Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: aadje93 on October 27, 2012, 02:42:13 PM



Title: Blockchain.info account hacked while using yubikey....
Post by: aadje93 on October 27, 2012, 02:42:13 PM
Hello guys,

some sad news :( My blockchain account was hacked today, lost around 101 bitcoin. I am using the "mtgox yubikey", so I am really feeling shit :(. Had already lost 10 bitcoin on mtgox, that's why I bought myself a yubikey so this couldn't happen again.


Sad to announce, but I think I quit mining with my 4.5 GH/s.

The transaction hash: 1803eb98f2aaba1facba17d8b9e5d953b78fe63a3d85c9abb25002f09db0d7a8


How can an account be hacked when I use a yubikey to login.... And I have the yubikey always with me; this means blockchain.info is hacked or the yubikey of Mtgox is cracked :( (also seeing the large drop in bitcoin price I suspect a large bitcoin hack)

Goodbye guys, I'll stop bitcoin from now on. Lost about $1000 :(

(edit $ instead of €)


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: jl2012 on October 27, 2012, 02:49:52 PM
MtGox yubikey should not be used on anything other than MtGox. MtGox has clearly warned that.

Blockchain.info should stop "supporting" MtGox yubikey


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: aadje93 on October 27, 2012, 02:51:40 PM
A yubikey should be protecting an account since it's a physical thing you need to press to get a UNIQUE key out of it. That's different every time, and will only work once.

Even though it's mtgox "branded" it should still be safe to use as it's a unique thing.


But it doesn't matter anymore, I stop mining bitcoin. Sad to end it this way instead of buying ASICs. It's a sad lesson; I wasted so much electricity for nothing.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: Blazr on October 27, 2012, 02:51:48 PM
I tried out my MtGox YubiKey on the blockchain wallet service, and I noticed the OTPs that it generates are REUSABLE. It seems Blockchain.info is only looking at the first few letters of the OTP; as they are static, you can actually change the end of the OTP and the website will still accept it.

Doesn't sound secure at all to me and is definitely something that needs to be addressed. This is not 2-factor authentication.
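
A verifier that does what Blazr describes, comparing only the static prefix, accepts any OTP it has already seen. As an added example, not code from this thread or from Blockchain.info, here is what a full check of a YubiKey OTP involves, in Go: decrypt the 32 dynamic ModHex characters with the key's AES-128 secret, confirm the CRC and the private UID, and require the session and use counters to move forward so that an edited or replayed OTP is rejected. The public ID, AES key and UID are constructed for the demo, and MakeOTP stands in for the hardware token only to produce sample OTPs.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"strings"
)

// ModHex alphabet: the YubiKey emits only these 16 letters so an OTP types the same on any keyboard layout.
const modhex = "cbdefghijklnrtuv"

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("invalid ModHex character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, x := range b {
		sb.WriteByte(modhex[x>>4])
		sb.WriteByte(modhex[x&0x0f])
	}
	return sb.String()
}

// crc16 is the ISO 13239 CRC carried inside the token (poly 0x8408 reflected, init 0xffff).
// Over all 16 bytes of an unmodified token it leaves the fixed residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 * (crc & 1))
		}
	}
	return crc
}

// KeyRecord is the verifier's state for one enrolled key (all values are constructed for the demo).
type KeyRecord struct {
	PublicID string  // the 12 static ModHex characters at the front of every OTP
	AESKey   []byte  // AES-128 key shared with the token
	UID      [6]byte // private identity, never leaves the token in the clear
	Counter  uint16  // incremented each time the key powers up
	Use      uint8   // incremented per button press within one session
}

// Verify decrypts the 32 dynamic characters, checks integrity and ownership, and rejects any
// OTP whose counters do not advance past the stored state. A check of the prefix alone skips
// everything after the first if statement.
func Verify(rec *KeyRecord, otp string) error {
	if len(otp) != 44 || otp[:12] != rec.PublicID {
		return errors.New("unknown key or malformed OTP")
	}
	enc, err := modhexDecode(otp[12:])
	block, kerr := aes.NewCipher(rec.AESKey)
	if err != nil || kerr != nil {
		return errors.New("bad OTP encoding or AES key")
	}
	plain := make([]byte, 16)
	block.Decrypt(plain, enc) // exactly one AES block, so no mode or IV is involved
	if crc16(plain) != 0xf0b8 {
		return errors.New("integrity check failed: wrong key or altered OTP")
	}
	if string(plain[:6]) != string(rec.UID[:]) {
		return errors.New("private UID mismatch")
	}
	ctr, use := binary.LittleEndian.Uint16(plain[6:8]), plain[11]
	if ctr < rec.Counter || (ctr == rec.Counter && use <= rec.Use) {
		return errors.New("replayed OTP")
	}
	rec.Counter, rec.Use = ctr, use
	return nil
}

// MakeOTP plays the token side and exists only to produce sample OTPs for this demo.
func MakeOTP(rec *KeyRecord, ctr uint16, use uint8, ts uint32, rnd uint16) string {
	plain := make([]byte, 16)
	copy(plain[:6], rec.UID[:])
	binary.LittleEndian.PutUint16(plain[6:8], ctr)
	binary.LittleEndian.PutUint16(plain[8:10], uint16(ts)) // 24-bit timestamp, low half
	plain[10], plain[11] = byte(ts>>16), use
	binary.LittleEndian.PutUint16(plain[12:14], rnd)
	binary.LittleEndian.PutUint16(plain[14:16], ^crc16(plain[:14]))
	block, _ := aes.NewCipher(rec.AESKey)
	enc := make([]byte, 16)
	block.Encrypt(enc, plain)
	return rec.PublicID + modhexEncode(enc)
}
```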


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: matthewh3 on October 27, 2012, 02:52:19 PM
Do the online backups of your wallet need the MtGox Yubikey to be decrypted? If not, maybe someone hacked your email, Dropbox or Google Drive? Otherwise the thief must be someone you know.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: jl2012 on October 27, 2012, 02:53:14 PM
I tried out my MtGox YubiKey on the blockchain wallet service, and I noticed the OTPs that it generates are REUSABLE. It seems Blockchain.info is only looking at the first few letters of the OTP; as they are static, you can actually change the end of the OTP and the website will still accept it.

Doesn't sound secure at all to me.

You are absolutely correct

https://bitcointalk.org/index.php?topic=64300.0


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: proudhon on October 27, 2012, 02:53:25 PM
I tried out my MtGox YubiKey on the blockchain wallet service, and I noticed the OTPs that it generates are REUSABLE. It seems Blockchain.info is only looking at the first few letters of the OTP; as they are static, you can actually change the end of the OTP and the website will still accept it.

Doesn't sound secure at all to me and is definitely something that needs to be addressed. This is not 2-factor authentication.

Good lord.  That's a pretty big deal.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: jl2012 on October 27, 2012, 02:55:27 PM
How can an account be hacked when I use a yubikey to login.... And I have the yubikey always with me; this means blockchain.info is hacked or the yubikey of Mtgox is cracked :( (also seeing the large drop in bitcoin price I suspect a large bitcoin hack)

Goodbye guys, I'll stop bitcoin from now on. Lost about $1000 :(

(edit $ instead of €)

No, it's your own computer that got hacked. It MUST have a keylogger.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: matthewh3 on October 27, 2012, 02:56:16 PM
I tried out my MtGox YubiKey on the blockchain wallet service, and I noticed the OTPs that it generates are REUSABLE. It seems Blockchain.info is only looking at the first few letters of the OTP; as they are static, you can actually change the end of the OTP and the website will still accept it.

Doesn't sound secure at all to me.

You are absolutely correct

https://bitcointalk.org/index.php?topic=64300.0

What if you don't use the MtGox Yubikey but the standard version? Also, can you use the standard version of the Yubikey on more than one wallet/site and be safe?


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: aadje93 on October 27, 2012, 02:59:04 PM
Using AVAST antivirus, so I should be safe. And I didn't download anything last week (except a game via Steam and the demo of it from the official website (Farming Simulator 2013)). So that couldn't be it.


But as I said, I think I'll stop with bitcoin. The loss is too big for me :(.

Maybe going to do BOINC or something, not really sure.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: jl2012 on October 27, 2012, 03:15:14 PM
Using AVAST antivirus, so I should be safe. And I didn't download anything last week (except a game via Steam and the demo of it from the official website (Farming Simulator 2013)). So that couldn't be it.


But as I said, I think I'll stop with bitcoin. The loss is too big for me :(.

Maybe going to do BOINC or something, not really sure.

Have you figured out how you lost 10 BTC on MtGox?


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: paraipan on October 27, 2012, 03:20:05 PM
...

Goodbye guys, I'll stop bitcoin from now on. Lost about $1000 :(

(edit $ instead of €)

So long, come back in a few years when all this nasty stuff is taken care of.

Edit: How can someone manage to lose so many bitcoins? Have you looked into paper wallets (https://en.bitcoin.it/wiki/Paper_wallet) or Casascius bitcoins (https://www.casascius.com/)?


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: ryann on October 27, 2012, 03:20:19 PM
Hello guys,

some sad news :( My blockchain account was hacked today, lost around 101 bitcoin. I am using the "mtgox yubikey", so I am really feeling shit :(. Had already lost 10 bitcoin on mtgox, that's why I bought myself a yubikey so this couldn't happen again.


Sad to announce, but I think I quit mining with my 4.5 GH/s.

The transaction hash: 1803eb98f2aaba1facba17d8b9e5d953b78fe63a3d85c9abb25002f09db0d7a8


How can an account be hacked when I use a yubikey to login.... And I have the yubikey always with me; this means blockchain.info is hacked or the yubikey of Mtgox is cracked :( (also seeing the large drop in bitcoin price I suspect a large bitcoin hack)

Goodbye guys, I'll stop bitcoin from now on. Lost about $1000 :(

(edit $ instead of €)

That sucks man. Sorry. But why would you stop mining if you have 4.5 GH/s? Mining takes no effort and you already purchased the GPUs. You currently make 1.5 coins a day mining.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: hazek on October 27, 2012, 03:20:23 PM
How can an account be hacked when I use a yubikey to login....

Simple, if they get your password keylogged and find a copy of your encrypted wallet stored on the blockchain servers, they can decrypt it by simply using your password. The yubikey is merely requested by the blockchain eWallet javascript, which however you do not need in order to use the wallet file.

At least that's how I understand it.

Do the online backups of your wallet need the MtGox Yubikey to be decrypted? If not, maybe someone hacked your email, Dropbox or Google Drive? Otherwise the thief must be someone you know.

I don't think so and I also think yours is the most likely explanation.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: ArticMine on October 27, 2012, 03:39:16 PM
Hello guys,

some sad news :( My blockchain account was hacked today, lost around 101 bitcoin. I am using the "mtgox yubikey", so I am really feeling shit :(. Had already lost 10 bitcoin on mtgox, that's why I bought myself a yubikey so this couldn't happen again.


Sad to announce, but I think I quit mining with my 4.5 GH/s.

The transaction hash: 1803eb98f2aaba1facba17d8b9e5d953b78fe63a3d85c9abb25002f09db0d7a8


How can an account be hacked when I use a yubikey to login.... And I have the yubikey always with me; this means blockchain.info is hacked or the yubikey of Mtgox is cracked :( (also seeing the large drop in bitcoin price I suspect a large bitcoin hack)

Goodbye guys, I'll stop bitcoin from now on. Lost about $1000 :(

(edit $ instead of €)

... and the first factor of the two factor authentication was? Let me guess: a computer running Microsoft Windows. It seems to me that Microsoft Windows rather than bitcoin is the real problem here. By the way, I have been using GNU/Linux exclusively for all my online financial transactions since well before bitcoin even existed, with no problems.

It does not matter what kind of currency one uses: BTC, CAD, USD, EUR etc. If one uses Microsoft Windows for financial transactions there is a good chance that sooner or later one will get burned.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: piuk on October 27, 2012, 04:02:25 PM
Sorry to hear this, OP. Can you email me your wallet identifier at wallet@blockchain.info?


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: jl2012 on October 27, 2012, 04:06:48 PM
Sorry to hear this, OP. Can you email me your wallet identifier at wallet@blockchain.info?

I think you should stop "supporting" the mtgox key while you can't really support it. At least you should let users know it is not keylogger-proof.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: piuk on October 27, 2012, 04:13:17 PM
I think you should stop "supporting" the mtgox key while you can't really support it. At least you should let users know it is not keylogger-proof.

It is better than no yubikey, especially if the password is reused on other sites. Besides, it might not even be related to the yubikey. The attacker might have got access to the OP's wallet backup.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: aadje93 on October 27, 2012, 04:56:55 PM
Sorry to hear this, OP. Can you email me your wallet identifier at wallet@blockchain.info?

You have an email from me (adriaan_schep@hotmail.com)

Thanks that you want to help, but the coins are gone to somewhere in Poland :( (probably an Mtgox Europe address).

I was saving to around 120 BTC and then buy 2x 500gr silver bars from an online store :( Sucks...


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: Inaba on October 27, 2012, 05:03:18 PM
Using the MTGox Yubikey on a site other than MTGox is not Two-Factor Authentication. It's two-password authentication.

http://us.thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx

It's no different than the stupid banking sites asking for "mother's maiden name" as their "2FA." It's a joke and not any more secure than using one password. It's basically the TSA of password security. Elaborate, complicated security theater that accomplishes nothing, except to give you a false sense of security.

Don't do it ... get a real Yubikey or Google Authenticator.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: dunand on October 27, 2012, 05:05:04 PM
From what I'm reading in this thread the computer of the OP was hacked with a keylogger or the OP was reusing a password from another site.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: casascius on October 27, 2012, 05:18:37 PM
Google Authenticator should be used instead.  It is drop-dead easy to implement.

This is the entirety of the code needed to compute a Google Authenticator 6-digit code in C#, given the 10-byte secret and the current time.  This is like 20 lines of code at the most!

Code:
    using System;
    using System.Linq;
    using System.Security.Cryptography;

    /// <summary>
    /// Calculates the current One Time Password for a secret.
    /// </summary>
    public static string CalculateOneTimePassword(byte[] Secret, Int64 currentUnixTimestamp) {
        // This scheme uses an 80-bit (10-byte) shared secret.
        if (Secret==null || Secret.Length != 10) return null;

        Int64 Timestamp;
        byte[] Hmac;
    
        int Offset;
        int OneTimePassword;

        // https://tools.ietf.org/html/rfc4226 (HOTP), with the RFC 6238 30-second time step as the counter
        Timestamp = Convert.ToInt64(currentUnixTimestamp / 30L);
        // The HMAC input is the 8-byte counter in big-endian order, so only reverse on little-endian hosts.
        var data = BitConverter.GetBytes(Timestamp);
        if (BitConverter.IsLittleEndian) Array.Reverse(data);
        Hmac = new HMACSHA1(Secret).ComputeHash(data);
        // Dynamic truncation: the low nibble of the last digest byte selects a 4-byte window.
        Offset = Hmac.Last() & 0x0F;
        OneTimePassword = (
            ((Hmac[Offset + 0] & 0x7f) << 24) |
            ((Hmac[Offset + 1] & 0xff) << 16) |
            ((Hmac[Offset + 2] & 0xff) << 8) |
            (Hmac[Offset + 3] & 0xff)
                ) % 1000000;
        return OneTimePassword.ToString("000000");
    }

The 10-byte secret is a randomly generated number, and can be programmed into the user's phone by showing an on-screen QR code of the following format:

otpauth://totp/USERLOGINNAMEHERE?secret=SECRETHERE

where USERLOGINNAMEHERE is text that will be shown to the user to identify their account, and SECRETHERE is the 10 bytes converted into Base32 using the following alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 (yields a 16-character string, 'A' has the value 0)
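
The same computation in Go, as an added example that is not casascius's code: HOTP/TOTP per RFC 4226 and RFC 6238 for any secret length, the otpauth provisioning URI with the unpadded Base32 encoding described above, and a server-side Verify that allows one step of clock drift but never accepts a step at or before the last accepted one, which is what stops a captured code from being used a second time. The Enrollment type and the window policy are my own assumptions, not Google Authenticator's API.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to a
// 31-bit value, then its last `digits` decimal digits. Any secret length is accepted here;
// the C# snippet above insists on exactly 10 bytes.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // low nibble of the last byte picks the 4-byte window
	code := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter set to the number of 30-second steps since the epoch.
func TOTP(secret []byte, unixTime int64) string {
	return HOTP(secret, uint64(unixTime/30), 6)
}

// Enrollment is the verifier's per-user state: the shared secret and the last time step
// at which a code was accepted (an assumed design, not Google Authenticator's API).
type Enrollment struct {
	Secret   []byte
	LastStep int64
}

// Verify accepts the code for the current step or one step either side (clock drift), but
// never for a step at or before the last accepted one, so a code captured by a keylogger
// cannot be replayed inside the same window.
func (e *Enrollment) Verify(code string, unixTime int64) bool {
	now := unixTime / 30
	for step := now - 1; step <= now+1; step++ {
		if step <= e.LastStep {
			continue
		}
		want := HOTP(e.Secret, uint64(step), 6)
		if subtle.ConstantTimeCompare([]byte(code), []byte(want)) == 1 {
			e.LastStep = step
			return true
		}
	}
	return false
}

// NewSecret draws the 10-byte shared secret from the OS CSPRNG.
func NewSecret() ([]byte, error) {
	s := make([]byte, 10)
	_, err := rand.Read(s)
	return s, err
}

// ProvisioningURI builds the otpauth URI that is shown as a QR code. Ten bytes encode to
// exactly 16 characters of the RFC 4648 Base32 alphabet quoted above, so no padding is needed.
func ProvisioningURI(login string, secret []byte) string {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	return "otpauth://totp/" + url.PathEscape(login) + "?secret=" + enc
}

func main() {
	secret, _ := NewSecret()
	fmt.Println(ProvisioningURI("alice@example.com", secret))
	fmt.Println("current code:", TOTP(secret, time.Now().Unix()))
}
```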


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: ChipGeek on October 27, 2012, 06:23:03 PM
1) If I am using a NON-MtGox Yubikey on my Blockchain.info wallet, is this still (relatively) secure? Or would using google authenticator be more secure?

2) If someone obtains a backup copy of my Blockchain.info wallet, do they need BOTH my password and Yubikey, or just my password?


Note to OP: Sorry about losing your BTC. The only good that comes from it is that hopefully we can all learn from it and try to prevent it from happening again.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: ArticMine on October 27, 2012, 06:50:36 PM
This is just another example of a frustrated user of a complicated system that leaves in disgust because of his inability to use it properly. This isn’t the fault of the user, it’s the fault of the training program.
 
The one major difference I can see between open source systems and centrally controlled closed systems is the control of the information and user support. Both types of systems can deliver excellent quality but open source lacks a central point of instruction and authority over training for new users. This needs to change.


This ignores the root cause of the problem. It is not the user or lack of training. It is Microsoft Windows, which is a proprietary operating system. It is even unclear if the Yubikey (apparently incorrectly used) or the backup wallet was compromised. The reality here is that many new users will lose their bitcoins if they use Microsoft Windows as their Operating System. Two factor authentication can help but, as this case sadly demonstrates, it is not foolproof.

At a very fundamental level a proprietary operating system with over 90% market share worldwide is incompatible with bitcoin, as the security of bitcoin is ultimately predicated on each individual user having complete control over their computing experience, while proprietary software is about the exact opposite. Be it Apple's walled garden or Microsoft's centralized control over people's computers, the direction that proprietary software has taken is very much about centralized control. For example, with the recently released Windows 8 RT, Microsoft has complete control over which software is installed on a particular computer or device.

Centralizing control over the training of new bitcoin users in order to accommodate Microsoft or Apple is simply not the answer.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: jl2012 on October 27, 2012, 07:32:49 PM
This is just another example of a frustrated user of a complicated system that leaves in disgust because of his inability to use it properly. This isn’t the fault of the user, it’s the fault of the training program.
 
The one major difference I can see between open source systems and centrally controlled closed systems is the control of the information and user support. Both types of systems can deliver excellent quality but open source lacks a central point of instruction and authority over training for new users. This needs to change.


This ignores the root cause of the problem. It is not the user or lack of training. It is Microsoft Windows, which is a proprietary operating system. It is even unclear if the Yubikey (apparently incorrectly used) or the backup wallet was compromised. The reality here is that many new users will lose their bitcoins if they use Microsoft Windows as their Operating System. Two factor authentication can help but, as this case sadly demonstrates, it is not foolproof.

At a very fundamental level a proprietary operating system with over 90% market share worldwide is incompatible with bitcoin, as the security of bitcoin is ultimately predicated on each individual user having complete control over their computing experience, while proprietary software is about the exact opposite. Be it Apple's walled garden or Microsoft's centralized control over people's computers, the direction that proprietary software has taken is very much about centralized control. For example, with the recently released Windows 8 RT, Microsoft has complete control over which software is installed on a particular computer or device.

Centralizing control over the training of new bitcoin users in order to accommodate Microsoft or Apple is simply not the answer.


I use Windows and bitcoin without any problem. All of my coins are under cold storage and my mtgox account is secured by 2-factor authentication. There is nothing wrong with using a proprietary OS. Linux looks safer simply because fewer people use it and it's not efficient to hack it for stealing coins. If a Linux user misuses the system (downloading warez or storing an unencrypted wallet improperly), their coins will get stolen some day. By the way, I don't think mtgox and bitcoinica are running on Windows but both got hacked.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: Kris on October 27, 2012, 07:38:00 PM
Google Authenticator should be used instead.  It is drop-dead easy to implement.

This is the entirety of the code needed to compute a Google Authenticator 6-digit code in C#, given the 10-byte secret and the current time.  This is like 20 lines of code at the most!

Code:
    using System;
    using System.Linq;
    using System.Security.Cryptography;

    /// <summary>
    /// Calculates the current One Time Password for a secret.
    /// </summary>
    public static string CalculateOneTimePassword(byte[] Secret, Int64 currentUnixTimestamp) {
        // This scheme uses an 80-bit (10-byte) shared secret.
        if (Secret==null || Secret.Length != 10) return null;

        Int64 Timestamp;
        byte[] Hmac;
    
        int Offset;
        int OneTimePassword;

        // https://tools.ietf.org/html/rfc4226 (HOTP), with the RFC 6238 30-second time step as the counter
        Timestamp = Convert.ToInt64(currentUnixTimestamp / 30L);
        // The HMAC input is the 8-byte counter in big-endian order, so only reverse on little-endian hosts.
        var data = BitConverter.GetBytes(Timestamp);
        if (BitConverter.IsLittleEndian) Array.Reverse(data);
        Hmac = new HMACSHA1(Secret).ComputeHash(data);
        // Dynamic truncation: the low nibble of the last digest byte selects a 4-byte window.
        Offset = Hmac.Last() & 0x0F;
        OneTimePassword = (
            ((Hmac[Offset + 0] & 0x7f) << 24) |
            ((Hmac[Offset + 1] & 0xff) << 16) |
            ((Hmac[Offset + 2] & 0xff) << 8) |
            (Hmac[Offset + 3] & 0xff)
                ) % 1000000;
        return OneTimePassword.ToString("000000");
    }

The 10-byte secret is a randomly generated number, and can be programmed into the user's phone by showing an on-screen QR code of the following format:

otpauth://totp/USERLOGINNAMEHERE?secret=SECRETHERE

where USERLOGINNAMEHERE is text that will be shown to the user to identify their account, and SECRETHERE is the 10 bytes converted into Base32 using the following alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 (yields a 16-character string, 'A' has the value 0)

Indeed, it seems to do the job. I must admit that I use both Google two-factor authentication on my iPhone https://cdn.walletbit.com/includes/press/twofactor.jpg (https://cdn.walletbit.com/includes/press/twofactor.jpg) to sign in, just a random seed on the image in case anyone wondered.

I then use Secure Card, which I have printed out, because this will hide the secure card in the system so I only have it on paper https://cdn.walletbit.com/includes/press/securecard.jpg (https://cdn.walletbit.com/includes/press/securecard.jpg) as well, before I am granted access to my account and to send bitcoins.

Could be I am a little paranoid, but with all the hacks and cracks you read about, I am in the state of mind that better safe than sorry.



-

aadje93, sorry for your loss. Is there anything I can do to help you out?


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: SgtSpike on October 27, 2012, 07:54:55 PM
Does the online backups of your wallet need the MtGox Yubikey to be decrypted?  If not maybe some hacked your email, Dropbox or Google Drive?  Otherwise the thief must be someone you know.
+1 to this...


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: ArticMine on October 27, 2012, 08:36:22 PM
This is just another example of a frustrated user of a complicated system that leaves in disgust because of his inability to use it properly. This isn’t the fault of the user, it’s the fault of the training program.
 
The one major difference I can see between open source systems and centrally controlled closed systems is the control of the information and user support. Both types of systems can deliver excellent quality but open source lacks a central point of instruction and authority over training for new users. This needs to change.


This ignores the root cause of the problem. It is not the user or lack of training. It is Microsoft Windows, which is a proprietary operating system. It is even unclear if the Yubikey (apparently incorrectly used) or the backup wallet was compromised. The reality here is that many new users will lose their bitcoins if they use Microsoft Windows as their Operating System. Two factor authentication can help but, as this case sadly demonstrates, it is not foolproof.

At a very fundamental level a proprietary operating system with over 90% market share worldwide is incompatible with bitcoin, as the security of bitcoin is ultimately predicated on each individual user having complete control over their computing experience, while proprietary software is about the exact opposite. Be it Apple's walled garden or Microsoft's centralized control over people's computers, the direction that proprietary software has taken is very much about centralized control. For example, with the recently released Windows 8 RT, Microsoft has complete control over which software is installed on a particular computer or device.

Centralizing control over the training of new bitcoin users in order to accommodate Microsoft or Apple is simply not the answer.


I use Windows and bitcoin without any problem. All of my coins are under cold storage and my mtgox account is secured by 2-factor authentication. There is nothing wrong with using a proprietary OS. Linux looks safer simply because fewer people use it and it's not efficient to hack it for stealing coins. If a Linux user misuses the system (downloading warez or storing an unencrypted wallet improperly), their coins will get stolen some day. By the way, I don't think mtgox and bitcoinica are running on Windows but both got hacked.

Yes, one can secure Microsoft Windows, but it takes considerable effort and technical expertise. The average consumer's Microsoft Windows computer is more often than not infected with all sorts of rootkits and malware. It is far simpler in these situations to simply ditch Windows and use GNU/Linux. Cold storage can also provide a false sense of security, because the moment one needs to move coins one is exposed.

GNU/Linux is way safer than Microsoft Windows when it comes to malware. There are many reasons that come down to the design of the OS (it was designed from the ground up as a multi user OS, Windows was not), and the culture (most GNU/Linux users download their software from trusted repositories, do not run as root, and have no motivation at all to download warez, even if warez that actually runs natively on GNU/Linux even exists!). The entire Free Software / Open Source model of software development is far more secure since there is no opportunity for "security by obscurity". The latter is very popular with proprietary software vendors. DRM for example is entirely based on security by obscurity.

There is a lot wrong with using a proprietary OS with bitcoin, particularly one that has over 90% market share, since that creates a massive single point of failure for a very large portion of the bitcoin network. If a Microsoft Windows related attack were to hit the bitcoin network, bitcoin's chance of survival will likely rest with those of us who have chosen to run bitcoin nodes and mining on GNU/Linux.

As for the MTGox and Bitcoinica hacks, we are talking about servers being compromised because of less than optimal security procedures of the server administrators. This has nothing to do with the issue at hand here, namely malware on consumer computers.



Title: Re: Blockchain.info account hacked while using yubikey....
Post by: MeSarah on October 27, 2012, 08:42:04 PM
Here is a security suggestion I'm not sure I've seen. Don't click on links in Bitcoin forums unless you're absolutely sure the link is to a reputable web site. Hover over the link to make certain you're going to the site you think you're going to. Never click on links that use URL shorteners. Good luck Aadje93.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: ArticMine on October 27, 2012, 08:50:46 PM
Here is a security suggestion I'm not sure I've seen. Don't click on links in Bitcoin forums unless you're absolutely sure the link is to a reputable web site. Hover over the link to make certain you're going to the site you think you're going to. Never click on links that use URL shorteners. Good luck Aadje93.
Hovering over a URL before clicking on it is a very good idea if the source of the URL is in any way suspicious. I do it all the time with spam emails. In many cases the URL ends with .exe (Windows executable!).


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: ArticMine on October 27, 2012, 09:55:30 PM
Perhaps that’s the solution then. Remove all need for understanding or training. Only release the client to the public on a proprietary device.

That is not bitcoin at all. It is more like MintChip. http://mintchipchallenge.com/ (http://mintchipchallenge.com/). Bitcoin is about putting the end user in control and for that one needs a Free Libre Open Source Software OS.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: DeathAndTaxes on October 27, 2012, 09:59:49 PM
From what I'm reading in this thread the computer of the OP was hacked with a keylogger or the OP was reusing a password from another site.

However that is the WHOLE POINT of 2FACTOR.  If you use a strong password and your computer is never compromised you never need the second factor.   For blockchain.info to offer a "second factor" which can be compromised in the same manner as the first one is just poor design.  If the user for example was using google authenticator (which he may have used if blockchain.info DIDN'T offer a weak re-use of MtGox yubikey) a compromised system wouldn't mean a compromised google authenticator.



Title: Re: Blockchain.info account hacked while using yubikey....
Post by: ArticMine on October 27, 2012, 10:05:06 PM
From what I'm reading in this thread the computer of the OP was hacked with a keylogger or the OP was reusing a password from another site.

However that is the WHOLE POINT of 2FACTOR.  If you use a strong password and your computer is never compromised you never need the second factor.   For blockchain.info to offer a "second factor" which can be compromised in the same manner as the first one is just poor design.  If the user for example was using google authenticator (which he may have used if blockchain.info DIDN'T offer a weak re-use of MtGox yubikey) a compromised system wouldn't mean a compromised google authenticator.



This is not clear to me at all. The OP's backup wallet could have been compromised by a Windows based keylogger.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: DeathAndTaxes on October 27, 2012, 10:13:21 PM
From what I'm reading in this thread the computer of the OP was hacked with a keylogger or the OP was reusing a password from another site.

However that is the WHOLE POINT of 2FACTOR.  If you use a strong password and your computer is never compromised you never need the second factor.   For blockchain.info to offer a "second factor" which can be compromised in the same manner as the first one is just poor design.  If the user for example was using google authenticator (which he may have used if blockchain.info DIDN'T offer a weak re-use of MtGox yubikey) a compromised system wouldn't mean a compromised google authenticator.



This is not clear to me at all. The OP's backup wallet could have been compromised by a Windows based keylogger.

Even if true it doesn't change the fact that having a "2 factor" method which can be compromised along with the 1st factor is stupid. How the user was hacked doesn't change the vulnerability.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: beckspace on October 27, 2012, 10:24:24 PM
2) If someone obtains a backup copy of my Blockchain.info wallet, do they need BOTH my password and Yubikey, or just my password?

Do the online backups of your wallet need the MtGox Yubikey to be decrypted?

The backups don't need the Yubikey to be decrypted, and from what I know, nor any other form of 2-factor. You're only relying on your passphrase complexity. Big alert for false sense of security, IMO.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: piuk on October 27, 2012, 10:29:04 PM
Upon checking the past few days of access logs, the OP's wallet was only accessed from his home IP and browser. Also the transaction in question was not made through the My Wallet interface (once a hacker has access to an account I don't know why they would go to the trouble of exporting the private keys before emptying the wallet).

This leads me to believe the most probable scenario is the user's Dropbox account was compromised and the wallet backup taken directly from there. Perhaps reusing the same password somewhere else?

I have disabled Mt.Gox yubikeys for new wallets now. It was introduced before Google Authenticator and SMS two factor authentication were available; these are better options now.


Title: Re: Blockchain.info account hacked while using yubikey....
Post by: Daily Anarchist on October 27, 2012, 11:21:56 PM
It's reasons like this that make me glad I got rid of Windows.

Question:

I routinely get emailed backups of my wallet. How securely do I need to keep those backups? If somebody gains access to my backup, what else do they need in order to steal all of my coins? My passphrase, right?

If that's the case then I really only need to worry about keyloggers getting my passphrase. But since I'm using Linux, the chances of that happening are close to nil, right?


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: matthewh3 on October 27, 2012, 11:30:11 PM
It's reasons like this that make me glad I got rid of Windows.

Question:

I routinely get emailed backups of my wallet. How securely do I need to keep those backups? If somebody gains access to my backup, what else do they need in order to steal all of my coins? My passphrase, right?

If that's the case then I really only need to worry about keyloggers getting my passphrase. But since I'm using Linux, the chances of that happening are close to nil, right?

As long as you only download software from secure, trusted repositories, yes. Unless possibly there was some kind of browser-based attack using Java or something.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: ArticMine on October 28, 2012, 12:33:42 AM
Perhaps that's the solution then. Remove all need for understanding or training. Only release the client to the public on a proprietary device.

That is not bitcoin at all. It is more like MintChip. http://mintchipchallenge.com/ (http://mintchipchallenge.com/). Bitcoin is about putting the end user in control and for that one needs a Free Libre Open Source Software OS.


Oh, so you don’t ever want the average person using Bitcoin. You would prefer to have Bitcoin remain the money of the nerd fringe element?
I never said such a thing; however, if Bitcoin were to reach the level of penetration of GNU/Linux on the desktop (1% market share), the BTC/USD exchange rate would be in the neighborhood of 1 BTC = 10000 USD. We have a very long way to go with the "nerd fringe element" alone.

How stupid of me. You are absolutely right. You would never want soccer moms that buy mountains of useless crap every single day using Bitcoin. That would suck. Let’s make sure it stays nice and fucking complicated.
What I do not want to see is the average soccer mom losing their money, be it BTC, CAD, USD, EUR because of the sheer incompetence of a multinational corporation. Microsoft Windows is by far more difficult to use, secure and maintain than a modern GNU/Linux distribution such as Ubuntu. The average soccer mom is likely already mining bitcoins for the profit of some criminal botnet because of Microsoft Windows so in a sense they are already using bitcoin, they just do not realize it yet. The reason I know this is because I have removed bitcoin mining malware from the computer of a "soccer mom" who had no idea what bitcoin was.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: ArticMine on October 28, 2012, 02:03:55 AM
I never said such a thing; however, if Bitcoin were to reach the level of penetration of GNU/Linux on the desktop (1% market share), the BTC/USD exchange rate would be in the neighborhood of 1 BTC = 10000 USD.

1% of Linux users would be ~620,000 people; I don't think that'd bring us anywhere near 10,000 USD/BTC.

I have disabled Mt.Gox yubikeys for new wallets now.

A good move. I had chosen the Mt Gox YubiKey over Google Authenticator initially as I assumed Blockchain.info was checking the OTPs correctly.

Also, slightly off-topic, but I noticed Ireland (my country) is missing from the country list for SMS authentication & phone deposit. Are the phone networks in Ireland not supported by your site's SMS carrier?

Just to clarify, I mean 1% of the world money supply, which would put Bitcoin use, when compared to government currencies, at a market share comparable to GNU/Linux on the desktop. The most conservative estimate of the GNU/Linux desktop market share is 1%.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: DoomDumas on October 28, 2012, 02:35:52 AM
From what I'm reading in this thread the computer of the OP was hacked with a keylogger or the OP was reusing a password from another site.

+1

Totally agree, and I'm pretty sure you don't have to download something to get infected with a keylogger on a Windows system!

That's quite sad... but why stop mining if your mining rig is already set up and working at more than 1 BTC/day? I'd say, better have 30+ BTC in a month than 0 forever!!

Don't get pissed over that. I've lost 120+ BTC from not changing a very, very poor password on a site where I had those BTC... I didn't quit... I've mined a lot more since then. And be sure, now my passwords are all more than 20 chars, lower/upper/number/special... That's not keylogger-proof, but a few times a year I store some BTC in an offline wallet and start a new one with a new password...

I'm pretty sure things will get more user-friendly and safer in 2 years or so... Bitcoin is still very young. What if you quit BTC, and take a look back in two years to realize they are trading over 100 USD each... you may end up not having 3000+ USD by not continuing to mine!

As you wish,

was my 2 satoshi


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: aadje93 on October 28, 2012, 06:42:13 AM
Thank you all for the responses :).

But I still think blockchain is not 100% foolproof when a "hijacked" backup of my wallet can just be used on another wallet. Why backup then?... As seen in the log, nobody has entered my account from a different IP or even browser ;)


I was pissed off, but I think I need to make a new wallet address on my account, or a whole new wallet? As the attacker has the backup from a month ago, why backup weekly etc.


And how about making a wallet on a (Windows) PC that's only mining? Is that safe? I thought the online wallet was safe because the backup is done by them.


I'll start mining again :). But I am not sure where to send my coins to, as I don't trust the client either because it failed sometimes to start on a Windows machine (not my PC; a laptop in the beginning while trying out the bitcoin client to mine solo and as a wallet, before finding online wallets).


edit: new account made. And now I'll just convert all to physical items (or Steam games :P) in lower amounts; no more saving up 100 BTC probably.


And if my Dropbox is being hijacked, it could only be via Facebook probably, because I had shared it on Facebook to get some free MB for each referral. And why all the hassle if there are wallets with over 5k BTC...


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: aadje93 on October 28, 2012, 06:56:33 AM
God dammit!!

Made a new account with my yubikey as authenticator,

And now I can't even log in to it!! (yubikey wrong) You can add your yubikey, but can't log in with it.


Made a new post to make this very clear!! DON'T CONNECT Mt GOX YUBI TO BLOCKCHAIN.INFO AT THE MOMENT!!


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: QuantumQrack on October 28, 2012, 07:34:06 AM
The best security for all practical purposes is a master password you memorize that is used to open an encrypted password database such as KeePass. I don't think two-factor is necessary in the presence of one strong password that is unique and not used in conjunction with other online accounts.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: Insu Dra on October 28, 2012, 09:21:55 AM
If that's the case then I really only need to worry about keyloggers getting my passphrase. But since I'm using Linux, the chances of that happening are close to nil, right?

They're a lot lower but not nil. I would still use a separate minimal install (OS) to manage financial data. Even when you just buy stuff online, don't fill out any forms with credit card or any other sensitive data on your main install (OS). (Logins excluded ofc, but then again I'm so paranoid I won't even register on a site with my everyday OS.)

Even if you or your anti virus notices it at some point chances are high that the data is already gone and just waiting for a buyer that will use it to empty your accounts.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: Justin00 on October 28, 2012, 09:45:06 AM
Some of the keyloggers can grab the password when you Ctrl+V it from KeePass.


The best security for all practical purposes is a master password you memorize that is used to open an encrypted password database such as KeePass. I don't think two-factor is necessary in the presence of one strong password that is unique and not used in conjunction with other online accounts.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: jl2012 on October 28, 2012, 09:48:03 AM
This is just another example of a frustrated user of a complicated system that leaves in disgust because of his inability to use it properly. This isn’t the fault of the user it’s the fault of the training program.
 
The one major difference I can see between open source systems and centrally controlled closed systems is the control of the information and user support. Both types of systems can deliver excellent quality but open source lacks a central point of instruction and authority over training for new users. This needs to change.


This ignores the root cause of the problem. It is not the user or lack of training. It is Microsoft Windows, which is a proprietary operating system. It is even unclear if the Yubikey (apparently incorrectly used) or the backup wallet was compromised. The reality here is that many new users will lose their bitcoins if they use Microsoft Windows as their operating system. Two-factor authentication can help, but as this case sadly demonstrates it is not foolproof.

At a very fundamental level a proprietary operating system with over 90% market share worldwide is incompatible with bitcoin, as the security of bitcoin is ultimately predicated on each individual user having complete control over their computing experience, while proprietary software is about the exact opposite. Be it Apple's walled garden or Microsoft's centralized control over people's computers, the direction that proprietary software has taken is very much about centralized control. For example, with the recently released Windows 8 RT, Microsoft has complete control over which software is installed on a particular computer or device.

Centralizing control over the training of new bitcoin users in order to accommodate Microsoft or Apple is simply not the answer.


I use Windows and bitcoin without any problem. All of my coins are under cold storage and my mtgox account is secured by 2-factor authentication. There is nothing wrong with using a proprietary OS. Linux looks safer simply because fewer people use it and it's not efficient to hack it for stealing coins. If a Linux user misuses the system (downloading warez or storing an unencrypted wallet improperly), their coins will get stolen some day. By the way, I don't think mtgox and bitcoinica are running on Windows, but both got hacked.

Yes one can secure Microsoft Windows, but it takes considerable effort and technical expertise. The average consumer's Microsoft Windows computer is more often than not infected with all sorts of rootkits and malware. It is far simpler in these situations to simply ditch Windows and use GNU/Linux. Cold storage can also provide a false sense of security because the moment one needs to move coins then one is exposed.

GNU/Linux is way safer than Microsoft Windows when it comes to malware. There are many reasons that come down to the design of the OS (it was designed from the ground up as a multi-user OS; Windows was not), and the culture (most GNU/Linux users download their software from trusted repositories, do not run as root, and have no motivation at all to download warez, even if warez that actually runs natively on GNU/Linux even exists!). The entire Free Software / Open Source model of software development is far more secure since there is no opportunity for "security by obscurity". The latter is very popular with proprietary software vendors. DRM, for example, is entirely based on security by obscurity.

There is a lot wrong with using a proprietary OS with bitcoin, particularly one that has over 90% market share, since that creates a massive single point of failure for a very large portion of the bitcoin network. If a Microsoft Windows related attack were to hit the bitcoin network, bitcoin's chance of survival will likely rest with those of us who have chosen to run bitcoin nodes and mining on GNU/Linux.

As for the MTGox and Bitcoinica hacks we are talking about servers being compromised because of less than optimal security procedures of the server administrators. This has nothing to do with the issue at hand here, namely malware on consumer computers.



I don't think you really know how cold storage like Armory or Electrum works. The private key is never exposed to the internet.

If mtgox or bitcoinica running on *nix could be hacked, your desktop computer with Linux could be hacked too, if you have less than optimal security procedures. As I said, there is less malware on Linux just because there is a lack of enough incentive to write it.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: flatfly on October 28, 2012, 10:02:08 AM
Use a regular (non-admin) user account, disable Java applets and use any other browser than IE. -> Just these 3 simple things bring the risk of virus/trojan/keylogger infection very close to zero (Linux-like). Really, it's that simple.

I love Linux as much as the next geek, but I've been using Windows as my main OS for 10+ years (mostly due to some very specialized apps that only exist for Windows) and have never had an infection despite downloading tons of software, thanks to the above measures. I think many other knowledgeable Windows users can confirm this.

Also consider the fact that Satoshi himself (whom we can reasonably call a security god, can't we?) was using Windows to develop Bitcoin!


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: CIYAM on October 28, 2012, 10:26:52 AM
I love Linux as much as the next geek, but I've been using Windows as my main OS for 10+ years (mostly due to some very specialized apps that only exist for Windows) and have never had an infection despite downloading tons of software, thanks to the above measures. I think many other knowledgeable Windows users can confirm this.

I can confirm this (the only issue I've had in the last 10+ years was plugging in a friend's USB flash drive to find it was infected which luckily my AV software detected before anything bad actually happened).

That being said it is certainly not as easy to protect a Windows install vs. a Linux one.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: aadje93 on October 28, 2012, 01:46:31 PM
Made new account/wallet. No more Dropbox backup for me.

If you want to help me and give me some BTC to help me getting the 101btc again: 1FZb3GDLTstYECV9QKmaTJh3xPRZfRfuxz any donation is very appreciated :).



Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: Blazr on October 28, 2012, 01:49:04 PM
Made new account/wallet. No more Dropbox backup for me.

If you want to help me and give me some BTC to help me getting the 101btc again: 1FZb3GDLTstYECV9QKmaTJh3xPRZfRfuxz any donation is very appreciated :).



Make sure you use Google Authenticator or an actual YubiKey and not an MtGox one, until Blockchain.info supports it correctly.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: FLHippy on October 28, 2012, 02:05:38 PM
I'll start mining again :). But I am not sure where to send my coins to, as I don't trust the client either because it failed sometimes to start on a Windows machine (not my PC; a laptop in the beginning while trying out the bitcoin client to mine solo and as a wallet, before finding online wallets).

What you should do for long-term storage is a cold wallet. If you only need a few BTC in your account at Blockchain, then transfer the rest to your cold wallet.

You can do it right from blockchain.info and you can transfer the money back with the same wallet you normally use.

If you need some help I can help you; it's quite simple, you just send the money to your offline wallet. I am selling beautiful unfunded paper bitcoins which are perfect for this and fully compatible with blockchain.info's import tools. It's only 1.5 BTC for 10 of them. They are custom printed to your specifications. Here is a link.....

BitcoinTalk link...
https://bitcointalk.org/index.php?topic=120221.msg1294820#msg1294820

BitMit Link with escrow...
https://www.bitmit.net/en/trade/i/8717-beautiful-unfunded-paper-bitcoins-custom-printing-free-ship


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: kokojie on October 28, 2012, 02:48:14 PM
If you re-use passwords, getting hacked is just a matter of time. Fucking Yahoo stores passwords in plaintext; they just leaked 500k passwords, including my password, and my Yahoo mail got hacked. But luckily I don't re-use passwords, so this had about zero effect on me. Yahoo mail I stopped using a long time ago; only a few old contacts got a virus/trojan sent to them.

First step to not get hacked: get LastPass or some password manager. That defeats keyloggers and forces you to not re-use passwords.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: giszmo on October 28, 2012, 04:40:12 PM
Edit: How can someone manage to lose so many bitcoins? Have you looked into paper wallets (https://en.bitcoin.it/wiki/Paper_wallet) or Casascius bitcoins (https://www.casascius.com/)?

Casascius provides a hosted-wallet level of security, at least to the degree it is verifiable from outside. Please don't share the private keys of your life savings with anybody.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: giszmo on October 28, 2012, 04:48:42 PM
Perhaps that's the solution then. Remove all need for understanding or training. Only release the client to the public on a proprietary device.

That is not bitcoin at all. It is more like MintChip. http://mintchipchallenge.com/ (http://mintchipchallenge.com/). Bitcoin is about putting the end user in control and for that one needs a Free Libre Open Source Software OS.

I sincerely hope to have a dedicated – not proprietary – device for my bitcoins at some point.

(From my bitcoinqt, bitcoinspinner (android), schildbach (android) and various hosted wallets, I don't know if bitcoinqt (on my developer/gamer/everything linux laptop that I carry around) or spinner (on my developer android that I barely carry around and that has only work-related apps installed) is the safer place to put my money. Right now I have half on my laptop and half in cold storage, and keyloggers scare me every time I type in my 12-char password. Backups have more like 35-char passwords.)


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: GernMiester on October 28, 2012, 08:00:10 PM
Another ID10T keeping coins on some website and losing them. It never ends
HAHA. BTC , just what grandma needs.... HAHAHAHA


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: matthewh3 on October 28, 2012, 08:30:21 PM
You could try - http://www.flexcoin.com/ - for your new savings wallet.  As they offer to put your coins into cold storage for you.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: kokojie on October 28, 2012, 09:28:53 PM
Another ID10T keeping coins on some website and losing them. It never ends
HAHA. BTC , just what grandma needs.... HAHAHAHA

The problem is not keeping coins on website, blockchain.info is quite safe. The problem is re-use of passwords, simple passwords and not using a secure password manager like Lastpass.


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: chriswilmer on February 17, 2013, 10:30:51 PM
Hey everyone, just thought I would point out that despite Mt. Gox Yubikeys being disabled, they are still described as useable on Blockchain's tutorials:

https://blockchain.info/wallet/yubikey

This page should be updated.

-Chris


Title: Re: Blockchain.info acount hacked while using yubikey....
Post by: ameer1367 on November 29, 2013, 01:03:21 AM
Old post; thought I might freshen it up. Even mine was stolen and I had Google Auth, so 2-factor is still bullcrap. If your desktop is hijacked you're fucked, even if you have 10000 passwords.