
Topic: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected - page 2. (Read 14978 times)

newbie
Activity: 56
Merit: 0

I'm really frustrated. If 2FA, a strong password and a confirmation email are not enough, I don't know how it is possible to develop this thing in which I strongly believed.

Paper and offline wallets are not handy, hardware wallets are not ready, brainwallets are not safe.

Convenience is an advanced feature.

You're blaming tools (2FA, strong password, confirmation email) when none of that has anything to do with you being compromised.

Your level of being compromised would render basically any computer system vulnerable. It has nothing to do with Bitcoin and everything to do with your being hacked via bad software OR the issue of trusting a 3rd party with a "promise."


For example, confirmation emails with a static confirm link only work if your email isn't compromised. They should link you to a page on the site that requires you to use a specific IP address, redundant 2FA and possibly another password for a secure login. That would be "more secure" but "less convenient."

legendary
Activity: 2212
Merit: 1199
Update: On 2/22 I had an access to my gmail account from Cyprus... Never been there.

I already explained to you that the IPs used to haxor you are IPs belonging to the Tor network. https://www.torproject.org/

yes there will be lots of IPs from all around the world used.

Now answer the more interesting questions.

a) Have you ever logged into Bitstamp from your phone?
b) Do you use e-mail on your phone and have an e-mail client on it with your password saved?
c) Was the phone connected to wifi or a network provider with a data plan at the time in question?

Protip for everyone: There is a small program called "JAuth" which is a Java-based open source implementation of Google 2FA. You can install this on an old, otherwise unused computer that is not connected to the internet or anything else. There are also cheap $90 Android phones you can use for this purpose: only install Google Authenticator on it and nothing else, delete all the Google spyware, permanently turn off wifi and don't have a SIM card in it.

Also people, beware that 25 BTC is a lot of money. There are those willing to do customized targeting (including social engineering attacks) to get at that kind of money. If you're fat and ugly and some hot blonde girl approaches you and wants to fuck, be suspicious; she's likely after your money.

Indeed... so the best storage is cold storage, but there is a chance for devs to develop some nice anti-hack apps for Bitcoin users.
newbie
Activity: 2
Merit: 0
I agree,
logging into email & Bitstamp from the same phone you get the 2FA codes from kinda compromises the idea of 2FA.
Before using 2FA on phones, you would get a little RSA standalone token for this purpose. The idea is to get the 2FA codes from a source disconnected from the one you type your normal password into, so if somebody just hacks you he can't get into your accounts without also stealing the RSA token physically from you.

And if you have to get your RSA codes from an internet-connected phone (which I think, at this point, is still fine) it is still some long shot that if your PC is compromised your phone will be too. But to log in from the same phone you get 2FA from is obviously the easiest way to get compromised, as it completely eliminates the idea that something physical also has to be stolen from you for gaining access to your accounts.

I also agree with the poster who said there should be an option on Bitstamp and other sites to set some withdrawal addresses, and only be able to change them with another password and maybe some wait time also (obviously not forced on the users, but optional settings). It would make stealing a whole lot harder. And then you could even set one of those addresses to some safely stored paper wallet and, in case you get paranoid that you might be infected, you can just send it there.
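The withdrawal allow-list with a separate change password and a waiting period that this post proposes, modelled in Python as an added example (not code from Bitstamp or anyone in the thread). The 48-hour delay, the `change_password` field and the address strings are all constructed assumptions; the point it shows is that a thief holding a live session cannot add his own address and drain the account in one go, and the owner can cancel the pending change during the delay.

```python
import hmac
from dataclasses import dataclass, field

# Assumed cooling-off period (seconds) before a newly added address may receive funds.
CHANGE_DELAY = 48 * 3600


@dataclass
class WithdrawalPolicy:
    """Per-account withdrawal allow-list with a delayed, separately authenticated change path."""
    change_password: str                         # assumption: distinct from the login password
    approved: set = field(default_factory=set)   # addresses that may receive withdrawals now
    pending: dict = field(default_factory=dict)  # address -> unix time it becomes approved

    def _check_change_password(self, supplied: str) -> None:
        # Constant-time compare; a real service would store and compare a password hash.
        if not hmac.compare_digest(supplied.encode(), self.change_password.encode()):
            raise PermissionError("change password required to edit withdrawal addresses")

    def request_add(self, address: str, supplied_password: str, now: int) -> int:
        """Queue a new address; it becomes usable only after CHANGE_DELAY has elapsed."""
        self._check_change_password(supplied_password)
        self.pending[address] = now + CHANGE_DELAY
        return self.pending[address]

    def cancel_pending(self, address: str) -> bool:
        """The owner, alerted by the change notification, cancels an address he did not add."""
        return self.pending.pop(address, None) is not None

    def activate_due(self, now: int) -> list:
        """Promote pending addresses whose waiting period has expired."""
        due = sorted(a for a, t in self.pending.items() if t <= now)
        for address in due:
            del self.pending[address]
            self.approved.add(address)
        return due

    def can_withdraw(self, address: str, now: int) -> bool:
        """Withdrawals go only to approved addresses; a login alone cannot add one instantly."""
        self.activate_due(now)
        return address in self.approved
```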
legendary
Activity: 2212
Merit: 1199
Update: Bitstamp replied.
In summary, they haven't detected anything strange or suspicious in the related operations on their part.
In my ticket I specifically asked if there have been changes in my account email, but there were not. So it's obvious to me that he also had control of my email. This is also confirmed by the connections from different Tor-related IPs.

They suggested I contact a computer expert. It will be tough, I think. I have to start from scratch.


What can you do? Will you track the IP? The IP of someone who did not know anything about this?

You can only track the transaction, and maybe, maybe, you can find someone on some forum with the wallet address where your money was transferred.

Not a lot you can do.

Seems like your Bitcoins are still @1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE... so it is hard to track the owner...

Lesson: do not use Bitstamp.
Lesson 2: do not keep your money @ an exchange.
full member
Activity: 162
Merit: 100
Big lesson learned.
Thanks everybody for taking care.

I'm really frustrated. If 2FA, a strong password and a confirmation email are not enough, I don't know how it is possible to develop this thing in which I strongly believed.

Paper and offline wallets are not handy, hardware wallets are not ready, brainwallets are not safe.
sr. member
Activity: 265
Merit: 250
Football President
I lost 30 BTC at Bitstamp about 6 months ago.

Did not get them back; suspect an inside job or a bug in their system.
In my case no email was sent to me (and they had no log of an email being sent).

In your case, guessing a long password and 2FA to get into your account is nearly impossible.

Even if the thief has access to your PC, they still need your phone for the 2FA.

I think they have a bug or it's an inside job ---- Bitstamp are not very helpful ---- as most exchanges, all care but no responsibility ---- i.e. store your money in a cold wallet --- don't trust anyone --- it's like cash.

sorry for your loss
full member
Activity: 162
Merit: 100
Update: Bitstamp replied.
In summary, they haven't detected anything strange or suspicious in the related operations on their part.
In my ticket I specifically asked if there have been changes in my account email, but there were not. So it's obvious to me that he also had control of my email. This is also confirmed by the connections from different Tor-related IPs.

They suggested I contact a computer expert. It will be tough, I think. I have to start from scratch.
full member
Activity: 162
Merit: 100
Huh

I'm just trying to think of everything possible, even if not feasible... I have never heard about something so sophisticated and I must think I had an involuntary part in it...
hero member
Activity: 644
Merit: 504
full member
Activity: 162
Merit: 100
One thing comes to my mind:
Thanks to what everybody has written, I could think that the only thing they could hack was the phone.
I read about some malware able to steal your session while you are logged in.
It is possible that I logged in on that night on my phone on Bitstamp. If they stole my session they would have been able to do what they did and they could have had access to my mail too, but that's just a hypothesis. My wife tells me she doesn't remember me playing on the phone, but I do remember having done something that night.

If you logged into Bitstamp on your phone, the hacker would have access to your login credentials, and if you accessed Gmail on the phone and also used it for 2FA, you were 100% compromised.

Yes, this could be it. Embarrassed

Or at least it is the least science-fiction-like hypothesis I could imagine. The phone is probably the attack vector.
full member
Activity: 162
Merit: 100
If you saved either the 2FA code key they give you when you first set it up, or the QR code image itself, an attacker would be able to use that to bypass 2FA.


I encrypt them with gpg immediately. I wouldn't say that is the weak point...
hero member
Activity: 490
Merit: 500
One thing comes to my mind:
Thanks to what everybody has written, I could think that the only thing they could hack was the phone.
I read about some malware able to steal your session while you are logged in.
It is possible that I logged in on that night on my phone on Bitstamp. If they stole my session they would have been able to do what they did and they could have had access to my mail too, but that's just a hypothesis. My wife tells me she doesn't remember me playing on the phone, but I do remember having done something that night.

If you logged into Bitstamp on your phone, the hacker would have access to your login credentials, and if you accessed Gmail on the phone and also used it for 2FA, you were 100% compromised.
full member
Activity: 162
Merit: 100
One thing comes to my mind:
Thanks to what everybody has written, I could think that the only thing they could hack was the phone.
I read about some malware able to steal your session while you are logged in.
It is possible that I logged in on that night on my phone on Bitstamp. If they stole my session they would have been able to do what they did and they could have had access to my mail too, but that's just a hypothesis. My wife tells me she doesn't remember me playing on the phone, but I do remember having done something that night.
hero member
Activity: 728
Merit: 500
Did you store a backup of your 2FA secret somewhere that is accessible from the internet (such as on your main computer)? If the attacker somehow obtained your 2FA secret, he could have used that to generate his own, perfectly correct 2FA codes.

Alternatively, if your computer was already compromised at the time you activated 2FA, it is possible that some malware captured the 2FA secret at that point.

newbie
Activity: 9
Merit: 0
If you saved either the 2FA code key they give you when you first set it up, or the QR code image itself, an attacker would be able to use that to bypass 2FA.
full member
Activity: 162
Merit: 100
The IPs there are Tor servers so apparently Tor was used to hide the thief's real IP.

One thing I am wondering about here: Do you have a e-mail program on your phone? One where login credentials are stored?

It would be that they just compromised your phone there and leveraged that to rob you blind.

Quite possible for email. Less explicative for the bitstamp account and 2FA authentication...
full member
Activity: 162
Merit: 100
hero member
Activity: 490
Merit: 500
Update: On 2/22 I had an access to my gmail account from Cyprus... Never been there.

Hackers usually leverage servers all over the place to hide their tracks.
hero member
Activity: 490
Merit: 500
What email service do you use? Can you check your login/logout histories or IP addresses? Gmail allows this, but I'm not sure about others. Clearly this person had access to your email as well, to confirm the withdrawals.
Good point!
I only searched for emails, not for logins. The only problem is that I access from three devices, but I'll investigate.

I know that IP geolocation is not accurate, but according to Google I have had an access to my gmail account from France 12 hours ago and one from Romania one day ago (two countries I'm obviously not in).

Just thinking out loud. Some banks have region restrictions on payment cards. So for instance if your details are lost, they can't be used in, say, Asia. Not sure if Google has such features on Gmail, but limiting usage of Gmail to, say, only a certain country, or even a whitelist of IPs, might be a good idea. Not sure if that kind of stuff even exists with Gmail.

full member
Activity: 162
Merit: 100
What email service do you use? Can you check your login/logout histories or IP addresses? Gmail allows this, but I'm not sure about others. Clearly this person had access to your email as well, to confirm the withdrawals.
Good point!
I only searched for emails, not for logins. The only problem is that I access from three devices, but I'll investigate.

I know that IP geolocation is not accurate, but according to Google I have had an access to my gmail account from France 12 hours ago and one from Romania one day ago (two countries I'm obviously not in).

This could be misleading, but I now have a strong suspicion my gmail account is hacked. I have immediately changed my passwords and I will set up 2FA for that account.

Update: On 2/22 I had an access to my gmail account from Cyprus... Never been there.