I suspect GPUMax was compromised and passwords stolen

MPOE-PR

hero member

Activity: 756

Merit: 522

Quote from: rjk on June 02, 2012, 11:44:37 AM

Question: when is someone going to invent a be-all, end-all service that is totally full of awesome and win, and then decide to force all users to use a proper 2-factor authentication system?

This has happened, except it forces users to use gpg not worthless 2fa. And the users complain about the

Quote from: stochastic on October 01, 2012, 10:15:41 PM

ease-of-use, customer service, and personality of exchange manager.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: Nefario on June 06, 2012, 06:04:12 PM

You cannot withdraw using the API.

thanks for clarifying.

Nefario

hero member

Activity: 602

Merit: 512

GLBSE Support [email protected]

You cannot withdraw using the API.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: BlackBison on June 06, 2012, 05:01:23 AM

Quote from: TT on June 02, 2012, 03:51:12 PM

I've been proposing the following:

Quote from: TT on June 02, 2012, 03:46:30 PM

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalksearch.org/topic/m.937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.

you can already activate 2-factor withdrawal on glbse... oh, via API, hmm, didn't check that. Is it possible to withdraw without 2-factor-auth using the api even if it's activated for withdrawals?

BlackBison

sr. member

Activity: 250

Merit: 250

Quote from: TT on June 02, 2012, 03:51:12 PM

I've been proposing the following:

Quote from: TT on June 02, 2012, 03:46:30 PM

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalksearch.org/topic/m.937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.

FreeMoney

legendary

Activity: 1246

Merit: 1015

Strength in numbers

Quote from: Aseras on June 03, 2012, 02:43:07 PM

There is no perfect way. As soon as you make one someone else wind find a way to break it or work around it. If its accessible in any form. Someone can break in.

Give up human!

Aseras

hero member

Activity: 658

Merit: 500

There is no perfect way. As soon as you make one someone else wind find a way to break it or work around it. If its accessible in any form. Someone can break in.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: FreeMoney on June 02, 2012, 03:44:58 PM

Quote from: imsaguy on June 02, 2012, 02:23:22 PM

How many of those users had bitcoinica accounts?

+3 funny, FreeMoney

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: Stephen Gornick on June 03, 2012, 02:44:55 AM

Quote from: dave3 on June 03, 2012, 02:40:30 AM

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?

The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something)

It doesn't work on other services where a Yubikay is used.

The Yubikey from Yubico works at Mt. Gox and elsewhere where Yubikeys are supported.

Slight correction - only keys programmed by MtGox can be used with MtGox - you can't use one that you got direct from Yubico. The reason is that MtGox runs their own authentication server with their own keypairs, instead of using Yubico's free cloud authentication system.

However, any website that uses the free service provided by Yubico for authentication will support a generic device ordered from Yubico.

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

Quote from: dave3 on June 03, 2012, 02:40:30 AM

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?

The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something)

It doesn't work on other services where a Yubikey is used.

The Yubikey from Yubico works ~~at Mt. Gox and~~ [Edit: see rjk's correction below] elsewhere where Yubikeys are supported.

dave3

sr. member

Activity: 344

Merit: 250

Quote from: rjk on June 02, 2012, 02:12:21 PM

Several ways. Yubikey is my personal favorite, but here is a bunch of links:

http://yubico.com/ <-- The makers of the Yubikey
http://www.symantec.com/verisign/vip-authentication-service <-- paid service that PayPal and many others use for authentication. Yubico makes a credential that is compatible with this service as well.
http://onlinenoram.gemalto.com/ <-- TOTP token that AWS uses for authentication, made by Gemalto. This is a dedicated device that can do the same thing as Google Auth, without the phone.
http://motp.sourceforge.net/#7 <-- links to lots of tokens and related software.
https://lastpass.com/ <-- password storage software that works on almost any platform and almost any browser, and that can use 2-factor auth for logging in.

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?

FreeMoney

legendary

Activity: 1246

Merit: 1015

Strength in numbers

The title needs to be changed imo.

Math Man

full member

Activity: 150

Merit: 100

I think this thread belongs in the "speculation" sub-category. Better yet, create a "wild speculation" sub-category. It would fit better there.

Phinnaeus Gage

legendary

Activity: 1918

Merit: 1570

Bitcoin: An Idea Worth Spending

Quote from: ?? on ??

Quote from: smickles on June 02, 2012, 06:09:18 PM

http://yourlogicalfallacyis.com/false-cause

They always blame the pirate, don't they?

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: smickles on June 02, 2012, 06:09:18 PM

http://yourlogicalfallacyis.com/false-cause

"cum hoc ergo propter hoc"

<3 latin

smickles

sr. member

Activity: 446

Merit: 250

http://yourlogicalfallacyis.com/false-cause

TT

member

Activity: 77

Merit: 10

I've been proposing the following:

Quote from: TT on June 02, 2012, 03:46:30 PM

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalksearch.org/topic/m.937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

FreeMoney

legendary

Activity: 1246

Merit: 1015

Strength in numbers

Quote from: imsaguy on June 02, 2012, 02:23:22 PM

How many of those users had bitcoinica accounts?

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

Probably unrelated, but just wanted to bring it up in case it is relevant:

"My mtgox account got compromised, what can I do?" [June 1, 2012]
- https://bitcointalksearch.org/topic/my-mtgox-account-got-compromised-what-can-i-do-84585

bitlane

sr. member

Activity: 462

Merit: 250

I heart thebaron

Quote from: imsaguy on June 02, 2012, 02:23:22 PM

How many of those users had bitcoinica accounts?

Please stay on topic. This is clearly GPUMAX's fault (as stated in the first post).
It couldn't possibly have anything to do with another service Roll Eyes

...I mean, just look at GPUMAX's (and Pirate's....in general) track record when it comes to security and loss.

Please re-apply tunnel vision and/or add blinders to continue this conversation Wink

Topic: I suspect GPUMax was compromised and passwords stolen (Read 6353 times)