Bitcoin Forum

 I use 2-step Login verification in almost every online service which provides it..! I want to know is it possible for someone to invade 2-step verification while logging in..! I mean if someone uses phishing they can get my password is it possible to do any similar kind of trick to get pass 2-stop verification .? If yes how to Protect Yeah I know I have to be very conscious about  every link I click and every Page I visit but other than that.?

Check this:

https://coinreport.net/localbitcoins-report-stolen-funds/


Having a 2FA does not always guard you from robbery and hacking.

I know Its not like if i'm using 2FA than no can hack me...! but I want to know what techniques they might use..? like to get my passw they can easily get it through Phishing link or Keylogs , but how they invade 2fa..? because I'm getting OTP in my mobile .

Consider it could be a corrupt admin of the online service you use.  Can't protect against that other than keeping your coins in your own wallet.

Hmm.... So that is the worst case scenario . :P No one can protect me if thats the case..! but other than that I hope I'm secure from other filthy hackers that sends Phisin mails and malicious software to get my ID/Pass .

Well if someone gets your session key they are pretty much logged in allready, no 2fa can help you there. Withdrawal should allways be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well the usual

- dont stay logged in after you are done
- dont click any strange links. Best thing would probably to not click links at all, but I dont think thats feasible

*THIS* is why we can't have nice things. >:(

For a time based 2FA unless they have the secret you've shared there's no way they will be able to brute-force it before it changes. I suppose they could guess it, but it's like a 1 in 999,999 chance literally to get it right. Basically, it means you're far safer having 2FA than with just a password alone - the only way you'll be compromised is a server side flaw, a scam by the site owner, you lose your secret key and your password to the same person.

I got a good topic to study now..! will collect all the required info about session key to know more about it and how to avoid falling in trap..! I can't even ask for links :p as you mentioned don't click links :p

Or the hackers succeed to steal my mobile number, or any other device used in process..!

Probably a good way to start researching are the steam hacks or steam account hijacks. People take over steam accounts with just a link clicked from within steam chat. And steam uses this 2fa auth system if you want to login on a new system. They send you a mail with a code thats valid for only a short period of time. And even if you get that persons steam password and mail password you have to wait 14 days on the new system to trade. But people get robbed all the time.

Pointing a flaw in a system is always easier than building a system and maintaining it..! this is what hackers do , A coder builds a site from a scratch like a builder builds a building , than after builder finishes the building someone comes to inspection and tells him that there is a some flaw in wiring and the whole building might catch the fire if not repaired..! same story is with hackers they look into the website and finds flaw and exploits any vulnerability they find..!
 Its very hard to create a flawless system... 

Unless you've rooted your phone or done some crazy crap to it it's unlikely that hackers will have access to your phone. It's far more probable you lose your phone/it gets stolen. Even then you should be able to request a new 2FA be set up and you're good to go (remember to backup your secret key by printing it out or writing it down).

Yeah i know the probability of someone stealing my mobile to get pass 2FA is on very lower side , but we never know maybe a person sitting next to me becomes greedy and ....!

I once updated my Android device and it fucked up the Google authenticator but I had screen shots of all the QR codes so it's better to save QR codes or secret key to prevent you from trouble.

I have a nice backup of all the required info offline in multiple hard drives  and also some on paper. 

that's good strategy to save yourself .

I thought that localbitcoins.com was a very reliable and trusted site. But after the Mt Gox fiasco, I am not going to trust anyone too much. In this case, the fiat was being converted to BTC, and was stolen at this stage. So... keeping the coins in an offline wallet argument doesn't matter here.  

The only way would be to steal your 2 factor secret code or to use a man in the middle attack.  It's much more likely that they get into your account through means other than directly logging in.

and if they successfully installed the key logger and got al
ble to know your email address hthen they can steal your couns even though you have a 2FA

There are different types of two factor so it depends. If you've got a keylogger using your email address might not be a good idea.

Yeah mobile verification is pretty safe. Gaining access to your phone is much harder than email.

That's why I like to use blockchain.info for the mobile verifivcation.

First I want to say it feels like you are drunk with all those typos in your post and second I would like to say that it depends what kind of 2FA you are using if it is email address than it is worthless in many cases..! because than you are not only giving away Password on one particular service but giving away details of your email acc/ too