Bitcoin Forum

I just wanted to make a post, I would have posted this in the main forums but I'm a newb lurker so I signed up to post this.

This morning I got an email from mt gox letting me know there had been a withdrawal on my account.

I didn't authorize one, and I had no idea wtf this was talking about, so I logged in to see the $480 USD I had in there had vaporized. Someone had logged into my account, bought btc, and then transferred it to themselves.

https://blockchain.info/address/1LuLza3QfbXP3GcABCe86MYSAy9jDq3DRm

The fucking wallet is 1LuLz just to taunt me as well.

I dunno what else to say about this other than 'be careful' but I thought I was being careful. I trusted gox with my money and now its gone and nobody has replied to me from them or answered me at all. This was my big attempt at taking my own money investing in BTC and this is where it has gotten me. Those of you that know me from camwhoring on reddit know that i've managed to scrape together a little  btc from tips and such but mostly I invested my own money to daytrade with.

That wallet is kept on my computer in a truecrypt container, yet I still felt it was less secure than keeping it somewhere safe like a big online company like mtgox.

That wallet is

https://blockchain.info/address/1669nJLncdiyuwRYmBfk4D6qF4Dibz7GjQ

and I think the only reason it didn't get raped as well is that it didn't have anything to steal.

So whoever did this. Thanks for stealing my groceries. You're a terrible person.

sucks men, sorry to hear that, truly.

That really sucks man, try to contact mtgox and scan your pc for viruses and did you installed something or visited any site that have java based chat or something?

I have two factor authentication on my accounts.

It was stolen despite this.

You have Google Authenticator OTP?

Man i use that i thought that was fool proof. It doesnt make sense..

If you did use Google One Time Password... they would have to had access to that... unless you had the back up keys in an easy to find place

That's a bloody blow to the gut.

Bad luck. At the end of the day.. All forms of hacking have to be due to some sort of fault by the victim. I guess this could be seen as a some what expensive lesson.

I hope you don't give up on Bitcoin though due to this.

unless this was some sort of inside job. apparently its happened to other people as well.

gox basically sent me their "call the police" form letter. When I explained that I did all their authentications right, they didnt' reply.

I dunno, the whole point of this endeavor was to camwhore on reddit for tips, and then take some of my personal funds and invest with the hope of making ends meet a little easier. Now if anything the situation is far worse.

I think I may leave btc. Nobody ever broke into my USD bank account and stole all my money. Even if they did, I could get it back.

I think the worst part though is seeing the tor exit node and wallet name on blockchain and knowing some bastard did this to me.

oh, im very sorry for you.
did they know your password?

oh, the irony

i had money sitting in mtgox for days, after i install the 2 step authentication..

Felt pretty safe.

To be honest though it seems a great security method.. the passowrd changes every 30 secounds. So they would need fyour phone to get that data... so maybe theres virus on your phone.. or googles securties been hacked.

Either way ...

Zaih saying its a an expensive lesson to learn is totally unproductive. what has been learned from this?

Nothing, we don't know the exact method to how she lost her coins.

Do a virus scan please Fawksgirl.. also on your phone... would help people alot if we could understand where the leaky part of your securty was...

and sorry this sucks big time....

Let me get this straight... they stole from a 2fa protected mtgox account and had the guts to push the funds to a vanity address?

I always want to learn more about this kind of story - if the OP could find out what exactly happened and report back, it might help everyone else down the line...

I can't tell you much more than what I already have. It was a major player in the btc community who told me it might have been an inside job. Gox continues to ignore me.

All I can do is show you my addresses on blockchain so you can see the theft yourself. I personally will never use gox again for anything.

That sucks! Just out of interest. Do you use Windows, Mac or Linux as your main computer when accessing mt Gox?

You might as well say; "you left your window opened, you deserved to get raped!"

Trojans and malware are continually being created or updated to get around antivirus applications. Antivirus apps, malwarebytes, etc are continually being updated to clean PCs.

I am sorry this happened to you girlfawkesy. With two-factor authentication that shouldn't have happened.

IMO wouldn't leave money like that around on GOX/coinbase etc.  Best bet is to keep it on your computer and not download malicious keyloggers and keep computer up to date on virus software.  That way if the big companies get DDoSed or hacked you can't lose your money.  If you need to exchange the coins then transfer them in and the money out asap or vice versa.

this is crazy, but why dont gox have like you have to enter your birth date or something to cash out as well. that would make this bs avoidable. they could also have a setting so you receive e-mail if someone with ip outside your country logs in. just feels to me gox is half assing everything, but when it comes to veryfing account there is no fing limit to their stupid demands. lousey exchange hope a real alternative comes along.

Some technical details would be useful.  There has never been a case of TOTP being "cracked".

Was TOTP (Google Authenticator) enabled on WITHDRAW (settings can be found in security center)?
Was the Google Authenticator installed a second device (i.e. MtGox accessed from home computer,  code generated on android phone)?
Does anyone else have access to the generator (roommate, friend, etc)?

First off, I'm sorry your funds got stolen. That really sucks. Secondly, you could help prevent other people from suffering this if you provided more details about the security setup you were using so how this attack could have taken place can be discovered/prevented in the future.

This doesn't seem legit. How could someone with 2FA get their account stolen? unless it was someone you live with and you openly have passwords written down.

Dont go on websites you are unsure about... ALWAYS have two factor authentication. It's highly unlikely for 2FA to be broken into.

Its unfortunate to hear. Didnt you got an email from Mt gox like:

There has been a withdrawal from your Mt.Gox account:
Transaction reference: 8ajr341-kjsdf-4f27-8sdb-isjfue739df
Date: 2013-xx-xx 09:26:55 GMT
IP: xxx.xxx.123.254
You can access your account history for more details.
Please contact us as soon as possible by replying to this email if you did not request this withdrawal.

If you contacted them, wouldn't be possible to repudiate the transaction?

Stop believing the myth that TFA is uncrackable.
It does improve security, sure, but it is no way the holy grail.
There have been precedents where malware could steal funds despite TFA.

http://www.wired.com/insights/2013/04/five-myths-of-two-factor-authentication-and-the-reality/



Measures like the above would greatly help secure user accounts (in addition to TFA) while being rather easy to implement, so Gox really has no excuses for neglecting such details.
 

Please provide some examples, your linked article did nothing of the sort.  

Nobody said anything about holy grail but extraordinary claims require extraordinary details. The OP provided no details so to assume MtGox 2FA has been compromised is dubious at this time.


Unless the OP had a horribly weak password the most common attack vector is compromise to the users machine and gain access to credentials via keylogger.  In that instance it is highly likely the user's email address is compromised as well (unless it is also protected by 2FA).  A more sophisticated attack would use OP computer as a proxy or to just steal the OP session when already logged in.  In either case the only IP would be the users.  Layering steps and procedures which all involve the same compromised machine is probably just "feel good" security.

I agree, until OP gives more details... There were thousands of people reporting being hacked on Diablo 3 despite having a mobile authenticator. To this day not a single claim was proven. It's just not possible. I'm sure some TFAs can be cracked but it's highly unlikely. Just a troll I guess

Edit: nvm, I suggested 2fa but you already had that.

Did you download any weird .exes ?

My claim was not that extraordinary... It's not like I'm saying
I was abducted by a UFO or something :)

Anyway, here's one rather famous example:

http://arstechnica.com/security/2012/12/sophisticated-botnet-steals-more-than-47m-by-infecting-pcs-and-phones/

I agree with the rest of your comments.

Nice example.  This is one reason why I favor dedicated offline tokens.  PayPal (of all people) uses a nice one which is the size of a credit card so you can easily store it in your wallet.

The extraordinary claim was more direct at the OP claim.  Some  details would be nice.  Past examples of people reporting their 2FA on MtGox was compromised turned out to be untrue (in one example user never activated it due to user error).

Fawksey

uhmn, run a virus scan on your pc and mobile... and please tell us if you have any malicious software installed.

Hnm could be a decent hacker who just deletes the malicious software after use. There probably is something that points to what happened.


If she had back ups of her reset keys then they could "bypass" the security.

Ps fawkesy i agree with you about monsanto ... very naughty peeps.

this is so sad...

Ouch.

This is as far as I know the first report of 2FA being worthless on MtGox.

And if memory serves, the last time they got hacked it also started with two weeks of compromised accounts (which the "victims of their own success" blamed on the actual victims, of course).

D&T does have a point tho, any details you can provide would be useful.

Stop being so dramatic.

If you really put your "grocery" money into this, then you did this to yourself.

If you had actually spent time researching and combing through the forums for even a day you would have known the risks.

Your a can whore on credit and your complaining?!

that is a sad story my friend :(

Well at least she can grenner.

God damm auto correct FML!

Sorry I was at work all day.

Yes, I got the email from gox, I emailed back and forth with them on their support site and basically they told me I'm screwed, the transaction is irreversable.

I was logged into gox last night shortly before going to bed when it happened. Nobody had physical access.

I'm thinking either my session got jacked or I have a keylogger/phone virus.

The ip the withdrawl came from was a tor exit node in sweden.

I know I"m screwed at this point, it just sucks.

MtGox should make it so you can lock BTC withdrawals to a single preset bitcoin address.  This would be simple and straightforward and would 100% eliminate losses like this.  This isn't the first time I have ever mentioned this crazy idea, there is no reason this can't be implemented yesterday, and I hope their competition brings it sooner than later.

Only store on a e-wallet what you can afford to loose.
Learn a thing or two about computer security.
Try and use Linux to store your wallet

Yeah how could it be that 2FA was worthless? The article linked earlier talk about the kind where text-messages were intercepted, but I can't imagine how a google authenticator could be intercepted. And why not make a fixed withdrawal-address? That's really fucking easy to implement, and just send an e-mail when it's changed but make sure it takes two weeks before it would be really changed. which give you plenty on time to sort things out with MtGox.

Wow, I thought MtGox blocked accounts that were accessed via Tor. Is this not right?

They can't catch everything.  Losing money sucks, but least it was only 4 BTC.

GUYS GUYS I'M A GIRL

Feel sorry for me and donate to help me recuperate my stupid ass mistakes.


Ignore this shit.

You never should have blindly thrown your money into something you CLEARLY know nothing about

I'm sorry for your loss, but you did not lost your money. You lost the bitcoins your account bought.
And bitcoin is not safe: you can't do shit and will never see them again.


If someone stole your euros/usd/money, you could do something (go to the police station), but now, you're fucked up.

sorry to hear that, very unfortunate

ive had some troubles and now use google auth tokens, they make it much more complicated and annoying to log in, but it gives you piece of mind

That won't protect you from an inside job. They'll claim somebody close to you, who knew your birthday, must have done it. ("do you trust the people in your environment?")

Only thing that would help is to specify a whitelist of withdrawal addresses in advance, and only allow coins to be withdrawn to those addresses. And in order to add new addresses, have them confirmed through email and enforce a week delay (before any new address becomes whitelisted) so sudden hit & run theft is no longer possible. Well, of course a MtGox insider could still take your coins, but in this scenario it's obviously a fucked up at their end so they can be held responsible.

Not to mention most anyone sane does it that way. Karpeles is too smart to listen tho, so.