Topic: Bad News. A guy with 2FA in Mt has been stolen for $7000+ (Read 1619 times)

hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
Probably his roommate or someone else who was able to get access to his phone.

Don't be showing off your fancy bitcoin account with 2FA to all your friends...
full member
Activity: 242
Merit: 110
Does accessing your wallet via your mobile phone increase the risk of getting hacked?
legendary
Activity: 2702
Merit: 1468
It's amazing that an account under 2FA in Mt.gox can be hacked. This guy found his money withdrawn on May 31, 2013. Someone changed his password and cancelled all 2FA in Security Center. He says he didn't use his mobile phone to get on Mt.gox. How did the hacker get his private key of 2FA??
It's so terrible, which means the 2FA may not be safe.

Link to this post: https://bitcointalk.org/index.php?topic=221098.0

My money is on a keylogger on his machine or on any machine he used to access his account.
legendary
Activity: 1400
Merit: 1005
Stop leaving your Bitcoins out in the open on internet accounts, holy crap, don't people ever learn?
Thing is, I'm just as afraid to leave them on my computer.

Paper wallets, but then those are moderately inconvenient.  Still, it's what I use for larger BTC balances, at least until the hardware wallets come out.
member
Activity: 108
Merit: 10
Stop leaving your Bitcoins out in the open on internet accounts, holy crap, don't people ever learn?

+1
legendary
Activity: 1540
Merit: 1000
Stop leaving your Bitcoins out in the open on internet accounts, holy crap, don't people ever learn?
newbie
Activity: 31
Merit: 0
There is no unbreakable authentication method, but the problem with most methods is that they aren't fool-proof.

There are several ways to attack 2FA:

  • Break the algorithm. Google Authenticator uses SHA-HMAC, so that's not the case here.
  • The attacker discovered some exploit in Mt.Gox's server. Unless stories about hacked accounts start to pile up, that's also not the case.
  • The phone was compromised. If the phone has access to the Mt.Gox password (e.g., it's stored in a password manager), malware or somebody with physical access to the phone could obtain both the password and the secret key.
  • The device that was used to generate the secret key was compromised at the moment. Since you have to log into Mt.Gox to generate your secret key, it suffices to have a malware infection on that computer.

Actually I read about an interesting fifth way just the other day.

Because there's something like a 30 second window that the GA code is valid, someone stealing the code with something like a keylogger could re-use the code to do whatever he wants if he's fast enough after getting the code.
full member
Activity: 231
Merit: 100
There is no unbreakable authentication method, but the problem with most methods is that they aren't fool-proof.

There are several ways to attack 2FA:

  • Break the algorithm. Google Authenticator uses SHA-HMAC, so that's not the case here.
  • The attacker discovered some exploit in Mt.Gox's server. Unless stories about hacked accounts start to pile up, that's also not the case.
  • The phone was compromised. If the phone has access to the Mt.Gox password (e.g., it's stored in a password manager), malware or somebody with physical access to the phone could obtain both the password and the secret key.
  • The device that was used to generate the secret key was compromised at the moment. Since you have to log into Mt.Gox to generate your secret key, it suffices to have a malware infection on that computer.
vip
Activity: 1316
Merit: 1043
👻
The "user" does not have a private key. Bitcoind uses shared wallets. If you got one private key, you got all private keys on the server.
newbie
Activity: 44
Merit: 0
Is it possible to get user's private key from exchange site?
vip
Activity: 1316
Merit: 1043
👻
No. Google Authenticator is not linked to Google. It's a local app on your smartphone (or desktop).
legendary
Activity: 1106
Merit: 1026
Google 2FA is linked to the Google account, correct? Which means, if you take over the Google account, you pass 2FA. Maybe he used the same password on both? Or both of them were keylogged or stolen?
vip
Activity: 1316
Merit: 1043
👻
Possible physical compromise. Does he live with a roommate? Did he leave his phone somewhere? Malware on phone?

They are all quite unlikely, but then again reports of 2FA hacks are very very rare.
newbie
Activity: 44
Merit: 0
It's amazing that an account under 2FA in Mt.gox can be hacked. This guy found his money withdrawn on May 31, 2013. Someone changed his password and cancelled all 2FA in Security Center. He says he didn't use his mobile phone to get on Mt.gox. How did the hacker get his private key of 2FA??
It's so terrible, which means the 2FA may not be safe.

Link to this post: https://bitcointalk.org/index.php?topic=221098.0