Topic: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen - page 4. (Read 8587 times)

legendary
Activity: 1064
Merit: 1000
Store your bitcoins yourself.

If that sounds "too geeky" and you're not willing to go through the learning curve right now, then perhaps Bitcoin and you are not ready for each other for the moment. Interesting projects like Trezor are in development, and they could bring the two of you together again soon enough.

Again OP, don't take my post in a bad way, I am really sorry this has happened to you. But please don't claim that you haven't been warned - I'm definitely not the first one saying this - or that there are no ways to hold Bitcoins safely, because you know that's not the case.

I am sorry - but this is not a very realistic position. What if you are in a short position, i.e. holding USD pending a rebuy at a lower price? If this issue exists, then a thief can just buy bitcoins with your balance and xfer the BTC out.

If this were any other regulated situation - like a stock-brokerage account - the broker could and WOULD be held accountable for their lax security.
hero member
Activity: 767
Merit: 500
Yes, this is very curious. Perhaps MtGox have a bug whereby a trade API key can somehow be coaxed into being used as a withdrawal API key? The only other option is that the GA seed was compromised somehow, but the only way this could have happened was if there was malware actively monitoring the page when the GA device was enrolled, or malware on the phone that was able to access the GA key, but since the phone is not rooted that seems unlikely.

Very curious.

Will
legendary
Activity: 2097
Merit: 1070
Very odd, this would be the first time I've heard of this happening. The GA must have been compromised. I don't think it's an inside job; if it was, why would they target a $4k account... There are people paying more than that to them in FEES for 5% withdrawals...

This is what I'm thinking.

If you have both GA and Yubikey enabled on the account, does the MtGox system require you to press the Yubikey AND enter the Google Auth code, or will just either one of them work on its own?
hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
Very odd, this would be the first time I've heard of this happening. The GA must have been compromised. I don't think it's an inside job; if it was, why would they target a $4k account... There are people paying more than that to them in FEES for 5% withdrawals...
legendary
Activity: 2097
Merit: 1070
My mistake then. But again, the risks are almost the same. The MtGox fiat account could be seized, the entire site hacked and become insolvent, or his personal account hacked. If he intended to keep a fiat balance, it would be safer to do so in a traditional bank that can reverse transactions.

Perhaps he was keeping his fiat there because of MtGox's liquidity problems. Or perhaps he was a day-trader. These possibilities make it much more understandable.

But if you have fiat on Gox and you're not willing to spend this money any time soon, then I'd advise withdrawing it. Even if it takes months to come to your bank account, it's safer like this than letting it sit there. I'd say that MtGox is more vulnerable to account seizures than most banks... it has already happened to their US-domiciled accounts, are you so sure it won't happen to their main accounts in Japan?

There are millions of dollars in fiat sitting in MtGox accounts with bids placed on various price points from just below the current price right down to just a few cents per Bitcoin.

This is how any exchange works. It can't work without large amounts of fiat being on the exchange at any point in time otherwise there would be zero liquidity and no bids.

This issue needs to be addressed properly due to the millions of dollars in fiat which is properly stored on the exchange and must remain there for normal liquidity and trading to continue.

If everyone withdrew all their fiat the price would be back in cents per Bitcoin before you know it. It's just not feasible.
legendary
Activity: 1106
Merit: 1004
My mistake then. But again, the risks are almost the same. The MtGox fiat account could be seized, the entire site hacked and become insolvent, or his personal account hacked. If he intended to keep a fiat balance, it would be safer to do so in a traditional bank that can reverse transactions.

Perhaps he was keeping his fiat there because of MtGox's liquidity problems. Or perhaps he was a day-trader. These possibilities make it much more understandable.

But if you have fiat on Gox and you're not willing to spend this money any time soon, then I'd advise withdrawing it. Even if it takes months to come to your bank account, it's safer like this than letting it sit there. I'd say that MtGox is more vulnerable to account seizures than most banks... it has already happened to their US-domiciled accounts, are you so sure it won't happen to their main accounts in Japan?

EDIT: By the way, my post above is not entirely incorrect when you consider only the quoted part I was replying to:

When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.

You should not trust the largest exchange with your coins, but that doesn't mean there's nothing you can do.
legendary
Activity: 2097
Merit: 1070
How many people replying to this even bothered to read the original post?

Look - this is what he said:

All of the trade activity in the screenshot is not mine. I originally had $4,000 in USD but the culprit converted it to BTC and withdrew.

Come on. Not wanting to be mean, it's a shame that you've lost your money and I hope this mystery gets solved, but of course there was something you could have done, and you know it very well: you could have stored your coins yourself, offline.

This is to everyone who stores their money on Gox and others: Seriously people, Bitcoin empowers you to be your own bank. To have no counter-party risk. And you keep leaving your money in bank-like institutions? What's to prevent MtGox servers from being hacked, and eventually even its cold wallet stolen like bitfloor? Or, even more likely, what if they're raided and all the money seized, à la Cyprus?

Store your bitcoins yourself.

If that sounds "too geeky" and you're not willing to go through the learning curve right now, then perhaps Bitcoin and you are not ready for each other for the moment. Interesting projects like Trezor are in development, and they could bring the two of you together again soon enough.

Again OP, don't take my post in a bad way, I am really sorry this has happened to you. But please don't claim that you haven't been warned - I'm definitely not the first one saying this - or that there are no ways to hold Bitcoins safely, because you know that's not the case.

Well I just read the original post and what you're saying here is clearly incorrect.

The OP had $4000 in his MtGox account. Someone gained unauthorised access and purchased Bitcoin.

After purchasing the Bitcoin they withdrew it.

So he had USD sitting on the exchange - not Bitcoin.
legendary
Activity: 1106
Merit: 1004
Were you doing any operation at the site that would require the Yubikey code?

Advanced malware could put itself in between you and MtGox, and if you request a withdrawal to address A, it could change that to address B without you noticing, and make you authorize that via the Yubikey code. That'd be very advanced malware though, as it would have to somehow replace your browser with a bogus one.

EDIT: Just saw your post on reddit saying that you were not awake while this happened, which rules out my supposition.

When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.

Come on. Not wanting to be mean, it's a shame that you've lost your money and I hope this mystery gets solved, but of course there was something you could have done, and you know it very well: you could have stored your coins yourself, offline.

This is to everyone who stores their money on Gox and others: Seriously people, Bitcoin empowers you to be your own bank. To have no counter-party risk. And you keep leaving your money in bank-like institutions? What's to prevent MtGox servers from being hacked, and eventually even its cold wallet stolen like bitfloor? Or, even more likely, what if they're raided and all the money seized, à la Cyprus?

Store your bitcoins yourself.

If that sounds "too geeky" and you're not willing to go through the learning curve right now, then perhaps Bitcoin and you are not ready for each other for the moment. Interesting projects like Trezor are in development, and they could bring the two of you together again soon enough.

Again OP, don't take my post in a bad way, I am really sorry this has happened to you. But please don't claim that you haven't been warned - I'm definitely not the first one saying this - or that there are no ways to hold Bitcoins safely, because you know that's not the case.
sr. member
Activity: 384
Merit: 250
Did you have NoScript installed in your browser?

Could the thief use a keylogger on your system to work out the yubikey seed?
legendary
Activity: 1064
Merit: 1000
You need to find out if the GA or Yubikey was used in the authorization.
legendary
Activity: 1008
Merit: 1000
Sorry if this was explained already... but why was Google authenticator also being used in addition to a yubikey?
newbie
Activity: 31
Merit: 0
No software installed to process OTP, and my phone was never directly connected to my computer. I connected my phone to my wireless router for its internet speed when I needed to download apps like Google Authenticator. The phone itself was never used to trade; I only traded via the PC.

Thanks for the details.  What about the thought of having typed the Google Authenticator OTP setup seed into a text file (or email, etc.) on the computer, as a way to keep a personal copy of the information in case it was needed later?

If someone did not manage to get your withdrawal credentials, then your report could reveal a new intrusion into Mt. Gox's servers. Despite the 2FA, an attack could still be from outside the company (unless Mt. Gox has really outdone itself with thoroughly secured login/withdrawal processing).

BTW, does anyone know how long Mt. Gox restricts withdrawals to a given GA OTP, and especially whether the site allows reuse of a prior "OTP"?  In the recent past at least, they certainly did not strictly adhere to the standard 30-second window.  (Conceivably a man-in-the-middle attacker could take advantage of such weaknesses.)

No backups since I didn't think it was needed even if I did somehow lose access to the keys. I recall Mt. Gox gave an option to unlink keys where they lock down your account for 2 weeks and repeatedly email you to verify that the real owner made the request.

https://www.mtgox.com/login/otp-unlink

As I've used my account earlier this week and never received such emails, I don't think this was the attack vector.
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
I'm glad some people are posting on this thread, but frankly I was expecting this to get a lot more attention. This would be the first story, ever, of a person losing money who had a Yubikey and did not also have a trading API key floating out to be used. I've never used a trading bot, so I don't know if there was a mistake in granting permissions there... but this would be a Bitcoin first.
We're still missing a lot of information. For example, we don't know whether Gox claims they received a valid YubiKey code when the withdrawal was made. This may get very interesting soon though.
sr. member
Activity: 304
Merit: 250
Is having two different 2-factor auths for withdrawal AND or OR? Will you need both to make the withdrawal or just one of them?
member
Activity: 60
Merit: 10
No software installed to process OTP, and my phone was never directly connected to my computer. I connected my phone to my wireless router for its internet speed when I needed to download apps like Google Authenticator. The phone itself was never used to trade; I only traded via the PC.

Thanks for the details.  What about the thought of having typed the Google Authenticator OTP setup seed into a text file (or email, etc.) on the computer, as a way to keep a personal copy of the information in case it was needed later?

If someone did not manage to get your withdrawal credentials, then your report could reveal a new intrusion into Mt. Gox's servers.  Despite the 2FA, an attack could still be from outside the company (unless Mt. Gox has really outdone itself with thoroughly secured login/withdrawal processing).

BTW, does anyone know how long Mt. Gox restricts withdrawals to a given GA OTP, and especially whether the site allows reuse of a prior "OTP"?  In the recent past at least, they certainly did not strictly adhere to the standard 30-second window.  (Conceivably a man-in-the-middle attacker could take advantage of such weaknesses.)
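An added example, not from this thread and not Mt. Gox's code: a small RFC 6238 TOTP verifier that makes the two server-side controls the question above asks about concrete, how wide the accepted time window is and whether a code that already passed can be accepted a second time. The `OtpVerifier` class, the "lenient" configuration and the clock values are constructed for illustration; the key is the RFC 6238 reference key.

```python
import hmac
import hashlib
import struct

STEP = 30  # standard TOTP time step in seconds (RFC 6238)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """TOTP is HOTP evaluated at the current time step (what the phone app shows)."""
    return hotp(secret, now // STEP)

class OtpVerifier:
    """Server-side check with a configurable window and replay protection.

    skew: 30-second steps either side of 'now' that are still accepted.
    replay_check: remember the highest time step already consumed and reject
    any code for that step or an earlier one, even though it is still
    cryptographically valid; this is what defeats re-submission of a captured code.
    """
    def __init__(self, secret: bytes, skew: int = 1, replay_check: bool = True):
        self.secret = secret
        self.skew = skew
        self.replay_check = replay_check
        self.last_counter = -1  # no code accepted yet

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self.skew, current + self.skew + 1):
            if self.replay_check and counter <= self.last_counter:
                continue  # step already used: a replayed code must not pass
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.replay_check:
                    self.last_counter = counter
                return True
        return False

# Constructed sample: the RFC 6238 reference key and a fixed clock of t = 59 s.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)        # "287082" (RFC 6238 test vector, 6 digits)
    strict = OtpVerifier(SAMPLE_SECRET)   # +/-1 step, replays rejected
    lenient = OtpVerifier(SAMPLE_SECRET, skew=10, replay_check=False)
    print("strict, first use   :", strict.verify(code, 59))    # True
    print("strict, same code   :", strict.verify(code, 70))    # False, step reused
    print("lenient, 5 min later:", lenient.verify(code, 359))  # True, window too wide
    print("lenient, same code  :", lenient.verify(code, 359))  # True, no reuse check
```

The lenient configuration is the one the post worries about: a code that is still accepted minutes later, and accepted repeatedly, is worth far more to whoever intercepts it than one that dies with its 30-second step.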
newbie
Activity: 31
Merit: 0
I'm glad some people are posting on this thread, but frankly I was expecting this to get a lot more attention. This would be the first story, ever, of a person losing money who had a Yubikey and did not also have a trading API key floating out to be used. I've never used a trading bot, so I don't know if there was a mistake in granting permissions there... but this would be a Bitcoin first.

Well, it is the weekend, so it is understandable. Although having $4,000 stolen hurts, there is not much more I can do about it. I'm confident there is no mistake in granting permissions, as you would have to consciously check the 'withdraw' box to grant withdraw permission. I also combed through the trading bot source code at one point looking to see if there was any malicious code.
legendary
Activity: 1008
Merit: 1000
I'm glad some people are posting on this thread, but frankly I was expecting this to get a lot more attention. This would be the first story, ever, of a person losing money who had a Yubikey and did not also have a trading API key floating out to be used. I've never used a trading bot, so I don't know if there was a mistake in granting permissions there... but this would be a Bitcoin first.
newbie
Activity: 31
Merit: 0
Thanks for answering all the questions.  I'm not sure how those funds were taken.  It seems you had taken all steps to avoid being hacked, and all the obvious (and some non-obvious) attack vectors were covered.

Will

Thank you for your insight into this.

If Mt. Gox allows withdrawals using either the OTP -or- the Yubikey, Google Authenticator OTP is the far more likely vulnerability.

That would be the case if, when setting up the OTP, you typed its key details into a file on your computer or smartphone (how else would you recover it if there's a problem?) ... or if you ever installed software on your trading computer to process the OTP (instead of or in addition to Google Authenticator on the phone) ... or if you ever connected the phone to the computer.  All these scenarios assume a compromised computer, and not necessarily any user error.

Or, the smartphone with GA could itself be compromised.  If the phone was used to trade, or if the Mt. Gox account name & password were kept on it, then the PC need not be involved.

An inside theft by Mt. Gox employees would seem more likely to involve accounts lacking Yubikey withdrawal restrictions, to keep a lower profile, unless the intention of the theft was to visibly harm the exchange's reputation in an especially newsworthy way.

No software installed to process OTP, and my phone was never directly connected to my computer. I connected my phone to my wireless router for its internet speed when I needed to download apps like Google Authenticator. The phone itself was never used to trade; I only traded via the PC.

If Mt. Gox ran out of accounts lacking Yubikeys or a combination of other authentication methods, would they eventually grow desperate enough under financial pressure? There are also other reasons why I suspect Mt. Gox, namely the IP address being from China withdrawing from my US-based account. No delays or email verifications were raised for this glaring red flag. I never had an intention to harm Mt. Gox's reputation, since their success would eventually equal my success. I was trading on trends fairly well and Mt. Gox's volume helps a lot. Without Mt. Gox, I can't do what I have been doing, so I lose out too.

This attack seems to be well timed since I get limited support from Mt. Gox on the weekends. I know I have been a bit aggressive with the Mt. Gox representative but I don't see any other options. For anyone interested:

member
Activity: 60
Merit: 10
If Mt. Gox allows withdrawals using either the OTP -or- the Yubikey, Google Authenticator OTP is the far more likely vulnerability.

That would be the case if, when setting up the OTP, you typed its key details into a file on your computer or smartphone (how else would you recover it if there's a problem?) ... or if you ever installed software on your trading computer to process the OTP (instead of or in addition to Google Authenticator on the phone) ... or if you ever connected the phone to the computer.  All these scenarios assume a compromised computer, and not necessarily any user error.

Or, the smartphone with GA could itself be compromised.  If the phone was used to trade, or if the Mt. Gox account name & password were kept on it, then the PC need not be involved.

An inside theft by Mt. Gox employees would seem more likely to involve accounts lacking Yubikey withdrawal restrictions, to keep a lower profile, unless the intention of the theft was to visibly harm the exchange's reputation in an especially newsworthy way.
hero member
Activity: 767
Merit: 500
Thanks for answering all the questions.  I'm not sure how those funds were taken.  It seems you had taken all steps to avoid being hacked, and all the obvious (and some non-obvious) attack vectors were covered.

Will