Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: donn2012 on September 22, 2014, 06:12:46 PM



Title: Robbed more than 100,000 NXT
Post by: donn2012 on September 22, 2014, 06:12:46 PM
I do not understand how it happened, but it happened.
All 9 assets were withdrawn from my account NXT-Q7KC-9GQR-XB4C-EKY7T on September 13 and transferred to account NXT-VKPH-NH97-5556-9ZSPM, where everything was sold the same day for 104947 NXT; then, on 20 September, it was all moved to account 2792886670414734681.
The question is, what can be done with the thief and how to return the NXT?


Title: Re: Robbed more than 100,000 NXT
Post by: Zer0Sum on September 22, 2014, 06:37:24 PM
So that's about $3,000.

I'm very impressed by NXT...
But have serious concerns about security...
The ecosystem is so centralized that inside jobs must be possible.

Also, there must be more to security than a password...
Or accounts above a certain threshold must get an additional layer of security.

A password might be good enough for a transmission network like Ripple...
But not good enough for the storage of Crypto Assets and significant wealth.


Title: Re: Robbed more than 100,000 NXT
Post by: Blazr2 on September 22, 2014, 06:42:08 PM
Join the club, mine disappeared mysteriously too. No more NXT for me, and don't tell me it was my 128 character randomly generated cut and paste password either.


Title: Re: Robbed more than 100,000 NXT
Post by: rabbiter on September 22, 2014, 06:44:00 PM

So that's about $3,000.

I'm very impressed by NXT...
But have serious concerns about security...
The ecosystem is so centralized that inside jobs must be possible.

Also, there must be more to security than a password...
Or accounts above a certain threshold must get an additional layer of security.




Qora has said he is confused why NXT chose the password system they use as it's possible to force it open.


Title: Re: Robbed more than 100,000 NXT
Post by: Wulfcastle on September 22, 2014, 06:46:27 PM

So that's about $3,000.

I'm very impressed by NXT...
But have serious concerns about security...
The ecosystem is so centralized that inside jobs must be possible.

Also, there must be more to security than a password...
Or accounts above a certain threshold must get an additional layer of security.




Qora has said he is confused why NXT chose the password system they use as it's possible to force it open.

Explain how it's possible to "force it open"?


Title: Re: Robbed more than 100,000 NXT
Post by: donn2012 on September 22, 2014, 06:50:37 PM
Join the club, mine disappeared mysteriously too. No more NXT for me, and don't tell me it was my 128 character randomly generated cut and paste password either.

Password of my account is 75 character with upper letter and special symbol.


Title: Re: Robbed more than 100,000 NXT
Post by: Wulfcastle on September 22, 2014, 06:52:08 PM
I don't think that the password system is the problem, because when you lose your Private key from bitcoin your coins will be gone as well.

This is rather an exploit or just a Trojan or man-in-the-middle attack

Hmm, the strange thing is that this has occurred quite a lot recently. Check the NXT Forums and you'll see a few more cases just like this where NXT balances and assets have been transferred


Title: Re: Robbed more than 100,000 NXT
Post by: EvilDave on September 22, 2014, 07:03:44 PM
Sheesh, that sucks, mate.

The usual answer to this is almost always a weak password, with some cases of probable malware.
There was also a very early attack using compromised client software.


So, the usual questions:

Where did u d/l the client ? Did u run the checksum before unzipping ?

Results of your latest virus/malware scanner ?

Anyone else with access to your client ?

Was the password genuinely secure ? One guy used a fairly long Bible quote, with predictable results.

NXT will be implementing an Account Control feature soon, which will allow you to specify conditions for locking down your account. Not that that helps you now, sorry.

BTW: the nextcoin.org thread is from 9 months ago, head on over to www.nxtforum.org, which is currently the biggest NXT forum.


Title: Re: Robbed more than 100,000 NXT
Post by: EvilDave on September 22, 2014, 07:12:39 PM
Following the trail....

OPs account:
http://nxtreporting.com/?ac=NXT-Q7KC-9GQR-XB4C-EKY7T

Thief Account 01
http://nxtreporting.com/?ac=NXT-VKPH-NH97-5556-9ZSPM
(Seller of assets)

Thief Account 02
http://nxtreporting.com/?ac=NXT-TLCJ-WM9U-TERB-EUUX7

Thief Account 03
http://nxtreporting.com/?ac=NXT-WTCT-N6HZ-CCKY-4MLJF
Looks like thief central.....


Title: Re: Robbed more than 100,000 NXT
Post by: megashira1 on September 22, 2014, 07:13:03 PM
I don't think that the password system is the problem, because when you lose your Private key from bitcoin your coins will be gone as well.

This is rather an exploit or just a Trojan or man-in-the-middle attack

The problem is it is too easy to humanly err with NXT. There are no safeguards such as having a seed and then an account password. NXT has lots of innovations but it fails to understand the needs of the average user.

This is also another reason why I divested from NXT. So much history of scams, hacks, thefts + the never ending arguments against the initial distribution. The tech is sound and all, but it has the worst PR to deal with and I feel the uphill battle is too great to be overcome.



Title: Re: Robbed more than 100,000 NXT
Post by: devphp on September 22, 2014, 07:19:08 PM
What was the pass phrase you used? You don't need it any more.


Title: Re: Robbed more than 100,000 NXT
Post by: CryptoCarmen on September 22, 2014, 07:26:29 PM
I am sorry for you. I would send you some NXT if I had any. They all get caught in the end since they never have enough, so don't worry, the thief will get what he deserves.


Title: Re: Robbed more than 100,000 NXT
Post by: EvilDave on September 22, 2014, 07:30:07 PM
Looking even deeper:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n

This guy got ripped by the same hacker/thief....and that was the one with the Bible quote.


Title: Re: Robbed more than 100,000 NXT
Post by: donn2012 on September 22, 2014, 07:50:09 PM
What was the pass phrase you used? You don't need it any more.

Thanx a lot


Title: Re: Robbed more than 100,000 NXT
Post by: Zer0Sum on September 22, 2014, 07:51:19 PM
The problem is it is too easy to humanly err with NXT. There are no safeguards such as having a seed and then an account password. NXT has lots of innovations but it fails to understand the needs of the average user.

Wikipedia:

"Passwords or watchwords have been used since ancient times. Polybius describes the system for the distribution of watchwords in the Roman military..."

It's not very reassuring that NXT uses 3,000 year old tech to safeguard wealth...
Because that is all it is and nothing more.

And people wonder why Bitcoin has hit a wall.


Title: Re: Robbed more than 100,000 NXT
Post by: EvilDave on September 22, 2014, 07:53:09 PM
Join the club, mine disappeared mysteriously too. No more NXT for me, and don't tell me it was my 128 character randomly generated cut and paste password either.

Password of my account is 75 character with upper letter and special symbol.

@Blazr: can you send me some info on your theft ? Like to see if it's linked....

@Donn: could you send me your passphrase please ?
The account is gone anyway, and it might help other people if we know what sort of passwords are being cracked.
I suspect that it's a quote from something, but i'd like to see. PM me or post here, up to you.


Title: Re: Robbed more than 100,000 NXT
Post by: devphp on September 22, 2014, 07:56:20 PM
It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.


Title: Re: Robbed more than 100,000 NXT
Post by: EvilDave on September 22, 2014, 07:59:11 PM
The problem is it is too easy to humanly err with NXT. There are no safeguards such as having a seed and then an account password. NXT has lots of innovations but it fails to understand the needs of the average user.

Wikipedia:

"Passwords or watchwords have been used since ancient times. Polybius describes the system for the distribution of watchwords in the Roman military..."

It's not very reassuring that NXT uses 3,000 year old tech to safeguard wealth...
Because that is all it is and nothing more.

And people wonder why Bitcoin has hit a wall.


Don't forget that this works well for 99.99% of NXT users, but, yeah, we need Account Control to be active.
This is not just a NXT problem: other coins are vulnerable to rainbow table attacks on the blockchain in search of private key hashes.


Title: Re: Robbed more than 100,000 NXT
Post by: EvilDave on September 22, 2014, 08:01:51 PM
It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

This guy did, first known victim of this thief:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg92255/#msg92255
His pass was just a random phrase from Genesis, complete with full stop.


Title: Re: Robbed more than 100,000 NXT
Post by: donn2012 on September 22, 2014, 08:04:25 PM

@Donn: could you send me your passphrase please ?
The account is gone anyway, and it might help other people if we know what sort of passwords are being cracked.
I suspect that it's a quote from something, but i'd like to see. PM me or post here, up to you.

I would not want to disclose my password. How exactly will my password help you? Explain in more detail, so that I can make the right decision.


Title: Re: Robbed more than 100,000 NXT
Post by: devphp on September 22, 2014, 08:04:34 PM
This guy did, first known victim of this thief:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg92255/#msg92255
His pass was just a random phrase from Genesis, complete with full stop.

Yes, and it was a simple dictionary attack with the Bible quotes as source. I wonder why people don't use the pass phrase provided by the NXT client, it's random enough and can't be cracked in a billion years.


Title: Re: Robbed more than 100,000 NXT
Post by: danynx on September 22, 2014, 08:06:29 PM
That's why I don't invest in NXT   ;D


Title: Re: Robbed more than 100,000 NXT
Post by: donn2012 on September 22, 2014, 08:12:11 PM
This guy did, first known victim of this thief:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg92255/#msg92255
His pass was just a random phrase from Genesis, complete with full stop.

Yes, and it was a simple dictionary attack with the Bible quotes as source. I wonder why people don't use the pass phrase provided by the NXT client, it's random enough and can't be cracked in a billion years.

that's part of my password:

Uhf;lfybyj,zpfy

more I see no reason to write my password


Title: Re: Robbed more than 100,000 NXT
Post by: devphp on September 22, 2014, 08:14:50 PM
that's part of my password:

Uhf;lfybyj,zpfy

more I see no reason to write my password

Does this mean anything in another language/keyboard layout? Google says it does.


Title: Re: Robbed more than 100,000 NXT
Post by: LiQio on September 22, 2014, 08:18:06 PM
This guy did, first known victim of this thief:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg92255/#msg92255
His pass was just a random phrase from Genesis, complete with full stop.

Yes, and it was a simple dictionary attack with the Bible quotes as source. I wonder why people don't use the pass phrase provided by the NXT client, it's random enough and can't be cracked in a billion years.

that's part of my password:

Uhf;lfybyj,zpfy

more I see no reason to write my password


Googling this gives me a referat.ru hit - is it possible that the reminder can also be found there?


Title: Re: Robbed more than 100,000 NXT
Post by: mr_random on September 22, 2014, 08:18:44 PM


that's part of my password:

Uhf;lfybyj,zpfy

more I see no reason to write my password

If you've lost all your funds from the account, why wouldn't you share the password?

Unless you're using the password somewhere else or haven't told the complete truth, you have no reason not to give us the password so we can verify the accuracy of your claims.


Title: Re: Robbed more than 100,000 NXT
Post by: donn2012 on September 22, 2014, 08:23:31 PM


that's part of my password:

Uhf;lfybyj,zpfy

more I see no reason to write my password

If you've lost all your funds from the account, why wouldn't you share the password?

Unless you're using the password somewhere else or haven't told the complete truth, you have no reason not to give us the password so we can verify the accuracy of your claims.

Why do you need my account and password? You do not believe that someone stole my NXT? I do not want to disclose the password for a number of reasons, which I do not consider it necessary to describe here.


Title: Re: Robbed more than 100,000 NXT
Post by: Come-In-Behind on September 22, 2014, 08:27:34 PM
Join the club, mine disappeared mysteriously too. No more NXT for me, and don't tell me it was my 128 character randomly generated cut and paste password either.

The NXT asset exchange and wallets were compromised, I've seen.

I would avoid using NXT.


Title: Re: Robbed more than 100,000 NXT
Post by: devphp on September 22, 2014, 08:28:12 PM
Why do you need my account and password? You do not believe that someone stole my NXT? I do not want to disclose the password for a number of reasons, which I do not consider it necessary to describe here.

1) Your pass phrase would confirm your claim is legitimate. And yes, why would anyone believe your claim in this nest of vipers that this forum is :)
2) Your pass phrase would shed light on whether your account was hacked due to the weak pass phrase, which it most likely was because Google search reveals the part of the pass phrase you provided is in Google's database.


Title: Re: Robbed more than 100,000 NXT
Post by: donn2012 on September 22, 2014, 08:33:40 PM
Why do you need my account and password? You do not believe that someone stole my NXT? I do not want to disclose the password for a number of reasons, which I do not consider it necessary to describe here.

1) Your pass phrase would confirm your claim is legitimate. And yes, why would anyone believe your claim in this nest of vipers that this forum is :)
2) Your pass phrase would shed light on whether your account was hacked due to the weak pass phrase, which it most likely was because Google search reveals the part of the pass phrase you provided is in Google's database.

You want to pick up the password to my account using Google.
I can send you any messages from my account to confirm ownership. I will not write the password.
The question is how to punish a thief? Maybe I should write a letter to the stock exchanges with his account, or are there any ways?


Title: Re: Robbed more than 100,000 NXT
Post by: starik69 on September 22, 2014, 08:44:41 PM
Oh, not Bible but russian constitution?  :o

Password weak -> money loss. Can not do nothing.  :'(

If NXT password system is so weak why we do not see hacking of >10M accounts? (Bter or Klee were hacked not because of password)  ::)


Title: Re: Robbed more than 100,000 NXT
Post by: TaunSew on September 22, 2014, 08:46:03 PM
Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.



Title: Re: Robbed more than 100,000 NXT
Post by: LiQio on September 22, 2014, 08:48:26 PM
Thanks starik69: google translate proposed "citizen must" for the part provided - but russian text is impossible to understand. (if you don't speak it ;-))


Title: Re: Robbed more than 100,000 NXT
Post by: donn2012 on September 22, 2014, 08:51:37 PM
Oh, not Bible but russian constitution?  :o

The Criminal Code, look for the password there.  ;)


Title: Re: Robbed more than 100,000 NXT
Post by: LiQio on September 22, 2014, 08:55:54 PM
Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.

This is exactly what is happening and has happened for months: opening lines, bible quotes, citations, etc. in different languages and from different sources.
How do you think doctorevil found the 1984 quote that leads to the genesis account?

These are simply no passwords but crap.
And that's not bruteforce but dictionary attacks.


Title: Re: Robbed more than 100,000 NXT
Post by: Come-In-Behind on September 22, 2014, 08:58:28 PM
Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.



There probably is a backdoor, too many NXT coins have been stolen with No explanation as to how.


NXT is hacked.


Title: Re: Robbed more than 100,000 NXT
Post by: donn2012 on September 22, 2014, 08:59:32 PM
Thanks starik69: google translate proposed "citizen must" for the part provided - but russian text is impossible to understand. (if you don't speak it ;-))

Google translated it correctly, but it's not the beginning of the password; the password is composed of several phrases and symbols.


Title: Re: Robbed more than 100,000 NXT
Post by: LiQio on September 22, 2014, 09:15:18 PM
the following possibilities come to my mind:

password weak: you should disclose the now completely useless password
bad client: which one are you running?
bad third party software / keylogger: possible?
phishing: have you entered your passphrase on an external server or downloaded the client from a "fake" source?
physical theft: did you write it on paper and could this have been copied/stolen?


Title: Re: Robbed more than 100,000 NXT
Post by: scv00 on September 22, 2014, 09:23:38 PM
Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.



Can you post a link to something he has written about this.


Title: Re: Robbed more than 100,000 NXT
Post by: TaunSew on September 22, 2014, 09:27:11 PM
Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.



Can you post a link to something he has written about this.

https://twitter.com/jgarzik/status/511866795582427136


Title: Re: Robbed more than 100,000 NXT
Post by: Brokers on September 22, 2014, 09:30:18 PM
Did you recover it?


Title: Re: Robbed more than 100,000 NXT
Post by: Zer0Sum on September 22, 2014, 10:29:40 PM
Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.



Can you post a link to something he has written about this.

https://twitter.com/jgarzik/status/511866795582427136

Garzik Sept 16, 2014:
 
"It is telling that #NXT devs push back hard when asked to prove there are no backdoors.
That's on top of closed dev process, anon devs, ..."

"Multiple devs must publicly verify (w/ PGP) build output matches source, before release."

"Must build a system that includes checks before-the-fact, not hope & pray on 'anyone can compile'."

"Build trust with users by having non-core-devs in community also verify hashes match."

-------------------------------------------------------------------------------

Even though there have been threads on NXT Forum saying just do it, why not?
All this has been shot down by anon NXT devs led by Come-from-Beyond.

Would you password protect your $800,000 house...
Then come home to your family one day and find the house has been sold with no explanation? 

Of course not, no civilized society operates on such flimsy principles, but NXT does.


Title: Re: Robbed more than 100,000 NXT
Post by: EvilDave on September 22, 2014, 10:30:27 PM
Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.



Ever heard of a Rainbow Table ?
Running a RT attack using Bible quotes is a trivial operation, a few seconds work.

The 125 char gibberish will be a lot harder to crack, but not impossible.

Anyhow, if you trace the transactions, we can see that the 2 most recent NXT thefts were carried out by the same guy, and that the NXT is sitting on:
http://nxtreporting.com/?ac=NXT-WTCT-N6HZ-CCKY-4MLJF

The 104,946 transaction is from Donn, the 188650 is from:
http://nxtreporting.com/?ac=NXT-WCZN-DGQL-XM69-62L3N
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg105712/#msg105712
And this happened at the end of August.




Title: Re: Robbed more than 100,000 NXT
Post by: TinEye on September 22, 2014, 10:32:49 PM
It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

In Bitcoin the hacker has to steal your wallet and the passphrase to gain access. Here just the passphrase and it's gone.

If you still can't see the serious lack of security then this is a big problem.


Title: Re: Robbed more than 100,000 NXT
Post by: EvilDave on September 22, 2014, 10:35:03 PM

Even though there have been threads on NXT Forum saying just do it, why not?
All this has been shot down by anon NXT devs led by Come-from-Beyond.

Would you password protect your $800,000 house...
Then come home to your family one day and find the house has been sold with no explanation? 

Of course not, no civilized society operates on such flimsy principles, but NXT does.


Zer0Sum: there is no back door. We have one obvious weak password (the bible line from 27/08) and one possibly weak password here.
If there was a back door, we'd see much more exploitation, not just 3 tiny thefts and 2 medium, as we see on the thief account.
We know that RT attacks are happening constantly, and that's why we stress password security.

And that's why Account Control (including 2FA) is coming soon.


Title: Re: Robbed more than 100,000 NXT
Post by: megashira1 on September 22, 2014, 10:47:52 PM

Even though there have been threads on NXT Forum saying just do it, why not?
All this has been shot down by anon NXT devs led by Come-from-Beyond.

Would you password protect your $800,000 house...
Then come home to your family one day and find the house has been sold with no explanation? 

Of course not, no civilized society operates on such flimsy principles, but NXT does.


Zer0Sum: there is no back door. We have one obvious weak password (the bible line from 27/08) and one possibly weak password here.
If there was a back door, we'd see much more exploitation, not just 3 tiny thefts and 2 medium, as we see on the thief account.
We know that RT attacks are happening constantly, and that's why we stress password security.

And that's why Account Control (including 2FA) is coming soon.

2FA? Can you link me please.


Title: Re: Robbed more than 100,000 NXT
Post by: EvilDave on September 22, 2014, 11:10:32 PM
Oh, not Bible but russian constitution?  :o

The Criminal Code, look for the password there.  ;)

TBH, mate, it looks as if your password was not very good. Not as bad as the first line of the Bible, but not good enough.  
But you're the guy who's been stolen from, so I'm not going to blame you for it.

Lets keep watch on the thief account, and see where it all goes. Everything is on the blockchain, so the thief isn't going anywhere with it that we can't see.

On the 2FA:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg105791/#msg105791

(sorry about the URL, the ! breaks it, so copy and paste...)


Title: Re: Robbed more than 100,000 NXT
Post by: donn2012 on September 23, 2014, 03:27:00 AM
Thank you all for your support and help. I realize that I look like a beggar, but all my cryptocurrency was stolen. I made a new account; if you think it possible, send NXT to my new account NXT-7FCR-N8SX-D7BB-AE7F4. Public Key 16b15ef11a7594c8777267f32af63c02b700ab5a6001ba474bc2bb21c4f4a56f
I hope for help from the community.


Title: Re: Robbed more than 100,000 NXT
Post by: TheMage on September 23, 2014, 04:38:28 AM
It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

In Bitcoin the hacker has to steal your wallet and the passphrase to gain access. Here just the passphrase and it's gone.

If you still can't see the serious lack of security then this is a big problem.


At the risk of sounding newbie, is this true? O_o


Title: Re: Robbed more than 100,000 NXT
Post by: devphp on September 23, 2014, 05:45:46 AM
It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

In Bitcoin the hacker has to steal your wallet and the passphrase to gain access. Here just the passphrase and it's gone.

If you still can't see the serious lack of security then this is a big problem.


At the risk of sounding newbie, is this true? O_o

NXT default client implements a brain wallet concept, meaning the password you enter is your private key. When you need to create a new account, a pass phrase of 12 random words is suggested. If you use it, you're safe. If you choose your own pass phrase and ignore the one suggested by the software, you're on your own, you must know how to create a complex pass phrase.

A completely random pass phrase of 20-25 chars is enough, provided it's completely random. Of the few cases of hacks that were reported (around five cases on nxtforum.org), most were due to people using either quotations from known books or very simple pass phrases like a 3-char string multiplied 10 times (adradradradradradradradradradr).

Bitcoin doesn't implement the brain wallet concept by default, but you can have brain wallets in Bitcoin too. The default option in Bitcoin is a pregenerated wallet.dat. NXT also has this third-party client developed that implements wallet.dat as a proof of concept, and in the future these clients will be created more and more since there is obviously demand (desktop clients and mobile apps). Both approaches have their pros and cons.

Brain wallet pros:
- no need to take your wallet.dat with you, can access your account from any online computer;
- trojans or people can't steal your wallet.dat, because there is no wallet.dat;

cons:
- have to choose a 20+ char completely random pass phrase (no quotations from books or any dictionary words) or better use the one suggested by the software;
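
A passphrase audit illustrating the brain-wallet point in the post above, as an added example that is not part of the original thread or of the NXT client: it shows why length alone says little about strength, using the repeated-unit pattern and the keyboard-layout fragment quoted in this thread. The 1626-word list size, the 94-symbol printable set, the 10-million-phrase corpus bound and all function names are assumptions made for the example.

```python
import math
import re
import secrets
import string

# Key positions shared by the US QWERTY and Russian JCUKEN layouts.
_LAT = "qwertyuiop[]asdfghjkl;'zxcvbnm,."
_CYR = "йцукенгшщзхъфывапролджэячсмитьбю"
_LAT_SHIFT = 'QWERTYUIOP{}ASDFGHJKL:"ZXCVBNM<>'
_TO_JCUKEN = str.maketrans(_LAT + _LAT_SHIFT, _CYR + _CYR.upper())

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
WORDLIST_SIZE = 1626        # assumption: size of the client's word list
PHRASE_CORPUS = 10_000_000  # assumption: constructed count of guessable published phrases


def uniform_bits(choices, picks):
    """Entropy in bits of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


def to_jcuken(text):
    """Re-read QWERTY keystrokes as if the Russian layout had been active."""
    return text.translate(_TO_JCUKEN)


def repeated_unit(text):
    """Return the shortest unit whose repetition produces `text`, or None."""
    n = len(text)
    for size in range(1, n // 2 + 1):
        unit = text[:size]
        reps, rest = divmod(n, size)
        if text == unit * reps + unit[:rest]:
            return unit
    return None


def layout_shifted(text):
    """Heuristic: return the JCUKEN reading if `text` looks like Russian words
    typed with the QWERTY layout active (punctuation keys inside words)."""
    mapped = to_jcuken(text)
    letters = [c for c in mapped if c != " "]
    all_cyrillic = bool(letters) and all("а" <= c.lower() <= "я" for c in letters)
    punct_in_word = re.search(r"[A-Za-z][;,.'\[\]][A-Za-z]", text)
    return mapped if all_cyrillic and punct_in_word else None


def audit(passphrase, charset=len(PRINTABLE)):
    """Compare the naive length-based estimate with a pattern-aware one."""
    naive = uniform_bits(charset, len(passphrase))
    effective, findings = naive, []

    unit = repeated_unit(passphrase)
    if unit:
        # Only the unit and the total length carry information.
        effective = uniform_bits(charset, len(unit)) + math.log2(len(passphrase))
        findings.append(f"repetition of {unit!r}")

    shifted = layout_shifted(passphrase)
    if shifted:
        # Natural-language text is bounded by the pool of phrases it was
        # drawn from, not by its character count (assumed pool size).
        effective = min(effective, math.log2(PHRASE_CORPUS))
        findings.append(f"reads as {shifted!r} on a Russian layout")

    return {
        "naive_bits": round(naive, 1),
        "effective_bits": round(effective, 1),
        "findings": findings,
    }


def generate(length=22):
    """Random passphrase from the OS CSPRNG, within the 20-25 char range above."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


if __name__ == "__main__":
    samples = {
        "3-char unit x10 (pattern from the thread)": "adr" * 10,
        "fragment posted in the thread": "Uhf;lfybyj,zpfy",
        "freshly generated (constructed)": generate(),
    }
    for label, value in samples.items():
        print(label, audit(value))
    print("12 random words:", round(uniform_bits(WORDLIST_SIZE, 12), 1), "bits")
```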


Title: Re: Robbed more than 100,000 NXT
Post by: devphp on September 23, 2014, 06:15:36 AM
NXT is scam, I have been warning people since forever;

Of course it is, because you say so. How else could it be ;D


Title: Re: Robbed more than 100,000 NXT
Post by: achimsmile on September 23, 2014, 06:28:18 AM

There probably is a backdoor, too many NXT coins have been stolen with No explanation as to how.


NXT is hacked.

Task of the day: Find the mistake in logical consistency.


Title: Re: Robbed more than 100,000 NXT
Post by: ShroomsKit_Disgrace on September 23, 2014, 07:32:41 AM
NXT is scam, I have been warning people since forever;

Go back to your Monero cave bro! BTW, How many hours 'till monero gets destroyed? 24h? L-O-L


Title: Re: Robbed more than 100,000 NXT
Post by: juicyjuice87 on September 23, 2014, 08:28:28 AM

There probably is a backdoor, too many NXT coins have been stolen with No explanation as to how.



What? You want an explanation for why your backdoor gets done in by your uncle. That must be who comes-in-from behind



Title: Re: Robbed more than 100,000 NXT
Post by: TaunSew on September 23, 2014, 09:40:38 AM
It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

In Bitcoin the hacker has to steal your wallet and the passphrase to gain access. Here just the passphrase and it's gone.

If you still can't see the serious lack of security then this is a big problem.

That is where NXT and even NODE fails, imho.  I have no idea why people are doing this mandatory brain wallet stuff..  it's always going to be a bad idea in the long run.  NXT is bringing an *optional* wallet.dat but I strongly suspect being optional that it'll really just be cosmetic (people would still be able to access your brain wallet equivalent).

NEM is weeks from launch and I think that's the most secured wallet due to wallet.dat, username login and password requirement.


Title: Re: Robbed more than 100,000 NXT
Post by: TaunSew on September 23, 2014, 09:57:41 AM
Aren't they different targeted audiences?  I thought the anonymity coins NXTers only care about is Boolberry or BitcoinDark.


Title: Re: Robbed more than 100,000 NXT
Post by: PL_CoinTrader on September 23, 2014, 10:01:19 AM
If you really think that Nxt can be hacked pls go hack this account (http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=4747512364439223888) and make yourself a very rich man. -.-

I personally like the idea of a brain wallet really very much but in the end Nxt will have to change to a system with a local wallet.dat file because people are obviously too stupid to create a safe passphrase.

Btw: How many bitcoins are stolen? https://bitcointalk.org/index.php?topic=83794.0#post_toc_17
Is it Bitcoin's fault? No, either people are naive and send bitcoin to strangers without escrow, or they are downloading so much porn on the same PC where they use the bitcoin wallet.


Title: Re: Robbed more than 100,000 NXT
Post by: ShroomsKit_Disgrace on September 23, 2014, 10:13:41 AM
Thanks for your post PL_CoinTrader!

I suppose that FUD meisters such as Nekomata, Come-in-Behind, darkota, Spoetnik, even Jeff Garzik! will not hack the NXT richest account (http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=4747512364439223888). Not because it is impossible, but because NXT is doomed and they don't want some free million dollars coming from a POS [piece of shit] ;D

Title: Re: Robbed more than 100,000 NXT
Post by: ThomasVeil on September 23, 2014, 10:21:37 AM
I personally like the idea of a brain wallet really very much but in the end Nxt will have to change to a system with a local wallet.dat file because people are obviously too stupid to create a safe passphrase.

And I think any security that relies on people being able to keep a file hidden on their hard drive is bound to fail too.
Consider that someone can steal your bitcoin wallet even in 20 years ... in many cases even some old file you left somewhere. And if you felt safe to use an easy password, then it will be broken in no time.

NXT's system is bad for short term PR, but better in the long term. Just wait for the day when some hacker sweeps all Google Drives for wallet.dat's - that will be one big splash of hundreds of thousands of coins stolen.
If it's really just about 3 public cases where likely it was a brute force attack, then it doesn't seem a bad payoff. Time will tell.


Title: Re: Robbed more than 100,000 NXT
Post by: TaunSew on September 23, 2014, 10:49:11 AM
I personally like the idea of a brain wallet really very much but in the end Nxt will have to change to a system with a local wallet.dat file because people are obviously too stupid to create a safe passphrase.

And I think any security that relies on people being able to keep a file hidden on their hard drive is bound to fail too.
Consider that someone can steal your bitcoin wallet even in 20 years ... in many cases even some old file you left somewhere. And if you felt safe to use an easy password, then it will be broken in no time.

NXT's system is bad for short term PR, but better in the long term. Just wait for the day when some hacker sweeps all Google Drives for wallet.dat's - that will be one big splash of hundreds of thousands of coins stolen.
If it's really just about 3 public cases where likely it was a brute force attack, then it doesn't seem a bad payoff. Time will tell.

Yeah but this is starting to be slippery. Keeping all your money under your mattress or in a trash bag is bound to fail too. This is why in the long run crypto currencies, ironically, will probably result in crypto banks and these crypto banks will probably engage in fractional reserve banking (ironically we create these cryptos but end up back at square 1)


Title: Re: Robbed more than 100,000 NXT
Post by: rajc on September 23, 2014, 02:42:03 PM
I personally like the idea of a brain wallet really very much but in the end Nxt will have to change to a system with a local wallet.dat file because people are obviously too stupid to create a safe passphrase.

And I think any security that relies on people being able to keep a file hidden on their hard drive is bound to fail too.
Consider that someone can steal your bitcoin wallet even in 20 years ... in many cases even some old file you left somewhere. And if you felt safe to use an easy password, then it will be broken in no time.

NXT's system is bad for short term PR, but better in the long term. Just wait for the day when some hacker sweeps all Google Drives for wallet.dat's - that will be one big splash of hundreds of thousands of coins stolen.
If it's really just about 3 public cases where likely it was a brute force attack, then it doesn't seem a bad payoff. Time will tell.

Yeah but this is starting to be slippery. Keeping all your money under your mattress or in a trash bag is bound to fail too. This is why in the long run crypto currencies, ironically, will probably result in crypto banks and these crypto banks will probably engage in fractional reserve banking (ironically we create these cryptos but end up back at square 1)


Yes, I also think that in the middle-to-long run "safer" centralized solutions will emerge. But we "linux geeks with keepass installed" will still have the option to use decentralized solutions :D