Topic: How Secure is 2-step verification (Read 852 times)

sr. member
Activity: 350
Merit: 252
REAL-EYES || REAL-IZE || REAL-LIES||
April 19, 2014, 03:55:49 AM
#24
and if they successfully installed the keylogger and were able to know your email address then they can steal your coins even though you have 2FA
First I want to say it feels like you are drunk with all those typos in your post, and second I would like to say that it depends what kind of 2FA you are using: if it is email address then it is worthless in many cases..! Because then you are not only giving away the password on one particular service but giving away details of your email account too.
hero member
Activity: 525
Merit: 500
April 18, 2014, 09:27:06 AM
#23
There are different types of two factor so it depends. If you've got a keylogger, using your email address might not be a good idea.

Yeah mobile verification is pretty safe. Gaining access to your phone is much harder than email.

That's why I like to use blockchain.info for the mobile verification.
hero member
Activity: 756
Merit: 500
April 18, 2014, 08:53:45 AM
#22
There are different types of two factor so it depends. If you've got a keylogger, using your email address might not be a good idea.

Yeah mobile verification is pretty safe. Gaining access to your phone is much harder than email.
hero member
Activity: 840
Merit: 509
April 18, 2014, 05:49:26 AM
#21
There are different types of two factor so it depends. If you've got a keylogger, using your email address might not be a good idea.
sr. member
Activity: 266
Merit: 250
if you want something do something!!!
April 18, 2014, 01:44:49 AM
#20
and if they successfully installed the keylogger and were able to know your email address then they can steal your coins even though you have 2FA
cp1
hero member
Activity: 616
Merit: 500
Stop using brainwallets
April 18, 2014, 01:29:30 AM
#19
The only way would be to steal your 2 factor secret code or to use a man in the middle attack.  It's much more likely that they get into your account through means other than directly logging in.
legendary
Activity: 3766
Merit: 1217
April 18, 2014, 01:21:44 AM
#18
Consider it could be a corrupt admin of the online service you use.  Can't protect against that other than keeping your coins in your own wallet.

I thought that localbitcoins.com was a very reliable and trusted site. But after the Mt Gox fiasco, I am not going to trust anyone too much. In this case, the fiat was being converted to BTC, and was stolen at this stage. So... keeping the coins in an offline wallet argument doesn't matter here.  
hero member
Activity: 770
Merit: 500
April 18, 2014, 01:19:51 AM
#17
I once updated my Android device and it fucked up the Google Authenticator, but I had screenshots of all the QR codes, so it's better to save the QR codes or secret key to keep you out of trouble.
I have a nice backup of all the required info offline on multiple hard drives and also some on paper.

That's a good strategy to save yourself.
sr. member
Activity: 350
Merit: 252
REAL-EYES || REAL-IZE || REAL-LIES||
April 18, 2014, 01:07:10 AM
#16
I once updated my Android device and it fucked up the Google Authenticator, but I had screenshots of all the QR codes, so it's better to save the QR codes or secret key to keep you out of trouble.
I have a nice backup of all the required info offline on multiple hard drives and also some on paper.
hero member
Activity: 770
Merit: 500
April 18, 2014, 01:04:19 AM
#15
I once updated my Android device and it fucked up the Google Authenticator, but I had screenshots of all the QR codes, so it's better to save the QR codes or secret key to keep you out of trouble.
sr. member
Activity: 350
Merit: 252
REAL-EYES || REAL-IZE || REAL-LIES||
April 18, 2014, 12:59:33 AM
#14
Or the hackers succeed in stealing my mobile number, or any other device used in the process..!

Unless you've rooted your phone or done some crazy crap to it, it's unlikely that hackers will have access to your phone. It's far more probable you lose your phone/it gets stolen. Even then you should be able to request a new 2FA be set up and you're good to go (remember to back up your secret key by printing it out or writing it down).
Yeah I know the probability of someone stealing my mobile to get past 2FA is on the very low side, but we never know, maybe a person sitting next to me becomes greedy and ....!
hero member
Activity: 742
Merit: 502
Circa 2010
April 18, 2014, 12:55:39 AM
#13
Or the hackers succeed in stealing my mobile number, or any other device used in the process..!

Unless you've rooted your phone or done some crazy crap to it, it's unlikely that hackers will have access to your phone. It's far more probable you lose your phone/it gets stolen. Even then you should be able to request a new 2FA be set up and you're good to go (remember to back up your secret key by printing it out or writing it down).
sr. member
Activity: 350
Merit: 252
REAL-EYES || REAL-IZE || REAL-LIES||
April 18, 2014, 12:49:33 AM
#12
Well if someone gets your session key they are pretty much logged in already, no 2FA can help you there. Withdrawal should always be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well, the usual:

- don't stay logged in after you are done
- don't click any strange links. Best thing would probably be to not click links at all, but I don't think that's feasible
I got a good topic to study now..! Will collect all the required info about session keys to know more about it and how to avoid falling into the trap..! I can't even ask for links :p as you mentioned, don't click links :p

Probably a good way to start researching are the Steam hacks or Steam account hijacks. People take over Steam accounts with just a link clicked from within Steam chat. And Steam uses this 2FA auth system if you want to log in on a new system. They send you a mail with a code that's valid for only a short period of time. And even if you get that person's Steam password and mail password you have to wait 14 days on the new system to trade. But people get robbed all the time.
Pointing out a flaw in a system is always easier than building a system and maintaining it..! This is what hackers do. A coder builds a site from scratch like a builder builds a building, then after the builder finishes the building someone comes to inspect it and tells him that there is some flaw in the wiring and the whole building might catch fire if not repaired..! Same story with hackers: they look into the website, find a flaw and exploit any vulnerability they find..!
It's very hard to create a flawless system...
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
April 18, 2014, 12:39:59 AM
#11
Well if someone gets your session key they are pretty much logged in already, no 2FA can help you there. Withdrawal should always be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well, the usual:

- don't stay logged in after you are done
- don't click any strange links. Best thing would probably be to not click links at all, but I don't think that's feasible
I got a good topic to study now..! Will collect all the required info about session keys to know more about it and how to avoid falling into the trap..! I can't even ask for links :p as you mentioned, don't click links :p

Probably a good way to start researching are the Steam hacks or Steam account hijacks. People take over Steam accounts with just a link clicked from within Steam chat. And Steam uses this 2FA auth system if you want to log in on a new system. They send you a mail with a code that's valid for only a short period of time. And even if you get that person's Steam password and mail password you have to wait 14 days on the new system to trade. But people get robbed all the time.


sr. member
Activity: 350
Merit: 252
REAL-EYES || REAL-IZE || REAL-LIES||
April 18, 2014, 12:36:59 AM
#10
I use 2-step login verification in almost every online service which provides it..! I want to know, is it possible for someone to invade 2-step verification while logging in..! I mean if someone uses phishing they can get my password; is it possible to do any similar kind of trick to get past 2-step verification? If yes, how to protect? Yeah I know I have to be very conscious about every link I click and every page I visit, but other than that?

For a time-based 2FA, unless they have the secret you've shared, there's no way they will be able to brute-force it before it changes. I suppose they could guess it, but it's like a 1 in 999,999 chance literally to get it right. Basically, it means you're far safer having 2FA than with just a password alone - the only way you'll be compromised is a server-side flaw, a scam by the site owner, or you lose your secret key and your password to the same person.
Or the hackers succeed in stealing my mobile number, or any other device used in the process..!
sr. member
Activity: 350
Merit: 252
REAL-EYES || REAL-IZE || REAL-LIES||
April 18, 2014, 12:33:32 AM
#9
Well if someone gets your session key they are pretty much logged in already, no 2FA can help you there. Withdrawal should always be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well, the usual:

- don't stay logged in after you are done
- don't click any strange links. Best thing would probably be to not click links at all, but I don't think that's feasible
I got a good topic to study now..! Will collect all the required info about session keys to know more about it and how to avoid falling into the trap..! I can't even ask for links :p as you mentioned, don't click links :p
hero member
Activity: 742
Merit: 502
Circa 2010
April 18, 2014, 12:32:51 AM
#8
I use 2-step login verification in almost every online service which provides it..! I want to know, is it possible for someone to invade 2-step verification while logging in..! I mean if someone uses phishing they can get my password; is it possible to do any similar kind of trick to get past 2-step verification? If yes, how to protect? Yeah I know I have to be very conscious about every link I click and every page I visit, but other than that?

For a time-based 2FA, unless they have the secret you've shared, there's no way they will be able to brute-force it before it changes. I suppose they could guess it, but it's like a 1 in 999,999 chance literally to get it right. Basically, it means you're far safer having 2FA than with just a password alone - the only way you'll be compromised is a server-side flaw, a scam by the site owner, or you lose your secret key and your password to the same person.
hero member
Activity: 966
Merit: 513
April 18, 2014, 12:26:11 AM
#7
*THIS* is why we can't have nice things.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
April 18, 2014, 12:20:55 AM
#6
Well if someone gets your session key they are pretty much logged in already, no 2FA can help you there. Withdrawal should always be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well, the usual:

- don't stay logged in after you are done
- don't click any strange links. Best thing would probably be to not click links at all, but I don't think that's feasible

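Posts #8 and #6 above describe the two sides of this: a time-based code cannot realistically be guessed before it changes, yet a stolen session key bypasses login 2FA entirely, so a withdrawal should demand its own confirmation. The Python below is an added example, not code from the thread or from any site named in it; it uses the RFC 6238 test secret so the codes have known answers, and the `Verifier`, `withdraw`, `logout` and `SESSIONS` names are constructed for the demo.

```python
import hashlib, hmac, struct

# RFC 6238 test secret (known answers for the demo); a real service generates a random per-user secret.
SECRET = b"12345678901234567890"
STEP = 30           # time step in seconds (RFC 6238 default)
DIGITS = 6          # six-digit code: one million possibilities per step
MAX_ATTEMPTS = 5    # wrong codes tolerated per time window before refusing

def totp(secret: bytes, t: int) -> str:
    """TOTP (RFC 6238): HOTP (RFC 4226) over the counter t // STEP."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: accept the current step and its neighbours (clock skew),
    treat every code as single-use, and throttle guessing per window."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = {}   # window -> wrong attempts seen in that window
        self.used = set()    # counters whose code has already been accepted

    def verify(self, code: str, now: int) -> bool:
        window = now // STEP
        if self.failures.get(window, 0) >= MAX_ATTEMPTS:
            return False     # throttled: a million guesses will not fit in 30 s
        for c in (window - 1, window, window + 1):
            expected = totp(self.secret, c * STEP)
            if c not in self.used and hmac.compare_digest(expected, code):
                self.used.add(c)
                return True
        self.failures[window] = self.failures.get(window, 0) + 1
        return False

SESSIONS = {"tok-alice": "alice"}   # constructed in-memory session store
def logout(token: str) -> None:
    SESSIONS.pop(token, None)        # "don't stay logged in after you are done"

def withdraw(token: str, code: str, now: int, verifier: Verifier) -> str:
    """A stolen session must not be enough to move funds: the withdrawal
    itself demands a fresh code, and a code replayed from login is refused."""
    if token not in SESSIONS:
        return "denied: no session"
    if not verifier.verify(code, now):
        return "denied: second factor"
    return "ok"
```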
sr. member
Activity: 350
Merit: 252
REAL-EYES || REAL-IZE || REAL-LIES||
April 18, 2014, 12:19:29 AM
#5
Check this:

https://coinreport.net/localbitcoins-report-stolen-funds/

Quote
On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong.

Having a 2FA does not always guard you from robbery and hacking.
I know it's not like if I'm using 2FA then no one can hack me...! But I want to know what techniques they might use..? Like to get my password they can easily get it through a phishing link or keylogs, but how do they invade 2FA..? Because I'm getting the OTP on my mobile.

Consider it could be a corrupt admin of the online service you use.  Can't protect against that other than keeping your coins in your own wallet.
Hmm.... So that is the worst case scenario. No one can protect me if that's the case..! But other than that I hope I'm secure from other filthy hackers that send phishing mails and malicious software to get my ID/Pass.