
Topic: *MY* Mt Gox Account was Hacked - lost it all today... now what!? - page 2. (Read 9952 times)

full member
Activity: 154
Merit: 100
They also have a very short-term window (in the case of Google Authenticator) to attack. (I believe in the case of MtGox, once you disable your 2-factor, you are disallowed to withdraw for some period, so tricking you into entering a one-time password could not be used to disable the whole 2-factor authentication; they need to immediately use your one-time password and send a withdraw request.)

That's not a problem. The attack would happen in realtime anyway. Basically all the attacker has to do is send a different bitcoin address to MtGox compared to what's shown on the screen.

Quote
And they need to change the browser behavior, since you can not just spoof a website without security warning if browser certificate infrastructure is unchanged.

You don't have to! I'm not sure anything would need to be changed on the client side, but if so, greasemonkey will do that for you without any impact on security certificates whatsoever. It basically alters the HTML after it's been received. I'm not a coder, but it can't take more than a few lines of code to modify one address into another.

Quote
Adding a certificate authority should trigger a security warning in most operating systems and ask for the admin password on the fly. So the attacker needs to disable these features as well.

Again, I don't think so. I'll give it a try by running some greasemonkey script on e.g. gmail, but I'm fairly certain I will still see a green padlock icon and no other warnings. That said, even if you would have to spoof everything, it's not rocket science for a decent script kiddy. HTML5 fullscreen FTW. This seriously sounds easier to me than writing a key logger. As illustration: http://feross.org/html5-fullscreen-api-attack/


I checked with your illustration, I definitely agree it is possible to attack this way, but as I said, they need to implement a full browser functionality and specific website functionality to get this working, otherwise, a little savvy will help you quickly realize something is wrong. At least when I press the button, I got two address bars, mine and the fake one. And the "website" is not reactive to normal operations. (Checking certificate, for example, and my address bar did show it is not BOA.)

And this is why when I set up two-factor authentication, I usually do not make it the default for login, but only for withdrawals or changes to security settings, since this way they at least need some work to make website-specific behavior.


Thanks for pointing this possibility out though.
legendary
Activity: 980
Merit: 1040
One more comment: with my homebanking, I have a card reader in which I have to insert my ATM card, and enter the challenge presented by my homebanking website. This challenge always includes the amount and some significant digits of the account I'm transferring to. If someone were to use a "greasemonkey in the middle" attack on me, at least I might notice the amount and/or account number don't match what I'm trying to send. As I understand, Yubi key doesn't have anything like that, you just plug it in, and that's it. I hate to say it, but that sounds like security theatre to me. Having a unique and decently safe password would give the exact same security AFAICT. If your PC is compromised, not even rooted (!), you are SOL with or without yubi.
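The difference the post above draws between a plain one-time code and a challenge that includes the amount and destination, as an added example that is not part of the original thread and is not MtGox's, Yubico's or any bank's actual protocol. The HMAC construction, function names, secret and destination strings are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain one-time code (RFC 4226): depends only on secret and counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def txn_code(secret: bytes, nonce: str, amount: str, dest: str) -> str:
    """Transaction-bound code: the MAC covers amount and destination.
    Fields are length-prefixed so they cannot run into each other."""
    msg = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode()
        for f in (nonce, amount, dest)
    )
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** 8).zfill(8)

def server_accepts_otp(secret, counter, code, submitted_dest) -> bool:
    # submitted_dest is not part of the check: any destination passes.
    return hmac.compare_digest(hotp(secret, counter), code)

def server_accepts_txn(secret, nonce, amount, submitted_dest, code) -> bool:
    # The server recomputes the code over the transaction it received.
    expected = txn_code(secret, nonce, amount, submitted_dest)
    return hmac.compare_digest(expected, code)

# Constructed sample values, not real keys or addresses.
SECRET = b"constructed-shared-secret"
INTENDED = "DEST-INTENDED-0001"
SUBSTITUTED = "DEST-SUBSTITUTED-9999"

def demo() -> dict:
    """The user approves INTENDED; the server may receive SUBSTITUTED."""
    otp = hotp(SECRET, counter=7)
    # The user keys the amount and destination they intend into the
    # offline reader, so the code is bound to INTENDED.
    bound = txn_code(SECRET, "nonce-42", "1.50", INTENDED)
    return {
        "otp_with_substituted_dest": server_accepts_otp(SECRET, 7, otp, SUBSTITUTED),
        "bound_with_substituted_dest": server_accepts_txn(
            SECRET, "nonce-42", "1.50", SUBSTITUTED, bound),
        "bound_with_intended_dest": server_accepts_txn(
            SECRET, "nonce-42", "1.50", INTENDED, bound),
    }

if __name__ == "__main__":
    print(demo())
```

The binding only helps if the amount and destination are entered or displayed on a device separate from the PC, as with the card reader described in the post.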
legendary
Activity: 980
Merit: 1040
All right, I tried it. I installed greasemonkey and then some random greasemonkey script that switches gmail to minimal layout.
To get there, I've never entered my root password, so root isn't even needed (in contrast to a keylogger!). Gmail address bar shows everything okey dokey, and there is no obvious way to see greasemonkey is even running. There is a greasemonkey button added to the toolbar that I didn't even notice at first, but I can remove it, without needing any root privilege. Mind you, the attacker wouldn't even have to use greasemonkey as such, just trying to show how "easy" it can be.
legendary
Activity: 980
Merit: 1040
They also have a very short-term window (in the case of Google Authenticator) to attack. (I believe in the case of MtGox, once you disable your 2-factor, you are disallowed to withdraw for some period, so tricking you into entering a one-time password could not be used to disable the whole 2-factor authentication; they need to immediately use your one-time password and send a withdraw request.)

That's not a problem. The attack would happen in realtime anyway. Basically all the attacker has to do is send a different bitcoin address to MtGox compared to what's shown on the screen.

Quote
And they need to change the browser behavior, since you can not just spoof a website without security warning if browser certificate infrastructure is unchanged.

You don't have to! I'm not sure anything would need to be changed on the client side, but if so, greasemonkey will do that for you without any impact on security certificates whatsoever. It basically alters the HTML after it's been received. I'm not a coder, but it can't take more than a few lines of code to modify one address into another.

Quote
Adding a certificate authority should trigger a security warning in most operating systems and ask for the admin password on the fly. So the attacker needs to disable these features as well.

Again, I don't think so. I'll give it a try by running some greasemonkey script on e.g. gmail, but I'm fairly certain I will still see a green padlock icon and no other warnings. That said, even if you would have to spoof everything, it's not rocket science for a decent script kiddy. HTML5 fullscreen FTW. This seriously sounds easier to me than writing a key logger. As illustration: http://feross.org/html5-fullscreen-api-attack/
full member
Activity: 154
Merit: 100
How much security does Yubi key really add if your PC is compromised?
I'm not sure I fully understand this; if the attacker has root access to my PC, he can show me whatever he wants, and send something else to Mt Gox. All he would have to do is wait for me to do whatever transaction that requires the yubi key, provide Mt gox with a different transaction instead, show me the challenge for that fraudulent transaction and make me confirm it.
I'm no expert, never used mtgox or yubi key, but what am I missing?
That is a man-in-the-middle attack, for which the attacker needs a full implementation of a specific website to mimic the behavior, and at the same time, not only gain admin rights on your computer and install a key logger, but also change your browser in a very specific way (for spoofing that specific website, they either install a fake certificate authority or disable the function and at the same time make the browser behave like normal).
And doing all these without any infected syndrome.
If the attacker has this capability, they should start their own business rather than stealing money, way more profitable.
Really doesn't seem that complicated to me, doesn't require a custom browser or even a key logger. Heck, you can probably pull it off with something as simple as a greasemonkey script. And yeah, someone knowledgeable might notice that, but those are the people that don't get infected very often in the first place.


They also have a very short-term window (in the case of Google Authenticator) to attack. (I believe in the case of MtGox, once you disable your 2-factor, you are disallowed to withdraw for some period, so tricking you into entering a one-time password could not be used to disable the whole 2-factor authentication; they need to immediately use your one-time password and send a withdraw request.)

And they need to change the browser behavior, since you can not just spoof a website without security warning if browser certificate infrastructure is unchanged.

Adding a certificate authority should trigger a security warning in most operating systems and ask for the admin password on the fly. So the attacker needs to disable these features as well.

Seems a lot of job to me. Of course doable, but way more secure than just have your online password stolen and you are f*cked.
legendary
Activity: 980
Merit: 1040

How much security does Yubi key really add if your PC is compromised?

I'm not sure I fully understand this; if the attacker has root access to my PC, he can show me whatever he wants, and send something else to Mt Gox. All he would have to do is wait for me to do whatever transaction that requires the yubi key, provide Mt gox with a different transaction instead, show me the challenge for that fraudulent transaction and make me confirm it.

I'm no expert, never used mtgox or yubi key, but what am I missing?
That is a man-in-the-middle attack, for which the attacker needs a full implementation of a specific website to mimic the behavior, and at the same time, not only gain admin rights on your computer and install a key logger, but also change your browser in a very specific way (for spoofing that specific website, they either install a fake certificate authority or disable the function and at the same time make the browser behave like normal).

And doing all these without any infected syndrome.
If the attacker has this capability, they should start their own business rather than stealing money, way more profitable.

Really doesn't seem that complicated to me, doesn't require a custom browser or even a key logger. Heck, you can probably pull it off with something as simple as a greasemonkey script. And yeah, someone knowledgeable might notice that, but those are the people that don't get infected very often in the first place.
full member
Activity: 154
Merit: 100

How much security does Yubi key really add if your PC is compromised?

I'm not sure I fully understand this; if the attacker has root access to my PC, he can show me whatever he wants, and send something else to Mt Gox. All he would have to do is wait for me to do whatever transaction that requires the yubi key, provide Mt gox with a different transaction instead, show me the challenge for that fraudulent transaction and make me confirm it.

I'm no expert, never used mtgox or yubi key, but what am I missing?
That is a man-in-the-middle attack, for which the attacker needs a full implementation of a specific website to mimic the behavior, and at the same time, not only gain admin rights on your computer and install a key logger, but also change your browser in a very specific way (for spoofing that specific website, they either install a fake certificate authority or disable the function and at the same time make the browser behave like normal).

And doing all these without any infected syndrome.
If the attacker has this capability, they should start their own business rather than stealing money, way more profitable.
vip
Activity: 756
Merit: 503
How much security does Yubi key really add if your PC is compromised?

I'm not sure I fully understand this; if the attacker has root access to my PC, he can show me whatever he wants, and send something else to Mt Gox. All he would have to do is wait for me to do whatever transaction that requires the yubi key, provide Mt gox with a different transaction instead, show me the challenge for that fraudulent transaction and make me confirm it.

I'm no expert, never used mtgox or yubi key, but what am I missing?
You are right in the case of a sophisticated attacker, but most of them are script kiddies who log only username and password. With Yubi key or Google Authenticator you prevent most attacks imo.
BCB
vip
Activity: 1078
Merit: 1002
BCJ
PGP won't be widely used until there are better libraries and it is easier to implement and use.
hero member
Activity: 756
Merit: 522
The unspoken underlying fear is that one might have their funds disappear and be in a "he said she said" war with Gox as to how the withdrawal actually occurred. If MtGox adopts policy and procedures that ensure that all withdrawals can be positively accounted for, and that instant withdrawals to arbitrary addresses are easy to limit, it literally reduces the customer's negative fear of unauthorized withdrawal.

Doesn't seem there's much better a way to do this than PGP really.
legendary
Activity: 980
Merit: 1040
How much security does Yubi key really add if your PC is compromised?

I'm not sure I fully understand this; if the attacker has root access to my PC, he can show me whatever he wants, and send something else to Mt Gox. All he would have to do is wait for me to do whatever transaction that requires the yubi key, provide Mt gox with a different transaction instead, show me the challenge for that fraudulent transaction and make me confirm it.

I'm no expert, never used mtgox or yubi key, but what am I missing?
full member
Activity: 164
Merit: 100
Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.
Read the posts again, and you will notice that your comment is out of place. He makes a false claim that MtGox is "hacked" and that he was using Yubikey. He did not yet correct the title of the thread as of this moment. It is misleading, it spreads unjustified panic, and it is everybody's waste of time.
I am sorry for his loss, and I do hope the thief is caught, but please act with some integrity.


First off, my comment was not about the correct or incorrect title, it was about all those other posts that were made.

Secondly, I wrote "their account gets hacked", which is a neutral term as to where the security break was, his pwd or Mt Gox.


Bottom line is, that thread, as well as many other "Gox account hacked" threads, is full of namecalling and unintelligent BS in order to belittle the OP.

I am not saying that the Mob should turn on Gox, but I see a systematic behavior of "some elements in the community" that kick on ppl that get hacked, calling them stupid and worse.

And I figured I would at least write one post that says that this behavior should end.


/GoK
legendary
Activity: 1806
Merit: 1003
You can use google authenticator on your box account. It's free for browser and smart phone.
That's what I resorted to when my yubi key never showed up.
How is google authenticator different from Yubi Key?

I think it's more convenient since you always have your phone. Plus it's free.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
You can use google authenticator on your box account. It's free for browser and smart phone.
That's what I resorted to when my yubi key never showed up.
How is google authenticator different from Yubi Key?
You can back up the code at the time of setup; if your phone is lost or broken you can set everything up again easily. Not so easy with yubikey. Having said that, yubikey introduces less risk of security holes than an android phone.
full member
Activity: 154
Merit: 100
You can use google authenticator on your box account. It's free for browser and smart phone.
That's what I resorted to when my yubi key never showed up.
How is google authenticator different from Yubi Key?
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.
Read the posts again, and you will notice that your comment is out of place. He makes a false claim that MtGox is "hacked" and that he was using Yubikey. He did not yet correct the title of the thread as of this moment. It is misleading, it spreads unjustified panic, and it is everybody's waste of time.
I am sorry for his loss, and I do hope the thief is caught, but please act with some integrity.
legendary
Activity: 1288
Merit: 1227
Away on an extended break
I am really astonished about the level of abuse that some Forum members subject the people that get their accounts hacked for.

Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.

Is it not enough that he/she lost their Bitcoins?


I am also surprised that Mt Gox has such a high standing in the community that anyone that does not talk favorably about them get
their threads spammed and again are called names and worse.


Please, think before you post and don't post drunk.

/GoK
Title is misleading. He got hacked not MtGox.

Very Misleading, Please fix!

Agreed. Added a single word.
sr. member
Activity: 364
Merit: 250
I am really astonished about the level of abuse that some Forum members subject the people that get their accounts hacked for.

Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.

Is it not enough that he/she lost their Bitcoins?


I am also surprised that Mt Gox has such a high standing in the community that anyone that does not talk favorably about them get
their threads spammed and again are called names and worse.


Please, think before you post and don't post drunk.

/GoK
Title is misleading. He got hacked not MtGox.

Very Misleading, Please fix!
vip
Activity: 756
Merit: 503
I am really astonished about the level of abuse that some Forum members subject the people that get their accounts hacked for.

Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.

Is it not enough that he/she lost their Bitcoins?


I am also surprised that Mt Gox has such a high standing in the community that anyone that does not talk favorably about them get
their threads spammed and again are called names and worse.


Please, think before you post and don't post drunk.

/GoK
Title is misleading. He got hacked not MtGox.
hero member
Activity: 756
Merit: 522
I am really astonished about the level of abuse that some Forum members subject the people that get their accounts hacked for.

Someone posts that their account gets hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.

Is it not enough that he/she lost their Bitcoins?

Actually I was considering starting a fund to pay people to abuse those who "got hacked" further. There's certainly not enough of it being done naturally.

That aside, wasn't muchly aware of such a great standing of MtGox? Perhaps you're confusing Inaba's unpopularity with MtGox's popularity?