Wednesday, December 21, 2011

Why Selling Bitcoins on eBay is a Bad Idea

Not too long ago, I discovered that people were buying and selling Bitcoins on eBay. I also discovered that they were being sold for a whopping 200%-300% more than the current Mt. Gox price! "Wow!" I thought, "I could really make some money here".

The plan was simple: Buy Bitcoins at Mt. Gox, then sell them on eBay. Bam! Instant, easy profit.

Unfortunately, things didn't work out as planned. I did have some legitimate sales, but it didn't take long to discover that there are a lot of dishonest scumbags out there who are willing to lie, cheat and sell their integrity just to make a quick buck.

The Scam:
  • Buy Bitcoins on eBay and pay with PayPal.
  • Turn around and tell PayPal that someone else has fraudulently used your account to make a purchase.
  • Because you cannot provide a standard "tracking number" to prove that you have sent the goods, PayPal reverses the transaction, leaving the scammer with both your money and your bitcoins.
  • eBay, having made it so that sellers cannot leave negative feedback for buyers, effectively protects the scammer so that they can cheat the next guy too.

Of course, you could provide PayPal with your Bitcoin address and a link to blockexplorer.com where they could see that the transaction took place, but... What are the chances they'd actually understand it?

Granted, I did not try very hard to win the disputes that were filed against me as I had more important uses for my time and the overall amount was less than $100 USD. If you were diligent enough in attempting to prove that they are a lying cheat, you may have more success.

In the end, I definitely recommend NOT selling Bitcoin on eBay. If you find a way to block scammers, let me know and I'd be glad to make a post on it (giving you full credit, of course).

Tuesday, December 20, 2011

Internet Security: How Secure is Your Account?

Some people are jerks.

Just the other day, I woke up to a rude surprise. I had an email from Mt. Gox explaining that my account had been blocked for "violating the rules of exchange". Violating the rules of exchange? That's kind of hard to do in your sleep. As I sat there wondering what was going on, I got a second email from Mt. Gox: "There has been a withdraw from your Mt.Gox account. Please contact us as soon as possible if you did not request this withdrawal". It's rather difficult to withdraw funds from your account while sleeping as well. I logged on to my account at Mt. Gox to discover that my account had been compromised and my account drained - all US$200 in Bitcoins. I had nothing left.

I immediately emailed Mt. Gox about what had happened, as instructed in the second email. Then, I did some digging.

First, I did a geolocation lookup of the hacker's IP address. The location: Malaysia.

Bummer.

Then I took a closer look at the emails I received. The email notifying me of the withdrawal was legit. The one notifying me that my account had been blocked, however, was not. Gmail provided me with some useful info:

From: info@mtgox.com via msk4.imhoster.net
mailed-by msk4.imhoster.net

See that? The hacker spoofed the From address. The email was sent from a different server altogether. This is a form of what is known as phishing, a method hackers use to get information from victims by impersonating another person or entity that seems legitimate and asking for personal information. In this case, the hacker was simply covering his tracks by making it appear that my funds had disappeared for legitimate reasons.

Mt. Gox was not much help. They told me that the transaction could not be reversed, that they were sorry for my loss and that if I decided to file a police report, they would contribute any necessary information (which, considering the location of the attacker, seems somewhat out of the question).

My purpose here, however, is not to tell my tale of woe, but rather to talk about internet security.

Phishing

As stated earlier, phishing is a type of "social engineering" in which a hacker impersonates an individual or organization that seems trustworthy. Phishing is typically done via email; it will usually appear to be from a website that you use frequently - for example, Facebook, Twitter, online banking, Gmail, etc. A common form of phishing is asking the user to "verify" their account information, for example, after a system update. Users who fall for this trick are simply handing their username and password to the hacker - giving them full access to their account. Here are some things to look for to avoid falling for these scams:

How To Avoid Phishing Scams

  1. Watch For Threats
     A hacker needs some form of motivation to make you fall into his trap - fear is often the tool of choice. "Your account will be deleted if you do not verify your information" is a typical example. Making threats that something bad will happen if you do not follow the instructions is a definite red flag.
  2. Know Your Grammar
     Often, but not always, you'll find spelling errors in fake emails. These scams often originate in China or India, where they can hide from the law. I'm sure you've (tried to) read the instructions that came with a product that was "Made in China". If an email is reminiscent of the poor "Engrish" in those instructions, you probably shouldn't trust it.
  3. Asking for Personal Information
     Why would your bank want to know your password? Or your credit card number? Shouldn't they already have it? Legitimate organizations will not ask you for sensitive information via email. Email is not a secure form of communication, and you should never send passwords etc. via email, even if it's to someone you trust. Hackers can intercept unencrypted information sent across the internet.
  4. Encryption
     If a link in an email takes you to a website requesting information, make sure that the URL starts with https://, not just http://. The "s" in "https" means "secure" - the information is being encrypted before being transmitted. Fake websites will not use encryption. Also, the address bar of most web browsers will be either green or blue if the webpage you're viewing is secure.
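The header comparison made above (a From address at one domain, but "mailed-by" a different host) and the four warning signs in this list can all be checked mechanically. The following is an added example, not code from the original post; it parses a raw email with Python's standard library, compares the From domain with the host in the outermost Received header (the same thing Gmail shows as "via"/"mailed-by"), and scans the body for threatening language, requests for credentials and plain-http links. Both sample messages are constructed for the example: the first reuses the header values quoted in the post (info@mtgox.com via msk4.imhoster.net) with a made-up body and a reserved .example link, the second uses an invented relay host mail.mtgox.com to show the non-suspicious case. The phrase lists and the one-point-per-indicator score are this example's own assumptions.

```python
"""Phishing triage for a raw RFC 5322 message (added example, not the post's code)."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumed indicator phrases; tune these for the mail you actually receive.
THREAT_PATTERNS = [
    r"account (?:will be|has been) (?:blocked|deleted|suspended|closed)",
    r"within \d+ (?:hours|days)",
    r"immediately",
]
CREDENTIAL_PATTERNS = [
    r"\bpassword\b",
    r"credit card",
    r"verify your (?:account|information|details)",
]
# A Received header starts "from HOST (...) by ..."; capture HOST.
RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: header values mirror those quoted in the post, body is invented.
PHISH = """\
Received: from msk4.imhoster.net (msk4.imhoster.net [192.0.2.10])
        by mx.example.net with ESMTP id abc123
        for <victim@example.net>; Wed, 21 Dec 2011 03:14:07 +0000
From: "Mt.Gox Support" <info@mtgox.com>
To: victim@example.net
Subject: Your account has been blocked
Content-Type: text/plain; charset="utf-8"

Your account has been blocked for violating the rules of exchange.
To restore access, verify your account within 24 hours at
http://mtgox.com.verify-login.example/ and confirm your password.
"""

# Constructed sample of a plausible legitimate notice; mail.mtgox.com is an assumed host.
LEGIT = """\
Received: from mail.mtgox.com (mail.mtgox.com [192.0.2.20])
        by mx.example.net with ESMTP id def456
        for <victim@example.net>; Wed, 21 Dec 2011 03:20:00 +0000
From: info@mtgox.com
To: victim@example.net
Subject: Withdrawal notice
Content-Type: text/plain; charset="utf-8"

There has been a withdrawal from your account.
Please contact us if you did not request this withdrawal.
"""


def sender_domain(msg):
    """Domain of the visible From: address (what the victim sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def relay_host(msg):
    """Host named in the outermost (first) Received: header, i.e. the server
    that handed the message to the recipient's provider; Gmail calls this 'mailed-by'."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    m = RECEIVED_FROM.match(received[0].strip())
    return m.group(1).lower() if m else ""


def same_org(domain, host):
    """True if the relay host is the sender domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyze_email(raw):
    """Return the indicators from the post plus a simple count of how many fired."""
    msg = Parser(policy=policy.default).parsestr(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    domain, host = sender_domain(msg), relay_host(msg)
    links = URL_RE.findall(text)
    findings = {
        "sender_domain": domain,
        "relay_host": host,
        "relay_mismatch": not same_org(domain, host),
        "threat_language": any(re.search(p, text, re.IGNORECASE) for p in THREAT_PATTERNS),
        "asks_for_credentials": any(re.search(p, text, re.IGNORECASE) for p in CREDENTIAL_PATTERNS),
        "insecure_links": [u for u in links if u.lower().startswith("http://")],
    }
    findings["score"] = sum(
        int(bool(findings[k]))
        for k in ("relay_mismatch", "threat_language", "asks_for_credentials", "insecure_links")
    )
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze_email(sample))
```

The relay comparison reproduces the manual check made above and is only a triage signal: legitimate senders do sometimes route mail through third-party providers, so treat a mismatch as a reason to look closer rather than a verdict. Today the SPF and DKIM results that receiving servers record in the Authentication-Results header give a stronger answer to the same question.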