Pages:
Author

Topic: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen (Read 8600 times)

legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
I think no updates means its a fake. Its really a threat if it is real.
newbie
Activity: 47
Merit: 0
sr. member
Activity: 350
Merit: 250
Seems like a fake ...
Can we have some proofs/logs?
legendary
Activity: 2097
Merit: 1070
Well it's officially a scam now:

Quote
BtcDrak
@btcdrak
            
@MagicalTux Yeah, funny Smiley ref the other case, was the Yubikey also off? He lists Google Auth and Yubikey. Peopl need to know for confidence - 17 Sep
   
Mark Karpeles
@MagicalTux
    
@btcdrak what I can say for sure right now is that the currently enabled otps were enabled after the withdrawals.

The OP shows both OTP and Yubikey enabled.

End of story for me.

Nope, based on EVERYTHING that both parties have asserted as FACT so far (i.e. not including any of their speculations), they could both be telling the truth if the attacker disabled, then re-enabled 2fa. Now if Karpeles were to clarify that 2fa was never enabled until after the hack, then one of them is no longer telling the truth, or is at least factually incorrect. Mark's careful language here, "currently enabled otps", suggests that there may have been previously enabled otps as well. He ought to clarify.

+1 clarification is needed here.
Han
newbie
Activity: 40
Merit: 0
Well it's officially a scam now:

Quote
BtcDrak
@btcdrak
            
@MagicalTux Yeah, funny Smiley ref the other case, was the Yubikey also off? He lists Google Auth and Yubikey. Peopl need to know for confidence - 17 Sep
   
Mark Karpeles
@MagicalTux
    
@btcdrak what I can say for sure right now is that the currently enabled otps were enabled after the withdrawals.

The OP shows both OTP and Yubikey enabled.

End of story for me.

Nope, based on EVERYTHING that both parties have asserted as FACT so far (i.e. not including any of their speculations), they could both be telling the truth if the attacker disabled, then re-enabled 2fa. Now if Karpeles were to clarify that 2fa was never enabled until after the hack, then one of them is no longer telling the truth, or is at least factually incorrect. Mark's careful language here, "currently enabled otps", suggests that there may have been previously enabled otps as well. He ought to clarify.
legendary
Activity: 1064
Merit: 1000
Well it's officially a scam now:

Quote
BtcDrak
@btcdrak
            
@MagicalTux Yeah, funny Smiley ref the other case, was the Yubikey also off? He lists Google Auth and Yubikey. Peopl need to know for confidence - 17 Sep
   
Mark Karpeles
@MagicalTux
    
@btcdrak what I can say for sure right now is that the currently enabled otps were enabled after the withdrawals.

The OP shows both OTP and Yubikey enabled.

End of story for me.
legendary
Activity: 2506
Merit: 1010
For now, I have filed a police report with my local pd in addition to contacting my attorney general.

The statement by MagicalTux of Mt. Gox was that 2FA was added after the withdrawal.  I'ld love to see your police report.
sr. member
Activity: 279
Merit: 250
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  
He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OPs claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  

Gox has my real info, they can verify if I'm associated to another exchange or not. You're right about the seeing evidence of more 2fa heists though since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local pd in addition to contacting my attorney general.

FACT:
Mt.Gox did not steal your coins.  They can literally print all the goxUSD, and trading BTC they want, and can be much more discreet, without leaving a paper trail. 

Read the thread man, this has been addressed many times. No one really thinks they stole it. We want to see if there is an issue with the 2FA implementation.
newbie
Activity: 7
Merit: 0
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  
He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OPs claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  

Gox has my real info, they can verify if I'm associated to another exchange or not. You're right about the seeing evidence of more 2fa heists though since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local pd in addition to contacting my attorney general.

FACT:
Mt.Gox did not steal your coins.  They can literally print all the goxUSD, and trading BTC they want, and can be much more discreet, without leaving a paper trail. 
Han
newbie
Activity: 40
Merit: 0
it's a unique code each time. and every code is only valid once

Unless 2FA has been implemented poorly. There have been cases where yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first gox 2fa breach I have heard of though (unless of course he is lying about having the 2fa setup).

You can always do a MITM, man-in-the-middle attack:
The trojan intercept the OTP, yubikey-code, sms-code, whatever, when it is used by the user. Then it either uses it to directly steal the funds, or, a bit more clever, to deactivate the yubikey. Then it redoes the action the user intended to do with the code, since then there is no yubikey needed any more.
Even addidional layers of security may not help once your computer is infiltrated. How about stealing that additional mail right out of the mailclient? How about faking the whole MtGox site and stealing/relaying/editing at will? That additional layer might even put the user in a false sense of security.

Only one thing really helps: Transactional dependend one-time-codes. I have that on my onlinebanking, for example. I create my wire transfer, this creates a unique "challenge", which is read (via flicker-code, think animated QR) by my tangenerator. This one displays the address and amount to transfer for verification, and creates a response-code. The device can't be hacked (reasonably), as it is very low-level and has no connection whatsoever except a flicker-sensor. If the data is manipulated on my computer at any point, either the display on the device will show it, or the generated response code will not match and will not work.
This is, until now, the only system I am aware of which is failsafe (as long as you watch the display).

This is slightly OT I guess.
Long story short:
MtGox, Yubikey, Google Authenticator, they all are pretty much useless once a dedicated software owns your computer.

Ente

Indeed, given what JRam and Karpeles have said so far, they can both be telling the truth if the attacker disabled 2fa, then re-enabled it afterwards.
hero member
Activity: 532
Merit: 500
do yubikeys punch in the same code each time, mine always looks very similar, what stopping a virus to just steal the yubikey code?

They look similar because the first 12 characters ARE the same every time - they identify the key.  The remainder, which is the sequence number + OTP plus check-sum is different each time.  If you're seeing them in a small input box which only displays the start of the key then it'll always look the same.
newbie
Activity: 31
Merit: 0
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  
He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OPs claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  

Gox has my real info, they can verify if I'm associated to another exchange or not. You're right about the seeing evidence of more 2fa heists though since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local pd in addition to contacting my attorney general.
legendary
Activity: 2126
Merit: 1001
it's a unique code each time. and every code is only valid once

Unless 2FA has been implemented poorly. There have been cases where yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first gox 2fa breach I have heard of though (unless of course he is lying about having the 2fa setup).

You can always do a MITM, man-in-the-middle attack:
The trojan intercept the OTP, yubikey-code, sms-code, whatever, when it is used by the user. Then it either uses it to directly steal the funds, or, a bit more clever, to deactivate the yubikey. Then it redoes the action the user intended to do with the code, since then there is no yubikey needed any more.
Even addidional layers of security may not help once your computer is infiltrated. How about stealing that additional mail right out of the mailclient? How about faking the whole MtGox site and stealing/relaying/editing at will? That additional layer might even put the user in a false sense of security.

Only one thing really helps: Transactional dependend one-time-codes. I have that on my onlinebanking, for example. I create my wire transfer, this creates a unique "challenge", which is read (via flicker-code, think animated QR) by my tangenerator. This one displays the address and amount to transfer for verification, and creates a response-code. The device can't be hacked (reasonably), as it is very low-level and has no connection whatsoever except a flicker-sensor. If the data is manipulated on my computer at any point, either the display on the device will show it, or the generated response code will not match and will not work.
This is, until now, the only system I am aware of which is failsafe (as long as you watch the display).

This is slightly OT I guess.
Long story short:
MtGox, Yubikey, Google Authenticator, they all are pretty much useless once a dedicated software owns your computer.

Ente
sr. member
Activity: 279
Merit: 250
it's a unique code each time. and every code is only valid once

Unless 2FA has been implemented poorly. There have been cases where yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first gox 2fa breach I have heard of though (unless of course he is lying about having the 2fa setup).
hero member
Activity: 504
Merit: 500
it's a unique code each time. and every code is only valid once
legendary
Activity: 1330
Merit: 1000
do yubikeys punch in the same code each time, mine always looks very similar, what stopping a virus to just steal the yubikey code?
legendary
Activity: 2097
Merit: 1070
I think an email verification link to click in addition to entering the OTP would be better than just the OTP on it's own when a withdrawal is made.

This option should be made available ASAP. I'm not sure if it would make any difference to the Yubikey users but it would definitely add an additional layer of security if the Google Authenticator private key was leaked.

I wonder if something like this is planned for when the major long planned upgrade is rolled out.
Han
newbie
Activity: 40
Merit: 0
Highly unlikely that Gox stole the BTC. The focus on Gox is whether they had a security flaw/bug that wasn't patched at the time of the supposed hack and won't reveal until they fix it/wait long enough without incident for everyone to forget. I'm OK with the last scenario b/c it means that the event is a very low probability one, although we can't be sure until much time passes.
hero member
Activity: 504
Merit: 500
Come on... Why are people even thinking Gox would be a possible scenario in this... I don't think they would go through all that just to steal 29 BTC o_O
sr. member
Activity: 279
Merit: 250
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  

He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OPs claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  

Pages:
Jump to: