I was scammed by MtGox. - page 2. | Bitcointalksearch.org

sturle

legendary

Activity: 1437

Merit: 1002

https://bitmynt.no

Quote from: neptop on June 17, 2011, 09:09:09 PM

Some math about passwords:

We start with a password using eight characters form a - z (no capitals).
26^8 = 208827064576

This happens when you also use numbers.
36^8 = 2821109907456

This happens when you add common symbols (! " # $ % & ' ( ) * + - . , / [ ] ^ < > { })
48^8 = 28179280429056

This happens when you add capitals.
52^8 = 53459728531456

This happens when you add one single character
26^9 = 5429503678976

Another point -- it can be hard to remember long random passwords, but very long passwords can be simple. If you have problems remembering long strings of random characters, try using random words. At least three or four chosen randomly from a long wordlist. Think of the wordlist as your alphabet. /usr/share/dict/words on Ubuntu has 98569 words.

This happens if you choose three words from the list:
98569^3 = 957681397954009

This happens if you choose four words from the list:
98569^4 = 94397697714928713121

But please choose words which do not form a meaningful sentence or are logically connected in other ways, and make sure it is at least 12 characters long in total. "one two three" is a terrible password. "lion Malaysia snow cutlery" is a very good one.

Littleshop

legendary

Activity: 1386

Merit: 1003

Looks like it was a security problem at mtgox.com

http://forum.bitcoin.org/index.php?topic=18709.0

You probably visited another site that had custom code that used your active mtgox.com session to get in and do the transfer.

cronopio

newbie

Activity: 55

Merit: 0

Quote from: SlaveInDebt on June 17, 2011, 10:07:46 PM

Request title change as you were not scammed by Mt.Gox but had by someone else.

I agree.

Someone login with your credentials and transfer de money.

I dont see any scammed

SlaveInDebt

hero member

Activity: 699

Merit: 500

Your Minion

Request title change as you were not scammed by Mt.Gox but had by someone else.

neptop

sr. member

Activity: 314

Merit: 251

Some math about passwords:

We start with a password using eight characters form a - z (no capitals).
26^8 = 208827064576

This happens when you also use numbers.
36^8 = 2821109907456

This happens when you add common symbols (! " # $ % & ' ( ) * + - . , / [ ] ^ < > { })
48^8 = 28179280429056

This happens when you add capitals.
52^8 = 53459728531456

This happens when you add one single character
26^9 = 5429503678976

For most people adding capitals is easier and therefore more secure than adding categories.

If you want to create REALLY secure passwords on can easily remember there's diceware.

kiwiasian

full member

Activity: 168

Merit: 100

Quote from: sturle on June 17, 2011, 05:39:05 PM

Quote from: kiwiasian on June 17, 2011, 05:01:51 PM

My password was an alphanumeric sequence. There were no dictionary words and it would take a very long time to brute-force my account.

An alphanumeric sequence like abcd1234? That would be one of the first ten passwords a brute force attacker will try. There are many such sequences in top 100 lists of common passwords. It would generally take much shorter time to bruteforce a sequence than a rarely used dictionary word.

My four rules of passwords are:

Never base your password on dictionary words or sequences of any kind, including keyboard sequences, periodic table, etc.
Use at least three of the categories capital letters, normal letters, numbers and special characters.
If your password contain one capital letter, don't place it first.
If your password contains only one number (one or more digits) or special character, don't place it last.

And remember that trivial transcribations like $ for s, 3 for e, etc, or using the characters above, below or next to a word on the keyboard, are not novel ideas. Those ideas, and many more stupid tricks to transcribe dictionary words, are known among crackers as well. Don't even think about words or sequences when you make a password.

No, that is not what I meant. I meant that it was a random alphanumeric sequence. I.e. 47329fdj91954fss.

sturle

legendary

Activity: 1437

Merit: 1002

https://bitmynt.no

Quote from: kiwiasian on June 17, 2011, 05:01:51 PM

My password was an alphanumeric sequence. There were no dictionary words and it would take a very long time to brute-force my account.

An alphanumeric sequence like abcd1234? That would be one of the first ten passwords a brute force attacker will try. There are many such sequences in top 100 lists of common passwords. It would generally take much shorter time to bruteforce a sequence than a rarely used dictionary word.

My four rules of passwords are:

Never base your password on dictionary words or sequences of any kind, including keyboard sequences, periodic table, etc.
Use at least three of the categories capital letters, normal letters, numbers and special characters.
If your password contain one capital letter, don't place it first.
If your password contains only one number (one or more digits) or special character, don't place it last.

And remember that trivial transcribations like $ for s, 3 for e, etc, or using the characters above, below or next to a word on the keyboard, are not novel ideas. Those ideas, and many more stupid tricks to transcribe dictionary words, are known among crackers as well. Don't even think about words or sequences when you make a password.

kiwiasian

full member

Activity: 168

Merit: 100

My signature has nothing to do with stolen money. I could care less about TradeHill right now, the only important thing to me right now is getting my stolen money back. I haven't even used TH, and I don't plan to use any market in the future that involves depositing my coins. In the future I will always use trustworthy BitcoinExchange for a direct person-to-person exchange.

My password was an alphanumeric sequence. There were no dictionary words and it would take a very long time to brute-force my account.

You also have no proof that it wasn't me. I can show you a screenshot of my wallet, that address is not present nor is the transaction present.

Update: looks like the stealer has sold/sent the BTC to someone else.

mweather

newbie

Activity: 8

Merit: 0

My money is on it being a lie. Tradehill has been aggressively viral marketing all over the place. They're not very good at it, either. It's pretty transparent.

InstaGx

member

Activity: 70

Merit: 10

Quote from: kiwiasian on June 17, 2011, 09:16:30 AM

Why would I lie?

You might want people to switch to the exchange in your signature.

Because you want people to switch to

Quote from: kiwiasian on June 17, 2011, 09:16:30 AM

I even provided a picture for proof

That picture only shows that bitcoins were withdrawn. It doesn't tell us who did it. Could be yourself just as easily.

AtlasONo

hero member

Activity: 551

Merit: 500

What password did you use? No real reason to keep it a secret now that it's compromised.

kiwiasian

full member

Activity: 168

Merit: 100

Why would I lie?

I even provided a picture for proof

neptop

sr. member

Activity: 314

Merit: 251

So you created an account (that's the complete history, right?), just to put some coins there and about two hours later that money disappeared? I am sorry for my distrust, but with hat kind of title and TradeHill in your signature I think it all looks somewhat suspicious to me.

FreeMoney

legendary

Activity: 1246

Merit: 1015

Strength in numbers

You can still make the title reflect reality if you want. Maybe "What happened to my MtGox funds?" or "Help, MtGox funds taken"

Djao

full member

Activity: 208

Merit: 100

Risk-hedging platform for cryptocurrency investors

Quote from: joepie91 on June 17, 2011, 06:41:31 AM

The entire point is that weak passwords are not the issue here: http://forum.bitcoin.org/index.php?topic=18050.0

To me it seems like most ppl who got their accounts hacked used the same username on multiple sites, including MtGox. Probably would have been better to use different handles for each site ... glad I'm doing this for years already.

joepie91

sr. member

Activity: 294

Merit: 250

Quote from: Garrett Burgwardt on June 17, 2011, 01:23:46 AM

Quote from: Edward50 on June 17, 2011, 01:20:04 AM

I've seen a similar thread not too long ago about someone posting how their bitcoins were moved out of mt. gox. He had pictures any everything.

I think I will stay away from mt. gox.

To be fair, people tend to use terrible passwords. Not sure whether there is a security problem with Mt. Gox or not, but I'd bet that this is just users being users and using passwords like 'password' and '12345'

Quote from: pancakes on June 17, 2011, 02:10:38 AM

Quote from: kiwiasian on June 16, 2011, 11:33:37 PM

Just a warning to everyone to not use MtGox. Sigh, I knew I should have stuck with BitcoinExchange.

What should I tell them? I mean I swear it was stolen from me. What can they do?

Everyone? There are far more traders not getting BTC stolen than traders claiming they have had BTC stolen. This sort of thing happens everywhere. Furthermore your title is sensationalist (MtGox clearly didn't scam you, you probably scammed yourself by having a shitty password) which leads me to believe you are lying in order to try get some sort of compensation.

Sorry if your BTC really did get stolen. That sucks. But what were you doing with 17BTC in your MtGox account anyway? Surely you've read all the reports from people claiming to have their accounts compromised.

The entire point is that weak passwords are not the issue here: http://forum.bitcoin.org/index.php?topic=18050.0

pancakes

newbie

Activity: 29

Merit: 0

Quote from: kiwiasian on June 16, 2011, 11:33:37 PM

Just a warning to everyone to not use MtGox. Sigh, I knew I should have stuck with BitcoinExchange.

What should I tell them? I mean I swear it was stolen from me. What can they do?

Everyone? There are far more traders not getting BTC stolen than traders claiming they have had BTC stolen. This sort of thing happens everywhere. Furthermore your title is sensationalist (MtGox clearly didn't scam you, you probably scammed yourself by having a shitty password) which leads me to believe you are lying in order to try get some sort of compensation.

Sorry if your BTC really did get stolen. That sucks. But what were you doing with 17BTC in your MtGox account anyway? Surely you've read all the reports from people claiming to have their accounts compromised.

Garrett Burgwardt

sr. member

Activity: 406

Merit: 256

Quote from: Edward50 on June 17, 2011, 01:20:04 AM

I've seen a similar thread not too long ago about someone posting how their bitcoins were moved out of mt. gox. He had pictures any everything.

I think I will stay away from mt. gox.

To be fair, people tend to use terrible passwords. Not sure whether there is a security problem with Mt. Gox or not, but I'd bet that this is just users being users and using passwords like 'password' and '12345'

Edward50

hero member

Activity: 602

Merit: 500

I've seen a similar thread not too long ago about someone posting how their bitcoins were moved out of mt. gox. He had pictures any everything.

I think I will stay away from mt. gox.

Clipse

hero member

Activity: 504

Merit: 502

Quote from: anewbie on June 17, 2011, 12:02:06 AM

Quote from: kiwiasian on June 16, 2011, 11:52:59 PM

Yes please add this feature. Having email verification for every transaction would make things MUCH more secure, and I would have avoided this.

If someone has access to the account, it is easy to change the e-mail address.

E-mail verification would not have prevented this, though it might leave a pointer to the perpetrator if they were really stupid.

A hacked gmail account could be used for the e-mail verification.

Perhaps a better solution would be to lock any transfers out for 24 hours after an e-mail change and to send notice of the e-mail change to the new and old e-mail addresses.

That might have stopped this, but it will also annoy some users.

If someone get access to you mtgox account/or somehow have access to any account on mtgox, they would not be able to simply change the payout details for btc/usd, since they would need additional accounts to verify the change thus creating more issues and likely having 2 areas of authentication with regards to email verification.

Please show me any reports of hacked gmail accounts(unless you mean someone storing their email accounts on their pc/keylogged)

Topic: I was scammed by MtGox. - page 2. (Read 7844 times)