Bitcoin Forum
October 17, 2021, 07:55:00 AM *
News: Latest Bitcoin Core release: 22.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 [3]  All
  Print  
Author Topic: Blockchain.info acount hacked while using yubikey....  (Read 14218 times)
DoomDumas
Legendary
*
Offline Offline

Activity: 1001
Merit: 1000


Bitcoin forever !


View Profile WWW
October 28, 2012, 02:35:52 AM
 #41

From what I'm reading in this thread the computer of the OP was hacked with a keylogger or the OP was reusing a password from another site.

+1

Totally agree, and I'm pretty sure you dont have to download something the get infected with keyloguer on a Windows system !

That's quite sad.. but, why stopping mining if your minig rig is already setup and working at more than 1 BTC/day ?  I'll say, better have 30+ BTC in a month than 0 forever !!

Dont get pissed for that, I've lost 120+ BTC from not changing a very very poor password on a site I had those BTC.. I did'nt quit.. I've mined a lot more since then.  And be sure, now my passwords are all more than 20 char, Lower/Upper/Number/Special... That's not keylogguer proof, but few times a year, I store some BTC on an offline wallet and start a new one with a new password..

I'm pretty sure things will get more user-friendly-and-safer by 2 years or so.. Bitcoin is still very young.  What if you quit BTC, and give it a look back in to years to realize they are trading over 100 U$ each.. you may end up not having 3000+ U$ by not continuing to mine !

As you wish,

was my 2 satoshi
1634457300
Hero Member
*
Offline Offline

Posts: 1634457300

View Profile Personal Message (Offline)

Ignore
1634457300
Reply with quote  #2

1634457300
Report to moderator
1634457300
Hero Member
*
Offline Offline

Posts: 1634457300

View Profile Personal Message (Offline)

Ignore
1634457300
Reply with quote  #2

1634457300
Report to moderator
1634457300
Hero Member
*
Offline Offline

Posts: 1634457300

View Profile Personal Message (Offline)

Ignore
1634457300
Reply with quote  #2

1634457300
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1634457300
Hero Member
*
Offline Offline

Posts: 1634457300

View Profile Personal Message (Offline)

Ignore
1634457300
Reply with quote  #2

1634457300
Report to moderator
aadje93
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250



View Profile
October 28, 2012, 06:42:13 AM
Last edit: October 28, 2012, 06:53:51 AM by aadje93
 #42

Thank you all for the responses Smiley.

But i still think blockchain is not 100% foolproof when a "hijacked" backup of my wallet can ben just used on another wallet. Why backup then?... As seen by the logg nobody has entered my acount from a different IP or even browser Wink


I was pissed off, but i think i need to make a new wallet adress on my account, or a whole new wallet? As the attacker has the backup of month ago, why backup weekly etc.


And how about making a wallet on a (windows) pc thats just only mining? Is that safe? I thought the online wallet was safe because the backup is done by them.


Ill start mining again Smiley. But i am not sure where to send my coins to, as i dont thrust the client either because it failed sometime to start on a windows machine (not my pc, laptop in the beginning while trying out bitcoin client to mine solo and as a wallet after finding online wallets)


edit, new acount made. And now ill just convert all to physical items (or steam games Tongue) on lower amounts, now more saving up 100btc probarly.


And if my dropbox is being hijacked, it could only be by facebook probarly because i had shared it on facebook to get some free MB for each referal. And why all the hassle if there are wallets with over 5k btc...

aadje93
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250



View Profile
October 28, 2012, 06:56:33 AM
 #43

God dammit!!

Made new acount with my yubikey as authenticator,

And now i cant even login to it!! (yubikey wrong) You can add your yubikey, but don't login with it.


Made new post to made this very clear!! DON'T CONNECT Mt GOX YUBI TO BLOCKCHAIN.INFO AT THE MOMENT!!

QuantumQrack
Sr. Member
****
Offline Offline

Activity: 340
Merit: 250


View Profile
October 28, 2012, 07:34:06 AM
 #44

The best security for all practical purposes is a master password you memorize that is used to open an encrypted password database such as keepass.  I don't think two factor is necessary in the presence of one strong password that is unique and not used in conjunction with other online accounts.
Insu Dra
Full Member
***
Offline Offline

Activity: 182
Merit: 100



View Profile
October 28, 2012, 09:21:55 AM
Last edit: October 28, 2012, 11:33:58 AM by Insu Dra
 #45

If that's the case then I really only need to worry about keyloggers getting my passphrase. But since I'm using Linux, the chances of that happening are close to nil, right?

There allot lower but not nil, I would still use a separate minimal install (os) to manage financial data. Even when you just buy stuff on line, don't fill out any forms with credit card or any other sensitive data on you main install (os). (logins excluded ofc, but then again I'm so paranoid I won't even register on a site with my every day os)

Even if you or your anti virus notices it at some point chances are high that the data is already gone and just waiting for a buyer that will use it to empty your accounts.

"drugs, guns, and gambling for anyone and everyone!"
Justin00
Legendary
*
Offline Offline

Activity: 910
Merit: 1000


★YoBit.Net★ 350+ Coins Exchange & Dice


View Profile
October 28, 2012, 09:45:06 AM
 #46

some of the keyloggers can grab the passwd when you control+v it from keepas.


The best security for all practical purposes is a master password you memorize that is used to open an encrypted password database such as keepass.  I don't think two factor is necessary in the presence of one strong password that is unique and not used in conjunction with other online accounts.

jl2012
Legendary
*
Offline Offline

Activity: 1792
Merit: 1010


View Profile
October 28, 2012, 09:48:03 AM
 #47

This is just another example of a frustrated user of a complicated system that leaves in disgust because of his inability to use it properly. This isn’t the fault of the user it’s the fault of the training program.
 
The one major difference I can see between open source systems and centrally controlled closed systems is the control of the information and user support. Both types of systems can deliver excellent quality but open source lacks a central point of instruction and authority over training for new users. This needs to change.


This ignores the root cause of the problem. It is not the user or lack of training. It is Microsoft Windows which is a propriety operating system. It is even unclear if the Yubikey (apparently incorrectly used) or the backup wallet was compromised. The reality here is that many new users will loose their bitcoins if they use Microsoft Windows as their Operating System. Two factor authentication can help but as this case sadly demonstrates it is not foolproof.

At a very fundamental level a propriety operating system with over 90% market share worldwide is incompatible with bitcoin as the security of bitcoin is ultimately predicated on each individual user having complete control over their computing experience while propriety software is about the exact opposite. Be it Apple's walled garden or Microsoft's centralized control over people's computers the direction that propriety software has taken is very much about centralized control. For example with the recently released Windows 8 RT. Microsoft has complete control over which software is installed on a particular computer or device.

Centralizing control over the training of new bitcoin users in order to accommodate Microsoft or Apple is simply not the answer.


I use Windows and bitcoin without any problem. All of my coins are under cold storage and my mtgox account is secured by 2-factor authenication. There is noting wrong to use propriety OS. Linux looks safer simply because less people use it and it's not efficient to hack it for stealing coins. If a Linux user misuses the system (downloading warez or storing unencrypted wallet improperly), their coins will get stolen some day. By they way, I don't think mtgox and bitcoinica are running on Windows but both got hacked

Yes one can secure Microsoft Windows, but it takes considerable effort and technical expertise. The average consumer's Microsoft Windows computer is more often than not infected with all sorts of rootkits and malware. It is far simpler in these situations to simply ditch Windows and use GNU/Linux. Cold storage can also provide a false sense of security because the moment one needs to move coins then one is exposed.

GNU/Linux is way safer that Microsoft Windows when it comes to malware. There are many reasons that come down to the design of the OS, (it was designed form the ground up as a multi user OS, Windows was not), and the culture, (most GNU/Linux users download their software from trusted repositories, do not run as root, and have no motivation at all to download warez even if warez that actually runs natively on GNU/Linux even exists!). The entire Free Software / Open Source model of software development is far more secure since there is no opportunity for "security by obscurity". The latter is very popular with propriety software vendors. DRM for example is entirely based on security by obscurity.

There is a lot wrong with using a propriety OS with bitcoin, particularly one that has over 90% market share since that creates a massive single point of failure for a very large portion of the bitcoin network. If a Microsoft Windows related attack were to hit the bitcoin network, bitcoin's chance of survival will likely rest with those of us who have chosen to run bitcoin nodes and mining on GNU/Linux.

As for the MTGox and Bitcoinica hacks we are talking about servers being compromised because of less than optimal security procedures of the server administrators. This has nothing to do with the issue at hand here, namely malware on consumer computers.



I don't think you really know  how cold storage like Armory or Electrum works. The private will never expose to the internet.

If mtgox or bitcoinica running on *inx could be hacked, your desktop computer with linux could be hacked too, if you have less than optimal security procedures. As I said, there is less malware on Linux just because there is lack of enough incentive to do it.

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
flatfly
Legendary
*
Offline Offline

Activity: 1022
Merit: 1006


View Profile
October 28, 2012, 10:02:08 AM
Last edit: October 28, 2012, 10:21:18 AM by flatfly
 #48

Use a regular (non-admin) user account, disable Java applets and use any other browser than IE. -> Just these 3 simple things bring the risk of virus/trojan/keylogger infection very close to zero (Linux-like). Really, it's that simple.

I love Linux as much as the next geek, but I've been using Windows as my main OS for 10+ years (mostly due to some very specialized apps that only exist for Windows) and have never had an infection despite downloading tons of software, thanks to the above measures. I think many other knowledgeable Windows users can confirm this.

Also consider the fact that Satoshi himself (whom we can reasonably call a security god, can't we?) was using Windows to develop Bitcoin!

My main BTC/XCP address is 1111127SpvabYpoeDoiz5L7QPkfiSh2Q.
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1015


Ian Knowles - CIYAM Lead Developer


View Profile WWW
October 28, 2012, 10:26:52 AM
 #49

I love Linux as much as the next geek, but I've been using Windows as my main OS for 10+ years (mostly due to some very specialized apps that only exist for Windows) and have never had an infection despite downloading tons of software, thanks to the above measures. I think many other knowledgeable Windows users can confirm this.

I can confirm this (the only issue I've had in the last 10+ years was plugging in a friend's USB flash drive to find it was infected which luckily my AV software detected before anything bad actually happened).

That being said it is certainly not as easy to protect a Windows install vs. a Linux one.

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
aadje93
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250



View Profile
October 28, 2012, 01:46:31 PM
 #50

Made new acount/wallet. No more dropbox backup for me.

If you want to help me and give me some BTC to help me getting the 101btc again: 1FZb3GDLTstYECV9QKmaTJh3xPRZfRfuxz any donation is very appreciated Smiley.


Blazr
Hero Member
*****
Offline Offline

Activity: 882
Merit: 1005



View Profile
October 28, 2012, 01:49:04 PM
 #51

Made new acount/wallet. No more dropbox backup for me.

If you want to help me and give me some BTC to help me getting the 101btc again: 1FZb3GDLTstYECV9QKmaTJh3xPRZfRfuxz any donation is very appreciated Smiley.



Make sure you use Google Authenticator or an actual YubiKey and not an MtGox one, until Blockchain.info support it correctly.

FLHippy
Full Member
***
Offline Offline

Activity: 784
Merit: 101



View Profile
October 28, 2012, 02:05:38 PM
Last edit: October 28, 2012, 06:29:42 PM by FLHippy
 #52

Ill start mining again Smiley. But i am not sure where to send my coins to, as i dont thrust the client either because it failed sometime to start on a windows machine (not my pc, laptop in the beginning while trying out bitcoin client to mine solo and as a wallet after finding online wallets)

What you should do for long term storage is a cold wallet. If you only need a few BTC in your account at block chain then transfer the rest to your cold wallet.

You can do it right from blockchain.info and you can transfer the money back with the same wallet you normally use.

If you need some help I can help you, it's quite simple you just send the money to your offline wallet. I am selling beautiful unfunded paper bitcoins which are perfect for this and fully compatable with blockchain.info's import tools. Its only 1.5 BTC for 10 of them. They are custom printed to your specifications. Here is a link.....

BitcoinTalk link...
https://bitcointalk.org/index.php?topic=120221.msg1294820#msg1294820

BitMit Link with escrow...
https://www.bitmit.net/en/trade/i/8717-beautiful-unfunded-paper-bitcoins-custom-printing-free-ship

WHALES HEAVEN
Custody-free Swapping Platform
◈  ────────  Reddit ⬝  BountyWebsiteTelegramTwitterGitHub  ────────  ◈
kokojie
Legendary
*
Offline Offline

Activity: 1792
Merit: 1002



View Profile
October 28, 2012, 02:48:14 PM
 #53

If you re-use passwords, getting hacked is just a matter of time, fucking yahoo stores password in plaintext,
they just leaked 500k passwords, including my password, and my yahoo mail got hacked, but luckily I don't
re-use passwords, so this had about zero effect on me, yahoo mail I stopped using a long time ago, only
a few old contacts got virus/trojan sent to them.

First step to not get hacked, get Lastpass or some password manager, that defeats keyloggers and forces you
to not re-use password.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
giszmo
Legendary
*
Offline Offline

Activity: 1806
Merit: 1063


WalletScrutiny.com


View Profile WWW
October 28, 2012, 04:40:12 PM
 #54

Edit: How can someone manage to loose so many bitcoins? Have you looked into paper wallets or Casascius bitcoins?

Casascius provides hosted wallet security level. At least to the degree it is verifiable from outside. Please don't share the private keys of your life savings with anybody.

ɃɃWalletScrutiny.comIs your wallet secure?(Methodology)
WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value.
ɃɃ
giszmo
Legendary
*
Offline Offline

Activity: 1806
Merit: 1063


WalletScrutiny.com


View Profile WWW
October 28, 2012, 04:48:42 PM
 #55

Perhaps that’s the solution then. Remove all need for understanding or training. Only release the client to the public on a proprietary devise.

That is not bitcoin at all. It is more like MintChip. http://mintchipchallenge.com/. Bitcoin is about putting the end user in control and for that one needs a Free Libre Open Source Software OS.

I sincerely hope to have a dedicated – not proprietary – device for my bitcoins at some point.

(From my bitcoinqt, bitcoinspinner (android), schildbach (android) and various hosted wallets I don't know if bitcoinqt (on my developer/gamer/everything linux laptop that I carry around) or spinner (on my developer android that I barely carry around and that has only work-related apps installed) is the safer place to put my money. Right now I have half on my laptop and half on cold storage and keyloggers scare me every time I type in my 12 char password. Backups have more like 35 chars passwords.)

ɃɃWalletScrutiny.comIs your wallet secure?(Methodology)
WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value.
ɃɃ
GernMiester
Sr. Member
****
Offline Offline

Activity: 285
Merit: 250


View Profile
October 28, 2012, 08:00:10 PM
 #56

Another ID10T keeping coins on some website and losing them. It never ends
HAHA. BTC , just what grandma needs.... HAHAHAHA
matthewh3
Legendary
*
Offline Offline

Activity: 1372
Merit: 1000



View Profile WWW
October 28, 2012, 08:30:21 PM
 #57

You could try - http://www.flexcoin.com/ - for your new savings wallet.  As they offer to put your coins into cold storage for you.

kokojie
Legendary
*
Offline Offline

Activity: 1792
Merit: 1002



View Profile
October 28, 2012, 09:28:53 PM
 #58

Another ID10T keeping coins on some website and losing them. It never ends
HAHA. BTC , just what grandma needs.... HAHAHAHA

The problem is not keeping coins on website, blockchain.info is quite safe. The problem is re-use of passwords, simple passwords and not using a secure password manager like Lastpass.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
chriswilmer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000


View Profile WWW
February 17, 2013, 10:30:51 PM
 #59

Hey everyone, just thought I would point out that despite Mt. Gox Yubikeys being disabled, they are still described as useable on Blockchain's tutorials:

https://blockchain.info/wallet/yubikey

This page should be updated.

-Chris
ameer1367
Newbie
*
Offline Offline

Activity: 45
Merit: 0



View Profile WWW
November 29, 2013, 01:03:21 AM
 #60

old post. thought i might fresh it up. even mine was stolen and i had google auth.. so 2factor is still bullcrap. if you desktop is hajjacked your fucked. even if u have 10000 passwords
Pages: « 1 2 [3]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!