Topic: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen (Read 8527 times)

I think no updates means its a fake. Its really a threat if it is real.

Updates?

Seems like a fake ...
Can we have some proofs/logs?

+1 clarification is needed here.

Nope, based on EVERYTHING that both parties have asserted as FACT so far (i.e. not including any of their speculations), they could both be telling the truth if the attacker disabled, then re-enabled 2fa. Now if Karpeles were to clarify that 2fa was never enabled until after the hack, then one of them is no longer telling the truth, or is at least factually incorrect. Mark's careful language here, "currently enabled otps", suggests that there may have been previously enabled otps as well. He ought to clarify.

Well it's officially a scam now:


The OP shows both OTP and Yubikey enabled.

End of story for me.

The statement by MagicalTux of Mt. Gox was that 2FA was added after the withdrawal.  I'ld love to see your police report.

Read the thread man, this has been addressed many times. No one really thinks they stole it. We want to see if there is an issue with the 2FA implementation.

FACT:
Mt.Gox did not steal your coins.  They can literally print all the goxUSD, and trading BTC they want, and can be much more discreet, without leaving a paper trail. 

Indeed, given what JRam and Karpeles have said so far, they can both be telling the truth if the attacker disabled 2fa, then re-enabled it afterwards.

They look similar because the first 12 characters ARE the same every time - they identify the key.  The remainder, which is the sequence number + OTP plus check-sum is different each time.  If you're seeing them in a small input box which only displays the start of the key then it'll always look the same.

Gox has my real info, they can verify if I'm associated to another exchange or not. You're right about the seeing evidence of more 2fa heists though since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local pd in addition to contacting my attorney general.

You can always do a MITM, man-in-the-middle attack:
The trojan intercept the OTP, yubikey-code, sms-code, whatever, when it is used by the user. Then it either uses it to directly steal the funds, or, a bit more clever, to deactivate the yubikey. Then it redoes the action the user intended to do with the code, since then there is no yubikey needed any more.
Even addidional layers of security may not help once your computer is infiltrated. How about stealing that additional mail right out of the mailclient? How about faking the whole MtGox site and stealing/relaying/editing at will? That additional layer might even put the user in a false sense of security.

Only one thing really helps: Transactional dependend one-time-codes. I have that on my onlinebanking, for example. I create my wire transfer, this creates a unique "challenge", which is read (via flicker-code, think animated QR) by my tangenerator. This one displays the address and amount to transfer for verification, and creates a response-code. The device can't be hacked (reasonably), as it is very low-level and has no connection whatsoever except a flicker-sensor. If the data is manipulated on my computer at any point, either the display on the device will show it, or the generated response code will not match and will not work.
This is, until now, the only system I am aware of which is failsafe (as long as you watch the display).

This is slightly OT I guess.
Long story short:
MtGox, Yubikey, Google Authenticator, they all are pretty much useless once a dedicated software owns your computer.

Ente

Unless 2FA has been implemented poorly. There have been cases where yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first gox 2fa breach I have heard of though (unless of course he is lying about having the 2fa setup).

it's a unique code each time. and every code is only valid once

do yubikeys punch in the same code each time, mine always looks very similar, what stopping a virus to just steal the yubikey code?

I think an email verification link to click in addition to entering the OTP would be better than just the OTP on it's own when a withdrawal is made.

This option should be made available ASAP. I'm not sure if it would make any difference to the Yubikey users but it would definitely add an additional layer of security if the Google Authenticator private key was leaked.

I wonder if something like this is planned for when the major long planned upgrade is rolled out.

Highly unlikely that Gox stole the BTC. The focus on Gox is whether they had a security flaw/bug that wasn't patched at the time of the supposed hack and won't reveal until they fix it/wait long enough without incident for everyone to forget. I'm OK with the last scenario b/c it means that the event is a very low probability one, although we can't be sure until much time passes.

Come on... Why are people even thinking Gox would be a possible scenario in this... I don't think they would go through all that just to steal 29 BTC o_O

He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OPs claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.