Topic: If your Mt. Gox account has been compromised, PLEASE READ. (Read 34602 times)

newbie
Activity: 3
Merit: 0
I see a class action against Mt Gox is in order
newbie
Activity: 7
Merit: 0
* How much funds did you lose?
30.53 BTC
* To what address were your stolen funds sent?
1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD
* What OS are you using (Windows, Linux, Mac OSX ...)?
Mac OS X 10.6.7, Safari
* How long was your old password?
10 chars
* Was your old password random?
nope
* Was your username the same on Mt. Gox as on the forum?
yup
* Did you use your Mt. Gox password somewhere else?
yup, but not anymore
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
nope, just smallcaps
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
nope

I'm guessing I'm pretty much screwed here.

But I checked the mtgox logs here https://claim.mtgox.com/status.html

Code:
money withdrawn:
Thu 16 Jun 2011 06:04:15 AM GMT out 1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD 30.53000000 ฿TC

06:45:15 a.m. Thursday June 16, 2011 in GMT converts to 03:45:15 p.m. Thursday June 16, 2011 in JST

Logins by IP-addresses that are not mine:
MTGOX_LOGIN Successful login on Mt.Gox Sat 18 Jun 2011 12:22:44 AM JST 184.105.220.24
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 03:03:51 PM JST 213.112.199.142 <-- likely logged on and withdrew money
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 01:14:03 PM JST 76.10.214.89
MTGOX_LOGIN Successful login on Mt.Gox Wed 15 Jun 2011 06:38:29 PM JST 46.166.129.61

The IP 213.112.199.142 seems to reside in Sweden and doesn't seem to run Tor. It could be part of a botnet though.
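The correlation the poster did by hand, as an added example that is not part of the original post: it parses the two record types pasted above (a withdrawal line stamped GMT and MTGOX_LOGIN lines stamped JST, reproduced here as a constructed sample with the currency symbol normalised to BTC), converts everything to UTC and lists the logins from addresses outside a hypothetical owner allow-list that happened within an hour before the withdrawal. The allow-list address, the one-hour window and the function names are assumptions, not anything Mt. Gox provided.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample input, copied from the two record types the poster pasted
// from the Mt. Gox status page: withdrawal lines are stamped GMT, login lines JST.
const withdrawalLog = `Thu 16 Jun 2011 06:04:15 AM GMT out 1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD 30.53000000 BTC`

const loginLog = `MTGOX_LOGIN Successful login on Mt.Gox Sat 18 Jun 2011 12:22:44 AM JST 184.105.220.24
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 03:03:51 PM JST 213.112.199.142
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 01:14:03 PM JST 76.10.214.89
MTGOX_LOGIN Successful login on Mt.Gox Wed 15 Jun 2011 06:38:29 PM JST 46.166.129.61`

// Hypothetical allow-list: addresses the account owner knows are theirs.
var ownIPs = map[string]bool{"203.0.113.7": true}

var jst = time.FixedZone("JST", 9*60*60)

// Go reference-time layout matching "Thu 16 Jun 2011 03:03:51 PM".
const stampLayout = "Mon 02 Jan 2006 03:04:05 PM"

type Login struct {
	At time.Time // normalised to UTC
	IP string
}

type Withdrawal struct {
	At     time.Time
	To     string
	Amount string
}

// ParseLogins reads MTGOX_LOGIN lines, parses the JST timestamp and converts it to UTC.
func ParseLogins(text string) ([]Login, error) {
	var out []Login
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// f[5:11] is the timestamp, f[11] the zone name, f[12] the source address.
		if len(f) < 13 || f[0] != "MTGOX_LOGIN" || f[11] != "JST" {
			continue
		}
		t, err := time.ParseInLocation(stampLayout, strings.Join(f[5:11], " "), jst)
		if err != nil {
			return nil, fmt.Errorf("login line %q: %w", sc.Text(), err)
		}
		out = append(out, Login{At: t.UTC(), IP: f[12]})
	}
	return out, nil
}

// ParseWithdrawal reads one "... GMT out <address> <amount> BTC" line.
func ParseWithdrawal(line string) (Withdrawal, error) {
	f := strings.Fields(line)
	if len(f) < 11 || f[6] != "GMT" || f[7] != "out" {
		return Withdrawal{}, fmt.Errorf("unrecognised withdrawal line: %q", line)
	}
	t, err := time.ParseInLocation(stampLayout, strings.Join(f[0:6], " "), time.UTC)
	if err != nil {
		return Withdrawal{}, err
	}
	return Withdrawal{At: t, To: f[8], Amount: f[9]}, nil
}

// SuspectLogins returns the source addresses of logins that are not on the
// owner's allow-list and occurred within `window` before the withdrawal.
func SuspectLogins(w Withdrawal, logins []Login, window time.Duration) []string {
	var ips []string
	for _, l := range logins {
		if ownIPs[l.IP] || l.At.After(w.At) || w.At.Sub(l.At) > window {
			continue
		}
		ips = append(ips, l.IP)
	}
	return ips
}

// Analyse runs the correlation over the constructed sample with a one-hour window.
func Analyse() ([]string, error) {
	w, err := ParseWithdrawal(withdrawalLog)
	if err != nil {
		return nil, err
	}
	logins, err := ParseLogins(loginLog)
	if err != nil {
		return nil, err
	}
	return SuspectLogins(w, logins, time.Hour), nil
}

func main() {
	ips, err := Analyse()
	if err != nil {
		panic(err)
	}
	fmt.Println("logins shortly before the withdrawal, not from the owner:", ips)
}
```

With the sample above only 213.112.199.142 is reported: its login at 15:03:51 JST is 06:03:51 UTC, 24 seconds before the withdrawal, while the 13:14:03 JST login falls outside the hour. The point of converting both logs to one zone first is that the site stamps the two record types in different zones, which is exactly where manual correlation goes wrong.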
sr. member
Activity: 294
Merit: 250
Mt Gox and other Bitcoin markets ought to enable and encourage the use of some form of multi-factor authentication.  I use a Yubikey in conjunction with my Lastpass account (Lastpass generates very strong, unique passwords for every site so I'm not concerned about my Mt Gox password providing access to anything else), and it's a fantastic and open source authentication system.  Since Bitcoin is growing exponentially in usage and legitimacy, trading services should be growing with it and hardening their systems both on the code side, and on the user interaction side.  Many banks offer or require multi-factor authentication, why shouldn't Bitcoin services?

I still think that a scheme based on GnuPG, smart card and mTAN would be pretty secure and accessible.

It would work this way: When creating an account one would generate a GnuPG key pair. One would enter the public key together with user name and password at the trading site.

This key can now be used to verify re-authentication in case of a lost password, and this would be MUCH safer than re-authentication by e-mail. It can also be used to certify certain critical transactions. This can be done the way that the trading site generates an authentication token, mails it to the user, and he has to sign it with his private key and return it. Alternatively, the offered token can be displayed in a web form and the user replaces it by the signed token.

One important point is that this authentication can be used to set up a cell phone number for an mTAN scheme (mobile transaction authentication number). With this, when a transaction is done, the system sends a number to the phone which contains the important items of the transaction and an alphanumerical code. The transaction is accepted only when the code is entered in the web page. This is not a perfect system, but works very effectively against key loggers, and it is widely used in many countries.

Among the good things about GnuPG is that it is available on most operating systems (even the ones you shouldn't use) and that it can be used with a smart card. In this case, the private key is moved to the smart card and can't be read from there again. Processing of signatures is done on the smart card itself when one enters a PIN. Thus, it is not possible to steal the private key any more. This type of smart card is available from many places, see here:

http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
http://www.gnupg.org/howtos/card-howto/en/ch02s02.html

The device from the Privacy Foundation is an open source project, which means enhanced transparency and security against governmental backdoors.

With the scheme described, you need your account password and your phone to make a transaction. You need your smart card, your mail account password OR your account password and your smart card PIN to change the account password or the phone number.

There are certainly other solutions (Yubikey and SSL client certificates with hardware tokens have been named, and I don't know them well enough to discuss them) but I believe this one is a cost-effective and safe variant. I think that at least two-factor authentication is a must, otherwise stealing of coins becomes so easy that a real and widespread theft business will emerge within ~~months~~ weeks.

And for the same reason, I think, it should not be charged for at all. This is just fulfilling basic requirements.

And of course, mTAN can be hacked, if someone gets a SIM card for my number. But that's considerably more difficult than keylogging.

Fixed it for you.

Anyway, that is a VERY good suggestion, the only important thing to take care of is making sure that it is all very user-friendly. Users should never have to ask themselves "what do I do now?", or there will be issues with the system (and that may scare people away, towards less secure systems).
newbie
Activity: 30
Merit: 0
Mt Gox and other Bitcoin markets ought to enable and encourage the use of some form of multi-factor authentication.  I use a Yubikey in conjunction with my Lastpass account (Lastpass generates very strong, unique passwords for every site so I'm not concerned about my Mt Gox password providing access to anything else), and it's a fantastic and open source authentication system.  Since Bitcoin is growing exponentially in usage and legitimacy, trading services should be growing with it and hardening their systems both on the code side, and on the user interaction side.  Many banks offer or require multi-factor authentication, why shouldn't Bitcoin services?

I still think that a scheme based on GnuPG, smart card and mTAN would be pretty secure and accessible.

It would work this way: When creating an account one would generate a GnuPG key pair. One would enter the public key together with user name and password at the trading site.

This key can now be used to verify re-authentication in case of a lost password, and this would be MUCH safer than re-authentication by e-mail. It can also be used to certify certain critical transactions. This can be done the way that the trading site generates an authentication token, mails it to the user, and he has to sign it with his private key and return it. Alternatively, the offered token can be displayed in a web form and the user replaces it by the signed token.

One important point is that this authentication can be used to set up a cell phone number for an mTAN scheme (mobile transaction authentication number). With this, when a transaction is done, the system sends a number to the phone which contains the important items of the transaction and an alphanumerical code. The transaction is accepted only when the code is entered in the web page. This is not a perfect system, but works very effectively against key loggers, and it is widely used in many countries.

Among the good things about GnuPG is that it is available on most operating systems (even the ones you shouldn't use) and that it can be used with a smart card. In this case, the private key is moved to the smart card and can't be read from there again. Processing of signatures is done on the smart card itself when one enters a PIN. Thus, it is not possible to steal the private key any more. This type of smart card is available from many places, see here:

http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
http://www.gnupg.org/howtos/card-howto/en/ch02s02.html

The device from the Privacy Foundation is an open source project, which means enhanced transparency and security against governmental backdoors.

With the scheme described, you need your account password and your phone to make a transaction. You need your smart card, your mail account password OR your account password and your smart card PIN to change the account password or the phone number.

There are certainly other solutions (Yubikey and SSL client certificates with hardware tokens have been named, and I don't know them well enough to discuss them) but I believe this one is a cost-effective and safe variant. I think that at least two-factor authentication is a must, otherwise stealing of coins becomes so easy that a real and widespread theft business will emerge within months.

And for the same reason, I think, it should not be charged for at all. This is just fulfilling basic requirements.

And of course, mTAN can be hacked, if someone gets a SIM card for my number. But that's considerably more difficult than keylogging.
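The token-signing and mTAN flow described in the post above, as an added example that is not part of the original post: ed25519 from Go's standard library stands in for the GnuPG key and smart card (in the poster's scheme the signing step would happen on the card), a package-level SendSMS hook stands in for the SMS gateway, and the account name, phone number, token format and function names are constructed. It shows the three checks the scheme depends on: a signed token is single-use and bound to one account and one purpose, so a signature captured for one action cannot be replayed for another; the phone number can only be bound with such a token, not with the password alone; and a transfer is executed only for exactly the destination and amount that were sent to the phone together with the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Challenge is the token the site issues for one sensitive action. Account and purpose are
// part of the signed bytes, so a captured signature cannot be replayed for another action or
// account, and the random nonce makes each token single-use.
type Challenge struct{ Account, Purpose, Nonce string }

func (c Challenge) Bytes() []byte { return []byte(c.Account + "|" + c.Purpose + "|" + c.Nonce) }

type Transfer struct{ Account, To, Amount string }
type tan struct{ tx Transfer; code string }

var (
	keys    = map[string]ed25519.PublicKey{} // registered at sign-up; stand-in for the GnuPG public key
	phones  = map[string]string{}            // bound only through a key-signed token
	tokens  = map[string]Challenge{}         // nonce -> issued, not yet used
	tans    = map[string]tan{}               // TAN id -> transfer awaiting its code
	SendSMS = func(phone, text string) {}    // hypothetical SMS gateway hook, replaced by callers
)

func randHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return hex.EncodeToString(b)
}

// User side: the key pair is generated by the user; only the public half is registered.
func UserKeygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pub, priv
}

func SignChallenge(priv ed25519.PrivateKey, c Challenge) []byte { return ed25519.Sign(priv, c.Bytes()) }

// IssueChallenge hands the user a fresh token to sign for one stated purpose.
func IssueChallenge(name, purpose string) (Challenge, error) {
	if _, ok := keys[name]; !ok { return Challenge{}, errors.New("no such account") }
	c := Challenge{name, purpose, randHex(16)}
	tokens[c.Nonce] = c
	return c, nil
}

// verifyChallenge consumes the token (valid or not), then checks that it is the one issued
// for this purpose and that the signature verifies under the account's registered key.
func verifyChallenge(c Challenge, purpose string, sig []byte) error {
	stored, ok := tokens[c.Nonce]
	delete(tokens, c.Nonce)
	if !ok || string(stored.Bytes()) != string(c.Bytes()) || c.Purpose != purpose {
		return errors.New("token unknown, already used, or altered")
	}
	if !ed25519.Verify(keys[c.Account], c.Bytes(), sig) { return errors.New("bad signature") }
	return nil
}

// SetPhone binds the mTAN number; it needs a key-signed token, not just the password.
func SetPhone(c Challenge, sig []byte, phone string) error {
	if err := verifyChallenge(c, "set-phone", sig); err != nil { return err }
	phones[c.Account] = phone
	return nil
}

// StartTransfer sends destination, amount and a one-time code to the bound phone.
func StartTransfer(t Transfer) (string, error) {
	phone, ok := phones[t.Account]
	if !ok { return "", errors.New("no phone bound to account") }
	id, code := randHex(8), randHex(4)
	tans[id] = tan{t, code}
	SendSMS(phone, fmt.Sprintf("Send %s BTC to %s? Code: %s", t.Amount, t.To, code))
	return id, nil
}

// ConfirmTransfer accepts only if the code matches and the details are exactly those shown
// on the phone; the TAN is consumed either way, so the code cannot be guessed repeatedly.
func ConfirmTransfer(id string, t Transfer, code string) error {
	p, ok := tans[id]
	delete(tans, id)
	if !ok || p.tx != t { return errors.New("no pending transfer with these details") }
	if subtle.ConstantTimeCompare([]byte(p.code), []byte(code)) != 1 { return errors.New("wrong code") }
	return nil
}

// CodeFromSMS pulls the code out of the message text (its last token).
func CodeFromSMS(text string) string { f := strings.Fields(text); return f[len(f)-1] }

func main() {
	pub, priv := UserKeygen()
	keys["alice"] = pub
	var shown string
	SendSMS = func(_, text string) { shown = text }
	c, _ := IssueChallenge("alice", "set-phone")
	fmt.Println("bind phone:", SetPhone(c, SignChallenge(priv, c), "+81-90-0000-0000")) // constructed number
	tx := Transfer{"alice", "1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD", "30.53"}
	id, _ := StartTransfer(tx)
	fmt.Println(shown, "->", ConfirmTransfer(id, tx, CodeFromSMS(shown)))
}
```

Running it binds the phone with a signed token (prints `<nil>`), then shows the text the phone would display, "Send 30.53 BTC to 1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD? Code: ...", followed by `<nil>` for a confirmation that matches it. A keylogger that captures the password and the typed code gains nothing reusable: the code is tied to one pending transfer with one destination, and the token that would let an attacker re-point the phone number has to be signed by a key that, in the poster's scheme, never leaves the smart card. Token expiry, a wrong-code counter and persistence are left out to keep the example short; a real deployment needs all three.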
sr. member
Activity: 332
Merit: 250
Anyone that continues to do business on the MtGox exchange after this debacle is both totally nuts and totally stupid.  For that matter, anyone doing business on ANY of the bitcoin exchanges is nuts and stupid.  Get what little assets you had in the account out and run asap...
I'd agree that keeping funds on any of the Bitcoin exchanges is foolish. The problem with Mt. Gox, and some of the other exchanges, is that they're not just an exchange.  They're banks, too. They hold customer funds as deposits.

None of the major Bitcoin "exchanges" is solid enough as an institution to act as a bank. They're not even at the level of some small-town independent bank in terms of organization, security, regulation, or financial strength. Mt. Gox, before the crash, was handling more money than some small-town banks. But they had only two people, and no clue about security of a financial institution. Real banks and exchanges have insurance bonds on their employees, errors and omissions insurance, and real auditors. Not these guys.

If you use an exchange, sweep all your funds out of it at least once a day.

qft
newbie
Activity: 15
Merit: 0
How can anyone even know at the moment. This is some Newb Garbage.
newbie
Activity: 17
Merit: 0
Is it registered in Japan at all? =)) It could be a pure virtual company which will disappear at some point.
legendary
Activity: 1204
Merit: 1002
So, MtGox and the other exchanges are not banks in the same sense as Bank of America or even your local credit unions.
In a strict sense, they're "non-bank depository institutions". But I felt that was too advanced a term for this forum.

For background on that subject, see this paper from the Kansas City Fed: "Recent developments at banks and nonbank depository institutions". That was written in 1983, near the beginning of US financial deregulation, as the types of financial institutions started to proliferate. It used to be that the same institutions accepted deposits and made retail loans. The job can be split, though, with one institution accepting deposits and another making loans. Non-bank depository institutions have to put their money somewhere, and if they put it in a bank, they are lending it to the bank. 

Bank regulation exists to protect depositors' funds.  Generally, banking regulation is applied to depository institutions, regardless of whether they make loans. On the other hand, businesses which lend their own money but do not hold deposits (like payday-loan companies) are not regulated as banks.

So an "exchange" like Mt. Gox would be subject to banking regulation in some jurisdictions. PayPal is regulated as a bank in the European Union, and as a money transfer service in the US and Japan. As of April 1, 2010, money transfer services in Japan must be licensed. Does Mt. Gox have a license?

sr. member
Activity: 294
Merit: 252
The problem with Mt. Gox, and some of the other exchanges, is that they're not just an exchange.  They're banks, too. They hold customer funds as deposits.

What is commonly considered a bank today is more strictly defined as a commercial bank: "A commercial bank accepts deposits and pools those funds to provide credit, either directly by lending, or indirectly by investing through the capital markets."

So, MtGox and the other exchanges are not banks in the same sense as Bank of America or even your local credit unions.
legendary
Activity: 1204
Merit: 1002
Anyone that continues to do business on the MtGox exchange after this debacle is both totally nuts and totally stupid.  For that matter, anyone doing business on ANY of the bitcoin exchanges is nuts and stupid.  Get what little assets you had in the account out and run asap...
I'd agree that keeping funds on any of the Bitcoin exchanges is foolish. The problem with Mt. Gox, and some of the other exchanges, is that they're not just an exchange.  They're banks, too. They hold customer funds as deposits.

None of the major Bitcoin "exchanges" is solid enough as an institution to act as a bank. They're not even at the level of some small-town independent bank in terms of organization, security, regulation, or financial strength. Mt. Gox, before the crash, was handling more money than some small-town banks. But they had only two people, and no clue about security of a financial institution. Real banks and exchanges have insurance bonds on their employees, errors and omissions insurance, and real auditors. Not these guys.

If you use an exchange, sweep all your funds out of it at least once a day.
full member
Activity: 125
Merit: 100
Anyone that continues to do business on the MtGox exchange after this debacle is both totally nuts and totally stupid.  For that matter, anyone doing business on ANY of the bitcoin exchanges is nuts and stupid.  Get what little assets you had in the account out and run asap...
sr. member
Activity: 294
Merit: 250
http://blog.imperva.com/2011/06/lulzsec-profile-who-are-they.html

doesn't seem like Imperva is using that log at all? is it SOP to obfuscate the allegations by claiming they all come from a single discredited source?

Quote
Joepie is a current member of Anonymous, and operates a number of websites used by the group.  He feels he is operating legally in his participation in the group, as long as he is only offering material support.  Logs show him to be a full participant with access to private irc rooms, but he appears to feel he is committing no crimes as long as he personally abstains from accessing websites, a position he also took during the HBGary intrusion.
Joepie is a bitcoin supporter/enthusiast, and seems to have encouraged its use by the group.

the profile written about you seems to fit you to a T. you don't deny the veracity of the logs, nor being an active member of the(se) chat room(s), nor having them as your friends. but the tone of the conversation indicates you're there for a slightly higher purpose than mere socialization. i haven't a clue as to whether you're the webmaster/designer, but if that's the depth of your work for Lulzsec then congratulations, i suppose? Bin Laden's driver was given 66 months in Guantanamo, a miscarriage of justice that I hope doesn't befall you.

for everyone reading this - accept my apology for how i've misled you. it's obvious you should trust an individual with links to hacker groups asking publicly for the composition of your old passwords and whether they were reused on other sites with the same user name.
http://blog.imperva.com/2011/06/lulzsec-profile-who-are-they.html
Based on http://lulzsecexposed.blogspot.com (which has some juicy false assumptions mixed in)
Which was in turn based on the already mentioned http://pastebin.com/QZXBCBYt
newbie
Activity: 7
Merit: 0
http://blog.imperva.com/2011/06/lulzsec-profile-who-are-they.html

doesn't seem like Imperva is using that log at all? is it SOP to obfuscate the allegations by claiming they all come from a single discredited source?

Quote
Joepie is a current member of Anonymous, and operates a number of websites used by the group.  He feels he is operating legally in his participation in the group, as long as he is only offering material support.  Logs show him to be a full participant with access to private irc rooms, but he appears to feel he is committing no crimes as long as he personally abstains from accessing websites, a position he also took during the HBGary intrusion.
Joepie is a bitcoin supporter/enthusiast, and seems to have encouraged its use by the group.

the profile written about you seems to fit you to a T. you don't deny the veracity of the logs, nor being an active member of the(se) chat room(s), nor having them as your friends. but the tone of the conversation indicates you're there for a slightly higher purpose than mere socialization. i haven't a clue as to whether you're the webmaster/designer, but if that's the depth of your work for Lulzsec then congratulations, i suppose? Bin Laden's driver was given 66 months in Guantanamo, a miscarriage of justice that I hope doesn't befall you.

for everyone reading this - accept my apology for how i've misled you. it's obvious you should trust an individual with links to hacker groups asking publicly for the composition of your old passwords and whether they were reused on other sites with the same user name.
sr. member
Activity: 294
Merit: 250
Because every (semi-)private channel on the internet is Lulzsec.
and how did you get in that channel to begin with? why do you appear so close to lulzsec members such that you're allowed to freely enter and chat as old friends?
Because I was invited to that channel by a few friends, as is usually the case when someone gets into a "private" channel.
I consider myself a purveyor of only the finest newspapers throughout the land. So lo and behold when I launch the Guardian today and see this article on my iPad - http://www.guardian.co.uk/technology/2011/jun/21/lulzsec-hacker-group-who-belongs

Quote
The group is small – less than 10 or so. (This is confirmed separately by security researcher Rik Ferguson of Trend Micro, who comments that "it seems to be a tight-knit group – it only needs to be a few people, since all they need is a Twitter account and a web page. There's no evidence that they're a particularly sophisticated group.)

The members, according to Imperva:

• "Sabu" – HBgary hacker. Seems to be the leader.

• "Nakomis" – Coder, rumoured to be one of coders of the PHPBB bulletin board.

• "Topiary" – handles finance, such as donations and payment for services (eg botnets)

• "Tflow" – Hacker. (Rumoured.)

• "Kayla" – Hacker. Owns a big botnet.

• "Joepie91" – Website admin.

• "Avunit" - No more detail.

From hacker discussion forums, it seems they might get arrested as soon as many "real world" details on their identities get revealed, suggests Tal Be'ery.
I'm outraged they capitalized Joepie's handle, when clearly it isn't. This will be resolved, I swear!

And surprise surprise! The Guardian article is based on the Imperva article, which in turn is based on the same leaked IRC logs that were claimed to be from Lulzsec but were not.

I suggest you actually respond to some of the things I said before, instead of throwing allegation after allegation.
newbie
Activity: 25
Merit: 0
Thank you for sharing this information.

As I myself thought previously it's a spin-off of Anonymous collective,
this idea is affirmed, alas still no proof.
newbie
Activity: 3
Merit: 0
Ahah, so it seems that after having 0.5 BTC harvested from my www.mybitcoin.com account, I fell for social engineering from joepie91... O_o

Thanks stubeans. Great investigation !
newbie
Activity: 7
Merit: 0
I consider myself a purveyor of only the finest newspapers throughout the land. So lo and behold when I launch the Guardian today and see this article on my iPad - http://www.guardian.co.uk/technology/2011/jun/21/lulzsec-hacker-group-who-belongs

Quote
The group is small – less than 10 or so. (This is confirmed separately by security researcher Rik Ferguson of Trend Micro, who comments that "it seems to be a tight-knit group – it only needs to be a few people, since all they need is a Twitter account and a web page. There's no evidence that they're a particularly sophisticated group.)

The members, according to Imperva:

• "Sabu" – HBgary hacker. Seems to be the leader.

• "Nakomis" – Coder, rumoured to be one of coders of the PHPBB bulletin board.

• "Topiary" – handles finance, such as donations and payment for services (eg botnets)

• "Tflow" – Hacker. (Rumoured.)

• "Kayla" – Hacker. Owns a big botnet.

• "Joepie91" – Website admin.

• "Avunit" - No more detail.

From hacker discussion forums, it seems they might get arrested as soon as many "real world" details on their identities get revealed, suggests Tal Be'ery.
I'm outraged they capitalized Joepie's handle, when clearly it isn't. This will be resolved, I swear!
member
Activity: 81
Merit: 10
Now that mtgox closed their exchange, how can I tell if I got hacked?

I have read people mention that they checked the "dump" and found their info in it with their email changed (or not changed). Where is this dump?

EDIT: Google Mail just asked me to verify myself due to suspicious activity.  I did use the same 9 char. password as my email on mtgox.

I'm scared.

Yes, you are on the list, along with your gmail address, number 3419 out of 61,016 users listed at MtGox.

Understand that the passwords are not directly readable, and must be run through some fairly intense computational power to crack. Very similar to the way BitCoins are mined, actually. Takes a *long* time...

However, I had a 20 character password, using both letters and numbers, and exclusive to MtGox. Looks like my email address was changed in my account and I can't log into my account. I have to assume it's lost.

Just change all your passwords that are similar and associated with that address.

Is this the 61k email logins leaked by Lulzsec?
member
Activity: 336
Merit: 10
For the last 2 days I've received tons of emails like this

Quote
Dear Mt.Gox user,

Our database has been compromised, including your email...

The joke is, I've never registered with Mt. Gox. Is Mt. Gox in collaboration with this forum? Or any official Bitcoin site?
If playing World of Warcraft taught me anything, it's that you can't trust any link coming from an email anymore.

Every email address can be faked; the only way to be sure is to read the headers.

I'm starting to hate being paranoid about everything online :(

Only way to find some rest is with Linux.
newbie
Activity: 7
Merit: 0
Because every (semi-)private channel on the internet is Lulzsec.
and how did you get in that channel to begin with? why do you appear so close to lulzsec members such that you're allowed to freely enter and chat as old friends? with your litany of VPN logins? why so many VPN logins, anyhow? guilty by association? probably? moo? i like question marks?

Quote
Because I totally did not encourage users to change their passwords to something stronger and completely unlike their current password.
You pretend to be a friend, then exploit the info you gather. Isn't that what SE and intel gathering in general is all about?

Quote
Because I am totally a completely evil person whose only mission in life is to gather statistics on passwords that are not used anymore, to throw them into my magical hat and magically get all new passwords and usernames of everyone in the universe!
You may or may not be evil, but you do seem to associate with those online that have less than stellar characters. why?

Quote
Because trying to spread fear has worked the past few times something like this happened.
fear? i'm giving people food for thought. it's obvious that some here need that type of nourishment, no?

Quote
Go do something constructive instead of accusing people of things they have no involvement with.
considering that i'd otherwise be sleeping on a mattress of the highest quality, i think my time this morning has been quite productive!