Topic: I was scammed by MtGox. (Read 7865 times)

This doesn't work if you've got a CSRF vulnerability in your website. Since it's the victim's browser carrying out the request on behalf of the attacker, no unusual IP addresses show up in the log. In fact, it's actually impossible to prove that a CSRF vulnerability hasn't been exploited from server logs, which is one of many suspicious things about MagicalTux's recent statements. (You can look at the referrer header, but there are ways for the attacker to blank this out, and many users' browsers don't send a referrer anyway.)

My thoughts exactly

Hmm, I wonder if a pro Tradehill person had anything to do with the recent bleep hit the fan MT Gox hack ?

sturle,

That's the "expect the worse" part, to that end I agree.
You can have security trough obscurity, but you can't think that obscurity may will stand forever.

Now, making everything open doesn't make nothing safer, actually it does the other way around as a potential attacker would know what and where to look for. Making open is a security breach by nature.

Just the fact that you can't see it doesn't make it unknown.  It can even be visible and in plain sight, you just don't know what to look for or where to look.  Treat as much as possible as if it is visible to everyone, and it won't hurt you if it is.  Make sure to protect what you need to protect.  A password is simple to protect.  If you need to protect the password hash to protect your password, you have lost because the hash isn't under your control.

There're a few wrong concepts on your idea sturdle.
There IS security trough obscurity. This a simple fact, you can't know what you don't see.

The idea of "open everything" is the ultimate insecure protocol, for the following main reasons:

- The attacker will know exactly what he is after.
- A regular user by seeing a hashed pass will believe to be facing the ultimate uncrackable thing on Earth, as no matter how weak the hash it will look like mumbo-jumbo to him.
- Computing power is expanding by the day. MD5 was safe for the computing power back in the 90's, isn't anymore today. Same will happen to SHA-512 in time being.

The whole idea must be to have a set of password and use them according. Your car key is by far more complex than the one to open your bike's chain; still you need to have a way to open and start your car (remember in the case of passwords) it otherwise you would be on foot.

Just ten years ago password files, YP, etc with password hashes in the open was the norm.  A crackable password was  as good as a plaintext password.  Passwords had to be good, and the openness ensured that people made good passwords.

Unfortunately after September 1994 a lot of clueless newbies entered the Internet.  Users who had no idea about passwords, security or computers or networks in general.  Also passwords had to be made more and more complex due to increasing computing power available to malicious users.  During the last few years systems have tried to remedy the problem a bit by hiding the hashes from public view.  I'm not sure if this is a good idea or not.

This kind of security by obscurity is false.  First and most important: it is impossible to know if your password is stored in a properly salted and secure hash, or if it is kept in an open database or hashed in an insecure way (NTLM springs to mind).   Secondly: users tend to make bad assumptions about cracking being difficult, and make bad passwords. 

Treat all password databases as open.  Make good and unique passwords, and you are secure if the password database use properly salted and hashed passwords.  (If not the site isn't secure anyway.)

Don't trust "security experts", btw.  People calling themselves experts on computer security typically have little or no real knowledge about security.  Just have a look around this forum for proof.  Real security experts can be recognised by i.e. the lack of firewalls and open WiFi at their home, but would never claim to be an expert on such a complex field.

I'm a bit sick and tired with this load of "I'm a security expert" BS! Stop blaming it on users!
Let your db to leak into the web is way more serious than use even 123 as password. There's no way to blame this guy, except that MtGox hasn't "scam him", he just opened an account at a place with a lousy service.

You are still claiming you were scammed by Mt.Gox, and this picture shows an entirely different scenario.  So you are either lying or trying to prove something else.

Btw, if your password was cracked from a salted MD5 hash, it wasn't secure.  By definition.  Secure passords can't be cracked in finite time with todays technology, even when given the hash.

It is very simple to match http logins with IP addresses.  Any sane trading/currency site would do this logging so if it looks like this:

XX/XX/XXXX XX:XX:XX a.a.a.a - San Diego, CA - Comcast - example
XX/XX/XXXX XX:XX:XX a.a.a.a - San Diego, CA - Comcast - example
XX/XX/XXXX XX:XX:XX a.a.a.a - San Diego, CA - Comcast - example
XX/XX/XXXX XX:XX:XX b.b.b.b - Evil Hacker Town, China - ChinaNet - example

Then it would be pretty clear from their side if an account was hacked.  Mt. Gox is the only one who knows for sure.

Hopefully the logging server is intact.

EDIT: assuming the same account.

I feel your pain.
I too got BTC stolen from mtgox because of the comprimise, and its been reported to mtgox for a while now (who repeately denied it to all of us that got robbed)

Now lets see if the do the right thing, and refund the money to us that was lost due to their negligence and lack of security. (20.19 BTC in my case)

Guys, stop telling me I need to change my password. For anything important, I never reuse a password from a different site. I had a secure alphanumeric password as well. My account was COMPROMISED, like a lot of other users here.

Let me reemphasize that I am not the only one affected. Please read the entire thread and see the link that someone posted earlier.

MtGox on the issue, addressing the security hole:

@OP: MtGox made over $40,000 in legit profits on the days when BTC was around $30. They did not steal your coins.



This is either a dirt-bag phoney (no offense intended) or the OP has a serious keylogger/virus on their PC.
@OP: If you are honest, then you honestly need to clean up your computer, IMO.

MagicalTux went through the logs for Mt. Gox and confirmed that was never exploited except in the test.

The whole point of digital cash is that it has the same benefits and liabilities as real cash.  If you want security, stay with bank notes and credit cards.  If you want freedom, it is riskier by definition.

Well… Anyone having done a withdrawal recently could claim thief.
We see the limits of 2-way trust here… That is the price we pay for enhanced privacy I guess.

I have stepped forward on a few other posts - I also had money stolen from my MtGox account (20.19 BTC)
I even reported it to MtGox with no reply (this report was made before it was announced that there was a security exploit found).
It has recently been revealed that MtGox did in fact have a vulnerability, and someone even showed them the exploit by using it to prove it was there. There are also a dozen or so of us that have had this happen. Yet, the owner claimed that he can see no evidence in his logs that our money was lost due to the exploit, and that he is not going to refund anybody for the BTC stolen from his (insecure) site.
I for one will never use MtGox again.  Its one thing to make a mistake and have such a simple exploit left open it happens. Its another thing to not own up to your responsibilities as a responsible business owner. Look at the number of trades on his market, look at his fee and do the math.  Bottom line is that he makes very good money from his userbase, and should be trivial to do the right thing for a few handfuls of users that lost modest amounts of bitcoins.  I don't know if it can be proven one way or another whether or not the withdrawn funds were via an exploit or not - but honestly, look at the evidence

Edit:
Also, I want to point out that I'm not claiming that I was "scammed" by MtGox.  I do however believe that the lack of security features on the site, and the exploit that was discovered are responsible for my stolen bitcoins, and I believe that he should reimburse those affected.  To those mentioning brute force attacks on passwords, I think its a security vulnerability in its self that an account isn't suspended after X failed login attempts.

It does seam suspicious that the poster is advertising for tradehill!!!!!

I'm concerned that negative comments directed at people whose money has been stolen are driven by self-interested concern about their effects on the exchange rate. Of course thefts affect the exchange rate, but it is much better to have hacking problems exposed, so that Mt. Gox can be fixed or abandoned instead of shutting everyone up and waiting for something really serious to happen (again Allinvain counts as serious in my book). Some of you people are like listening to directives from the CCP Ministry of Truth. 'This is all a conspiracy of the imperialist bankers seeking to discredit bitcoin' Covering up problems until they explode is not a good approach. Thanks to everyone who is reporting thefts and vulnerabilities for helping to improve security.

I use this http://strongpasswordgenerator.com/ for strong password generator to generate secure passwords

Another point -- it can be hard to remember long random passwords, but very long passwords can be simple.  If you have problems remembering long strings of random characters, try using random words.  At least three or four chosen randomly from a long wordlist.  Think of the wordlist as your alphabet.  /usr/share/dict/words on Ubuntu has 98569 words.

This happens if you choose three words from the list:
98569^3 = 957681397954009

This happens if you choose four words from the list:
98569^4 = 94397697714928713121

But please choose words which do not form a meaningful sentence or are logically connected in other ways, and make sure it is at least 12 characters long in total.  "one two three" is a terrible password.  "lion Malaysia snow cutlery" is a very good one.

Looks like it was a security problem at mtgox.com

http://forum.bitcoin.org/index.php?topic=18709.0

You probably visited another site that had custom code that used your active mtgox.com session to get in and do the transfer.

I agree.

Someone login with your credentials and transfer de money.

I dont see any scammed

Request title change as you were not scammed by Mt.Gox but had by someone else.

Some math about passwords:

We start with a password using eight characters form a - z (no capitals).
26^8 = 208827064576

This happens when you also use numbers.
36^8 = 2821109907456

This happens when you add common symbols (! " # $ % & ' ( ) * + - . , / [ ] ^ < > { })
48^8 = 28179280429056

This happens when you add capitals.
52^8 = 53459728531456

This happens when you add one single character
26^9 = 5429503678976

For most people adding capitals is easier and therefore more secure than adding categories.

If you want to create REALLY secure passwords on can easily remember there's diceware.

No, that is not what I meant. I meant that it was a random alphanumeric sequence. I.e. 47329fdj91954fss.

An alphanumeric sequence like abcd1234?  That would be one of the first ten passwords a brute force attacker will try.  There are many such sequences in top 100 lists of common passwords.  It would generally take much shorter time to bruteforce a sequence than a rarely used dictionary word.

My four rules of passwords are:

• Never base your password on dictionary words or sequences of any kind, including keyboard sequences, periodic table, etc.
• Use at least three of the categories capital letters, normal letters, numbers and special characters.
• If your password contain one capital letter, don't place it first.
• If your password contains only one number (one or more digits) or special character, don't place it last.

And remember that trivial transcribations like $ for s, 3 for e, etc, or using the characters above, below or next to a word on the keyboard, are not novel ideas.  Those ideas, and many more stupid tricks to transcribe dictionary words, are known among crackers as well.  Don't even think about words or sequences when you make a password.

My signature has nothing to do with stolen money. I could care less about TradeHill right now, the only important thing to me right now is getting my stolen money back. I haven't even used TH, and I don't plan to use any market in the future that involves depositing my coins. In the future I will always use trustworthy BitcoinExchange for a direct person-to-person exchange.

My password was an alphanumeric sequence. There were no dictionary words and it would take a very long time to brute-force my account.

You also have no proof that it wasn't me. I can show you a screenshot of my wallet, that address is not present nor is the transaction present.

Update: looks like the stealer has sold/sent the BTC to someone else.

My money is on it being a lie. Tradehill has been aggressively viral marketing all over the place. They're not very good at it, either. It's pretty transparent.

You might want people to switch to the exchange in your signature.

Because you want people to switch to

That picture only shows that bitcoins were withdrawn. It doesn't tell us who did it. Could be yourself just as easily.

What password did you use? No real reason to keep it a secret now that it's compromised.

Why would I lie?

I even provided a picture for proof

So you created an account (that's the complete history, right?), just to put some coins there and about two hours later that money disappeared? I am sorry for my distrust, but with hat kind of title and TradeHill in your signature I think it all looks somewhat suspicious to me.

You can still make the title reflect reality if you want. Maybe "What happened to my MtGox funds?" or "Help, MtGox funds taken"

To me it seems like most ppl who got their accounts hacked used the same username on multiple sites, including MtGox. Probably would have been better to use different handles for each site ... glad I'm doing this for years already.

The entire point is that weak passwords are not the issue here: http://forum.bitcoin.org/index.php?topic=18050.0

Everyone? There are far more traders not getting BTC stolen than traders claiming they have had BTC stolen. This sort of thing happens everywhere. Furthermore your title is sensationalist (MtGox clearly didn't scam you, you probably scammed yourself by having a shitty password) which leads me to believe you are lying in order to try get some sort of compensation.

Sorry if your BTC really did get stolen. That sucks. But what were you doing with 17BTC in your MtGox account anyway? Surely you've read all the reports from people claiming to have their accounts compromised.

To be fair, people tend to use terrible passwords. Not sure whether there is a security problem with Mt. Gox or not, but I'd bet that this is just users being users and using passwords like 'password' and '12345'

I've seen a similar thread not too long ago about someone posting how their bitcoins were moved out of mt. gox. He had pictures any everything.

I think I will stay away from mt. gox.

If someone get access to you mtgox account/or somehow have access to any account on mtgox, they would not be able to simply change the payout details for btc/usd, since they would need additional accounts to verify the change thus creating more issues and likely having 2 areas of authentication with regards to email verification.

Please show me any reports of hacked gmail accounts(unless you mean someone storing their email accounts on their pc/keylogged)

If someone has access to the account, it is easy to change the e-mail address.

E-mail verification would not have prevented this, though it might leave a pointer to the perpetrator if they were really stupid.

A hacked gmail account could be used for the e-mail verification.

Perhaps a better solution would be to lock any transfers out for 24 hours after an e-mail change and to send notice of the e-mail change to the new and old e-mail addresses.

That might have stopped this, but it will also annoy some users.

Yes please add this feature. Having email verification for every transaction would make things MUCH more secure, and I would have avoided this.

mtgox if you are reading this can you please set all withdrawal methods to have email account verification if it needs to be changed.

Just having someone grab a password(somehow) and then logging in, changing payout details and processing, isnt secure enough.

If you place email verification for whenever details change, btc address/usd withdrawal address, it will make the site double as secure as it is atm with one access authentication.

Just found this.

http://forum.bitcoin.org/index.php?topic=18050.0

I think you're probably telling the truth but I can't independently verify it and can't do anything about it anyway. I was just throwing that in to reinforce the comment of the person I replied to.

I'm dead serious. 17.18 BTC was just stolen from me. I don't know who did it, but it happened, while the money was sitting in my MtGox account.

We can't even be sure of which threads to believe or not in most cases.

Just a warning to everyone to not use MtGox. Sigh, I knew I should have stuck with BitcoinExchange.

What should I tell them? I mean I swear it was stolen from me. What can they do?

I'm tired of these threads.

Stop whining on the forums and at least try to contact Mt. Gox. What help can we provide? There is nothing we can do.

No, I didn't. I used a secure password.

Did you use an insecure password?

Today, first time using MtGox. I added some BTC, started an order, and then checked back in a few hours to see that someone withdrew ALL of the BTC in my account to some address. I have no idea who this address belongs to. Here is proof.



Here is the Block Explorer for the address: http://blockexplorer.com/address/1KReFavSpHkxZqkR3aZvdz4pbhg6ZqCwhy

I have no idea how my account was accessed, but I do know that I will not be using MtGox again in the future.