NSW Negligence by BTC Markets - Where Do I Stand?


Rod

Lawyer
Is this not a straightforward case to prove in the court?

Lawyers don't decide, judges do. Remember there is another side to this story and we've heard nothing from them, plus we have seen no correspondence and haven't read the BTC Markets terms and conditions. Too many unknowns for someone online to give any more than a rough guesstimate based solely on your post.

I meant acting on principle, rather than trying to recover your principal sum. You need to decide what is best for you. If unsure, you can spend an hour or two getting proper legal advice before deciding what to do. If you do go see a lawyer, take all your documentation and see what they say.

It is standard commercial practice to sign a waiver as part of a settlement agreement, and in most situations it is a reasonable thing to do. It avoids the potential for 'double dipping' by one party.

faustus

Well-Known Member
Fair Trading mentioned that they do not have authority to direct BTC Markets to make the payments despite all the evidence.

I believe they are the incorrect body to contact. (BTC Markets - Buy Bitcoins | Bitcoin Exchange - Regulation) AUSTRAC, AML/KYC... they are dealing in a financial instrument. Per their own suggestions (BTC Markets - Buy Bitcoins | Bitcoin Exchange - Suggestions and Complaints), they tell you to contact the financial ombudsman.

This is the beautiful thing about regulated industries. The more regulated things are, the easier it is for them to have been in breach of something. I base this on my own experience with dealing with telcos:

I'll print out the telecommunications consumer protections code, and with each chat transcript I have of interacting with my provider, I'll find at least 2-3 breaches. I reckon you should print out the codes they are obligated to comply with, slowly read through them, and read them again. And again. You'll start seeing breaches everywhere, and maybe one of these breaches will be applicable to your case.

A few questions:
  1. Are you using their API at all?
  2. Who is your e-mail provider, and do you have 2FA enabled?
  3. Bank?
  4. Mobile provider?
  5. Do you have a rooted/jailbroken phone?
  6. What operating system do you use?
  7. Internet connection type? wifi vs ethernet vs public wifi
  8. Internet source? router vs gsm modem?

BTC Markets is covering their negligence of the duty of care in protecting the security of my account in the Agreement. The Agreement states the following points, which are incorrect.
  • I claimed that my account was compromised by a third party. In fact, this statement was made by BTC Markets, who mentioned that my email account was compromised. I have no evidence from my email account of the emails referred to by BTC Markets.
  • There is no mention of BTC Markets disabling the 2FA of my online trading account, which led to the theft of funds in my account.

That's why you send them a letter via registered post, politely requesting under the Privacy Act:

1. History of all logins into your account from creation of the account to the present day.

Request the unix timestamp, recorded IP address, and any records of failed logins.

2. All logs of all e-mail correspondence sent to you, and received from you, from creation of the account to the present day.

Importantly, make sure all e-mails are full and unmodified, including the headers.

I'll be honest: if I were BTC Markets and believed I had conducted myself appropriately, I'd offer a settlement amount of $0.00. I've poked around their server code, and I vaguely recall rumours that they weren't securing their site appropriately against script injection, but for the life of me, I can't remember where I had read it.

Notwithstanding, I disagree with you that they were obliged to verify the mobile phone before deactivating 2FA. Your phone was stolen, remember? In my case, I had accidentally flashed my phone so lost my 2FA key. Also, 2FA does not require a phone. For example, I've converted a YubiKey NEO into my Google 2FA key.

BTW, do yourself a favour: get a YubiKey. Mobile-based 2FA is extremely vulnerable.
 

SuKar

Active Member
Thanks for your response.

Unlike what you mentioned, my phone was never stolen. According to BTC Markets, they received an email from my registered email address saying "My phone was lost" and asking to disable the 2FA. BTC Markets claims that my email account was hacked.

As per the BTC Markets FAQ (BTC Markets - Buy Bitcoins | Bitcoin Exchange - FAQs), in the event the phone is lost, the resetting of 2FA should be done by the end user. The link provided in the FAQ to reset the 2FA validates both "Registered Email" and "Registered Mobile" and sends a code to the mobile, which should be input to the system to reset. This online process is working perfectly fine. However, BTC Markets bypassed this process, which is clearly a breach of contract. Moreover, BTC Markets did not validate the details provided by the hacker in the email, exposing themselves to negligence of duty of care.

While email is my 1st level of security, mobile is defined as the 2nd level of security. Under no circumstances should the 2nd level of security be disabled by receiving input from the 1st level of security (email), as this will defeat the very purpose of having the security in place.
 

faustus

Well-Known Member
This online process is working perfectly fine.

My apologies, I'll try that again.

A little background: I have a BTC Markets account. I also lost my 2FA key by flashing my phone. I tried to reset it by going to their reset page (https://btcmarkets.net/two-fa-reset). However, when I submitted my details I received an error message. Maybe my IP address was different, or I didn't have a particular browser cookie.

Regardless, on the reset page they state: If you have lost access to your two-factor authentication code you can use this form to regain access to your account. If you are still unable to access your account please contact support. So that's how I reset my 2FA. I personally believe that how they handled the process was acceptable. Could be much better but still acceptable.


While email is my 1st level of security, mobile is defined as the 2nd level of security. Under no circumstances should the 2nd level of security be disabled by receiving input from the 1st level of security (email), as this will defeat the very purpose of having the security in place.

This is where you're losing me. Is this what you're arguing? If so, I disagree with you and I think what you're saying is not consistent with the theory behind 2FA. You're describing this as 1st level and 2nd level -- as though you need to pass one authentication stage, and then if successful, you authenticate stage two.

Under no circumstances should the 2nd level of security be disabled by receiving input from the 1st level of security (email), as this will defeat the very purpose of having the security in place.

If you believe this, then I'm not sure you fully understand 2FA or infosec theory. If you want me to explain it to you in detail I'd be happy to. And that's why I suspect they could be hiding something, because if you came to me with this reasoning I would decline to give you anything.

I'm sorry, I know that's not what you want to hear. But read what I'm saying: I think you are wrong, and the fact that they are offering 50% makes me wonder if there is something else that they are covering up.


BTC Markets claims that my email account was hacked.

That's what I'm thinking actually happened. But it's not the only possibility. Hence my different questions. You should try to work out how it happened, because it might help you work out if you can recover your losses, just not from BTC Markets. For example, my e-mail address is protected with 2FA. If I had my BTC Markets account drained, I would not even be looking to recover my losses from them. I would contact my mobile provider and I'd be willing to bet my nutsack that they would lose any complaint I had against them, although I can't comment right now on why this is the case.
 

faustus

Well-Known Member
Ok I think this is a little closer to why they might be offering something.

This is a much better argument: Is your withdrawal delayed? – Enquiries or feedback for BTC Markets



As part of our on-going effort to improve the security of our users accounts, we have enforced two-factor authentication on all withdrawals.

  • Users that do not have two-factor authentication enabled on their account will now be required to authorise withdrawals via email.
  • Users that have two-factor authentication enabled on their account will now be required to enter a two-factor code when submitting a withdrawal request.

If you no longer have access to your email and want to authorise a withdrawal there are currently two options.

  • Enable two-factor authentication on your account (recommended)



You had 2FA enabled. The imposter disabled it. A moment later they attempted to make a withdrawal. They received an e-mail which they then used to authorise the withdrawal.

I have BTC accounts with over 15 exchanges around the world. Long story -- trust me, you had far, far more BTC.

That sort of account activity should have been prevented. For example, one practice is to disable withdrawals for 48 hours after resetting 2FA. And that is one of the more "relaxed" protocols.


Is BTC Markets safe and secure?
Security and privacy of our clients accounts' and data is our top priority. We run regular reconciliations of all our funds (twice a day for crypto and every hour for AUD) to ensure we have a full reserve. We also apply the best practises and are continually developing and enhancing our security measures.


LOL your argument: their claim that they apply best practices was a false or misleading representation. Had you known that their security practices were so non-normative relative to all other providers, you would have utilised a different exchange.
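The sequence faustus describes above (2FA removed, then a withdrawal authorised a minute later by e-mail link) and the control he cites (hold withdrawals for 48 hours after a 2FA reset), as an added example that is not code from this thread or from BTC Markets: a small withdrawal-authorisation policy in Python. The account fields, channel labels and the rule that a reset must be confirmed by more than the e-mail channel alone (as the reset form discussed earlier is said to check both e-mail and mobile) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Set, Tuple

# 48-hour hold after a 2FA reset, the "relaxed" practice quoted in the thread
# (assumption: the window is a tunable policy parameter).
RESET_HOLD = timedelta(hours=48)

# Constructed timestamp used by the replay below.
T0 = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)


@dataclass
class Account:
    """Hypothetical per-account state; the field names are assumptions."""
    twofa_enabled: bool = True
    twofa_reset_at: Optional[datetime] = None      # when 2FA was last removed
    reset_channels: FrozenSet[str] = frozenset()   # channels that confirmed it


def reset_twofa(acct: Account, now: datetime, confirmed_by: Set[str]) -> Tuple[bool, str]:
    """Remove the second factor. The e-mail channel on its own cannot authorise this:
    it is the channel an attacker usually controls first, and removing the second
    factor on its say-so collapses 2FA back to one factor (assumed policy)."""
    channels = frozenset(confirmed_by)
    if not channels or channels <= {"email"}:
        return False, "refused: e-mail alone cannot remove the second factor"
    acct.twofa_enabled = False
    acct.twofa_reset_at = now
    acct.reset_channels = channels
    return True, "2FA removed; withdrawals held until " + str(now + RESET_HOLD)


def authorise_withdrawal(acct: Account, now: datetime, presented: Set[str]) -> Tuple[bool, str]:
    """Mirror of the quoted FAQ rule (TOTP code if 2FA is on, e-mail link otherwise),
    plus the hold window so a fresh reset cannot be cashed out immediately."""
    if acct.twofa_reset_at is not None and now - acct.twofa_reset_at < RESET_HOLD:
        return False, "held: 2FA was reset less than 48 hours ago, manual review required"
    needed = "totp" if acct.twofa_enabled else "email_link"
    if needed in presented:
        return True, "authorised via " + needed
    return False, needed + " required"


def replay_thread_timeline() -> Tuple[bool, bool, bool]:
    """Constructed replay: an e-mailed reset request, then a withdrawal a minute later."""
    acct = Account()
    reset_ok, _ = reset_twofa(acct, T0, {"email"})            # refused under this policy
    # Legitimate path: reset confirmed by e-mail and an SMS code to the registered mobile.
    reset_twofa(acct, T0, {"email", "sms"})
    early_ok, _ = authorise_withdrawal(acct, T0 + timedelta(minutes=1), {"email_link"})
    later_ok, _ = authorise_withdrawal(acct, T0 + RESET_HOLD, {"email_link"})
    return reset_ok, early_ok, later_ok                       # (False, False, True)
```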
 

SuKar

Active Member
Thanks for your inputs once again, faustus. I am an amateur in Bitcoin opportunities. After this bitter experience with BTCMarkets.Net and the related cybercrime, I have been financially impacted and have stopped all investment options. After my experience with BTCMarkets.net, I have now enabled 2FA on my email. Before this incident, I was not aware that 2FA was available for email.

I can see you have a lot of experience with Bitcoin. It is very evident that BTCMarkets.net did not comply with their process and also exhibited negligence by disabling the 2FA without proper scrutiny. I would like to seek your opinion on the best options to recover my lost funds. I am happy to share any additional information you may need. I would also like to have a 1-1 interaction with you, either by email or phone.
 

SuKar

Active Member
If you believe this, then I'm not sure you fully understand 2FA or infosec theory. If you want me to explain it to you in detail I'd be happy to. And that's why I suspect they could be hiding something, because if you came to me with this reasoning I would decline to give you anything.

I am very keen to understand 2FA or infosec theory from you. Please let me know the best way to have a 1-1 conversation with you.

My fundamental question is: when my email is hacked, how can BTC Markets disable 2FA based on inputs received from that email? Moreover, every question asked by BTC Markets is answerable from my registered email account, which could have been hacked.

In addition, 2 responses received from the imposter, i.e. "Street Type" and "Account balance", were incorrect, but BTC Markets still disabled the 2FA on my account. I would expect BTC Markets to support the online process validating both email address and mobile number, as mentioned in the online resetting process.

Alternatively, BTC Markets should perform 100% verification of the account in addition to seeking a police case number for the lost phone.
 

faustus

Well-Known Member
Moreover, every question asked by BTC Markets is answerable from my registered email account, which could have been hacked.

Yes, now you're starting to think. That's a good argument. This is an issue. Big issue.


In addition, 2 responses received from the imposter, i.e. "Street Type" and "Account balance", were incorrect, but BTC Markets still disabled the 2FA on my account.

I know, I realised that the other day when I re-read your initial post for some clues. I had failed to pick it up because I was skimming. But also because that was your best argument, but you had it tucked away in the middle of your post and never brought it up again. I was going to edit my post to apologise for missing that, but the edit button disappeared. Regardless, everything I said is still true regardless of this; had I not made that error, I would not have been so suspicious of their conduct.

Add that argument to your complaint. Now it's starting to sound like you know that BTC Markets is very sloppy. If I were them, I'd start to take you more seriously.


BTC Markets should perform 100% verification of the account in addition to seeking a police case number for the lost phone.


No. The verification protocol shouldn't be adjusted based upon what a stranger claims did or did not happen.

1. That would be so impractical that it is unreasonable to expect them to do that. What is a reasonable measure? The Privacy Act doesn't specify, as it may vary from industry to industry.

More importantly:

2. It means that social engineering can be used to exploit their authentication protocol: in my case, I just lost my 2FA PIN by flashing my phone. What proof do I provide? None. Which means that a hacker could just as easily have said "I lost my 2FA PIN in a manner that just so happens to require the least evidence from me."



Here's another one that you wanna look at:

Do you allow VPNs?
We do not specifically disallow the use of VPNs however the use of a VPN can cause delays in our identity verification systems as well as the processing of deposits and withdrawals. Due to these potential issues we recommend not using a VPN while accessing your BTC Markets account.

What do you reckon? Did your hacker use TOR or a VPN? If so, I wonder what failsafes were in place?

I am very keen to understand 2FA or infosec theory from you.

No. You're going to teach yourself, and get back to me if you need to refine your understanding with questions. You will know that you understand an idea if you can explain it to someone else without using big words. When you think you understand it, I will get you to explain it to me.
Or, if you've hit a wall to understanding it, ask me and I will point you further.
PS. If your first question is "What is 2FA?" Well, then my brain may just explode :confused:
 

SuKar

Active Member
No. You're going to teach yourself, and get back to me if you need to refine your understanding with questions. You will know that you understand an idea if you can explain it to someone else without using big words. When you think you understand it, I will get you to explain it to me.
Or, if you've hit a wall to understanding it, ask me and I will point you further.
PS. If your first question is "What is 2FA?" Well, then my brain may just explode

I believe I understand the purpose of 2FA from a security perspective and also how 2FA works.

I would like to know the legislation in place for 2FA security. As mentioned earlier, I do not agree with the process followed by BTCMarkets.net to disable the 2FA of my online trading account when they received an email from the imposter. Moreover, BTC Markets did not verify the details ("Street Type" and "Account Balance" are incorrect) provided by the imposter.
 

faustus

Well-Known Member
I believe I understand the purpose of 2FA from a security perspective and also how 2FA works.

Good. I would recommend you also learn about:

- Entropy (as it relates to infosec)
- Knowledge-based authentication
- What TOTP is, how it relates to 2FA, and the basics of how it works


---


There's no way to PM (I think). I have put my e-mail address in my signature.