Topic: MtGox account compromised (Read 110460 times)

legendary
Activity: 2100
Merit: 1000
June 21, 2011, 11:58:25 AM
mea culpa.
full member
Activity: 196
Merit: 101
June 21, 2011, 11:54:37 AM
The same thing happened to me too. I logged into my account today and found I had lost $42.9 from my account, and I have no idea about the latest two trades in my trade history. I mean, even if my account is weak, the hacker shouldn't know my username. Someone in the office must be leaking users' information.


How can you log into your MtGox account? I thought it was still closed?

HIS POST IS FROM JUNE 10.

you fail.
legendary
Activity: 2100
Merit: 1000
June 21, 2011, 11:52:45 AM
The same thing happened to me too. I logged into my account today and found I had lost $42.9 from my account, and I have no idea about the latest two trades in my trade history. I mean, even if my account is weak, the hacker shouldn't know my username. Someone in the office must be leaking users' information.


How can you log into your MtGox account? I thought it was still closed?
legendary
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
June 19, 2011, 10:40:50 PM
This mtgox biz and many other things which we are witnessing with bitcoin will be in history books.

History books?  Hell, I feel like I've been living inside a Bruce Sterling sci-fi novel for the last month.

Today topped them all, as an especially Islands-In-The-Net kind of day.  Damn those data pirates!

/wants razorgirl bodyguard
sr. member
Activity: 365
Merit: 250
June 19, 2011, 10:28:25 PM
This mtgox biz and many other things which we are witnessing with bitcoin will be in history books.

So true.
hero member
Activity: 540
Merit: 500
The future begins today
June 19, 2011, 10:27:04 PM
well... my mtgox password was ªç!¼:Üý\†€BZ*Š”TbŠòê  unique for this site, moreover I never sent them a single penny, bit or fiat.

Learn from the pros, kids.

I am still pissed off by finding my email in that damn list.

This mtgox biz and many other things which we are witnessing with bitcoin will be in history books.

Same here, getting some really fucked up spam now.
hero member
Activity: 812
Merit: 1001
-
June 19, 2011, 10:24:09 PM
well... my mtgox password was ªç!¼:Üý\†€BZ*Š”TbŠòê  unique for this site, moreover I never sent them a single penny, bit or fiat.

Learn from the pros, kids.

I am still pissed off by finding my email in that damn list.

This mtgox biz and many other things which we are witnessing with bitcoin will be in history books.

mrb
legendary
Activity: 1512
Merit: 1028
June 19, 2011, 09:26:44 PM
Not a really good comparison, since you'd have to have the hash of the password, and we could compile a rainbow table for almost anything. One way to defeat rainbow tables is salting the password hashes (you are salting your passwords, MtGox, aren't you?)

Now, we know that 1765 of the MtGox password hashes leaked today were not salted. :-(
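To make the salting point above concrete, here is an added example (not code from the thread or from MtGox) with a constructed set of accounts and a constructed wordlist: unsalted SHA-256 lets a single precomputed table resolve every account in one lookup each, and two users with the same password are visibly identical, while per-user salted PBKDF2 hashes share nothing and cannot be looked up at all.

```python
import hashlib
import os
import secrets

# Constructed sample accounts (not real MtGox data); alice and carol share a password.
USERS = {"alice": "password1", "bob": "letmein", "carol": "password1"}

# Constructed stand-in for the wordlist behind a precomputed table.
WORDLIST = ["123456", "password1", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Same input, same output, for every
    account, so one precomputed table answers all accounts at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt. The salt makes
    precomputed tables useless; the iteration count slows each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext over the wordlist (the rainbow-table idea)."""
    return {unsalted_hash(w): w for w in words}


def resolve_unsalted(stored: dict, table: dict) -> dict:
    """Each unsalted stored hash costs one dictionary lookup to resolve."""
    return {user: table[h] for user, h in stored.items() if h in table}


def store_salted(users: dict) -> dict:
    """Return user -> (salt, hash). Equal passwords yield unequal hashes."""
    out = {}
    for user, password in users.items():
        salt = os.urandom(16)
        out[user] = (salt, salted_hash(password, salt))
    return out


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(salted_hash(password, salt), stored_hex)
```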
member
Activity: 102
Merit: 10
June 10, 2011, 06:08:15 AM
The same thing happened to me too. I logged into my account today and found I had lost $42.9 from my account, and I have no idea about the latest two trades in my trade history. I mean, even if my account is weak, the hacker shouldn't know my username. Someone in the office must be leaking users' information.
sr. member
Activity: 294
Merit: 273
March 22, 2011, 04:28:37 PM
Tracing bitcoins is basically the same as tracing cash:  if you catch the original person spending the cash directly you have them, otherwise the bills will just show up at banks after having been passed through multiple organisations with no way to track them.  A smart enough criminal can keep from getting caught after a cash heist, and similarly a smart enough criminal can keep from getting caught after a bitcoin heist.  Fortunately, many criminals are stupid and get caught anyways through some small slip-up.  Gaining expertise in the entire system and how to catch those tiny slipups will give law enforcement the same edge with regards to bitcoin that they have with cash.  Some criminals will get away, and some will get caught; expertise on the part of law enforcement will increase the proportion caught.
member
Activity: 82
Merit: 10
March 22, 2011, 03:22:49 PM
So this all makes me wonder if there is a way to create a central database about fraudulent transactions, and associated addresses.

It's nearly impossible to mark certain Bitcoins as stolen or dirty because they can be so easily laundered.  For example, send the stolen coins to an account at MyBitcoin.com, withdraw the coins to a new Bitcoin address.  The withdrawn coins are completely clean and other MyBitcoin.com users end up with the "dirty" coins.

Though, realize if "bitcoincop" is a real "cop" then he may be thinking that is easy. Once you find one of those users, you question him, and when he tells you that he uses mybitcoin, then you go to mybitcoin and try to get them to release their records; after all, they should be able to make the connection with the account that they were deposited into.

That said, if mybitcoin can be convinced (or compelled) to help, then this should be a trivial step. Of course, since you can access them as a location hidden service, and they require no real information to sign up, it could easily be a dead end too.... and that is before we even consider other possibilities.... like coin tumbler (or similar). Unless the thief was the only person using it at the time, and not particularly clever about it, simply going from one service like mybitcoin or mtgox to another, through coin tumbler with multiple addresses well... I hope you get the picture.

Hell, I recall even seeing someone on Silk Road who was offering pre-laundered bitcoins for sale. They claim to do some sort of escrow, so it's not even like that person could cheat and send back the same coins (not that it would be hard to determine, but as a scam, I bet it would work most of the time) and wouldn't even know the buyer's real name.... though, I guess if you were sure that he did it, again, it's no better or worse than mybitcoin in terms of, you could at least ask him to help you pick the trail back up (assuming that he keeps records).

Though, how you convince anonymous people, running services intended to guard your anonymity, to voluntarily cooperate in compromising someone's anonymity, even in an indeterminate way like this, is an open question. I guess it's possible that accusations of thievery may sway them to help, but they may want you to prove it before they are willing to help.

After all, it's not like you can pull them into an interrogation room and get out the rubber hoses. That is, unless you can compromise their identities first.

vip
Activity: 447
Merit: 258
March 22, 2011, 01:25:53 PM
So this all makes me wonder if there is a way to create a central database about fraudulent transactions, and associated addresses.

It's nearly impossible to mark certain Bitcoins as stolen or dirty because they can be so easily laundered.  For example, send the stolen coins to an account at MyBitcoin.com, withdraw the coins to a new Bitcoin address.  The withdrawn coins are completely clean and other MyBitcoin.com users end up with the "dirty" coins.
newbie
Activity: 1
Merit: 0
March 21, 2011, 11:06:19 PM
So this all makes me wonder if there is a way to create a central database about fraudulent transactions, and associated addresses. Someone would make an entry into such a database and provide contact information or other community based details, perhaps sign them with a key that they use as a part of transactions on bitcoin-otc/IRC.  Then, when someone else who cares and receives a payment with these bitcoins from someone else, they can contact the original person to get details and perhaps deny the sender the goods/services they're trying to purchase with the stolen bitcoins.

Yes, it would take an outside database, and yes it would take a strong community with reputation and social trust, but it could be helpful.

One example of such a database for Laptops/computers is: http://www.stolencomputers.org/home.html

Access to a database for bitcoins would come as a plugin or add on for a user to install on their bitcoin server.

hero member
Activity: 588
Merit: 500
March 07, 2011, 12:19:23 PM
Ah, but all of the passwords I generate are stored on my encrypted drive, and the drive password is, well, longer than my screen. That one I remember completely.
member
Activity: 82
Merit: 10
March 07, 2011, 09:48:06 AM
I generate passwords with:

Code:
dd bs=32 count=1 if=/dev/random | sha256sum

I started using mnemonics for passwords years ago. Take some phrase from a song, movie, or anything you like.... then make a string out of it. Something like "I started using mnemonics years ago"

Can become a string like:
I
Reduces the time it takes before I can type them from memory, and makes it much easier to recall them later, sometimes even years later.
newbie
Activity: 42
Merit: 0
March 06, 2011, 07:28:34 PM
This thread was quite an interesting read. One thing that seems to have become unnoticed is Liberty Reserve's part in the stolen Bitcoins. I think that in the case of large transactions like the ones that happened in this thread there really needs to be an obligation to check whether the Bitcoins are stolen or not. MtGox took the right approach to trace how the funds were stolen and where they went. In fact I think that if Liberty Reserve was not so quick to trade the Bitcoins into cash then there would have been a larger chance to catch the thief with the Bitcoins.

I think in the end all avenues need to be checked and not simply the ones that deal with password security or server security. Simply sweeping this problem under the rug isn't going to solve anything and when problems like these do happen they need to be documented in their fullest. This is the second time I've read a thread where a lot of money was stolen and I can only imagine this problem escalating as Bitcoin becomes more known to the general people and especially to those that do not take security seriously.
hero member
Activity: 527
Merit: 500
March 06, 2011, 05:23:53 PM
I prefer pwgen -s 60 (less to type)
hero member
Activity: 588
Merit: 500
March 06, 2011, 04:39:25 PM
I generate passwords with:

Code:
dd bs=32 count=1 if=/dev/random | sha256sum
member
Activity: 82
Merit: 10
March 06, 2011, 02:32:21 AM
Firstly, a dictionary attack means that somebody has used a dictionary word for his password. Or maybe 2 dictionary words stuck together. Already with 3 stuck together it's really unlikely that it could be completed in any reasonable time. Consider an English dictionary of 3000 words (that's low; let's assume just common/simple words and the English language), you use 3 of them stuck together, suppose you even use all non-capital characters, no digits and no spaces; it still means the attacker has to brute-force 3000^3 = 27000000000 combinations. The attacker needs to try half of those combinations on average to crack the password.

Well, kinda. Firstly, stringing words together isn't the most common of things people do. Shit, even I use one-word dictionary passwords in some places. Common is a dictionary word, a word with numbers at the end, more likely than not all lower case.... some words are more common than others... in any case, there are optimizations that reduce the effective keyspace.

Also, hashes can have collisions. Technically, you don't need to guess THE password, just something that hashes to the same value (unlikely but, no way to rule out collisions). Then there is the number of accounts. Maybe instead of scanning one account for all possible good passwords, you just try lots of different accounts in the set of bad ones?

Remember, even in the HBGary hack, a security company, BOTH founder and CEO had 6 char, all lower case passwords with numbers at the end (or so the claim goes).

All that said, I am skeptical of dictionary attacks. More likely attacks, to my mind? Well, again back to the HBGary hack... same password on multiple accounts, anyone? I almost guarantee that you go to ANY forum on the net, including this one, post a link to a site you own, with some reason to register, and you will get a list of usernames and passwords that are probably valid on other sites.

Do it here, and the chances they work on mtgox.... well.... you get the picture.
full member
Activity: 126
Merit: 101
March 05, 2011, 10:29:09 PM
Generally a dictionary attack would be done with a pregenerated list of common passwords sorted by frequency of use.