Author Topic: How to use 2-factor auth on mtgox, even without a smartphone  (Read 27414 times)
bitcoinBull (OP)
September 21, 2012, 10:50:02 PM
Last edit: September 22, 2012, 12:05:09 PM by bitcoinBull
 #1

So, bitcoins are now probably the most wanted target of hackers and trojan-botnet operators in search of easy profit. They are the most easily monetized score of digital theft, valued at face in BTC while credit card numbers are sold for pennies on the dollar.

Every time you download programs, or re-install Windows using that ISO you got from a torrent, chances are ever greater that there is a trojan/virus. The chances are also good that it will go Fully UnDetected by most, if not all, Anti-Virus programs (botnet operators use a "FUD crypter" for this). If so, your mtgox password will be captured and added to the botnet database of login/password form submissions.

Then dude takes your mtgox funds.

I lost roughly 2000 USD from my MT.Gox account at 08:40 JST on the 31st of May 2012.

A lot of that going on.

"MtGox account got cleared out"
 - http://bitcointalk.org/index.php?topic=85533.0

"All BTC disappeared from my Mt. Gox account"
 - http://bitcointalk.org/index.php?topic=88368.0

Another:
 - http://bitcointalk.org/index.php?topic=80562.msg941759#msg941759

And another:
"My mtgox account got compromised, what can I do?"
 - http://bitcointalk.org/index.php?topic=84585.0

And on other services as well.  Here same thing happened to some GLBSE users:
 - http://bitcointalk.org/index.php?topic=84893.0

In none of these was the person using multi-factor authentication.  Mt. Gox has had Yubikey support for a while.  Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html


But not you! Because you used 2-factor auth for withdrawals and dude only has your mtgox password, not your OTP private key.
 

Step 1:

Go to your mtgox security center and click "ADD NEW" under software authenticators.



Take a screenshot of this window, print it out, and lock it in a safe. Or copy/paste the secure private key and save it encrypted to a USB and lock that in a safe. Write it on a post-it, memorize it and then eat the post-it. Whatever you do, keep it secret but don't lose it.


Step 2:

If you have an android phone, install the google authenticator app for android. If you have an iOS device (iPod touch, iPad, iPhone), install the iOS app.

If you have neither, you can use this html5 google authenticator app. Download the zip file, extract it and open the index.html in your browser.

Now click the plus sign and add your secure private key. You are only running a local html5 app, so your secure private key is not being shared with anyone. You can even do this on an offline computer; you don't have to be online to use your secure private key to generate a one-time-passcode.




Step 3:

Use your generated one-time-passcode in the mtgox security center.



This passcode changes every 30 seconds. That's how long you have to type it into mtgox and "save" your new 2-factor auth system.




Step 4:

Add your new 2-factor method to "Withdrawal" to protect withdrawals.






Step 5:

Also add it to "Security Center". Otherwise, anyone with your login password can simply go to security center and remove your 2-factor auth protection.






Now a one-time-passcode is needed to remove 2-factor from withdrawals.



Step 6:

Your withdrawals are now protected.





CAVEAT on using the google authenticator html5 app:

Obviously, if you use your 2-factor "secure private key" on the same computer, it can be stolen along with the password. So pray that dude's trojan doesn't keylog everything, just login form passwords to sites like mtgox. Or use the google authenticator app on an offline computer. If you're ultra-paranoid, remember that your secure private key could be captured at set-up time when done on an insecure computer.

Also, the html5 app saves the secure private key to html5 localStorage, so click the (x) after use to remove it. Or clear it from the browser's cache/localStorage.

College of Bucking Bulls Knowledge
koin
September 21, 2012, 11:04:49 PM
 #2

Or use the google authenticator app on an offline computer.

The clock on an offline computer will vary over time, which will make your OTP give a bad result. Update the time manually if the OTP it gives doesn't work.
nedbert9
September 21, 2012, 11:18:12 PM
 #3




This


This type of professional documentation for account security should have been developed by all the high profile Bitcoin sites that use Google 2FA.


It's a statement about their professionalism that they don't take the time to do this.


markm
September 22, 2012, 08:58:56 AM
 #4

This seems to assume you have a phone? Yet subject/title said even without one?

Is it that if you have no phone you have to get a yubikey instead?

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
phatsphere
September 22, 2012, 09:15:09 AM
 #5

Is it that if you have no phone you have to get a yubikey instead?
If you have no phone, you can use the html5 app.

And if you don't have a graphical front-end at all (text-only terminal console), there is a python script on github that does the hmac hash calculation for you.

sinner
September 22, 2012, 10:22:05 AM
 #6

is there a way to use 2 factor auth on your bitcoin wallet?
bitcoinBull (OP)
September 22, 2012, 11:59:05 AM
 #7

Is it that if you have no phone you have to get a yubikey instead?
If you have no phone, you can use the html5 app.

And if you don't have a graphical front-end at all (text-only terminal console), there is a python script on github that does the hmac hash calculation for you.


btw, if you use that python script, you have to add padding to the "secure private key" mtgox provides (other google auth apps will accept the secret key without padding). So "RPAAJZCGOW7NSAAJCFRCCHIN44" with base32 padding becomes "RPAAJZCGOW7NSAAJCFRCCHIN44======".

Code:
>>> import hmac, base64, struct, hashlib, time
>>> import onetimepass as otp
>>> my_secret = "RPAAJZCGOW7NSAAJCFRCCHIN44======"
>>> otp.get_totp(my_secret)
956735

foo
September 22, 2012, 11:23:02 PM
 #8

Very cool, thanks for the guide. Put up a donation address and I will send you a few bitcents for your trouble. Grin

I also found that the HTML5 app works in Opera Mobile, so I now have Google Auth on my Nokia (Symbian) phone!

I know this because Tyler knows this.
bitcoinBull (OP)
September 23, 2012, 01:55:27 AM
 #9

Very cool, thanks for the guide. Put up a donation address and I will send you a few bitcents for your trouble. Grin

I also found that the HTML5 app works in Opera Mobile, so I now have Google Auth on my Nokia (Symbian) phone!

You're very welcome. tip jar: 1DUCK7StixdPxMCia8qgqQ6zoaGRdGRnqU

buddrulez
September 23, 2012, 06:31:00 PM
 #10

Nice work on the tut, very handy info! I will throw some your way as well soon, thanks!
Hasimir
September 24, 2012, 08:46:13 PM
 #11

As an alternative to deleting the entry (on computers rather than phones) when you're done, just store the entire GAuth directory on an encrypted volume (e.g. TrueCrypt) and only mount it when you need it.

Website: Organised Adversary
OpenPGP/GPG key: 0x321E4E2373590E5D  I provide GPG Training services
IRC nick: Hasimir (Freenode and elsewhere)
BTC address: 19hiwsQq7xMAEyQMdiyGjkMGNmpN6GA5wL
bitcoinBull (OP)
September 24, 2012, 09:04:30 PM
 #12

As an alternative to deleting the entry (on computers rather than phones) when you're done, just store the entire GAuth directory on an encrypted volume (e.g. TrueCrypt) and only mount it when you need it.

That's a good idea, but it won't work. The GAuth page/app uses html5 localStorage, so the entry/"secret key" gets saved to the browser's data/cache folder, not to the folder with the GAuth html and javascript files.

You could edit the GAuth javascript file and replace the hardcoded example alice@google.com. Then it would be contained in the Gauth folder.

Hasimir
September 25, 2012, 07:30:49 AM
 #13

btw, if you use that python script, you have to add padding to the "secure private key" mtgox provides (other google auth apps will accept the secret key without padding). So "RPAAJZCGOW7NSAAJCFRCCHIN44" with base32 padding becomes "RPAAJZCGOW7NSAAJCFRCCHIN44======".

Code:
>>> import hmac, base64, struct, hashlib, time
>>> import onetimepass as otp
>>> my_secret = "RPAAJZCGOW7NSAAJCFRCCHIN44======"
>>> otp.get_totp(my_secret)
956735

Yep, that works.  Is there a way to report the number of seconds the OTP is valid for?  I can only see the check for whether it's true or false (and invoking that in the same script will always return true).

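The two points raised in posts #7 and #13 (the base32 padding mtgox's "secure private key" lacks, and how many seconds a code is still valid), plus the clock-drift problem discussed further down the thread, can all be seen in one stand-alone TOTP implementation. The following is an added example, not code from the original thread or from the onetimepass script it refers to. It implements RFC 6238 TOTP on top of RFC 4226 HOTP with the standard library only. MTGOX_SECRET is the example secret quoted in post #7; RFC_SECRET is the RFC 4226/6238 test key and all timestamps used are constructed for the demonstration.

```python
# Added example (not from the thread or the onetimepass script): RFC 6238 TOTP
# built on RFC 4226 HOTP, showing
#   1. the base32 padding that must be added to a displayed secret,
#   2. how many seconds the current 30-second code remains valid,
#   3. why a drifted clock yields a "wrong" code and how a verifier tolerates
#      a little skew with a +/-1 step window while rejecting large drift.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # Google Authenticator time step, in seconds
DIGITS = 6    # Google Authenticator code length

MTGOX_SECRET = "RPAAJZCGOW7NSAAJCFRCCHIN44"         # as displayed in the thread, unpadded
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"    # base32 of b"12345678901234567890" (RFC test key)


def pad_base32(secret):
    """Normalise a displayed secret: drop spaces, upper-case, and append the '='
    padding that base64.b32decode() requires (length must be a multiple of 8)."""
    s = secret.replace(" ", "").upper()
    return s + "=" * (-len(s) % 8)


def hotp(secret, counter):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then the low DIGITS decimal digits, zero-padded."""
    key = base64.b32decode(pad_base32(secret))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret, at=None):
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    t = time.time() if at is None else at
    return hotp(secret, int(t) // STEP)


def seconds_remaining(at=None):
    """Seconds until the current code rolls over (the value asked for in #13)."""
    t = time.time() if at is None else at
    return STEP - (int(t) % STEP)


def verify(secret, code, at=None, window=1):
    """Server-side check: accept the code for the current step and up to `window`
    steps either side. A clock a few seconds off still works; a clock minutes
    off (the offline-computer problem in this thread) is rejected.
    hmac.compare_digest keeps the comparison constant-time."""
    t = time.time() if at is None else at
    counter = int(t) // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("padded secret:", pad_base32(MTGOX_SECRET))
    print("code now:", totp(MTGOX_SECRET),
          "valid for", seconds_remaining(), "more seconds")
```

Run it on a machine whose clock is NTP-synced and the code matches what Google Authenticator shows for the same secret; set the clock several minutes off and `verify()` with the default one-step window rejects the code, which is exactly the symptom reported later in this thread for the offline Hiren's boot USB.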
Hasimir
September 25, 2012, 07:34:41 AM
 #14

As an alternative to deleting the entry (on computers rather than phones) when you're done, just store the entire GAuth directory on an encrypted volume (e.g. TrueCrypt) and only mount it when you need it.

That's a good idea, but it won't work. The GAuth page/app uses html5 localStorage, so the entry/"secret key" gets saved to the browser's data/cache folder, not to the folder with the GAuth html and javascript files.

You could edit the GAuth javascript file and replace the hardcoded example alice@google.com. Then it would be contained in the Gauth folder.

Ah well, the Python script will be good enough for me.  Which takes care of that problem.

Korbman
September 25, 2012, 03:40:31 PM
 #15

Excellent tutorial, and well written. We should see more like this!

Stephen Gornick
October 22, 2012, 04:58:29 AM
 #16

Two-factor provides security when every withdrawal or security change (e.g., change password, e-mail address, remove two-factor, etc.) action will require a new OTP to be entered.

This is addressed in this thread:

A plea to exchanges ... lets do 2 factor right!
 - http://bitcointalk.org/index.php?topic=109424.0

If your exchange or EWallet provider claims to have two-factor but doesn't do two-factor right, let them know otherwise they'll continue thinking they are protecting their customers which can be even worse, due to having a false sense of security ("oh ya, I have two factor -- I'm safe storing even larger amounts there now!").

Here's a list of EWallets where two-factor is offered:
 - http://bitcoin.stackexchange.com/a/4114/153

jborkl
October 22, 2012, 05:51:14 PM
 #17

and a Gox yubikey is only $29 last time I checked.

They sent me one for free, it is really a nice piece of hardware.

Short press and long press, so you have a built-in additional press to withdraw.

no name
February 12, 2013, 08:12:31 AM
 #18

Or use the google authenticator app on an offline computer.

The clock on an offline computer will vary over time, which will make your OTP give a bad result. Update the time manually if the OTP it gives doesn't work.

I tried to set up 2FA on mtgox using this method via an offline computer (mini WinXP on Hiren's boot USB) and got a wrong OTP. I had set the time and date the same to the second and got different OTPs. Online (same computer as the mtgox session) the generated OTP matched.

any advice, what is going wrong? thanks in advance!
Hasimir
February 12, 2013, 10:45:26 AM
 #19

Or use the google authenticator app on an offline computer.

The clock on an offline computer will vary over time, which will make your OTP give a bad result. Update the time manually if the OTP it gives doesn't work.

I tried to set up 2FA on mtgox using this method via an offline computer (mini WinXP on Hiren's boot USB) and got a wrong OTP. I had set the time and date the same to the second and got different OTPs. Online (same computer as the mtgox session) the generated OTP matched.

any advice, what is going wrong? thanks in advance!

This is most likely the clock creep issue.  The OTP only lasts for 30 seconds, so if the clock is wrong it will not be calculated for the correct time as observed by Mt. Gox.  The best solution is to use a system connected to a time (NTP) server, otherwise you'll have to update the clock manually.

foo
February 14, 2013, 09:09:46 AM
 #20

Or use the google authenticator app on an offline computer.

The clock on an offline computer will vary over time, which will make your OTP give a bad result. Update the time manually if the OTP it gives doesn't work.

I tried to set up 2FA on mtgox using this method via an offline computer (mini WinXP on Hiren's boot USB) and got a wrong OTP. I had set the time and date the same to the second and got different OTPs. Online (same computer as the mtgox session) the generated OTP matched.

any advice, what is going wrong? thanks in advance!
Wrong time zone on the offline computer?
