I received my free Yubikey from MtGox today

elggawf

sr. member

Activity: 308

Merit: 250

Quote from: forbun on August 30, 2011, 04:09:37 PM

Why bother-- How does using separate profiles for login and withdrawal add security?

Only thing I can think of? It solves MITM attacks accidentally allowing withdrawals.

If you MITM someone, get a login session to MtGox, you can't just "oops you're logged out" the client end in order to get another yubikey code to let you withdraw... because that would be a login code not a withdraw code. In order to actually steal from someone, you have to MITM the login session and the withdraw request, replacing the withdraw request with your own information.

It's not a huge leap of security, but it ups the bar a bit (because the user has to want to create a withdrawal while the attack is going on).

forbun

member

Activity: 107

Merit: 10

Why bother-- How does using separate profiles for login and withdrawal add security?

Also, on https://yubikey.mtgox.com/ why does the top of the page say: Last Price: 0.53910961 High:0.53910961 Low: 0.53910961 Volume: 0

elggawf

sr. member

Activity: 308

Merit: 250

Quote from: geek-trader on August 09, 2011, 11:08:01 PM

Tell me if I have this right: A Yubikey has 2 "profiles" - a short press and a long press.

If this is correct, then MtGox is using them both. A short press to login, and long press to withdraw funds.

Yes.

geek-trader

sr. member

Activity: 294

Merit: 250

Quote from: cepler on August 09, 2011, 11:02:27 PM

There's no technical reason for Mt. Gox to lock the second profile. If they left it open then you could use it for whatever you wanted, static password, Challenge-Response, a Yubico OTP, whatever but nope, they decided to lock it in to Mt. Gox only. I suppose an argument could be made that it makes it so that if you hold the button down past the first profile's time it'll activate the second and still get you in but that's about it. Hopefully they'll just give out the key soon so people can take advantage of the other profile, especially since they're paying a premium for a pre-configured one. (Ya I know, labor to configure/ship etc them)

Tell me if I have this right: A Yubikey has 2 "profiles" - a short press and a long press.

If this is correct, then MtGox is using them both. A short press to login, and long press to withdraw funds.

cepler

newbie

Activity: 46

Merit: 0

There's no technical reason for Mt. Gox to lock the second profile. If they left it open then you could use it for whatever you wanted, static password, Challenge-Response, a Yubico OTP, whatever but nope, they decided to lock it in to Mt. Gox only. I suppose an argument could be made that it makes it so that if you hold the button down past the first profile's time it'll activate the second and still get you in but that's about it. Hopefully they'll just give out the key soon so people can take advantage of the other profile, especially since they're paying a premium for a pre-configured one. (Ya I know, labor to configure/ship etc them)

Maged

legendary

Activity: 1204

Merit: 1015

Quote from: falkenberg on August 09, 2011, 01:54:12 PM

Quote from: error on August 09, 2011, 01:37:59 PM

I was under the impression that MtGox used both keys.

After reading the forum I came to the same conclusion. But why? What's the reason to allocate both slots if just one is needed for OTP? Even if they do not want to share secret keys with Yubiko (but I would trust them more then mtgox: they never loose their database while mtgox was hacked because someone steel the database. What will it be if the database with secret keys will be stolen next time?), they need just one slot.

It's so that if you are man-in-the-middled, the worst someone could do is log in and trade. They wouldn't be able to withdraw, even if they had you pregenerate a bunch of OTPs for login.

elggawf

sr. member

Activity: 308

Merit: 250

Quote from: falkenberg on August 09, 2011, 02:34:07 PM

If I understood it well, with this tool you can change secret AES key, but you need one from Yubiko in case if you want to be authenticated by on-line services. Yubiko's keys are stored in the moment of creation. If mtgox overrides it then you do not have the valid key Sad

If I understood it well, if you blow away your AES key on your Yubikey, then you'd have to convince MtGox to let you update the AES key on their site before you could keep using it with them. Chances are they're not going to want to do that - they'd rather just charge you $30 and send you another key.

falkenberg

member

Activity: 84

Merit: 10

Quote from: cepler on August 09, 2011, 02:16:40 PM

Download the personalization tool and take a peek at it:

If I understood it well, with this tool you can change secret AES key, but you need one from Yubiko in case if you want to be authenticated by on-line services. Yubiko's keys are stored in the moment of creation. If mtgox overrides it then you do not have the valid key Sad

cepler

newbie

Activity: 46

Merit: 0

Quote from: error on August 09, 2011, 01:37:59 PM

Quote from: falkenberg on August 09, 2011, 09:14:07 AM

Quote from: Jack of Diamonds on July 16, 2011, 02:02:27 PM

Negative side, it's bound to Mt. Gox so you can't use it as a normal YK on any other site.

Did you try it on http://demo.yubico.com/php-yubico/one_factor.php ?
It is pitty if the key cannot be used outside MtGox (yes, I've read their EULA

AFAIK yubikey has 2 slots for secret key, they can be switched by long tap. I wonder why they removed Yubiko key instead of using the second slot. If they would leave Yubico's secret key then the key could be used on other sites for authentication...

I was under the impression that MtGox used both keys.

Download the personalization tool and take a peek at it:

http://www.yubico.com/personalization-tool

I have two Yubikeys on the way for password database use (ie: Passpack.com, Lastpass.com, 1Password, etc) and have been reading up on them. Going to try to get the wife to use one... *crosses fingers*

falkenberg

member

Activity: 84

Merit: 10

Quote from: error on August 09, 2011, 01:37:59 PM

I was under the impression that MtGox used both keys.

After reading the forum I came to the same conclusion. But why? What's the reason to allocate both slots if just one is needed for OTP? Even if they do not want to share secret keys with Yubiko (but I would trust them more then mtgox: they never loose their database while mtgox was hacked because someone steel the database. What will it be if the database with secret keys will be stolen next time?), they need just one slot.

error

hero member

Activity: 588

Merit: 500

Quote from: falkenberg on August 09, 2011, 09:14:07 AM

Quote from: Jack of Diamonds on July 16, 2011, 02:02:27 PM

Negative side, it's bound to Mt. Gox so you can't use it as a normal YK on any other site.

Did you try it on http://demo.yubico.com/php-yubico/one_factor.php ?
It is pitty if the key cannot be used outside MtGox (yes, I've read their EULA

AFAIK yubikey has 2 slots for secret key, they can be switched by long tap. I wonder why they removed Yubiko key instead of using the second slot. If they would leave Yubico's secret key then the key could be used on other sites for authentication...

I was under the impression that MtGox used both keys.

falkenberg

member

Activity: 84

Merit: 10

Quote from: Jack of Diamonds on July 16, 2011, 02:02:27 PM

Negative side, it's bound to Mt. Gox so you can't use it as a normal YK on any other site.

Did you try it on http://demo.yubico.com/php-yubico/one_factor.php ?
It is pitty if the key cannot be used outside MtGox (yes, I've read their EULA

AFAIK yubikey has 2 slots for secret key, they can be switched by long tap. I wonder why they removed Yubiko key instead of using the second slot. If they would leave Yubico's secret key then the key could be used on other sites for authentication...

elggawf

sr. member

Activity: 308

Merit: 250

I got mine a while back, forgot to mention it. I'd thought I had trades open at the time, but when I visited the Yubikey page while logged in it kept asking for $29.99. MT straightened that out though, and I received it quite quickly from Japan.

Quote from: MagicalTux on August 01, 2011, 05:57:59 AM

Yep, timing can be tricky, we'll add some explanations.

My only issue with it has been the withdrawal press: 3s seems way too long and the key won't do anything. To log in, I do a fast-touch and don't even count. To withdraw, anything longer than "one mississippi" and it won't do anything, but about 1 second press works for withdrawals.

MagicalTux

vip

Activity: 608

Merit: 501

-

Quote from: Spacy on August 01, 2011, 05:31:26 AM

Quote from: julz on August 01, 2011, 04:15:12 AM

Quote from: Spacy on August 01, 2011, 04:06:28 AM

Thx, I did that. After the code is entered, I get logged out again, and I still can login withouth the Yubikey. I think I have to contact Mtgox support

Thx for the help.

That happened to me when I touched the pad too long. Have you tried a really short tap?

Ah, thank you very much, now it works. When I pressed too short, no code was entered, so I pressed a "little bit" longer ;-)

Yep, timing can be tricky, we'll add some explanations.

Spacy

full member

Activity: 168

Merit: 100

Quote from: julz on August 01, 2011, 04:15:12 AM

Quote from: Spacy on August 01, 2011, 04:06:28 AM

Thx, I did that. After the code is entered, I get logged out again, and I still can login withouth the Yubikey. I think I have to contact Mtgox support

Thx for the help.

That happened to me when I touched the pad too long. Have you tried a really short tap?

Ah, thank you very much, now it works. When I pressed too short, no code was entered, so I pressed a "little bit" longer ;-)

julz

legendary

Activity: 1092

Merit: 1001

Quote from: Spacy on August 01, 2011, 04:06:28 AM

Thx, I did that. After the code is entered, I get logged out again, and I still can login withouth the Yubikey. I think I have to contact Mtgox support

Thx for the help.

That happened to me when I touched the pad too long. Have you tried a really short tap?

Spacy

full member

Activity: 168

Merit: 100

Quote from: julz on August 01, 2011, 04:01:12 AM

Quote from: Spacy on August 01, 2011, 03:58:16 AM

How can I activate the Yubikey on the MtGox website?

Just login and use it. After the first use - it'll be required next time.

You only need to give the pad a very short press for it to spit out it's stuff.

oh.. and make sure the key is the right way up in the USB port.. if you're not used to those flat keys, it's kind of ambiguous Tongue

Thx, I did that. After the code is entered, I get logged out again, and I still can login withouth the Yubikey. I think I have to contact Mtgox support

Thx for the help.

julz

legendary

Activity: 1092

Merit: 1001

Quote from: Spacy on August 01, 2011, 03:58:16 AM

How can I activate the Yubikey on the MtGox website?

Just login and use it. After the first use - it'll be required next time.

You only need to give the pad a very short press for it to spit out it's stuff.

oh.. and make sure the key is the right way up in the USB port.. if you're not used to those flat keys, it's kind of ambiguous Tongue

Spacy

full member

Activity: 168

Merit: 100

How can I activate the Yubikey on the MtGox website?

Jack of Diamonds

sr. member

Activity: 252

Merit: 251

Quote from: d.james on July 16, 2011, 04:22:05 PM

Quote from: RchGrav on July 16, 2011, 12:40:16 PM

Quote from: elggawf on July 16, 2011, 07:59:03 AM

What were the requirements to get a free one?

If you had an active order to purchase BTC at the time of the breach.. you are eligible.

where do you request for one?

Just click on 'Order a Yubikey', on the checkout page it will say the
price is free if you had a trade open when the site crashed.

If it doesn't show 'free' as the price but you really had a trade cancelled, email Mt. Gox and they'll send you one

Topic: I received my free Yubikey from MtGox today (Read 4526 times)