by mootothemax 4818 days ago
Mtgox has clearly not had time to respond, and I fear they will claim this is my fault as I have seen in other posts online that they say "report it to the police".

They should compensate me 100%.

This shows one of the fundamental problems with Bitcoin-related services: when people get taken advantage of, they expect to be compensated.

While in the real world, banks will often compensate you if you're the victim of fraud, there isn't any equivalent for Bitcoin, despite people really expecting it.

4 comments

...and banks will only compensate if they really have to because there are laws compelling them to do so. If they can get away with saying it's your fault they will.

While I have sympathy for the author it was a pretty silly thing to do.

> ...and banks will only compensate if they really have to because there are laws compelling them to do so. If they can get away with saying it's your fault they will.

Agreed, the banks aren't doing it from the goodness of their heart.

> While I have sympathy for the author it was a pretty silly thing to do.

And in the real world, if you gave someone your card and PIN, the bank would be unlikely to compensate you.

I think that this example is more similar to falling victim to card skimming, though.

Whilst one should always check the ATM for suspicious devices, and never let the card leave one's sight, it doesn't mean that it's not easy to fall prey to such fraud all the same.

"Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen"

From http://research.microsoft.com/apps/pubs/default.aspx?id=1618...

Of course, as that paper points out, the traditional electronic money system is incredibly reversible. If someone transfers $50,000 from my personal bank account to someone else's bank account, it's pretty easy for it to be undone.

The bottleneck is the money mules who are hired (read: suckered) into engaging in irreversible transactions.

> If someone transfers $50,000 from my personal bank account to someone else's bank account, it's pretty easy for it to be undone.

That depends on the timeframe. Once the money has been moved out of that new account again things start getting much harder.

Not really. If a Bank gets a reversal before funds have cleared, it's pretty straightforward and the stack will almost unwind itself as each Bank reverses credits to the accounts in response to reversals before them. Depending on type of transfer, yes, there is a date beyond which reversals are not possible, but the number of transfers has little to do with it.

Thieves want to work to empty that new account as fast as possible. And they still can't without suckers who volunteer to run a "check-cashing business" or similar scam.

Because banks are held responsible for fraud (from consumer accounts), they work hard to never be the ones holding the bag, so they put up roadblocks in attempts to engage in irreversible transactions. If you say "hey, I opened my account yesterday, now I want to withdraw the $40,000 that just showed up in it, 10's and 20's please" they will nod politely and call a bank manager.

No, banks will compensate you if they feel that the reputational damage of not doing so is worse than the financial damage of doing so.

I felt sorry for the guy up to this point. You have the notoriously insecure Java plugin enabled in the same browser you use to access your digital cash, and you click on random links in a chat full of people with accounts on the same digital cash site? No, that's your fault, not Mtgox's.

He goes on to say, "First because their site is not secured against such rudimentary attacks as has been demonstrated today." I can't fathom how they're supposed to protect from users' computers being taken over. The only real way to do that is to have two-factor authentication... which they offer, and this guy did not use.

It sucks to get robbed, certainly. But blaming Mtgox for this is uncalled-for.

Does Mt Gox require you to enable client-side Java?

I don't like running Java on my computers even if they don't have access to $10,000 worth of bitcoins.

No.

In fact, I use a curses based program alongside the Mt.Gox API.

I had to log in at one point, obviously, but I can handle it all using the API now.

For those interested: https://github.com/prof7bit/goxtool

An example of the normal attitude regarding such "incidents": http://mpex.co/faq_r.html#23 and also 24. I tend to agree. The less mainstream adoption there is, the fewer support tickets you'll have to answer.

But bitcoins are like a digital cash - people don't expect to be compensated when their cash gets burgled (at least, not by a bank).

In this analogy, his cash was held by the bank. He can say someone impersonated him to send it. But unfortunately he did not take advantage of two factor authentication and he got phished.

Actually, from reading more, I don't understand if MtGox is involved at all. Did the executable just steal the wallet.dat file from his hard drive and have nothing to do with MtGox?

Yeah - I'm unclear what's happening here as well. Did his bitcoins get stolen from wallet.dat, or did they get stolen from MtGox?

Did you read the FA? It was clearly stated that 1. the transaction took place in MtGox, and 2. the rest of his bitcoins were safely encrypted in his hard disk.

Right - I read that part. But then, I read the exploit, which is the running of a .exe on his local system, and not a JavaScript XSS attack. It's very confusing.

Perhaps the .exe logged into his MtGox account through the browser? If so - I don't understand why he would think MtGox is culpable in any way, particularly if he was running Java in the browser, clicked YES to all the warnings that said horrible things were going to happen to him, AND wasn't running two-factor auth on his account.

He went out of his way to let the hacker exploit his system. I would hope that anyone as "technically savvy" as him would have known these were all really, really bad things to do.

If there is any consolation, it's that the 34 bitcoins are likely going to be worth less than $1000 by the end of today.