Edit: Session Fixation attacks, based on my cursory understanding, would not be limited by the use of 2FA.
However, after the compromise I both enabled 2FA and deposited some BTC in the account. BTC is still there.
It's just unclear what happened. Buyer beware.
Hello, everyone.
I wanted to let everyone know about the compromise of my GLBSE account on 8/23.
The price dip for ASICMINER indeed resulted from the compromise of my account. 3000 shares were sold at 17:00 GLBSE time (?) for approximately 23 BTC.
The most important message I have for you is that GLBSE is not secure without 2FA enabled. I had recently created the GLBSE account for the specific purpose of owning ASICMINER. The account was created on a system lacking any prior security compromises. The account password was a new, unused 14 character, mixed case, mixed character class.
Taking responsibility for the fact 2FA was not enabled on my account contributed to the theft of the shares. On the flip side of this GLBSE is a dangerous place for the uninitiated with Google 2FA. I say this since my impression was that Google 2FA was only available to smart phone users. This is why I didn't use it.
Nefario has investigated GLBSE logs in attempt to establish any pattern or method used to compromise the account. Nefario's judgement is that it is unclear how my account was compromised. Nefario gave no further information regarding IP accesses, but only suggested that:
From what I can tell the only thing that would allow someone access would be a session fixation attack, where they set the session id in your browser for GLBSE to something they know. Then when you login to GLBSE they can just use the site as you (because you're using their session).
There are a number of possible reactions to what I've said. Such as,
1. Use 2FA, stupid.
My use case is pretty clearly stated above. If you don't tell users it's dangerous not to use 2FA, and at the same time not provide the links to any necessary security software that is 3rd party OSS and not supplied by Google directly, then there is a certain element of negligence on the part of GLBSE.
In fact, if it's so dangerous, evidenced by my predicament, GLBSE should not allow account creations without the use of the Google 2FA.
2. GLBSE negligence you say? Hog-wash.
No, GLBSE is a financial institution and should not leave it's users unaware and unprepared - which, yes, requires a higher level of user notification and security
requirements - only to be raped.
Food for thought. Do you think Bank of America Web portals are vulnerable to Nefario's suggestion of Session Fixation? If that were the case my BoA account would be f'ed right now.
It isn't. And none of any other my important online accounts have been tampered with.
Nefario's position is the same as past incidents of this nature involving shareholders. I presented the option to Nefario of me reimbursing those who purchased the ASICMINER shares as a result of the compromise in exchange for the recall/reversal of the share sale. Nefario declined any share reversals.
A 22 BTC theft costing me both a good investment opportunity and a $3000+ debt to the security issuer.
I sincerely wish ASICMINER success. Enjoy
my the cheap shares.
)