Topic: Blockchain.info account hacked while using yubikey....
DoomDumas
October 28, 2012, 02:35:52 AM
 #41

From what I'm reading in this thread the computer of the OP was hacked with a keylogger or the OP was reusing a password from another site.

+1

Totally agree, and I'm pretty sure you don't have to download something to get infected with a keylogger on a Windows system!

That's quite sad.. but why stop mining if your mining rig is already set up and working at more than 1 BTC/day? I'll say, better have 30+ BTC in a month than 0 forever!!

Don't get pissed about that, I've lost 120+ BTC from not changing a very, very poor password on a site where I had those BTC.. I didn't quit.. I've mined a lot more since then. And be sure, now my passwords are all more than 20 chars, Lower/Upper/Number/Special... That's not keylogger proof, but a few times a year, I store some BTC on an offline wallet and start a new one with a new password..

I'm pretty sure things will get more user-friendly and safer in 2 years or so.. Bitcoin is still very young. What if you quit BTC, and take a look back in two years to realize they are trading over 100 U$ each.. you may end up not having 3000+ U$ by not continuing to mine!

As you wish,

was my 2 satoshi
aadje93 (OP)
October 28, 2012, 06:42:13 AM
Last edit: October 28, 2012, 06:53:51 AM by aadje93
 #42

Thank you all for the responses :)

But I still think blockchain is not 100% foolproof when a "hijacked" backup of my wallet can just be used on another wallet. Why backup then?... As seen in the log, nobody has entered my account from a different IP or even browser ;)

I was pissed off, but I think I need to make a new wallet address on my account, or a whole new wallet? As the attacker has the backup from a month ago, why backup weekly etc.

And how about making a wallet on a (Windows) PC that's only mining? Is that safe? I thought the online wallet was safe because the backup is done by them.

I'll start mining again :). But I am not sure where to send my coins to, as I don't trust the client either because it failed sometime to start on a Windows machine (not my PC, a laptop in the beginning while trying out the bitcoin client to mine solo and as a wallet after finding online wallets)

Edit: new account made. And now I'll just convert all to physical items (or Steam games :P) on lower amounts, now more saving up 100btc probably.

And if my Dropbox is being hijacked, it could only be by Facebook probably because I had shared it on Facebook to get some free MB for each referral. And why all the hassle if there are wallets with over 5k btc...

aadje93 (OP)
October 28, 2012, 06:56:33 AM
 #43

God dammit!!

Made new account with my yubikey as authenticator,

And now I can't even login to it!! (yubikey wrong) You can add your yubikey, but don't login with it.

Made new post to make this very clear!! DON'T CONNECT Mt GOX YUBI TO BLOCKCHAIN.INFO AT THE MOMENT!!

QuantumQrack
October 28, 2012, 07:34:06 AM
 #44

The best security for all practical purposes is a master password you memorize that is used to open an encrypted password database such as keepass.  I don't think two factor is necessary in the presence of one strong password that is unique and not used in conjunction with other online accounts.
Insu Dra
October 28, 2012, 09:21:55 AM
Last edit: October 28, 2012, 11:33:58 AM by Insu Dra
 #45

If that's the case then I really only need to worry about keyloggers getting my passphrase. But since I'm using Linux, the chances of that happening are close to nil, right?

They're a lot lower but not nil, I would still use a separate minimal install (OS) to manage financial data. Even when you just buy stuff online, don't fill out any forms with credit card or any other sensitive data on your main install (OS). (logins excluded ofc, but then again I'm so paranoid I won't even register on a site with my everyday OS)

Even if you or your anti virus notices it at some point chances are high that the data is already gone and just waiting for a buyer that will use it to empty your accounts.

"drugs, guns, and gambling for anyone and everyone!"
Justin00
October 28, 2012, 09:45:06 AM
 #46

Some of the keyloggers can grab the password when you Ctrl+V it from KeePass.


The best security for all practical purposes is a master password you memorize that is used to open an encrypted password database such as keepass.  I don't think two factor is necessary in the presence of one strong password that is unique and not used in conjunction with other online accounts.

jl2012
October 28, 2012, 09:48:03 AM
 #47

This is just another example of a frustrated user of a complicated system that leaves in disgust because of his inability to use it properly. This isn’t the fault of the user it’s the fault of the training program.
 
The one major difference I can see between open source systems and centrally controlled closed systems is the control of the information and user support. Both types of systems can deliver excellent quality but open source lacks a central point of instruction and authority over training for new users. This needs to change.


This ignores the root cause of the problem. It is not the user or lack of training. It is Microsoft Windows which is a proprietary operating system. It is even unclear if the Yubikey (apparently incorrectly used) or the backup wallet was compromised. The reality here is that many new users will lose their bitcoins if they use Microsoft Windows as their Operating System. Two factor authentication can help but as this case sadly demonstrates it is not foolproof.

At a very fundamental level a proprietary operating system with over 90% market share worldwide is incompatible with bitcoin as the security of bitcoin is ultimately predicated on each individual user having complete control over their computing experience while proprietary software is about the exact opposite. Be it Apple's walled garden or Microsoft's centralized control over people's computers the direction that proprietary software has taken is very much about centralized control. For example with the recently released Windows 8 RT. Microsoft has complete control over which software is installed on a particular computer or device.

Centralizing control over the training of new bitcoin users in order to accommodate Microsoft or Apple is simply not the answer.


I use Windows and bitcoin without any problem. All of my coins are under cold storage and my mtgox account is secured by 2-factor authentication. There is nothing wrong with using a proprietary OS. Linux looks safer simply because fewer people use it and it's not efficient to hack it for stealing coins. If a Linux user misuses the system (downloading warez or storing unencrypted wallet improperly), their coins will get stolen some day. By the way, I don't think mtgox and bitcoinica are running on Windows but both got hacked

Yes one can secure Microsoft Windows, but it takes considerable effort and technical expertise. The average consumer's Microsoft Windows computer is more often than not infected with all sorts of rootkits and malware. It is far simpler in these situations to simply ditch Windows and use GNU/Linux. Cold storage can also provide a false sense of security because the moment one needs to move coins then one is exposed.

GNU/Linux is way safer than Microsoft Windows when it comes to malware. There are many reasons that come down to the design of the OS, (it was designed from the ground up as a multi user OS, Windows was not), and the culture, (most GNU/Linux users download their software from trusted repositories, do not run as root, and have no motivation at all to download warez even if warez that actually runs natively on GNU/Linux even exists!). The entire Free Software / Open Source model of software development is far more secure since there is no opportunity for "security by obscurity". The latter is very popular with proprietary software vendors. DRM for example is entirely based on security by obscurity.

There is a lot wrong with using a proprietary OS with bitcoin, particularly one that has over 90% market share since that creates a massive single point of failure for a very large portion of the bitcoin network. If a Microsoft Windows related attack were to hit the bitcoin network, bitcoin's chance of survival will likely rest with those of us who have chosen to run bitcoin nodes and mining on GNU/Linux.

As for the MTGox and Bitcoinica hacks we are talking about servers being compromised because of less than optimal security procedures of the server administrators. This has nothing to do with the issue at hand here, namely malware on consumer computers.



I don't think you really know how cold storage like Armory or Electrum works. The private key will never be exposed to the internet.

If mtgox or bitcoinica running on *nix could be hacked, your desktop computer with Linux could be hacked too, if you have less than optimal security procedures. As I said, there is less malware on Linux just because there is a lack of enough incentive to do it.

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
flatfly
October 28, 2012, 10:02:08 AM
Last edit: October 28, 2012, 10:21:18 AM by flatfly
 #48

Use a regular (non-admin) user account, disable Java applets and use any other browser than IE. -> Just these 3 simple things bring the risk of virus/trojan/keylogger infection very close to zero (Linux-like). Really, it's that simple.

I love Linux as much as the next geek, but I've been using Windows as my main OS for 10+ years (mostly due to some very specialized apps that only exist for Windows) and have never had an infection despite downloading tons of software, thanks to the above measures. I think many other knowledgeable Windows users can confirm this.

Also consider the fact that Satoshi himself (whom we can reasonably call a security god, can't we?) was using Windows to develop Bitcoin!
CIYAM
Ian Knowles - CIYAM Lead Developer
October 28, 2012, 10:26:52 AM
 #49

I love Linux as much as the next geek, but I've been using Windows as my main OS for 10+ years (mostly due to some very specialized apps that only exist for Windows) and have never had an infection despite downloading tons of software, thanks to the above measures. I think many other knowledgeable Windows users can confirm this.

I can confirm this (the only issue I've had in the last 10+ years was plugging in a friend's USB flash drive to find it was infected which luckily my AV software detected before anything bad actually happened).

That being said it is certainly not as easy to protect a Windows install vs. a Linux one.

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
aadje93 (OP)
October 28, 2012, 01:46:31 PM
 #50

Made new account/wallet. No more Dropbox backup for me.

If you want to help me and give me some BTC to help me get the 101btc again: 1FZb3GDLTstYECV9QKmaTJh3xPRZfRfuxz any donation is very appreciated :)


Blazr
October 28, 2012, 01:49:04 PM
 #51

Made new account/wallet. No more Dropbox backup for me.

If you want to help me and give me some BTC to help me get the 101btc again: 1FZb3GDLTstYECV9QKmaTJh3xPRZfRfuxz any donation is very appreciated :)



Make sure you use Google Authenticator or an actual YubiKey and not an MtGox one, until Blockchain.info supports it correctly.

FLHippy
October 28, 2012, 02:05:38 PM
Last edit: October 28, 2012, 06:29:42 PM by FLHippy
 #52

I'll start mining again :). But I am not sure where to send my coins to, as I don't trust the client either because it failed sometime to start on a Windows machine (not my PC, a laptop in the beginning while trying out the bitcoin client to mine solo and as a wallet after finding online wallets)

What you should do for long term storage is a cold wallet. If you only need a few BTC in your account at block chain then transfer the rest to your cold wallet.

You can do it right from blockchain.info and you can transfer the money back with the same wallet you normally use.

If you need some help I can help you, it's quite simple: you just send the money to your offline wallet. I am selling beautiful unfunded paper bitcoins which are perfect for this and fully compatible with blockchain.info's import tools. It's only 1.5 BTC for 10 of them. They are custom printed to your specifications. Here is a link.....

BitcoinTalk link...
https://bitcointalk.org/index.php?topic=120221.msg1294820#msg1294820

BitMit Link with escrow...
https://www.bitmit.net/en/trade/i/8717-beautiful-unfunded-paper-bitcoins-custom-printing-free-ship

kokojie
October 28, 2012, 02:48:14 PM
 #53

If you re-use passwords, getting hacked is just a matter of time, fucking yahoo stores password in plaintext,
they just leaked 500k passwords, including my password, and my yahoo mail got hacked, but luckily I don't
re-use passwords, so this had about zero effect on me, yahoo mail I stopped using a long time ago, only
a few old contacts got virus/trojan sent to them.

First step to not get hacked, get Lastpass or some password manager, that defeats keyloggers and forces you
to not re-use password.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
giszmo
October 28, 2012, 04:40:12 PM
 #54

Edit: How can someone manage to lose so many bitcoins? Have you looked into paper wallets or Casascius bitcoins?

Casascius provides hosted wallet security level. At least to the degree it is verifiable from outside. Please don't share the private keys of your life savings with anybody.

giszmo
October 28, 2012, 04:48:42 PM
 #55

Perhaps that’s the solution then. Remove all need for understanding or training. Only release the client to the public on a proprietary device.

That is not bitcoin at all. It is more like MintChip. http://mintchipchallenge.com/. Bitcoin is about putting the end user in control and for that one needs a Free Libre Open Source Software OS.

I sincerely hope to have a dedicated – not proprietary – device for my bitcoins at some point.

(From my bitcoinqt, bitcoinspinner (android), schildbach (android) and various hosted wallets I don't know if bitcoinqt (on my developer/gamer/everything linux laptop that I carry around) or spinner (on my developer android that I barely carry around and that has only work-related apps installed) is the safer place to put my money. Right now I have half on my laptop and half on cold storage and keyloggers scare me every time I type in my 12 char password. Backups have more like 35 chars passwords.)

GernMiester
October 28, 2012, 08:00:10 PM
 #56

Another ID10T keeping coins on some website and losing them. It never ends
HAHA. BTC , just what grandma needs.... HAHAHAHA
matthewh3
October 28, 2012, 08:30:21 PM
 #57

You could try - http://www.flexcoin.com/ - for your new savings wallet.  As they offer to put your coins into cold storage for you.

kokojie
October 28, 2012, 09:28:53 PM
 #58

Another ID10T keeping coins on some website and losing them. It never ends
HAHA. BTC , just what grandma needs.... HAHAHAHA

The problem is not keeping coins on website, blockchain.info is quite safe. The problem is re-use of passwords, simple passwords and not using a secure password manager like Lastpass.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
chriswilmer
February 17, 2013, 10:30:51 PM
 #59

Hey everyone, just thought I would point out that despite Mt. Gox Yubikeys being disabled, they are still described as useable on Blockchain's tutorials:

https://blockchain.info/wallet/yubikey

This page should be updated.

-Chris
ameer1367
November 29, 2013, 01:03:21 AM
 #60

Old post. Thought I might freshen it up. Even mine was stolen and I had Google Auth.. so 2factor is still bullcrap. If your desktop is hijacked you're fucked. Even if u have 10000 passwords