Pages:
Author

Topic: 63.73 BTC Hacked - Blockchain.info secured by 2FA - Starting security podcast? - page 4. (Read 15021 times)

hero member
Activity: 812
Merit: 1000
To the hacker:

I do have your login IP address and .edu email domain from a European country with Google.

I will be investigating this to the fullest extent allowable by law. Please contact me if you don't want this.

Best of luck. But your chances look really slim.

Maybe try to negotiate with him and give him 10% or something to have any shot at getting it back.
hero member
Activity: 658
Merit: 501
Also, how is my gmail logged into when it has 2FA Google Auth activated???

I sent you the link how one can bypass Gmail 2FA.

https://www.duosecurity.com/blog/bypassing-googles-two-factor-authentication

Just one method, but there are probably other ways. This technique allows one to access without notification.


Could it be that his 2FA email did come, but the attacker deleted it?

I think he is referring to Gmails 2FA through the google authenticator app on his cell and not blockchains email 2FA.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
Could it be that his 2FA email did come, but the attacker deleted it?
legendary
Activity: 2394
Merit: 1216
The revolution will be digital
You can send dust with a public note in blockchain.info, viewable by all.

It appears my gmail was logged into on 22-Nov. Google was supposed to send me a security notification to my phone and email, yet I received neither?

Also, how is my gmail logged into when it has 2FA Google Auth activated???





I think your blockchain.info 2FA was based on gmail and gmail 2FA was based on SMS verification. Am i correct ?
legendary
Activity: 1498
Merit: 1000
To the hacker:

I do have your login IP address and .edu email domain from a European country with Google.

I will be investigating this to the fullest extent allowable by law. Please contact me if you don't want this.
legendary
Activity: 1498
Merit: 1000
Well, would that may be possible via my Thunderbird ASP?

Still though, why did I receive NO notification of the suspicious login?

hero member
Activity: 658
Merit: 501
Also, how is my gmail logged into when it has 2FA Google Auth activated???


Here is one way how:
https://www.duosecurity.com/blog/bypassing-googles-two-factor-authentication



If your computer has a trojan keylogger and you are storing your backup on it all a hacker needs to do is capture your password to unlock your private keys without any need to verify 2FA with Google. The hacker can see and read back a history of everything you type on your computer while you are infected.

Once your computer is rooted you are completely owned. If your cellphone communicates with that infected computer in anyway it can also be compromised. 
legendary
Activity: 1498
Merit: 1000
You can send dust with a public note in blockchain.info, viewable by all.

It appears my gmail was logged into on 22-Nov. Google was supposed to send me a security notification to my phone and email, yet I received neither?

Also, how is my gmail logged into when it has 2FA Google Auth activated???



legendary
Activity: 1456
Merit: 1000
You already know what addresses your coins went to.  Im curious how sending additional dust will get these coins labelled.  Don't quite understand what that will accomplish.  Could someone please explain?

Thanks for the comments guys... PLEASE send dust to these addresses with a public comment marking them back to this thread..I have been trying to do so but it will not work for some reason. I am doing anything I can to get these coins labeled for all to see.


legendary
Activity: 1498
Merit: 1000
Thanks for the comments guys... PLEASE send dust to these addresses with a public comment marking them back to this thread..I have been trying to do so but it will not work for some reason. I am doing anything I can to get these coins labeled for all to see.

legendary
Activity: 1090
Merit: 1000
Blockchain does have the withdrawal password option if I remember right. Don't they also have an on screen keyboard that would defeat a keylogger? 
legendary
Activity: 1315
Merit: 1002
its over for you, sorry...you wanted anonymity, well you got it even when you are hacked and smashed....that is why everything needs a central authority, even BTC, otherwise its doomed..who would trust in that system...anyway...
legendary
Activity: 1078
Merit: 1014
How did I get this Keylogger? I am VERY careful and dont install anything that isnt virus checked.

Is is possible my IP Vanish software which uses Tor was compromised?
virus scan doesn't mean shit any competent hacker will crypt his malware to be undetectable to av and any half decent bot or rat can scan your computer for wallet.dat or anything bitcoin related in a few seconds, 90% its someone from ukraine or russia and you will never find them or your coins, sorry for the loss i' be suicidal over this
legendary
Activity: 1456
Merit: 1000
SMS 2FA is the key, that way they need to compromise your PC and have physical access to your phone.

fact is, i treated my blockchain.info as a WEB wallet, trusting them it was SECURE with 2FA alone.

it was not.

All someone needs can be found by hacking your PC and installing a keylogger.

they need no 2FA whatsoever if they then have your password.

legendary
Activity: 1456
Merit: 1000
Its tools like this solitude turd that perpetuate the problems inherent with BTC now.  I'm glad to see that the majority of users here sympathize with Statdude and are actually providing advice and trying to help.

What the fuck do you want us to do about it faggot?  You dun goofed son.

This isn't reddit, we don't upvote faggots for being retards here.

this post does not represent the majority, security is a learning process, our time is finite
hero member
Activity: 874
Merit: 1000
if the hacker is here... please contact me... and sleep with a clean conscience, and no fear of being caught
Wow!  You are a real optimist man.  At least you'll be able to dream up some 'bright side' to think about from this point.
legendary
Activity: 1148
Merit: 1014
In Satoshi I Trust
dont think that blockchain is not secure but that your computer has team viewer, maleware or TOR installed. or several people have access to your pc etc etc
hero member
Activity: 658
Merit: 501
Have there ever been any cases where Microsoft were held accountable/compensated for security flaws in their OS?

Your thinking about security wrong. All Turing complete devices are susceptible to security flaws. The only way to have a good degree of confidence is by using single purpose security devices (hardware wallets), paperwallets, or multisig where some of the key are in cold storage.

Even if one had 2fa SMS a compromised computer could transmit a worm to the victims cellphone when it was plugged in or connected to the same network.

You can only have a certain degree of confidence in security and 100% confidence never applies to any system or industry.
hero member
Activity: 686
Merit: 500
HYPER project manager and PR + GoldPieces [GP]
If you have a Keylogger on your computer the only thing that will stop unauthorised withdrawals is SMS 2fa - which I understand blockchain.info offers.

If you only have email 2fa the hacker just needs to wait until you login to your email service and they have the password. Then they wait until you log into your blockchain.info account and they have all they need. They could even delete the email from your email account after authorising the transaction.

Note, a keylogger will also give someone access to your local wallet passphrase too. It happened to someone I know and they lost a couple hundred thousand dollars worth. Keyloggers are very very dangerous.

What I am not sure about is if a malicious user gets your blockchain.info login details and you have SMS 2Fa activated can they still grab the private key. That would totally defy the purpose of SMS 2fa so I assume not but I am not sure.

Me too? But surely possible to "clone" somebodies sim card remotely?


I prefer Yubikey for 2FA on blockchain. Cell phones are too accessible
full member
Activity: 238
Merit: 100
If you have a Keylogger on your computer the only thing that will stop unauthorised withdrawals is SMS 2fa - which I understand blockchain.info offers.

If you only have email 2fa the hacker just needs to wait until you login to your email service and they have the password. Then they wait until you log into your blockchain.info account and they have all they need. They could even delete the email from your email account after authorising the transaction.

Note, a keylogger will also give someone access to your local wallet passphrase too. It happened to someone I know and they lost a couple hundred thousand dollars worth. Keyloggers are very very dangerous.

What I am not sure about is if a malicious user gets your blockchain.info login details and you have SMS 2Fa activated can they still grab the private key. That would totally defy the purpose of SMS 2fa so I assume not but I am not sure.

Me too? But surely possible to "clone" somebodies sim card remotely?
Pages:
Jump to: