Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: finway on January 06, 2012, 05:23:35 AM



Title: Is it safe to login MtGox on a compromised computer using YubiKey?
Post by: finway on January 06, 2012, 05:23:35 AM
I mean, can yubikey be copied?
blockchain.info can make use of a MtGox yubikey, so I guess?


Title: Re: Is it safe to login MtGox on a compromised computer using YubiKey?
Post by: theymos on January 06, 2012, 05:29:07 AM
The Yubikey output can't be reused, but malware can withdraw everything once you've logged in.

Edit: Actually, another Yubikey press is required for withdrawal, so you'd have to be withdrawing for the malware to steal your money.


Title: Re: Is it safe to login MtGox on a compromised computer using YubiKey?
Post by: Maged on January 06, 2012, 05:47:54 AM
Quote
blockchain.info can make use of a MtGox yubikey, so I guess?
I'm honestly confused about how they do that.


Title: Re: Is it safe to login MtGox on a compromised computer using YubiKey?
Post by: casascius on January 06, 2012, 05:49:33 AM
Quote
The Yubikey output can't be reused, but malware can withdraw everything once you've logged in.

Edit: Actually, another Yubikey press is required for withdrawal, so you'd have to be withdrawing for the malware to steal your money.

Further, withdrawal requires a different YubiKey press.  YubiKey has two keys in it, one used when you briefly press the button, the other used when you hold it down.  The long press is needed for withdrawals.


Title: Re: Is it safe to login MtGox on a compromised computer using YubiKey?
Post by: finway on January 06, 2012, 06:30:00 AM
So logging in needs one short press, and withdrawing needs one long press.

But can yubikey be copied?  Software way or Hardware way?


Quote
The YubiKey provides strong two-factor authentication, combining something you know (a password) with something you have (a YubiKey). It protects your online identity from viruses, Trojans and hackers at a security level that can be compared with a smart card. To guarantee a secure life-cycle, the YubiKey is manufactured in Sweden with best practice security processes.

And I am curious about how piuk makes use of a MtGox yubikey too.


Title: Re: Is it safe to login MtGox on a compromised computer using YubiKey?
Post by: casascius on January 06, 2012, 06:31:47 AM

Quote
But can yubikey be copied?  Software way or Hardware way?

Yubikey can't be copied.  Computer thinks it is a keyboard, not a USB stick.  It types a password on your computer when you press its button.

Yubikey uses one shared AES key for each of the two modes.  The Yubikey knows it, so does MtGox.  The keys cannot be read from the Yubikey, but it can be overwritten with new keys with special software.
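
Added example, not part of casascius's post and not Yubico or MtGox code: a Go sketch of the server-side check that makes a shared-AES-key OTP single-use, as described in the post above. The 16-byte layout (6-byte secret ID, 2-byte counter, zero padding), the names `Slot`, `Press` and `Validate`, and the key are assumptions constructed for illustration; the real OTP format carries more fields.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Slot is the server's record for one key mode (hypothetical type).
type Slot struct {
	Key, SecretID []byte // shared AES-128 key and the ID expected inside a token
	LastCounter   uint16 // highest counter accepted so far
}

// Press simulates one button press: secretID(6) | counter(2) | zero padding(8),
// encrypted as a single AES block (simplified layout, assumed for this example).
func Press(key, secretID []byte, counter uint16) []byte {
	block, _ := aes.NewCipher(key) // constructed key below is exactly 16 bytes
	plain := make([]byte, 16)
	copy(plain, secretID)
	binary.LittleEndian.PutUint16(plain[6:], counter)
	block.Encrypt(plain, plain)
	return plain
}

// Validate accepts a token only if it decrypts under this slot's key and its
// counter is strictly higher than every counter accepted before.
func (s *Slot) Validate(token []byte) error {
	block, err := aes.NewCipher(s.Key)
	if err != nil || len(token) != 16 {
		return fmt.Errorf("bad key or token length")
	}
	plain := make([]byte, 16)
	block.Decrypt(plain, token)
	if subtle.ConstantTimeCompare(plain[:6], s.SecretID) != 1 {
		return fmt.Errorf("token was not produced with this slot's key")
	}
	ctr := binary.LittleEndian.Uint16(plain[6:8])
	if ctr <= s.LastCounter {
		return fmt.Errorf("counter %d already used: replayed token", ctr)
	}
	s.LastCounter = ctr
	return nil
}

func main() {
	login := &Slot{Key: []byte("constructed-key1"), SecretID: []byte("id-one")}
	otp := Press(login.Key, login.SecretID, 1)
	fmt.Println(login.Validate(otp), "|", login.Validate(otp)) // accepted once, then refused
}
```

Giving the withdrawal mode its own `Slot` with a different key means a token typed for login fails `Validate` there, which is the separation between the short and long press described earlier in the thread.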


Title: Re: Is it safe to login MtGox on a compromised computer using YubiKey?
Post by: finway on January 06, 2012, 06:37:48 AM

Quote
But can yubikey be copied?  Software way or Hardware way?

Yubikey can't be copied.  Computer thinks it is a keyboard, not a USB stick.  It types a password on your computer when you press its button.

Yubikey uses one shared AES key for each of the two modes.  The Yubikey knows it, so does MtGox.  The keys cannot be read from the Yubikey, but it can be overwritten with new keys with special software.

That's neat. Thank you for your elaboration.


Title: Re: Is it safe to login MtGox on a compromised computer using YubiKey?
Post by: deepceleron on January 06, 2012, 06:40:45 AM
Go ahead and type in your password; compromised can mean key logger and screen shots, your wallet file sent to another computer, along with your bookmarks and address book. Hope you didn't use your password anywhere else, or have any btc in your wallet. Yubikey protects against a stolen Mtgox user/pass being able to log into MtGox without the physical fob code, but it doesn't prevent anything else a hacker might want to do.


Title: Re: Is it safe to login MtGox on a compromised computer using YubiKey?
Post by: finway on January 06, 2012, 06:50:46 AM
Quote
Go ahead and type in your password; compromised can mean key logger and screen shots, your wallet file sent to another computer, along with your bookmarks and address book. Hope you didn't use your password anywhere else, or have any btc in your wallet. Yubikey protects against a stolen Mtgox user/pass being able to log into MtGox without the physical fob code, but it doesn't prevent anything else a hacker might want to do.
Thank you, I'm not hacked. Just want to figure out the question.