joepie91's Ramblings

home RSS

Site5, and their insecure practices and questionable business ethics

08 Mar 2013

So, recently, Site5 was social-engineered, resulting in $12,000 worth of Bitcoins being stolen from BitInstant. And Site5 released a statement.

What is quite notable about this entire event, is that apparently all that was required to compromise BitInstant, were the answers to their security questions. This turned out to be sufficient information to access their account, and change the contact information on it, eventually leading to the theft.

Many people will probably realize that 'security' questions are actually very insecure. When answered truthfully, they can be guessed by anyone with sufficient knowledge of the account holder. When answered untruthfully, you need to keep track of the answers somewhere, thereby completely defeating the point of having security questions "in case you lose your password" - after all, if you lost your password, wouldn't you likely also have lost your security questions?

But apparently Site5 is not responsible for your security, and that' something you have to take care of entirely by yourself as account holder, even if they don't give you the tools to do so. Oh, and those that simply aren't aware of how to do things securely, apparently don't deserve security either. Let's have a look at the thread of comments that ensued... (click for full size, article continues below image)


Now you might be wondering... what are those questionable business ethics I speak of? Well, apparently the PR department at Site5 wasn't happy that someone responded critically to their (lack of) security and responsibility, and the request for "tips and pointers" only extends to things that put Site5 in a positive light. Clearly protecting their reputation is more important to them than keeping their users secure.

If you have a look at the thread as it is now, you'll notice that the above conversation has mysteriously vanished. Entirely. Sadly, my last comment has been unrecoverably lost before it could be screenshotted. It basically came down to "you're just repeating the same things over and over again, ignoring the points I am making".

Oh, and Ben sent me an e-mail. It contained the same (flawed) arguments as before, and apparently the reason for deletion of the thread was as follows:

I removed the posts from the blog as they are not serving any purpose and you are being argumentative.

Can't have someone being argumentative in a comments section, of course.

Anyway, draw your own conclusions.

PS. Ben, I'll gladly continue this conversation, but not via e-mail. I'll only discuss this in a place where your users can get transparency about what's going on, and what they need to be aware of. I have a very low tolerance for dishonesty and hiding security issues, especially if the dishonesty takes place with commercial motives.