Testing anti-phishing methods

source: Bitbargain.com

2016. May. 11. 05:21


Yesterday two users had bitcoins stolen from their accounts after they clicked AdWords advertisements, entered their passwords on a fake website and then went to the real site to complete a trade. The attackers logged in with the victims’ passwords, waited for the trades to end and withdrew the coins.

Unfortunately the buyers did not have two factor authentication set up.

We have seen all kinds of methods against phishing. They usually fall into one of the following two categories:

1) Some kind of warning displayed to the user. Think of the login seal on Yahoo, or the IP based login picture on Localbitcoins. Kind of worthless, isn’t it? Whoever doesn’t check that they’re on the right website and using a secure HTTPS connection will certainly not spot the difference in images (which change all the time anyway).

2) Second tier checks. Think of Google Authenticator, text message based 2FA or the so called Login Guard on Localbitcoins. These do work for the most part in preventing phishing attacks, the problem is that if you do not force it on users, most won’t enable them and the scammers will keep finding victims. If you do force it on them, it causes a great inconvenience. Think of late text messages, verification e-mails lost due to anti-spam measures and similar.

The real problem is the user giving out his or her password on a fake website. We will continue to refuse to force tedious security procedures on 99.999% of users because of the understandable, but avoidable mistakes made by the 0.0001%.

So do we just sit back and do nothing while Google misleads our users and sends them to phishing pages repeatedly? Of course not. Here is a list of things we do:

- We encourage our users from time to time to enable two factor authentication

- We come up with custom solutions on the fly during a specific attack and use heuristics with virtually zero false positives to prevent coins from being stolen. This has prevented over 20,000 GBP worth of coins from being stolen in the past.

- We contact the hosting provider & domain registry and do our best to get the domain names removed (we have been successful at suspending dozens of phishing domains so far) - making it much more work and less cost-effective to defraud our users.

Since yesterday’s phishing attack, a new security feature has been introduced. It may be a bit more intrusive than the other measures taken, but false positives will be monitored.

The short (and simplified) version: if a withdrawal is attempted from a different IP address than the one which started the recent trade, it is refused and an e-mail is sent to the buyer with the attempted withdrawal’s details.

We hope that this feature will prevent loss of bitcoins for many buyers who give out their password on phishing sites without impacting regular use. The security feature will be disabled if it affects too many users (even two users affected per month is too many).
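The withdrawal rule described above, as an added example that is not Bitbargain’s code: it compares the IP requesting a withdrawal with the IP that started the buyer’s most recent trade, refuses on mismatch, and builds the alert sent to the buyer. The record fields, the 24-hour window that makes a trade “recent”, the sample data and the e-mail wording are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: a trade counts as "recent" for 24 hours after it was started.
RECENT_TRADE_WINDOW = timedelta(hours=24)

@dataclass
class Trade:
    buyer: str
    started_at: datetime
    started_from_ip: str  # IP of the session that opened the trade

@dataclass
class Withdrawal:
    buyer: str
    requested_at: datetime
    from_ip: str
    amount_btc: float

@dataclass
class Decision:
    allowed: bool
    reason: str

def last_recent_trade(trades, buyer, now):
    """Most recent trade this buyer started inside the window, or None."""
    recent = [t for t in trades
              if t.buyer == buyer and timedelta(0) <= now - t.started_at <= RECENT_TRADE_WINDOW]
    return max(recent, key=lambda t: t.started_at) if recent else None

def check_withdrawal(w, trades):
    """Refuse only when a recent trade exists and its IP differs from the withdrawal IP."""
    trade = last_recent_trade(trades, w.buyer, w.requested_at)
    if trade is None:
        return Decision(True, "no recent trade; rule does not apply")
    if trade.started_from_ip == w.from_ip:
        return Decision(True, "withdrawal IP matches the IP that started the trade")
    return Decision(False, f"withdrawal from {w.from_ip} but trade started from {trade.started_from_ip}")

def alert_email_body(w, d):
    """Text sent to the buyer when a withdrawal is refused (assumed wording)."""
    return (f"A withdrawal of {w.amount_btc} BTC requested at {w.requested_at.isoformat()} "
            f"from IP {w.from_ip} was refused: {d.reason}. "
            "If this was not you, change your password and enable two factor authentication.")

# Constructed sample data: a buyer opens a trade from one IP; a withdrawal then arrives from another IP.
TRADES = [Trade("alice", datetime(2016, 5, 10, 9, 0), "203.0.113.10")]
ATTACKER_WITHDRAWAL = Withdrawal("alice", datetime(2016, 5, 10, 11, 30), "198.51.100.7", 0.5)
LEGIT_WITHDRAWAL = Withdrawal("alice", datetime(2016, 5, 10, 11, 45), "203.0.113.10", 0.5)
```

A buyer with no trade inside the window is left alone, which is what keeps the rule from touching ordinary withdrawals.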