Bitcoin Forum

I have never been phished in 2 years in the darknet then today I buy . 8 (my paycheck this week) I,ride home from the bank and the money is gone.. I log out then back in and it says only my ip was last login(so no one else) ... Something is up I don't have a,keylogger,on my computer but something is up this person (maybe lbc employee) is stealing like crazy. I just don't get it.

  SCAMMER ADDY :1DzPa5AdWk1yukdTbCnVMA76tHsDDdb2oe

Anyone wanna tell me how this could happen I'm in total devastation and asked for money in another forum and got laughed at..  Don't think is a laughing matter I'm broke :( but I'm not gonna drop a addy just hope for some good karma see if I can get some peanut butter and jelly from the food bank for this week lol..was gonna turn that 400 into,1,000 you,know how it works ;)

Do you have 2FA activated?

Its good if u please post the Tx hash of the transaction by which your fund was stolen.

    09/05/2014 10:49         0.80908    Sent to 1DzPa5AdWk1yukdTbCnVMA76tHsDDdb2oe
txid 499dc004aead4f1aa2bad8b998f5bb58f980f8ebbaa37aeec962e408608feb79

it is very possible that your bitcoins were stolen because you logged into a fake localbitcoins site by accident and the site recorded your name and password.

The scammers pay for an ad on google and when people type "localbitcoins" into google, the fake site is listed first because it is a paid ad. People click on the ad and log in because it looks just like the real site.

Lol really bro I've made 50 purchases on localbitcoins.. It was someone I used before got he coins then 10 minutes later they were withdrawn no password or anything  weirdest thing ever

I don't understand exactly what happened. You said that you purchased .8 BTC from someone on LBC, was it a face to face trade? If so then the seller would have had to release escrow for the bitcoin to be available in your account. You seem to imply that someone somehow withdrew bitcoin from your account. I do not see what the person you bought from has to do with anything if this was the case. I also do not see how you know the coins were withdrawn with no password.

install firewall, antivirus and antimaleware. update all. scan.

deinstall all shitty mining progs or free bitcoin generators.

No it wasn't the seller.. I bought the coins then 10 minutes later someone withdrew them.. Never hit a fishing link never used same password or name on any site.. I'm so confused how I got hacked

How do you know you never clicked on a phishing link? You could have easily clicked on a link that would capture your login information, forward it to LBC and log you in if the credentials were correct. This would steal your credentials while hiding the fact that they were stolen from you.

well ... since february 2014, i have to WITHDRAWN when to many BTC is stored to VIRTUAL wallet.

While you are in some other mood you don't know you are being phissed.Sorry to hear your loss

You might have clicked on a phishing link a while back and the scammer just waits dormant until you have a large transaction. Why didn't you activate 2FA? It would prevent this kind of stuff. You can even give out your user name and PW, but no one will be able to withdraw unless they have your personal device.

2FA does not work quite that well (at least not all the time). There are always potential ways around 2FA on websites. I would consider it to be reckless if someone is careless about their password simply because 2FA is enabled. 2FA should only be an additional security method, not the only security measure.

What way does one get around 2FA?  Could someone brute force 2FA such as google AUTH ?

Various sites have had ways to get around to needing to input the 2FA code, or being asked for the 2FA code. I vaguely remember an example of a website allowing a user with 2FA enabled for someone to login via the API with just the username and password.

In theory it would also be possible to have 2FA disabled if you were to contact customer service and claim you are having difficulty receiving text messages with your 2FA device (social engineering).

Painful to hear.  However, it's somewhat of low price tuition for higher learning. I recommend enabled in the security settings:

(1) 2FA + (2) Login guard which requires additional authentication for new browser detection.

If the above two are enabled, it would be very very very difficult to steal coins from your wallet.

Yes but I don't think this applies to LBC, which is the case with OP. You need 2FA to log in, withdraw coins, or release coins from escrow. Basically anything that involves movement of coins needs 2FA. To disable the 2FA, you'd have to have access to it in the first place.

Two Factor Authentication (2FA) is the best thing since sliced bread.  It almost makes choosing a password trivial, the additional security that you gain almost makes passwords obsolete.

Neil

And when you contacted LBC customer support, they said.... ????

I have heard of this happening more and more, and this is terrible.   It is especially bad because for BTC to be adopted mainstream, we want more and more new people using BTC daily.   I think it should be stickied somewhere on this forum, how to report phishing sites, and we all should be more pro-active in helping try to stop it...

you need 2fa to log in and withdraw coins but not to release from escrow. that is the prerogative 0f the seller/buyer.

Yes, you do need 2FA to release from escrow. At least on my account you need that. I just checked and there was no option to choose when 2FA will be used.

Seems like he scammed too many people lol

What if your phone gets stolen? If you have a weak password then the person who has your phone would essentially be able to access any of your accounts.

What if you lose your phone? You would essentially be locked out of your accounts unless there was some way to disable it without knowing the 2FA code.

Take a print screen of the QR-code as a backup when enabling 2FA. Then you can use this to configure your new phone.

Wouldn't this essentially make this screen print/picture essentially as good as your password? If someone were to get a hold of this screen print they could essentially configure their own phone to be a 2FA device on the account. 

Both valid points and reasons why there is still a password in the mix, neither of them are a good reason not to use 2FA though.

If you did a very unscientific search on this board queering posts about people who have had their account hacked* I imagine you will find none of them had 2FA enabled, it is that good at protecting your goodies.

* I hate using hacked in this context, I am old enough to still think of it in it's original context before any Angelina Jolie feel good pubescent teen movie.

Ya.   Should have been done before creating this thread.   Probably wasn't.

-B-

In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.

No they could not.

First, they could not disable encryption on your phone.  They would require root access to do that.

Second, even if they did that they could not "intercept" your 2FA code.  That 2FA code is not generated from a server somewhere to be intercepted, it is generated by your phone using a time based code.

Neil

 LBC Told me there was nothing  they can do.. I'm almost 99.9 percent sure I didn't click a phishing link.. Says my account was failed login 22 times yesterday... If he had my password then there wouldn't be 20 failed login across the us something isn't adding up.. Don't wanna bash LBC.. but someone is hacking there shit and they will never admit it.. And I'm out 435 bucks :/

From this thread. (https://bitcointalk.org/index.php?topic=769581.0#quickreply)
If the tower does not accept encryption then encryption will not be used. This is similar to doing trades in the marketplace, if the seller does not accept escrow, then escrow will not be used, in the marketplace the buyer can simply decline the transaction, however cell phones are setup so that they will connect to the closest tower/tower with the strongest signal.

If the 2FA code was sent via text message, then the tower could read the unencrypted text message and not relay the message to the cell phone.

No, no, no, no.  All misinformation.

The cell phone tower has absolutely nothing to do with your phone and it talking to an encrypted service, they cannot turn it off, it is all FUD!!

The 2FA code is not sent via sms (I know a few services do that, but this one, like most does not) and it cannot be intercepted.

Neil

I didn't expect LBC to do anything about this. It's 100% user fault. Imagine if every time you lost your coins and they had to reimburse you; this opens a lot of opportunity for abuse.

It only took 20 tries to log in? That's some weaksauce password. It's more likely that the thief already had your PW and tried variations to hit the correct one.

I believe that LBC does use SMS to send their 2FA code to user's phones. I think a lot of other sites will send 2FA codes the same way. This prevents the site from locking you out if you lose and replace your phone with the same phone number.

I would go out on a limb and say that at least 80% of people that have installed a bitcoin generator have probably had their BTC stolen shortly after.