Bitcoin Forum

Economy => Service Discussion => Topic started by: JRam on September 14, 2013, 01:11:05 PM



Title: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 01:11:05 PM
https://i.imgur.com/DyjeYdh.jpg

https://i.imgur.com/TL1rJxc.jpg

https://i.imgur.com/J4dL01c.jpg

https://i.imgur.com/2WiPhYj.jpg

All of the trade activity in the screenshot is not mine. I originally had $4,000 in USD but the culprit converted it to BTC and withdrew.

How hard is it to bypass the Yubikey? I was not even awake at around 4 AM when this happened so I don't think it is malware or phishing. In case this is some form of delayed malware, I'm doing a full scan at the moment with Malwarebytes. I am beginning to suspect Mt.Gox internal operations of doing this especially after hearing all the news about Mt.Gox's financial problems.

When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide?

I don't want to believe it but the possibility of the largest BTC exchange stealing from its users paints a grim picture for BTC. If my suspicions are correct, I hope this serves as a warning to the rest of the BTC community.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: 01BTC10 on September 14, 2013, 01:13:09 PM
I know it sounds dumb but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 01:17:18 PM
I know it sounds dumb but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.

Can you clarify? I see my Yubikey specifically under "Withdrawals".


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: 01BTC10 on September 14, 2013, 01:18:20 PM
I know it sounds dumb but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.

Can you clarify? I see my Yubikey specifically under "Withdrawals".
You should be good then.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 01:38:20 PM
I know it sounds dumb but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.

Can you clarify? I see my Yubikey specifically under "Withdrawals".
You should be good then.

Haha, well apparently not since someone still managed to steal from my account. I added screenshots of the Yubikey. Yubikeys aren't supposed to be easy to crack are they? I can only think of Mt. Gox itself doing this so I will never trust them again.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: 01BTC10 on September 14, 2013, 01:40:03 PM
I know it sounds dumb but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.

Can you clarify? I see my Yubikey specifically under "Withdrawals".
You should be good then.

Haha, well apparently not since someone still managed to steal from my account. I added screenshots of the Yubikey. Yubikeys aren't supposed to be easy to crack are they? I can only think of Mt. Gox itself doing this so I will never trust them again.
I don't have any clue what went wrong in your case but at least you didn't forget to activate your YubiKey like I've already seen in the past.

Is the OTP value I see Google Authenticator? If you did a backup of the seed somewhere it could have been stolen.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Luno on September 14, 2013, 01:46:35 PM
You don't have Google Authenticator or a paired cell phone also on your withdraw methods?

If a Yubikey can be faked every university or other business using them are in trouble and no, you can't sniff the key from a Yubikey it's a hard coded non recursive algorithm that calculates the last characters of your key every time you press the button. The long press used for withdrawals is even more complex.

So Gox hack or inside theft?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Pokerfan on September 14, 2013, 01:49:59 PM
Go into "Security Center" -> "Current API Keys"

Confirm there's nothing there.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 02:02:09 PM
Go into "Security Center" -> "Current API Keys"

Confirm there's nothing there.

https://i.imgur.com/CKuu90B.jpg

I use the TobbeLino trade bot https://github.com/TobbeLino/GoxTradingBotTobli but its API key was only granted permissions to get_info and trade. This bot was also disabled for over a week so I don't think this is the cause.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: BurtW on September 14, 2013, 02:38:39 PM
https://blockchain.info/address/1Zq3rJPzNMi9vJ1KqT9SKfAcfHx8NYVds

Just looking for clues...

Why 2.00 + 2.00 + 25.20793 to get them out instead of one transaction?

Then they moved 52 out of their wallet and we get to see a lot of the addresses in their wallet.

Then they moved 101 out of the same wallet and we get to see a lot more of the addresses in their wallet.

So it appears we have a lot to go on here...

47 of the 101 ended up here:  

https://blockchain.info/address/1AYTN944QaxUJiy2kkeyMoue1DNXBtvFTy

56 of the 101 ended up here:  

https://blockchain.info/address/12HXeLmimYVQUz2kojkPcMHHPQYPMaAond

Some of the coins went through this interesting address:  

https://blockchain.info/address/1LBCfs6JUWCgZWzHddHuiZsSMZ7E64YmcP

Does anyone recognize this mixing method?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: ardana123 on September 14, 2013, 05:10:15 PM
Must be the api access you enabled if you had a yubikey configured.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: 01BTC10 on September 14, 2013, 05:12:24 PM
Must be the api access you enabled if you had a yubikey configured.
Quote
API key was only granted permissions to get_info and trade.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: ardana123 on September 14, 2013, 05:19:22 PM
Maybe his computer was on at the time, logged in on his Gox account? Someone might've taken over the computer.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: rufusBTC on September 14, 2013, 05:33:23 PM
there should be a way to reverse these type of transactions when something unauthorized occurs. that's the weakness of BTC right now.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: CIYAM on September 14, 2013, 05:37:05 PM
there should be a way to reverse these type of transactions when something unauthorized occurs. that's the weakness of BTC right now.

Bitcoin doesn't work like that but exchanges could very easily let you set up your account so that say a BTC transfer won't occur until 24+ hours after requesting it giving you time to cancel such theft attempts.

Bitcoin's *strength* is that it isn't reversible - but that does make it harder when building services that use it to help protect the users (it's always going to be a trade-off between speed and expense).
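
The delayed-withdrawal idea in this post, combined with the unfamiliar-country red flag raised in the opening post, as an added example (not Mt. Gox's code or any exchange's real implementation). The class and field names are hypothetical, the country of each request is assumed to be supplied by the caller, and the sample account data in the test is constructed.

```python
from dataclasses import dataclass

HOLD_SECONDS = 24 * 3600  # the 24-hour delay suggested in the post


@dataclass
class Withdrawal:
    wid: int
    account: str
    satoshis: int
    address: str
    release_at: int            # earliest time the transfer may be broadcast
    needs_confirmation: bool   # True when the request came from an unusual country
    status: str = "pending"    # pending -> released | cancelled


class WithdrawalQueue:
    """Holds every withdrawal for HOLD_SECONDS so the owner can cancel it."""

    def __init__(self, home_country):
        # account -> country the owner normally connects from (assumed known)
        self.home_country = dict(home_country)
        self.items = {}
        self.notices = []  # messages that would be sent to the owner out of band

    def request(self, account, satoshis, address, now, country):
        # A request from a country other than the usual one is never released
        # on the timer alone; the owner has to confirm it explicitly.
        unusual = country != self.home_country.get(account)
        w = Withdrawal(len(self.items) + 1, account, satoshis, address,
                       now + HOLD_SECONDS, unusual)
        self.items[w.wid] = w
        kind = "confirm-or-cancel" if unusual else "cancel-window-open"
        self.notices.append((account, w.wid, kind))
        return w

    def _pending(self, wid, account):
        w = self.items.get(wid)
        if w is not None and w.account == account and w.status == "pending":
            return w
        return None

    def cancel(self, wid, account):
        # Cancelling only works inside the hold window, i.e. while still pending.
        w = self._pending(wid, account)
        if w is None:
            return False
        w.status = "cancelled"
        return True

    def confirm(self, wid, account):
        # Owner confirms a flagged request through a separate channel.
        w = self._pending(wid, account)
        if w is None:
            return False
        w.needs_confirmation = False
        return True

    def release_due(self, now):
        # Release only requests whose hold has expired and that are not flagged.
        released = []
        for w in self.items.values():
            if (w.status == "pending" and now >= w.release_at
                    and not w.needs_confirmation):
                w.status = "released"
                released.append(w.wid)
        return released
```

The hold only helps if the notice and the cancel action travel over a channel the person holding the stolen session cannot also control.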


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: niko on September 14, 2013, 06:40:59 PM
there should be a way to reverse these type of transactions when something unauthorized occurs. that's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 08:47:50 PM
Maybe his computer was on at the time, logged in on his Gox account? Someone might've taken over the computer.

https://i.imgur.com/2WiPhYj.jpg

My PC is located in my home but the person who withdrew had an ip address from China. Malwarebytes did not detect anything that I think would take over my computer. I'm not sure what it could be.

there should be a way to reverse these type of transactions when something unauthorized occurs. that's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

Holes via Google auth? Can you clarify?

https://blockchain.info/address/1Zq3rJPzNMi9vJ1KqT9SKfAcfHx8NYVds

Just looking for clues...

Why 2.00 + 2.00 + 25.20793 to get them out instead of one transaction?

Maybe someone was testing if they got around my Yubikey but I still don't know how. I am still suspecting Mt. Gox itself doing this.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: 01BTC10 on September 14, 2013, 08:53:04 PM
You do have a lot of annoying AdWare, this shouldn't be found on a "secure" computer.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 08:59:43 PM
You do have a lot of annoying AdWare, this shouldn't be found on a "secure" computer.

I did a bit of digging into these AdWare but none of them seems to be able to take over my computer or is even related to bitcoin. I'm running MSE atm but it never recorded any attacks in its log. The logged ip address that did the transfer was from China; is this really something that originated from my PC? I'm still not sure how my Yubikey was bypassed unless it was by Mt. Gox employees.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: 01BTC10 on September 14, 2013, 09:02:54 PM
There is a weakness if the Google Authenticator seed was somehow compromised. I'm not sure if a session cookie could have been stolen to login without the YubiKey then using Google Authenticator for withdrawal. That would explain the external IP but I'm not sure if stealing your cookie would work.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: sublime5447 on September 14, 2013, 09:03:35 PM
there should be a way to reverse these type of transactions when something unauthorized occurs. that's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

Cash payments are reversible it is called small claims court.

OP, I don't know shit about the issue you are having but it is screwed up. Goes to show you can't trust institutions.

It makes me sick that this happened to you.



Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 09:07:38 PM
There is a weakness if the Google Authenticator seed was somehow compromised. I'm not sure if a session cookie could have been stolen to login without the YubiKey then using Google Authenticator for withdrawal. That would explain the external IP but I'm not sure if stealing your cookie would work.

there should be a way to reverse these type of transactions when something unauthorized occurs. that's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

Cash payments are reversible it is called small claims court.

OP, I don't know shit about the issue you are having but it is screwed up. Goes to show you can't trust institutions.

It makes me sick that this happened to you.




Thank you guys for your input thus far. I think I will have to distance myself from BTC now since the investment portion was a big reason why I got into BTCs. When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: 01BTC10 on September 14, 2013, 09:09:15 PM
There is a weakness if the Google Authenticator seed was somehow compromised. I'm not sure if a session cookie could have been stolen to login without the YubiKey then using Google Authenticator for withdrawal. That would explain the external IP but I'm not sure if stealing your cookie would work.

there should be a way to reverse these type of transactions when something unauthorized occurs. that's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

Cash payments are reversible it is called small claims court.

OP, I don't know shit about the issue you are having but it is screwed up. Goes to show you can't trust institutions.

It makes me sick that this happened to you.




Thank you guys for your input thus far. I think I will have to distance myself from BTC since the investment portion was a big reason why I got into BTCs. When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.
Long term investment should never be left on an exchange, use a paper wallet or an offline computer with Armory.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 09:14:13 PM
There is a weakness if the Google Authenticator seed was somehow compromised. I'm not sure if a session cookie could have been stolen to login without the YubiKey then using Google Authenticator for withdrawal. That would explain the external IP but I'm not sure if stealing your cookie would work.

there should be a way to reverse these type of transactions when something unauthorized occurs. that's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

Cash payments are reversible it is called small claims court.

OP, I don't know shit about the issue you are having but it is screwed up. Goes to show you can't trust institutions.

It makes me sick that this happened to you.




Thank you guys for your input thus far. I think I will have to distance myself from BTC since the investment portion was a big reason why I got into BTCs. When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.
Long term investment should never be left on an exchange, use a paper wallet or an offline computer with Armory.

If this was Mt. Gox's doing and was a result of their financial situation, wouldn't it still be unsafe in the short term if their financial situation got desperate enough? I'd imagine it would be something similar to Russian roulette with risks increasing every second when they have your BTCs.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: 01BTC10 on September 14, 2013, 09:19:10 PM
I don't leave any coins on any exchange unless I need to trade.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: willphase on September 14, 2013, 09:56:04 PM
check you didn't have any extensions installed that had full access to your computer (NPAPI) or had access to contents of tabs, or mtgox.

an extension such as this could inject malicious javascript into your mtgox page.

Will


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 10:04:21 PM
check you didn't have any extensions installed that had full access to your computer (NPAPI) or had access to contents of tabs, or mtgox.

an extension such as this could inject malicious javascript into your mtgox page.

Will

https://i.imgur.com/XVw29qL.jpg

I really don't think it's the trade bot. Anyone can take a look at the source code https://github.com/TobbeLino/GoxTradingBotTobli.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: willphase on September 14, 2013, 10:19:52 PM
what device is your GA stored on?

Is the device rooted?

Did you make backups of the GA seed somehow or somewhere, and if so, where were those stored?

Will


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: solex on September 14, 2013, 10:45:01 PM
OP, can you ask MtGox to check and confirm:

a) that funds can only be withdrawn from your account when the yubikey is used.
b) that their logs show a 3-sec (long-press) was actually performed on this withdrawal.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Stephen Gornick on September 14, 2013, 10:59:02 PM
I originally had $4,000 in USD but the culprit converted it to BTC and withdrew.

Out of curiosity, what verification level is your account?
 - http://en.bitcoin.it/wiki/Mt._Gox#AML


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 11:31:58 PM
I originally had $4,000 in USD but the culprit converted it to BTC and withdrew.

Out of curiosity, what verification level is your account?
 - http://en.bitcoin.it/wiki/Mt._Gox#AML

https://i.imgur.com/PioDmwd.jpg

Verified level 1. I did the whole verification process and sent them my info.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: sublime5447 on September 14, 2013, 11:35:33 PM
You guys are killing me all these security measures. The questions you have asked of the OP I could never answer.

If this guy gets screwed what chance does the average person have?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 11:39:05 PM
what device is your GA stored on?

Is the device rooted?

Did you make backups of the GA seed somehow or somewhere, and if so, where were those stored?

Will

Here it is straight from my T-Mobile personal account although I had to black out my name and number:

https://i.imgur.com/2gGInBc.jpg

My cell is not rooted and I did not have any backups. I've heard of the rooting process and what it can do but I never personally had a need for it.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: willphase on September 14, 2013, 11:39:46 PM
what device is your GA stored on?

Is the device rooted?

Did you make backups of the GA seed somehow or somewhere, and if so, where were those stored?

Will

Here it is straight from my T-Mobile personal account although I had to black out my name and number:

https://i.imgur.com/2gGInBc.jpg

My cell is not rooted and I did not have any backups. I've heard of the rooting process and what it can do but I never personally had a need for it.

so you were using SMS based GA or running the GA app on your phone?

Will


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 14, 2013, 11:41:47 PM
what device is your GA stored on?

Is the device rooted?

Did you make backups of the GA seed somehow or somewhere, and if so, where were those stored?

Will

Here it is straight from my T-Mobile personal account although I had to black out my name and number:

https://i.imgur.com/2gGInBc.jpg

My cell is not rooted and I did not have any backups. I've heard of the rooting process and what it can do but I personally never had a need for it.

so you were using SMS based GA or running the GA app on your phone?

Will

GA app.

OP, can you ask MtGox to check and confirm:

a) that funds can only be withdrawn from your account when the yubikey is used.
b) that their logs show a 3-sec (long-press) was actually performed on this withdrawal.

I will ask them right away on these specific points.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: willphase on September 14, 2013, 11:52:56 PM
Thanks for answering all the questions.  I'm not sure how those funds were taken.  It seems you had taken all steps to avoid being hacked, and all the obvious (and some non-obvious) attack vectors were covered.

Will


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: coinage on September 14, 2013, 11:57:10 PM
If Mt. Gox allows withdrawals using either the OTP -or- the Yubikey, Google Authenticator OTP is the far more likely vulnerability.

That would be the case if, when setting up the OTP, you typed its key details into a file on your computer or smartphone (how else would you recover it if there's a problem?)  ... or if you ever installed software on your trading computer to process the OTP (instead of or in addition to Google Authenticator on the phone)  ... or if you ever connect the phone to the computer.  All these scenarios assume a compromised computer, and not necessarily any user error.

Or, the smartphone with GA could itself be compromised.  If the phone was used to trade, or if the Mt. Gox account name & password were kept on it, then the PC need not be involved.


An inside theft by Mt. Gox employees would seem more likely to involve accounts lacking Yubikey withdrawal restrictions, to keep a lower profile, unless the intention of the theft was to visibly harm the exchange's reputation in an especially newsworthy way.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 15, 2013, 12:24:29 AM
Thanks for answering all the questions.  I'm not sure how those funds were taken.  It seems you had taken all steps to avoid being hacked, and all the obvious (and some non-obvious) attack vectors were covered.

Will

Thank you for your insight into this.

If Mt. Gox allows withdrawals using either the OTP -or- the Yubikey, Google Authenticator OTP is the far more likely vulnerability.

That would be the case if, when setting up the OTP, you typed its key details into a file on your computer or smartphone (how else would you recover it if there's a problem?)  ... or if you ever installed software on your trading computer to process the OTP (instead of or in addition to Google Authenticator on the phone)  ... or if you ever connect the phone to the computer.  All these scenarios assume a compromised computer, and not necessarily any user error.

Or, the smartphone with GA could itself be compromised.  If the phone was used to trade, or if the Mt. Gox account name & password were kept on it, then the PC need not be involved.

An inside theft by Mt. Gox employees would seem more likely to involve accounts lacking Yubikey withdrawal restrictions, to keep a lower profile, unless the intention of the theft was to visibly harm the exchange's reputation in an especially newsworthy way.

No software installed to process OTP and my phone was never directly connected to my computer. I connect my phone to my wireless router for its internet speed when I needed to download apps like Google Authenticator. The phone itself was never used to trade, I only traded via the PC.

If Mt. Gox ran out of accounts lacking Yubikeys or a combination of other authentication methods, would they eventually grow desperate enough under financial pressure? There are also other reasons why I suspect Mt. Gox, namely the ip address being from China withdrawing from my US based account. No delays or email verifications raised to this glaring red flag. I never had an intention to harm Mt. Gox's reputation since their success would eventually equal to my success. I was trading on trends fairly well and Mt. Gox's volume helps a lot. Without Mt. Gox, I can't do what I have been doing so I lose out too.

This attack seems to be well timed since I get limited support from Mt. Gox on the weekends. I know I have been a bit aggressive with the Mt. Gox representative but I don't see any other options. For anyone interested:

https://i.imgur.com/4hvC4yq.jpg


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: chriswilmer on September 15, 2013, 01:56:23 AM
I'm glad some people are posting on this thread, but frankly I was expecting this to get a lot more attention. This would be the first story, ever, of a person losing money who had a Yubikey and did not also have a trading API key floating out to be used. I've never used a trading bot, so I don't know if there was a mistake in granting permissions there... but this would be a Bitcoin first.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 15, 2013, 02:21:38 AM
I'm glad some people are posting on this thread, but frankly I was expecting this to get a lot more attention. This would be the first story, ever, of a person losing money who had a Yubikey and did not also have a trading API key floating out to be used. I've never used a trading bot, so I don't know if there was a mistake in granting permissions there... but this would be a Bitcoin first.

Well it is the weekend so it is understandable. Although having $4,000 stolen hurts, there is not much more I can do about it. I'm confident there is no mistake in granting permissions as you would have to consciously check the 'withdraw' box to grant withdraw permission. I also combed through the trading bot source code at one point looking to see if there is any malicious code.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: coinage on September 15, 2013, 02:36:38 AM
No software installed to process OTP and my phone was never directly connected to my computer. I connect my phone to my wireless router for its internet speed when I needed to download apps like Google Authenticator. The phone itself was never used to trade, I only traded via the PC.

Thanks for the details.  What about the thought of having typed the Google Authenticator OTP setup seed into a text file (or email, etc.) on the computer, as a way to keep a personal copy of the information in case it was needed later?

If someone did not manage to get your withdrawal credentials, then your report could reveal a new intrusion into Mt. Gox's servers.  Despite the 2FA, an attack could still be from outside the company (unless Mt. Gox has really outdone itself with thoroughly secured login/withdrawal processing).


BTW, does anyone know how long Mt. Gox restricts withdrawals to a given GA OTP, and especially whether the site allows reuse of a prior "OTP"?  In the recent past at least, they certainly did not strictly adhere to the standard 30-second window.  (Conceivably a man-in-the-middle attacker could take advantage of such weaknesses.)


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: fimp on September 15, 2013, 03:05:36 AM
Is having two different 2-factor auths for withdrawal AND or OR? Will you need both to make the withdrawal or just one of them?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JoelKatz on September 15, 2013, 03:18:29 AM
I'm glad some people are posting on this thread, but frankly I was expecting this to get a lot more attention. This would be the first story, ever, of a person losing money who had a Yubikey and did not also have a trading API key floating out to be used. I've never used a trading bot, so I don't know if there was a mistake in granting permissions there... but this would be a Bitcoin first.
We're still missing a lot of information. For example, we don't know whether Gox claims they received a valid YubiKey code when the withdrawal was made. This may get very interesting soon though.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 15, 2013, 03:50:43 AM
No software installed to process OTP and my phone was never directly connected to my computer. I connect my phone to my wireless router for its internet speed when I needed to download apps like Google Authenticator. The phone itself was never used to trade, I only traded via the PC.

Thanks for the details.  What about the thought of having typed the Google Authenticator OTP setup seed into a text file (or email, etc.) on the computer, as a way to keep a personal copy of the information in case it was needed later?

If someone did not manage to get your withdrawal credentials, then your report could reveal a new intrusion into Mt. Gox's servers. Despite the 2FA, an attack could still be from outside the company (unless Mt. Gox has really outdone itself with thoroughly secured login/withdrawal processing).

BTW, does anyone know how long Mt. Gox restricts withdrawals to a given GA OTP, and especially whether the site allows reuse of a prior "OTP"?  In the recent past at least, they certainly did not strictly adhere to the standard 30-second window.  (Conceivably a man-in-the-middle attacker could take advantage of such weaknesses.)

No backups since I didn't think it was needed even if I did somehow lose access to the keys. I recall Mt. Gox gave an option to unlink keys where they lock down your account for 2 weeks and repeatedly email you to verify that the real owner made the request.

https://www.mtgox.com/login/otp-unlink

As I've used my account earlier this week and never received such emails, I don't think this was the attack vector.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: chriswilmer on September 15, 2013, 04:01:54 AM
Sorry if this was explained already... but why was Google authenticator also being used in addition to a yubikey?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: btcdrak on September 15, 2013, 06:56:11 AM
You need to find out if the GA or Yubikey was used in the authorization.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: PurpleTentacle on September 15, 2013, 07:07:30 AM
Did you have NoScript installed in your browser?

Could the thief use a keylogger on your system to work out the yubikey seed?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: caveden on September 15, 2013, 07:54:42 AM
Were you doing any operation at the site that would require the Yubikey code?

Advanced malware could put itself in between you and MtGox, and if you request a withdrawal to address A, it could change that to address B without you noticing, and make you authorize that via the Yubikey code. That'd be very advanced malware though, as it would have to somehow replace your browser with a bogus one.


EDIT: Just saw your post on reddit saying that you were not awake while this happened, which rules out my supposition.

When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.

Come on. Not wanting to be mean, it's a shame that you've lost your money and I hope this mystery gets solved, but of course there was something you could have done, and you know it very well: you could have stored your coins yourself, offline.

This is to everyone who stores their money on Gox and others: Seriously people, Bitcoin empowers you to be your own bank. To have no counter-party risk. And you keep leaving your money in bank-like institutions? What's to prevent MtGox servers from being hacked, and eventually even its cold wallet stolen like bitfloor? Or, even more likely, what if they're raided and all the money seized, à la Cyprus?

Store your bitcoins yourself.

If that sounds "too geeky" and you're not willing to go through the learning curve right now, then perhaps Bitcoin and you are not ready for each other for the moment. Interesting projects like Trezor are in development, and they could bring the two of you together again soon enough.

Again OP, don't take my post in a bad way, I am really sorry this has happened to you. But please don't claim that you haven't been warned - I'm definitely not the first one saying this -, or that there are no ways to hold Bitcoins safely, because you know that's not the case.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: samson on September 15, 2013, 08:39:58 AM
How many people replying to this even bothered to read the original post?

Look - this is what he said:

All of the trade activity in the screenshot are not mine. I originally had $4,000 in USD but the culprit converted it to BTC and withdrew.

Come on. Not wanting to be mean, it's a shame that you've lost your money and I hope this mystery gets solved, but of course there was something you could have done, and you know it very well: you could have stored your coins yourself, offline.

This is to everyone who stores their money on Gox and others: Seriously people, Bitcoin empowers you to be your own bank. To have no counter-party risk. And you keep leaving your money in bank-like institutions? What's to prevent MtGox servers from being hacked, and eventually even its cold wallet stolen like bitfloor? Or, even more likely, what if they're raided and all the money seized, à la Cyprus?

Store your bitcoins yourself.

If that sounds "too geeky" and you're not willing to go through the learning curve right now, then perhaps Bitcoin and you are not ready for each other for the moment. Interesting projects like Trezor are in development, and they could bring the two of you together again soon enough.

Again OP, don't take my post in a bad way, I am really sorry this has happened to you. But please don't claim that you haven't been warned - I'm definitely not the first one saying this -, or that there are no ways to hold Bitcoins safely, because you know that's not the case.

Well I just read the original post and what you're saying here is clearly incorrect.

The OP had $4000 in his MtGox account. Someone gained unauthorised access and purchased Bitcoin.

After purchasing the Bitcoin they withdrew it.

So he had USD sitting on the exchange - not Bitcoin.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: caveden on September 15, 2013, 09:16:47 AM
My mistake then. But again, the risks are almost the same. MtGox fiat account could be seized, the entire site hacked and become insolvent, or his personal account hacked. If he intended to keep a fiat balance, it would be safer to do so in a traditional bank that can reverse transactions.

Perhaps he was keeping his fiat there because of MtGox's liquidity problems. Or perhaps he was a day-trader. These possibilities make it much more understandable.

But if you have fiat on Gox and you're not willing to spend this money any time soon, then I'd advise withdrawing it. Even if it takes months to come to your bank account, it's safer like this than letting it sit there. I'd say that MtGox is more vulnerable to account seizures than most banks... it has already happened to their US-domiciled accounts, are you so sure it won't happen to their main accounts in Japan?

EDIT: By the way, my post above is not entirely incorrect when you consider only the quoted part I was replying to:

When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.

You should not trust the largest exchange with your coins, but that doesn't mean there's nothing you can do.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: samson on September 15, 2013, 09:26:38 AM
My mistake then. But again, the risks are almost the same. MtGox fiat account could be seized, the entire site hacked and become insolvent, or his personal account hacked. If he intended to keep a fiat balance, it would be safer to do so in a traditional bank that can reverse transactions.

Perhaps he was keeping his fiat there because of MtGox's liquidity problems. Or perhaps he was a day-trader. These possibilities make it much more understandable.

But if you have fiat on Gox and you're not willing to spend this money any time soon, then I'd advise withdrawing it. Even if it takes months to come to your bank account, it's safer like this than letting it sit there. I'd say that MtGox is more vulnerable to account seizures than most banks... it has already happened to their US-domiciled accounts, are you so sure it won't happen to their main accounts in Japan?

There are millions of dollars in fiat sitting in MtGox accounts with bids placed on various price points from just below the current price right down to just a few cents per Bitcoin.

This is how any exchange works. It can't work without large amounts of fiat being on the exchange at any point in time otherwise there would be zero liquidity and no bids.

This issue needs to be addressed properly due to the millions of dollars in fiat which is properly stored on the exchange and must remain there for normal liquidity and trading to continue.

If everyone withdrew all their fiat the price would be back in cents per Bitcoin before you know it. It's just not feasible.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: joesmoe2012 on September 15, 2013, 09:26:54 AM
Very odd, this would be the first time I've heard of this happening. The GA must have been compromised. I don't think it's an inside job; if it was, why would they target a $4k account... There are people paying more than that to them in FEES for 5% withdrawals...


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: samson on September 15, 2013, 09:31:25 AM
Very odd, this would be the first time I've heard of this happening. The GA must have been compromised. I don't think it's an inside job; if it was, why would they target a $4k account... There are people paying more than that to them in FEES for 5% withdrawals...

This is what I'm thinking.

If you have both GA and Yubikey enabled on the account, does the MtGox system require you to press the Yubikey AND enter the Google Auth code, or will just either one of them work on its own?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: willphase on September 15, 2013, 09:41:43 AM
Yes, this is very curious.  Perhaps MtGox have a bug whereby a trade API key can be somehow coaxed to be used as a withdrawal API key?  The only other option is that the GA seed was compromised somehow, but the only way this could have happened was if there was malware actively monitoring the page when the GA device was enrolled, or malware on the phone that was able to access the GA key, but since the phone is not rooted that seems unlikely.

Very curious.

Will


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: btcdrak on September 15, 2013, 10:44:11 AM
Store your bitcoins yourself.

If that sounds "too geeky" and you're not willing to go through the learning curve right now, then perhaps Bitcoin and you are not ready for each other for the moment. Interesting projects like Trezor are in development, and they could bring the two of you together again soon enough.

Again OP, don't take my post in a bad way, I am really sorry this has happened to you. But please don't claim that you haven't been warned - I'm definitely not the first one saying this -, or that there are no ways to hold Bitcoins safely, because you know that's not the case.

I am sorry - but this is not a very realistic position. What if you are in a short position, i.e. holding USD pending rebuy at a lower price? If this issue exists, then a thief can just buy bitcoins from your balance and xfer the USD out.

If this was any other regulated situation - like a stock-brokerage account, the broker could and WOULD be held accountable for their lax security.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: caveden on September 15, 2013, 11:52:09 AM
@btcdrak, the point I'm trying to make is: right now, the only truly safe way of storing bitcoins is by doing it yourself, and offline.

It will not always remain like this, obviously. Hardware-wallets, combined with multi-sig and probably also nLockTime would certainly allow a great level of security for everyone, including those who have no idea of what I'm talking about. Perhaps even those twins' ETF would as well.

But that's not the case right now. So, if you're day-trading, you should include in the risks of your operations that your account may just be emptied. Even if you take all possible digital-hygiene measures, the exchange's account may be hacked/seized/etc, and your money will be gone.

All that said, I'm also curious as to how this hack happened, as it sets a dangerous precedent.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: pinger on September 15, 2013, 12:13:54 PM
OP, sorry for your loss, I also have Mtgox with a Yubi, so I'm worried now. Hope you get the mystery solved.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: samson on September 15, 2013, 12:23:36 PM
OP, sorry for your loss, I also have Mtgox with a Yubi, so I'm worried now. Hope you get the mystery solved.

Someone needs to clarify what happened on these withdrawals.

I have about $50,000 in my MtGox account right now and I use google auth to keep it safe.

It's sad that you lost $4,000 but if this was an MtGox wide issue I suspect whoever did this would have cleared out the accounts with large balances on them first and worked their way down to the smaller balances.

I don't keep Bitcoins in my account but obviously I do keep USD there as right now I'm waiting to make a purchase but I consider the current price of Bitcoin to be way overvalued.

I won't use Yubikey with MtGox unless they allow 2 yubikeys to be associated with my account or make it much easier for me to remove a Yubikey from my account in the event that I can't use it.

It's highly unlikely I will lose my Yubikey but if it becomes inoperable for any reason I need to be able to replace it and gain access to my account quickly as there's plenty of money in it and I would not like to be frozen out for weeks while the Yubikey is changed.

Allowing 2 Yubikeys on the account would make much more sense as I could keep one in offsite storage (safety deposit box, car glove box, etc) and one at my computer for daily use.

Until this is implemented I consider Yubikeys to be worthless at Gox due to the account freeze when one is lost / damaged.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: btcdrak on September 15, 2013, 02:19:22 PM
This story could be a hoax if this is true: https://twitter.com/MagicalTux/status/379247601289142273 - for those of you who don't know, MagicalTux (Mark Karpeles) is the CEO of MtGox


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: casascius on September 15, 2013, 02:24:54 PM
I am extremely shocked that MtGox does not have one simple security feature that I asked for more than a year ago (when I still was willing to do business with MtGox):

Allow users to lock withdrawals to a single bitcoin address

And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker

This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)

There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: paraipan on September 15, 2013, 02:26:03 PM
...

Allowing 2 Yubikeys on the account would make much more sense as I could keep one in offsite storage (safety deposit box, car glove box, etc) and one at my computer for daily use.

Until this is implemented I consider Yubikeys to be worthless at Gox due to the account freeze when one is lost / damaged.

And this is the reason I hate when someone like you has "plenty" of money and zero knowledge. You can add various Yubikeys and Google auth at the same time on your account, just take a little of your time and investigate. I'm not affiliated with gox only had the same issue a while back.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: marcovaldo on September 15, 2013, 02:50:47 PM
Did you share your personal info (Yubikey, passwords) with a friend / relative / anyone located in China in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) with a friend / relative / anyone located in the world who knows anyone located in China in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) with a friend / relative / anyone located in the world who used a Chinese VPN in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) with a friend / relative / anyone located in the world who knows anyone who used a Chinese VPN in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) with a friend / relative / anyone located in the world who used a Chinese VPS in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) with a friend / relative / anyone located in the world who knows anyone who used a Chinese VPN in order to withdraw your btc and try to file a claim and get refunded?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: marcovaldo on September 15, 2013, 02:56:25 PM
This story could be a hoax if this is true: https://twitter.com/MagicalTux/status/379247601289142273 - for those of you who don't know, MagicalTux (Mark Karpeles) is the CEO of MtGox

Did not know about that lol.
mt.gox CEO is French?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: coinage on September 15, 2013, 02:58:20 PM
Suggestions:

1.  If keeping balances available at all times for rapid trading, consider spreading them between multiple exchanges.  25% of the money at each of 4 exchanges allows a trader to sustain a complete loss at one.  Careful trading over the next month or two may regain the loss.  Later, fully insured or distributed exchanges and multisig can solve this, but for now sudden losses or frozen funds are likely at any exchange.

2.  Use only a known secure computer (such as a clean boot off a live CD) to set up Google Authenticator at an exchange.  Otherwise a keylogger could capture all the withdrawal credentials (as willphase suggested).

3.  For best results, set up 2FA *before* losing money.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: btcdrak on September 15, 2013, 03:01:56 PM
I think, preliminarily, we can treat this as a VERY good hoax.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: willphase on September 15, 2013, 03:05:57 PM
I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: coastermonger on September 15, 2013, 03:59:34 PM
For anyone that can't or doesn't want to click the twitter link, Mark Karpeles says: "already checked and confirmed 2fa was enabled after the withdraw. Will check system logs too anyway."
In other words either OP is lying, or the CEO of MtGox is lying.  It's like Christmas.  


Mike Casascius is absolutely spot on however, in that exchanges can prevent themselves from being the targets of theft by allowing users to lock-in a withdrawal address or addresses when they sign up. It's not a perfect solution, but they can also allow the user to specify a delay period with withdrawals or a mandatory email confirmation before the funds are actually sent out.  I know that MtGox support staff and many exchanges have had many uncomfortable emails with customers explaining that their funds have been compromised and are impossible to reclaim.  I know they've considered these options because I've requested them via email months ago.  2-factor is nice yes, but why they haven't pursued additional security measures to take some of the heat off themselves is beyond me.  I'll say it again because it's so important:

  • Locked withdrawal addresses
  • User-defined withdrawal delays
  • Mandatory email confirmation of withdrawal
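The three controls listed above, together with casascius's rule that a locked address can only be changed after a lockout period the owner can contest, can be expressed as a small policy check. This is an added sketch, not code from the thread or from any exchange: the `Account` class, the placeholder addresses and the default periods are assumptions, and the signed-message route for changing the address is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

DAY = 86400  # seconds


@dataclass
class Withdrawal:
    address: str
    satoshis: int
    requested_at: float
    email_confirmed: bool = False


@dataclass
class Account:
    """Hypothetical per-account withdrawal policy for this example."""
    locked_address: str
    withdrawal_delay_s: int = 1 * DAY     # user-defined delay before funds leave
    change_lockout_s: int = 14 * DAY      # time the owner has to contest a change
    pending_address: Optional[str] = None
    pending_since: float = 0.0
    withdrawals: Dict[int, Withdrawal] = field(default_factory=dict)

    def request_address_change(self, new_address: str, now: float) -> None:
        # Never takes effect immediately; the owner is notified during the lockout.
        self.pending_address, self.pending_since = new_address, now

    def contest_address_change(self) -> None:
        self.pending_address = None

    def current_address(self, now: float) -> str:
        # Promote a pending address only once the lockout passed uncontested.
        if self.pending_address and now - self.pending_since >= self.change_lockout_s:
            self.locked_address, self.pending_address = self.pending_address, None
        return self.locked_address

    def request_withdrawal(self, address: str, satoshis: int, now: float) -> Optional[int]:
        if address != self.current_address(now):
            return None                   # control 1: locked withdrawal address
        wid = len(self.withdrawals) + 1
        self.withdrawals[wid] = Withdrawal(address, satoshis, now)
        return wid

    def confirm_by_email(self, wid: int) -> None:
        self.withdrawals[wid].email_confirmed = True

    def release(self, wid: int, now: float) -> str:
        w = self.withdrawals[wid]
        if w.address != self.current_address(now):
            return "address no longer locked"
        if not w.email_confirmed:
            return "awaiting email confirmation"   # control 3
        if now - w.requested_at < self.withdrawal_delay_s:
            return "delay not elapsed"             # control 2
        return "released"


OWNER = "OWNER-ADDRESS-PLACEHOLDER"        # constructed values, not real addresses
INTRUDER = "INTRUDER-ADDRESS-PLACEHOLDER"


def simulate() -> dict:
    """Someone with full login credentials against an account using all three controls."""
    out = {}
    acct = Account(locked_address=OWNER)
    out["direct_withdrawal"] = acct.request_withdrawal(INTRUDER, 29 * 10**8, now=0)
    acct.request_address_change(INTRUDER, now=0)
    out["right_after_change_request"] = acct.request_withdrawal(INTRUDER, 29 * 10**8, now=3600)
    acct.contest_address_change()          # owner reacts to the notification on day 2
    out["after_contested_lockout"] = acct.request_withdrawal(INTRUDER, 29 * 10**8, now=15 * DAY)
    # The owner's own withdrawal still has to pass email confirmation and the delay.
    wid = acct.request_withdrawal(OWNER, 10**8, now=20 * DAY)
    out["owner_unconfirmed"] = acct.release(wid, now=20 * DAY)
    acct.confirm_by_email(wid)
    out["owner_too_early"] = acct.release(wid, now=20 * DAY + 3600)
    out["owner_after_delay"] = acct.release(wid, now=21 * DAY)
    # Residual risk: a change nobody contests becomes effective after the lockout.
    idle = Account(locked_address=OWNER)
    idle.request_address_change(INTRUDER, now=0)
    out["uncontested_change"] = idle.request_withdrawal(INTRUDER, 10**8, now=14 * DAY) is not None
    return out


if __name__ == "__main__":
    for step, result in simulate().items():
        print(f"{step}: {result}")
```

The last case shows what the lockout depends on: the notification has to reach the owner through a channel the intruder does not also control.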


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: niko on September 15, 2013, 04:16:15 PM
For anyone that can't or doesn't want to click the twitter link, Mark Karpeles says: "already checked and confirmed 2fa was enabled after the withdraw. Will check system logs too anyway."
In other words either OP is lying, or the CEO of MtGox is lying.  It's like Christmas.  

Soon we will know. The fact that this seems to be the lone case at this time suggests there is no exploit on the MtGox side, and the problem is strictly with this user's actions, errors, or intentions.

By the way, and slightly off-topic, those who suggest we should not keep coins or fiat sitting at an exchange are missing the point. These are not savings being kept there, but money actively used for trading. A perfectly good idea as long as you understand the risks.

Finally, I am saddened that in all cases of theft, real and false, the discussion revolves around blaming the victim and the service provider, not the thief.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: BombaUcigasa on September 15, 2013, 05:24:46 PM
I'm posting to follow this thread, I see three options:
- OP activated his 2fa after the "hack" and used a Chinese proxy/henchman to "steal" his own funds and double up on mtgox
- OP activated his 2fa after the "hack" and plays possum insisting that they were enabled before the theft
- A real hacker disabled 2fa and enabled it back somehow, allowing the theft and only mtgox can tell


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: BitPappa on September 15, 2013, 06:23:44 PM
 I'll say it again because it's so important:
  • Locked withdrawal addresses
  • User-defined withdrawal delays
  • Mandatory email confirmation of withdrawal

Yes! Why oh why don't exchanges allow these seemingly-simple solutions to help protect users?

If this claim is B.S., it's really sad.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Han on September 15, 2013, 08:02:05 PM
I'm posting to follow this thread, I see three options:
- OP activated his 2fa after the "hack" and used a Chinese proxy/henchman to "steal" his own funds and double up on mtgox
- OP activated his 2fa after the "hack" and plays possum insisting that they were enabled before the theft
- A real hacker disabled 2fa and enabled it back somehow, allowing the theft and only mtgox can tell

MtGox should have the logs to tell exactly when and how many times 2fa has been enabled/disabled on the account.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 15, 2013, 08:07:39 PM
I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will

I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Han on September 15, 2013, 08:42:13 PM
I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will

I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


Not really much you can do except wait for Mt. Gox's responses like all of us regarding the specifics of their logs. You should also not reveal MtGox support's private, direct responses to you right away. Wait for them to make public statements regarding this issue. This way, if they lie/make inconsistent statements, you can catch them on their lie/inconsistency (if there is any) by later posting their direct responses to you (think Snowden).


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: jedunnigan on September 15, 2013, 08:42:54 PM
I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will

I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


Okay, so you deny the allegations. This is going to get messy; Mark could certainly post the logs but it is still effectively his word against yours. He is saying you did not have 2FA enabled at the time of the 'heist'.

You should both now post logs. You can use the API to get info about the account (idk how much): https://data.mtgox.com/api/1/generic/private/info

This would work best if you both posted them at the same time. Perhaps you can upload them somewhere, keep the link private and share it once mark posts logs on his end.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: marcovaldo on September 15, 2013, 08:43:32 PM
I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


I am sorry for your loss, and I understand your frustration if you are legit.
But your argument will not be accepted.

Yes, mt.gox could have / should have added extra protection measures to allow withdrawal of coins (like previously said: delay / email confirmation / and so on).


But, if it is true that you did not have a 2fa activated, it is your responsibility to protect your personal data, and access to the account. You can go on holiday in China. I was there in August, and ask for bitcoins from there ...


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Han on September 15, 2013, 08:49:43 PM
I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will

I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


Okay, so you deny the allegations. This is going to get messy; Mark could certainly post the logs but it is still effectively his word against yours. He is saying you did not have 2FA enabled at the time of the 'heist'.

You should both now post logs. You can use the API to get info about the account (idk how much): https://data.mtgox.com/api/1/generic/private/info

This would work best if you both posted them at the same time. Perhaps you can upload them somewhere, keep the link private and share it once mark posts logs on his end.

@JRam This would be an even better implementation of the Snowden strategy I outlined above, but do it for everything you can think of: logs, support messages, any other data/proof, etc.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: ArticMine on September 15, 2013, 08:52:59 PM
This story could be a hoax if this is true: https://twitter.com/MagicalTux/status/379247601289142273 - for those of you who don't know, MagicalTux (Mark Karpeles) is the CEO of MtGox


I would trust MTGox's systems any day before trusting a Microsoft Windows computer. My take is that the theft was due to the OP using Microsoft Windows to trade on MTGox and could have been prevented by the OP having used GNU / Linux instead. By the way storing the Bitcoins in the OP's computer rather than in MTGox, in this case, is not a good idea since the OP is using Microsoft Windows.  


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 15, 2013, 08:55:10 PM
I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will

I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


Okay, so you deny the allegations. This is going to get messy; Mark could certainly post the logs but it is still effectively his word against yours. He is saying you did not have 2FA enabled at the time of the 'heist'.

You should both now post logs. You can use the API to get info about the account (idk how much): https://data.mtgox.com/api/1/generic/private/info

This would work best if you both posted them at the same time. Perhaps you can upload them somewhere, keep the link private and share it once mark posts logs on his end.

@JRam This would be an even better implementation of the Snowden strategy I outlined above, but do it for everything you can think of: logs, support messages, any other data/proof, etc.

Duly noted, I didn't think about the need to catch them on their inconsistency like this. I guess this is one of those life lessons.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: chriswilmer on September 15, 2013, 09:01:59 PM
I am extremely shocked that MtGox does not have one simple security feature that I asked for more than a year ago (when I still was willing to do business with MtGox):

Allow users to lock withdrawals to a single bitcoin address

And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker

This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)

There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.

+21000000


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Han on September 15, 2013, 09:04:39 PM
I was wrong about the Bitcoin community not being able to do anything except wait for MtGox's response. We should POUND Mark Karpeles with demands for immediate updates to the situation to minimize the amount of time he has to potentially edit logs which would also minimize the time JRam has to potentially edit his logs in response. Perhaps it's already too late.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: ArticMine on September 15, 2013, 09:19:57 PM
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):

Allow users to lock withdrawals to a single bitcoin address

And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker

This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)

There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.

+21000000

-21000000 MSFT shares

It will not solve the problem if the Bitcoin address is in a wallet that is in a compromised Microsoft Windows computer. One must keep in mind that the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: mpr20rt on September 15, 2013, 09:24:43 PM
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):

Allow users to lock withdrawals to a single bitcoin address

And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker

This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)

There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.

+21000000

-21000000 MSFT shares

It will not solve the problem if the Bitcoin address is in a wallet that is in a compromised Microsoft Windows computer. One must keep in mind that the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.

brain or paper wallets solve that


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: ArticMine on September 15, 2013, 09:27:11 PM

brain or paper wallets solve that

Not if they are created on an infected computer in the first place.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: jedunnigan on September 15, 2013, 09:30:35 PM
Guys, keep the conversation on point.

JRam did you withdraw bitcoins recently?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 15, 2013, 09:32:17 PM
Guys, keep the conversation on point.

JRam did you withdraw bitcoins recently?

When I pumped BTCs into my account, my intention was to day trade. And I was day trading fairly well up to this point. I never had the need to withdraw any funds from my Mt. Gox account.

I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):

Allow users to lock withdrawals to a single bitcoin address

And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker

This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)

There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.

+21000000

-21000000 MSFT shares

It will not solve the problem if the Bitcoin address is in a wallet that is in a compromised Microsoft Windows computer. One must keep in mind that the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.

If this was really malware on my PC, the logs would not show the Chinese IP address of 60.166.242.186 accessing my account. After all, wouldn't it be more legitimate to simply use my own IP address to access my account?

The notion that I just 'sat' on my Yubikey sent to me by Mt. Gox is just silly. I had no other use for this piece of junk. I wish I had the wisdom to save some of the images I posted so I could use it to catch Mt. Gox on an inconsistency later, but I think this is the end of the line for me on bitcoins. Now that I can't trust the largest BTC exchange, I think I'm done here. Although this might sound harsh to some, I won't be trying any other alternative cryptocurrencies since I see bitcoin as the gold standard. If I can't invest in bitcoins, I definitely can't invest in other alternatives.

Thanks to anyone that helped and believed in my case. I will be pursuing this case a bit further with my local police department but that will be it.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: ArticMine on September 15, 2013, 09:47:01 PM
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):

Allow users to lock withdrawals to a single bitcoin address

And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker

This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)

There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.

+21000000

-21000000 MSFT shares

It will not solve the problem if the Bitcoin address is in a wallet that is in a compromised Microsoft Windows computer. One must keep in mind that the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.

If this was really malware on my PC, the logs would not show the Chinese IP address of 60.166.242.186 accessing my account. After all, wouldn't it be more legitimate to simply use my own IP address to access my account?

The notion that I just 'sat' on my Yubikey sent to me by Mt. Gox is just silly. I had no other use for this piece of junk. I wish I had the wisdom to save some of the images I posted so I could use it to catch Mt. Gox on an inconsistency later, but I think this is the end of the line for me on bitcoins. Thanks to anyone that helped and believed in my case. I will be pursuing this case a bit further with my local police department but that will be it.

The malware steals the credentials via, for example, a keylogger, and then sends them to the attacker in China. The attacker then logs into the account at MTGox with the stolen credentials from China. Even if the case be made that the Yubikey was compromised, there still remains the fact that the computer was compromised by malware running on Microsoft Windows to obtain the login credentials and to compromise the Yubikey in the first place.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Han on September 15, 2013, 09:49:18 PM
Guys, keep the conversation on point.

JRam did you withdraw bitcoins recently?

When I pumped BTCs into my account, my intention was to day trade. And I was day trading fairly well up to this point. I never had the need to withdraw any funds from my Mt. Gox account.

I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):

Allow users to lock withdrawals to a single bitcoin address

And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker

This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)

There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.

+21000000

-21000000 MSFT shares

It will not solve the problem if the Bitcoin address is in a wallet that is in a compromised Microsoft Windows computer. One must keep in mind that the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.

If this was really malware on my PC, the logs would not show the Chinese IP address of 60.166.242.186 accessing my account. After all, wouldn't it be more legitimate to simply use my own IP address to access my account?

The notion that I just 'sat' on my Yubikey sent to me by Mt. Gox is just silly. I had no other use for this piece of junk. I wish I had the wisdom to save some of the images I posted so I could use it to catch Mt. Gox on an inconsistency later, but I think this is the end of the line for me on bitcoins. Now that I can't trust the largest BTC exchange, I think I'm done here. Although this might sound harsh to some, I won't be trying any other alternative cryptocurrencies since I see bitcoin as the gold standard. If I can't invest in bitcoins, I definitely can't invest in other alternatives.

Thanks to anyone that helped and believed in my case. I will be pursuing this case a bit further with my local police department but that will be it.

Yes, filing a police report and posting proof of it would also bolster your credibility against Gox as filing a false report is fraud.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Ghostofkobra on September 15, 2013, 10:08:04 PM
One mistake I made in my police report was that I said I did not think MtGox took the money.
Then the police didn't investigate much at all, and did not put any pressure on Gox to solve the issue whatsoever.
If you are not 110% sure no one at Gox is involved, do NOT say you don't think it's Gox.

My account was cleaned out about a year ago, and MtGox's logs showed that no one was logged on when the withdrawal was made.
Everyone pointed at this auth stuff for security, but now the same or some other security flaw has surfaced for a Yubikey user.

But I am guessing this will get the usual "We only talk to the police" answer from Gox.

I hope that I am wrong, that you get your cash refunded, they find and patch the hole and eventually catch the thieves.



Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: joesmoe2012 on September 15, 2013, 10:32:42 PM
Seems this guy didn't enable 2FA until after the attack. 


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Han on September 15, 2013, 10:46:06 PM
Seems this guy didn't enable 2FA until after the attack. 

Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2fa, then reenabled it after he was done.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: solex on September 15, 2013, 11:08:24 PM
Seems this guy didn't enable 2FA until after the attack. 

Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2fa, then reenabled it after he was done.

2FA on withdrawal is pointless if it can be disabled after login.
My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownership is re-verified and MtGox enables a replacement Yubikey.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: 01BTC10 on September 15, 2013, 11:09:22 PM
Seems this guy didn't enable 2FA until after the attack. 

Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2fa, then reenabled it after he was done.

2FA on withdrawal is pointless if it can be disabled after login.
My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownership is re-verified and MtGox enables a replacement Yubikey.
It can be disabled with the OTP code.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: solex on September 15, 2013, 11:29:05 PM
Seems this guy didn't enable 2FA until after the attack.  

Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2fa, then reenabled it after he was done.

2FA on withdrawal is pointless if it can be disabled after login.
My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownership is re-verified and MtGox enables a replacement Yubikey.
It can be disabled with the OTP code.

But only by using the Yubikey...


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: 01BTC10 on September 15, 2013, 11:29:53 PM
Seems this guy didn't enable 2FA until after the attack.  

Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2fa, then reenabled it after he was done.

2FA on withdrawal is pointless if it can be disabled after login.
My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownership is re-verified and MtGox enables a replacement Yubikey.
It can be disabled with the OTP code.

But only by using the Yubikey...
Exact. I did it when I changed my Google Authenticator because I wanted to backup the seed.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: joesmoe2012 on September 15, 2013, 11:35:00 PM
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple. 


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: jedunnigan on September 16, 2013, 03:58:58 AM
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  

He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OP's claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  



Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: ardana123 on September 16, 2013, 07:41:11 AM
Come on... Why are people even thinking Gox would be a possible scenario in this... I don't think they would go through all that just to steal 29 BTC o_O


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Han on September 16, 2013, 09:54:40 AM
Highly unlikely that Gox stole the BTC. The focus on Gox is whether they had a security flaw/bug that wasn't patched at the time of the supposed hack and won't reveal until they fix it/wait long enough without incident for everyone to forget. I'm OK with the last scenario b/c it means that the event is a very low probability one, although we can't be sure until much time passes.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: samson on September 16, 2013, 10:58:57 AM
I think an email verification link to click in addition to entering the OTP would be better than just the OTP on its own when a withdrawal is made.

This option should be made available ASAP. I'm not sure if it would make any difference to the Yubikey users but it would definitely add an additional layer of security if the Google Authenticator private key was leaked.

I wonder if something like this is planned for when the major long planned upgrade is rolled out.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: BitCoinNutJob on September 16, 2013, 12:27:47 PM
Do Yubikeys punch in the same code each time? Mine always looks very similar. What's stopping a virus from just stealing the Yubikey code?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: ardana123 on September 16, 2013, 12:30:42 PM
It's a unique code each time, and every code is only valid once.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: jedunnigan on September 16, 2013, 01:34:13 PM
It's a unique code each time, and every code is only valid once.

Unless 2FA has been implemented poorly. There have been cases where yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first gox 2fa breach I have heard of though (unless of course he is lying about having the 2fa setup).


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Ente on September 16, 2013, 03:22:43 PM
It's a unique code each time, and every code is only valid once.

Unless 2FA has been implemented poorly. There have been cases where yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first gox 2fa breach I have heard of though (unless of course he is lying about having the 2fa setup).

You can always do a MITM, man-in-the-middle attack:
The trojan intercepts the OTP, yubikey-code, sms-code, whatever, when it is used by the user. Then it either uses it to directly steal the funds, or, a bit more clever, to deactivate the yubikey. Then it redoes the action the user intended to do with the code, since then there is no yubikey needed any more.
Even additional layers of security may not help once your computer is infiltrated. How about stealing that additional mail right out of the mail client? How about faking the whole MtGox site and stealing/relaying/editing at will? That additional layer might even put the user in a false sense of security.

Only one thing really helps: transaction-dependent one-time codes. I have that on my online banking, for example. I create my wire transfer, this creates a unique "challenge", which is read (via flicker-code, think animated QR) by my TAN generator. This one displays the address and amount to transfer for verification, and creates a response-code. The device can't be hacked (reasonably), as it is very low-level and has no connection whatsoever except a flicker-sensor. If the data is manipulated on my computer at any point, either the display on the device will show it, or the generated response code will not match and will not work.
This is, until now, the only system I am aware of which is failsafe (as long as you watch the display).

This is slightly OT I guess.
Long story short:
MtGox, Yubikey, Google Authenticator, they all are pretty much useless once a dedicated software owns your computer.

Ente
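
The transaction-dependent code described in the post above can be sketched as follows. This is an added example, not part of the thread and not any bank's or exchange's actual scheme: the `Device` and `Server` classes, the HMAC-SHA256 construction, the 8-digit truncation and the placeholder addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def canonical(nonce: bytes, address: str, amount: int) -> bytes:
    """Length-prefixed encoding so the authorised fields cannot be confused."""
    addr = address.encode("ascii")
    return (struct.pack(">H", len(nonce)) + nonce
            + struct.pack(">H", len(addr)) + addr
            + struct.pack(">Q", amount))


def response_code(key: bytes, nonce: bytes, address: str, amount: int) -> str:
    """8-digit code bound to this exact nonce, address and amount."""
    mac = hmac.new(key, canonical(nonce, address, amount), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in HOTP
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** 8).zfill(8)


class Device:
    """Offline token: holds the key and shows exactly what it will approve."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes, address: str, amount: int):
        shown = f"send {amount} to {address}"  # what the user reads on the display
        return shown, response_code(self._key, nonce, address, amount)


class Server:
    """Issues a per-transaction challenge and checks the response once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}  # nonce -> (address, amount) the server will execute

    def start_withdrawal(self, address: str, amount: int) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (address, amount)
        return nonce

    def confirm(self, nonce: bytes, code: str) -> bool:
        tx = self._pending.pop(nonce, None)  # pop: a challenge is single use
        if tx is None:
            return False
        return hmac.compare_digest(response_code(self._key, nonce, *tx), code)


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)
    device, server = Device(key), Server(key)
    owner, other = "ADDR-OWNER-PLACEHOLDER", "ADDR-OTHER-PLACEHOLDER"  # constructed
    results = {}

    # 1. Untampered request: the device shows and signs what the server holds.
    nonce = server.start_withdrawal(owner, 2900)
    _, code = device.respond(nonce, owner, 2900)
    results["honest_accepted"] = server.confirm(nonce, code)
    results["replay_accepted"] = server.confirm(nonce, code)

    # 2. The PC altered the destination sent to the server but fed the device
    #    the owner's address: the code no longer matches the stored transaction.
    nonce = server.start_withdrawal(other, 2900)
    _, code = device.respond(nonce, owner, 2900)
    results["mismatch_accepted"] = server.confirm(nonce, code)

    # 3. The PC relays the altered challenge unchanged: the code would verify,
    #    so the only defence left is the device display, which shows the change.
    nonce = server.start_withdrawal(other, 2900)
    shown, _ = device.respond(nonce, other, 2900)
    results["display_reveals_change"] = other in shown and owner not in shown
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

A plain OTP carries no transaction data, so cases 2 and 3 are indistinguishable from case 1 on the server side; binding the code to the address and amount is what separates them.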


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: JRam on September 16, 2013, 07:55:21 PM
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  
He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OP's claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  

Gox has my real info, they can verify if I'm associated with another exchange or not. You're right about seeing evidence of more 2fa heists though since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local PD in addition to contacting my attorney general.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Deprived on September 16, 2013, 08:21:45 PM
Do Yubikeys punch in the same code each time? Mine always looks very similar. What's stopping a virus from just stealing the Yubikey code?

They look similar because the first 12 characters ARE the same every time - they identify the key.  The remainder, which is the sequence number + OTP plus check-sum is different each time.  If you're seeing them in a small input box which only displays the start of the key then it'll always look the same.
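
The fixed-prefix layout described in the post above, as an added example that is not part of the thread. It assumes the default Yubico OTP layout (a 12-character modhex public ID followed by 32 modhex characters holding a 16-byte AES-encrypted block); the key ID and block contents below are constructed bytes, not output from a real key, and nothing is decrypted.

```python
MODHEX = "cbdefghijklnrtuv"   # modhex character i stands for hex digit i
TOKEN_CHARS = 32              # the encrypted 16-byte block is always the tail


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def modhex_decode(text: str) -> bytes:
    if len(text) % 2:
        raise ValueError("odd number of modhex characters")
    try:
        nibbles = [MODHEX.index(ch) for ch in text]
    except ValueError:
        raise ValueError("character outside the modhex alphabet") from None
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_otp(otp: str) -> dict:
    """Split an OTP into the static public ID and the per-press block."""
    otp = otp.strip().lower()
    if len(otp) <= TOKEN_CHARS:
        raise ValueError("too short to contain a public ID and a token")
    public_id, token = otp[:-TOKEN_CHARS], otp[-TOKEN_CHARS:]
    return {
        "public_id": public_id,                   # identifies the key, never changes
        "public_id_bytes": modhex_decode(public_id),
        "token_bytes": modhex_decode(token),      # differs on every press
    }


def visible_in_box(otp: str, width: int = 12) -> str:
    """What a narrow input field shows: only the start of the string."""
    return otp[:width]


# Constructed sample data: one key ID, two different encrypted blocks.
PUBLIC_ID = bytes.fromhex("0102030405a6")
OTP_1 = modhex_encode(PUBLIC_ID + bytes.fromhex("00112233445566778899aabbccddeeff"))
OTP_2 = modhex_encode(PUBLIC_ID + bytes.fromhex("ffeeddccbbaa99887766554433221100"))

if __name__ == "__main__":
    for otp in (OTP_1, OTP_2):
        parts = split_otp(otp)
        print(visible_in_box(otp), parts["public_id"], parts["token_bytes"].hex())
```

Because the encrypted block is opaque to anyone without the key's AES secret, the counter that makes a code single-use is only checked by the validation service after decryption, which is why reuse protection depends on the server side.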


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Han on September 16, 2013, 09:58:29 PM
It's a unique code each time, and every code is only valid once.

Unless 2FA has been implemented poorly. There have been cases where yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first gox 2fa breach I have heard of though (unless of course he is lying about having the 2fa setup).

You can always do a MITM, man-in-the-middle attack:
The trojan intercepts the OTP, yubikey-code, sms-code, whatever, when it is used by the user. Then it either uses it to directly steal the funds, or, a bit more clever, to deactivate the yubikey. Then it redoes the action the user intended to do with the code, since then there is no yubikey needed any more.
Even additional layers of security may not help once your computer is infiltrated. How about stealing that additional mail right out of the mail client? How about faking the whole MtGox site and stealing/relaying/editing at will? That additional layer might even put the user in a false sense of security.

Only one thing really helps: transaction-dependent one-time codes. I have that on my online banking, for example. I create my wire transfer, this creates a unique "challenge", which is read (via flicker-code, think animated QR) by my TAN generator. This one displays the address and amount to transfer for verification, and creates a response-code. The device can't be hacked (reasonably), as it is very low-level and has no connection whatsoever except a flicker-sensor. If the data is manipulated on my computer at any point, either the display on the device will show it, or the generated response code will not match and will not work.
This is, until now, the only system I am aware of which is failsafe (as long as you watch the display).

This is slightly OT I guess.
Long story short:
MtGox, Yubikey, Google Authenticator, they all are pretty much useless once a dedicated software owns your computer.

Ente

Indeed, given what JRam and Karpeles have said so far, they can both be telling the truth if the attacker disabled 2fa, then re-enabled it afterwards.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: VossArtesian on September 17, 2013, 03:53:51 AM
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  
He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OP's claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  

Gox has my real info, they can verify if I'm associated with another exchange or not. You're right about seeing evidence of more 2fa heists though since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local PD in addition to contacting my attorney general.

FACT:
Mt.Gox did not steal your coins.  They can literally print all the goxUSD, and trading BTC they want, and can be much more discreet, without leaving a paper trail. 


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: jedunnigan on September 17, 2013, 04:36:16 AM
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  
He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OP's claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  

Gox has my real info, they can verify if I'm associated with another exchange or not. You're right about seeing evidence of more 2fa heists though since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local PD in addition to contacting my attorney general.

FACT:
Mt.Gox did not steal your coins.  They can literally print all the goxUSD, and trading BTC they want, and can be much more discreet, without leaving a paper trail. 

Read the thread man, this has been addressed many times. No one really thinks they stole it. We want to see if there is an issue with the 2FA implementation.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Stephen Gornick on September 17, 2013, 04:37:13 AM
For now, I have filed a police report with my local pd in addition to contacting my attorney general.

The statement by MagicalTux of Mt. Gox was that 2FA was added after the withdrawal.  I'd love to see your police report.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: btcdrak on September 17, 2013, 02:06:56 PM
Well it's officially a scam now:

Quote
BtcDrak
@btcdrak
@MagicalTux Yeah, funny :) ref the other case, was the Yubikey also off? He lists Google Auth and Yubikey. People need to know for confidence - 17 Sep

Mark Karpeles
@MagicalTux
@btcdrak what I can say for sure right now is that the currently enabled otps were enabled after the withdrawals.

The OP shows both OTP and Yubikey enabled.

End of story for me.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: Han on September 17, 2013, 05:52:44 PM
Well it's officially a scam now:

Quote
BtcDrak
@btcdrak
@MagicalTux Yeah, funny :) ref the other case, was the Yubikey also off? He lists Google Auth and Yubikey. People need to know for confidence - 17 Sep

Mark Karpeles
@MagicalTux
@btcdrak what I can say for sure right now is that the currently enabled otps were enabled after the withdrawals.

The OP shows both OTP and Yubikey enabled.

End of story for me.

Nope, based on EVERYTHING that both parties have asserted as FACT so far (i.e. not including any of their speculations), they could both be telling the truth if the attacker disabled, then re-enabled 2fa. Now if Karpeles were to clarify that 2fa was never enabled until after the hack, then one of them is no longer telling the truth, or is at least factually incorrect. Mark's careful language here, "currently enabled otps", suggests that there may have been previously enabled otps as well. He ought to clarify.
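
The distinction drawn in the post above can be checked mechanically when a full audit trail exists. This is an added example, not part of the thread and not Mt. Gox's log format: the event names, the tuple layout and every timestamp are constructed for illustration.

```python
from datetime import datetime, timedelta

WITHDRAWAL_AT = datetime(2000, 1, 10, 4, 2)

# Constructed history A: no second factor existed before the withdrawal.
HISTORY_NEVER_ENABLED = [
    ("2000-01-10T04:02:00", "withdrawal", None),
    ("2000-01-10T09:30:00", "otp_enable", "yubikey"),
    ("2000-01-10T09:31:00", "otp_enable", "google_auth"),
]

# Constructed history B: a factor was removed shortly before and restored after.
HISTORY_DISABLED_THEN_REENABLED = [
    ("1999-12-01T18:00:00", "otp_enable", "yubikey"),
    ("2000-01-10T03:55:00", "otp_disable", "yubikey"),
    ("2000-01-10T04:02:00", "withdrawal", None),
    ("2000-01-10T04:10:00", "otp_enable", "yubikey"),
]


def parse(events):
    rows = [(datetime.fromisoformat(ts), ev, factor) for ts, ev, factor in events]
    return sorted(rows, key=lambda row: row[0])


def enabled_intervals(events):
    """Map each factor to its [(enabled_at, disabled_at or None), ...] spans."""
    open_since, spans = {}, {}
    for ts, ev, factor in parse(events):
        if ev == "otp_enable" and factor not in open_since:
            open_since[factor] = ts
        elif ev == "otp_disable" and factor in open_since:
            spans.setdefault(factor, []).append((open_since.pop(factor), ts))
    for factor, start in open_since.items():
        spans.setdefault(factor, []).append((start, None))
    return spans


def factors_active_at(events, when):
    return {factor
            for factor, spans in enabled_intervals(events).items()
            for start, end in spans
            if start <= when and (end is None or when < end)}


def current_factors_enabled_after(events, when):
    """The narrow statement: every factor enabled *now* was turned on after `when`."""
    current = [start
               for spans in enabled_intervals(events).values()
               for start, end in spans if end is None]
    return bool(current) and all(start > when for start in current)


def review_withdrawals(events, window=timedelta(hours=1)):
    """For each withdrawal, report what the full history says about 2FA."""
    rows, findings = parse(events), []
    for ts, ev, _ in rows:
        if ev != "withdrawal":
            continue
        dropped = {f for t, e, f in rows
                   if e == "otp_disable" and ts - window <= t <= ts}
        restored = {f for t, e, f in rows
                    if e == "otp_enable" and ts < t <= ts + window}
        findings.append({
            "time": ts,
            "protected": bool(factors_active_at(events, ts)),
            "factor_enabled_earlier": any(e == "otp_enable" and t < ts
                                          for t, e, _ in rows),
            "disable_reenable": sorted(dropped & restored),
        })
    return findings


if __name__ == "__main__":
    for name, history in (("A", HISTORY_NEVER_ENABLED),
                          ("B", HISTORY_DISABLED_THEN_REENABLED)):
        print(name, current_factors_enabled_after(history, WITHDRAWAL_AT),
              review_withdrawals(history))
```

Both histories satisfy the narrow statement about currently enabled factors; only the `otp_disable` record separates them, which is why a disable event deserves its own alert and retention.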


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: samson on September 17, 2013, 05:55:14 PM
Well it's officially a scam now:

Quote
BtcDrak
@btcdrak
@MagicalTux Yeah, funny :) ref the other case, was the Yubikey also off? He lists Google Auth and Yubikey. People need to know for confidence - 17 Sep

Mark Karpeles
@MagicalTux
@btcdrak what I can say for sure right now is that the currently enabled otps were enabled after the withdrawals.

The OP shows both OTP and Yubikey enabled.

End of story for me.

Nope, based on EVERYTHING that both parties have asserted as FACT so far (i.e. not including any of their speculations), they could both be telling the truth if the attacker disabled, then re-enabled 2fa. Now if Karpeles were to clarify that 2fa was never enabled until after the hack, then one of them is no longer telling the truth, or is at least factually incorrect. Mark's careful language here, "currently enabled otps", suggests that there may have been previously enabled otps as well. He ought to clarify.

+1 clarification is needed here.


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: marcovaldo on September 17, 2013, 09:27:07 PM
Seems like a fake ...
Can we have some proofs/logs?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: quentinn on September 22, 2013, 05:36:33 PM
Updates?


Title: Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Post by: pinger on September 22, 2013, 05:43:35 PM
I think no updates means it's a fake. It's really a threat if it is real.