
Topic: My mtgox account got compromised, what can I do? (Read 4467 times)

full member
Activity: 164
Merit: 100
My money on MT.Gox was transferred out, ~2k USD, on the 31st of May.

And there are no logins that match the withdrawal. Did you check if
the logins to your account match the withdrawals before you beat yourself up
about your password?

My thread: https://bitcointalksearch.org/topic/mtgox-account-hacked-lost-2k-usd-mtgox-will-not-explain-how-89142

//GoK
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Reminds me, it's about time that I rotated my main passwords. I'm starting to use LastPass more with generated passwords, but the master password for LastPass is a few years old at this point. Although it is more than 20 characters with caps and numbers, it's still based on a phrase and doesn't have symbols. I'll need to come up with a suitable replacement.
legendary
Activity: 2212
Merit: 1001
It sucks people are getting hacked, but nobody can do anything about it :( so just try to make sure it never happens again.
Of course people can do things to prevent it, but sometimes it takes getting hacked to knock some common sense into them. :)

Well, with nothing backing BTC like the dollar or other fiat (police or fed gov think BTC is "play" money & don't care), you have no recourse in getting your coins or cash back. It's a hacker's paradise (they can suffer no consequences) & will continue to be so. Illegal activities are too easy to get away with in the make-believe land of BTC.

If the exchanges were to make it mandatory for PWs to be ________________ (insert digit amount) or something to that effect, maybe it would make it harder for hackers. Most folks aren't crypto phreaks or super software savvy like a lot of you on this forum. Sorry for me/most of us "outsiders" being so ignorant...

Hell, even exchanges are getting hacked for very large amounts & you'll never see a penny recovered. Will the local gov come & help, yeah right.

Chalk it up to experience ??? You bet, I don't trust anyone or anyplace anymore... My coins stay on my PC & if I do go to trade, it's only long enough for that trade...
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
It sucks people are getting hacked, but nobody can do anything about it :( so just try to make sure it never happens again.
Of course people can do things to prevent it, but sometimes it takes getting hacked to knock some common sense into them. :)
zvs
legendary
Activity: 1680
Merit: 1000
https://web.archive.org/web/*/nogleg.com
I use a piece of paper and password kfdJO$3jO:CXZMnfkcxM$L#@:!
newbie
Activity: 42
Merit: 0
It sucks people are getting hacked, but nobody can do anything about it :( so just try to make sure it never happens again.
sr. member
Activity: 490
Merit: 251
I'd like to see Mt Gox and other bitcoin exchanges offer the free two-factor authentication, Google Authenticator.
As of a few hours before your post, they do ;)

Sweet! Ask and ye shall receive. I'm going to set up authentication now.
legendary
Activity: 2212
Merit: 1001
I got hacked too. So did a new guy that PM'ed me.

This is something to do with MTgox >:(
It was a poor password choice.

Maybe so, but I use something similar with banks & had no problems ever... putting on flame retardant suit ;D

It just dawned on me that Deepbit always sends an email with a confirm link when changing info or withdrawing coins; MTgox needs something similar.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
I got hacked too. So did a new guy that PM'ed me.

This is something to do with MTgox >:(
It was a poor password choice.
legendary
Activity: 2212
Merit: 1001
I got hacked too. So did a new guy that PM'ed me.

This is something to do with MTgox >:(
legendary
Activity: 1204
Merit: 1015
I'd like to see Mt Gox and other bitcoin exchanges offer the free two-factor authentication, Google Authenticator.
As of a few hours before your post, they do ;)
sr. member
Activity: 490
Merit: 251
could just as easily happen again if you don't take precautions.
I'd like to see some measures made for those whose account value is too small to justify the cost of a Yubikey.

I'd like to see Mt Gox and other bitcoin exchanges offer the free two-factor authentication, Google Authenticator.

The following Bitcoin exchanges currently do offer optional two-factor authentication:

BitFloor
Camp BX
Crypto X Change
Mercado Bitcoin
Mt Gox

I think this is a nice optional layer of security to offer for your clients. The 3 methods offered are:

Google Authenticator
SMS Text Message
Yubikey

Of the 3 methods listed above, personally, I prefer Google Authenticator

http://en.wikipedia.org/wiki/Google_Authenticator

I don't like the yubikey because I don't want another piece of hardware.
SMS text message is OK, but I use a prepaid cellphone and have to pay for every text I receive. Being somewhat of a tightwad, I don't like that.

Google Authenticator works on my iPod touch and it's free.

If the cost is free even small accounts can afford to be secure. While it's probably best to just make this an optional level of security, Bitcoin exchanges could make it mandatory for accounts above a certain BTC or fiat currency balance.
TT
member
Activity: 77
Merit: 10
Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.
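
A minimal sketch of the three-point proposal in the post above, with the whitelist gated by the Google Authenticator style TOTP code discussed earlier in the thread. This is an added example, not part of the original post or any exchange's code; the `WithdrawalPolicy` class, its method names and the placeholder addresses are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator uses."""
    mac = hmac.new(secret, struct.pack(">Q", at // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class WithdrawalPolicy:
    """Hypothetical per-account policy object; not any exchange's real API."""

    def __init__(self, totp_secret: bytes):
        self._secret = totp_secret
        self._whitelist = set()
        self._last_step = -1  # highest time step already used (replay guard)

    def _second_factor_ok(self, code: str, now: int) -> bool:
        current = now // STEP
        # Accept the current and previous step for clock skew, each only once.
        for step in (current, current - 1):
            if step > self._last_step and hmac.compare_digest(
                    totp(self._secret, step * STEP).encode(), code.encode()):
                self._last_step = step
                return True
        return False

    def add_address(self, address: str, code: str, now: int) -> bool:
        # Point 3: changing the whitelist requires the second factor.
        if not self._second_factor_ok(code, now):
            return False
        self._whitelist.add(address)
        return True

    def remove_address(self, address: str, code: str, now: int) -> bool:
        if not self._second_factor_ok(code, now):
            return False
        self._whitelist.discard(address)
        return True

    def may_withdraw_btc(self, address: str, has_btc_right: bool) -> bool:
        # Points 1 and 2: a dedicated right, and only whitelisted destinations.
        # Applies to web sessions and API keys alike.
        return has_btc_right and address in self._whitelist
```

A stolen password or API key alone reaches only `may_withdraw_btc`, which never widens the destination set; the replay guard also stops a code observed once from being reused within its validity window.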
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Possibly related - two GLBSE accounts have been compromised recently:
 - https://bitcointalksearch.org/topic/my-mtgox-account-got-compromised-what-can-i-do-84585

possibly bad link - circular link to this thread
legendary
Activity: 2506
Merit: 1010
Possibly related - two GLBSE accounts have been compromised recently:
 - https://bitcointalksearch.org/topic/i-suspect-gpumax-was-compromised-and-passwords-stolen-84893  [URL fixed, thanks Casascius, Kluge]
legendary
Activity: 2506
Merit: 1010
could just as easily happen again if you don't take precautions.

Exactly. I'd switch to the assumption that my system was compromised unless I could prove otherwise. That usually would mean a reinstall and proper security.

I'd like to see some measures made for those whose account value is too small to justify the cost of a Yubikey. Like offering to have a separate password for doing a withdrawal, or the ability to set a grace period on all BTC or redeemable code withdrawals (e.g., an e-mail gets sent out, and the withdrawal can be cancelled up to NN hours before the BTC gets sent or the code gets created).
hero member
Activity: 609
Merit: 501
peace
Please do share so that we can learn from this.
What was your password?
Have you always used the same computer to access MTGOX?

rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Opening more accounts won't help you if you don't fix the problem(s) that caused the issue in the first place. So if you have a strong password and your computer has no viruses etc., there are other ways this could have happened that could just as easily happen again if you don't take precautions.

So do you have any other clues?