
Topic: Localbitcoins: Account has multiple failed logins from unknown IPs - page 2. (Read 353 times)

legendary
Activity: 2268
Merit: 1092
[Edited to add] I can see a clear problem here: to disable 2FA, you need to provide signed proof you possess a secret, but that secret is shown right there on the same screen.

With every other 2FA I've had to reset today (new phone), the recovery key is only shown at the first or second step. Some sites made me re-enter the recovery key to confirm I had it saved. LBC is the only one out of several exchanges I've loaded today that shows the recovery key after 2FA is enabled.
Not that I agree with the way they show this, but wouldn't this be the same if it was just a QR code with the 2FA secret code? How would you be able to activate it on your phone without actually seeing it on the screen? And most services will only require the 2FA code to disable it, something you can also get just from the secret code/QR. And malware/anyone with access to your screen would be able to see it/screenshot it/scan it/etc...

Quote
Anyone with access to your computer within the first 24 hours after 2FA is added could quietly disable it, and without needing to know your password.
Anyone with access to your ACCOUNT. And if they have this, your code is probably compromised anyway.

Yeah, I agree that if your machine is compromised - screen and key logging etc - then it doesn't matter if that secret only shows up for 2 seconds. You're done for, anyway.

But displaying the recovery key on the very same screen that allows you to disable 2FA is just plain dumb, since it means anyone with physical access can disable 2FA, without knowing your login details.

To me there seems to be something very wrong with this scenario:

"In order to reduce security on your account, you will need to prove you have the secret."

"By the way, the secret is XYZ."

Once you've proven your device has accepted the key (by inputting the 6 digit signature) there should be no need to show the recovery key again.
legendary
Activity: 3472
Merit: 1721
Not that I agree with the way they show this, but wouldn't this be the same if it was just a QR code with the 2FA secret code? How would you be able to activate it on your phone without actually seeing it on the screen? And most services will only require the 2FA code to disable it, something you can also get just from the secret code/QR. And malware/anyone with access to your screen would be able to see it/screenshot it/scan it/etc...

Quote
Anyone with access to your computer within the first 24 hours after 2FA is added could quietly disable it, and without needing to know your password.
Anyone with access to your ACCOUNT. And if they have this, your code is probably compromised anyway.

They shouldn't be showing the code after 2FA has already been enabled. It's being displayed for an unnecessary 24 hours and a lot can happen within that time frame, and they're making it slightly and needlessly easier for bad hombres to hijack accounts.
legendary
Activity: 2758
Merit: 6830
The text seems to be saying that it will only be displayed for 24 hours after 2FA is enabled. Still risky, since anyone who can access your computer when logged in (including remotely capturing your screen when you load the 2FA page) will be able to capture and replicate your secret.

[Edited to add] I can see a clear problem here: to disable 2FA, you need to provide signed proof you possess a secret, but that secret is shown right there on the same screen.

With every other 2FA I've had to reset today (new phone), the recovery key is only shown at the first or second step. Some sites made me re-enter the recovery key to confirm I had it saved. LBC is the only one out of several exchanges I've loaded today that shows the recovery key after 2FA is enabled.
Not that I agree with the way they show this, but wouldn't this be the same if it was just a QR code with the 2FA secret code? How would you be able to activate it on your phone without actually seeing it on the screen? And most services will only require the 2FA code to disable it, something you can also get just from the secret code/QR. And malware/anyone with access to your screen would be able to see it/screenshot it/scan it/etc...

Quote
Anyone with access to your computer within the first 24 hours after 2FA is added could quietly disable it, and without needing to know your password.
Anyone with access to your ACCOUNT. And if they have this, your code is probably compromised anyway.
legendary
Activity: 2268
Merit: 1092
I haven't logged in in a while, but can you really see the 2FA key when logged in? That doesn't sound like a good security practice.
The text seems to be saying that it will only be displayed for 24 hours after 2FA is enabled. Still risky, since anyone who can access your computer when logged in (including remotely capturing your screen when you load the 2FA page) will be able to capture and replicate your secret.

[Edited to add] I can see a clear problem here: to disable 2FA, you need to provide signed proof you possess a secret, but that secret is shown right there on the same screen. Anyone with access to your computer within the first 24 hours after 2FA is added could quietly disable it, and without needing to know your password.

With every other 2FA I've had to reset today (new phone), the recovery key is only shown at the first or second step. Some sites made me re-enter the recovery key to confirm I had it saved. LBC is the only one out of several exchanges I've loaded today that shows the recovery key after 2FA is enabled.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
To log in, LBC allows you to use your email address (which is private) or your username (which is publicly listed on feedback pages)

In 2019? I'm amazed. Most sites switched to email logins years ago because this is such an easy avenue to brute force weakly secured accounts.

LBC even helpfully shows your 2FA recovery code when you're logged in, which means their web server has read access to that secret.

Yikes. I was already paranoid about my TOTP shared secret being stored on exchange databases as it is. Localbitcoins seems to take the cake for terrible security practices.
legendary
Activity: 3472
Merit: 1721
2. 2FA isn't an unbreakable fortress. To verify the 2FA signature your device generates, LBC has to compare against a copy of a shared secret, so anyone who possesses that secret (eg employee, hacker) will be able to generate a valid 2FA signature.

If you don't trust Localbitcoins employees not to defraud you, you shouldn't be using their site. I think a bigger worry (with exchanges and similar sites in general) is that someone may successfully socially engineer their customer support to take over another person's account. (maybe not anymore in 2019 with selfie verifications being common, but still)

I haven't logged in in a while, but can you really see the 2FA key when logged in? That doesn't sound like a good security practice.
legendary
Activity: 3052
Merit: 1273
If I'm not wrong, they give us a set of codes which we need to write down? I've had 2FA enabled on one of my accounts which used to be very active, but the image file that I saved on my offline PC got deleted by me accidentally. Is there any way you know of to recover this 2FA thing there?

I've actually had no funds in it so I'm at least safe there (as I believe that even my 2fa could have been stolen if I may have gone online through that PC ever maybe, because I've an IMAGE saved of those codes).
hero member
Activity: 2730
Merit: 632
You will be worried if you see any successful login attempt.

Yes, I understand that they're unlikely to be able to successfully access my account, but it's worth considering:

1. To log in, LBC allows you to use your email address (which is private) or your username (which is publicly listed on feedback pages)

2. 2FA isn't an unbreakable fortress. To verify the 2FA signature your device generates, LBC has to compare against a copy of a shared secret, so anyone who possesses that secret (eg employee, hacker) will be able to generate a valid 2FA signature.

LBC even helpfully shows your 2FA recovery code when you're logged in, which means their web server has read access to that secret.
Nothing is unbreakable, that's why we'd get really worried if hackers were really able to bypass LBC security, but for now there's nothing to worry about.
It's a little bit alarming that you have multiple log-ins from unknown IPs which aren't yours. It does prove that your email info is known.
2FA is a must, especially for accounts that have funds in them.
legendary
Activity: 2268
Merit: 1092
You will be worried if you see any successful login attempt.

Yes, I understand that they're unlikely to be able to successfully access my account, but it's worth considering:

1. To log in, LBC allows you to use your email address (which is private) or your username (which is publicly listed on feedback pages)

2. 2FA isn't an unbreakable fortress. To verify the 2FA signature your device generates, LBC has to compare against a copy of a shared secret, so anyone who possesses that secret (eg employee, hacker) will be able to generate a valid 2FA signature.

LBC even helpfully shows your 2FA recovery code when you're logged in, which means their web server has read access to that secret.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
In recent days my LBC account has been repeatedly probed:

08/17/2019 06:32    Failed login attempt    175.136.7.241
08/16/2019 22:30    Failed login attempt    175.136.53.202
08/16/2019 20:56    Failed login attempt    1.9.207.170
08/16/2019 17:10    Failed login attempt    210.195.23.136
08/14/2019 08:08    Failed login attempt    115.134.62.224
08/11/2019 16:36    Failed login attempt    124.13.250.203
08/11/2019 14:03    Failed login attempt    161.142.59.116
08/10/2019 23:55    Failed login attempt    210.186.99.148
08/10/2019 21:52    Failed login attempt    60.51.2.234
08/10/2019 18:01    Failed login attempt    219.92.150.84
08/10/2019 00:58    Failed login attempt    42.188.120.179
08/09/2019 08:18    Failed login attempt    210.195.40.83


All the IPs are from Malaysia, which is not where I live.

I'm assuming someone has scraped feedback and is targeting accounts they think will hold funds (mine is listed as 20+ BTC traded)

I have 2FA active on the account, so cracking it would be useless anyway. (If you're not using 2FA - enable it now!)

Anyone else seeing this sort of activity in their LBC account?
It's a failed login attempt, so do not worry much about it.
Anyone can use your username and try to log in with a random password, or even if they know the password (worst case), your 2FA is not known to them, so they cannot log in to your account; but for that attempt it will keep a log, which is what you are seeing in this case.

You will be worried if you see any successful login attempt.
legendary
Activity: 2268
Merit: 1092
In recent days my LBC account has been repeatedly probed:

08/17/2019 06:32    Failed login attempt    175.136.7.241
08/16/2019 22:30    Failed login attempt    175.136.53.202
08/16/2019 20:56    Failed login attempt    1.9.207.170
08/16/2019 17:10    Failed login attempt    210.195.23.136
08/14/2019 08:08    Failed login attempt    115.134.62.224
08/11/2019 16:36    Failed login attempt    124.13.250.203
08/11/2019 14:03    Failed login attempt    161.142.59.116
08/10/2019 23:55    Failed login attempt    210.186.99.148
08/10/2019 21:52    Failed login attempt    60.51.2.234
08/10/2019 18:01    Failed login attempt    219.92.150.84
08/10/2019 00:58    Failed login attempt    42.188.120.179
08/09/2019 08:18    Failed login attempt    210.195.40.83


All the IPs are from Malaysia, which is not where I live.

I'm assuming someone has scraped feedback and is targeting accounts they think will hold funds (mine is listed as 20+ BTC traded)

I have 2FA active on the account, so cracking it would be useless anyway. (If you're not using 2FA - enable it now!)

Anyone else seeing this sort of activity in their LBC account?
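An added example, not from this thread, of the triage a defender might run over a login history in the layout shown above: parse the lines, count failed attempts per day and the number of distinct source IPs inside a sliding window (the many-IPs-one-account pattern the OP describes), and, following the reply that the real alarm is a successful login, flag any success from an address not in the owner's trusted list. The log lines are constructed with RFC 5737 documentation addresses, not the IPs from the post; the trusted-IP set, the window and the threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the same layout as the history shown in the post
# (RFC 5737 documentation addresses, not the real source IPs).
SAMPLE_LOG = """
08/17/2019 06:32    Failed login attempt    198.51.100.7
08/16/2019 22:30    Failed login attempt    198.51.100.53
08/16/2019 20:56    Failed login attempt    203.0.113.170
08/16/2019 17:10    Failed login attempt    203.0.113.136
08/14/2019 08:08    Failed login attempt    198.51.100.224
08/11/2019 16:36    Failed login attempt    192.0.2.203
08/03/2019 09:12    Successful login    192.0.2.10
08/01/2019 12:00    Successful login    203.0.113.99
"""

# Assumption: the account owner's own addresses.
TRUSTED_IPS = {"192.0.2.10"}

LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s+"
    r"(Failed login attempt|Successful login)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_log(text):
    """Return a list of (timestamp, event, ip) tuples, oldest first."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M")
        events.append((ts, m.group(2), m.group(3)))
    events.sort()
    return events


def max_distinct_ips_in_window(failed, window):
    """Largest number of distinct source IPs within any `window` ending at a failed attempt."""
    best, best_end = 0, None
    for t, _, _ in failed:
        ips = {ip for ts, _, ip in failed if t - window <= ts <= t}
        if len(ips) > best:
            best, best_end = len(ips), t
    return best, best_end


def summarize(events, trusted_ips, window_days=7, ip_threshold=5):
    """Per-day failure counts, the peak distinct-IP count, untrusted successes and alerts."""
    failed = [e for e in events if e[1] == "Failed login attempt"]
    untrusted_logins = [e for e in events
                        if e[1] == "Successful login" and e[2] not in trusted_ips]
    per_day = Counter(t.date().isoformat() for t, _, _ in failed)
    peak, peak_end = max_distinct_ips_in_window(failed, timedelta(days=window_days))
    alerts = []
    if peak >= ip_threshold:
        alerts.append(f"{peak} distinct IPs failed to log in within {window_days} days "
                      f"ending {peak_end:%Y-%m-%d %H:%M}: credential-stuffing pattern; "
                      f"keep 2FA on and rotate the password if it is reused anywhere")
    for t, _, ip in untrusted_logins:
        alerts.append(f"SUCCESSFUL login from untrusted IP {ip} at {t:%Y-%m-%d %H:%M}: "
                      f"treat the account as compromised")
    return {
        "failed_total": len(failed),
        "distinct_failed_ips": len({ip for _, _, ip in failed}),
        "per_day": dict(per_day),
        "max_distinct_in_window": peak,
        "untrusted_logins": untrusted_logins,
        "alerts": alerts,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), TRUSTED_IPS)
    print(report["per_day"])
    for line in report["alerts"]:
        print(line)
```

The distinct-IP window is what separates a distributed password-spraying run from one person mistyping a password; the threshold is a judgement call for the account, not a fixed rule. The untrusted-success check is the one that should page you.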