Yep, I agree with you, I have learned my lesson and will definitely use a Yubikey. I will not use MtGox as they have many security flaws in their system. I've never had my bank accounts, equity accounts, or even email accounts hacked, because of basic security precautions taken by those companies. Would be really easy for MtGox to avoid issues like this with a simple email confirmation.
AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication). I would agree that there are simple things MtGox could do to improve security - for example, like requiring a 2nd password for withdrawal above a limit, or making withdrawals wait a little while to give you time to blow the whistle, or requiring a PGP signature to withdraw. On the other hand, if you have a compromised machine, or a compromised e-mail account, none of this will be much help. They should go the route of a pin requirement for any actions. The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever. That's what really screwed my over, I was unable to put a stop to any actions. |
|
|
|
Did you click a link in an "Mt Gox" email? Or basically, were you phished?
They have been warning about phishing emails for months.
Nope I didn't. I just received an email saying that there was a withdrawal. I went to MtGox on a separate page and tried to login to my account and I couldn't login. |
|
|
|
Hello, this happened three days ago. My password was very strong and never compromised. I would love to know myself how my account was hijacked. I've continued to ask support for help, but they are doing nothing, other than restoring my original email. There were several withdrawals on my account, all done within minutes, the largest withdrawal was 258btc. The problem I have is that the hijackers was able to use my $ to buy bitcoins with several transactions, and make several withdrawals, all without confirmation from me and within 20 minutes total. MtGox has destroyed the BTC market, and I feel they will continue to compromise the overall market for BTC.
Unless you boot your computer freshly from a live CD or have just barely installed an OS, the moment anyone starts browsing the internet at large, there is no way they can be certain they don't have a keylogger on their machine. Bitcoin is known to malware authors, and they will target bitcoin-related passwords. If you get keylogged, you will never have any way to prove or disprove that that's what happened. Likewise, MtGox isn't going to be able to either - the only thing they can do is say that somebody from IP address x.x.x.x logged in and withdrew your funds to address X. This is why I have a Yubikey. I am conscientious and practice safe computing habits, but you never know when you're going to get compromised by the next "0-day" vulnerability. Safe computing means assuming your computer is probably compromised all of the time and planning accordingly to reduce your risk. (For example, not only do I use Yubikey, the computer I use to log in to MtGox and transacting Bitcoins is absolutely NEVER used for surfing the web, because I believe a computer not used for web surfing is far less likely to be compromised). The Yubikey is far from perfect - but it is pretty effective against keyloggers and makes you a far more challenging target for hackers. It is also pretty powerful because the physical key has two modes, one for generating login passwords and one for generating withdrawal passwords. A Yubikey code generated for a login won't work for a withdrawal, so even if somebody breaks into your account, they can't do anything with it (other than trade) without a code they're far less likely to have a chance at getting. Yep, I agree with you, I have learned my lesson and will definitely use a Yubikey. I will not use MtGox as they have many security flaws in their system. I've never had my bank accounts, equity accounts, or even email accounts hacked, because of basic security precautions taken by those companies. Would be really easy for MtGox to avoid issues like this with a simple email confirmation. |
|
|
|
|
I thought it might help to post the hijacker's transactions on my account, and how it wasn't necessary to authorized or confirm these transactions by MtGox.
Purchases
Tue 13 Dec 2011 03:29:47 PM GMT Spent BTC bought: [tid:1323790187459527] 6.84700000 BTC at $3.22000 $22.04734 $0.68522
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143318090] 32.79614017 BTC at $3.22000 $105.60357 $22.73256
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143203780] 160.98640384 BTC at $3.22000 $518.37622 $128.33613
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143159223] 19.89999999 BTC at $3.21899 $64.05790 $646.71235
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143032510] 43.85985600 BTC at $3.21899 $141.18444 $710.77025
Tue 13 Dec 2011 03:29:02 PM GMT Spent BTC bought: [tid:1323790142989042] 0.99400000 BTC at $3.21898 $3.19967 $851.95469
Tue 13 Dec 2011 03:29:02 PM GMT Spent BTC bought: [tid:1323790142956975] 22.00000000 BTC at $3.21000 $70.62000 $855.15436
Withdrawals:
Tue 13 Dec 2011 03:30:01 PM GMT Withdraw Bitcoin withdraw to1NMBnbywM8KBppQxictvQKmyPz2uUSqJ79 6.81831800 BTC 0.00000000 BTC
Tue 13 Dec 2011 03:29:15 PM GMT Withdraw Bitcoin withdraw to 19HiW7hqsm2E4sqJK8wnfG9TCEyiPG2hVT 282.54000000 BTC 0.00760710 BTC
|
|
|
|
US$1k isn't a lot to have sitting in an account, but it is enough to be annoying to have stolen. Trying to play with $50 or 10 BTC is tiny, especially if you are moving things between exchanges and it takes an age for that to happen at times.
Yes, yubikeys and the like help, but having an exchange with some responsibility to users against negligence would also be an improvement. I've struck several exchanges that didn't want to help when their systems were at fault, and I've been lucky to escape them before losing too much money (BitPLN and Bitcoin7).
Also, bear in mind Mt.Gox is about 85% of the exchange market and assess if you think they are over-represented in the problems that keep recurring. When I trade their I work on the belief that I might not get my money out. I can't make a positive accusation, but they are not my #1 preferred place to transfer anything of value.
Thanks for the input. I didn't think 1k was a lot to mess around with and I thought it was a good time to buy. MtGox has completely lost my trust and as the #1 exchange, it's amazing that they have so many flaws in their system. How do they let you change your account email, which is main method to confirm your identity, so easy? Once the hacker did that, it was easy for them to "reset" a new password. The withdrawal email stated that I should reply immediately if I didn't authorize the trade, which I did to no avail. Why would they put that in emails if it doesn't work? I'm afraid to buy bitcoins as I'm confident Mtgox lack of security will cause another massive BTC crash. |
|
|
|
Holy shit. Sorry for your loss. I hope you've haven't completely lost your faith in bitcoin due to Mtgox :/
How did the attacker know to recover from your account? Were you talking to people somewhere about how much cash you had in your account, or was this just some one-time happenstance thing?
Hi Greed, Not sure how the hacker accessed my account. The only thing I received was one notice that there was a withdrawal from my account, which I immediately responded to. After that, I couldn't access my account, the hacker changed everything, my email, password, etc.. Which I can't believe is possible in the account setting without confirmation from the old email. I emailed MtGox so many times to freeze my account immediately after the withdrawal email, but didn't hear back until 2 days later and it was too late. I'll never use MtGox again, in my opinion, they're irresponsibility is the reason we had the BTC crash. |
|
|
|
Totally agree with this, my MtGox account was hacked, my password and email were changed, and my bitcoins are now gone, about 300. Nothing from MtGox, they don't give a shit. When I received the account withdrawal email, I immediately told them to freeze my account, they didn't.
When did this happen? Did you use the same password on multiple systems? Did you use a crappy short password? I'm not trying to 'blame the victim' here - but in most cases it does seem to turn out that the user was using woefully inadequate passwords, or that the security breach was on the user's side, so please let us know if you have any information on how your 'account was hacked'. Also - there is a daily withdrawal limit in place on most mtgox accounts.. are you saying that all 300 or so disappeared at once - or that this happened over a period of time? How much followup have you done with mtgox support? Hello, this happened three days ago. My password was very strong and never compromised. I would love to know myself how my account was hijacked. I've continued to ask support for help, but they are doing nothing, other than restoring my original email. There were several withdrawals on my account, all done within minutes, the largest withdrawal was 258btc. The problem I have is that the hijackers was able to use my $ to buy bitcoins with several transactions, and make several withdrawals, all without confirmation from me and within 20 minutes total. MtGox has destroyed the BTC market, and I feel they will continue to compromise the overall market for BTC. |
|
|
|
|
Yes, thank you for the advice. It wasn't that I had so many bitcoins, I actually had none, it was that I had about $1k in cash, ready to buy up bitcoins. The hijacker bought up the bitcoins with my cash and then withdrew. I was just shocked that there were no safety precautions with MtGox, no fail safe, no way to stop the transaction. Ultimately I was locked out of my account and the hijacker was free to do whatever they want. There should be a Freeze account option with MtGox.
|
|
|
|
|
I'd like to share my recent experience with MtGox. I deposited about $1k to mess around with. I purchased 45 bitcoins with no problem. Then two days ago, I get an email stating that there's been a withdrawal from my account and that if I didn't authorize it, I should reply immediately. I replied immediately telling them to freeze my account. Then I tried to login to MtGox, couldn't and my IP was blocked. Furthermore, I tried password recovery but that was also blocked. Turns out someone hijacked my account, changed the email and password, cashed all my money for bitcoins and withdrew everything, about 300 bitcoins. I can't believe you can change the email and password of an account without confirmation from the original email. Anyway, my support ticket is closed and my account is empty. Thanks MtGox.
|
|
|
|
|
Talk about my terrible experience with MtGox and how they basically stole over 300 BTC from me.
|
|
|
|
|
Totally agree with this, my MtGox account was hacked, my password and email were changed, and my bitcoins are now gone, about 300. Nothing from MtGox, they don't give a shit. When I received the account withdrawal email, I immediately told them to freeze my account, they didn't.
|
|
|
|
|
This should be the first post on the forum, had to search for this.
|
|
|
|
|
Show Posts
