Zurich researchers, eh?
Because nobody knows how to hide funds better than the Swiss.
By now, we all know the Magic the Gathering Online Exchange says it came undone because of a gap in the Bitcoin protocol called “transaction malleability”. Now, two ETH Zurich researchers have rubbished that claim. In this paper at Arxiv, Christian Decker and Roger Wattenhofer analyse a year's worth of Bitcoin activity to …
I don't think Visa would claim that "only" one in five fraudulent card uses are undetected or Lloyds that "only" one in five bank robbers got away with the swag, and of course the other 4 out of 5 have disappeared empty-handed into the ether or alternatively came back the next four days to see which would be their lucky day.
The almost 10% fraud rate is an amazingly high rate of [fraud] crime for a "banking" system, considering for example that large retailers usually estimate a 5% annual shrinkage loss. The statistic chosen therefore states that Bitcoin crime is almost twice the rate of retail /shoplifting crime.
That is NOT a good statistic to quote.
"The statistic chosen therefore states that Bitcoin crime is almost twice the rate of retail /shoplifting crime."
You and I probably read different articles, but the one under discussion here is about Mt Gox who is the one claiming the 'transaction malleability' problem as an excuse for 100% of their missing funds. The researchers are claiming that it could not have been that high. Note that this particular problem is not a Bitcoin issue.
"That is NOT a good statistic to quote."
Yes it is, because if true, it shows that Mt Gox is likely not telling the truth.
19.46% is NOT the success rate of the attack. That is the rate at which the modified transaction was accepted INSTEAD of the original one. The modified transaction was of the same value (it has to be or the encryption does not work), the same amount of "wealth" was transferred, it just has different ID numbers.
The issue is down to how the exchange tracked transactions - they did not do so in a reliable enough manner, once they saw the original transaction fail they were issuing refunds without checking for a duplicate transaction going through. Other exchanges updated their software competently once the issue was noticed, MtGox didn't. MtGox have a long history of producing duff transactions that failed, rather than fixing the problem they bodged in an auto-refund system.
MtGox and their rubbish software were the problem, there was not a large network-wide issue.
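The reconciliation flaw described in the comment above, as an added example that is not part of the original thread or any exchange's code: a refund check keyed on the transaction ID compared with one keyed on what the transaction actually spends and pays. The `Tx` model, its toy serialization, the function names and the sample data are all assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, replace

def dsha(data: bytes) -> str:
    """Double SHA-256, hex encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

@dataclass(frozen=True)
class TxIn:
    prev_txid: str
    vout: int
    script_sig: bytes  # signature bytes; their encoding is not covered by the signature

@dataclass(frozen=True)
class Tx:
    inputs: tuple   # of TxIn
    outputs: tuple  # of (value_in_satoshi, address)

    def _serialize(self, with_sigs: bool) -> bytes:
        # Toy serialization (assumption), not the real Bitcoin wire format.
        ins = [(i.prev_txid, i.vout, i.script_sig.hex() if with_sigs else "")
               for i in self.inputs]
        return repr((ins, list(self.outputs))).encode()

    def txid(self) -> str:
        return dsha(self._serialize(True))    # changes if script_sig is re-encoded

    def normalized_id(self) -> str:
        return dsha(self._serialize(False))   # stable: spent outputs + payees only

def naive_needs_refund(sent: Tx, confirmed: list) -> bool:
    """Refund if the txid we broadcast never confirmed (the flawed check)."""
    return sent.txid() not in {t.txid() for t in confirmed}

def robust_needs_refund(sent: Tx, confirmed: list) -> bool:
    """Refund only if no confirmed tx spends the same inputs to the same outputs."""
    return sent.normalized_id() not in {t.normalized_id() for t in confirmed}

# Constructed sample data: one withdrawal and a re-encoded copy of it.
SENT = Tx((TxIn("aa" * 32, 0, b"\x30\x44sig"),), ((50_000_000, "customer-address"),))
MALLEATED = replace(SENT, inputs=(replace(SENT.inputs[0], script_sig=b"\x00\x30\x44sig"),))

if __name__ == "__main__":
    print("txid changed:     ", SENT.txid() != MALLEATED.txid())
    print("naive refund?     ", naive_needs_refund(SENT, [MALLEATED]))
    print("robust refund?    ", robust_needs_refund(SENT, [MALLEATED]))
```

The txid-keyed check would pay the withdrawal a second time, while the check on inputs and outputs recognises the confirmed transaction as the same payment.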
That paper goes on to make a very interesting point. A further very interesting one rather.
The vast majority of malleability attacks, or attempts at them, came *after* MtGox announced its troubles. That is, were driven by people hearing about it and seeing if it would work.
The total number of malleability attacks *before* the MtGox announcement wasn't large enough to have been responsible for the losses at MtGox. Yes, all such attacks everywhere on all exchanges were smaller than the reported losses at MtGox.
Which is really a rather interesting finding....
Leaving the question "So where did the missing Bitcoin go?" open.
Just one question I have from my limited knowledge of how BC works... but as I understand it every BC mined has a history in the blockchain, and in spite of a lot of forks in the blockchain due to how mining/transaction verifying works, the forks are folded back into the original blockchain once a transaction is confirmed... and the blockchains are all public. So bitcoins that weren't 'stolen' by the malleability attacks should be traceable, at least to an id if not to an actual person?
Since the block chain is essentially a public ledger, if the addresses used by MtGox are known, then it should be possible to trace the bitcoins and see where they went. If indeed there were a vulnerability which led to transactions essentially being doubled, this should be visible in this audit. If, however, it can be seen that the deposits to MtGox addresses, minus the withdrawals do not add up to the numbers they say they have, or if a large number of Bitcoins have been transferred to a single, or small number of addresses, it might indicate that someone there was siphoning off BTC into their own wallets.
If this is the case, is it then possible to trace where those wallets are held via the IP addresses, or some other means?
It's somewhat interesting that those pointing out that almost 20% is still an outrageously high figure got downvoted. I'm not per se against Bitcoin. But I cannot believe that anybody, fanboi or not, thinks 20% is acceptable. On top of that it invalidates Bitcoin's claim of being oh so super secure.
And to add insult to injury, it also points out that the big players (or former big players in case of MT Gox) in the bitcoin business may not be 100% honest, to put it mildly.
The whole MT Gox situation is a huge blow for bitcoin, because it was their biggest public exchange.
Those are facts, which even Bitcoin owners and traders can't dismiss.
It's a pity though, because the bankers will celebrate this for some time to come.
I think maybe it's because it's a figure of '20% of fraudulent transactions succeeded', not '20% of transactions are fraudulent'. You'll probably find that with conventional payment processing, a significant proportion of transactions are fraudulent (0.1% of credit card transactions according to Wikipedia), and of those 0.1%, they probably have a much higher than 20% chance of getting away with it.
You and the rest of the commentards on here need to read the article more clearly.
It ONLY talks about the number of attempted Malleability attacks vs those that were successful. It says NOTHING about what proportion of Total transactions they were. So it could be 20% of a very small number or a very big number.
So in context it's the same as saying 20% of attacks against an ATM are successful - it says nothing about the number of ATM transactions or the amount of cash involved.
I didn't say that 20% of all transactions were fraudulent. So if you feel like being patronising, at least read what I wrote and not what you think I may have intended to write.
I still think 20% success rate for fraudulent transactions is too high. And I did not say that banks and card providers do better, or worse. It was an isolated statement. The reference to the partying bankers was because the Mt Gox cockup is a blow for Bitcoin as a whole as seen by the public (you know, the lesser knowledgeable people; include me there, if you like). It's much the same as everybody complaining about banks in general after Barclay's (or any other bank of your choice) has screwed up yet again.
For any payment method (or currency) to be successful and stable you need a large group of people and businesses using it. The less people know, the more they will be put off by negative headlines.
But if we want to go there and draw a comparison between traditional banking and Bitcoin, the people on here who know more about Bitcoin may be able to answer this: Who do you turn to in order to get a refund?
I've had a few fraudulent transactions against my credit cards over the years. Either the bank spotted them straight away, or I spotted them on the statement -- and I always got them refunded. Does Bitcoin have a similar safety net?
And does anybody have stats that confirm the success rate for fraudulent transactions in traditional banking?
Genuine questions, which belong together if you want to compare success of fraud! To be honest I'm relatively indifferent when it comes to Bitcoin. For me personally Bitcoin is not an option because of its fluctuations and lack of shops where you can buy stuff with it. That may well change in the future, albeit a bit further in the future after cockups like this one. That wasn't the subject though.
The only reason the success rate was 20% is because MtGox were using a version of the Bitcoin wallet which they had branched from the 'official' reference version, in which this particular bug was fixed in 2011. Had they not been using shoddy software, the success rate would have been exactly 0%.
This vulnerability was known - it was their sloppy processes that allowed it to persist for years, and this reflects badly on them, not on Bitcoin.
Imagine if a vulnerability were found in VISA, and they announced that all POS terminals should be updated to avoid fraudulent transactions. If a POS manufacturer were found, three years down the line, to not have fixed this bug, and still allow fraudulent transactions to clear, who would be liable - the POS manufacturer, or VISA?
In answer to your question about whether Bitcoin transactions can be reversed; the simple answer is no. Unlike credit card fraud, however, it is not possible for someone to copy your wallet, or operate an equivalent of a 'cardholder not present' scam. Your 'wallet' is, in fact, a cryptographic key which allows access to your balance on the block chain. If you were to allow that key to be stolen, either by having your computer hacked, or by other means, your wallet would be compromised, in the same way that if you had your actual wallet stolen, you would have no way of regaining its contents. Mitigations against this sort of thing consist of keeping funds in an 'offline' wallet, or a 'paper wallet' (essentially a print-out of the key as a 2D barcode) in a safe, and encrypting your wallet so that you need a password to access the key. These measures are all in your hands.
To add to that, as far as I am aware, pretty much 100% of fraudulent credit card transactions are 'successful' in terms of the crooks getting the money and getting away with it. When they get caught, it is rare enough to make the news. In terms of 'losing' your money, the credit card companies essentially insure you against such losses. They do this by charging ~4% fees on something that happens 0.1% of the time (paid by the merchant). Taking their other costs into account, this is why they have big shiny office buildings and their executives have big houses.
I fail to see any facts in your statement. Here are some of my own.
Fact: Mt. Gox was the 7th largest public exchange at the time of its troubles.
Fact: Bitcoin protocol was not the issue. Mt. Gox re-wrote the open source BTC wallet code badly, enabling this exploit.
Fact: You know very little about what you speak.