The problem of digital identity, or how to circumvent Blockchain.info 2FA and e-mail authorisation

Subject: [Blockchain] Re: wallet e-mail
From: Jade (Blockchain) <support@blockchain.zendesk.com>

Date: January 5, 11:12 pm
To: Pete D <bitcoinpete@hushmail.com>i

##- Please type your reply above this line -##

[Blockchain] Re: wallet e-mail

Your request (#33920) has been updated. Reply to this email or click the link below:

http://blockchain.zendesk.com/requests/33920
———————————————-
Jade, Jan 06 01:12

The verified email associated with Wallet ID [redacted], is bitcoinpete@hushmail.com. Unfortunately, hushmail’s stringent spam and add filters have a tendency to reject .info labeled emails before ever reaching the customer. I suggest submitting a two-factor authorization reset form in which you can update the email.

https://blockchain.info/wallet/reset-two-factor

The 2FA reset request process is fully automated with a waiting time of between 7 days – 1 month enforced depending on the level of security enabled on the wallet. If the request is malicious this gives time for the real wallet owner to come forward and block the request, as multiple emails will be sent to the verified email address on the wallet before the request is approved. I’m sorry, but we are unable to expedite the request.

++Please note the third area of this form labelled “New Email”:++

If you have lost access to the email address associated with your wallet enter a new email address here. If the two factor authentication reset request is approved this email address will automatically be set as your new wallet email.

This will remove two factor authentication and/or IP restrictions on this wallet, and will then add the email address you added to the “New Email” section as the verified email on your account. We apologize for the inconvenience.
—–
Jade | Blockchain.info Support

Facebook: https://www.facebook.com/blockchain Twitter: https://twitter.com/blockchain

Blog: https://blog.blockchain.com/

Appreciate the help? Send me a tip at https://blockchain.info/address/1BKrJPjpQPxkfJrnqJ2GkotY5ruKKyRH15ii
———————————————-
Peter D, Jan 05 16:31

Greetings,

I’m trying to access one of my wallets with Blockchain.info

([redacted] specifically) but I can’t seem to figure out which email address it’s attached to. I’ve tried my usual ones but nothing is showing up

I have the password, 2-factor, pnemoniciii and everything else, but the system won’t let me access it without the e-mail confirmation. It didn’t do this before so it wasn’t previously an issue. Is this a new feature?

It’s causing me some stress!

In any event, your help in accessing this wallet is much appreciated.

Thank you for your consideration.

Cheers!
Peter
——————————–

This email is a service from Blockchain.

[After completing the requested request.]

Subject: Email Confirmation Needed to Remove Two Factor Authentication
From: Blockchain <no-reply@blockchain.info>

Date: January 6, 2015 11:18 am
To: Pete D <d@gmail.com>

Email Confirmation Needed

A request has been made to remove two factor authentication from Blockchain.info
wallet identifier *[redacted]* and update the email address to d@gmail.com. Please confirm this request is genuine.

*Approve Request:*
[Approve Request link]

*Decline Request:*
[Decline Request link]

[After clicking the “Approve Request” link, and waiting patiently.]

Subject: Two Factor Authentication Disabled
From: Blockchain <no-reply@blockchain.info>

Date: January 20, 2015 11:21am
To: Pete D <d@gmail.com>

Two Factor Authentication Disabled

A request to remove two factor authentication from blockchain.info wallet identifier *[redacted]* was approved. Two factor authentication is now disabled.

*Time:* 2015-01-20 18:21:12

[Followed by a log-in attempt on blockchain.info]

Subject: Authorize log-in attempt
From: Blockchain <no-reply@blockchain.info>

Date: January 20, 2015 11:30am
To: Pete D <d@gmail.com>

Authorize log-in attempt

An attempt to login to your blockchain.info wallet was made from an unknown browser. Please confirm the following details are correct:

*Time:* 2015-01-20 18:30:01
*IP Address:* [redacted]
*Browser:* [redacted]
*User Agent*: [redacted]

*Please check the ip address and browser carefully.* If the above details are correct click the following link to approve the request:

[Approve Request link]

If this login attempt was not made by you it means someone visited your wallet login page from an unrecognised browser. It may be an indication you have been the target of a phishing attempt and might want to consider moving your funds to a new wallet.

Your wallet identifier is: [redacted]

[Unsubscribe link]

As you can see, the 2FA/e-mail authorisation scheme,iv along with any pretense that Blockchain.info could possibly offer its users any security whatsoever, is readily dismissed.

By simply submitting a webwallet identifier and password, scooped via, say, phishing schemev or keylogger,vi it’s a trivial two-week wait to lay your hands on a fresh batch of coins. All the while, the original user is entirely in the dark and won’t have the faintest clue that they’re about to be robbed. That is, until the next time they log into bc.info and find a starkly bolded “0.00 BTC” in the upper-right-hand corner, where once there were hopes and dreams.

For the help desk’s part, no control of the original e-mail address associated with the webwallet was required nor was any further form of identity verification requested. How could they be? Normal people, bc.info’s intended customers, lose their e-mail passwords on the floor all the time and expect there to be a safety net the size of Somalia to catch them.vii

It’s quite inconceivable to this particular service provide that the user should be told to “get lost” or “fuck off.” This is evident from the two philosophies that Blockchain prides themselves in: 1) “not knowing their customers”viii and 2) “providing excellent customer service.”ix

I in no way disagree with the former philosophy, the AML/KYC shit should absolutely be put out to pasture, it’s just that their intent to appeal to the lowest common denominator and to fulfil the obligations of the latter philosophy, entail utterly lethal compromises from which there is no recovering.x

In addition to Blockchain.info’s use of CloudFlarexi their pathetic PRNG, and their advertising of known scams, their horribly broken security implementations stemming from their application of fiat-based customer service ideology to what would otherwise be a Bitcoin business is the absolute death knell.xii

Put it up on the board if you haven’t already:

Blockchain.info is yet another wallet inspector.

___ ___ ___

  1. Yes, once upon a time, just shortly after the last ice age in fact, I used a PGP e-mail service that didn’t give me control over the private key. This is, of course, patent insanity. Trusting hushmail to encrypt your e-mail is like trusting your iPhone’s Touch ID to unlock your house, your car, and your daughter’s chastity belt.

    It’s ok, I got better. And you can too.

  2. Because this is a restaurant now?
  3. Is a “pnemnoic” a category of words that sounds like “tire,” from the French word “pneu?” Such as fire, liar, wire, mire, shire, or pyre? If it wasn’t before, it is now.

    In a similar vein, I’m also known to say “close the lights” (“fermer les lumières), which apparently doesn’t make sense in English. AS IF SWITCHES WERE “TURNED” or something.

    No matter, it’s “mnemonic,” I get it!

  4. Yes, it’s a scheme. 2FA, e-mail authorisation, and multi-sig are just a few of the various ways “the community” misunderstands the world in general and Bitcoin in particular.
  5. Anyone who has used bc.info for any length of time* will attest to the various and sundry phishing attempts. While I haven’t seen such a tempt land in my inbox in the last six months or so, it’s suppose it’s conceivable that the gullible old ladies have already been weeded out. This correlating with the observation that obvious scams aren’t raising capital like they did in 2013.

    ___

    *I used bc.info for ~2 years for storing pocket change (real money goes on paper wallets), but after this little exercise, I don’t even store that there, or on any webwallet for that matter. Gotta practise what you preach, right?

  6. That is, the use of Windows.
  7. Compare this with MPEx FAQ #24:

    What will you do in case I can’t sign with my key anymore ?
    Most likely nothing. If either your account is very large and / or I know you I might try to verify you. Maybe. Don’t count on it, but instead proceed with the clear state of mind that if you lose your keys you lose your assets. It’s healthier.

  8. Meaning that Blockchain “only” requests an e-mail address in order to create a new webwallet. Because knowing something is the same as not knowing anything!

    Note that while some sort of user ID is clearly required, PGP is far better suited to the task. PGP is just, y’know, hard.

  9. Meaning that Blockchain rents a call centre.
  10. From the perspective of Blockchain, there’s no doubt that these compromises are “necessary,” primarily because their customers, not to mention they themselves, are the products of the first best largest socialist democracy evar.
  11. For “DDoS imtigation” or some such nonsense, and notably in use during “regular site maintenance” at the time of this writing.
  12. Maybe this is beating a dead horse, but I have little doubt that the odd Contravex reader still uses this service, or Coinbase’s, or whatever.

14 thoughts on “The problem of digital identity, or how to circumvent Blockchain.info 2FA and e-mail authorisation

  1. Tal says:

    “All the while, the original user is entirely in the dark and won’t have the faintest clue that they’re about to be robbed.”

    The original user would only be in the dark if they didn’t check their email for a couple weeks, no?

    • Pete D. says:

      Nah. See, let’s paint the scene:

      – You create a Blockchain.info webwallet
      – You send coins there that you don’t plan to use for months, maybe years
      – You tick all the sooper sekoority boxes including 2FA and e-mail authorisation
      – You get phished or otherwise lose just the identifier and password. You still have complete control over your 2FA device and e-mail.
      – Attacker uses the webwallet identifier, nothing more!, to submit a “Reset Two Factor Authentication” form with Blockchain.info, quite unbeknownst to you
      – Blockchain.info sends confirmation e-mail to attacker
      – Blockchain.info spends the next two weeks attending conferences and lobbying politicians or whatever they do
      – Attacker receives e-mail indicating that 2FA and e-mail authorisation have been reset
      – Attacker logs into webwallet using phished credentials and his e-mail address
      – Attacker absconds with your coins

      Blockchain.info makes no effort to contact the user at their original e-mail address. Or at least they don’t make attempts that are able to worm their way through hushmail’s otherwise loose filters. Do you know how many sexy girls looking for a good time manage what Blockchain can’t? Maybe Nic Cary needs to sex it up a bit, I dunno.

      Efforts to contact the original user could, of course, warn them that something is afoot, giving them time to move their coins or change their password before the 2FA/e-mail authorisation is reset.

  2. Tal says:

    Ah, interesting, so even though blockchain.info says “multiple emails will be sent to the verified email address on the wallet before the request is approved”, when you tried it they didn’t send any emails to the original account. Got it. That is pretty bad.

  3. […] Gavin “30% of my mom’s friends support a fork” Andresen and those guys over at blockchain.info. […]

  4. […] lay this stellar example of permissionless innovation – the fiat equivalent of Circle, Blockchain.info, Ethereum, and Flexcoin, among many others. This is what permissionless innovation looks like […]

  5. […] to make a proper passphrase with a diceware list, 2FA lulls you into a false sense of security. It doesn’t work for Blockchain.info and it won’t work for […]

  6. […] Doesn’t quite line up, does it ? Next, I also compared the checksums with the figures posted on “Firefox 29.0″ for Winbloze on OldApps.com, just to give them the benefit of the doubt that perhaps a link had improperly re-directed. Nope. No match. I was dealing with a planted mystery file, the kind you expect in spam e-mail from Nigerian princes and b1ockchain.info sc4mzors. […]

  7. […] more convincing than the rotten bitcoin-flavoured garbaje requesting that you to access your webwallet by visiting b1ockchain.com or offering you an “emergency back-up file” by […]

  8. […] was revealed to have insufficiently random nonces for private key generation, be vulnerable to 2FA work-arounds, and before they were “hacked” to the tune of 267 […]

  9. […] which was widely known to be at best a laughingstock and at worst a very marginal improvement on webwallets.iii But while the old Foundation’s jig was up and their puerile pretenders to the throne were […]

  10. […] means of upvotes and likes, but through financial domination (eg. a) and public humiliation (eg. a, b, c, d). It is not the miners who have “the go button” anymore than they have known […]

  11. […] least in the sense that your coins are only in SV‘s hands for a confirmation at most. On the other hand, on the off-chance that you’re […]

  12. […] “just wanted to” blah blah or for whatever mistaken reason you thought that e-mail, 2FA, or any of the other USG.Techs were valid forms of communication and identification […]

  13. […] 17. The Revolution Was Fiat, The Reaction Is Bitcoin 18. Breaking A Bitcoin Brainwallet 19. The problem of digital identity, or how to circumvent Blockchain.info 2FA and e-mail authorisation 20. The economics of sinking 20 MB Gavincoin blocks. 21. Bitcoin is unfair. That’s the point […]

Leave a Reply to Meta-metastasis, or how a dancing shark jumped the shark. | Contravex: A blog by Pete D. Cancel reply

Your email address will not be published. Required fields are marked *