I got some NXT a long time ago and kept it tucked away, but with the updated client it seems I didn't have a public key, so I sent a message.. easy enough... my balance was there, but I couldn't forge because it was unconfirmed... so I figure this has something to do with old balances being 'unconfirmed' under the updated protocol until they've seen activity.. So I flip my NXT into another account that I used in the past (tx 3603756272827733121), wait for it to confirm, and as soon as it does the NXT has moved on to an account out of my control (tx 10738856805317237622)...!!!
WTF? I sat here waiting for a confirm to flip it right back, and it vanishes before my very eyes! We're talking within 2 seconds of the first confirmation!
If the network is this compromised, how do you ever expect mainstream adoption... I've had an eye on NXT since the beginning and was really into the new look and feel, the asset exchange, etc.. My interest was building in NXT again (initially less than impressed by the distribution, but it seemed a lot of great work had gone into the protocol..) Too bad.. Nxt looked cool, but as it stands I'm out.. Not sure that this can be called a 2nd generation crypto when it's this vulnerable to theft. I'd say the target audience is even more specialized than bitcoin; the average joe can hardly remember "Password1"!
Sorry for your loss. Can you share the password of your second account? I also find it weird that someone compromised your account that fast.
I would rather not share my 'passphrase' or unique key or whatever you want to call it because it has elements of a common password that I use for low security purposes (i.e. one-use accounts on random forums). It was admittedly a meager 21 chars including dictionary words and spaces.. Much better than a layman's password but not the level of security I usually use (thus why it was a deprecated account/wallet). I haven't been in that account for about 4-5 months and was just using it to bounce my nxt to see if that would get it properly recognized (effective balance was 0 despite having NXT).
The thing that concerns me is that the transaction occurred within 2 seconds of the first confirmation.. It's not like I left nxt sitting around in an insecure account, this was just a brief bounce to try to 'reactivate' my nxt.
The amount is irrelevant in this case - about 250 nxt (all I had), but the fact that it was so rapidly snagged is concerning to say the least.. it made me realize a major flaw for NXT and the layman.. A bot can easily collect a massive list of account keys and related 'security phrases' via brute force (offline so it's undetected), store these, and watch the blockchain for transactions to accounts that fall within its dictionary, then instantly log in and with bot-like speed, snipe those NXT on the first transaction...
One simple question: If you google your password (in quotes, i.e. "blah blah my pass"), how many hits do you get?
If it's in the thousands you might just as well post it here and change your other password.
That's because the hacker had pre-calculated the hash for it, as it is a well-known password already in his database. When his computer saw the transaction to that account, it did an immediate transaction within 2 seconds.
Clearly the pass phrase was in his database. Googling it provides just over 10,000 results, though most include other punctuation. Admittedly more than I expected, but at 21 chars it's still a hell of a lot better than an average joe's "password1". Again - I figured a couple minutes would be safe - more concerned about barriers to usability for the layman than the paltry sum of NXT lost. Wasn't going to take over the world with 250 NXT, it was really just to play with and get a feel for the system / participate in some way.
... (effective balance was 0 despite having NXT)...
Relating to this, your effective balance can be thought of as your forging balance. To forge, you need to wait for 1440 confirmations (roughly 1.5 days).
Until you get 1440 confirmations, effective balance remains at 0 no matter how many Nxt you have in the account. Had you just moved it when you saw this?
(I could probably check most of this on the blockchain but can't right now)
That NXT had been sitting in my wallet since 2013.
Yes, there are Bots monitoring the blockchain for transactions related to accounts with weak passwords.
****
Bots
A Bot in general is an automated computer program. In the case of Nxt, the bots have been programmed to find the account numbers to all accounts associated with Weak Passphrases (such as ‘Dog’, ‘12345’ and ‘opensesame’). They continuously scan the Blockchain looking for Transactions happening in these accounts. Once a Transaction is detected, the Bots then automatically log into the account and move the NXT to an account they control. This often only takes a matter of minutes from the transaction into the account and nothing can be done to retrieve the stolen NXT. It is therefore VERY IMPORTANT to use a Strong Passphrase to ensure that your NXT is not stolen. Also see Brainwallet.
****
Source: Nxt Glossary >>> https://wiki.nxtcrypto.org/wiki/Glossary
Allowing people to use weak passwords was a flaw; clients now create strong diceware passwords for users (you can still enter any password you want but there are extra steps). Sorry for your loss, I'll send you 250 NXT when I get home if no one else has done it before me, just post the address you want it to go to.
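The diceware-style generation mentioned above, alongside an entropy comparison showing why a 21-character phrase built from dictionary words is far weaker than its length suggests, as an added example that is not the Nxt client's code; the miniature word list and the 100k-entry token dictionary size are assumptions made for the example:

```python
import math
import secrets

# Constructed miniature word list, used only so the example runs offline.
# A real Diceware list has 7776 entries (6^5), about 12.9 bits per word.
SAMPLE_WORDLIST = [
    "acorn", "basil", "cider", "dune", "ember", "fjord", "gable", "harp",
    "inlet", "juror", "kelp", "lumen", "maple", "nylon", "oxide", "prism",
]
DICEWARE_LIST_SIZE = 7776
# Assumed size of the token dictionary a guessing bot works from; 100k is a
# rough figure for "common words plus common passwords", not a measured one.
ASSUMED_TOKEN_DICT_SIZE = 100_000


def diceware_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n_words chosen uniformly at random from a list."""
    return n_words * math.log2(list_size)


def char_based_entropy_bits(passphrase, alphabet_size=95):
    """Naive estimate treating every character as uniformly random printable
    ASCII. This is what '21 characters' sounds like, and it is misleading."""
    return len(passphrase) * math.log2(alphabet_size)


def token_based_entropy_bits(passphrase, dict_size=ASSUMED_TOKEN_DICT_SIZE):
    """Estimate for a guesser that tries whole space-separated tokens (words,
    common passwords, digit runs) from a dictionary: the search space a
    brain-wallet bot actually faces."""
    return len(passphrase.split()) * math.log2(dict_size)


def is_strong_enough(passphrase, min_bits=80, dict_size=ASSUMED_TOKEN_DICT_SIZE):
    """Judge strength by the token-based bound, never the character one."""
    return token_based_entropy_bits(passphrase, dict_size) >= min_bits


def generate_diceware(n_words, wordlist=SAMPLE_WORDLIST):
    """Build a passphrase from the OS CSPRNG, as Diceware-style clients do.
    With a full 7776-word list, 12 words give about 155 bits."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    weak = "dog opensessame 12345"  # shape of the phrase described in the thread
    print(f"{weak!r}: {char_based_entropy_bits(weak):.0f} bits by characters, "
          f"{token_based_entropy_bits(weak):.0f} bits by tokens, "
          f"strong={is_strong_enough(weak)}")
    print("diceware:", generate_diceware(6), f"({diceware_entropy_bits(6):.0f} bits)")
```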
We're talking about a 21 char password - not 'dog' or 'opensesame', more like 'dog opensessame 12345'. I moved away from it BECAUSE it was insecure, but figured it was secure enough for a quick bounce of NXT. Clearly a bad call on my part, didn't expect that bot exploitation was nearly that bad.
I appreciate your offer Daedelus, and will take you up on it.. Moving over to NXT-ZNL5-2A7Q-G5GJ-7K4SX.. I've always had an interest in NXT, would love to see it thrive despite my personal lack of NXT, but I see some serious barriers to broader adoption.. LOVE the asset exchange, and would love to see live web portals, though that brings a slew of new security concerns along with it.. The benefit of the passphrase is portability, but the downside is security.. Always hard to find a balance between usability and security, and I certainly hope NXT can find that balance.
Cheers
Z