
Topic: Money was stolen out of my localbitcoins account (Read 2456 times)

legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
September 08, 2014, 11:12:40 PM
#37
install firewall, antivirus and antimalware. update all. scan.

deinstall all shitty mining progs or free bitcoin generators.

I would go out on a limb and say that at least 80% of people that have installed a bitcoin generator have probably had their BTC stolen shortly after.
sr. member
Activity: 420
Merit: 250
In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.

No they could not.

First, they could not disable encryption on your phone.  They would require root access to do that.

Second, even if they did that they could not "intercept" your 2FA code.  That 2FA code is not generated from a server somewhere to be intercepted, it is generated by your phone using a time based code.

Neil
From this thread.
Quote
Rather than offering you cellphone service, the towers appear to be connecting to nearby phones, bypassing their encryption, and either tapping calls or reading texts
If the tower does not accept encryption then encryption will not be used. This is similar to doing trades in the marketplace, if the seller does not accept escrow, then escrow will not be used, in the marketplace the buyer can simply decline the transaction, however cell phones are set up so that they will connect to the closest tower/tower with the strongest signal.

If the 2FA code was sent via text message, then the tower could read the unencrypted text message and not relay the message to the cell phone.


No, no, no, no.  All misinformation.

The cell phone tower has absolutely nothing to do with your phone and it talking to an encrypted service, they cannot turn it off, it is all FUD!!

The 2FA code is not sent via sms (I know a few services do that, but this one, like most does not) and it cannot be intercepted.

Neil
I believe that LBC does use SMS to send their 2FA code to user's phones. I think a lot of other sites will send 2FA codes the same way. This prevents the site from locking you out if you lose and replace your phone with the same phone number.
legendary
Activity: 812
Merit: 1002
LBC told me there was nothing they can do.. I'm almost 99.9 percent sure I didn't click a phishing link.. Says my account was failed login 22 times yesterday... If he had my password then there wouldn't be 20 failed login across the US something isn't adding up.. Don't wanna bash LBC.. but someone is hacking their shit and they will never admit it.. And I'm out 435 bucks :/

I didn't expect LBC to do anything about this. It's 100% user fault. Imagine if every time you lost your coins and they had to reimburse you; this opens a lot of opportunity for abuse.

It only took 20 tries to log in? That's some weaksauce password. It's more likely that the thief already had your PW and tried variations to hit the correct one.
legendary
Activity: 896
Merit: 1000
In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.

No they could not.

First, they could not disable encryption on your phone.  They would require root access to do that.

Second, even if they did that they could not "intercept" your 2FA code.  That 2FA code is not generated from a server somewhere to be intercepted, it is generated by your phone using a time based code.

Neil
From this thread.
Quote
Rather than offering you cellphone service, the towers appear to be connecting to nearby phones, bypassing their encryption, and either tapping calls or reading texts
If the tower does not accept encryption then encryption will not be used. This is similar to doing trades in the marketplace, if the seller does not accept escrow, then escrow will not be used, in the marketplace the buyer can simply decline the transaction, however cell phones are set up so that they will connect to the closest tower/tower with the strongest signal.

If the 2FA code was sent via text message, then the tower could read the unencrypted text message and not relay the message to the cell phone.


No, no, no, no.  All misinformation.

The cell phone tower has absolutely nothing to do with your phone and it talking to an encrypted service, they cannot turn it off, it is all FUD!!

The 2FA code is not sent via sms (I know a few services do that, but this one, like most does not) and it cannot be intercepted.

Neil
sr. member
Activity: 420
Merit: 250
In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.

No they could not.

First, they could not disable encryption on your phone.  They would require root access to do that.

Second, even if they did that they could not "intercept" your 2FA code.  That 2FA code is not generated from a server somewhere to be intercepted, it is generated by your phone using a time based code.

Neil
From this thread.
Quote
Rather than offering you cellphone service, the towers appear to be connecting to nearby phones, bypassing their encryption, and either tapping calls or reading texts
If the tower does not accept encryption then encryption will not be used. This is similar to doing trades in the marketplace, if the seller does not accept escrow, then escrow will not be used, in the marketplace the buyer can simply decline the transaction, however cell phones are set up so that they will connect to the closest tower/tower with the strongest signal.

If the 2FA code was sent via text message, then the tower could read the unencrypted text message and not relay the message to the cell phone.
sr. member
Activity: 309
Merit: 250

And when you contacted LBC customer support, they said.... Huh?



Ya.   Should have been done before creating this thread.   Probably wasn't.

-B-


LBC told me there was nothing they can do.. I'm almost 99.9 percent sure I didn't click a phishing link.. Says my account was failed login 22 times yesterday... If he had my password then there wouldn't be 20 failed login across the US something isn't adding up.. Don't wanna bash LBC.. but someone is hacking their shit and they will never admit it.. And I'm out 435 bucks :/
legendary
Activity: 896
Merit: 1000
In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.

No they could not.

First, they could not disable encryption on your phone.  They would require root access to do that.

Second, even if they did that they could not "intercept" your 2FA code.  That 2FA code is not generated from a server somewhere to be intercepted, it is generated by your phone using a time based code.

Neil
sr. member
Activity: 308
Merit: 250
you need 2fa to log in and withdraw coins but not to release from escrow. that is the prerogative of the seller/buyer.

Yes, you do need 2FA to release from escrow. At least on my account you need that. I just checked and there was no option to choose when 2FA will be used.
In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.
hero member
Activity: 924
Merit: 1001

And when you contacted LBC customer support, they said.... Huh?



Ya.   Should have been done before creating this thread.   Probably wasn't.

-B-
legendary
Activity: 896
Merit: 1000
What if your phone gets stolen? If you have a weak password then the person who has your phone would essentially be able to access any of your accounts.

What if you lose your phone? You would essentially be locked out of your accounts unless there was some way to disable it without knowing the 2FA code.

Both valid points and reasons why there is still a password in the mix, neither of them are a good reason not to use 2FA though.

If you did a very unscientific search on this board querying posts about people who have had their account hacked* I imagine you will find none of them had 2FA enabled, it is that good at protecting your goodies.

* I hate using hacked in this context, I am old enough to still think of it in its original context before any Angelina Jolie feel good pubescent teen movie.
hero member
Activity: 588
Merit: 500
What if you lose your phone? You would essentially be locked out of your accounts unless there was some way to disable it without knowing the 2FA code.

Take a print screen of the QR-code as a backup when enabling 2FA. Then you can use this to configure your new phone.
Wouldn't this essentially make this screen print/picture essentially as good as your password? If someone were to get a hold of this screen print they could essentially configure their own phone to be a 2FA device on the account. 
legendary
Activity: 1193
Merit: 1003
9.9.2012: I predict that single digits... <- FAIL
What if you lose your phone? You would essentially be locked out of your accounts unless there was some way to disable it without knowing the 2FA code.

Take a print screen of the QR-code as a backup when enabling 2FA. Then you can use this to configure your new phone.
hero member
Activity: 868
Merit: 1001
https://keybase.io/masterp FREE Escrow Service
You might have clicked on a phishing link a while back and the scammer just waits dormant until you have a large transaction. Why didn't you activate 2FA? It would prevent this kind of stuff. You can even give out your user name and PW, but no one will be able to withdraw unless they have your personal device.
2FA does not work quite that well (at least not all the time). There are always potential ways around 2FA on websites. I would consider it to be reckless if someone is careless about their password simply because 2FA is enabled. 2FA should only be an additional security method, not the only security measure.

Two Factor Authentication (2FA) is the best thing since sliced bread.  It almost makes choosing a password trivial, the additional security that you gain almost makes passwords obsolete.

Neil

What if your phone gets stolen? If you have a weak password then the person who has your phone would essentially be able to access any of your accounts.

What if you lose your phone? You would essentially be locked out of your accounts unless there was some way to disable it without knowing the 2FA code.
full member
Activity: 630
Merit: 103
Seems like he scammed too many people lol
legendary
Activity: 812
Merit: 1002
you need 2fa to log in and withdraw coins but not to release from escrow. that is the prerogative of the seller/buyer.

Yes, you do need 2FA to release from escrow. At least on my account you need that. I just checked and there was no option to choose when 2FA will be used.
reg
sr. member
Activity: 463
Merit: 250
You might have clicked on a phishing link a while back and the scammer just waits dormant until you have a large transaction. Why didn't you activate 2FA? It would prevent this kind of stuff. You can even give out your user name and PW, but no one will be able to withdraw unless they have your personal device.
2FA does not work quite that well (at least not all the time). There are always potential ways around 2FA on websites. I would consider it to be reckless if someone is careless about their password simply because 2FA is enabled. 2FA should only be an additional security method, not the only security measure.

Yes but I don't think this applies to LBC, which is the case with OP. You need 2FA to log in, withdraw coins, or release coins from escrow. Basically anything that involves movement of coins needs 2FA. To disable the 2FA, you'd have to have access to it in the first place.

you need 2fa to log in and withdraw coins but not to release from escrow. that is the prerogative of the seller/buyer.
legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
it is very possible that your bitcoins were stolen because you logged into a fake localbitcoins site by accident and the site recorded your name and password.

The scammers pay for an ad on google and when people type "localbitcoins" into google, the fake site is listed first because it is a paid ad. People click on the ad and log in because it looks just like the real site.


I have heard of this happening more and more, and this is terrible.   It is especially bad because for BTC to be adopted mainstream, we want more and more new people using BTC daily.   I think it should be stickied somewhere on this forum, how to report phishing sites, and we all should be more pro-active in helping try to stop it...
sr. member
Activity: 318
Merit: 251

And when you contacted LBC customer support, they said.... Huh?

legendary
Activity: 896
Merit: 1000
You might have clicked on a phishing link a while back and the scammer just waits dormant until you have a large transaction. Why didn't you activate 2FA? It would prevent this kind of stuff. You can even give out your user name and PW, but no one will be able to withdraw unless they have your personal device.
2FA does not work quite that well (at least not all the time). There are always potential ways around 2FA on websites. I would consider it to be reckless if someone is careless about their password simply because 2FA is enabled. 2FA should only be an additional security method, not the only security measure.

Two Factor Authentication (2FA) is the best thing since sliced bread.  It almost makes choosing a password trivial, the additional security that you gain almost makes passwords obsolete.

Neil
legendary
Activity: 812
Merit: 1002
You might have clicked on a phishing link a while back and the scammer just waits dormant until you have a large transaction. Why didn't you activate 2FA? It would prevent this kind of stuff. You can even give out your user name and PW, but no one will be able to withdraw unless they have your personal device.
2FA does not work quite that well (at least not all the time). There are always potential ways around 2FA on websites. I would consider it to be reckless if someone is careless about their password simply because 2FA is enabled. 2FA should only be an additional security method, not the only security measure.

Yes but I don't think this applies to LBC, which is the case with OP. You need 2FA to log in, withdraw coins, or release coins from escrow. Basically anything that involves movement of coins needs 2FA. To disable the 2FA, you'd have to have access to it in the first place.