Bitcoin Forum

Economy => Service Discussion => Topic started by: coastermonger on April 24, 2013, 11:34:42 PM



Title: This redditor claims 160 BTC stolen from his blockchain acct even with 2 factor
Post by: coastermonger on April 24, 2013, 11:34:42 PM
The thread: http://www.reddit.com/r/Bitcoin/comments/1czrua/just_lost_160_btc_from_address_managed_with/

I was wondering if someone more versed in security could comment on it.  Some users seem to think that he mismanaged and the coins got sent to a "change" address still under his control, while the OP insists that this isn't the case here, and someone actually managed to bypass both his password protection and 2-factor security, possibly through an Android wallet App.   Needless to say, such news scares the shit out of us.


Title: Re: This redditor claims 160 BTC stolen from his blockchain acct even with 2 factor
Post by: proudhon on April 25, 2013, 12:49:32 AM
The thread: http://www.reddit.com/r/Bitcoin/comments/1czrua/just_lost_160_btc_from_address_managed_with/

I was wondering if someone more versed in security could comment on it.  Some users seem to think that he mismanaged and the coins got sent to a "change" address still under his control, while the OP insists that this isn't the case here, and someone actually managed to bypass both his password protection and 2-factor security, possibly through an Android wallet App.   Needless to say, such news scares the shit out of us.

This underscores the fact that bitcoin isn't ready for mainstream, as the simplest and most secure way to store bitcoin wealth is still more trouble and more technical than what most people are prepared to implement (i.e. offline, air-gapped private keys with encrypted and physical backups).

Right now, I wouldn't be pairing blockchain.info wallets with mobile devices.  I actually do pair a blockchain.info wallet with my iPhone, but that account only watches addresses associated with offline private keys.  I cannot spend from it, and neither could anyone else.


Title: Re: This redditor claims 160 BTC stolen from his blockchain acct even with 2 factor
Post by: Aseras on April 25, 2013, 01:20:27 AM
Blockchain's iPhone and Android apps store your main password in clear text in the DB. If you have that, you can simply log in, go to export unencrypted and do whatever the hell you want with the private keys. 2 factor or not.

It's useless and it's a huge hole that should be plugged.
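An added illustration of the difference Aseras is pointing at (example code written for this thread, not code from Blockchain.info or from any poster here), in Python with only the standard library: one store writes the wallet password into the app's local database as-is, the other writes only a random salt and a PBKDF2 verifier, so anyone who obtains the database cannot read the password back out of it, while the legitimate user can still unlock. The password value and the table layout are constructed for the example; a real wallet would additionally keep its private keys encrypted under a key derived from the password rather than only checking a verifier.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample credential for the example (not a real password).
SAMPLE_PASSWORD = "correct horse battery staple"


def open_db():
    """In-memory stand-in for an app's local settings database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT)")
    return conn


def save_insecure(conn, password):
    """The pattern described in the post: the main password is persisted in the clear."""
    conn.execute("INSERT OR REPLACE INTO settings VALUES ('main_password', ?)", (password,))
    conn.commit()


def save_hardened(conn, password, iterations=200_000):
    """Persist only a random salt and a PBKDF2-HMAC-SHA256 verifier; the password is never written."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    conn.execute("INSERT OR REPLACE INTO settings VALUES ('unlock_salt', ?)", (salt.hex(),))
    conn.execute("INSERT OR REPLACE INTO settings VALUES ('unlock_verifier', ?)", (verifier.hex(),))
    conn.execute("INSERT OR REPLACE INTO settings VALUES ('unlock_iterations', ?)", (str(iterations),))
    conn.commit()


def unlock_hardened(conn, candidate):
    """Re-derive the verifier from a typed password and compare in constant time."""
    rows = dict(conn.execute("SELECT key, value FROM settings"))
    salt = bytes.fromhex(rows["unlock_salt"])
    iterations = int(rows["unlock_iterations"])
    expected = bytes.fromhex(rows["unlock_verifier"])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def db_leaks_password(conn, password):
    """Audit check: does any persisted value contain the password in the clear?"""
    for (value,) in conn.execute("SELECT value FROM settings"):
        if value is not None and password in str(value):
            return True
    return False


if __name__ == "__main__":
    insecure = open_db()
    save_insecure(insecure, SAMPLE_PASSWORD)
    hardened = open_db()
    save_hardened(hardened, SAMPLE_PASSWORD)
    print("insecure store leaks password:", db_leaks_password(insecure, SAMPLE_PASSWORD))
    print("hardened store leaks password:", db_leaks_password(hardened, SAMPLE_PASSWORD))
    print("hardened unlock with right password:", unlock_hardened(hardened, SAMPLE_PASSWORD))
    print("hardened unlock with wrong password:", unlock_hardened(hardened, "wrong"))
```

The audit function is the check worth running against any wallet app's local storage: if the value you typed as your password turns up verbatim in the database, a second factor on the web login adds nothing, because whoever reads that file already has the password.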


Title: Re: This redditor claims 160 BTC stolen from his blockchain acct even with 2 factor
Post by: gbl08ma on April 25, 2013, 04:53:02 PM
Blockchain's iPhone and Android apps store your main password in clear text in the DB.
What, Blockchain.info's mobile apps offer an option for remembering the password? That's just plain stupid. If such an option doesn't exist when using the web browser version, why should it exist on the apps? It's equally unsafe.

If I had 160 BTC, I wouldn't be storing them on Blockchain.info but on a very well kept paper wallet.