Topic: MtGox and 2 Factor Authentication (Read 2312 times)

legendary
Activity: 1806
Merit: 1003
February 08, 2013, 10:23:43 AM
#23
We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occurred because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.

Holy shit, how fucking stupid can a person be, I'd like to know what kind of fucked up logic this person used to decide that: hey I'll just use my fucking mtgox api key as my lastpass master password, which leads to ALL my other passwords. Oh and let's not change the lastpass master password, because hey there's 0.001% chance that it didn't get compromised after our first hack, so let's take that chance. Oh shit, it did get compromised in the first round of hacks, now the hacker has all the password + mtgox api key, because some fucktard decided to re-use passwords.
newbie
Activity: 43
Merit: 0
February 08, 2013, 07:49:05 AM
#22
We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).


bump!
jcp
newbie
Activity: 14
Merit: 0
July 14, 2012, 07:56:42 AM
#21
We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

Be sure to let it be configurable to at least 72+ hours if the user so desires. In financial markets 3 days as a standard clearing time has a particular history and is a standard for many markets, probably because it's 1 full working day plus the 2 weekend days (as people do not pay close attention over the weekend).
donator
Activity: 1120
Merit: 1001
July 14, 2012, 07:27:50 AM
#20

Also, stop withdrawing coins and dollars immediately! There should be a 24 hours notice for withdrawal.

Yes, this should be an "option configurable from the user", and if the users once chose so and then they want to change it, it will need another period of time, say 3 days, to be effective.
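The delay and lockout options proposed in the quoted Mt.Gox post, and the cooling-off period suggested in the two replies above, as a worked policy engine. This is an added example, not Mt.Gox's own code: the rule thresholds, the 3-day cooling-off value for weakening a setting, and every name in it are assumptions for illustration.

```python
"""Withdrawal-hold policy engine (added example, not Mt.Gox code).

A per-user rule set keyed on the aggregated 24-hour outflow forces a delay on
withdrawals; a weaker rule set only takes effect after a cooling-off period;
an emergency lockout cancels every delayed transfer still pending.
Thresholds, the 3-day cooling-off period and all names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

HOUR = 3600
DAY = 24 * HOUR
COOLING_OFF = 3 * DAY  # assumed: weakening the policy only takes effect after 3 days


@dataclass(frozen=True)
class HoldRule:
    threshold_btc: float  # aggregated 24h outflow (incl. this request) that triggers the hold
    delay_hours: int      # hold duration once the threshold is reached


def delay_under(rules: List[HoldRule], total_btc: float) -> int:
    """Delay (hours) a rule set imposes on an aggregated 24h outflow; highest threshold wins."""
    delay = 0
    for rule in sorted(rules, key=lambda r: r.threshold_btc):
        if total_btc >= rule.threshold_btc:
            delay = rule.delay_hours
    return delay


def is_tighter_or_equal(new: List[HoldRule], old: List[HoldRule]) -> bool:
    """True if `new` never imposes a shorter delay than `old` at any rule threshold."""
    probes = {0.0} | {r.threshold_btc for r in new + old}
    return all(delay_under(new, t) >= delay_under(old, t) for t in probes)


@dataclass
class Withdrawal:
    amount_btc: float
    requested_at: int   # unix seconds
    release_at: int
    status: str = "pending"  # pending | released | cancelled


@dataclass
class Account:
    rules: List[HoldRule]
    pending_rules: Optional[List[HoldRule]] = None
    pending_effective_at: int = 0
    locked: bool = False
    withdrawals: List[Withdrawal] = field(default_factory=list)

    def outflow_last_24h(self, now: int) -> float:
        return sum(w.amount_btc for w in self.withdrawals
                   if w.status != "cancelled" and now - w.requested_at < DAY)

    def active_rules(self, now: int) -> List[HoldRule]:
        # A queued (weaker) rule set becomes active only once the cooling-off period is over.
        if self.pending_rules is not None and now >= self.pending_effective_at:
            self.rules, self.pending_rules = self.pending_rules, None
        return self.rules

    def change_rules(self, new_rules: List[HoldRule], now: int) -> int:
        """Apply tighter rules at once, queue weaker ones; returns when they take effect."""
        if is_tighter_or_equal(new_rules, self.active_rules(now)):
            self.rules, self.pending_rules = list(new_rules), None
            return now
        self.pending_rules = list(new_rules)
        self.pending_effective_at = now + COOLING_OFF
        return self.pending_effective_at

    def request_withdrawal(self, amount_btc: float, now: int) -> Withdrawal:
        if self.locked:
            raise PermissionError("account is under emergency lockout")
        total = self.outflow_last_24h(now) + amount_btc
        delay = delay_under(self.active_rules(now), total)
        w = Withdrawal(amount_btc, now, now + delay * HOUR,
                       status="released" if delay == 0 else "pending")
        self.withdrawals.append(w)
        return w

    def release_due(self, now: int) -> int:
        """Release every held withdrawal whose hold has expired; returns the count."""
        released = 0
        for w in self.withdrawals:
            if w.status == "pending" and now >= w.release_at:
                w.status = "released"
                released += 1
        return released

    def emergency_lockout(self) -> int:
        """Freeze the account and cancel every withdrawal still on hold."""
        self.locked = True
        cancelled = 0
        for w in self.withdrawals:
            if w.status == "pending":
                w.status = "cancelled"
                cancelled += 1
        return cancelled
```

The asymmetry in `change_rules` is the point of the cooling-off period: an attacker who has taken over the account cannot simply switch the delay off and withdraw, because a weaker setting waits three days while a tighter one applies immediately. The aggregation also counts already released withdrawals, so splitting one large transfer into several small ones within 24 hours still trips the hold.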
hero member
Activity: 840
Merit: 1000
July 14, 2012, 07:17:27 AM
#19
We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

No!!  You can't do this.

This (Instant Bitcoin Withdrawal) is the only thing that keeps you different from FRB banks.

If you do this, I will never trust you again. Instant Withdrawal should be the STANDARD of Bitcoin Banks.
Sounds like this would be a user configurable option.  Mandating some form of two factor authentication for "large" transactions would be reasonable.
hero member
Activity: 714
Merit: 500
July 14, 2012, 06:53:25 AM
#18
We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

No!!  You can't do this.

This (Instant Bitcoin Withdrawal) is the only thing that keeps you different from FRB banks.

If you do this, I will never trust you again. Instant Withdrawal should be the STANDARD of Bitcoin Banks.
legendary
Activity: 1050
Merit: 1002
July 13, 2012, 06:57:58 PM
#17
We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).

Nice! Thanks for being proactive and remaining a positive Bitcoin force.

Please also make it unmistakably obvious to users what security practices and settings are recommended.
vip
Activity: 608
Merit: 501
July 13, 2012, 06:38:26 PM
#16
We are preparing options to force delays on Bitcoins (rule set depending on aggregated 24 hours transfer amount - option configurable from the user) and emergency account lockout (that would automatically cancel any delayed transfer).
hero member
Activity: 686
Merit: 500
Wat
July 13, 2012, 06:33:11 PM
#15
How come 40 000 USD was instant, whereas for people with much smaller amounts it takes weeks?
legendary
Activity: 1022
Merit: 1000
July 13, 2012, 05:50:17 PM
#14
mandatory delays on mtgox...

Aren't withdrawal delays mandatory on mtgox already?
legendary
Activity: 1386
Merit: 1004
July 13, 2012, 05:43:10 PM
#13
As far as I know, MTGOX has not had any reported losses on accounts with Yubikey only and no API access.  Is this correct?
legendary
Activity: 980
Merit: 1014
July 13, 2012, 05:11:02 PM
#12
Also, I would like to point out that mtgox appears to not have login attempt limitation. When I forgot my password, I tried more than 3 times to enter my password (probably at least ten times until I realized that I was using the wrong username). This should not have happened, methinks.
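The login attempt limitation the post above asks for, as a worked throttle. This is an added example, not Mt.Gox's code: the failure count that triggers a lockout, the base and maximum lockout durations, and the exponential growth are assumptions for illustration.

```python
"""Login attempt limiting (added example, not Mt.Gox code).

Per-account failure counter with exponentially growing lockouts: after
MAX_FAILURES wrong passwords the account refuses further attempts for
BASE_LOCKOUT seconds, doubling on each additional failure up to MAX_LOCKOUT.
A correct login clears the counter. All parameter values are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict

MAX_FAILURES = 5      # assumed
BASE_LOCKOUT = 60     # seconds, assumed
MAX_LOCKOUT = 3600    # seconds, assumed


@dataclass
class FailureState:
    count: int = 0
    locked_until: int = 0


class LoginThrottle:
    def __init__(self) -> None:
        self._state: Dict[str, FailureState] = {}

    def _get(self, username: str) -> FailureState:
        # Usernames are case-folded so "Alice" and "alice" share one counter.
        return self._state.setdefault(username.lower(), FailureState())

    def is_locked(self, username: str, now: int) -> bool:
        """Ask this before touching the password at all; a locked account is refused outright."""
        return now < self._get(username).locked_until

    def lockout_remaining(self, username: str, now: int) -> int:
        return max(0, self._get(username).locked_until - now)

    def record_failure(self, username: str, now: int) -> int:
        """Register a wrong password; returns the lockout (seconds) now in force, 0 if none."""
        st = self._get(username)
        st.count += 1
        if st.count < MAX_FAILURES:
            return 0
        lockout = min(BASE_LOCKOUT * 2 ** (st.count - MAX_FAILURES), MAX_LOCKOUT)
        st.locked_until = now + lockout
        return lockout

    def record_success(self, username: str) -> None:
        self._state.pop(username.lower(), None)


def attempt_login(throttle: LoginThrottle, username: str,
                  verify_password: Callable[[], bool], now: int) -> str:
    """Gate a login: refuse while locked (without running the password check),
    otherwise verify and update the throttle. Returns 'locked', 'ok' or 'bad_password'."""
    if throttle.is_locked(username, now):
        return "locked"
    if verify_password():
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "bad_password"
```

Two caveats a practitioner would add. The lock check runs before the password is verified, so an attacker cannot keep burning CPU on password hashing (or keep probing) against a locked account. And a purely per-account lockout lets anyone lock a victim out by guessing wrong on purpose, so in production this is paired with a per-source-address limit and a second factor rather than used alone.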
legendary
Activity: 1050
Merit: 1002
July 13, 2012, 05:08:31 PM
#11
I am told API key was already revoked. Information seems to be conflicting and confusing.

The API key was used as a password to LastPass, which in turn had the password to log into Mt.Gox.

Is that a joke?

Oh wow. Thanks for bringing this to light.

We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occurred because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.
legendary
Activity: 1078
Merit: 1000
Charlie 'Van Bitcoin' Shrem
July 13, 2012, 05:05:33 PM
#10
I am told API key was already revoked. Information seems to be conflicting and confusing.

The API key was used as a password to LastPass, which in turn had the password to log into Mt.Gox.

Is that a joke?

Oh wow. Thanks for bringing this to light.
legendary
Activity: 1050
Merit: 1002
July 13, 2012, 04:58:24 PM
#9
I am told API key was already revoked. Information seems to be conflicting and confusing.

The API key was used as a password to LastPass, which in turn had the password to log into Mt.Gox.
legendary
Activity: 980
Merit: 1014
July 13, 2012, 04:53:32 PM
#8
Although forcing all users to have it is a bit harsh, I think at the very least all trusted users with adjusted withdrawal limits need to be forced to use 2FA. If they can't afford a Yubikey or a GA-capable smartphone, then why the hell are they trading such large amounts of $ and BTC?

Smartphone penetration in the US has grown to 54.9%. At some point in the future, smartphones will be ubiquitous. A Yubikey should be cheaper than a phone.
legendary
Activity: 980
Merit: 1014
July 13, 2012, 04:50:36 PM
#7

Kiba, while you are correct that EVERYONE should use 2 factor...this is not why Bitcoinica was hacked.

Bitcoinica was hacked (this time) because they had their mtgox API key on the server which the hacker was able to exploit.

I'm not sure if its possible to do 2 factor with the API.

I am told API key was already revoked. Information seems to be conflicting and confusing.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
July 13, 2012, 04:49:38 PM
#6
Kiba, while you are correct that EVERYONE should use 2 factor...this is not why Bitcoinica was hacked.

Bitcoinica was hacked (this time) because they had their mtgox API key on the server which the hacker was able to exploit.

I'm not sure if its possible to do 2 factor with the API.
My understanding is that the API key was the master password for LastPass, which allowed the hacker access to the mtgox account with a password. No 2FA was used on the mtgox account, because LastPass was considered secure. This is what I have gathered.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
July 13, 2012, 04:48:17 PM
#5
Although forcing all users to have it is a bit harsh, I think at the very least all trusted users with adjusted withdrawal limits need to be forced to use 2FA. If they can't afford a Yubikey or a GA-capable smartphone, then why the hell are they trading such large amounts of $ and BTC?
legendary
Activity: 980
Merit: 1014
July 13, 2012, 04:48:04 PM
#4

I don't like the idea of mandating action (it seems a bit opposite to the Bitcoin free market theme),

MtGox is not the whole free market, you know. They can do whatever they want and users can choose other providers that don't require 2 factor authentication.

but I do like the idea of delayed withdrawals. That would be good if users could choose the option.

On second thought, this could be mandatory at mtgox too.