Topic: *MY* Mt Gox Account was Hacked - lost it all today... now what!? - page 4. (Read 9952 times)

True it doesn't provide more security than a strong passphrase (not repeated on any other site) but it does provide irrefutable proof that your key was compromised.   It simply is not possible for a compromise on MtGox end to result in a properly signed message.  The hacked user and the community at large have absolute proof that the fault lies with the user.  2FA should be an optional security enhancement for PGP.  I would also point out that security conscious users can use smart cards with hardware independent keypad to protect PGP private key from keyloggers.

Google Authenticator is Free to use at a few exchanges including Mt Gox. Use it. I wish more exchanges would implement Google Authenticator.

If the computer is compromised can we presume the PGP certificate with corresponding password can also get stolen? I use Google Authenticator and I think it's better unless my phone + computer get compromised by the same hacker.

Glad to see you are at least considering it.  For the record if/when you ever implement a PGP signed message system I would prefer it be in addition to 2FA.  I.e. withdraw requires a PGP signed message PLUS sucessful 2FA challenge.  The PGP signed message creates irrevocable proof of the transaction and the 2FA (google authenticator) provides additional security in the event the PGP key is compromised.   While your at it throw in the ability to create multiple logins (w/ different security permissions) for a single account and optional dual authentication (not to be confused with 2FA) for withdrawals and you would have better security than most corporate banking platforms!

Also since you are reading this thread .... Generating a MtGox code can be properly protected by 2FA challenge (I love it you are one of the few exchanges which do it RIGHT) however one can view the "redeem code" page without 2FA authentication.  This create a potential method to compromise codes before redeemed.  User generates a code and before the counterparty redeems it the attacker (possibly alerted due to compromised email) logs in and redeems the code.  There are two simple solutions (one simpler and more limited).  The easiest method is perform a 2FA challenge when viewing the redeem code page.   The more comprehensive option would be to allow viewing the page but the code is redacted.  User can redeem code but clicking "view code" results in a 2FA challenge.

Mostly a security reason. Anyone could create a bitcoin-related site that claims to accept yubikeys and actually log the used codes to try these later on other related websites.

It would also make us dependend on Yubico's server, making these an even greater target than they already are. Yubikey allows security by decentralization, allowing each operator to run their own auth servers.

We will still eventually allow people who understand the risks to add their yubikey on MtGox eventually, but this has lower priority.


We considered this, but the lack of proper PGP lib (the only few libs around will try to create stuff in $HOME and doesn't allow us to store/provide the public keys easily) or appropriate technical documentation on the signature format (it mostly says "read the source") forced us to delay this.

If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have undisputable conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

Put another way, if MtGox's withdrawal had just the same security we have on our IRC channel we use for chatting, confidence would be increased, as we'd have less fear of being stuck in a situation where money has been withdrawn with no way to convince anyone that we didn't do it ourselves.

I say first hand that anything that can be done to increase the confidence in security of funds stored in MtGox will directly correspond to a greater willingness to leave funds in MtGox.

In fact, implementing this idea would put MtGox in an even better position: in the event a hacker really managed to compromise a PGP key and forge a signature on a withdrawal, I think most people in this community would consider it 100% reasonable for MtGox to say "here's his signed request...sorry he's SOL!...do a better job of securing your PGP key next time"... far more than "sorry you must have gotten keylogged or something."

On the subject of Yubikeys, why doesn't MtGox allow plain Yubikeys to be registered with their service?

As we could see thanks to this ticket number, the hacker gained access to the account on first try (ie. already had the correct password on hand). We also confirmed there was no Yubikey linked to this account nor was one ever registered.

I wonder if JMcGrath is not talking about a Yubikey he bought himself separately, in which case there is no way to "link it" to a MtGox account (only Yubikeys delivered by MtGox work on MtGox). Either way there was no order for a MtGox Yubikey on the account's history.

I would rather suspect phishing or hacked computer (key logger/etc). As usual, having a Yubikey or TOTP device linked to the account and enabled would have helped a lot.

I'm sorry if my posts sound a little all over the place, I'm a little on edge here myself so I'll try to be as clear as possible...

* Yes I did have a Yubikey and *thought* I registered it
* I just spoke with Mt Gox and they are claiming that I never had a registered Yubikey
* They provided the IP Address of the person, but it comes up all over the world when I search it
* I know I tried to register my yubi when I got it so I *suspect* there is a fault where it is not "sticking" the first time around as you stated

JMcGrath,

First you state yubikey was active
then you state maybe it wasn't
Not this new posts state it didn't stick for them the first time they activate it so maybe that happened to you.

Point it bitcoin hacks happen.  Could be a virus or keylogger on your system or a MIM attack. 

Regardless this is almost impossible with yubikey activated.

If you were hacked with yubike active that it a problem

If mt gox's yubikey activation process it faulty that it a problem.

Just looking for the Facts.

In my case on initial enabling of 2FA for withdrawals the setting did not stick.  Although the security center reported 2FA was enabled I had to cycle, disable it, then re-enable for it to take effect.


So, I'm suspicious.

I sound sketchy?

I lost a good amount of money today and I'm kinda freakin out I'm just trying to figure out wtf happened! I don't know if that yubi was ever actually activated, I set it for withdrawals only but I never withdrew any money or bitcoins yet so I never actually got to "use" it. I'm trying to figure out if it was ever indeed registered or not...

Anyways, there is a support ticket and they have the information. Basically they told me I'm screwed and to file a police report and send them a copy. Still waiting to hear back about the status of the yubikey however.


Oh btw, that was my question as well - do they lock you out for using the wrong pw x amount of times? If so, then this person got my info in some other way but considering I don't use that same password ANYWHERE ELSE, it would have to be a keylogger or something for them to have gotten the PW. If it was a bruteforce attack, why didn't gox stop the repeated attempts? It wasn't an easy PW to figure out!

A question: Is it possible to un-link your yubikey from your account without use of your yubikey?

If the connection is hijacked, and the hacker keeps the connection after the customer has locked out will he be able to un-link the yubikey without needing to use it to verify?

Maybe Gox could be more proactive:

Disallow withdrawals without yubikey or google auth completely, make it mandetory for both BTC and cash maybe after a trial period?

have a ping trace log on each account, which they might already have, but with automation to block account withdrawls if routing is different and let it demand a new yubikey press. (you can still trade while on vaccation).

Is the API authentication safe? They don't use yubikeys.

Mt.Gox has a kind of panic button now. If you fail log in 3 times, you are locked out for 24 hours. Is that protection if people start posting about a massive hack underway?

Now you sound sketchy.  

Just tell the truth to mt gox and report back.

I would be very surprised if you intact and activated yubikey was indeed compromised.

Thanks for the info guys, this really ruined my day! I am already screwed with bills and stuff and then I log in to find this... ugh

Could this have anything to do with my Yubikey being broken and reported lost? I never got a chance to actually use it on Mt Gox so I don't really know what happened there!?

MagicalTux runs Mt Gox so if your yubi key was indeed compromised or not active it will be addressed.

Again pls keep us posted.

Gotcha, I guess I could post the ticket number here - no sensitive info in that ticket

Not to mention, nothing left in my account now anyways!  

#50629

Haven't heard anything back from anyone at Mt Gox yet on it though...

Sorry, not sure who you are - plenty of people out their claiming they are someone they are not...

I'm too new to these forums to know who is who

He said to open a ticket with that info and then post the ticket number here, not the info itself. Only gox staff (supposedly) can look at the tickets.

Umm why would I post my login credentials and ticket number here?!