Pages:
Author

Topic: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected (Read 14978 times)

legendary
Activity: 3808
Merit: 1723
Its been 6 months and the money still hasn't moved.

Why steal money and not transfer it out? Especially when back in Feb it was worth double of what it is worth today.


hero member
Activity: 563
Merit: 500
If you saved either the 2FA code key they give you when you first set it up, or the QR code image itself, an attacker would be able to use that to bypass 2FA.


I encrypt them with gpg immediatly. I wouldn't say that to be the weak point...

Is it possible that the machine you used to gpg encrypt them is compromised?
hero member
Activity: 980
Merit: 1002
This couldn't happen with strong security measures.
It 's time to demand that the exchanges do their job seriously.

http://dassori.me/2014/03/06/open-letter-dear-bitcoin-exchanges/
sr. member
Activity: 302
Merit: 250
I am guessing that you have an android phone?  Undecided
hero member
Activity: 493
Merit: 500
One of the many things I cannot explain myself is why he has changed my password and changed it back.
This part only makes sense if you have a keylogger.
full member
Activity: 162
Merit: 100
Yes I have logged in from my phone to bitstamp and I had there my google authenticator installed.
Yes I had my email account with the password saved on the same phone
Yes it was connected to a 3g data plan

This means that the criminal(s) could steal all your money if they indeed have compromised your phone and I am guessing this is the case here. :-/

This is a rather sad and expensive life lesson for you. I hope you and others learn from it.

Sad and expensive indeed ...
I hope you will recover soon.

Try to keep tracking their wallet address with your btc. One day they must spend it. Maybe they will do a small mistake and you will be able to track them. But perhaps this would be difficult.


I agree... Do you know a good address tracker? I used one last year but I don't even remember the name (it wasn't so good anyway)
legendary
Activity: 2212
Merit: 1199
Yes I have logged in from my phone to bitstamp and I had there my google authenticator installed.
Yes I had my email account with the password saved on the same phone
Yes it was connected to a 3g data plan

This means that the criminal(s) could steal all your money if they indeed have compromised your phone and I am guessing this is the case here. :-/

This is a rather sad and expensive life lesson for you. I hope you and others learn from it.

Sad and expensive indeed ...
I hope you will recover soon.

Try to keep tracking their wallet address with your btc. One day they must spend it. Maybe they will do a small mistake and you will be able to track them. But perhaps this would be difficult.
newbie
Activity: 29
Merit: 0
Most likely a login session on the phone was not terminated, so hacker simply re-enter bitstamp and at the same time email account is usually auto-login, no 2FA is required

This would have been my guess also, but from the history it says:

Code:
* 2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication

109.163.234.9 is a TOR relay, so it seems it was the hacker that did a full logon from TOR using 2FA (also it is the same address that withdraws the BTC).

The most likely option then is that they have access to (atleast) your phone.

I think the reason the hacker changed the password was so you would not log on yourself and change the password in case you saw the withdrawal email. He then changed it back to cover his tracks, just in case you would not notice.

* Did he delete the confirmation emails bitstamp sent from your email?

* You should make a list of all ip addresses the hackers used and confirm that they are TOR relays on https://metrics.torproject.org/relay-search.html
Not likely, but the hacker might have made a mistake somewhere in not using TOR.

* It would be interesting if you could export a list from your Android phone of all the applications installed and post it here, especially those installed just (1-2 weeks) before the hack.
sr. member
Activity: 280
Merit: 250
Really It seems the only explanation for me is that I did it and forgot about it but there is no trace of the confirmation emails and I don't have trace of the destination address.
No offense, but what the hell is this supposed to mean? "I did it and forgot about it?" Who moves 11000-16000 USD and "forgets" about it?
legendary
Activity: 1260
Merit: 1008
I went on vacation on the 21st. On 23rd I logged in to bitstamp because I thought one week of storage of bitcoin on an exchange were too much.

My balance was zero $ and zero bitcoins. From the history I saw someone (not me) made this astonishing things:

* 2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication
* 2014-02-22 20:01:39   109.163.234.9   Opened bitcoin withdrawal request for 23.83677391 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
* 2014-02-22 20:01:39   109.163.234.9   Bitcoin withdrawal request: email was sent to user
* 2014-02-22 20:02:00   109.163.234.9   Bitcoin withdrawal request: email confirmed by user
* 2014-02-22 20:09:33   161.53.74.122   Changed user password
* 2014-02-22 20:12:33   96.47.226.20   Opened instant buy order for $36.30
* 2014-02-22 20:13:38   96.47.226.20   Opened bitcoin withdrawal request for 0.05965404 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
* 2014-02-22 20:13:38   96.47.226.20   Bitcoin withdrawal request: email was sent to user
* 2014-02-22 20:15:35   96.47.226.20   Bitcoin withdrawal request: email confirmed by user
* 2014-02-22 20:24:24   141.212.108.13   Changed user password


if I read correctly it seems they managed to restore your usual password after the hack, am i right?
newbie
Activity: 48
Merit: 0
Most likely a login session on the phone was not terminated, so hacker simply re-enter bitstamp and at the same time email account is usually auto-login, no 2FA is required

There is a weakness from bitstamp's side: You don't need 2FA code for withdraw. Since usually your email session is always logged in, once a malware took control of the device, he only need to wait until you logged into bitstamp

I just checked my computer, my email session is always automatically logged in, so it is also possible a malware can withdraw all my coins when I logged into bitstamp. Scary but true Embarrassed Embarrassed



this seems like the most likely to me. it bypasses 2fa and if they already had your email it would be easy. wait till you log in to bitstamp, initiate withdrawal, confirm the email.

if it is from inside bitstamp it's very scary thought to have.
full member
Activity: 162
Merit: 100
I don't use authenticator, is it possible to just log into your regular google account and disable it in settings? Attacker seemed to have used email as 2FA.
Your phone should've sent you all sorts of notifications when you got those emails unless you turned them off, or the attacker immediately turned off sync/notifications when they got control of your gmail.

I also endorse the immutable withdraw address(es) option to prevent this in the future. They will need control over your wallet as well to get the coins or somehow social engineer the exchange into resetting the immutable withdraw addresses.

The only form of 2FA possible on Bitstamp is Google Authenticator.
hero member
Activity: 899
Merit: 1002
I don't use authenticator, is it possible to just log into your regular google account and disable it in settings? Attacker seemed to have used email as 2FA.
Your phone should've sent you all sorts of notifications when you got those emails unless you turned them off, or the attacker immediately turned off sync/notifications when they got control of your gmail.

I also endorse the immutable withdraw address(es) option to prevent this in the future. They will need control over your wallet as well to get the coins or somehow social engineer the exchange into resetting the immutable withdraw addresses.
full member
Activity: 162
Merit: 100
Update: On 2/22 I had an access to my gmail account fro Cyprus... Never been there.

I already explained to you that the IPs used to haxor you are IPs belonging to the Tor network. https://www.torproject.org/

yes there will be lots of IPs from all around the world used.

How answer the more interesting questions.

a) have you ever logged into bitstamp from your phone
b) do you use e-mail on your phone and have a e-mail client on it with your password saved
c) was the phone connected to wifi or a network provider with a data plan at the time in question?

Protip for everyone: There is a small program called "JAuth" with is a Java based open source implementation of Google 2FA. You can install this on an old otherwise unused computer that is not connected to the internet or anything else. There are also cheap $90 android phones you can use for this purpose, only install google auth on it and nothing else & delete all the google spyware & permanently turn off wifi and don't have a SIM card in it.

Also people, beware that 25 BTC is a lot of money. There are those willing to do customized targeting (including social engineering attacks) to get at that kind of money. U fat and ugly and some hot blond girl approaches you and wants to fuck? be suspicious, she's likely after your money

Yes I have logged in from my phone to bitstamp and I had there my google authenticator installed.
Yes I had my email account with the password saved on the same phone
Yes it was connected to a 3g data plan
member
Activity: 97
Merit: 10
If i understood properly from what i read, my bets would be on the the hacker having had access to your smartphone.
Either via some malware you installed OR via known security holes in the software installed on your device and or known backdoors the NSA builds into every such spy-device known as smartphone, the hacker also knew about.

It is my understanding that via your smartphone you accessed also your email, were trading on bitstamp and also using it for the 2FA

So the hacker had access to your email password via the phone, bistamp password, and of course the 2FA  (be it a keylogger, trojan with full access, NSA backdoor, security hole in your smartphone OS etc)


The above is the reason why i refuse to own a smart(dumb)phone and decided to use an old laptop with linux to do the 2 factor authentication for me.

The laptop will never touch the internet ever again. The codes for the 2 FA are on a usb stick and also printed out in case of hardware damage allowing me to restore the 2FA on another device if ever required. (you have to make sure the clock on the laptop displays the right time or 2FA won't work)

There are probably many ways to do the 2FA in linux, like using jauth, or installing virtualbox and then install android within it(old laptop too slow for this), but i decided to use wine and used winauth inside it.

To use winauth you first have to install dotnet 4.0 however, and that is not so easy. Tutorials on the net using winetricks did not work for me. I ended up copying the whole msnet 4.0 folders into the appropriate locations in the wine folders from a win98 install in virtualbox and to my surprise it worked...
legendary
Activity: 1988
Merit: 1012
Beyond Imagination
Most likely a login session on the phone was not terminated, so hacker simply re-enter bitstamp and at the same time email account is usually auto-login, no 2FA is required

There is a weakness from bitstamp's side: You don't need 2FA code for withdraw. Since usually your email session is always logged in, once a malware took control of the device, he only need to wait until you logged into bitstamp

I just checked my computer, my email session is always automatically logged in, so it is also possible a malware can withdraw all my coins when I logged into bitstamp. Scary but true Embarrassed Embarrassed

legendary
Activity: 2212
Merit: 1199

they took 5 days to answer you? thats a fucking disgrace

Disgrace is how Bitstamp indeed is threating their customers. MtGox had same problem.. perhaps both exchanges will get their lessons..
member
Activity: 106
Merit: 10
Sorry for your loss OP

Do we have a list of exchanges that have implemented this locked-withdrawal address? I heard of it earlier but can't remember the site that was going to use it.

I think given the implications, that this feature should be universal in all exchanges.
legendary
Activity: 1316
Merit: 1000

they took 5 days to answer you? thats a fucking disgrace
member
Activity: 69
Merit: 20
Does you cellphone have access to your email and  Google Authenticator?
If so could somebody got access to your phone while on vacation?
Pages:
Jump to: