issues.
molecular
May 02, 2013, 11:30:16 AM
 #78

OVH CEO confirms that a flaw in their password reset procedure is what led to the compromise of bitcoin-central:
https://news.ycombinator.com/item?id=5632479

I don't see why Bitcoin central had to close down, this seems a very drastic measure to me considering the error which led to this situation was beyond their control and is unlikely to be repeated.

Skimping on hosting by using a budget service like OVH was the big mistake here.

I would make the following suggestions :

Move out of your current hosting ASAP.

Purchase your own dedicated server if you haven't already. Something that nobody else has access to and colocate it somewhere.

Host it somewhere secure. I've been working with a guy at mycyberhosting.net for around the last 10 years or so who uses various datacenters and has many cabinets in them. A private cab will cost around 1000 Euro or more a month depending on where it's located. This might be a bit too much for your needs, however partial cabinets are also available in the various datacenters.

I'm not entirely sure how the wallets are handled within the Bitcoin Central system but I gave this a little thought for a few minutes and if I were implementing a service handling Bitcoin like this online I would keep any wallet operations isolated on a physically separate server and merely send verifiable signed messages between the online web server and the physically separated server for any wallet access.

This way the keys are completely isolated from the website system. Even if the whole server got hacked there would be no possibility of keys being leaked.

Wallet isolation is the key, even for the hot wallet. Additional layers of separation are important.

Just my thoughts.


What keeps the attacker (with access to webserver and therefore webserver signing key) from sending a signed message to wallet server for transfer of funds?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
molecular
May 02, 2013, 11:31:14 AM
 #79

They got hacked twice in bitcoin-central.net on April and once on instawallet, that's pretty obvious that now they want to take their time, and come back only when they are sure that everything is fine Smiley

translation: after getting hacked for the 2nd time they got so extremely pissed that they just felt the overwhelming urge to throw in the towel.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
samson
May 02, 2013, 11:38:27 AM
 #80

What keeps the attacker (with access to webserver and therefore webserver signing key) from sending a signed message to wallet server for transfer of funds?

Something external to the web server alone would prevent this.

For example a request to process a withdrawal could be tied to a verified two factor login session stored in a database which the wallet processing server has access to and can verify. Something that can't be faked without a verified login. It should also be time sensitive.

This way withdrawals are tied to the login session of a user and would only be processed when they are checked against the individual session/login and not processed blindly based on where the request came from.

Obviously any system like this would require some thinking / planning before it's implemented properly to ensure that it's secure.

I hope this is what they're doing right now.

Just requiring that a Bitcoin withdrawal be processed on an isolated server only when a user is currently logged in would provide a greater degree of isolation but this could be expanded on to make the system very secure.
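
An added example, not part of the original thread and not Bitcoin Central's code: a sketch of the wallet-server check described in #80, where a signed withdrawal request is honoured only if it also matches a fresh, two-factor-verified login session. The HMAC key, the session record layout, the field names and the 300-second window are assumptions, as is the premise that the web server cannot write session records.

```python
import hashlib
import hmac
import json

MAX_AGE = 300  # assumed freshness window (seconds) for request and 2FA login

def sign(key, request):
    """Web-server side: HMAC-SHA256 over a canonical JSON encoding."""
    body = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def authorize_withdrawal(key, request, signature, sessions, now):
    """Wallet-server side. `sessions` models the login database: written by
    the login/2FA path, read-only to the wallet server (assumed layout)."""
    if not hmac.compare_digest(sign(key, request), signature):
        return "reject: bad signature"
    if abs(now - request["ts"]) > MAX_AGE:
        return "reject: stale request"
    session = sessions.get(request["session_id"])
    if session is None or session["user"] != request["user"]:
        return "reject: no login session for this user"
    if not session["two_factor_ok"] or now - session["verified_at"] > MAX_AGE:
        return "reject: 2FA login missing or expired"
    return "approve"

# Constructed sample data: one user with a 2FA-verified login at t=1000.
WEB_KEY = b"constructed-demo-key"
SESSIONS = {"s-alice": {"user": "alice", "two_factor_ok": True, "verified_at": 1000}}

def demo():
    genuine = {"user": "alice", "session_id": "s-alice", "amount": "0.5",
               "dest": "ADDRESS_PLACEHOLDER_A", "ts": 1100}
    # Holder of the web server key signs a withdrawal for a user with no session.
    forged = {"user": "bob", "session_id": "s-bob", "amount": "9.0",
              "dest": "ADDRESS_PLACEHOLDER_B", "ts": 1100}
    late = dict(genuine, ts=2000)  # same session, long after the 2FA login
    cases = ((genuine, 1100), (forged, 1100), (late, 2000))
    return [authorize_withdrawal(WEB_KEY, r, sign(WEB_KEY, r), SESSIONS, t)
            for r, t in cases]

if __name__ == "__main__":
    print(demo())
```

A validly signed request made while the user's verified session is still inside the window passes, so this check narrows the exposure from a stolen web server key rather than removing it.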