Topic: Newbie Experience with MtGox - page 2. (Read 3241 times)

AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication).

I would agree that there are simple things MtGox could do to improve security - for example, like requiring a 2nd password for withdrawal above a limit, or making withdrawals wait a little while to give you time to blow the whistle, or requiring a PGP signature to withdraw.  On the other hand, if you have a compromised machine, or a compromised e-mail account, none of this will be much help.

Yep, I agree with you, I have learned my lesson and will definitely use a Yubikey.  I will not use MtGox as they have many security flaws in their system.  I've never had my bank accounts, equity accounts, or even email accounts hacked, because of basic security precautions taken by those companies.  Would be really easy for MtGox to avoid issues like this with a simple email confirmation.

I thought it might help to post the hijacker's transactions on my account, and how it wasn't necessary to authorized or confirm these transactions by MtGox.

Purchases

Tue 13 Dec 2011 03:29:47 PM GMT    Spent    BTC bought: [tid:1323790187459527] 6.84700000 BTC at $3.22000    $22.04734    $0.68522

Tue 13 Dec 2011 03:29:03 PM GMT    Spent    BTC bought: [tid:1323790143318090] 32.79614017 BTC at $3.22000    $105.60357    $22.73256

Tue 13 Dec 2011 03:29:03 PM GMT    Spent    BTC bought: [tid:1323790143203780] 160.98640384 BTC at $3.22000    $518.37622    $128.33613

Tue 13 Dec 2011 03:29:03 PM GMT    Spent    BTC bought: [tid:1323790143159223] 19.89999999 BTC at $3.21899    $64.05790    $646.71235

Tue 13 Dec 2011 03:29:03 PM GMT    Spent    BTC bought: [tid:1323790143032510] 43.85985600 BTC at $3.21899    $141.18444    $710.77025

Tue 13 Dec 2011 03:29:02 PM GMT    Spent    BTC bought: [tid:1323790142989042] 0.99400000 BTC at $3.21898    $3.19967    $851.95469

Tue 13 Dec 2011 03:29:02 PM GMT    Spent    BTC bought: [tid:1323790142956975] 22.00000000 BTC at $3.21000    $70.62000    $855.15436

Withdrawals:

Tue 13 Dec 2011 03:30:01 PM GMT    Withdraw    Bitcoin withdraw to1NMBnbywM8KBppQxictvQKmyPz2uUSqJ79    6.81831800 BTC    0.00000000 BTC

Tue 13 Dec 2011 03:29:15 PM GMT    Withdraw    Bitcoin withdraw to 19HiW7hqsm2E4sqJK8wnfG9TCEyiPG2hVT     282.54000000 BTC    0.00760710 BTC

Unless you boot your computer freshly from a live CD or have just barely installed an OS, the moment anyone starts browsing the internet at large, there is no way they can be certain they don't have a keylogger on their machine.  Bitcoin is known to malware authors, and they will target bitcoin-related passwords.  If you get keylogged, you will never have any way to prove or disprove that that's what happened.  Likewise, MtGox isn't going to be able to either - the only thing they can do is say that somebody from IP address x.x.x.x logged in and withdrew your funds to address X.

This is why I have a Yubikey.  I am conscientious and practice safe computing habits, but you never know when you're going to get compromised by the next "0-day" vulnerability.  Safe computing means assuming your computer is probably compromised all of the time and planning accordingly to reduce your risk.  (For example, not only do I use Yubikey, the computer I use to log in to MtGox and transacting Bitcoins is absolutely NEVER used for surfing the web, because I believe a computer not used for web surfing is far less likely to be compromised).

The Yubikey is far from perfect - but it is pretty effective against keyloggers and makes you a far more challenging target for hackers.  It is also pretty powerful because the physical key has two modes, one for generating login passwords and one for generating withdrawal passwords.  A Yubikey code generated for a login won't work for a withdrawal, so even if somebody breaks into your account, they can't do anything with it (other than trade) without a code they're far less likely to have a chance at getting.

Thanks for the input.  I didn't think 1k was a lot to mess around with and I thought it was a good time to buy.  MtGox has completely lost my trust and as the #1 exchange, it's amazing that they have so many flaws in their system. 

How do they let you change your account email, which is main method to confirm your identity, so easy?  Once the hacker did that, it was easy for them to "reset" a new password.  The withdrawal email stated that I should reply immediately if I didn't authorize the trade, which I did to no avail.  Why would they put that in emails if it doesn't work?  I'm afraid to buy bitcoins as I'm confident Mtgox lack of security will cause another massive BTC crash.

Hi Greed,

Not sure how the hacker accessed my account.  The only thing I received was one notice that there was a withdrawal from my account, which I immediately responded to.  After that, I couldn't access my account, the hacker changed everything, my email, password, etc..  Which I can't believe is possible in the account setting without confirmation from the old email.  I emailed MtGox so many times to freeze my account immediately after the withdrawal email, but didn't hear back until 2 days later and it was too late.  I'll never use MtGox again, in my opinion, they're irresponsibility is the reason we had the BTC crash.

Hello, this happened three days ago.  My password was very strong and never compromised.  I would love to know myself how my account was hijacked.  I've continued to ask support for help, but they are doing nothing, other than restoring my original email.  There were several withdrawals on my account, all done within minutes, the largest withdrawal was 258btc.  The problem I have is that the hijackers was able to use my $ to buy bitcoins with several transactions, and make several withdrawals, all without confirmation from me and within 20 minutes total.  MtGox has destroyed the BTC market, and I feel they will continue to compromise the overall market for BTC.   

The current limit is 400 BTC or $1K

I would also be one to mention that if the limit is 100 BTC per day, how did the attacker get more than that in a single day, and if not, what's the limit?

Holy shit. Sorry for your loss. I hope you've haven't completely lost your faith in bitcoin due to Mtgox :/

How did the attacker know to recover from your account? Were you talking to people somewhere about how much cash you had in your account, or was this just some one-time happenstance thing?

US$1k isn't a lot to have sitting in an account, but it is enough to be annoying to have stolen.  Trying to play with $50 or 10 BTC is tiny, especially if you are moving things between exchanges and it takes an age for that to happen at times.

Yes, yubikeys and the like help, but having an exchange with some responsibility to users against negligence would also be an improvement.  I've struck several exchanges that didn't want to help when their systems were at fault, and I've been lucky to escape them before losing too much money (BitPLN and Bitcoin7). 

Also, bear in mind Mt.Gox is about 85% of the exchange market and assess if you think they are over-represented in the problems that keep recurring.  When I trade their I work on the belief that I might not get my money out.  I can't make a positive accusation, but they are not my #1 preferred place to transfer anything of value.

I would agree, the Yubikey is a very strong shield against this kind of attack.

THey should promote it more.  In a way they do - the way I got my Yubikey is I was offered a free one after I made a fairly large deposit.  I took it.  In retrospect, if I felt about yubikey then the way I do now, I'd have gladly paid for one.

The Yubikey ships from Japan, but they ship it with express mail kind of shipping, so it gets to the US pretty fast.  It is worthwhile if you're going to do anything serious with bitcoins.

Others argue correctly that the Yubikey won't do squat if MtGox itself is compromised, but the risk of one's password getting compromised or keylogged is a constant presence outside of the control of MtGox, and of course, the issue at hand in this case.

When did this happen?  Did you use the same password on multiple systems? Did you use a crappy short password?

I'm not trying to 'blame the victim' here - but in most cases it does seem to turn out that the user was using woefully inadequate passwords, or that the security breach was on the user's side, so please let us know if you have any information on how your 'account was hacked'.

Also - there is a daily withdrawal limit in place on most mtgox accounts.. are you saying that all 300 or so disappeared at once - or that this happened over a period of time?

How much followup have you done with mtgox support?

I don't keep much of a balance in Mt. Gox.  At most, I've had about $50 in USD and no more than 10BTC.  Once I buy BTC, I generally send it immediately to my personal encrypted wallet. Sorry to hear about your loss and I'm disturbed to hear that Mt.Gox doesn't have better security policies.  You'd think they'd have learned something after the mid-summer crash.  I'm feeling more comfortable with TradeHill now (met one of the founders recently, and he's a real straight-arrow).  Haven't tried Crypto X Change, but may give them a look.  I like seeing more competition in the BTC exchange market!

Sorry to hear of your financial loss.

MtGox has a ticket-based support system.  Have you opened a ticket?
  http://support.mtgox.com

Withdrawals are limited based on the exchange's default AML related limits.  It used to be a fairly low BTC level, like 100 BTC per day.  I don't know what the threshold is nowadays.

The exchange does encourage the use of Yubikey:
 - https://yubikey.mtgox.com/

Yes, thank you for the advice.  It wasn't that I had so many bitcoins, I actually had none, it was that I had about $1k in cash, ready to buy up bitcoins.  The hijacker bought up the bitcoins with my cash and then withdrew.  I was just shocked that there were no safety precautions with MtGox, no fail safe, no way to stop the transaction.  Ultimately I was locked out of my account and the hijacker was free to do whatever they want.  There should be a Freeze account option with MtGox.

That's really unfortunate, sorry for your troubles. 
You should try not to keep so many BTC in the same place though, unless you're immediately going to execute a trade.. A bit late for that, I know, but don't let this one bad experience turn you off BTC completely. Keep an encrypted wallet file on a USB key, or encrypted with something like Kleopatra, and never keep all your BTC in the same wallet.
Hope you can get some sort of resolution with Mt. Gox though.

I'd like to share my recent experience with MtGox.  I deposited about $1k to mess around with.  I purchased 45 bitcoins with no problem.  Then two days ago, I get an email stating that there's been a withdrawal from my account and that if I didn't authorize it, I should reply immediately.  I replied immediately telling them to freeze my account.  Then I tried to login to MtGox, couldn't and my IP was blocked.  Furthermore, I tried password recovery but that was also blocked.  Turns out someone hijacked my account, changed the email and password, cashed all my money for bitcoins and withdrew everything, about 300 bitcoins.  I can't believe you can change the email and password of an account without confirmation from the original email.  Anyway, my support ticket is closed and my account is empty.  Thanks MtGox.