Topic: BitMarket.Eu has closed down - page 38. (Read 204067 times)

using Google as an Authenticator is like using the Russian Mafia as en Escrow

Thanks, I've added info about HTML5 version to the post.

There is also a web app implementation that works in Opera Mobile, which means that you can do Google Auth on Nokia (Symbian) phones. (May also work in IE on Windows Phone Nokias, haven't tried it.)

See this thread: https://bitcointalksearch.org/topic/how-to-use-2-factor-auth-on-mtgox-even-without-a-smartphone-111943

Thanks for pointing this out .

Same page, just in English: http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447

BitMarket.eu now supports two-factor authentication

A long overdue security feature is now implemented on BitMarket.eu: two-factor authentication. This greatly enhances your account security, by letting you log in to your account only after entering time-based generated token, in addition to your account password. I encourage every user, especially everyone who use BitMarket.eu to store their Bitcoins to enable this feature. You can find it after loggin in, under Account section -> Security tab.

To use two-factor authentication, you must have a compatible smartphone which runs Google Authenticator, a free application from Google that implements open TOTP (time-based one time passwords) standard. More information about how to get this application can be found on Google support site. This app is compatible with Android, iOS and Blackberry platforms. Alternatively, you can use open source HTML5 implementation of Google Authenticator. It has been packaged using Adobe PhoneGap framework and can be downloaded here. HTML5 version supports Android, Windows Phone, webOS and Symbian.

Note that you will be asked for the token on every login, so you must your device with you every time you want to log in to your account. You will also be asked for the token if you want to disable two-factor authentication, and if you forget your password.

What happens if you lose your device? When enabling this feature, you will be presented with a one-time, unique, 16-character recovery code. Please write it down on paper and store it somewhere safe. In a event of losing your smartphone this recovery code will enable you to access your account.

If you have any questions, or suggestions regarding this feature, feel free to speak up.

http://images2.fanpop.com/image/photos/9300000/Fry-Icon-philip-j-fry-9365666-190-190.jpg

Maybe it is worth to new accounts (without positive trades) lock withdrawal or confirm withdrawals manualy?

In your case, attacker hit the withdrawal security measure, and couldn't withdraw your funds, so he just left them. I have restored your funds and reverted the transactions, but because this was done "by hand", it could look a bit weird from your accounts perspective.

The accounts were created in the day of attack, so yes, they're just sockpuppets.

That is quite weird then… But as I said, my password is unique, and can't be keylogged. It could be detected by a compromised browser or other software, in theory.

The people on the other side of the confirmed and cancelled transactions are all sockpuppets, I assume?
Interestingly, there is one account that had 2 transactions with me, one of which was cancelled and one of which was confirmed.

Yes, I'm sure, because I have detailed access logs. There were no attempts of any SQL injection. All I saw in logs was just a user (behind TOR) logging into accounts like they usually do. He tried different accounts that he had login details to, and if given account was empty, he just left. After he logged in to a account with some money, he'd make a sell offer on it. Then, in logs I have URLs like these:

http://bitmarket.eu/transactions/confirm/[transaction_id]

Which are exactly the same URLs your browsers is directed to when you confirm a transaction. These only work from account that is a seller in given transaction, knowing TX ID wouldn't let to confirm transaction in which you're not the seller.

Edit: Here you have an except from my logs (user info redacted):


These logs can't be accessed via web, only via secure shell connection. Separate logs for SSH connections show no sign of logins that were not made my me.

Edit 2: On Bitmarket.eu server, Bitcoin client lives on a separate user with no permissions to view anything else than the wallet. Apache (web) user also doesn't have permissions to read anything outside of site's main directory. So even if attacker could find an exploit to these, he couldn't get user passwords from it.

Are you sure there were password breaches at all? My transactions were confirmed/cancelled, but the Bitcoins actually in my account were untouched. That's why it seems to me that the attacker merely has some method to confirm/cancel transactions, which sounds to me like SQL injection (perhaps not, if you have ORM and parametrized queries) or XSS. But I'm not a professional at that, xalex could probably describe/test more attack vectors.


Great Wouldn't help if the problem lies somewhere else, but it's still a very good thing to have.

About Google Authenticator, I will implement it as soon as possible, probably even in this week.

While there could be a chance of that (which I highly doubt because I use an ORM layer and parametrized queries while accessing the DB), the passwords are hashed with SHA-256 and double salted (site-global and per-user unique salts). There's just no way to extract passwords from these hashes in reasonable time even if there was a hole in site's code.

I spent whole day yesterday examining if there's a fault somewhere in Bitmarket's source or server software. I found nothing that could give the attacker knowledge of Bitmarket's members passwords.

I have checked my account. I can guarantee my password is not used on any other site, and can also not be keylogged.

My Bitcoins are still there, but, five of my transactions are marked as confirmed (22392, 22403, 22406, 22411, 22415), and one is marked as cancelled (22470). The confirmed ones total 24 Bitcoins, the cancelled one would have been 203 Bitcoins if that had been confirmed. Did I dodge a bullet there?
There are four usernames in the confirmed/cancelled transactions. I have received no transactions for these, although by this time they should have arrived on my bank account.


This is a serious issue, I repeat, my password is cryptographically generated and not used anywhere else, and not typed in on a keyboard either.


Edit: Removed all my Bitcoins from the exchange until this is figured out, or until two-factor auth is implemented. I suggest Google Authenticator. Very easy to set up, on the server side as well as the client.
I would also like to suggest having your site pentested. It sounds to me like you have an SQL injection or XSS issue. Here is someone I trust that can help you: https://bitcointalksearch.org/topic/web-application-penetration-test-service-ethical-hacking-96015

Ok, changed password but and found out that i lost 10 btc...

    

Does BitMarkte.Eu offer multi-factor auth?

[Edit: Inner quotation presumed from message context.]

Thanks for kind words. If someone wants to donate for this cause, you can do it using this address: 1LYSAkN7tKAiQczjhQh2eitqyGirW2Y3uX.

Ok, changed password and found out that my bitcoins were already marked as confirmed (to the people that paid me). So I assume they received my coins ok?

Thank you for your update. Every time that the Bitmarket page is unavailable since December 2011 I'm afraid someone hacked it. I'm paranoid like that and try to not keep more than small amounts at any exchange. Even for the reason that it closes down like Tradehill. I am very glad that the service worked so well for all that time and I think you are very good concerning security so far.

It says 0 donated on my account but I've sent some donations to the donation address manually because I really appreciate the service you are offering. I would be glad to send more donations in the future and I think it would be a good idea for you to post an extra donation address for us to send whatever little we want to at least partly compensate those robbed customers. I know some customers have used passwords more than once but if you don't want to lose those, it would be a good idea to at least try to make up for their losses.

Willing to do my modest part. Once again, thank you for running the service on voluntary donations.