Yesterday’s news that a number of LocalBitcoins.com users reported missing bitcoins came as a shock to the bitcoin community.
Could the trusted platform used by enthusiasts have been compromised in some manner? According to the service, the answer is no.
In a blog post dated Friday, April 18th, the company presented their evidence as to why they aren’t responsible for the recent losses of a small subset of their user base.
“LocalBitcoins team did not find any evidence of compromised site security,” they said.
What made the story interesting is that at least one of the users who reported losses was said to have two-factor authentication enabled. This would, if set up correctly (with the second factor kept on a separate device), prevent anyone who had key-logged the password from entering the account, as they would also have needed a secondary code that changes frequently.
The user has admitted storing his two-factor codes on the Android device. In this case, if the user used this particular Android device to access LocalBitcoins and the device was compromised, the attacker gained access to the user’s password, session id and two-factor codes. Furthermore, it was reported on Reddit that the credentials of this particular user have been found on known compromised account lists circulating on the Internet.
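To make the same-device failure mode concrete, here is an added example (not code from LocalBitcoins or from the original article) of a server-side two-factor check. It assumes a TOTP-style second factor (RFC 6238, HMAC-SHA1, 30-second steps); the article does not say which scheme LocalBitcoins used, so that is an assumption. The seed is the RFC 6238 test seed, used here as constructed sample input. The two attacker functions show the difference between a keylogger that only sees the password and one code, and a compromised phone that yields the seed itself.

```python
"""TOTP (RFC 6238) login check: a keylogged code expires, a stolen seed does not.
Added example; assumes a TOTP-style second factor, not LocalBitcoins' own code."""
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP window (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at_time // STEP, digits)


def verify_login(password_ok: bool, code: str, secret: bytes, now: int, window: int = 1) -> bool:
    """Server-side check: the password must be right AND the code must match the
    current window or one step either side (clock drift). Constant-time compare."""
    if not password_ok:
        return False
    counter = now // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


# --- attacker scenarios (hypothetical, constructed for the example) ---------

def replay_keylogged_code(secret: bytes, captured_code: str, attempt_time: int) -> bool:
    """Keylogger on the PC: attacker has the password and one code, but not the seed."""
    return verify_login(True, captured_code, secret, attempt_time)


def login_with_stolen_seed(secret: bytes, attempt_time: int) -> bool:
    """Compromised phone: attacker has the password and the seed, so generates
    a fresh code for whatever time the login happens."""
    return verify_login(True, totp(secret, attempt_time), secret, attempt_time)


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 test seed (constructed sample, not a real account)
    code_seen = totp(SECRET, 59)       # code the keylogger captured at t=59: "287082"
    print(replay_keylogged_code(SECRET, code_seen, 89))   # True: still inside the drift window
    print(replay_keylogged_code(SECRET, code_seen, 179))  # False: code has expired
    print(login_with_stolen_seed(SECRET, 179))            # True: seed yields a valid fresh code
```

The point a practitioner should take from this: the drift window only buys an attacker a minute or so of replay, which is why a keylogged code rarely matters; the seed, however, is a permanent second password, and keeping it on the same device that types the first one collapses two factors into one.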
The Finland-based company took the opportunity to swat down any claims that the loss of bitcoins may have been related to an inside job:
This case is also very unlikely to be an inside job. LocalBitcoins logs all the actions done by its support staff and developers to an audit log, so potential abuse of staff privileges is easily uncovered. Two-factor authentication codes and passwords are not accessible to the support staff. Furthermore, it would not be very rational for an insider to attack one particular user and his/her wallet only, if the insider had access to all wallets.
A number of other reports came in, and in every one of those cases the user did not have two-factor authentication set up, according to LocalBitcoins.
Attackers can quite easily obtain users’ credentials through elaborate phishing attempts or malware that logs keystrokes. Without a second factor, the system has no other way of proving that the individual entering the credentials is the legitimate account holder.
As such, the company recommends enabling two-factor authentication, scanning one’s personal computer for malware, and changing the account password if the user feels at risk.
The company noted that they keep a majority of customer bitcoins in cold storage, effectively making them inaccessible to attackers.