How Secure is 2-step verification | Bitcointalksearch.org

rohnearner

sr. member

Activity: 350

Merit: 252

REAL-EYES || REAL-IZE || REAL-LIES||

Quote from: jodybay on April 18, 2014, 02:44:49 AM

and if they successfully installed the key logger and got al
ble to know your email address hthen they can steal your couns even though you have a 2FA

First I want to say it feels like you are drunk with all those typos in your post and second I would like to say that it depends what kind of 2FA you are using if it is email address than it is worthless in many cases..! because than you are not only giving away Password on one particular service but giving away details of your email acc/ too

Rampton

hero member

Activity: 525

Merit: 500

Quote from: Dogtanian on April 18, 2014, 09:53:45 AM

Quote from: yatsey87 on April 18, 2014, 06:49:26 AM

There are different types of two factor so it depends. If you've got a keylogger using your email address might not be a good idea.

Yeah mobile verification is pretty safe. Gaining access to your phone is much harder than email.

That's why I like to use blockchain.info for the mobile verifivcation.

Dogtanian

hero member

Activity: 756

Merit: 500

Quote from: yatsey87 on April 18, 2014, 06:49:26 AM

There are different types of two factor so it depends. If you've got a keylogger using your email address might not be a good idea.

Yeah mobile verification is pretty safe. Gaining access to your phone is much harder than email.

yatsey87

hero member

Activity: 840

Merit: 509

There are different types of two factor so it depends. If you've got a keylogger using your email address might not be a good idea.

jodybay

sr. member

Activity: 266

Merit: 250

if you want something do something!!!

and if they successfully installed the key logger and got al
ble to know your email address hthen they can steal your couns even though you have a 2FA

cp1

hero member

Activity: 616

Merit: 500

Stop using branwallets

The only way would be to steal your 2 factor secret code or to use a man in the middle attack. It's much more likely that they get into your account through means other than directly logging in.

bryant.coleman

legendary

Activity: 3752

Merit: 1217

Quote from: Vod on April 18, 2014, 01:16:23 AM

Consider it could be a corrupt admin of the online service you use. Can't protect against that other than keeping your coins in your own wallet.

I thought that localbitcoins.com was a very reliable and trusted site. But after the Mt Gox fiasco, I am not going to trust anyone too much. In this case, the fiat was being converted to BTC, and was stolen at this stage. So... keeping the coins in an offline wallet argument doesn't matter here.

Equate

hero member

Activity: 770

Merit: 500

Quote from: rohnearner on April 18, 2014, 02:07:10 AM

Quote from: Equate on April 18, 2014, 02:04:19 AM

I once updated my Android device and it fucked up the Google authenticator but I had screen shots of all the QR codes so it's better to save QR codes or secret key to prevent you from trouble.

I have a nice backup of all the required info offline in multiple hard drives and also some on paper.

that's good strategy to save yourself .

rohnearner

sr. member

Activity: 350

Merit: 252

REAL-EYES || REAL-IZE || REAL-LIES||

Quote from: Equate on April 18, 2014, 02:04:19 AM

I once updated my Android device and it fucked up the Google authenticator but I had screen shots of all the QR codes so it's better to save QR codes or secret key to prevent you from trouble.

I have a nice backup of all the required info offline in multiple hard drives and also some on paper.

Equate

hero member

Activity: 770

Merit: 500

I once updated my Android device and it fucked up the Google authenticator but I had screen shots of all the QR codes so it's better to save QR codes or secret key to prevent you from trouble.

rohnearner

sr. member

Activity: 350

Merit: 252

REAL-EYES || REAL-IZE || REAL-LIES||

Quote from: Light on April 18, 2014, 01:55:39 AM

Quote from: rohnearner on April 18, 2014, 01:36:59 AM

Or the hackers succeed to steal my mobile number, or any other device used in process..!

Unless you've rooted your phone or done some crazy crap to it it's unlikely that hackers will have access to your phone. It's far more probable you lose your phone/it gets stolen. Even then you should be able to request a new 2FA be set up and you're good to go (remember to backup your secret key by printing it out or writing it down).

Yeah i know the probability of someone stealing my mobile to get pass 2FA is on very lower side , but we never know maybe a person sitting next to me becomes greedy and ....!

Light

hero member

Activity: 742

Merit: 502

Circa 2010

Quote from: rohnearner on April 18, 2014, 01:36:59 AM

Or the hackers succeed to steal my mobile number, or any other device used in process..!

Unless you've rooted your phone or done some crazy crap to it it's unlikely that hackers will have access to your phone. It's far more probable you lose your phone/it gets stolen. Even then you should be able to request a new 2FA be set up and you're good to go (remember to backup your secret key by printing it out or writing it down).

rohnearner

sr. member

Activity: 350

Merit: 252

REAL-EYES || REAL-IZE || REAL-LIES||

Quote from: shorena on April 18, 2014, 01:39:59 AM

Quote from: rohnearner on April 18, 2014, 01:33:32 AM

Quote from: shorena on April 18, 2014, 01:20:55 AM

Well if someone gets your session key they are pretty much logged in allready, no 2fa can help you there. Withdrawal should allways be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well the usual

- dont stay logged in after you are done
- dont click any strange links. Best thing would probably to not click links at all, but I dont think thats feasible

I got a good topic to study now..! will collect all the required info about session key to know more about it and how to avoid falling in trap..! I can't even ask for links :p as you mentioned don't click links :p

Probably a good way to start researching are the steam hacks or steam account hijacks. People take over steam accounts with just a link clicked from within steam chat. And steam uses this 2fa auth system if you want to login on a new system. They send you a mail with a code thats valid for only a short period of time. And even if you get that persons steam password and mail password you have to wait 14 days on the new system to trade. But people get robbed all the time.

Pointing a flaw in a system is always easier than building a system and maintaining it..! this is what hackers do , A coder builds a site from a scratch like a builder builds a building , than after builder finishes the building someone comes to inspection and tells him that there is a some flaw in wiring and the whole building might catch the fire if not repaired..! same story is with hackers they look into the website and finds flaw and exploits any vulnerability they find..!
Its very hard to create a flawless system...

shorena

copper member

Activity: 1498

Merit: 1528

No I dont escrow anymore.

Quote from: rohnearner on April 18, 2014, 01:33:32 AM

Quote from: shorena on April 18, 2014, 01:20:55 AM

Well if someone gets your session key they are pretty much logged in allready, no 2fa can help you there. Withdrawal should allways be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well the usual

- dont stay logged in after you are done
- dont click any strange links. Best thing would probably to not click links at all, but I dont think thats feasible

I got a good topic to study now..! will collect all the required info about session key to know more about it and how to avoid falling in trap..! I can't even ask for links :p as you mentioned don't click links :p

Probably a good way to start researching are the steam hacks or steam account hijacks. People take over steam accounts with just a link clicked from within steam chat. And steam uses this 2fa auth system if you want to login on a new system. They send you a mail with a code thats valid for only a short period of time. And even if you get that persons steam password and mail password you have to wait 14 days on the new system to trade. But people get robbed all the time.

rohnearner

sr. member

Activity: 350

Merit: 252

REAL-EYES || REAL-IZE || REAL-LIES||

Quote from: Light on April 18, 2014, 01:32:51 AM

Quote from: rohnearner on April 18, 2014, 12:49:26 AM

I use 2-step Login verification in almost every online service which provides it..! I want to know is it possible for someone to invade 2-step verification while logging in..! I mean if someone uses phishing they can get my password is it possible to do any similar kind of trick to get pass 2-stop verification .? If yes how to Protect Yeah I know I have to be very conscious about every link I click and every Page I visit but other than that.?

For a time based 2FA unless they have the secret you've shared there's no way they will be able to brute-force it before it changes. I suppose they could guess it, but it's like a 1 in 999,999 chance literally to get it right. Basically, it means you're far safer having 2FA than with just a password alone - the only way you'll be compromised is a server side flaw, a scam by the site owner, you lose your secret key and your password to the same person.

Or the hackers succeed to steal my mobile number, or any other device used in process..!

rohnearner

sr. member

Activity: 350

Merit: 252

REAL-EYES || REAL-IZE || REAL-LIES||

Quote from: shorena on April 18, 2014, 01:20:55 AM

Well if someone gets your session key they are pretty much logged in allready, no 2fa can help you there. Withdrawal should allways be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well the usual

- dont stay logged in after you are done
- dont click any strange links. Best thing would probably to not click links at all, but I dont think thats feasible

I got a good topic to study now..! will collect all the required info about session key to know more about it and how to avoid falling in trap..! I can't even ask for links :p as you mentioned don't click links :p

Light

hero member

Activity: 742

Merit: 502

Circa 2010

Quote from: rohnearner on April 18, 2014, 12:49:26 AM

I use 2-step Login verification in almost every online service which provides it..! I want to know is it possible for someone to invade 2-step verification while logging in..! I mean if someone uses phishing they can get my password is it possible to do any similar kind of trick to get pass 2-stop verification .? If yes how to Protect Yeah I know I have to be very conscious about every link I click and every Page I visit but other than that.?

For a time based 2FA unless they have the secret you've shared there's no way they will be able to brute-force it before it changes. I suppose they could guess it, but it's like a 1 in 999,999 chance literally to get it right. Basically, it means you're far safer having 2FA than with just a password alone - the only way you'll be compromised is a server side flaw, a scam by the site owner, you lose your secret key and your password to the same person.

solarion

hero member

Activity: 966

Merit: 513

*THIS* is why we can't have nice things. Angry

shorena

copper member

Activity: 1498

Merit: 1528

No I dont escrow anymore.

Well if someone gets your session key they are pretty much logged in allready, no 2fa can help you there. Withdrawal should allways be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well the usual

- dont stay logged in after you are done
- dont click any strange links. Best thing would probably to not click links at all, but I dont think thats feasible

rohnearner

sr. member

Activity: 350

Merit: 252

REAL-EYES || REAL-IZE || REAL-LIES||

Quote from: Vod on April 18, 2014, 01:16:23 AM

Quote from: rohnearner on April 18, 2014, 01:15:04 AM

Quote from: bryant.coleman on April 18, 2014, 01:07:05 AM

Check this:

https://coinreport.net/localbitcoins-report-stolen-funds/

Quote

On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong.

Having a 2FA does not always guard you from robbery and hacking.

I know Its not like if i'm using 2FA than no can hack me...! but I want to know what techniques they might use..? like to get my passw they can easily get it through Phishing link or Keylogs , but how they invade 2fa..? because I'm getting OTP in my mobile .

Consider it could be a corrupt admin of the online service you use. Can't protect against that other than keeping your coins in your own wallet.

Hmm.... So that is the worst case scenario . Tongue

No one can protect me if thats the case..! but other than that I hope I'm secure from other filthy hackers that sends Phisin mails and malicious software to get my ID/Pass .

Vod

legendary

Activity: 3668

Merit: 3010

Licking my boob since 1970

Quote from: rohnearner on April 18, 2014, 01:15:04 AM

Quote from: bryant.coleman on April 18, 2014, 01:07:05 AM

Check this:

https://coinreport.net/localbitcoins-report-stolen-funds/

Quote

On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong.

Having a 2FA does not always guard you from robbery and hacking.

I know Its not like if i'm using 2FA than no can hack me...! but I want to know what techniques they might use..? like to get my passw they can easily get it through Phishing link or Keylogs , but how they invade 2fa..? because I'm getting OTP in my mobile .

Consider it could be a corrupt admin of the online service you use. Can't protect against that other than keeping your coins in your own wallet.

rohnearner

sr. member

Activity: 350

Merit: 252

REAL-EYES || REAL-IZE || REAL-LIES||

Quote from: bryant.coleman on April 18, 2014, 01:07:05 AM

Check this:

https://coinreport.net/localbitcoins-report-stolen-funds/

Quote

On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong.

Having a 2FA does not always guard you from robbery and hacking.

I know Its not like if i'm using 2FA than no can hack me...! but I want to know what techniques they might use..? like to get my passw they can easily get it through Phishing link or Keylogs , but how they invade 2fa..? because I'm getting OTP in my mobile .

bryant.coleman

legendary

Activity: 3752

Merit: 1217

Check this:

https://coinreport.net/localbitcoins-report-stolen-funds/

Quote

On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong.

Having a 2FA does not always guard you from robbery and hacking.

rohnearner

sr. member

Activity: 350

Merit: 252

REAL-EYES || REAL-IZE || REAL-LIES||

I use 2-step Login verification in almost every online service which provides it..! I want to know is it possible for someone to invade 2-step verification while logging in..! I mean if someone uses phishing they can get my password is it possible to do any similar kind of trick to get pass 2-stop verification .? If yes how to Protect Yeah I know I have to be very conscious about every link I click and every Page I visit but other than that.?

Topic: How Secure is 2-step verification (Read 849 times)