[Bitcoin-development] MtGox blames bitcoin

Peter Todd pete at petertodd.org
Mon Feb 10 19:40:32 UTC 2014


On Tue, Feb 11, 2014 at 01:00:21AM +0530, naman naman wrote:
> Hi guys,
> 
> Please check this thread
> https://bitcointalk.org/index.php?topic=458608.0for a possible attack
> scenario.
> 
> Already mailed Gavin, Mike Hearn and Adam about this :
> 
> See if it makes sense.

That's basically what appears to have happened with Mt. Gox.

Preventing the attack is as simple as training your customer service
people to ask the customer if their wallet software shows a payment to a
specific address of a specific amount at some approximate time. Making
exact payment amounts unique - add a few satoshis - is a trivial if
slightly ugly way of making sure payments can be identified uniquely
over the phone. That the procedure at Mt. Gox let front-line customer
service reps manually send funds to customers without a proper
investigation of why the funds didn't arrive was a serious mistake on
their part.

Ultimately this is more of a social engineering attack than a technical
one, and a good example of why well-thought-out payment protocols are
helpful. Though the BIP70 payment protocol doesn't yet handle busines to
individual, or individual to indivudal, payments a future iteration can
and this kind of problem will be less of an issue.

Similarly stealth addresses have an inherent per-tx unique identifier,
the derived pubkey, which a UI might be able to take advantage of.

-- 
'peter'[:-1]@petertodd.org
0000000076654614e7bf72ac80d47c57bca12503989f4d602538d3cd7892ca7d
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 685 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140210/eff54755/attachment.sig>


More information about the bitcoin-dev mailing list