Topic: Just lost 190 bitcoins through Mt. Gox - page 4. (Read 6836 times)

legendary
Activity: 1498
Merit: 1000
February 08, 2013, 03:45:31 PM
#59
Quote
So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?

Half-assed job of security is kinda strong, don't you think? I mean, where does security on the consumer side start? 2 factor auth is the saving grace; if you don't have that you can kiss your coins goodbye. Then you don't need all those bells and whistles which would probably cause more issues than they are worth. I think as long as Mt Gox isn't getting hacked and leaking bitcoins from their wallet, I say security is good then. Take some responsibility, don't make Mt Gox your mom.
full member
Activity: 210
Merit: 100
February 08, 2013, 03:40:21 PM
#58
Quote
I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I don't remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!! Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversibility of Bitcoin means it needs to be done better than the companies doing fiat transactions do!!

Quote
100% agreed, couldn't have said it better. It bugs me when someone has been taken advantage of and there is a huge outcry blaming the victim. Basically the claim goes like this.. It is your fault for not being a big enough tech nerd. If you read Wired magazine every day and spent 90 percent of your time online learning about bitcoin like I do then you wouldn't have gotten scammed. Bitcoin is beyond reproach and the community shares no blame.

Quote
I'll agree with you here!

MtGox needs to implement better security options. Withdrawal locks based on IP, email, and time should all be available options to users. I would be so much more comfortable with putting funds on MtGox if I knew they couldn't be withdrawn to a different address other than what I've specified without email confirmation and a 7-day delay. And I even have a yubikey required for logging in and withdrawal already!

So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?
legendary
Activity: 1311
Merit: 1000
February 08, 2013, 03:37:35 PM
#57
I've read a 2F get hacked too. I bet it's gox themselves..

I mean come on, what's the likelihood of 7.6 billion people and only a few thousand that use bitcoin and all these gox hacks going around.

I'd like to see a huge list of reports of people's wallets on their computer, or blockchain.info getting fucked.
legendary
Activity: 1400
Merit: 1005
February 08, 2013, 02:46:58 PM
#56
Quote
I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I don't remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!! Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversibility of Bitcoin means it needs to be done better than the companies doing fiat transactions do!!

Quote
100% agreed, couldn't have said it better. It bugs me when someone has been taken advantage of and there is a huge outcry blaming the victim. Basically the claim goes like this.. It is your fault for not being a big enough tech nerd. If you read Wired magazine every day and spent 90 percent of your time online learning about bitcoin like I do then you wouldn't have gotten scammed. Bitcoin is beyond reproach and the community shares no blame.

I'll agree with you here!

MtGox needs to implement better security options. Withdrawal locks based on IP, email, and time should all be available options to users. I would be so much more comfortable with putting funds on MtGox if I knew they couldn't be withdrawn to a different address other than what I've specified without email confirmation and a 7-day delay. And I even have a yubikey required for logging in and withdrawal already!
legendary
Activity: 966
Merit: 1000
February 08, 2013, 02:39:03 PM
#55
Quote
I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I don't remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!! Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversibility of Bitcoin means it needs to be done better than the companies doing fiat transactions do!!

100% agreed, couldn't have said it better. It bugs me when someone has been taken advantage of and there is a huge outcry blaming the victim. Basically the claim goes like this.. It is your fault for not being a big enough tech nerd. If you read Wired magazine every day and spent 90 percent of your time online learning about bitcoin like I do then you wouldn't have gotten scammed. Bitcoin is beyond reproach and the community shares no blame.
sr. member
Activity: 286
Merit: 251
February 08, 2013, 01:21:24 PM
#54
I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I don't remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!! Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversibility of Bitcoin means it needs to be done better than the companies doing fiat transactions do!!

newbie
Activity: 22
Merit: 0
February 08, 2013, 12:44:23 PM
#53
My guess is that you used the same email and password as you used somewhere else....mtgox might be tough to crack...but any other website, not so much.

Make sure your bitcoin wallet and bitcoin accounts all have different passwords.
legendary
Activity: 966
Merit: 1000
February 08, 2013, 12:40:16 PM
#52
PayPal locks out based on IP address. If I try to access from a strange IP it asks me a security question. Mt. Gox doesn't give a shit because they have zero liability. To all the tech guys talking about yubikeys and 2fa nerd stuff: you don't get it, people aren't going to do that. This thing only works if people use it. I am shocked to see the bitcoin faith in here. It is all worthless if people don't adopt it. If you think bitcoin is a retirement plan you are out of your mind.
legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
February 08, 2013, 11:19:09 AM
#51
Quote
I think the larger point is that MtGox has offered 2FA for what two years now. Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled.

In regards to sending cash in Aus every *delivery* company makes it *clear* you *cannot* send cash (so maybe different to the US) and I'm not now talking about legality but instead about any guarantee of refund for losses incurred (IANAL).

Also in Australia (at least) even if your 2FA is compromised your bank is *insured* and you will likely be *refunded* for losses due to theft (unless they can pretty much *prove* you *stole* the funds yourself).

Mt. Gox offers 0% protection AFAIA (correct me if I am wrong) and that is my point (no "mom's and dad's" are going to invest in something with zero guarantee in case of theft when there is a guaranteed option available and nor should they).
legendary
Activity: 2506
Merit: 1010
February 08, 2013, 11:02:35 AM
#50
Quote
Maybe force 2FA for accounts with balances greater than 50 BTC.

Yup, or some checkbox that says "I ACKNOWLEDGE THAT 2FA IS RECOMMENDED BUT DECLINE THE RECOMMENDATION."

Because there's a lot of that going on.

MtGox account got cleared out
 - https://bitcointalksearch.org/topic/mtgox-account-got-cleared-out-85533

All BTC disappeared from my Mt. Gox account
 - https://bitcointalksearch.org/topic/all-btc-disappeared-from-my-mt-gox-account-88368

Another:
 - https://bitcointalksearch.org/topic/m.941759

And another: My mtgox account got compromised, what can I do?
 - https://bitcointalksearch.org/topic/my-mtgox-account-got-compromised-what-can-i-do-84585

Yet more: MT.Gox account hacked - lost 2k USD - MT.GOX will not explain how.
 - https://bitcointalksearch.org/topic/mtgox-account-hacked-lost-2k-usd-mtgox-will-not-explain-how-89142

And more again: Bitcoins stolen from MtGox
 - http://www.reddit.com/r/Bitcoin/comments/x8lcv/bitcoins_stolen_from_mtgox

And yet more: Stolen from Mt.Gox coins. Help return the coins.
 - https://bitcointalksearch.org/topic/stolen-from-mtgox-coins-help-return-the-coins-119816

Or more here: Email from Mt.Gox this morning.
 - http://www.reddit.com/r/Bitcoin/comments/z0na5/email_from_mtgox_this_morning

And even more here: I just had $715 stolen out of my Mt. Gox account.
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account

And the biggie: Bitcoinica MtGox account compromised
 - https://bitcointalksearch.org/topic/bitcoinica-mtgox-account-compromised-93074

With more here: Unauthorized Account Activity on my Mt.Gox Account - Account Compromised/Hacked?
 - https://bitcointalksearch.org/topic/unauthorized-account-activity-on-my-mtgox-account-account-compromisedhacked-94140

And even more: *MY* Mt Gox Account was Hacked - lost it all today... now what!?
 - https://bitcointalksearch.org/topic/my-mt-gox-account-was-hacked-lost-it-all-today-now-what-137795

Ditto: My MtGox account was just exploited - 3 BTC stolen
 - https://bitcointalksearch.org/topic/my-mtgox-account-was-just-exploited-3-btc-stolen-old-news-141816

And now this one gets added to the list: Just lost 190 bitcoins through Mt. Gox
 - https://bitcointalksearch.org/topic/just-lost-190-bitcoins-through-mt-gox-141831

And on other services as well. Here same thing happened to some GLBSE users:
 - https://bitcointalksearch.org/topic/i-suspect-gpumax-was-compromised-and-passwords-stolen-84893

And elsewhere, BitMarket.eu in this instance:
 - https://bitcointalksearch.org/topic/m.1259168

And now on bitcoin.de as well: Bitcoins stolen from bitcoin.de.
 - https://bitcointalksearch.org/topic/bitcoins-stolen-from-bitcoinde-130264

In none of these was the person using multi-factor authentication. Mt. Gox has had Yubikey support for a while. Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html

If the exchange you are storing funds with doesn't provide OTP, consider using a different exchange:
 - http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges

If you are storing funds in an EWallet, consider using a paper wallet.

Here is a fantastic guide: How to use 2-factor auth on mtgox, even without a smartphone (from a second device, of course, not from the same computer you log in on).
 - https://bitcointalksearch.org/topic/how-to-use-2-factor-auth-on-mtgox-even-without-a-smartphone-111943
sr. member
Activity: 252
Merit: 250
February 08, 2013, 10:38:41 AM
#49
Quote
Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

Quote
I think the larger point is that MtGox has offered 2FA for what two years now. Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled. I don't think anyone said "too stupid" but if your house comes equipped with the ability to lock the doors but you choose not to and then get robbed well ... Now if MtGox provided no mechanism to keep balances safe that would be a different story.

Everything is there you need. Maybe force 2FA for accounts with balances greater than 50 BTC.

Once I got ripped off 500€ from my bank account (bancomat skimmer), my bank immediately compensated it. BUT if an attacker has your bank login AND your mobile phone is infected so the attacker can read your SMS to retrieve the TAN numbers (mandatory 2FA here in Germany). Well, then you're on your own... I imagine there will be bank-like Bitcoin systems in the future, e.g. BitcoinCentral, just to be insured against stuff like this.
40 years ago people did only brain fart in front of a computer. Security, cryptography and general awareness of computer systems will be more common for the "John Q. Public's" in near future. It's not that Bitcoin and the systems around it need to adjust itself down to "anyone's" abilities. It's more like that society will adjust itself to the level needed for Bitcoin.
full member
Activity: 210
Merit: 100
February 08, 2013, 10:36:27 AM
#48

Quote
Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

Quote
I think the larger point is that MtGox has offered 2FA for what two years now. Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled. I don't think anyone said "too stupid" but if your house comes equipped with the ability to lock the doors but you choose not to and then get robbed well ... Now if MtGox provided no mechanism to keep balances safe that would be a different story but they do. Despite all the prior losses it seems people just refuse to accept that passwords are insecure. That is why 2FA exists.

Sure, they offer 2FA, but as a customer you pretty much have to find it out yourself. With a regular bank account it isn't even possible to make a withdrawal without 2FA in some form, it is a hard requirement. If we want Bitcoin to emerge from the niche it is in right now, everybody should be able to use it safely, even those who don't understand what 2FA is or why they need it, they should simply be forced to use it.
donator
Activity: 1218
Merit: 1079
Gerald Davis
February 08, 2013, 10:00:50 AM
#47
Quote
That point is of course quite true, however, it is basically illegal to send money through the mail for that very reason.

In the US it isn't illegal to send cash in the mail.  Never has been, just an urban legend.  Now the USPS recommends you don't send cash in the mail unless you send it registered mail as it isn't insured but the same applies to other valuables as well.

Quote
Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

I think the larger point is that MtGox has offered 2FA for what two years now.  Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled.  I don't think anyone said "too stupid" but if your house comes equipped with the ability to lock the doors but you choose not to and then get robbed well ...  Now if MtGox provided no mechanism to keep balances safe that would be a different story but they do.  Despite all the prior losses it seems people just refuse to accept that passwords are insecure.  That is why 2FA exists.

sr. member
Activity: 252
Merit: 250
February 08, 2013, 09:46:35 AM
#46

Quote
Let me guess.... no two factor authentication?

Quote
how I can activate two factor authentication on mtgox?

ID verify your Mt.Gox account, you should then receive the offer to obtain a yubikey - FOR FREE.

member
Activity: 77
Merit: 10
February 08, 2013, 09:45:10 AM
#45
Quote
Funny that the mining pools seem to have more safety lockouts than MtGox does.

It's not such a surprise. It's generally a good thing for Mtgox if as many people as possible sign up. A nice security feature that tends to lock idiots out of their own accounts won't help them achieve that.

For a mining pool on the other hand, having a feature that deters the less tech-savvy is probably good.
hero member
Activity: 873
Merit: 1007
February 08, 2013, 09:37:10 AM
#44
Funny that the mining pools seem to have more safety lockouts than MtGox does.
full member
Activity: 210
Merit: 100
February 08, 2013, 09:22:01 AM
#43

Quote
Locked IP is an interesting option. Does any other company offer that?

Yes, Blockchain does. However, as Prattler states, a simple email warning plus temporary lock for new IPs would be sufficient for now and must be quite easy to implement. It would of course increase the amount of work for their customer service but then again, if MtGox wants to remain the largest Bitcoin exchange in a few years' time (and ultimately make an obscene amount of money), now would be the time to invest in their service.
full member
Activity: 192
Merit: 100
February 08, 2013, 09:05:41 AM
#42
Quote from: avegetable
Locked IP is an interesting option. Does any other company offer that?

It does require a little technical knowledge from the users. People with dynamic IPs would have to specify an IP address range. Or several IP ranges for many ISPs.

It could prevent most unauthorized access (though not when the user's PC is hijacked and remote controlled), but there would also be a lot of extra support problems for Mtgox because of users accidentally locking themselves out of their own accounts.

Just something as simple as send a warning email and allow cash out after 2+ days, if your IP is new.
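
The withdrawal locks proposed across this thread (2FA required above 50 BTC, a 2-day hold with a warning email for an unrecognised IP, IP ranges for dynamic addresses, and email confirmation plus a 7-day delay for a new destination address), sketched as an added example that is not part of any post and is not Mt. Gox code. The data model, function names, documentation-range IPs and placeholder addresses are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Thresholds come from suggestions in the thread; the data model is assumed.
FORCE_2FA_ABOVE_BTC = 50                # "force 2FA for balances greater than 50 BTC"
NEW_IP_HOLD = timedelta(days=2)         # "warning email and allow cash out after 2+ days"
NEW_ADDRESS_HOLD = timedelta(days=7)    # "email confirmation and a 7-day delay"


@dataclass
class Account:
    balance_btc: float
    has_2fa: bool
    allowed_networks: list                                 # CIDR ranges the user registered
    known_addresses: dict = field(default_factory=dict)    # addr -> (added_at, email_confirmed)


@dataclass
class Decision:
    action: str                     # "allow", "hold" or "deny"
    release_at: Optional[datetime]  # earliest payout time; None when denied
    reasons: list


def evaluate_withdrawal(acct, dest, src_ip, otp_ok, now):
    """Apply the thread's proposed withdrawal locks to one request."""
    if acct.balance_btc > FORCE_2FA_ABOVE_BTC and not acct.has_2fa:
        return Decision("deny", None, ["balance above 50 BTC requires 2FA enrolment"])
    if acct.has_2fa and not otp_ok:
        return Decision("deny", None, ["one-time password missing or invalid"])

    entry = acct.known_addresses.get(dest)
    if entry is None or not entry[1]:
        return Decision("deny", None, ["destination address not confirmed by email"])

    release_at, reasons = now, []
    # Dynamic-IP users register ranges, so match networks rather than single hosts.
    ip = ip_address(src_ip)
    if not any(ip in ip_network(net) for net in acct.allowed_networks):
        release_at = max(release_at, now + NEW_IP_HOLD)
        reasons.append("unrecognised IP: warning email sent, 2-day hold")

    added_at = entry[0]
    if added_at + NEW_ADDRESS_HOLD > now:
        release_at = max(release_at, added_at + NEW_ADDRESS_HOLD)
        reasons.append("destination address younger than 7 days")

    return Decision("hold" if release_at > now else "allow", release_at, reasons)


def demo():
    """Run constructed requests (documentation IP ranges, placeholder addresses)."""
    now = datetime(2013, 2, 8, 12, 0)
    acct = Account(190.0, True, ["198.51.100.0/24"], {
        "ADDR_OLD_PLACEHOLDER": (now - timedelta(days=30), True),
        "ADDR_NEW_PLACEHOLDER": (now - timedelta(days=1), True),
    })
    return {
        "usual": evaluate_withdrawal(acct, "ADDR_OLD_PLACEHOLDER", "198.51.100.7", True, now),
        "new_ip": evaluate_withdrawal(acct, "ADDR_OLD_PLACEHOLDER", "203.0.113.9", True, now),
        "new_addr": evaluate_withdrawal(acct, "ADDR_NEW_PLACEHOLDER", "198.51.100.7", True, now),
        "no_otp": evaluate_withdrawal(acct, "ADDR_OLD_PLACEHOLDER", "198.51.100.7", False, now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision.action, decision.release_at, decision.reasons)
```

Holds are combined by taking the later release time, so a request from a new IP to a one-day-old address waits out the remaining six days of the address delay rather than only the two-day IP hold.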
member
Activity: 77
Merit: 10
February 08, 2013, 08:40:38 AM
#41


Quote
This is very much true! There is no reason why they don't have options to lock IP and/or bitcoin address.

Locked IP is an interesting option. Does any other company offer that?

It does require a little technical knowledge from the users. People with dynamic IPs would have to specify an IP address range. Or several IP ranges for many ISPs.

It could prevent most unauthorized access (though not when the user's PC is hijacked and remote controlled), but there would also be a lot of extra support problems for Mtgox because of users accidentally locking themselves out of their own accounts.

newbie
Activity: 43
Merit: 0
February 08, 2013, 08:18:16 AM
#40

Quote
Let me guess.... no two factor authentication?

Quote
But next time two factor authentication is the only way to go.

Quote
Yea beat me to it... I won't put more than 1 BTC anywhere that doesn't support two factor.

I think I'm up to 20 accounts now with two factor or yubikey

how I can activate two factor authentication on mtgox?

I would like to see IP restriction and confirmation options/alerts on demand too!
