Topic: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen - page 3. (Read 8587 times)

sr. member
Activity: 350
Merit: 250
I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


I am sorry for your loss, and I understand your frustration if you are legit.
But your argument will not be accepted.

Yes, Mt. Gox could have / should have added extra protection measures to allow withdrawal of coins (like previously said: delay / email confirmation / and so on).


But, if it is true that you did not have 2FA activated, it is your responsibility to protect your personal data and access to the account. You can go on holiday in China. I was there in August and asked for bitcoins from there ...
sr. member
Activity: 279
Merit: 250
I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will

I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


Okay, so you deny the allegations. This is going to get messy; Mark could certainly post the logs but it is still effectively his word against yours. He is saying you did not have 2FA enabled at the time of the 'heist'.

You should both now post logs. You can use the API to get info about the account (idk how much): https://data.mtgox.com/api/1/generic/private/info

This would work best if you both posted them at the same time. Perhaps you can upload them somewhere, keep the link private and share it once Mark posts logs on his end.
Han
newbie
Activity: 40
Merit: 0
I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will

I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


Not really much you can do except wait for Mt. Gox's responses like all of us regarding the specifics of their logs. You should also not reveal MtGox support's private, direct responses to you right away. Wait for them to make public statements regarding this issue. This way, if they lie/make inconsistent statements, you can catch them on their lie/inconsistency (if there is any) by later posting their direct responses to you (think Snowden).
newbie
Activity: 31
Merit: 0
I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will

I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "
Han
newbie
Activity: 40
Merit: 0
I'm posting to follow this thread, I see three options:
- OP activated his 2fa after the "hack" and used a Chinese proxy/henchman to "steal" his own funds and double up on mtgox
- OP activated his 2fa after the "hack" and plays possum insisting that they were enabled before the theft
- A real hacker disabled 2fa and enabled it back somehow, allowing the theft and only mtgox can tell

MtGox should have the logs to tell exactly when and how many times 2fa has been enabled/disabled on the account.
sr. member
Activity: 431
Merit: 261
 I'll say it again because it's so important:
  • Locked withdrawal addresses
  • User-defined withdrawal delays
  • Mandatory email confirmation of withdrawal

Yes! Why oh why don't exchanges allow these seemingly-simple solutions to help protect users?

If this claim is B.S., it's really sad.
legendary
Activity: 1442
Merit: 1005
I'm posting to follow this thread, I see three options:
- OP activated his 2fa after the "hack" and used a Chinese proxy/henchman to "steal" his own funds and double up on mtgox
- OP activated his 2fa after the "hack" and plays possum insisting that they were enabled before the theft
- A real hacker disabled 2fa and enabled it back somehow, allowing the theft and only mtgox can tell
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
For anyone that can't or doesn't want to click the twitter link, Mark Karpeles says: "already checked and confirmed 2fa was enabled after the withdraw. Will check system logs too anyway."
In other words either OP is lying, or the CEO of MtGox is lying.  It's like Christmas.  

Soon we will know. The fact that this seems to be the lone case at this time suggests there is no exploit on the MtGox side, and the problem is strictly with this user's actions, errors, or intentions.

By the way, and slightly off-topic, those who suggest we should not keep coins or fiat sitting at an exchange are missing the point. These are not savings being kept there, but money actively used for trading. A perfectly good idea as long as you understand the risks.

Finally, I am saddened that in all cases of theft, real and false, the discussion revolves around blaming the victim and the service provider, not the thief.
sr. member
Activity: 367
Merit: 250
Find me at Bitrated
For anyone that can't or doesn't want to click the twitter link, Mark Karpeles says: "already checked and confirmed 2fa was enabled after the withdraw. Will check system logs too anyway."
In other words either OP is lying, or the CEO of MtGox is lying.  It's like Christmas.  


Mike Casascius is absolutely spot on however, in that exchanges can prevent themselves from being the targets of theft by allowing users to lock-in a withdrawal address or addresses when they sign up. It's not a perfect solution, but they can also allow the user to specify a delay period with withdrawals or a mandatory email confirmation before the funds are actually sent out.  I know that MtGox support staff and many exchanges have had many uncomfortable emails with customers explaining that their funds have been compromised and are impossible to reclaim.  I know they've considered these options because I've requested them via email months ago.  2-factor is nice yes, but why they haven't pursued additional security measures to take some of the heat off themselves is beyond me.  I'll say it again because it's so important:

  • Locked withdrawal addresses
  • User-defined withdrawal delays
  • Mandatory email confirmation of withdrawal
hero member
Activity: 767
Merit: 500
I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will
legendary
Activity: 1064
Merit: 1000
I think, preliminarily, we can treat this as a VERY good hoax.
member
Activity: 60
Merit: 10
Suggestions:

1.  If keeping balances available at all times for rapid trading, consider spreading them between multiple exchanges.  25% of the money at each of 4 exchanges allows a trader to sustain a complete loss at one.  Careful trading over the next month or two may regain the loss.  Later, fully insured or distributed exchanges and multisig can solve this, but for now sudden losses or frozen funds are likely at any exchange.

2.  Use only a known secure computer (such as a clean boot off a live CD) to set up Google Authenticator at an exchange.  Otherwise a keylogger could capture all the withdrawal credentials (as willphase suggested).

3.  For best results, set up 2FA *before* losing money.
sr. member
Activity: 350
Merit: 250
This story could be a hoax if this is true: https://twitter.com/MagicalTux/status/379247601289142273 - for those of you who don't know, MagicalTux (Mark Karpeles) is the CEO of MtGox

Did not know about that lol.
mt.gox CEO is French?
sr. member
Activity: 350
Merit: 250
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in China in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in the world who knows anyone located in China in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in the world who used a Chinese VPN in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in the world who knows anyone who used a Chinese VPN in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in the world who used a Chinese VPS in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in the world who knows anyone who used a Chinese VPN in order to withdraw your btc and try to file a claim and get refunded?
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
...

Allowing 2 Yubikeys on the account would make much more sense as I could keep one in offsite storage (safety deposit box, car glove box, etc) and one at my computer for daily use.

Until this is implemented I consider Yubikeys to be worthless at Gox due to the account freeze when one is lost / damaged.

And this is the reason I hate when someone like you has "plenty" of money and zero knowledge. You can add various Yubikeys and Google auth at the same time on your account, just take a little of your time and investigate. I'm not affiliated with gox only had the same issue a while back.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):

Allow users to lock withdrawals to a single bitcoin address

And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker

This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)

There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
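The policy Casascius describes above (withdrawals locked to one address, changes only with a signed message or after a contestable lockout period), together with the user-defined delay in Mike's list earlier in the thread, as an added Python sketch that is not Mt. Gox's code. The signature verifier is an injected, hypothetical callback so the example runs offline, and the audit list stands in for the server-side logs several posters ask to see.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical signature check, injected so the example runs offline; a real deployment
# would verify a Bitcoin signed message from the locked address (or a PGP signature).
Verifier = Callable[[str, str, str], bool]  # (current address, new address, signature)


@dataclass
class WithdrawalPolicy:
    locked_address: str        # the only address withdrawals may go to
    lockout_seconds: int       # contest window for unsigned change requests
    verify: Verifier
    pending_address: Optional[str] = None
    pending_effective_at: Optional[int] = None
    audit: list = field(default_factory=list)  # (time, event, address, outcome)

    def request_withdrawal(self, dest: str, now: int) -> bool:
        """Allow a withdrawal only to the currently locked address."""
        allowed = dest == self.locked_address
        self.audit.append((now, "withdraw", dest, "ok" if allowed else "denied"))
        return allowed

    def request_change(self, new_address: str, now: int, signature: str = "") -> str:
        """Signed request applies at once; unsigned one must wait out the lockout."""
        if signature and self.verify(self.locked_address, new_address, signature):
            self.locked_address = new_address
            self.pending_address = self.pending_effective_at = None
            self.audit.append((now, "change", new_address, "signed"))
            return "applied"
        self.pending_address = new_address
        self.pending_effective_at = now + self.lockout_seconds
        self.audit.append((now, "change", new_address, "pending"))
        return "pending"

    def contest(self, now: int) -> bool:
        """Owner cancels a pending change while the lockout window is open."""
        if self.pending_address is None:
            return False
        self.audit.append((now, "contest", self.pending_address, "cancelled"))
        self.pending_address = self.pending_effective_at = None
        return True

    def apply_pending(self, now: int) -> bool:
        """Promote a pending address once the lockout has elapsed uncontested."""
        if self.pending_address is None or now < self.pending_effective_at:
            return False
        self.locked_address = self.pending_address
        self.audit.append((now, "change", self.locked_address, "applied"))
        self.pending_address = self.pending_effective_at = None
        return True
```

An attacker who has only the session credentials can request a change, but the withdrawal to the new address is refused until the lockout elapses, giving the owner time to contest it.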
legendary
Activity: 1064
Merit: 1000
This story could be a hoax if this is true: https://twitter.com/MagicalTux/status/379247601289142273 - for those of you who don't know, MagicalTux (Mark Karpeles) is the CEO of MtGox
legendary
Activity: 2097
Merit: 1070
Op, sorry for your loss, I also have Mtgox with a Yubi, so I'm worried now. Hope you got the mystery solved.

Someone needs to clarify what happened on these withdrawals.

I have about $50,000 in my MtGox account right now and I use google auth to keep it safe.

It's sad that you lost $4,000 but if this was an MtGox wide issue I suspect whoever did this would have cleared out the accounts with large balances on them first and worked their way down to the smaller balances.

I don't keep Bitcoins in my account but obviously I do keep USD there as right now I'm waiting to make a purchase but I consider the current price of Bitcoin to be way overvalued.

I won't use Yubikey with MtGox unless they allow 2 yubikeys to be associated with my account or make it much easier for me to remove a Yubikey from my account in the event that I can't use it.

It's highly unlikely I will lose my Yubikey but if it becomes inoperable for any reason I need to be able to replace it and gain access to my account quickly as there's plenty of money in it and I would not like to be frozen out for weeks while the Yubikey is changed.

Allowing 2 Yubikeys on the account would make much more sense as I could keep one in offsite storage (safety deposit box, car glove box, etc) and one at my computer for daily use.

Until this is implemented I consider Yubikeys to be worthless at Gox due to the account freeze when one is lost / damaged.
legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
Op, sorry for your loss, I also have Mtgox with a Yubi, so I'm worried now. Hope you got the mystery solved.
legendary
Activity: 1106
Merit: 1004
@btcdrak, the point I'm trying to make is: right now, the only truly safe way of storing bitcoins is by doing it yourself, and offline.

It will not always remain like this, obviously. Hardware-wallets, combined with multi-sig and probably also nLockTime would certainly allow a great level of security for everyone, including those who have no idea of what I'm talking about. Perhaps even those twins' ETF would as well.

But that's not the case right now. So, if you're day-trading, you should factor into the risks of your operations that your account may just be emptied. Even if you take all possible digital-hygiene measures, the exchange's account may be hacked/seized/etc, and your money will be gone.

All that said, I'm also curious as to how this hack happened, as it sets a dangerous precedent.