Bitcoin Forum

Other => Off-topic => Topic started by: rohnearner on April 18, 2014, 04:49:26 AM



Title: How Secure is 2-step verification
Post by: rohnearner on April 18, 2014, 04:49:26 AM
I use 2-step login verification in almost every online service which provides it! I want to know: is it possible for someone to invade 2-step verification while logging in? I mean, if someone uses phishing they can get my password; is it possible to do any similar kind of trick to get past 2-step verification? If yes, how to protect against it? Yeah, I know I have to be very conscious about every link I click and every page I visit, but other than that?


Title: Re: How Secure is 2-step verification
Post by: bryant.coleman on April 18, 2014, 05:07:05 AM
Check this:

https://coinreport.net/localbitcoins-report-stolen-funds/

Quote
On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong.

Having a 2FA does not always guard you from robbery and hacking.


Title: Re: How Secure is 2-step verification
Post by: rohnearner on April 18, 2014, 05:15:04 AM
Check this:

https://coinreport.net/localbitcoins-report-stolen-funds/

Quote
On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong.

Having a 2FA does not always guard you from robbery and hacking.
I know it's not like if I'm using 2FA then no one can hack me! But I want to know what techniques they might use. Like, to get my password they can easily get it through a phishing link or keylogs, but how do they invade 2FA? Because I'm getting the OTP on my mobile.


Title: Re: How Secure is 2-step verification
Post by: Vod on April 18, 2014, 05:16:23 AM
Check this:

https://coinreport.net/localbitcoins-report-stolen-funds/

Quote
On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong.

Having a 2FA does not always guard you from robbery and hacking.
I know it's not like if I'm using 2FA then no one can hack me! But I want to know what techniques they might use. Like, to get my password they can easily get it through a phishing link or keylogs, but how do they invade 2FA? Because I'm getting the OTP on my mobile.

Consider it could be a corrupt admin of the online service you use.  Can't protect against that other than keeping your coins in your own wallet.


Title: Re: How Secure is 2-step verification
Post by: rohnearner on April 18, 2014, 05:19:29 AM
Check this:

https://coinreport.net/localbitcoins-report-stolen-funds/

Quote
On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong.

Having a 2FA does not always guard you from robbery and hacking.
I know it's not like if I'm using 2FA then no one can hack me! But I want to know what techniques they might use. Like, to get my password they can easily get it through a phishing link or keylogs, but how do they invade 2FA? Because I'm getting the OTP on my mobile.

Consider it could be a corrupt admin of the online service you use.  Can't protect against that other than keeping your coins in your own wallet.
Hmm... So that is the worst case scenario. :P No one can protect me if that's the case! But other than that I hope I'm secure from other filthy hackers that send phishing mails and malicious software to get my ID/pass.


Title: Re: How Secure is 2-step verification
Post by: shorena on April 18, 2014, 05:20:55 AM
Well, if someone gets your session key they are pretty much logged in already, no 2FA can help you there. Withdrawal should always be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well, the usual

- don't stay logged in after you are done
- don't click any strange links. Best thing would probably be to not click links at all, but I don't think that's feasible



Title: Re: How Secure is 2-step verification
Post by: solarion on April 18, 2014, 05:26:11 AM
*THIS* is why we can't have nice things. >:(


Title: Re: How Secure is 2-step verification
Post by: Light on April 18, 2014, 05:32:51 AM
I use 2-step login verification in almost every online service which provides it! I want to know: is it possible for someone to invade 2-step verification while logging in? I mean, if someone uses phishing they can get my password; is it possible to do any similar kind of trick to get past 2-step verification? If yes, how to protect against it? Yeah, I know I have to be very conscious about every link I click and every page I visit, but other than that?

For a time-based 2FA, unless they have the secret you've shared there's no way they will be able to brute-force it before it changes. I suppose they could guess it, but it's like a 1 in 999,999 chance literally to get it right. Basically, it means you're far safer having 2FA than with just a password alone - the only way you'll be compromised is a server-side flaw, a scam by the site owner, or you lose your secret key and your password to the same person.
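
As an added example, not part of any post in this thread: a Python sketch of the two server-side controls discussed above, namely shorena's point that a withdrawal should need its own confirmation even when the session is valid, and the time-based codes Light describes. The `Account` record and the `verify_code` and `withdraw` names are hypothetical; the code generation follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # code length used by Google Authenticator-style apps

def totp(secret: bytes, counter: int) -> str:
    """Code for one time-step counter (RFC 4226 truncation over HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Account:
    """Hypothetical server-side record; the field names are assumptions."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest time step already accepted
        self.failures = 0        # consecutive wrong codes

def verify_code(acct: Account, code: str, now: float, max_failures: int = 5) -> bool:
    """Accept each code once, within +/-1 step, and lock after repeated misses."""
    if acct.failures >= max_failures:
        return False                       # locked: online guessing stops here
    current = int(now) // STEP
    for counter in (current - 1, current, current + 1):
        expected = totp(acct.secret, counter).encode()
        if counter > acct.last_counter and hmac.compare_digest(
                expected, code.encode()):
            acct.last_counter = counter    # the same code cannot be replayed
            acct.failures = 0
            return True
    acct.failures += 1
    return False

def withdraw(acct: Account, session_valid: bool, code: str, now: float) -> str:
    """A valid session alone is not enough: each withdrawal needs a fresh code."""
    if not session_valid:
        return "denied: no session"
    if not verify_code(acct, code, now):
        return "denied: second factor required"
    return "withdrawal confirmed"
```

With this check in place, a stolen session cookie lets an attacker browse the account but not move funds, and a code captured once cannot be submitted a second time.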


Title: Re: How Secure is 2-step verification
Post by: rohnearner on April 18, 2014, 05:33:32 AM
Well, if someone gets your session key they are pretty much logged in already, no 2FA can help you there. Withdrawal should always be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well, the usual

- don't stay logged in after you are done
- don't click any strange links. Best thing would probably be to not click links at all, but I don't think that's feasible
I got a good topic to study now! Will collect all the required info about session keys to know more about it and how to avoid falling into a trap! I can't even ask for links :p as you mentioned don't click links :p


Title: Re: How Secure is 2-step verification
Post by: rohnearner on April 18, 2014, 05:36:59 AM
I use 2-step login verification in almost every online service which provides it! I want to know: is it possible for someone to invade 2-step verification while logging in? I mean, if someone uses phishing they can get my password; is it possible to do any similar kind of trick to get past 2-step verification? If yes, how to protect against it? Yeah, I know I have to be very conscious about every link I click and every page I visit, but other than that?

For a time-based 2FA, unless they have the secret you've shared there's no way they will be able to brute-force it before it changes. I suppose they could guess it, but it's like a 1 in 999,999 chance literally to get it right. Basically, it means you're far safer having 2FA than with just a password alone - the only way you'll be compromised is a server-side flaw, a scam by the site owner, or you lose your secret key and your password to the same person.
Or the hackers succeed in stealing my mobile number, or any other device used in the process!


Title: Re: How Secure is 2-step verification
Post by: shorena on April 18, 2014, 05:39:59 AM
Well, if someone gets your session key they are pretty much logged in already, no 2FA can help you there. Withdrawal should always be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well, the usual

- don't stay logged in after you are done
- don't click any strange links. Best thing would probably be to not click links at all, but I don't think that's feasible
I got a good topic to study now! Will collect all the required info about session keys to know more about it and how to avoid falling into a trap! I can't even ask for links :p as you mentioned don't click links :p

Probably a good way to start researching are the Steam hacks or Steam account hijacks. People take over Steam accounts with just a link clicked from within Steam chat. And Steam uses this 2FA auth system if you want to log in on a new system. They send you a mail with a code that's valid for only a short period of time. And even if you get that person's Steam password and mail password you have to wait 14 days on the new system to trade. But people get robbed all the time.




Title: Re: How Secure is 2-step verification
Post by: rohnearner on April 18, 2014, 05:49:33 AM
Well, if someone gets your session key they are pretty much logged in already, no 2FA can help you there. Withdrawal should always be something you have to confirm.
The localbitcoins incident looks like a stolen session key.
http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/

What to do? Well, the usual

- don't stay logged in after you are done
- don't click any strange links. Best thing would probably be to not click links at all, but I don't think that's feasible
I got a good topic to study now! Will collect all the required info about session keys to know more about it and how to avoid falling into a trap! I can't even ask for links :p as you mentioned don't click links :p

Probably a good way to start researching are the Steam hacks or Steam account hijacks. People take over Steam accounts with just a link clicked from within Steam chat. And Steam uses this 2FA auth system if you want to log in on a new system. They send you a mail with a code that's valid for only a short period of time. And even if you get that person's Steam password and mail password you have to wait 14 days on the new system to trade. But people get robbed all the time.
Pointing out a flaw in a system is always easier than building a system and maintaining it! This is what hackers do. A coder builds a site from scratch like a builder builds a building, then after the builder finishes the building someone comes for inspection and tells him that there is some flaw in the wiring and the whole building might catch fire if not repaired! The same story is with hackers: they look into the website, find flaws and exploit any vulnerability they find!
It's very hard to create a flawless system...


Title: Re: How Secure is 2-step verification
Post by: Light on April 18, 2014, 05:55:39 AM
Or the hackers succeed in stealing my mobile number, or any other device used in the process!

Unless you've rooted your phone or done some crazy crap to it, it's unlikely that hackers will have access to your phone. It's far more probable you lose your phone/it gets stolen. Even then you should be able to request a new 2FA be set up and you're good to go (remember to back up your secret key by printing it out or writing it down).


Title: Re: How Secure is 2-step verification
Post by: rohnearner on April 18, 2014, 05:59:33 AM
Or the hackers succeed in stealing my mobile number, or any other device used in the process!

Unless you've rooted your phone or done some crazy crap to it, it's unlikely that hackers will have access to your phone. It's far more probable you lose your phone/it gets stolen. Even then you should be able to request a new 2FA be set up and you're good to go (remember to back up your secret key by printing it out or writing it down).
Yeah, I know the probability of someone stealing my mobile to get past 2FA is on the very low side, but we never know, maybe a person sitting next to me becomes greedy and ....!


Title: Re: How Secure is 2-step verification
Post by: Equate on April 18, 2014, 06:04:19 AM
I once updated my Android device and it fucked up the Google Authenticator, but I had screenshots of all the QR codes, so it's better to save QR codes or the secret key to save you from trouble.


Title: Re: How Secure is 2-step verification
Post by: rohnearner on April 18, 2014, 06:07:10 AM
I once updated my Android device and it fucked up the Google Authenticator, but I had screenshots of all the QR codes, so it's better to save QR codes or the secret key to save you from trouble.
I have a nice backup of all the required info offline on multiple hard drives and also some on paper.


Title: Re: How Secure is 2-step verification
Post by: Equate on April 18, 2014, 06:19:51 AM
I once updated my Android device and it fucked up the Google Authenticator, but I had screenshots of all the QR codes, so it's better to save QR codes or the secret key to save you from trouble.
I have a nice backup of all the required info offline on multiple hard drives and also some on paper.

That's a good strategy to save yourself.


Title: Re: How Secure is 2-step verification
Post by: bryant.coleman on April 18, 2014, 06:21:44 AM
Consider it could be a corrupt admin of the online service you use.  Can't protect against that other than keeping your coins in your own wallet.

I thought that localbitcoins.com was a very reliable and trusted site. But after the Mt Gox fiasco, I am not going to trust anyone too much. In this case, the fiat was being converted to BTC, and was stolen at this stage. So... keeping the coins in an offline wallet argument doesn't matter here.  


Title: Re: How Secure is 2-step verification
Post by: cp1 on April 18, 2014, 06:29:30 AM
The only way would be to steal your 2 factor secret code or to use a man in the middle attack.  It's much more likely that they get into your account through means other than directly logging in.


Title: Re: How Secure is 2-step verification
Post by: jodybay on April 18, 2014, 06:44:49 AM
and if they successfully installed the key logger and got al
ble to know your email address hthen they can steal your couns even though you have a 2FA


Title: Re: How Secure is 2-step verification
Post by: yatsey87 on April 18, 2014, 10:49:26 AM
There are different types of two-factor, so it depends. If you've got a keylogger, using your email address might not be a good idea.


Title: Re: How Secure is 2-step verification
Post by: Dogtanian on April 18, 2014, 01:53:45 PM
There are different types of two-factor, so it depends. If you've got a keylogger, using your email address might not be a good idea.

Yeah mobile verification is pretty safe. Gaining access to your phone is much harder than email.


Title: Re: How Secure is 2-step verification
Post by: Rampton on April 18, 2014, 02:27:06 PM
There are different types of two-factor, so it depends. If you've got a keylogger, using your email address might not be a good idea.

Yeah mobile verification is pretty safe. Gaining access to your phone is much harder than email.

That's why I like to use blockchain.info for the mobile verification.


Title: Re: How Secure is 2-step verification
Post by: rohnearner on April 19, 2014, 08:55:49 AM
and if they successfully installed the key logger and got al
ble to know your email address hthen they can steal your couns even though you have a 2FA
First I want to say it feels like you are drunk with all those typos in your post, and second I would like to say that it depends what kind of 2FA you are using: if it is an email address then it is worthless in many cases! Because then you are not only giving away the password on one particular service but giving away details of your email account too.