Robbed more than 100,000 NXT - page 3.

devphp

sr. member

Activity: 336

Merit: 260

Quote from: EvilDave on September 22, 2014, 03:01:51 PM

This guy did, first known victim of this thief:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg92255/#msg92255
His pass was just a random phrase from Genesis, complete with full stop.

Yes, and it was a simple dictionary attack with the Bible quotes as source. I wonder why people don't use the pass phrase provided the NXT client, it's random enough and can't be cracked in a billion years.

donn2012

full member

Activity: 145

Merit: 100

@Donn: could you send me your passphrase please ?
The account is gone anyway, and it might help other people if we know what sort of passwords are being cracked.
I suspect that it's a quote from something, but i'd like to see. PM me or post here, up to you.
[/quote]

I would not want to disclose my password. What exactly will help you my password, explain in more detail what I'd made the right decision.

EvilDave

hero member

Activity: 854

Merit: 1001

Quote from: devphp on September 22, 2014, 02:56:20 PM

It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

This guy did, first known victim of this thief:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg92255/#msg92255
His pass was just a random phrase from Genesis, complete with full stop.

EvilDave

hero member

Activity: 854

Merit: 1001

Quote from: Zer0Sum on September 22, 2014, 02:51:19 PM

Quote from: megashira1 on September 22, 2014, 02:13:03 PM

The problem is it is too easy to humanly err with NXT. There are no safeguards such as having a seed and than an account password. NXT has lots of innovations but it fails to understand the needs of the average user.

Wikipedia:

"Passwords or watchwords have been used since ancient times. Polybius describes the system for the distribution of watchwords in the Roman military..."

It's not very reassuring that NXT uses 3,000 year old tech to safeguard wealth...
Because that it all it is and nothing more.

And people wonder why Bitcoin has hit a wall.

Don't forget that this works well for 99.99% of NXT users, but, yeah, we need Account Control to be active.
This is not just a NXT problem: other coins are vulnerable to rainbow table attacks on the blockchain in search of private key hashes.

devphp

sr. member

Activity: 336

Merit: 260

It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

EvilDave

hero member

Activity: 854

Merit: 1001

Quote from: donn2012 on September 22, 2014, 01:50:37 PM

Quote from: Blazr2 on September 22, 2014, 01:42:08 PM

Join the club, mine disappeared mysteriously too. No more NXT for me, and don't tell me it was my 128 character randomly generated cut and paste password either.

Password of my account is 75 character with upper letter and special symbol.

@Blazr: can you send me some info on your theft ? Like to see if it's linked....

@Donn: could you send me your passphrase please ?
The account is gone anyway, and it might help other people if we know what sort of passwords are being cracked.
I suspect that it's a quote from something, but i'd like to see. PM me or post here, up to you.

Zer0Sum

legendary

Activity: 1588

Merit: 1000

Quote from: megashira1 on September 22, 2014, 02:13:03 PM

The problem is it is too easy to humanly err with NXT. There are no safeguards such as having a seed and than an account password. NXT has lots of innovations but it fails to understand the needs of the average user.

Wikipedia:

"Passwords or watchwords have been used since ancient times. Polybius describes the system for the distribution of watchwords in the Roman military..."

It's not very reassuring that NXT uses 3,000 year old tech to safeguard wealth...
Because that it all it is and nothing more.

And people wonder why Bitcoin has hit a wall.

donn2012

full member

Activity: 145

Merit: 100

Quote from: devphp on September 22, 2014, 02:19:08 PM

What was the pass phrase you used? You don't need it any more.

Thanx a lot

EvilDave

hero member

Activity: 854

Merit: 1001

Looking even deeper:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n

This guy got ripped by the same hacker/thief....and that was the one with the Bible quote.

CryptoCarmen

member

Activity: 84

Merit: 10

★Bitin.io★ - Instant Exchange

I am sorry for you. I would send you some NXT if would have any. All get caught at the end since they never have enough so dont worry, thief will get what he deserve.

devphp

sr. member

Activity: 336

Merit: 260

What was the pass phrase you used? You don't need it any more.

megashira1

legendary

Activity: 1146

Merit: 1000

Quote from: ?? on ??

I don't think that the password system is the problem, because when you lose your Private key from bitcoin your coins will be gone as well.

This is rather a exploit or just a Trojaner or man in the middle attack

The problem is it is too easy to humanly err with NXT. There are no safeguards such as having a seed and than an account password. NXT has lots of innovations but it fails to understand the needs of the average user.

This is also another reason why I divested from NXT. So much history of scams, hacks, thefts + the never ending arguments against the initial distribution. The tech is sound and all, but it has the worst PR to deal with and I feel the uphill battle is too great to be overcome.

EvilDave

hero member

Activity: 854

Merit: 1001

Following the trail....

OPs account:
http://nxtreporting.com/?ac=NXT-Q7KC-9GQR-XB4C-EKY7T

Thief Account 01
http://nxtreporting.com/?ac=NXT-VKPH-NH97-5556-9ZSPM
(Seller of assets)

Thief Account 02
http://nxtreporting.com/?ac=NXT-TLCJ-WM9U-TERB-EUUX7

Thief Account 03
http://nxtreporting.com/?ac=NXT-WTCT-N6HZ-CCKY-4MLJF
Looks like thief central.....

EvilDave

hero member

Activity: 854

Merit: 1001

Sheesh, that sucks, mate.

The usual answer to this is almost always a weak password, with some cases of probable malware.
There was also a very early attack using compromised client software.

So, the usual questions:

Where did u d/l the client ? Did u run the checksum before unzipping ?

Results of your latest virus/malware scanner ?

Anyone else with access to your client ?

Was the password genuinely secure ? One guy used a fairly long Bible quote, with predictable results.

NXT will be implementing an Account Control feature soon, which will allow you to specify conditions for locking down your account. Not that that helps you now, sorry.

BTW: the nextcoin.org thread is from 9 months ago, head on over to www.nxtforum.org, which is currently the biggest NXT forum.

Wulfcastle

hero member

Activity: 546

Merit: 500

Quote from: ?? on ??

I don't think that the password system is the problem, because when you lose your Private key from bitcoin your coins will be gone as well.

This is rather a exploit or just a Trojaner or man in the middle attack

Hmm, the strange thing is that this has occurred quite a lot recently. Check the NXT Forums and you'll see a few more cases just like this where NXT balances and assets have been transferred

donn2012

full member

Activity: 145

Merit: 100

Quote from: Blazr2 on September 22, 2014, 01:42:08 PM

Join the club, mine disappeared mysteriously too. No more NXT for me, and don't tell me it was my 128 character randomly generated cut and paste password either.

Password of my account is 75 character with upper letter and special symbol.

Wulfcastle

hero member

Activity: 546

Merit: 500

Quote from: rabbiter on September 22, 2014, 01:44:00 PM

Quote from: Zer0Sum on September 22, 2014, 01:37:24 PM

So that's about $3,000.

I'm very impressed by NXT...
But have serious concerns about security...
The ecosystem is so centralized that inside jobs must be possible.

Also, there must more to security than a password...
Or accounts above a certain threshold must get an additional layer of security.

Qora has said he is confused why NXT choose the password system they use as it's possible to force it open.

Explain how it's possible to "force it open"?

rabbiter

full member

Activity: 168

Merit: 100

Quote from: Zer0Sum on September 22, 2014, 01:37:24 PM

So that's about $3,000.

I'm very impressed by NXT...
But have serious concerns about security...
The ecosystem is so centralized that inside jobs must be possible.

Also, there must more to security than a password...
Or accounts above a certain threshold must get an additional layer of security.

Qora has said he is confused why NXT choose the password system they use as it's possible to force it open.

Blazr2

full member

Activity: 218

Merit: 115

Join the club, mine disappeared mysteriously too. No more NXT for me, and don't tell me it was my 128 character randomly generated cut and paste password either.

Zer0Sum

legendary

Activity: 1588

Merit: 1000

So that's about $3,000.

I'm very impressed by NXT...
But have serious concerns about security...
The ecosystem is so centralized that inside jobs must be possible.

Also, there must more to security than a password...
Or accounts above a certain threshold must get an additional layer of security.

A password might be good enough for a transmission network like Ripple...
But not good enough for the storage of Crypto Assets and significant wealth.

Topic: Robbed more than 100,000 NXT - page 3. (Read 4362 times)