thanks for notice
i usually take my wallet with me and then update the localbitcoins
Topic: Localbitcoins Update (Read 3203 times)
Wow now I am extra glad we had this discussion
Is the 24h caching thingy fixed for everyone then?
Is the 24h caching thingy fixed for everyone then?
Yeah it's fixed.
Wow now I am extra glad we had this discussion
Is the 24h caching thingy fixed for everyone then?
Is the 24h caching thingy fixed for everyone then?
You sure LBC will not ask for additional info before generating new 2FA list?
Paper codes list? It should, but I just tried and found a big fucking flaw.
Once you are logged in, you can generate same list again. There is a big flaw, it doesn't generates a new 2FA code list until old one is used, instead of that it shows you current list.
Ie: Once Attacker got your session somehow and logged in your account, he can get your 2FA paper code keys.
I think this method was used to steal users coin and I am sure only those users who were using paper code 2FA got affected.
Ps: I have reported it to jeremias on lbc
edit: it's fixed now, codes were cached by their system for 24 hours.
I don't think there is a "seed". Those 2FA codes cannot be deterministic, or they would be a huge joke 
Maybe you should atleast check localbitcoins or any other site/app that is using 2 factor authentication.
The authentication key (seed)can be used on multiple devices simultaneously
Quote
The most common form of Two-Factor Authentication is TOTP. TOTP uses a secret seed and the current time to generate each of the individual authentication tokens. Essentially:
Given that anyone can know the current time, if the attacker knows the secret seed, he can essentially generate a valid OTP token at any time.
So it's possible that the secret seed that you are using for Two-Factor Authentication might be compromised.
http://blog.authy.com/heartbleed
Given that anyone can know the current time, if the attacker knows the secret seed, he can essentially generate a valid OTP token at any time.
So it's possible that the secret seed that you are using for Two-Factor Authentication might be compromised.
http://blog.authy.com/heartbleed
Ok thanks for the lesson
If it is possible to generate new 2FA codes from seed automatically I don't understand the benefit - seed would be merely another password then
You sure LBC will not ask for additional info before generating new 2FA list?
yesterday i withdraw bitcoin from localbitcoin wallet to my QT wallet and it confirmed after 10-20 mins
cheers
cheers
As for paper codes, one screenshot is enough and sometimes people save them as PDF file for printing on their pc.
Or write emails to themselves containing the seed/key
As for paper codes, one screenshot is enough and sometimes people save them as PDF file for printing on their pc.
I don't think there is a "seed". Those 2FA codes cannot be deterministic, or they would be a huge joke
Maybe you should atleast check localbitcoins or any other site/app that is using 2 factor authentication.
The authentication key (seed)can be used on multiple devices simultaneously
Quote
The most common form of Two-Factor Authentication is TOTP. TOTP uses a secret seed and the current time to generate each of the individual authentication tokens. Essentially:
Given that anyone can know the current time, if the attacker knows the secret seed, he can essentially generate a valid OTP token at any time.
So it's possible that the secret seed that you are using for Two-Factor Authentication might be compromised.
http://blog.authy.com/heartbleed
Given that anyone can know the current time, if the attacker knows the secret seed, he can essentially generate a valid OTP token at any time.
So it's possible that the secret seed that you are using for Two-Factor Authentication might be compromised.
http://blog.authy.com/heartbleed
I don't think there is a "seed". Those 2FA codes cannot be deterministic, or they would be a huge joke
Screenshots, yes. If your PC has been taken over, you are out of luck - but to be honest, then the attacker could just empty your BTC wallet on your PC not just Localbitcoins.
Also the question referred to session takeover only. The session is gone when you close your browser.
Screenshots, yes. If your PC has been taken over, you are out of luck - but to be honest, then the attacker could just empty your BTC wallet on your PC not just Localbitcoins.
Also the question referred to session takeover only. The session is gone when you close your browser.
Thanks for the input Rishodi ! Is a session logout possible with an Active listing?
Huh? Sure it is, close your browser :-)
And if using 2FA, it must be paper based, paper is normally not affected by malware...
It's true but ^ that's false sense of security.
Let's say bob's pc got infected or was infected by some malware, some days later bob started using localbitcoins.
Bob enabled 2 factor authentication on infected pc. Is he's safe? NO
Why? Because he created 2factor seed/keys on a infected machine and malware can capture keystrokes,take screenshot,share screen etc and there are high chances of getting paper code's/2factor seed compromised by hacker.
Thanks for the input Rishodi ! Is a session logout possible with an Active listing?
Huh? Sure it is, close your browser :-)
And if using 2FA, it must be paper based, paper is normally not affected by malware...
Cheers Mr Leopard, I'm just being justifiably paranoid
There's a general consensus on their forums that this issue was largely FUD? - Conducted several sales today, non of my clients have got back to me with any issues, all positive feedback.
From my perspective everything's been working great.
They're a good team the Localbitcoins crew, sure they will post something on their blogspot pretty soon, giving the all clear.
Thanks for the input Rishodi ! Is a session logout possible with an Active listing?
Huh? Sure it is, close your browser :-)
And if using 2FA, it must be paper based, paper is normally not affected by malware...
Coindesk, summary of events:
http://www.coindesk.com/localbitcoins-releases-investigation-report-site-wallet-issues/
http://www.coindesk.com/localbitcoins-releases-investigation-report-site-wallet-issues/
This is the reply which I have posted on the LocalBitcoins blog:
For anyone who uses LocalBitcoins, the safest course of action is to 1) enable 2FA and 2) logout after every session. Logging out will close the user session, and with no active sessions you are not susceptible to a session hijack attempt.
Quote
From the given information, the theft depended on 1) session hijacking and 2) compromised 2FA. Although this is certainly indicative of a compromised user device, LocalBitcoins needs to take more aggressive action to inhibit session hijacking.
Even with 2FA enabled, requests which originate from a user with a different IP address and browser than that which was recorded at the initiation of a session should be responded to by immediately destroying that session and asking the user to reauthenticate. In this particular case, the withdrawal request was associated with an IP address and user agent header which were distinguishably different from that which was recorded at the start of the session. As a result, the request should have been flagged as suspicious and denied.
Of course, such policies may not have been able to prevent the theft in this particular case. If the attacker was able to gain not merely read-only permissions but also execution permissions on the user's device, then the attacker could have sent the request directly from the user's device using the existing session, and the request would not appear suspicious to the server. If the attacker was able to access both the user's password and 2FA code, then the attacker could simply establish a new session from anywhere and subsequently send the withdrawal request.
Nonetheless, it is alarming to find that the security of session management at LocalBitcoins is certainly lacking. Taking a more proactive approach to session security would help to inhibit attacks and bolster trust in the LocalBitcoins platform. A good technical overview of the topic can be found here: https://wblinks.com/notes/secure-session-management-tips/
Even with 2FA enabled, requests which originate from a user with a different IP address and browser than that which was recorded at the initiation of a session should be responded to by immediately destroying that session and asking the user to reauthenticate. In this particular case, the withdrawal request was associated with an IP address and user agent header which were distinguishably different from that which was recorded at the start of the session. As a result, the request should have been flagged as suspicious and denied.
Of course, such policies may not have been able to prevent the theft in this particular case. If the attacker was able to gain not merely read-only permissions but also execution permissions on the user's device, then the attacker could have sent the request directly from the user's device using the existing session, and the request would not appear suspicious to the server. If the attacker was able to access both the user's password and 2FA code, then the attacker could simply establish a new session from anywhere and subsequently send the withdrawal request.
Nonetheless, it is alarming to find that the security of session management at LocalBitcoins is certainly lacking. Taking a more proactive approach to session security would help to inhibit attacks and bolster trust in the LocalBitcoins platform. A good technical overview of the topic can be found here: https://wblinks.com/notes/secure-session-management-tips/
For anyone who uses LocalBitcoins, the safest course of action is to 1) enable 2FA and 2) logout after every session. Logging out will close the user session, and with no active sessions you are not susceptible to a session hijack attempt.
Thanks for the input Rishodi ! Is a session logout possible with an Active listing?
So it looks like the user account was hacked via a user device? I wonder if LBTC did anything fishy here?
This is the reply which I have posted on the LocalBitcoins blog:
For anyone who uses LocalBitcoins, the safest course of action is to 1) enable 2FA and 2) logout after every session. Logging out will close the user session, and with no active sessions you are not susceptible to a session hijack attempt.
Quote
From the given information, the theft depended on 1) session hijacking and 2) compromised 2FA. Although this is certainly indicative of a compromised user device, LocalBitcoins needs to take more aggressive action to inhibit session hijacking.
Even with 2FA enabled, requests which originate from a user with a different IP address and browser than that which was recorded at the initiation of a session should be responded to by immediately destroying that session and asking the user to reauthenticate. In this particular case, the withdrawal request was associated with an IP address and user agent header which were distinguishably different from that which was recorded at the start of the session. As a result, the request should have been flagged as suspicious and denied.
Of course, such policies may not have been able to prevent the theft in this particular case. If the attacker was able to gain not merely read-only permissions but also execution permissions on the user's device, then the attacker could have sent the request directly from the user's device using the existing session, and the request would not appear suspicious to the server. If the attacker was able to access both the user's password and 2FA code, then the attacker could simply establish a new session from anywhere and subsequently send the withdrawal request.
Nonetheless, it is alarming to find that the security of session management at LocalBitcoins is certainly lacking. Taking a more proactive approach to session security would help to inhibit attacks and bolster trust in the LocalBitcoins platform. A good technical overview of the topic can be found here: https://wblinks.com/notes/secure-session-management-tips/
Even with 2FA enabled, requests which originate from a user with a different IP address and browser than that which was recorded at the initiation of a session should be responded to by immediately destroying that session and asking the user to reauthenticate. In this particular case, the withdrawal request was associated with an IP address and user agent header which were distinguishably different from that which was recorded at the start of the session. As a result, the request should have been flagged as suspicious and denied.
Of course, such policies may not have been able to prevent the theft in this particular case. If the attacker was able to gain not merely read-only permissions but also execution permissions on the user's device, then the attacker could have sent the request directly from the user's device using the existing session, and the request would not appear suspicious to the server. If the attacker was able to access both the user's password and 2FA code, then the attacker could simply establish a new session from anywhere and subsequently send the withdrawal request.
Nonetheless, it is alarming to find that the security of session management at LocalBitcoins is certainly lacking. Taking a more proactive approach to session security would help to inhibit attacks and bolster trust in the LocalBitcoins platform. A good technical overview of the topic can be found here: https://wblinks.com/notes/secure-session-management-tips/
For anyone who uses LocalBitcoins, the safest course of action is to 1) enable 2FA and 2) logout after every session. Logging out will close the user session, and with no active sessions you are not susceptible to a session hijack attempt.
most likely insider job.
too many times i see bitcoin services put their hotwallets on remote servers. what makes it worse is they put it on remote servers which accepts bitcoin. this is a bit glowing neon sign that say the hosting provider knows all about bitcoin and has full access to the source code. so no matter how much security the service provider or customers use to prevent outside intrusion. there is nothing to stop insiders..
history has shown that the majority of hacks were actually inside jobs.. will bitcoin service providers ever learn. will service users ever learn
do not store large amounts for long term periods on third party services.
too many times i see bitcoin services put their hotwallets on remote servers. what makes it worse is they put it on remote servers which accepts bitcoin. this is a bit glowing neon sign that say the hosting provider knows all about bitcoin and has full access to the source code. so no matter how much security the service provider or customers use to prevent outside intrusion. there is nothing to stop insiders..
history has shown that the majority of hacks were actually inside jobs.. will bitcoin service providers ever learn. will service users ever learn
do not store large amounts for long term periods on third party services.
LocalBitcoins Team response:
This case is also very unlikely to be an inside job. LocalBitcoins logs all the actions done by its support staff and developers to an audit log, so potential abuse of staff privileges is easily uncovered. Two-factor authentication codes and passwords are not accessible by the support staff. Furthermore, it would not be very rational for an insider to attack against one particular user and his/her wallet only if the insider would have access to all wallets.
now withdrawals are working in lbc ?
Cheers Pandit, how long did it take you?
lol Mybad - Yeah, so some users report that withdrawals are being processed. 45 minutes for full Confirmations.
Localbitcoins Team recently posted this: http://localbitcoins.blogspot.fi/2014/04/investigation-report-of-claimed.html
I'm still waiting for another announcement saying "all is good/secure"
If you are going to try just make sure you have 2FA and run a virus scan first.
now withdrawals are working in lbc ?
Cheers Pandit, how long did it take you?
Jump to: