Topic: MtGox account compromised - page 5. (Read 110455 times)

legendary
Activity: 1540
Merit: 1002
February 01, 2011, 06:40:56 PM
#98
Somewhat off-topic, but regarding this from a few pages earlier:

Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

The faucet is now empty. 

I see 200BTC there, and when I read your previous message it was 208BTC (give or take). One of us is looking at the wrong place.
sr. member
Activity: 373
Merit: 250
February 01, 2011, 06:34:46 PM
#97
Somewhat off-topic, but regarding this from a few pages earlier:

Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

The faucet is now empty. 
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
February 01, 2011, 06:32:09 PM
#96
What we're going to do? Call the police?

You can't be serious...

The result would probably be that if the police ever did investigate, they would report you to the IRS for tax fraud or something like that.
legendary
Activity: 1540
Merit: 1002
February 01, 2011, 06:09:45 PM
#95
I guess common sense comes into play here. I for one fully trust Jed, so if he told me someone used my account by trying out 3 different passwords I'd pretty much accept full responsibility. But that is not the case here, there was a dictionary attack so either the site doesn't allow weak passwords or it has to have measures to prevent these attacks. Or it is the site owner's responsibility.

It's not the site owner's responsibility. I don't want to blame the victim either (only the criminals are to blame), but MtGox doesn't have any obligation whatsoever of refunding him. Unless they had explicitly sold such guarantees, they don't have any obligation in keeping our funds protected at all. It's our choice to trust or not in their capacity to do so.

It is still the site owner's responsibility. I'm not saying there's an obligation of refunding any losses, that's where the contracts, insurances and premiums come in, but rather that only the site owner could have prevented this, and I'm sure in this case Jed has already closed this particular hole.

If there's any obligation, legal, moral or otherwise, I'm in no position to say. Having happened to me, I would ask for a refund but not require one, as you put it, and very well, I'm the one that trusted the site in the first place. I would go so far as to say Jed should have an opt-in system that would raise the fee per transaction for those who chose to allow it, and the extra fees would go to a fund to cover just these situations, but then it would become very hard to separate real cases from scams, and I don't think Jed wants to become a lawyer (assuming he's not one already).
legendary
Activity: 2100
Merit: 1000
February 01, 2011, 06:07:40 PM
#94
It would be good to get the exchanges to a level of other exchanges / bank accounts where you can trade.

On most of the accounts, you get transaction numbers as one time codes for each transaction, on top of your normal username and password verification.

Establishing those transaction numbers on bitcoin exchanges would make it much much more secure.
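The per-transaction code idea above, worked through as an added example (not MtGox's code and not from anyone in this thread). Everything about the flow is an assumption: a 32-byte secret shared out of band between the exchange and the user's device (an authenticator app, a printed code sheet, a hardware token), a hypothetical two-step withdrawal in which the server issues a challenge index, the device shows amount and destination and computes a code over them, and the server verifies the code against exactly the pending withdrawal it issued. The point is that a password guessed by dictionary attack gets the attacker a login but not a withdrawal: the code is bound to the index, amount and destination, is accepted once, and a few wrong guesses void the request.

```python
"""Per-transaction one-time codes bound to the withdrawal they authorise.

Added example for the "transaction numbers as one-time codes" idea; not code
from MtGox or anyone in the thread. The shared secret, the two-step withdraw
flow and the three-guess limit are all assumptions for illustration.
"""
import hashlib
import hmac
import struct

CODE_DIGITS = 6
MAX_CODE_ATTEMPTS = 3          # wrong codes allowed before the request is voided


def transaction_code(secret: bytes, index: int, amount_satoshi: int, dest: str) -> str:
    """HOTP-style dynamic truncation (RFC 4226, section 5.3) of an
    HMAC-SHA256 over (index, amount, destination). Changing any of the three
    yields an unrelated code, so the code cannot be redirected or replayed."""
    msg = struct.pack(">QQ", index, amount_satoshi) + dest.encode("ascii")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class UserDevice:
    """The user's side: holds the shared secret, never talks to the database."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def sign(self, index: int, amount_satoshi: int, dest: str) -> str:
        # A real device displays amount and destination so the owner can refuse
        # a withdrawal they did not request before any code is produced.
        return transaction_code(self._secret, index, amount_satoshi, dest)


class ExchangeAccount:
    """The exchange's side: a password only gets an attacker this far."""

    def __init__(self, secret: bytes, balance_satoshi: int) -> None:
        self._secret = secret
        self.balance = balance_satoshi
        self._next_index = 1
        self._pending: dict[int, tuple[int, str, int]] = {}   # index -> (amount, dest, bad tries)

    def request_withdrawal(self, amount_satoshi: int, dest: str) -> int:
        """Step 1: record what is to be authorised and hand back the challenge index."""
        index = self._next_index
        self._next_index += 1
        self._pending[index] = (amount_satoshi, dest, 0)
        return index

    def confirm_withdrawal(self, index: int, code: str) -> bool:
        """Step 2: accept the code only for the exact pending request, once."""
        pending = self._pending.get(index)
        if pending is None:                          # unknown, consumed, or voided
            return False
        amount, dest, tries = pending
        expected = transaction_code(self._secret, index, amount, dest)
        if not hmac.compare_digest(expected, code):
            tries += 1
            if tries >= MAX_CODE_ATTEMPTS:           # six digits must not be brute-forced
                del self._pending[index]
            else:
                self._pending[index] = (amount, dest, tries)
            return False
        if amount > self.balance:
            return False
        del self._pending[index]                     # one use only
        self.balance -= amount
        return True


def demo() -> dict:
    """Constructed scenario: the owner holds the device, the attacker only the password."""
    secret = bytes(range(32))                        # constructed; use os.urandom(32) for real
    device = UserDevice(secret)
    acct = ExchangeAccount(secret, balance_satoshi=500_000_000)       # 5 BTC
    own = "1OwnerAddressConstructed"
    idx = acct.request_withdrawal(100_000_000, own)
    ok = acct.confirm_withdrawal(idx, device.sign(idx, 100_000_000, own))
    replay = acct.confirm_withdrawal(idx, device.sign(idx, 100_000_000, own))
    # Attacker, logged in with the guessed password, requests the rest to their address
    idx2 = acct.request_withdrawal(400_000_000, "1AttackerAddressConstructed")
    guesses = [acct.confirm_withdrawal(idx2, g) for g in ("000000", "123456", "999999")]
    # Even the right code is useless now: the request was voided after three misses
    voided = acct.confirm_withdrawal(idx2, device.sign(idx2, 400_000_000, "1AttackerAddressConstructed"))
    return {"ok": ok, "replay": replay, "guesses": guesses, "voided": voided, "balance": acct.balance}


if __name__ == "__main__":
    print(demo())
```

The binding of the code to amount and destination is what separates this from a plain login PIN: a code the owner computes for their own withdrawal cannot be reused by someone who has the password to send the coins elsewhere. The device must show the details it is signing, or the binding protects nothing.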
hero member
Activity: 490
Merit: 511
My avatar pic says it all
February 01, 2011, 06:02:04 PM
#93
What we're going to do? Call the police?

You can't be serious...
legendary
Activity: 1106
Merit: 1004
February 01, 2011, 05:55:43 PM
#92
I guess common sense comes into play here. I for one fully trust Jed, so if he told me someone used my account by trying out 3 different passwords I'd pretty much accept full responsibility. But that is not the case here, there was a dictionary attack so either the site doesn't allow weak passwords or it has to have measures to prevent these attacks. Or it is the site owner's responsibility.

It's not the site owner's responsibility. I don't want to blame the victim either (only the criminals are to blame), but MtGox doesn't have any obligation whatsoever of refunding him. Unless they had explicitly sold such guarantees, they don't have any obligation in keeping our funds protected at all. It's our choice to trust or not in their capacity to do so.

They should have, of course, interest in protecting their site and maybe even refunding our friend here. But that opens dangerous precedents for them as somebody else has already noticed... this case seems true, but who knows about the next that might come...

The whole problem with this is that the bitcoin world is still too small to have professional insurances behind everything. Normally insurance companies would refund such losses, and these same insurances audit the platform for security flaws etc.
legendary
Activity: 1540
Merit: 1002
February 01, 2011, 05:40:23 PM
#91
If the story is as it was told on the forum, I'm sure Jed will come around. It does sound like you were not to blame in any way for what happened, an 8-char numbers-and-symbols password might not be a 'strong password' but it is still much better than most other passwords there, I bet. It was certainly better than the one I had (and have now changed to something more realistic).
newbie
Activity: 28
Merit: 0
February 01, 2011, 05:38:54 PM
#90
I trust Jed too, I don't think anyone in the bitcoin community is out to get anyone. We all want what's best for bitcoin. If this tightens up security at mtgox and makes bitcoin stronger and we all learned a lesson then I guess that's good for bitcoin. Just sucks to be the one taking it on the chin for it.
newbie
Activity: 28
Merit: 0
February 01, 2011, 05:33:54 PM
#89
I hear ya. I'm not pointing the finger at mtgox and demanding they accept all responsibility. The reality is a bug was found in a system that we all want to trust. Bugs get discovered and bugs get patched. It could have been a lot worse. Suppose they gained control of more than just my bitcoins and began to manipulate the market. Bitcoin as a whole is very experimental at this point. The anonymous nature of it leaves little accountability to anyone other than ourselves. At this point and up to this point it doesn't look like MTGOX wants to take any responsibility. That's cool, just a year and a half of generating down the tubes.
legendary
Activity: 1540
Merit: 1002
February 01, 2011, 05:27:54 PM
#88
cyrpto - because the site accepted it doesn't mean a lot.

There has to be some user responsibility in all of these cases. Not sure what the % is in this case, just saying.

My password could be 'pWf32fWSf@35%@#4f@#4', perfectly secure, but if I use that same password on a Russian PS3 hacking forum, is it mtgox's fault your account later gets taken from Russia? Sure, you may say it was unique to mtgox, but how does he know? Just playing a little devil's advocate, that's all.

I guess common sense comes into play here. I for one fully trust Jed, so if he told me someone used my account by trying out 3 different passwords I'd pretty much accept full responsibility. But that is not the case here, there was a dictionary attack so either the site doesn't allow weak passwords or it has to have measures to prevent these attacks. Or it is the site owner's responsibility.
Of course we are all grown ups and I'm glad to see that the parties here are talking to each other trying to find a solution.
sr. member
Activity: 334
Merit: 250
February 01, 2011, 05:18:55 PM
#87
cyrpto - because the site accepted it doesn't mean a lot.

There has to be some user responsibility in all of these cases. Not sure what the % is in this case, just saying.

My password could be 'pWf32fWSf@35%@#4f@#4', perfectly secure, but if I use that same password on a Russian PS3 hacking forum, is it mtgox's fault your account later gets taken from Russia? Sure, you may say it was unique to mtgox, but how does he know? Just playing a little devil's advocate, that's all.
newbie
Activity: 28
Merit: 0
February 01, 2011, 05:14:35 PM
#86
I'm with you Vladimir, that's what I was trying to get across in my email to him. Still haven't heard back.

cusipzz - I hear what you are saying, but that was not the case here. There was a clear vulnerability at mtgox and my password wasn't "password". It was a combination of 8 letters and numbers. Not a dolphin's butt I know, but mtgox stated that there was a hole that he fixed. And I have to pay the price. The site also accepted it as a valid password.
LZ
legendary
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 01, 2011, 05:13:28 PM
#85
I think it should be safer: using login attempts limit, binding to a range of IP, requesting PIN, using OpenID, etc.

Did everyone who has the "united" transaction have a MtGox account name that is also a Forum username?
Yes, I have the same account name.
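The "login attempts limit" suggestion in the post above, worked through as an added example (not MtGox's code; the whole design is an assumption made for illustration): passwords stored as salted PBKDF2-HMAC-SHA256, a failure counter kept both per account name and per source IP, a fixed lockout once the counter hits the limit, a dummy hash for unknown names so a harvested forum username list cannot be confirmed by timing, and a caller-supplied clock so the dictionary run below is deterministic and runs offline. The constructed scenario is the one discussed in the thread: a short word list tried from one address against one account.

```python
"""Login throttling against a dictionary attack on one account.

Added example, not MtGox's code. Every parameter and the two-throttle design
(per account and per source IP) are assumptions; the credentials, word list and
addresses in demo() are constructed (TEST-NET ranges, RFC 5737).
"""
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000        # assumption: raise until one hash costs ~100 ms on the server
MAX_FAILURES = 5               # failures inside one window before the key is locked
WINDOW_SECONDS = 600
LOCK_SECONDS = 900


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, deliberately slow hash: a leaked table still costs per guess."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Throttle:
    """Failure counter with lockout, keyed by whatever the caller passes."""

    def __init__(self) -> None:
        self._failures: dict[str, tuple[int, float]] = {}   # key -> (count, window start)
        self._locked_until: dict[str, float] = {}

    def is_locked(self, key: str, now: float) -> bool:
        return now < self._locked_until.get(key, 0.0)

    def failure(self, key: str, now: float) -> None:
        count, start = self._failures.get(key, (0, now))
        if now - start > WINDOW_SECONDS:                     # stale window: start over
            count, start = 0, now
        count += 1
        if count >= MAX_FAILURES:
            self._locked_until[key] = now + LOCK_SECONDS
            self._failures.pop(key, None)
        else:
            self._failures[key] = (count, start)

    def success(self, key: str) -> None:
        self._failures.pop(key, None)


class LoginService:
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}
        self._by_account = Throttle()     # stops many IPs grinding one account
        self._by_ip = Throttle()          # stops one IP grinding many accounts
        self._dummy = hash_password("dummy")   # unknown names cost the same time as real ones

    def register(self, name: str, password: str) -> None:
        self._users[name] = hash_password(password)

    def login(self, name: str, password: str, ip: str, now: float) -> str:
        """Returns 'ok', 'bad' or 'locked'. A locked key is refused before the
        password is checked, so a correct guess during the lock learns nothing."""
        if self._by_account.is_locked(name, now) or self._by_ip.is_locked(ip, now):
            return "locked"
        salt, stored = self._users.get(name, self._dummy)
        _, candidate = hash_password(password, salt)
        if name in self._users and hmac.compare_digest(stored, candidate):
            self._by_account.success(name)
            return "ok"
        self._by_account.failure(name, now)
        self._by_ip.failure(ip, now)
        return "bad"


def demo() -> dict:
    """Constructed scenario: a six-word list from one address against one
    account, then the real owner logging in from elsewhere during and after the lock."""
    svc = LoginService()
    svc.register("victim", "dolphin7")                    # constructed credentials
    wordlist = ["password", "123456", "letmein", "bitcoin1", "qwerty12", "dolphin7"]
    attacker_ip = "203.0.113.7"                           # constructed (TEST-NET-3)
    attack = [svc.login("victim", w, attacker_ip, now=float(i)) for i, w in enumerate(wordlist)]
    during_lock = svc.login("victim", "dolphin7", "198.51.100.2", now=30.0)
    after_lock = svc.login("victim", "dolphin7", "198.51.100.2", now=30.0 + LOCK_SECONDS)
    return {"attack": attack, "during_lock": during_lock, "after_lock": after_lock}


if __name__ == "__main__":
    print(demo())
```

The sixth word is the right one, and it is refused: the account locked on the fifth failure. The trade-off shows in the next result: the owner is also locked out for the duration, which is exactly the lever a hostile party would pull to keep someone away from their own account, so real deployments pair the account lock with per-IP limits, a CAPTCHA or a notification rather than relying on the account lock alone.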
sr. member
Activity: 334
Merit: 250
February 01, 2011, 05:05:17 PM
#84
sure that sounds nice and all....but what happens when:

1. create mtgox account
2. load up with BTCs
3. give Russian friend credentials and have them spam other failed attempts first to make it look legit
4. create forum pressure for mtgox to reimburse
5. profit !

While I agree there is some site responsibility, no way he should cover some guy with a password of 'password'
LZ
legendary
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 01, 2011, 04:47:44 PM
#83
I do not know what you guys will do, but I just withdrew all my funds to my bitcoin wallet and to my LR account.

Mt.Gox does not seem reliable to me now.
hero member
Activity: 527
Merit: 500
February 01, 2011, 04:31:03 PM
#82
Mine has absolutely no relation to my forum nick and I have that weird entry, too.
donator
Activity: 826
Merit: 1060
February 01, 2011, 04:27:14 PM
#81
Almost everyone had transactions from "united" ... It does mean that the attacker has your username
A question for people here: Did everyone who has the "united" transaction have a MtGox account name that is also a Forum username? Because it's easy enough to get a list of Forum names.

I have the "united" transaction, and my MtGox account name also happens to be a Forum username (although it's not 'ribuck').

I plugged the vulnerability that allowed them to run the attack so your weak passwords will be safe again.
Weak passwords are never safe. Mine is 71% according to the Password Meter, and I'll be improving it.
member
Activity: 67
Merit: 10
Stop trying to steal my account, thanks.
February 01, 2011, 04:13:00 PM
#80
I don't know, but they're in St. Petersburg Russia.  I'm boycotting Vodka!!

Yep, that IP address is shared by some Russian websites.
http://bgp.he.net/net/77.222.40.0/22
spaceweb.ru, Russian web space provider.
newbie
Activity: 28
Merit: 0
February 01, 2011, 04:10:23 PM
#79
I don't know, but they're in St. Petersburg Russia.  I'm boycotting Vodka!!