Topic: MTGOX really is affecting me being able to feed my family - page 2. (Read 4449 times)

Personally,I'll only use MTgox for "at the moment trades",if I ever use them again,I'll never leave any coins or money in there again & I recommend everyone to do the same.

I was trading my cash for coins & vise versa,I made 15 BTC in 6 weeks this way,buy low sell high.I thought thier site was secure.I have an IT network guy coming over to scan my PC today,I'll let you guys know what we find.

Root cause detected (most likely):
 - https://passfault.appspot.com/password_strength.html#menu

Would be nice if Mt. Gox (and other exchanges) would warn if a weak password is entered.
 - http://en.wikipedia.org/wiki/Password_strength

Use secure passwords, and use KeePass or LastPass:
 - http://superuser.com/questions/432844/how-do-i-securely-store-and-manage-180-passwords

Well, that comment was describing how two factor authentication (which Mt. Gox offered first with Yubikey, and as of a few hours ago now supports Google Authenticator as well) is needed for using Mt. Gox, especially on Windows, but really all platforms, to be protected from these password-only thefts.

For a local wallet / BTC client there's no concept of two factor, and thus there needs to be a level of security appropriate for the risk.  For larger amounts, there's a secure method -- an air gapped system used for transacting.  When M of N transactions are implemented, that will help to lessen the risk of theft as well.

For now, what you have is probably much more secure than what most do, but it still is vulnerable if your host is compromised, say from a 0-day.  Or let's say some thieving software engineer at ATI slipped in a wallet stealer into their GPU driver binaries.  We'ld probably never know until after the wallets are gone.  (Your VM image probably wouldn't run the ATI binary driver so you'ld probably be safe from that specific vulnerability.)

Never used TOR
Never been part of a VPN
Private home network behind a router with firewall & AV installed (Avast),but use other AV's when necessary.
Never click on any emails from any one I don't know personally.

My old PW was Capri200,kinda simple but I won't forget it.I'm not a software guru or crypto phreak.No I did not use that PW anywhere else ever.

I use Win 7 64 bit.I have been building PC's for 12 years,so I'm not new to the PC enviroment,just a little naive I guess.I know all about phising emails & never click any links in emails or websites without thinking,if I need to do so I use a spare PC that I can "sacrifice" by reinstalling (I have 4 PC's in my room for gaming & surfing).

My situation is exactly like this one:

https://bitcointalksearch.org/topic/my-mtgox-account-got-compromised-what-can-i-do-84585

I would've posted there,but I didn't browse the threads far enough

Why are you using MtGox if you need to be able to withdraw on a timely basis?

Have you done ANY research on these companies? MtGox is notoriously slow with notoriously crappy customer service. The folks at Dwolla are confirmed scammer douchebags who change their TOS to rip people off.

The solution is to stop using MTGox.  Their constant lies about funding times and delay after delay is indicative of a larger problem that they are not admitting to (insolvency, outright fraud, using funds interest free?  Who knows).  But the fact is, they continually lie about what is going on and the "reason" why they somehow can't complete requests. 

They are a, in a nutshell, incredibly dishonest and people need to stop using them.  Find another exchange.

How do you go about two factor authentication, when using a local wallet / BTC client?

Personally I use an encrypted wallet, and run a client inside a VM which is on an encrypted truecrypt container which I only mount to run bitcoin. Still, everything occurs at my computer locally. Do you have something else in mind when you advocate two factor authentication?

I would like answers to my questions about network security. It seems that the recent claims of compromise are made by those that don't want to discuss whether their network is secure.

I want to know:
Have you used or are you using Tor?
Have you used or are you using a VPN?
Are you on a corporate network?
(And further to the above, has your company admin installed a company trusted root certificate on your box)
Have you ever clicked a link to mtgox in an email?

Also, since your password is unique for all sites, I'm sure you will have no problem sharing it with us for analysis since we can assume it has been compromised.

There's no point posting here asking for help if we can't have the information to help you.

But you are not. You can't buy an anti-stupidity software, you know?

Stop clicking links to phishing sites inside phishing emails.

One thing I have asked for in the past and never gotten a response from MtGox on is a IRREVOCABLE DELAY TIMER.
Make it optional but it could add security and prevent thefts like this.  Pretty simple concept.

User sets a irrevocable waiting period of sending coins.  
User understands when setting it that it can't be removed without waiting the same amount of time (i.e. if you remove a 60 min waiting period it takes 60 minutes before it is removed).

So it works like this:
1) Attack attempts to send coins.
2) MtGox accepts the requests and delays it x minutes (preset by user).
3) MtGox sends email (and SMS it is 2012) to user with amount of coins, address, and a CANCEL THIS IS FRAUD link.
4) If user clicks cancel link it DOESN'T require a password (as attacker may have changed it), the tx is canceled and account frozen
5) If tx is legit delay timer expires and funds are sent.

It allows users to set the level of security they want.  Users who want ability to instantly send coins can use default 0 min delay timer.  Cautious users could use a delay timer of 30 min.  Ultra paranoid could use a delay time of 240 min.  Combined with email and SMS notifications it becomes very difficult for an attacker to transfer coins off site.

Now using the same process the user could WHITE LIST certain addresses which don't need to be delayed.  Obviously adding an address to the whitelist requires the delay (as would changing email or SMS phone #).  User gets emails (w/ fraud link) for adding a whitelisted addess, changing delay timer, removing delay period, changing email/phone, and sending coins.


Maybe I should trademark the term "warm wallet" (i.e. it isn't a "hot wallet" or "cold wallet" but a "warm wallet")?

No I meant Windows.  I'm guessing it was Windows, and wanted a good opportunity to explain how one running Windows cannot make the statement "my PC is very secure".  And to recommend how anyone, particularly someone running Windows, with more than pocket change worth of funds on their exchange should be using two factor authentication.

I assume you mean: which version of Linux?

He said it's very secure, so obviously he's not running Mac OS X or Windows.

Which version of Windows are you running?

That sucks man I assume you changed your password in the mean time?

Did you *ever* use the previous password (the one that was comprimised) on any other website or service or phone or anything?

Was it an easy to guess or bruteforce password? Or rather, if you're sure you're not using that password any longer (which you shouldn't), what was it? Just curious, cause some people really seem to have a twisted ideas about the strength of their password.

Well,I lost $200,somehow my account was hacked (no password changed,I was able to login) & they bought coins with my cash & away they went.MTgox returned my email & said tough titties.

Thank you for your inquiry. We would recommend you to change your password as soon as possible. Unfortunately, bitcoin transactions are irreversible and we can not refund any amount of the stolen funds. As a business if Mt.Gox were to offer you a cash or bitcoin refund in compensation of this extremely unfortunate event, there would be a large increase in the number of hacking attempts to capitalize upon the possibility of financial reward.

As a further remedy, if you wish to retrieve your funds, we ask that you file a police report for the stolen goods. It is preferable for the police to inspect your computer, but not necessary. Once this investigation has occurred and a copy of the police report issued, please send a copy of it along with a notarized copy of your passport or Government issued photo ID to Mt.Gox and have the police contact us so that we can cooperate with their investigation by providing any requested information.

Please let us know how you wish to proceed, and again we apologize for the frustration and inconvenience caused.


Once the bitcoins are sent out, we are unable to retrieve them unless it is an Mt.Gox address and the address where your bitcoins were withdrawn to does not appear to be an Mt.Gox address and therefore, we are unable to get them back for you. Our apologies for the inconvenience caused and please let us know if you would require any further assistance regarding this matter.

So word to the wise: DO NOT keep a large amount of coins in your account.

I'll be using another exchange.

P.S. my PC is very secure.

Thank you so much team MTGOX for coming through thank you so much

You and many people yesterday has been "Cleared", we are continuing to push things forward.

We know that the situation is not ideal lately for some of our users, and I can't stress enough that it only affect a limited number of users, we are working like hell to fix this so please bear with us on this one.

Regards

My transaction went from preparing to confirmed! Thank you mTgox.
It's not at Dwolla yet though.

Thank you MTGOX support. I gave you my MTGOX username and right away you started to process some my dwolla withdraws after reading this thread. I can't explain to you how much this means to me that you are addressing this so quickly. This will help me extremely and wire bank wire transfers I'm sure will be done soon also.
dirtydiego
MTGOX AML verified member

Thank you very much for the info Stephen! I know I'm stupid for not learning from the first times I started noticing a problem not to invest but I guess I trust MTGOX will help speed up the process.  I have very much so enjoyed working with MTGOX as they have been wonderful this past few years. I never had a problem up until about a month and a half ago. I really don't want to switch ex-changers as they have always done me right. I shouldn't have started this thread to complain about an issues I know they are having right now. I apologize  to MTGOX and others who have read this thread as this is my second time complaining about this. Last time was because I had over 15k held up in withdraws for over three weeks but sure enough they did come through about 2-3 weeks later. Thanks to everyone for the advice, even if some of it was a little harsh but I understand why you would say these things. MTGOX did come through with 1 dwolla withdraw since this post which will help me a lot. This time I will learn not to invest in BTC if I can't handle the wait as I hate that I took a big risk to make money in BTC but this stupid risk I took has affected my family and really in hindsight I can't blame MTGOX as they have not robbed me or anyone that I know of. They made me aware of what was going on with the delays from the start and I just thought the delays would have been resolved by now as it states on their support page that they have been but it still has continued. I also realized that they are the biggest ex-changers and well I can imagine they are growing everyday with work and well this must also be an issue for them. Tangible Cryptography I PM'ed you and I really appreciate your very kind offer. I Really can't express to you how much in means to me. So again sorry if in the last month and a half I have a started a few threads about my issue. I'm sure you guys are sick of hearing about it but it was done out of desperation. But now I learned my lesson thanks to everyone in this thread that weighed in.