by Nikita Sechenko
Translated from the Russian by Daniel Nagy
There are two approaches to one's personal safety. The first one is difficult: never leave the iron plugged in, never smoke in bed, do not place the gas stove near the window. The second approach is a lot easier: you don't follow any rules and hope that there will be no fire. Same with WebMoney. There's a difficult way: for example, read "Security Encyclopedia" and follow all the rules in there. This, of course, requires time and effort, which is unacceptable for many. The other method -- not reading anything, ignoring all the warnings in the Keeper (WM's wallet application), indiscriminately opening all your email, launching all sorts of suspicious programs, not using antivirus software and firewalls. This article is dedicated to those who have chosen this easy way. Since there is a substantial risk that the money from your pruses will be stolen, it's useful to know how to get them back. That's what we'll talk about below.
So, the bad guys have "planted" a virus on your computer (you like opening email attachments, don't you?), found the *.kwm key-files on your harddrive (you don't keep them on removable media, do you?), caught the passphrase as you typed it, and sent all of that to their mailbox (your *.kwm files weighed a mere 50K, didn't they?). Then he connects to your WMID using his computer (you have, of course, turned pre-activation by email and IP blocking off) and stole all the title certificates in there. What can you do?
First, don't panic. You should know that the staff of WebMoney, in particular the arbitration service and tech support, are responsive to pleas of help in case of stolen keys and assets from purses. Be assured, they will do everything they can. Secondly, the solution of the problem should not be postponed. You should act as fast as possible. Every minute counts. Your main task is to get ahead of the bad guys. Taking into account their head start, it will be difficult, but still possible. Finally, the third rule is not giving up. From my experience as an arbiter, I can tell that returning your assets is often possible even in situations that look hopeless at first.
And now for the concrete measures. Your actions will depend on several factors. First and foremost whether or not you have lost access to your identifier.
If you do have access to your WMID and you can check your transaction history and find out the WMID of the offender, the most effective way of proceeding is filing a complaint under "unauthorized payment" against that WMID at the website of the arbitration service (http://arbitrage.webmoney.ru). At this point you will need to pay the arbitration fee immediately, as doing so automatically block payments from the WMID with a certification level lower than "initial" (note of the translator: basically, it means blocking anonymous accounts). This way, the assets on the defendant's account will stay there until the arbitration comission rules on the case. WMIDs with an initial level certificate or a registrator level certificate can be blocked only with a sanction of the arbitration comission, but holders of such certificates are not in the theft business, as a rule.
In order to file an "unauthorized payment" complaint, a pseudonym certificate suffices (note of the translator: these are given to whoever asks without any verification). The arbitration fee is 10% of the contested payment. First, it can make sense to file a minimal complaint, as low as 1 WMZ and pay a 0.1 WMZ fee. Filing the complaint will take only a few minutes.
However, as the funds could have been transfered a number of times in order to confuse the investigation, after filing the complaint, you can immediately contact the arbitration service's administrator (WMID 937717494180, arbitrage@webmoney.ru) and ask him to trace the chain of payments, should one exist. The administrator (after careful consideration), may block all the accounts along the chain and will send you a report on how much money has been "caught" where. You will need this information for further arbitration proceedings. Keep in mind, however, that arbitration is a service for resolving conflicts, not a 911 service. They work from monday to friday between 10am and 6pm.
If the offender has left, for some reason, funds on your WMID or you have other WMIDs for the security of which you cannot vouch after the attack, contact the tech support (+7 095 727-43-33, support@wmtransfer.com, WMID 941977853154) and ask them to temporarily block outgoing payments from your accounts as well.
As we have said, filing a complaint is the best solution in this situation. But what can be done if everything has been stolen up to the last penny, and quickly finding a few WMZ to pay the arbitration fee is not an option? In this case, you should email and telephone tech suport and arbitration asking them to block the WMID of the offender, after which you should, nevertheless, file a complaint initiating arbitration proceedings as quickly as you can. Keep in mind that tech support can only block WMIDs, but they have no means of tracing the payment chain along which your money has been siphoned off. The arbitration sercive, on the other hand, can block accounts, trace payments and check balances.
But, as you understand, thieves typically do not transfer funds to their purses or if they do, they don't leave them there for a longer period of time in order to buy ebook classics, should they get bored, but try to hide their traces and get rid of evidence as quickly as they can. In order to do so, they exchange stolen WM for assets in other payment systems, typically e-gold. Then exchange them back to WM and repeat a number of times. In this case, the problem becomes significantly more complex. You should contact the administration of the automated exchange through which the exchange has been transacted and find out the fate of your assets (filing a complaint against the exchange makes no sense, see below). Later the administrator of the arbitration service will send a query to the other payment system, but that seldom helps. E-gold, for example, having received a request from WebMoney, blocks offending accounts, but gives transaction information out only at the requests of courts and law enforcement.
In the worst case, the offender uses an "offline" exchange, cashing the stolen assets. In this case, arbitration cannot help: the exchange did their job and had no means of knowing about the origin of the funds. Hence, the accounts of the exchange won't be blocked and they are under no obligation whatsoever to return your funds. This is when you should turn to law enforcement and hope that the exchange has checked and recorded the passport data of their clients as required by the rules of our system.
If, however, you have lost access to your WMID (the attacker has changed the password or the key file), then you should immediately contact tech support and ask them to block your WMID, just in case there is some money left there. In addition, you should contact the administrator of the arbitration service and report the loss of access to your WMID. It is desirable to correspond using the same email address that is indicated in your certificate and in the Keeper's personal data section. In your email, you should give information as comprehensive as possible in order to establish that you are, indeed, the legitimate owner of the WMID in question. Namely, your WMID, the purses' numbers, the last transactions complete with dates and so on. The administrator, in turn, will tell you the current balance of your purses, where funds were transfered and whether they were successfully blocked. The rest of the procedure is analogous to the one described in the previous section.
That's all. I hope, you will make the right conclusions and choose for yourself that difficult way of protecting yourself from calamities. Remember: lost nerve cells cannot be recovered.
* * *
Note from the translator: This is a translation for which I have not received a permission from the author, completed for purely educational purposes. I have done my best to provide an accurate translation, but take no responsibility for its correctness.
Posted by iang at June 6, 2005 02:11 PM | TrackBackWMID == Weapons of Mass Identity Destruction
Posted by: Jean Camp at June 8, 2005 03:12 PM