
Topic: *MY* Mt Gox Account was Hacked - lost it all today... now what!? - page 3. (Read 9952 times)

full member
Activity: 164
Merit: 100
I am really astonished at the level of abuse that some forum members subject people whose accounts get hacked to.

Someone posts that their account got hacked and all of a sudden that person is called a lot of names ranging from stupid to much worse.

Is it not enough that he/she lost their Bitcoins?


I am also surprised that Mt Gox has such a high standing in the community that anyone who does not talk favorably about them gets their threads spammed and again is called names and worse.


Please, think before you post and don't post drunk.

/GoK

hero member
Activity: 756
Merit: 522
title should read:

"I was surfing porn, downloaded a key logger and now I don't have any more coins in my Mt. Gox account."

MY PRONSITE WAS HACKED
full member
Activity: 196
Merit: 100
Another block in the wall
title should read:

"I was surfing porn, downloaded a key logger and now I don't have any more coins in my Mt. Gox account."

LOL.
BCB
vip
Activity: 1078
Merit: 1002
BCJ
title should read:

"I was surfing porn, downloaded a key logger and now I don't have any more coins in my Mt. Gox account."
legendary
Activity: 1064
Merit: 1001
I'll give a reward if I can find out who this person is so I can beat the **** out of them!

If there's anyone who should be beat, it should be YOU for this fucking misleading thread title!

MtGox DID NOT GET HACKED and all you're doing is stirring shit.

vip
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Even just offering the option to assign one pre-determined bitcoin address would provide an equivalent level of security, even if you did no PGP automation whatsoever.  The pre-determined bitcoin address could either be a) withdrawn to directly, or b) for those who know how to sign messages, it could be used to sign a message that permits withdrawal to some other address.  All of this could be evaluated in any environment already accustomed to working with bitcoin keypairs.

We could easily add the "limit to one bitcoin address" thing, but there is a problem with the bitcoin message signature process that makes it difficult to implement (last time I checked the bitcoin message signature uses a different way of signing compared to transactions to make shorter signatures, but it's been an issue).

This would still be a much easier problem to solve than, say, adding a dependency on PGP, given that all the necessary code can be lifted directly from the current build of bitcoind.

And signing aside, simply allowing one the option to restrict their account so that instant bitcoin withdrawals can only go to a single bitcoin address would be of trivial complexity and yet would result in an enormous leap in practical security.  That may not work for some, but for others, it is so simple to understand as to be a meaningful confidence builder.  If you ask people to write that bitcoin address on their AML docs as they send them in, you've got a bulletproof paper trail connecting the withdrawal address to the customer.

The unspoken underlying fear is that one might have their funds disappear and be in a "he said she said" war with Gox as to how the withdrawal actually occurred.  If MtGox adopts policy and procedures that ensure that all withdrawals can be positively accounted for, and that instant withdrawals to arbitrary addresses are easy to limit, it literally reduces the customer's fear of unauthorized withdrawal.
donator
Activity: 2772
Merit: 1019
OP: Don't listen to people moaning about how we had been thinking we had a Mt.Gox breach even with a Yubikey in use and that turning out not to be the case. It's just good that we've been told now and can stop worrying :-)

yeah, true, sorry JMcGrath for being a bit harsh before. Thanks for telling us you probably hadn't linked the yubikey.
vip
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
You can use Google Authenticator on your box account. It's free for browser and smartphone.
That's what I resorted to when my Yubikey never showed up.

The difference is that MtGox has no way to prove someone's use of GA or Yubikey actually took place. It is on MtGox's honor.

A system where MtGox could respond to allegations of fraudulent withdrawals by publishing a signed withdrawal request totally and instantly exonerates Gox against claims of being hacked, and is good for market confidence all the way around.
vip
Activity: 571
Merit: 504
I still <3 u Satoshi
You can use Google Authenticator on your box account. It's free for browser and smartphone.
That's what I resorted to when my Yubikey never showed up.
hero member
Activity: 900
Merit: 1000
Crypto Geek
OP: Don't listen to people moaning about how we had been thinking we had a Mt.Gox breach even with a Yubikey in use and that turning out not to be the case. It's just good that we've been told now and can stop worrying :-)

Sounds like this might have been a generic Yubikey and not the Gox one that has to be used with the site.

Remember though folks, if you're trading on Gox that means you're banking. And I don't think fast and highly frequent deposits and withdrawals are feasible.
vip
Activity: 1316
Merit: 1043
👻
Even just offering the option to assign one pre-determined bitcoin address would provide an equivalent level of security, even if you did no PGP automation whatsoever.  The pre-determined bitcoin address could either be a) withdrawn to directly, or b) for those who know how to sign messages, it could be used to sign a message that permits withdrawal to some other address.  All of this could be evaluated in any environment already accustomed to working with bitcoin keypairs.

We could easily add the "limit to one bitcoin address" thing, but there is a problem with the bitcoin message signature process that makes it difficult to implement (last time I checked the bitcoin message signature uses a different way of signing compared to transactions to make shorter signatures, but it's been an issue).

Add optional "withdraw to one address only".

Add 48 hour delay before changing the addresses, during which you'd get two emails, and see a giant warning when you log in.
vip
Activity: 608
Merit: 501
-
Even just offering the option to assign one pre-determined bitcoin address would provide an equivalent level of security, even if you did no PGP automation whatsoever.  The pre-determined bitcoin address could either be a) withdrawn to directly, or b) for those who know how to sign messages, it could be used to sign a message that permits withdrawal to some other address.  All of this could be evaluated in any environment already accustomed to working with bitcoin keypairs.

We could easily add the "limit to one bitcoin address" thing, but there is a problem with the bitcoin message signature process that makes it difficult to implement (last time I checked the bitcoin message signature uses a different way of signing compared to transactions to make shorter signatures, but it's been an issue).
legendary
Activity: 1288
Merit: 1227
Away on an extended break
If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require a PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have indisputable, conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

However: what's the difference between having one's password stolen and having one's PGP key stolen and passphrase key-logged?

The difference is the attacker wouldn't have the PGP private key.
By PGP key he would mean the private key, of course. Who needs to steal public keys?
newbie
Activity: 59
Merit: 0
If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require a PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have indisputable, conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

However: what's the difference between having one's password stolen and having one's PGP key stolen and passphrase key-logged?

The difference is the attacker wouldn't have the PGP private key.
donator
Activity: 2772
Merit: 1019
If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require a PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have indisputable, conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

That's a good idea.

However: what's the difference between having one's password stolen and having one's PGP key stolen and passphrase key-logged?

In other words: MtGox even in this case has proof the withdrawal was authorized (albeit not as strong, it could be faked by Gox) by means of a successful login with password.

So while this puts MtGox in a more comfortable situation, this is only better for the user if he protects his PGP key better than his password.
donator
Activity: 2772
Merit: 1019
Thanks for the info guys, this really ruined my day! I am already screwed with bills and stuff and then I log in to find this... ugh

Could this have anything to do with my Yubikey being broken and reported lost? I never got a chance to actually use it on Mt Gox so I don't really know what happened there!?

So you never linked your Yubikey to your MtGox account. Well, don't talk about your account "with Yubikey withdrawal protection activated" being hacked, then, dude.

Sorry 'bout your loss, but don't lie to us.
vip
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require a PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have indisputable, conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

We considered this, but the lack of a proper PGP lib (the only few libs around will try to create stuff in $HOME and don't allow us to store/provide the public keys easily) or appropriate technical documentation on the signature format (it mostly says "read the source") forced us to delay this.

Even just offering the option to assign one pre-determined bitcoin address would provide an equivalent level of security, even if you did no PGP automation whatsoever.  The pre-determined bitcoin address could either be a) withdrawn to directly, or b) for those who know how to sign messages, it could be used to sign a message that permits withdrawal to some other address.  All of this could be evaluated in any environment already accustomed to working with bitcoin keypairs.

Either way, the benefit to MtGox is instant vindication of any questionable withdrawal that goes through.  Further, the moment anyone releases a hardware bitcoin wallet, you can bet that this will end up supported as a bonus feature.
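To make the signed-withdrawal-request scheme and the "withdraw to one address only" option discussed in this post concrete, here is an added example (not code from MtGox or from anyone in the thread): the customer signs a pre-generated message naming the destination address, and the exchange verifies it against the registered key and registered address before paying out, keeping message plus signature as publishable proof. It uses Ed25519 in place of PGP or bitcoin message signing, and the account id, addresses and amounts are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Withdrawal is the pre-generated message the customer signs; the exchange archives
// message+signature and can publish both if the withdrawal is later disputed.
type Withdrawal struct {
	Account string `json:"account"`
	Dest    string `json:"dest"`  // destination bitcoin address
	Amount  int64  `json:"sat"`   // satoshis
	Nonce   uint64 `json:"nonce"` // strictly increasing per account; blocks replay
}

// Customer is the exchange's record: registered public key, the optional
// "withdraw to one address only" setting ("" = any address) and the last nonce seen.
type Customer struct {
	PubKey       ed25519.PublicKey
	WithdrawAddr string
	LastNonce    uint64
}

// Sign runs on the customer's side, wherever the private key lives.
func Sign(priv ed25519.PrivateKey, w Withdrawal) (msg, sig []byte) {
	msg, _ = json.Marshal(w)
	return msg, ed25519.Sign(priv, msg)
}

// Authorize runs on the exchange. A stolen password alone cannot pass it: the request
// must be signed by the registered key, target the registered address and be fresh.
func Authorize(c *Customer, msg, sig []byte) ([]byte, error) {
	var w Withdrawal
	if err := json.Unmarshal(msg, &w); err != nil {
		return nil, err
	}
	switch {
	case !ed25519.Verify(c.PubKey, msg, sig):
		return nil, fmt.Errorf("rejected: bad signature")
	case c.WithdrawAddr != "" && w.Dest != c.WithdrawAddr:
		return nil, fmt.Errorf("rejected: destination is not the registered address")
	case w.Nonce <= c.LastNonce:
		return nil, fmt.Errorf("rejected: replayed request")
	}
	c.LastNonce = w.Nonce
	return append(append([]byte{}, msg...), sig...), nil // proof to archive and publish
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	c := &Customer{PubKey: pub, WithdrawAddr: "1ExampleRegisteredAddr"} // constructed sample
	msg, sig := Sign(priv, Withdrawal{"acct-42", "1ExampleRegisteredAddr", 100000, 1})
	fmt.Println(Authorize(c, msg, sig))
}
```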
donator
Activity: 1055
Merit: 1020
I'm sorry if my posts sound a little all over the place, I'm a little on edge here myself so I'll try to be as clear as possible...

* Yes I did have a Yubikey and *thought* I registered it
* I just spoke with Mt Gox and they are claiming that I never had a registered Yubikey
* They provided the IP Address of the person, but it comes up all over the world when I search it
* I know I tried to register my yubi when I got it so I *suspect* there is a fault where it is not "sticking" the first time around as you stated

Where did you get the Yubikey from?  Could you have bought it from a third party that asked for your username/password and you sent it to them via email or on a website?  Also what is the IP address of the attacker that Mtgox gave you?
hero member
Activity: 900
Merit: 1000
Crypto Geek
If this guy was using a Yubikey does that mean that Yubikeys are not a reliable protection against Windows virii? It's easy to cloak logging apps and there's a lot of crackers around Bitcoin.

Can this guy assume his install is cracked?
How can he search for whatever may have caused the breach?
Is there a Gox grabbing trojan out there we know about?
Has he installed the Gox app on a phone? (I think that's a risk)
newbie
Activity: 24
Merit: 0
PGP sounds like a great additional feature, the more the better. Allow the end user to decide what is preferable to them.