aadje93 (OP)
|
|
October 27, 2012, 02:42:13 PM |
|
Hello guys, some sad news. My blockchain account is hacked today, lost around 101 bitcoin. I am using the "mtgox yubikey", so I am really feeling shit. Had already lost 10 bitcoin on mtgox, that's why I bought myself a yubikey so this couldn't happen again. Sad to announce, but I think I quit mining with my 4,5ghs. The transaction hash: 1803eb98f2aaba1facba17d8b9e5d953b78fe63a3d85c9abb25002f09db0d7a8 How can an account be hacked when I use a yubikey to login.... And I have the yubikey always with me, this means blockchain.info is hacked or the yubikey of Mtgox is cracked (also seeing the large drop in bitcoin price I suspect a large bitcoin hack). Goodbye guys, I'll stop bitcoin from now on. Lost about $1000 (edit $ instead of €)
|
|
|
|
jl2012
|
|
October 27, 2012, 02:49:52 PM |
|
MtGox yubikey should not be used on anything other than MtGox. MtGox has clearly warned that.
Blockchain.info should stop "supporting" MtGox yubikey
|
Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY) LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC) PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
|
|
|
aadje93 (OP)
|
|
October 27, 2012, 02:51:40 PM |
|
A yubikey should be protecting an account since it's a physical thing you need to press to get a UNIQUE key out of it. That's different all the time, and will only work 1 time.
Even though it's mtgox "branded", it should still be safe to use as it's a unique thing.
But it doesn't matter anymore, I stop mining bitcoin. Sad to end it this way instead of buying asic. It's a sad lesson, I wasted so much electricity for nothing.
|
|
|
|
Blazr
|
|
October 27, 2012, 02:51:48 PM |
|
I tried out my MtGox YubiKey on the blockchain wallet service, and I noticed the OTPs that it generates are REUSABLE. It seems Blockchain.info is only looking at the first few letters of the OTP; as they are static, you can actually change the end of the OTP and the website will still accept it.
Doesn't sound secure at all to me and is definitely something that needs to be addressed. This is not 2-factor authentication.
|
|
|
|
matthewh3
|
|
October 27, 2012, 02:52:19 PM |
|
Do the online backups of your wallet need the MtGox Yubikey to be decrypted? If not, maybe someone hacked your email, Dropbox or Google Drive? Otherwise the thief must be someone you know.
|
|
|
|
jl2012
|
|
October 27, 2012, 02:53:14 PM |
|
I tried out my MtGox YubiKey on the blockchain wallet service, and I noticed the OTPs that it generates are REUSABLE. It seems Blockchain.info is only looking at the first few letters of the OTP; as they are static, you can actually change the end of the OTP and the website will still accept it.
Doesn't sound secure at all to me.
You are absolutely correct https://bitcointalk.org/index.php?topic=64300.0
|
|
|
|
proudhon
|
|
October 27, 2012, 02:53:25 PM |
|
I tried out my MtGox YubiKey on the blockchain wallet service, and I noticed the OTPs that it generates are REUSABLE. It seems Blockchain.info is only looking at the first few letters of the OTP; as they are static, you can actually change the end of the OTP and the website will still accept it.
Doesn't sound secure at all to me and is definitely something that needs to be addressed. This is not 2-factor authentication.
Good lord. That's a pretty big deal.
|
Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
|
|
|
jl2012
|
|
October 27, 2012, 02:55:27 PM |
|
How can an account be hacked when I use a yubikey to login.... And I have the yubikey always with me, this means blockchain.info is hacked or the yubikey of Mtgox is cracked (also seeing the large drop in bitcoin price I suspect a large bitcoin hack). Goodbye guys, I'll stop bitcoin from now on. Lost about $1000 (edit $ instead of €)
No, it's your own computer that got hacked. It MUST have a keylogger.
|
|
|
|
matthewh3
|
|
October 27, 2012, 02:56:16 PM |
|
I tried out my MtGox YubiKey on the blockchain wallet service, and I noticed the OTPs that it generates are REUSABLE. It seems Blockchain.info is only looking at the first few letters of the OTP; as they are static, you can actually change the end of the OTP and the website will still accept it.
Doesn't sound secure at all to me.
You are absolutely correct https://bitcointalk.org/index.php?topic=64300.0
What about if you don't use the MtGox Yubikey but the standard version? Also, can you use the standard version of the Yubikey on more than one wallet/site and be safe?
|
|
|
|
aadje93 (OP)
|
|
October 27, 2012, 02:59:04 PM |
|
Using AVAST antivirus, so I should be safe. And I didn't download anything last week (except a game through Steam and the demo of it on the official website (Farming Simulator 2013)). So that couldn't be it. But as I said, I think I stop with bitcoin. The loss is too big for me. Maybe going to do BOINC or something, not really sure.
|
|
|
|
jl2012
|
|
October 27, 2012, 03:15:14 PM |
|
Using AVAST antivirus, so I should be safe. And I didn't download anything last week (except a game through Steam and the demo of it on the official website (Farming Simulator 2013)). So that couldn't be it. But as I said, I think I stop with bitcoin. The loss is too big for me. Maybe going to do BOINC or something, not really sure.
Have you figured out how you lost 10BTC on MtGox?
|
|
|
|
paraipan
|
|
October 27, 2012, 03:20:05 PM Last edit: October 27, 2012, 03:40:30 PM by paraipan |
|
... Goodbye guys, I'll stop bitcoin from now on. Lost about $1000 (edit $ instead of €)
So long, come back in a few years when all this nasty stuff is taken care of. Edit: How can someone manage to lose so many bitcoins? Have you looked into paper wallets or Casascius bitcoins?
|
BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
|
|
|
ryann
|
|
October 27, 2012, 03:20:19 PM |
|
Hello guys, some sad news. My blockchain account is hacked today, lost around 101 bitcoin. I am using the "mtgox yubikey", so I am really feeling shit. Had already lost 10 bitcoin on mtgox, that's why I bought myself a yubikey so this couldn't happen again. Sad to announce, but I think I quit mining with my 4,5ghs. The transaction hash: 1803eb98f2aaba1facba17d8b9e5d953b78fe63a3d85c9abb25002f09db0d7a8 How can an account be hacked when I use a yubikey to login.... And I have the yubikey always with me, this means blockchain.info is hacked or the yubikey of Mtgox is cracked (also seeing the large drop in bitcoin price I suspect a large bitcoin hack). Goodbye guys, I'll stop bitcoin from now on. Lost about $1000 (edit $ instead of €)
That sucks man. Sry. But why would you stop mining if you have 4.5 gh? Mining takes no effort and you already purchased the GPUs. You currently make 1.5 coins a day mining.
|
|
|
|
hazek
|
|
October 27, 2012, 03:20:23 PM |
|
How can an account be hacked when I use a yubikey to login....
Simple, if they get your password keylogged and find a copy of your encrypted wallet stored on the blockchain servers, they can decrypt it by simply using your password. The yubikey is merely requested by the blockchain eWallet javascript, which however you do not need in order to use the wallet file. At least that's how I understand it.
Do the online backups of your wallet need the MtGox Yubikey to be decrypted? If not, maybe someone hacked your email, Dropbox or Google Drive? Otherwise the thief must be someone you know.
I don't think so and I also think yours is the most likely explanation.
|
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
ArticMine
|
|
October 27, 2012, 03:39:16 PM |
|
Hello guys, some sad news. My blockchain account is hacked today, lost around 101 bitcoin. I am using the "mtgox yubikey", so I am really feeling shit. Had already lost 10 bitcoin on mtgox, that's why I bought myself a yubikey so this couldn't happen again. Sad to announce, but I think I quit mining with my 4,5ghs. The transaction hash: 1803eb98f2aaba1facba17d8b9e5d953b78fe63a3d85c9abb25002f09db0d7a8 How can an account be hacked when I use a yubikey to login.... And I have the yubikey always with me, this means blockchain.info is hacked or the yubikey of Mtgox is cracked (also seeing the large drop in bitcoin price I suspect a large bitcoin hack). Goodbye guys, I'll stop bitcoin from now on. Lost about $1000 (edit $ instead of €)
... and the first factor of the two factor authentication was? Let me guess, a computer running Microsoft Windows. It seems to me that Microsoft Windows rather than bitcoin is the real problem here. By the way, I have been using GNU/Linux exclusively for all my online financial transactions since well before bitcoin even existed, with no problems. It does not matter what kind of currency one uses: BTC, CAD, USD, EUR etc. If one uses Microsoft Windows for financial transactions there is a good chance that sooner or later one will get burned.
|
|
|
|
|
jl2012
|
|
October 27, 2012, 04:06:48 PM |
|
I think you should stop "supporting" mtgox key while you can't really support it. At least you should let users know it is not keylogger-proof
|
|
|
|
piuk
|
|
October 27, 2012, 04:13:17 PM Last edit: October 27, 2012, 04:41:31 PM by piuk |
|
I think you should stop "supporting" mtgox key while you can't really support it. At least you should let users know it is not keylogger-proof
It is better than no yubikey, especially if the password is reused on other sites. Besides, it might not even be related to the yubikey. The attacker might have got access to the OP's wallet backup.
|
|
|
|
aadje93 (OP)
|
|
October 27, 2012, 04:56:55 PM |
|
You have an email from me (adriaan_schep@hotmail.com). Thanks that you want to help, but the coins are gone to somewhere in Poland (probably an Mtgox europe address). I was saving to around 120btc and then buy 2x 500gr silver bar from an online store. Sucks...
|
|
|
|
Inaba
|
|
October 27, 2012, 05:03:18 PM |
|
Using the MTGox Yubikey on a site other than MTGox is not Two-Factor Authentication. It's two password authentication. http://us.thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx
It's no different than the stupid banking sites asking for "mother's maiden name" as their "2FA." It's a joke and not any more secure than using one password. It's basically the TSA of Password security. Elaborate, complicated security theater that accomplishes nothing, except to give you a false sense of security. Don't do it ... get a real Yubikey or Google Authenticator.
|
If you're searching these lines for a point, you've probably missed it. There was never anything there in the first place.
|
|
|
|
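Blazr's observation that a site comparing only the static start of the OTP accepts a reused or altered OTP, and Inaba's "two password authentication" point, as an added example that is not part of the thread and is not Blockchain.info's or MtGox's code. It sets a prefix-only check, modelled on the reported behaviour, beside a validator that holds the token's AES key and checks the CRC, private ID and counter of a Yubico-format OTP. The key, IDs and simulated token are constructed, and the timestamp field is left at zero.

```javascript
// Added example. Key, IDs and tokens below are constructed test values.
const crypto = require("node:crypto");
const MODHEX = "cbdefghijklnrtuv"; // Yubico's keyboard-layout-safe hex alphabet
const toModhex = (buf) => [...buf.toString("hex")].map((h) => MODHEX[parseInt(h, 16)]).join("");
const fromModhex = (s) => Buffer.from([...s].map((c) => MODHEX.indexOf(c).toString(16)).join(""), "hex");
function crc16(buf) { // CRC-16, poly 0x8408, init 0xffff; a valid block leaves residue 0xf0b8
  let crc = 0xffff;
  for (const b of buf) {
    crc ^= b;
    for (let i = 0; i < 8; i++) crc = crc & 1 ? (crc >> 1) ^ 0x8408 : crc >> 1;
  }
  return crc;
}

// Simulated key press: 12-char static public ID + one AES-128 encrypted 16-byte block.
function makeOtp(publicId, aesKey, privateId, useCounter, sessionCounter) {
  const block = Buffer.alloc(16);       // timestamp bytes 8-10 stay zero in this sketch
  privateId.copy(block, 0);             // 6-byte secret ID
  block.writeUInt16LE(useCounter, 6);   // incremented on each power-up
  block[11] = sessionCounter;           // incremented on each press
  crypto.randomBytes(2).copy(block, 12);
  block.writeUInt16LE(~crc16(block.subarray(0, 14)) & 0xffff, 14);
  const enc = crypto.createCipheriv("aes-128-ecb", aesKey, null).setAutoPadding(false);
  return publicId + toModhex(Buffer.concat([enc.update(block), enc.final()]));
}

// Model of the behaviour reported in the thread: only the static prefix is compared.
const prefixOnlyCheck = (otp, enrolledId) => otp.slice(0, 12) === enrolledId;
// A validator that holds the token's AES key: decrypt, verify, reject stale counters.
function makeValidator(enrolledId, aesKey, privateId) {
  let lastCounter = -1;
  return (otp) => {
    if (!/^[cbdefghijklnrtuv]{44}$/.test(otp) || otp.slice(0, 12) !== enrolledId) return "unknown-token";
    const dec = crypto.createDecipheriv("aes-128-ecb", aesKey, null).setAutoPadding(false);
    const block = Buffer.concat([dec.update(fromModhex(otp.slice(12))), dec.final()]);
    if (crc16(block) !== 0xf0b8 || !crypto.timingSafeEqual(block.subarray(0, 6), privateId)) return "bad-otp";
    const counter = block.readUInt16LE(6) * 256 + block[11];
    if (counter <= lastCounter) return "replayed";
    lastCounter = counter;
    return "ok";
  };
}

const [KEY, PRIVATE_ID] = ["000102030405060708090a0b0c0d0e0f", "a1b2c3d4e5f6"].map((h) => Buffer.from(h, "hex"));
const PUBLIC_ID = "cccccccbdefg"; // constructed, like KEY and PRIVATE_ID
const otp = makeOtp(PUBLIC_ID, KEY, PRIVATE_ID, 7, 1);
const altered = otp.slice(0, -1) + (otp.endsWith("c") ? "b" : "c"); // change the end of the OTP
const validate = makeValidator(PUBLIC_ID, KEY, PRIVATE_ID);
console.log(prefixOnlyCheck(otp, PUBLIC_ID), prefixOnlyCheck(altered, PUBLIC_ID), validate(otp), validate(otp), validate(altered));
```

A site that was never given the token's AES key can only perform the first check, which makes the OTP behave like a second static password.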