PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!

HYPERfuture

hero member

Activity: 686

Merit: 500

HYPER project manager and PR + GoldPieces [GP]

Quote from: hyphymikey on December 01, 2014, 11:28:34 PM

I've always told people to enable the second password. Where you have to enter it to send coins from the wallet. You have to type it in using the on screen keyboard. I was wondering, how hard is it for a hacker to get this password? Do they just record your screen and watch the mouse move around and try to guess where you clicked? Or is that pretty hard to do?

There is malware that waits until you have unlocked your wallet and then bye bye bitcoins. Better use Linux and have a closed down system for your coins if you are keeping them on your computer to decrease the chances of this happening to you.

Quote from: Foxpup on December 02, 2014, 01:40:00 AM

Quote from: hitton on November 30, 2014, 06:18:51 PM

Quote from: HYPERfuture on November 28, 2014, 09:56:14 AM

I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

You forgot the most important step: either don't use TOR to access your Blockchain.info wallet, or use their new onion URL: *questionable link removed*

Due to the alleged questionability of that link (blockchatvqztbll.onion), I questioned it, and found the answer is that it is genuine. It is the link provided by Blockchain.info if you connect to their regular site via Tor (and check the certificate to avoid MITM attacks). Is it really that hard to give newbies any credit whatsoever? Wait, what am I thinking? Of course it is. Never mind.

Ha ha well it is nice to see that hitton had the best of intentions. I would still recommend NEVER using TOR even if a link may supposedly be safe.

Quote from: ikydesu on December 02, 2014, 02:15:55 AM

Quote from: Moonpig on November 29, 2014, 06:55:58 AM

Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You sure sms 2FA is much safer? I think you just lucky guy because hacker don't attack you, so you think sms 2FA is much safer Tongue

wait for some weeks Tongue

Email is NOT true 2FA as all an attacker needs is your email password and bye bye Bitcoins. Real 2FA like Yubikey, Google Auth or SMS (although seems there are vulnerabilities with SMS) on BOTH your email and blockchain account is required at the very least.

ikydesu

hero member

Activity: 686

Merit: 500

fb.com/Bitky.shop | Bitcoin Merch!Premium Quality!

Quote from: Moonpig on November 29, 2014, 06:55:58 AM

Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You sure sms 2FA is much safer? I think you just lucky guy because hacker don't attack you, so you think sms 2FA is much safer Tongue

wait for some weeks Tongue

Foxpup

legendary

Activity: 4536

Merit: 3188

Vile Vixen and Miss Bitcointalk 2021-2023

Quote from: hitton on November 30, 2014, 06:18:51 PM

Quote from: HYPERfuture on November 28, 2014, 09:56:14 AM

I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

You forgot the most important step: either don't use TOR to access your Blockchain.info wallet, or use their new onion URL: *questionable link removed*

Due to the alleged questionability of that link (blockchatvqztbll.onion), I questioned it, and found the answer is that it is genuine. It is the link provided by Blockchain.info if you connect to their regular site via Tor (and check the certificate to avoid MITM attacks). Is it really that hard to give newbies any credit whatsoever? Wait, what am I thinking? Of course it is. Never mind.

hyphymikey

hero member

Activity: 784

Merit: 1000

I've always told people to enable the second password. Where you have to enter it to send coins from the wallet. You have to type it in using the on screen keyboard. I was wondering, how hard is it for a hacker to get this password? Do they just record your screen and watch the mouse move around and try to guess where you clicked? Or is that pretty hard to do?

HYPERfuture

hero member

Activity: 686

Merit: 500

HYPER project manager and PR + GoldPieces [GP]

Quote from: hitton on November 30, 2014, 06:18:51 PM

Quote from: HYPERfuture on November 28, 2014, 09:56:14 AM

I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

You forgot the most important step: either don't use TOR to access your Blockchain.info wallet, or use their new onion URL: LINK REMOVED

I would say don't use TOR and also DO NOT use the link above that has posted by a new account here. Do not click it!

But thank you I forgot that and have updated the OP with do not use TOR information.

hitton

newbie

Activity: 7

Merit: 0

Quote from: HYPERfuture on November 28, 2014, 09:56:14 AM

I've had enough of seeing people who have been hacked and lose coins on blockchain.info so here is a guide for beginners to make your coins 100% secure and safe from hackers.

You forgot the most important step: either don't use TOR to access your Blockchain.info wallet, or use their new onion URL: *questionable link removed*

Testing123

hero member

Activity: 561

Merit: 500

Quote from: wadili89 on November 30, 2014, 10:19:17 AM

Quote from: fast2fix on November 30, 2014, 09:36:17 AM

Quote from: wadili89 on November 30, 2014, 02:15:30 AM

How does one backup a google auth code? I didnt see a easy way.

I use the IP lock along with other measures.

better use authy as 2fa you don't have to worry about backups.

authy?

Yup, Authy. https://www.authy.com/users

wadili89

legendary

Activity: 1106

Merit: 1000

Quote from: btchris on November 30, 2014, 09:26:21 AM

Quote from: wadili89 on November 30, 2014, 02:15:30 AM

How does one backup a google auth code? I didnt see a easy way.

I use the IP lock along with other measures.

See over here, in particular the posts by DeathAndTaxes and the ones that mention TitaniumBackup (root only).

Thanks, it takes some work but anything for safety.

Quote from: fast2fix on November 30, 2014, 09:36:17 AM

Quote from: wadili89 on November 30, 2014, 02:15:30 AM

How does one backup a google auth code? I didnt see a easy way.

I use the IP lock along with other measures.

better use authy as 2fa you don't have to worry about backups.

authy?

fast2fix

legendary

Activity: 1612

Merit: 1001

Quote from: wadili89 on November 30, 2014, 02:15:30 AM

How does one backup a google auth code? I didnt see a easy way.

I use the IP lock along with other measures.

better use authy as 2fa you don't have to worry about backups.

btchris

hero member

Activity: 672

Merit: 504

a.k.a. gurnec on GitHub

Quote from: wadili89 on November 30, 2014, 02:15:30 AM

How does one backup a google auth code? I didnt see a easy way.

I use the IP lock along with other measures.

See over here, in particular the posts by DeathAndTaxes and the ones that mention TitaniumBackup (root only).

HYPERfuture

hero member

Activity: 686

Merit: 500

HYPER project manager and PR + GoldPieces [GP]

Quote from: btchris on November 30, 2014, 01:47:08 AM

Quote from: HYPERfuture on November 29, 2014, 09:51:46 PM

Quote from: btchris on November 29, 2014, 08:20:19 PM

Not to put too fine a point on it, but blockchain.info doesn't support any (decent) 2FA.

Logon-only 2FA (such as supported by Blockchain.info) does help protect against online password brute-forcing attacks, but it does practically nothing to help protect against malware (e.g. keyloggers), which seem to be the more ominous threat.

Per-transaction 2FA (such as supported by GreenAddress.it and BitGo.com) means that each transaction that sends bitcoin out of your wallet must use a new 2FA code. This type of 2FA offers very effective protection against malware (although it's not necessarily perfect).

You should keep all this in mind when weighing your wallet options....

You have heard of Yubikey right? That protects against keyloggers and is used on blockchain. But as I say you should not store large amounts of coins on ANY online wallet.

Unfortunately, it's not that simple (and it's a bit misleading IMO).

When you log into Blockchain.info (even if you use good 2FA such as Yubikey), the private keys for your wallet are sent to your computer. This means that your computer (and any decent malware that's running on it) has access to those private keys, and can use them to relieve you of any funds.

By default, Blockchain.info doesn't save those private keys to disk (if you have 2FA enabled), and that does protect you against stupid malware, but it remains much less secure than per-transaction 2FA used by multisig wallets (where only a portion of the necessary key material is ever on your computer and available for malware to abuse).

Ahh good to know. Thank you. Seems like Trezor is the way to go then.

wadili89

legendary

Activity: 1106

Merit: 1000

How does one backup a google auth code? I didnt see a easy way.

I use the IP lock along with other measures.

btchris

hero member

Activity: 672

Merit: 504

a.k.a. gurnec on GitHub

Quote from: HYPERfuture on November 29, 2014, 09:51:46 PM

Quote from: btchris on November 29, 2014, 08:20:19 PM

Not to put too fine a point on it, but blockchain.info doesn't support any (decent) 2FA.

Logon-only 2FA (such as supported by Blockchain.info) does help protect against online password brute-forcing attacks, but it does practically nothing to help protect against malware (e.g. keyloggers), which seem to be the more ominous threat.

Per-transaction 2FA (such as supported by GreenAddress.it and BitGo.com) means that each transaction that sends bitcoin out of your wallet must use a new 2FA code. This type of 2FA offers very effective protection against malware (although it's not necessarily perfect).

You should keep all this in mind when weighing your wallet options....

You have heard of Yubikey right? That protects against keyloggers and is used on blockchain. But as I say you should not store large amounts of coins on ANY online wallet.

Unfortunately, it's not that simple (and it's a bit misleading IMO).

When you log into Blockchain.info (even if you use good 2FA such as Yubikey), the private keys for your wallet are sent to your computer. This means that your computer (and any decent malware that's running on it) has access to those private keys, and can use them to relieve you of any funds.

By default, Blockchain.info doesn't save those private keys to disk (if you have 2FA enabled), and that does protect you against stupid malware, but it remains much less secure than per-transaction 2FA used by multisig wallets (where only a portion of the necessary key material is ever on your computer and available for malware to abuse).

Foxpup

legendary

Activity: 4536

Merit: 3188

Vile Vixen and Miss Bitcointalk 2021-2023

Quote from: Moonpig on November 29, 2014, 06:55:58 AM

Email still is 2-factor

It isn't. For reference, true two factor authentication means having any two of the following factors:

* What you know (usernames and passwords)
* What you have (mobile phone, security tokens)
* What you are (fingerprints, iris/retina patterns, etc)

Email access is always the first factor only, unless you email account itself uses 2FA. This is bad because the first factor is what is compromised by keyloggers (which is the whole reason for using 2FA in the first place). If you have a keylogger, your email is almost certainly compromised, and is thus useless as a form of authentication.

HYPERfuture

hero member

Activity: 686

Merit: 500

HYPER project manager and PR + GoldPieces [GP]

Quote from: btchris on November 29, 2014, 08:20:19 PM

Not to put too fine a point on it, but blockchain.info doesn't support any (decent) 2FA.

Logon-only 2FA (such as supported by Blockchain.info) does help protect against online password brute-forcing attacks, but it does practically nothing to help protect against malware (e.g. keyloggers), which seem to be the more ominous threat.

Per-transaction 2FA (such as supported by GreenAddress.it and BitGo.com) means that each transaction that sends bitcoin out of your wallet must use a new 2FA code. This type of 2FA offers very effective protection against malware (although it's not necessarily perfect).

You should keep all this in mind when weighing your wallet options....

You have heard of Yubikey right? That protects against keyloggers and is used on blockchain. But as I say you should not store large amounts of coins on ANY online wallet.

btchris

hero member

Activity: 672

Merit: 504

a.k.a. gurnec on GitHub

Not to put too fine a point on it, but blockchain.info doesn't support any (decent) 2FA.

Logon-only 2FA (such as supported by Blockchain.info) does help protect against online password brute-forcing attacks, but it does practically nothing to help protect against malware (e.g. keyloggers), which seem to be the more ominous threat.

Per-transaction 2FA (such as supported by GreenAddress.it and BitGo.com) means that each transaction that sends bitcoin out of your wallet must use a new 2FA code. This type of 2FA offers very effective protection against malware (although it's not necessarily perfect).

You should keep all this in mind when weighing your wallet options....

HYPERfuture

hero member

Activity: 686

Merit: 500

HYPER project manager and PR + GoldPieces [GP]

Quote from: BitCoinDream on November 29, 2014, 10:59:05 AM

Quote from: 1986 on November 29, 2014, 10:03:37 AM

Quote from: HYPERfuture on November 29, 2014, 09:29:13 AM

Quote from: Moonpig on November 29, 2014, 06:55:58 AM

Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone so it's safe and completly unlinked to my computer.

Your phone is more secure than computer because they are not linked ? U must be a funny guy. Ur security is just awaiting to get broken... AMEN

This is why I like Yubikey and recommend it Wink

BitCoinDream

legendary

Activity: 2394

Merit: 1216

The revolution will be digital

Quote from: 1986 on November 29, 2014, 10:03:37 AM

Quote from: HYPERfuture on November 29, 2014, 09:29:13 AM

Quote from: Moonpig on November 29, 2014, 06:55:58 AM

Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone so it's safe and completly unlinked to my computer.

Your phone is more secure than computer because they are not linked ? U must be a funny guy. Ur security is just awaiting to get broken... AMEN

HYPERfuture

hero member

Activity: 686

Merit: 500

HYPER project manager and PR + GoldPieces [GP]

Quote from: 1986 on November 29, 2014, 10:03:37 AM

Quote from: HYPERfuture on November 29, 2014, 09:29:13 AM

Quote from: Moonpig on November 29, 2014, 06:55:58 AM

Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone so it's safe and completly unlinked to my computer.

If your email has 2FA as well like I recommend then it is much more secure. However email without 2FA it doesn't provide an extra layer at all as if someone has your email they can reset your wallet password. However you should also have another form of 2FA (like Yubikey) on your online wallet as well. Then you have double 2FA and less chance of you becoming the next horror story.

1986

full member

Activity: 165

Merit: 100

Quote from: HYPERfuture on November 29, 2014, 09:29:13 AM

Quote from: Moonpig on November 29, 2014, 06:55:58 AM

Email still is 2-factor though it is easier to compromise, but I would recommend using the sms 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone so it's safe and completly unlinked to my computer.

Topic: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly! (Read 2628 times)