Bitcoin Forum

Economy => Service Discussion => Topic started by: SalehCoder on May 11, 2013, 10:45:15 AM



Title: Friendly advice, & beware of MtGox incompetence
Post by: SalehCoder on May 11, 2013, 10:45:15 AM
Hello guys

Just a friendly note to all of you using MtGox to trade bitcoins. If I were you I would avoid using it. Clearly there is a security breach on the system that allowed the mother-fucking-asshole-may-he-rot-in-hell hacker to hack into my account and withdraw all my BTCs. If you got hacked MtGox won't be able to do anything because BTC transfers are irreversible.

I would also recommend using the double security measurement in the Security Center if you insist on sticking with MtGox.

If you say it could be an XSS hack or a key logger, I never enter a malicious website using the same computer I log into MtGox with. I don't even enter MtGox from a public wifi. And I haven't stored the MtGox password on my computer.

But assuming it is a key logger for instance, the last time I logged into MtGox was on April 11. That's about a month before I got hacked 2 days ago. It is unrealistic for a hacker to wait a month before trying the password. I always check that the link is correct and certified https before I enter my username and password.

I followed every possible secure practice except one, not using the double security measurement, which I didn't have a reason to use in the first place. But most mistakes happen when and where you don't think they will. I wish I had a friend who cared enough and would have told me that.

If it could be of any help:
> Transaction reference: 939f9846-7a8e-43ed-9839-10d1416acbeb
>
> Date: 2013-05-09 13:07:01 GMT
>
> IP: 207.29.252.26

The hacker withdrew to his wallet address: 12Sx7cBx9pUhX2KjT2fvpGBDCQms8z4GXp

I'm fed up with MtGox's incompetence in many ways.

P.S. I always check background processes for any weird bot before logging in to the website.


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: CasinoBit on May 11, 2013, 11:01:42 AM
Some Bitcoin related websites will ask you to download their custom Java player in order to play a video...


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: Terk on May 11, 2013, 11:07:50 AM
And I haven't stored the MtGox password on my computer.

Based on that, I assume that you don't use any password manager. And based on that, I assume you heavily re-use passwords between websites, as it's impossible to remember hundreds of really different and really strong passwords (especially for websites where you log in once a month).

You should consider the possibility that some other website was compromised and you used the same email and the same / very similar password there (or you might even have signed up to some website which has a fraudulent owner, especially a bitcoin-related website).

I followed every possible secure practice except one, not using the double security measurement

Well, there are at least two best security practices which you didn't use, and the second one is not using a secure password manager with strong encryption, which allows you to have very strong, totally random and totally different passwords for each account you register. And since you thought you followed everything but one, there might be some more good practices you omitted as well.

I'm not trying to be hard on you, I'm just throwing out ideas to consider possibilities. I think if the fault was on the MtGox side, we would read today about unauthorized withdrawals for amounts totaling up to dozens of thousands of coins.

not using the double security measurement, which I didn't have a reason to use in the first place

Well, one could say that it's the third best security practice you didn't follow - not using a security layer where it's available (and doesn't come with much disadvantage, e.g. being difficult or uncomfortable, as you can set up 2-factor auth only for withdrawals at MtGox).


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: SalehCoder on May 11, 2013, 11:35:35 AM
Some Bitcoin related websites will ask you to download their custom Java player in order to play a video...

Yes but I do not do that.

You should consider the possibility that some other website was compromised and you used the same email and the same / very similar password there (or you might even have signed up to some website which has a fraudulent owner, especially a bitcoin-related website).
I was being careful about it.


Well, one could say that it's the third best security practice you didn't follow - not using a security layer where it's available (and doesn't come with much disadvantage, e.g. being difficult or uncomfortable, as you can set up 2-factor auth only for withdrawals at MtGox).
And that caused my downfall. Taking things for granted. But even so, I still blame MtGox for not enforcing that kind of security instead of making it optional. People do not always know what's best for them. And the fact that I use a unique password and I followed other practices means that there is some kind of breach somewhere in the MtGox system.

I'm just furious and angry that my BTCs got stolen. But let's get realistic, I'm partly to blame, but MtGox are not doing enough to ensure the safety of people's BTCs. Unauthorized BTC withdrawals have been happening a lot for years and the least they can do is ensure that the withdrawal is being done by the account holder either by email (still not enough), or even better by SMS or any other means, or enforce YubiKeys! It is huge incompetence on their part that it keeps happening to hundreds or thousands of users and they are not doing much about it. They have to take into account the ignorance of some of their users on safety measurements.


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: alyssa85 on May 11, 2013, 12:47:21 PM

Based on that, I assume that you don't use any password manager. And based on that, I assume you heavily re-use passwords between websites, as it's impossible to remember hundreds of really different and really strong passwords (especially for websites where you log in once a month).

Actually it's perfectly possible to manage hundreds of very different strong passwords without a password manager in your computer, if you go old school.

Buy yourself a hard-backed book which remains in your desk at home. Write down the passwords for every different site in that book. That way, however long and complicated the password, all you need to do is look it up in your book. They'd have to locate your house and steal your book to get at them, and yes this means you can't open your wallet in the office. And, yeah, it's really old school - paper isn't popular in the mainstream world, but isn't it interesting how it is making a comeback in the bitcoin universe?


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: kjj on May 11, 2013, 12:52:02 PM

Based on that, I assume that you don't use any password manager. And based on that, I assume you heavily re-use passwords between websites, as it's impossible to remember hundreds of really different and really strong passwords (especially for websites where you log in once a month).

Actually it's perfectly possible to manage hundreds of very different strong passwords without a password manager in your computer, if you go old school.

Buy yourself a hard-backed book which remains in your desk at home. Write down the passwords for every different site in that book. That way, however long and complicated the password, all you need to do is look it up in your book. They'd have to locate your house and steal your book to get at them, and yes this means you can't open your wallet in the office. And, yeah, it's really old school - paper isn't popular in the mainstream world, but isn't it interesting how it is making a comeback in the bitcoin universe?

That book is still a password manager.


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: Terk on May 11, 2013, 01:18:04 PM
Actually it's perfectly possible to manage hundreds of very different strong passwords without a password manager in your computer, if you go old school.

I never wrote about the password manager being digital ;-)

But seriously, I know dozens of people using software password managers, hundreds of people not using any password manager and no one using a paper password manager. That is why I assumed that, statistically, if he doesn't use a software password manager, he doesn't use any at all.

Oh, and I am not counting into the third group any people who put their only and heavily reused password on a sticker inside their desk drawer ;-)


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: BitcoinUK on May 11, 2013, 01:19:16 PM
Next lesson to learn: don't use third party services as a bank. Deposit into MtGox, trade, then withdraw. Leaving funds in a third party service for a month, no matter how much you trust them, is also a risk. Remember the funds are not insured, so why risk leaving them in an uninsured location?


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: Jesteroth on May 11, 2013, 01:22:02 PM
Sorry for u mate, how much did u lose btw?


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: QuantPlus on May 11, 2013, 02:56:19 PM
But let's get realistic, I'm partly to blame, but MtGox are not doing enough to ensure the safety of people's BTCs.

Vladmir's post zeros in on Asset Risk...
Because there's a massive, general security tradeoff...
When you operate pseudo-anonymously in the Underground Economy...
(Passwords, security layers are a small part... counter-party risk is the Big One).

MtGox = Full Tilt Poker circa 2010...
Both basically operating out of a Big Slush Fund.

I actually disperse my BTC trading among several smaller BTC exchanges...
Your random high-tech startup >> trustworthy than MtGox...
Small exchanges have a HUGE incentive to stay in business.

In a parallel universe...
All my Securities Trading accounts are linked to a physical Security Device...
And wires can only go out to specific bank addresses...
And my broker is a solvent, billion $$$ counter-party.

I may not be able to trade on my cellphone while skydiving...
And there MAY be a trail for tax purposes...
But it's impossible to steal my money without breaking into my office.

http://en.wikipedia.org/wiki/Security_token


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: coastermonger on May 11, 2013, 05:49:55 PM
OP, just out of curiosity were you using 2-factor?


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: farlack on May 11, 2013, 11:37:54 PM
People even with 2F get their shit stolen on gox.

Does anyone ever get jacked from btc-e, or hell even blockchain.info?

I think it's gox stealing because they need funds.


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: Valle on May 12, 2013, 12:25:40 AM
Let me guess - no 2 factor auth or any other protection, just password?


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: TimJBenham on May 12, 2013, 12:12:17 PM
Next lesson to learn: don't use third party services as a bank. Deposit into MtGox, trade, then withdraw. Leaving funds in a third party service for a month, no matter how much you trust them, is also a risk. Remember the funds are not insured, so why risk leaving them in an uninsured location?

AFAIK there are no insured locations for Bitcoin. If you want to actively trade BTC you need to leave fiat at the exchange too, which I don't think is insured either.


Title: Re: Friendly advice, & beware of MtGox incompetence
Post by: MPOE-PR on May 12, 2013, 01:56:31 PM
Hello guys

Just a friendly note to all of you using MtGox to trade bitcoins. If I were you I would avoid using it

There are two scams in Bitcoin only noobs fall for: MtGox and BFL. Everyone else knows about it, but they advertise massively on Google Ads etc, since their business model is actually scamming noobs (https://bitcointalk.org/index.php?topic=191592.msg1995853#msg1995853).

There are a few shills on this forum struggling to keep up the pretense of some community support behind either venture, but this is all fake. Glad to hear you learned better, hope it didn't cost you too much, welcome to Bitcoin. It's the fate of free and open projects that are worth anything that there are going to be scammers at the gates.