Topic: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen - page 2. (Read 8587 times)
September 15, 2013, 06:35:00 PM
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.
September 15, 2013, 06:29:53 PM
Seems this guy didn't enable 2FA until after the attack.
Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2fa, then reenabled it after he was done.
2FA on withdrawal is pointless if it can be disabled after login.
My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownerwhip is re-verified and MtGox enables a replacement Yubikey.
But only by using the Yubikey...
September 15, 2013, 06:29:05 PM
Seems this guy didn't enable 2FA until after the attack.
Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2fa, then reenabled it after he was done.
2FA on withdrawal is pointless if it can be disabled after login.
My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownerwhip is re-verified and MtGox enables a replacement Yubikey.
But only by using the Yubikey...
September 15, 2013, 06:09:22 PM
Seems this guy didn't enable 2FA until after the attack.
Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2fa, then reenabled it after he was done.
2FA on withdrawal is pointless if it can be disabled after login.
My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownerwhip is re-verified and MtGox enables a replacement Yubikey.
September 15, 2013, 06:08:24 PM
Seems this guy didn't enable 2FA until after the attack.
Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2fa, then reenabled it after he was done.
2FA on withdrawal is pointless if it can be disabled after login.
My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownerwhip is re-verified and MtGox enables a replacement Yubikey.
September 15, 2013, 05:46:06 PM
Seems this guy didn't enable 2FA until after the attack.
Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2fa, then reenabled it after he was done.
September 15, 2013, 05:32:42 PM
Seems this guy didn't enable 2FA until after the attack.
September 15, 2013, 05:08:04 PM
One mistake i made in my police report was that i said i did not think MtGox took the money.
Then the police didnt investigate much at all, and did not put any pressure on gox to solve the issue whatsoever.
If you are not 110% sure noone at gox are involved, do NOT say you dont think its gox.
My account was cleaned out about a year ago, and mtGox's logs showed that noone was logged on when the withdraw was made.
Everyone pointed at This auth stuff for security, but now the same or some other security flaw has surfaced for a yubikey user.
But i am guessing this will get the usual, "We only talk to the police" answer from Gox.
I hope that i am wrong, that you get your cash refunded, they find and patch the hole and eventually catch the thieves.
Then the police didnt investigate much at all, and did not put any pressure on gox to solve the issue whatsoever.
If you are not 110% sure noone at gox are involved, do NOT say you dont think its gox.
My account was cleaned out about a year ago, and mtGox's logs showed that noone was logged on when the withdraw was made.
Everyone pointed at This auth stuff for security, but now the same or some other security flaw has surfaced for a yubikey user.
But i am guessing this will get the usual, "We only talk to the police" answer from Gox.
I hope that i am wrong, that you get your cash refunded, they find and patch the hole and eventually catch the thieves.
September 15, 2013, 04:49:18 PM
Guys, keep the conversation on point.
JRam did you withdraw bitcoins recently?
JRam did you withdraw bitcoins recently?
When I pumped BTCs into my account, my intention was to day trade. And I was day trading fairly well up to this point. I never had the need to withdraw any funds from my Mt. Gox account.
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
+21000000
-21000000 MSFT shares
It will not solve the problem if the Bitcoin address is in a wallet that is in a compromised Microsoft Windows computer. One must keep in mind that is the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.
If this was really malware on my PC, the logs would not show the Chinese ip address of 60.166.242.186 accessing my account. After all, wouldn't it be more legitimate to simply use my own ip address to access my account?
The notion that I just 'sat' on my Yubikey sent to me by Mt. Gox is just silly. I had no other use for this piece of junk. I wish I had the wisdom to save some of the images I posted so I could use it to catch Mt. Gox on an inconsistently later but I think this is the end of the line for me on bitcoins. Now that I can't trust the largest BTC exchange, I think I'm done here. Although this might sound harsh to some, I won't be trying any other alternative cryptocurrencies since I see bitcoin as the gold standard. If I can't invest in bitcoins, I definitely can't invest in other alternatives.
Thanks for anyone that helped and believed in my case. I will be pursuing this case a bit further with my local police department but that will be it.
Yes, filing a police report and posting proof of it would also bolster your credibility against Gox as filing a false report is fraud.
September 15, 2013, 04:47:01 PM
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
+21000000
-21000000 MSFT shares
It will not solve the problem if the Bitcoin address is in a wallet that is in a compromised Microsoft Windows computer. One must keep in mind that is the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.
If this was really malware on my PC, the logs would not show the Chinese ip address of 60.166.242.186 accessing my account. After all, wouldn't it be more legitimate to simply use my own ip address to access my account?
The notion that I just 'sat' on my Yubikey sent to me by Mt. Gox is just silly. I had no other use for this piece of junk. I wish I had the wisdom to save some of the images I posted so I could use it to catch Mt. Gox on an inconsistently later but I think this is the end of the line for me on bitcoins. Thanks for anyone that helped and believed in my case. I will be pursuing this case a bit further with my local police department but that will be it.
The malware steals the credentials via for example a keylogger, and then sends them to the attacker in China. The attacker then logs into the account at MTGox with the stolen credentials from China. Even if the case be made that the Yubikey was compromised, there still remains the fact that the computer was compromised by malware running on Microsoft Windows to obtain the login credentials and to compromise the Yubikey in the first place.
September 15, 2013, 04:32:17 PM
Guys, keep the conversation on point.
JRam did you withdraw bitcoins recently?
JRam did you withdraw bitcoins recently?
When I pumped BTCs into my account, my intention was to day trade. And I was day trading fairly well up to this point. I never had the need to withdraw any funds from my Mt. Gox account.
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
+21000000
-21000000 MSFT shares
It will not solve the problem if the Bitcoin address is in a wallet that is in a compromised Microsoft Windows computer. One must keep in mind that is the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.
If this was really malware on my PC, the logs would not show the Chinese ip address of 60.166.242.186 accessing my account. After all, wouldn't it be more legitimate to simply use my own ip address to access my account?
The notion that I just 'sat' on my Yubikey sent to me by Mt. Gox is just silly. I had no other use for this piece of junk. I wish I had the wisdom to save some of the images I posted so I could use it to catch Mt. Gox on an inconsistently later but I think this is the end of the line for me on bitcoins. Now that I can't trust the largest BTC exchange, I think I'm done here. Although this might sound harsh to some, I won't be trying any other alternative cryptocurrencies since I see bitcoin as the gold standard. If I can't invest in bitcoins, I definitely can't invest in other alternatives.
Thanks for anyone that helped and believed in my case. I will be pursuing this case a bit further with my local police department but that will be it.
September 15, 2013, 04:30:35 PM
Guys, keep the conversation on point.
JRam did you withdraw bitcoins recently?
JRam did you withdraw bitcoins recently?
September 15, 2013, 04:27:11 PM
brain or paper wallets solve that
Not if they are created on an infected computer in the first place.
September 15, 2013, 04:24:43 PM
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
+21000000
-21000000 MSFT shares
It will not solve the problem if the Bitcoin address is in a wallet that is in a compromised Microsoft Windows computer. One must keep in mind that is the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.
brain or paper wallets solve that
September 15, 2013, 04:19:57 PM
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
+21000000
-21000000 MSFT shares
It will not solve the problem if the Bitcoin address is in a wallet that is in a compromised Microsoft Windows computer. One must keep in mind that is the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.
September 15, 2013, 04:04:39 PM
I was wrong about the Bitcoin community not being able to do anything except wait for MtGox's response. We should POUND Mark Karpeles with demands for immediate updates to the situation to minimize the amount of time he has to potentially edit logs which would also minimize the time JRam has to potentially edit his logs in response. Perhaps its already too late.
September 15, 2013, 04:01:59 PM
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
+21000000
September 15, 2013, 03:55:10 PM
I think preliminary, we can treat this as a VERY good hoax.
Indeed; if the MagicalTux quote from Twitter is to be believed. Does the OP have anything to say in response to this? It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.
Will
I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now? I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:
"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "
Okay, so you deny the allegations. This is going to get messy; Mark could certainly post the logs but it is still effectively his word against yours. He is saying you did not have 2FA enabled at the time of the 'heist'.
You should both now post logs. You can use the API to get info about the account (idk how much): https://data.mtgox.com/api/1/generic/private/info
This would work best if you both posted them at the same time. Perhaps you can upload them somewhere, keep the link private and share it once mark posts logs on his end.
@JRam This would be an even better implementation of the Snowden strategy I outlined above, but do it for everything you can think of: logs, support messages, any other data/proof, etc.
Duly noted, I didn't think about the need to catch them on their inconsistency like this. I guess this is one of those life lessons.
September 15, 2013, 03:52:59 PM
This story could be a hoax if this is true: https://twitter.com/MagicalTux/status/379247601289142273 - for those of you who don't know, MagicalTux (Mark Karpeles) is the CEO of MtGox
I would trust MTGox's systems any day before trusting a Microsoft Windows computer. My take is that the theft was due to the OP using Microsoft Windows to trade on MTGox and could have been prevented by the OP having used GNU / Linux instead. By the way storing the Bitcoins in the OP's computer rather than in MTGox, in this case, is not a good idea since the OP is using Microsoft Windows.
September 15, 2013, 03:49:43 PM
I think preliminary, we can treat this as a VERY good hoax.
Indeed; if the MagicalTux quote from Twitter is to be believed. Does the OP have anything to say in response to this? It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.
Will
I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now? I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:
"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "
Okay, so you deny the allegations. This is going to get messy; Mark could certainly post the logs but it is still effectively his word against yours. He is saying you did not have 2FA enabled at the time of the 'heist'.
You should both now post logs. You can use the API to get info about the account (idk how much): https://data.mtgox.com/api/1/generic/private/info
This would work best if you both posted them at the same time. Perhaps you can upload them somewhere, keep the link private and share it once mark posts logs on his end.
@JRam This would be an even better implementation of the Snowden strategy I outlined above, but do it for everything you can think of: logs, support messages, any other data/proof, etc.
Jump to: