My Wallet got hacked and the hacker paid huge transaction fees to take the money

[electerium]

if you computer has been compromised, why would you ever begin changing passwords without ensuring that you are no longer compromised?

Gmail has the easiest 2FA setup. Everyone should atleast use it. And I've been lobbying for a long time that there should also be a geographical restriction that allows the user even more control.

[Waramp22]

I moved the wallet to Blockchain.info, it's not that I trust my gmail account (and dropbox) is completely safe now but I guess it must be impossible to enter the account after I put up the google key two factor authentication.

blockchain.info is even worse than a desktop client! You computer has been compromized. Moving to blockchain.info won't make things any better.

What you should do is backup essential documents, delete everything on your computer, reinstall the operating system, install anti-malware software like anti-virus apps and scan and restore the backups. Then change your passwords everywhere including your email accounts. As far as bitcoins go you should move all the coins to a new wallet. Make sure you set a password on your new wallet.

At least blockchain.info has 2FA. If he sets it up with his phone number, they would need to have his cell phone in their hands to log into the account.

Not to mention it has IP lock so if you are outside if the set I.P address it wont function.
And a disable TOR IP address option too.

 

[empoweoqwj]

if you computer has been compromised, why would you ever begin changing passwords without ensuring that you are no longer compromised?

Gmail has the easiest 2FA setup. Everyone should atleast use it. And I've been lobbying for a long time that there should also be a geographical restriction that allows the user even more control.

You shouldn't. You should start again. Biggest mistake people make is thinking they can run some dodgy anti-virus software to "clean" their system. What a joke.

Havelock.com has both 2FA and geographical restrictions. I turn both on. Still not confident though 

[e4xit]

I moved the wallet to Blockchain.info, it's not that I trust my gmail account (and dropbox) is completely safe now but I guess it must be impossible to enter the account after I put up the google key two factor authentication.

blockchain.info is even worse than a desktop client! You computer has been compromized. Moving to blockchain.info won't make things any better.

What you should do is backup essential documents, delete everything on your computer, reinstall the operating system, install anti-malware software like anti-virus apps and scan and restore the backups. Then change your passwords everywhere including your email accounts. As far as bitcoins go you should move all the coins to a new wallet. Make sure you set a password on your new wallet.

At least blockchain.info has 2FA. If he sets it up with his phone number, they would need to have his cell phone in their hands to log into the account.

Not to mention it has IP lock so if you are outside if the set I.P address it wont function.
And a disable TOR IP address option too.

 

I think all this hoo-har surrounding the blockchain.info 2FA is slightly overblown for the following reason. The 2FA is only required for actions using the site.

Many people back up their wallet file or have it automatically backed-up/emailed to their email by blockchain.info. THIS WALLET FILE IS ENCRYPTED (using your main password) BUT NOT BY 2FA (or blockchain.info's "second password"), which I think many people believe it is.

So all an attacker needs is a copy of this backup file, and your primary password, which apaprently people keep losing.

Just wanted to make that point. I suppose, if your email has a strong password, and 2FA of its own (e.g. gmail), THEN you might be starting to get to somewhere secure.

OP I am interested, I think you mentioned that you are using OS X, right? Also, would you care to divulge your password metadata with us, for example for both your email, dropbox and multibit:

1) were the passwords all different?
2) length of each password?
3) alpha, numerals and symbols (#) in each password

My condolences for your loss too, by the way.

[paul44]

I currently keep mine in a blockchain.info wallet as it was recommended to me a while back. I would certainly be interested to hear if there is something more desirable though.

Electrum. I could never recommend storing your bitcoins online, sorry.

Downloaded electrum now, definitely going to use it. Thanks for the advice, I needed it!

[jbssm]

I currently keep mine in a blockchain.info wallet as it was recommended to me a while back. I would certainly be interested to hear if there is something more desirable though.

Electrum. I could never recommend storing your bitcoins online, sorry.

But the two factor authentication in blockchain.info doesn't make it more secure?
Or even better any local storage that uses the two factor authentication, does it exist?

[empoweoqwj]

I currently keep mine in a blockchain.info wallet as it was recommended to me a while back. I would certainly be interested to hear if there is something more desirable though.

Electrum. I could never recommend storing your bitcoins online, sorry.

Downloaded electrum now, definitely going to use it. Thanks for the advice, I needed it!

You are welcome. Its a gem.

[jbssm]

I moved the wallet to Blockchain.info, it's not that I trust my gmail account (and dropbox) is completely safe now but I guess it must be impossible to enter the account after I put up the google key two factor authentication.

blockchain.info is even worse than a desktop client! You computer has been compromized. Moving to blockchain.info won't make things any better.

What you should do is backup essential documents, delete everything on your computer, reinstall the operating system, install anti-malware software like anti-virus apps and scan and restore the backups. Then change your passwords everywhere including your email accounts. As far as bitcoins go you should move all the coins to a new wallet. Make sure you set a password on your new wallet.

At least blockchain.info has 2FA. If he sets it up with his phone number, they would need to have his cell phone in their hands to log into the account.

Not to mention it has IP lock so if you are outside if the set I.P address it wont function.
And a disable TOR IP address option too.

 

I think all this hoo-har surrounding the blockchain.info 2FA is slightly overblown for the following reason. The 2FA is only required for actions using the site.

Many people back up their wallet file or have it automatically backed-up/emailed to their email by blockchain.info. THIS WALLET FILE IS ENCRYPTED (using your main password) BUT NOT BY 2FA (or blockchain.info's "second password"), which I think many people believe it is.

So all an attacker needs is a copy of this backup file, and your primary password, which apaprently people keep losing.

Just wanted to make that point. I suppose, if your email has a strong password, and 2FA of its own (e.g. gmail), THEN you might be starting to get to somewhere secure.

OP I am interested, I think you mentioned that you are using OS X, right? Also, would you care to divulge your password metadata with us, for example for both your email, dropbox and multibit:

1) were the passwords all different?
2) length of each password?
3) alpha, numerals and symbols (#) in each password

My condolences for your loss too, by the way.

Thank you. Yes, I was using a Mac.

1) No, the passwords for the wallets where the same (I know, stupid me). The passwords for email and Dropbox where different.
2) About 8-10
3) The passwords for the wallets and the email where pretty good: alpha, numerals and symbols. The passwords for Dropbox was just alpha, although it was just a bunch of letters I came up with, not a dictionary word.

Also I turned on 2FA everywhere and changed all the relevant passwords and disabled TOR in blockchaininfo.
But I'm still apprehensive about what you said from the wallet backup from blockchaininfo. I didn't made a backup, I just printed that original wallet access codes. But now I'm a bit paranoid about if it's possible for the hacker to have access to that as well. Any thoughts on that?

I think it's really difficult for the hacker to have some backdoor to my computer. It's a Mac, the SO was freshly installed about 1 month ago and it's got no fixed IP address. I still think this has something to do with Dropbox and/or my Gmail account. But to say the truth, now I'm not sure of anything anymore.

[empoweoqwj]

8-10 ain't enough these days. 14 random characters (of all kinds) bare minimum

[jbssm]

I've just noticed a Multibit Failsafe-data folder in my computer.

It was created (not by me) 2 days ago after I discovered the bitcoin hack (probably about the time I changed my password, but I'm not sure).

Is this file supposed to exist or is it a suspicious activity?

[nosdi26]

the best way to store your coins are offline, i do backups in 3 usb memories every time i make a transaction..and nothing to my pc..

[empoweoqwj]

the best way to store your coins are offline, i do backups in 3 usb memories every time i make a transaction..and nothing to my pc..

3 is a bit over the top ..... and I was told in another thread you don't need to backup after every transaction. But I forget what the  actual criteria is, sorry. Perhaps someone can fill us in.

[empoweoqwj]

What if the hacker had access to the wallet backup and the password? It wouldn't need my computer that way, right?

A wallet back is the same as the wallet. So if he has that, and your password, he has access to your coins. Its not tied to your computer or your identity in any way. Scary isn't it

[Xiaoxiao]

I moved the wallet to Blockchain.info, it's not that I trust my gmail account (and dropbox) is completely safe now but I guess it must be impossible to enter the account after I put up the google key two factor authentication.

blockchain.info is even worse than a desktop client! You computer has been compromized. Moving to blockchain.info won't make things any better.

What you should do is backup essential documents, delete everything on your computer, reinstall the operating system, install anti-malware software like anti-virus apps and scan and restore the backups. Then change your passwords everywhere including your email accounts. As far as bitcoins go you should move all the coins to a new wallet. Make sure you set a password on your new wallet.

Question- I share same wireless network with roommates.  The network is secure, but if their computers are unsafe/malware infected, could that infect my computer since we are on the same wireless network?  I do have 100% security on my computer though: antivirus, malware, firewall and safe browsing habits.

[empoweoqwj]

I moved the wallet to Blockchain.info, it's not that I trust my gmail account (and dropbox) is completely safe now but I guess it must be impossible to enter the account after I put up the google key two factor authentication.

blockchain.info is even worse than a desktop client! You computer has been compromized. Moving to blockchain.info won't make things any better.

What you should do is backup essential documents, delete everything on your computer, reinstall the operating system, install anti-malware software like anti-virus apps and scan and restore the backups. Then change your passwords everywhere including your email accounts. As far as bitcoins go you should move all the coins to a new wallet. Make sure you set a password on your new wallet.

Question- I share same wireless network with roommates.  The network is secure, but if their computers are unsafe/malware infected, could that infect my computer since we are on the same wireless network?  I do have 100% security on my computer though: antivirus, malware, firewall and safe browsing habits.

I'lll stop you at "the network is secure". No network is secure, not even your setup with your roommates.

Never assume anything is safe or protected. Store the majority of your coins offline, not on a computer connected to the Internet.

[theecoinomist]

I currently keep mine in a blockchain.info wallet as it was recommended to me a while back. I would certainly be interested to hear if there is something more desirable though.

Electrum. I could never recommend storing your bitcoins online, sorry.

But the two factor authentication in blockchain.info doesn't make it more secure?
Or even better any local storage that uses the two factor authentication, does it exist?

This has been said hundreds of times, and shall be said again. Blockchain.info does NOT have access to your unencrypted private keys, it's not an online wallet since a thief can't hack their database and steal loads of passwords. The only way you would lose them on Blockchain would be to login while a hacker implemented some malicious javascript, but I still think that's yet to happen..

[empoweoqwj]

I currently keep mine in a blockchain.info wallet as it was recommended to me a while back. I would certainly be interested to hear if there is something more desirable though.

Electrum. I could never recommend storing your bitcoins online, sorry.

But the two factor authentication in blockchain.info doesn't make it more secure?
Or even better any local storage that uses the two factor authentication, does it exist?

This has been said hundreds of times, and shall be said again. Blockchain.info does NOT have access to your unencrypted private keys, it's not an online wallet since a thief can't hack their database and steal loads of passwords. The only way you would lose them on Blockchain would be to login while a hacker implemented some malicious javascript, but I still think that's yet to happen..

So you've audited blockchain.info's code have you? Coins are always safer offline, code is too susceptible to be 100% trustworthy.

[Abdussamad]

This has been said hundreds of times, and shall be said again. Blockchain.info does NOT have access to your unencrypted private keys, it's not an online wallet since a thief can't hack their database and steal loads of passwords. The only way you would lose them on Blockchain would be to login while a hacker implemented some malicious javascript, but I still think that's yet to happen..

bc.i is an online wallet because it serves up an encrypted copy of your wallet to anyone who knows the wallet identifier. It also stores the encrypted wallet on its servers thereby making it available to its employees as well as the datacenter staff.

The other thing is that it uses javascript to generate the random numbers for the wallet and also for the transaction signing. This has caused problems before.

Some ways in which people have lost money on bc.i wallets:

- RNG bug caused random numbers to be reused which made it possible to calculate the private key behind an address.

- Hacked because the user used a simple password and the wallet was bruteforced. This would be much harder on a desktop client because you first have to get access to the encrypted wallet file.

[empoweoqwj]

This has been said hundreds of times, and shall be said again. Blockchain.info does NOT have access to your unencrypted private keys, it's not an online wallet since a thief can't hack their database and steal loads of passwords. The only way you would lose them on Blockchain would be to login while a hacker implemented some malicious javascript, but I still think that's yet to happen..

bc.i is an online wallet because it serves up an encrypted copy of your wallet to anyone who knows the wallet identifier. It also stores the encrypted wallet on its servers thereby making it available to its employees as well as the datacenter staff.

The other thing is that it uses javascript to generate the random numbers for the wallet and also for the transaction signing. This has caused problems before.

Some ways in which people have lost money on bc.i wallets:

- RNG bug caused random numbers to be reused which made it possible to calculate the private key behind an address.

- Hacked because the user used a simple password and the wallet was bruteforced. This would be much harder on a desktop client because you first have to get access to the encrypted wallet file.

Exactly. Not matter how diligent website programmers are, your coins are *always* safer offline