Whenever we do any type of business on the internet we receive a warning that our passwords will never be requested in an email. The reason for this is simple: scammers often pose as legitimate businesses in phishing scams. While requests for passwords are unusual, they are not unknown and are sometimes necessary. Blockchain.info is an excellent example of this: the company has recently requested account passwords from many of its users.
Blockchain.info has been exposed on two different occasions by the white hat hacker Johoe for having abysmal security. Running scripts he had written, Johoe was able to exploit the system's weaknesses and skim off several hundred BTC. Johoe has since returned the funds to Blockchain.info, and the company is reimbursing the affected users, but apparently because of the company's policies these reimbursements have run into a snag.
Blockchain.info, as a security measure, stores neither the private keys nor the passwords of its clients. The company has made several statements about how it is dealing with the issue, saying that any customer whose keys were compromised would be reimbursed. But for the reimbursement program to work, according to the company's statements, it needed to access the affected wallets. A Reddit post describing the issue follows:
“Blockchain never has access to your addresses or private keys. It also means our support team has no optics into wallet balances or addresses. As part of our process to reimburse users we have to ask for their input and review each wallet individually.
“Here is how we’re doing it. First, we ask wallet owners to set up a completely new wallet then move any remaining funds into completely new addresses. Next, once the wallet with issues has an empty balance, we’re asking users for their original passwords so we can decrypt the wallets and confirm they were in custody of the weakly generated address at the time the funds were swept. Finally, upon confirmation they owned the address we’re reimbursing them to a new address provided by the end user.
“We warn them very clearly to move the funds first and never use that wallet again. We realize this is a stressful time for many and we’re working around the clock to wrap up the reimbursements. So far we’ve processed hundreds and if you have questions or concerns drop us a case at blockchain.zendesk.com.”
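The decrypt-and-confirm step in the post, as an added example that is not Blockchain.info's code or wallet format: a wallet backup sealed under a password-derived key, and the check a support desk would run to confirm that the swept address belongs to that wallet. The container layout, the key-derivation parameters and the sample wallet (placeholder addresses, placeholder private keys) are all constructed here; the only real parts are the standard-library primitives. It also shows why the ordering in the post matters: anyone holding both the backup and the password can read every private key in it, so the wallet has to be emptied before the password is shared.

```python
"""Added example (not Blockchain.info code): a password-encrypted wallet backup
and the ownership check described in the post.  The container format here is
constructed for illustration and uses only the standard library:
PBKDF2-HMAC-SHA256 to derive keys, HMAC-SHA256 in counter mode as the
keystream, and a separate HMAC tag so a wrong password is detected cleanly."""
import hashlib
import hmac
import json
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative cost factor, not the service's
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the wallet password into independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: deterministic bytes from key and nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_wallet(wallet: dict, password: str) -> bytes:
    """Serialise the wallet and seal it: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    plaintext = json.dumps(wallet, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_wallet(blob: bytes, password: str) -> Optional[dict]:
    """Return the wallet dict, or None if the password is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def confirm_custody(blob: bytes, password: str, swept_address: str) -> bool:
    """The support-desk step: decrypt with the user's password and check that
    the address the funds were swept from is one of the wallet's own keys."""
    wallet = decrypt_wallet(blob, password)
    if wallet is None:
        return False
    return swept_address in {entry["addr"] for entry in wallet.get("keys", [])}


# Constructed sample wallet; the address strings are placeholders, not real addresses.
SAMPLE_WALLET = {
    "guid": "00000000-constructed-guid",
    "keys": [
        {"addr": "1ConstructedWeakAddrAAAA", "priv": "<placeholder private key>"},
        {"addr": "1ConstructedOtherAddrBBBB", "priv": "<placeholder private key>"},
    ],
}


def demo() -> dict:
    """Seal the sample wallet, then run the custody check three ways."""
    password = "correct horse battery staple"
    backup = encrypt_wallet(SAMPLE_WALLET, password)
    return {
        "right_password": confirm_custody(backup, password, "1ConstructedWeakAddrAAAA"),
        "wrong_password": confirm_custody(backup, "hunter2", "1ConstructedWeakAddrAAAA"),
        "foreign_address": confirm_custody(backup, password, "1NotInThisWalletCCCC"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the correct password against an address actually held in the wallet confirms custody; a wrong password fails the integrity tag before any decryption is attempted, and an address the wallet never held is rejected even with the right password.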
A number of people are criticizing Blockchain.info for openly requesting passwords over email. This is certainly questionable and probably could have been handled differently, but in the company's defense it made very clear that affected account holders were to ensure the affected wallet was completely empty and never used again before handing over any account information.
This is yet another example of why web-based wallets are a bad idea. If you trust your assets to an online service, you are effectively trusting your money to a third party whose business is situated in a high-crime area. If you insist on using these types of services, it might be better to keep your money in a bank than in cryptocurrencies, because one of the main features of virtual currencies is that they give users complete control over their funds. Blockchain.info is not a bad company, and it certainly does not appear to be a scam. But its business is located in a venue that leaves it open to attacks its users have no way to either anticipate or control.