Probably his roomate or someone else who was able to get access to his phone.
Don't be showing off your fancy bitcoin account with 2FA to all your friends...
Topic: Bad News. A guy with 2FA in Mt has been stolen for $7000+ (Read 1602 times)
Does accessing your wallet via your mobile phone increase the risk of getting hacked?
It's amazing that an account under 2FA in Mt.gox can be hacked. This guy found his money withdrawn on May 31, 2013. Someone changed his password and cancelled all 2FA in Security Center. He says he didn't use his mobile phone to get on Mt.gox. How did the hacker get his private key of 2FA??
It's so terrible which means the 2FA maybe not safe.
Link to this post:https://bitcointalk.org/index.php?topic=221098.0
It's so terrible which means the 2FA maybe not safe.
Link to this post:https://bitcointalk.org/index.php?topic=221098.0
My money is on keylogger on his machine or on any machine he used to access his account.
Stop leaving your Bitcoins out in the open on internet accounts, holy crap, don't people ever learn?
Thing is, I'm just as afraid to leave them on my computer.Paper wallets, but then those are moderately inconvenient. Still, it's what I use for larger BTC balances, at least until the hardware wallets come out.
Stop leaving your Bitcoins out in the open on internet accounts, holy crap, don't people ever learn?
+1
Stop leaving your Bitcoins out in the open on internet accounts, holy crap, don't people ever learn?
There is no unbreakable authentication method, but the problem with most methods is that they aren't fool-proof.
There are several ways to attack 2FA:
There are several ways to attack 2FA:
- Break the algorithm. Google Authenticator uses SHA-HMAC, so that's not the case here.
- The attacker discovered some exploit in Mt.Gox's server. Unless stories about hacked accounts start to pile up, that's also not the case.
- The phone was compromised. If the phone has access to the Mt.Gox password (e.g., it's stored in a password manager), malware or somebody with physical access to the phone could obtain both the password and the secret key.
- The device that was used to generate the secret key was compromised at the moment. Since you have to log into Mt.Gox to generate your secret key, it suffices to have a malware infection on that computer.
Actually I read about an interesting fifth way just the other day.
Because there's something like a 30 second window that the GA code is valid, someone stealing the code with something like a keylogger could re-use the code to do whatever he wants if he's fast enough after getting the code.
There is no unbreakable authentication method, but the problem with most methods is that they aren't fool-proof.
There are several ways to attack 2FA:
There are several ways to attack 2FA:
- Break the algorithm. Google Authenticator uses SHA-HMAC, so that's not the case here.
- The attacker discovered some exploit in Mt.Gox's server. Unless stories about hacked accounts start to pile up, that's also not the case.
- The phone was compromised. If the phone has access to the Mt.Gox password (e.g., it's stored in a password manager), malware or somebody with physical access to the phone could obtain both the password and the secret key.
- The device that was used to generate the secret key was compromised at the moment. Since you have to log into Mt.Gox to generate your secret key, it suffices to have a malware infection on that computer.
The "user" does not have a private key. Bitcoind uses shared wallets. If you got one private key, you got all private keys on the server.
Is it possible to get user's private key from exchange site?
No. Google Authenticator is not linked to Google. It's a local app on your smartphone (or desktop).
Possible physical compromise. Does he live with a room mate? Did he left his phone somewhere? Malware on phone?
They are all quite unlikely, but then again reports of 2FA hacks are very very rare.
They are all quite unlikely, but then again reports of 2FA hacks are very very rare.
It's amazing that an account under 2FA in Mt.gox can be hacked. This guy found his money withdrawn on May 31, 2013. Someone changed his password and cancelled all 2FA in Security Center. He says he didn't use his mobile phone to get on Mt.gox. How did the hacker get his private key of 2FA??
It's so terrible which means the 2FA maybe not safe.
Link to this post:https://bitcointalk.org/index.php?topic=221098.0
It's so terrible which means the 2FA maybe not safe.
Link to this post:https://bitcointalk.org/index.php?topic=221098.0
Jump to: