Bitcoin Forum
Author Topic: *MY* Mt Gox Account was Hacked - lost it all today... now what!?  (Read 9635 times)
freeAgent
Sr. Member
****
Offline Offline

Activity: 241



View Profile
January 21, 2013, 11:05:44 PM
 #21

On the subject of Yubikeys, why doesn't MtGox allow plain Yubikeys to be registered with their service?
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1358


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 21, 2013, 11:05:48 PM
 #22

If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have undisputable conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

Put another way, if MtGox's withdrawal had just the same security we have on our IRC channel we use for chatting, confidence would be increased, as we'd have less fear of being stuck in a situation where money has been withdrawn with no way to convince anyone that we didn't do it ourselves.

I say first hand that anything that can be done to increase the confidence in security of funds stored in MtGox will directly correspond to a greater willingness to leave funds in MtGox.

In fact, implementing this idea would put MtGox in an even better position: in the event a hacker really managed to compromise a PGP key and forge a signature on a withdrawal, I think most people in this community would consider it 100% reasonable for MtGox to say "here's his signed request...sorry he's SOL!...do a better job of securing your PGP key next time"... far more than "sorry you must have gotten keylogged or something."

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
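Casascius's proposal, worked through as an added example that is not code from MtGox or from anyone in this thread: the exchange generates a message bound to the destination address and amount, the user signs it with the key registered on the account, and the exchange keeps the exact signed bytes as a record that anyone holding the public key can re-verify later. Ed25519 from the Go standard library stands in for PGP (a swapped-in primitive so the example runs offline); the account name, both addresses, the "mtgox-withdraw-v1" message format and the balance are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"time"
)

// Account is what the exchange stores for a user who registered a public key
// out of band. Ed25519 stands in for the PGP key discussed in the thread.
type Account struct {
	PubKey  ed25519.PublicKey
	Balance int64 // satoshi; constructed example balance
}

// Challenge is the pre-generated message the exchange asks the user to sign.
// Destination and amount are inside the signed bytes, so one signature cannot
// be reused for another destination or amount.
type Challenge struct {
	Nonce  string
	Issued time.Time
	Dest   string
	Amount int64
}

// Bytes is the canonical encoding that gets signed. The prefix is a constructed
// domain separator, not an MtGox format.
func (c Challenge) Bytes() []byte {
	return []byte(fmt.Sprintf("mtgox-withdraw-v1|nonce=%s|issued=%s|dest=%s|amount=%d",
		c.Nonce, c.Issued.UTC().Format(time.RFC3339), c.Dest, c.Amount))
}

// SignedRequest is the record kept after a withdrawal: the signed bytes plus the
// signature. Re-verifying it needs only the registered public key.
type SignedRequest struct {
	User      string
	Message   []byte
	Signature []byte
}

type Exchange struct {
	Accounts map[string]*Account
	Pending  map[string]Challenge // nonce -> issued challenge, single use
	AuditLog []SignedRequest
	Now      func() time.Time // injectable clock
}

func NewExchange() *Exchange {
	return &Exchange{Accounts: map[string]*Account{}, Pending: map[string]Challenge{}, Now: time.Now}
}

// IssueChallenge is step 1: the exchange builds the message for this exact
// withdrawal and remembers it under a fresh random nonce.
func (x *Exchange) IssueChallenge(user, dest string, amount int64) (Challenge, error) {
	if _, ok := x.Accounts[user]; !ok {
		return Challenge{}, errors.New("unknown account")
	}
	var n [16]byte
	if _, err := io.ReadFull(rand.Reader, n[:]); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: hex.EncodeToString(n[:]), Issued: x.Now(), Dest: dest, Amount: amount}
	x.Pending[c.Nonce] = c
	return c, nil
}

// SubmitSigned is step 2: the user returns the challenge with a signature made
// by the private key matching the registered public key.
func (x *Exchange) SubmitSigned(user string, c Challenge, sig []byte) error {
	acct, ok := x.Accounts[user]
	if !ok {
		return errors.New("unknown account")
	}
	stored, ok := x.Pending[c.Nonce]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	// Verify against the copy the exchange issued, never the copy the client
	// sent back, so an altered destination or amount is rejected.
	if string(stored.Bytes()) != string(c.Bytes()) {
		return errors.New("submitted challenge differs from the issued one")
	}
	if !ed25519.Verify(acct.PubKey, stored.Bytes(), sig) {
		return errors.New("signature does not verify under the registered key")
	}
	if acct.Balance < stored.Amount {
		return errors.New("insufficient balance")
	}
	delete(x.Pending, c.Nonce) // single use: replaying the same request fails
	acct.Balance -= stored.Amount
	x.AuditLog = append(x.AuditLog, SignedRequest{User: user, Message: stored.Bytes(), Signature: sig})
	return nil
}

// VerifyAudit is what a third party runs over a published record.
func VerifyAudit(pub ed25519.PublicKey, r SignedRequest) bool {
	return ed25519.Verify(pub, r.Message, r.Signature)
}

// RunScenario plays the protocol with a constructed account and returns the
// outcomes of a genuine request, a replay of it, and a request whose
// destination was altered after signing, plus whether the record re-verifies.
func RunScenario() (genuine, replay, tampered error, auditOK bool, balance int64) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	x := NewExchange()
	x.Now = func() time.Time { return time.Date(2013, 1, 22, 0, 0, 0, 0, time.UTC) }
	x.Accounts["alice"] = &Account{PubKey: pub, Balance: 100_000_000}

	dest := "1ConstructedDestinationAddressXXXXXXXX" // placeholder, not a real address
	c, _ := x.IssueChallenge("alice", dest, 25_000_000)
	sig := ed25519.Sign(priv, c.Bytes())
	genuine = x.SubmitSigned("alice", c, sig)
	replay = x.SubmitSigned("alice", c, sig)

	c2, _ := x.IssueChallenge("alice", dest, 25_000_000)
	sig2 := ed25519.Sign(priv, c2.Bytes())
	c2.Dest = "1ConstructedAttackerAddressYYYYYYYYYY" // altered after signing
	tampered = x.SubmitSigned("alice", c2, sig2)

	auditOK = len(x.AuditLog) == 1 && VerifyAudit(pub, x.AuditLog[0])
	return genuine, replay, tampered, auditOK, x.Accounts["alice"].Balance
}

func main() {
	g, r, t, ok, bal := RunScenario()
	fmt.Println("genuine:", g, "| replay:", r, "| tampered:", t, "| audit verifies:", ok, "| balance:", bal)
}
```

The property the thread is after is the last one: a dispute is settled by publishing the `SignedRequest`, and nothing on the exchange side can produce one without the user's private key. A deployment would also expire unused challenges after a few minutes; that is left out here to keep the exchange short.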
MagicalTux
VIP
Hero Member
*
Offline Offline

Activity: 608


Working on new MtGox features


View Profile WWW
January 21, 2013, 11:25:00 PM
 #23

Quote from: freeAgent
On the subject of Yubikeys, why doesn't MtGox allow plain Yubikeys to be registered with their service?

Mostly a security reason. Anyone could create a bitcoin-related site that claims to accept yubikeys and actually log the used codes to try these later on other related websites.

It would also make us dependent on Yubico's server, making these an even greater target than they already are. Yubikey allows security by decentralization, allowing each operator to run their own auth servers.

We will still eventually allow people who understand the risks to add their yubikey on MtGox eventually, but this has lower priority.

Quote from: casascius
If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have undisputable conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

We considered this, but the lack of a proper PGP lib (the few libs around will try to create stuff in $HOME and don't allow us to store/provide the public keys easily) or appropriate technical documentation on the signature format (it mostly says "read the source") forced us to delay this.

DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
January 22, 2013, 01:35:40 AM
 #24

Quote from: casascius
If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have undisputable conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

Quote from: MagicalTux
We considered this, but the lack of a proper PGP lib (the few libs around will try to create stuff in $HOME and don't allow us to store/provide the public keys easily) or appropriate technical documentation on the signature format (it mostly says "read the source") forced us to delay this.

Glad to see you are at least considering it.  For the record if/when you ever implement a PGP signed message system I would prefer it be in addition to 2FA.  I.e. withdraw requires a PGP signed message PLUS successful 2FA challenge.  The PGP signed message creates irrevocable proof of the transaction and the 2FA (google authenticator) provides additional security in the event the PGP key is compromised.   While you're at it throw in the ability to create multiple logins (w/ different security permissions) for a single account and optional dual authentication (not to be confused with 2FA) for withdrawals and you would have better security than most corporate banking platforms!

Also since you are reading this thread .... Generating a MtGox code can be properly protected by 2FA challenge (I love it you are one of the few exchanges which do it RIGHT) however one can view the "redeem code" page without 2FA authentication.  This creates a potential method to compromise codes before they are redeemed.  User generates a code and before the counterparty redeems it the attacker (possibly alerted due to compromised email) logs in and redeems the code.  There are two simple solutions (one simpler and more limited).  The easiest method is to perform a 2FA challenge when viewing the redeem code page.   The more comprehensive option would be to allow viewing the page but the code is redacted.  User can redeem code but clicking "view code" results in a 2FA challenge.
01BTC10
VIP
Hero Member
*
Offline Offline

Activity: 742



View Profile
January 22, 2013, 01:40:34 AM
 #25

If the computer is compromised can we presume the PGP certificate with corresponding password can also get stolen? I use Google Authenticator and I think it's better unless my phone + computer get compromised by the same hacker.
EuSouBitcoin
Sr. Member
****
Offline Offline

Activity: 470


View Profile
January 22, 2013, 01:41:47 AM
 #26

Google Authenticator is Free to use at a few exchanges including Mt Gox. Use it. I wish more exchanges would implement Google Authenticator.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
January 22, 2013, 01:44:06 AM
 #27

Quote from: 01BTC10
If the computer is compromised can we presume the PGP certificate with and linked password can also get stolen?

True it doesn't provide more security than a strong passphrase (not repeated on any other site) but it does provide irrefutable proof that your key was compromised.   It simply is not possible for a compromise on MtGox end to result in a properly signed message.  The hacked user and the community at large have absolute proof that the fault lies with the user.  2FA should be an optional security enhancement for PGP.  I would also point out that security conscious users can use smart cards with hardware independent keypad to protect PGP private key from keyloggers.
bitfarmer
Newbie
*
Offline Offline

Activity: 24


View Profile
January 22, 2013, 01:46:11 AM
 #28

PGP sounds like a great additional feature, the more the better. Allow the end user to decide what is preferable to them.
jago25_98
Hero Member
*****
Offline Offline

Activity: 892


Crypto Geek


View Profile
January 22, 2013, 01:49:07 AM
 #29

If this guy was using a Yubikey does that mean that Yubikeys are not a reliable protection against Windows virii? It's easy to cloak logging apps and there's a lot of crackers around Bitcoin.

Can this guy assume his install is cracked?
How can he search for whatever may have caused the breach?
Is there a Gox grabbing trojan out there we know about?
Has he installed the Gox app on a phone? (I think that's a risk)

Crypto supporter!
smracer
Donator
Legendary
*
Offline Offline

Activity: 1045



View Profile
January 22, 2013, 01:49:48 AM
 #30

Quote:
I'm sorry if my posts sound a little all over the place, I'm a little on edge here myself so I'll try to be as clear as possible...

* Yes I did have a Yubikey and *thought* I registered it
* I just spoke with Mt Gox and they are claiming that I never had a registered Yubikey
* They provided the IP Address of the person, but it comes up all over the world when I search it
* I know I tried to register my yubi when I got it so I *suspect* there is a fault where it is not "sticking" the first time around as you stated

Where did you get the Yubikey from?  Could you have bought it from a third party that asked for your username/password and you sent it to them via email or on a website?  Also what is the IP address of the attacker that Mtgox gave you?

1smracer15yDLhJG27fd7GV3tegcNjtg2
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1358


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 22, 2013, 03:41:49 AM
 #31

Quote from: casascius
If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have undisputable conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

Quote from: MagicalTux
We considered this, but the lack of a proper PGP lib (the few libs around will try to create stuff in $HOME and don't allow us to store/provide the public keys easily) or appropriate technical documentation on the signature format (it mostly says "read the source") forced us to delay this.

Even just offering the option to assign one pre-determined bitcoin address would provide an equivalent level of security, even if you did no PGP automation whatsoever.  The pre-determined bitcoin address could either be a) withdrawn to directly, or b) for those who know how to sign messages, it could be used to sign a message that permits withdrawal to some other address.  All of this could be evaluated in any environment already accustomed to working with bitcoin keypairs.

Either way, the benefit to MtGox is instant vindication of any questionable withdrawal that goes through.  Further, the moment anyone releases a hardware bitcoin wallet, you can bet that this will end up supported as a bonus feature.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
molecular
Donator
Legendary
*
Offline Offline

Activity: 2408



View Profile
January 22, 2013, 08:42:25 AM
 #32

Quote:
Thanks for the info guys, this really ruined my day! I am already screwed with bills and stuff and then I log in to find this... ugh

Could this have anything to do with my Yubikey being broken and reported lost? I never got a chance to actually use it on Mt Gox so I don't really know what happened there!?

So you never linked your yubi-key to your MtGox account. Well, don't talk about your account "with yubi-key withdrawal protection activated" being hacked, then, dude.

Sorry 'bout your loss, but don't lie to us.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
molecular
Donator
Legendary
*
Offline Offline

Activity: 2408



View Profile
January 22, 2013, 08:46:48 AM
 #33

Quote from: casascius
If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have undisputable conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

That's a good idea.

However: what's the difference of having one's password stolen and having one's pgp key stolen and passphrase key-logged?

In other words: mtgox even in this case has proof the withdrawal was authorized (albeit not as strong, it could be faked by gox) by means of a successful login with password.

So while this puts mtGox in a more comfortable situation, this is only better for the user if he protects his pgp key better than his password.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
russ
Jr. Member
*
Offline Offline

Activity: 59


View Profile
January 22, 2013, 09:15:51 AM
 #34

Quote from: casascius
If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have undisputable conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

Quote from: molecular
However: what's the difference of having one's password stolen and having one's pgp key stolen and passphrase key-logged?

The difference is the attacker wouldn't have the PGP private key.
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1190


Will read PM's. Have more time lately


View Profile
January 22, 2013, 09:18:17 AM
 #35

Quote from: casascius
If MtGox could make it so that you could add your PGP public key and then configure your account such that bitcoin withdrawals require PGP signature of a pre-generated message that contained the destination bitcoin address, MtGox would have undisputable conclusive proof in the event of a disagreement as to whether a withdrawal was authorized.

Quote from: molecular
However: what's the difference of having one's password stolen and having one's pgp key stolen and passphrase key-logged?

Quote from: russ
The difference is the attacker wouldn't have the PGP private key.
By PGP key he would mean the private key, of course. Who needs to steal public keys?

My BTC Tip Jar: 1Pgvfy19uwtYe5o9dg3zZsAjgCPt3XZqz9 , GPG ID: B3AAEEB0 ,OTC ID: johnthedong
Escrow service is available on a case by case basis! (PM Me to verify I'm the escrow!)

MagicalTux
VIP
Hero Member
*
Offline Offline

Activity: 608


Working on new MtGox features


View Profile WWW
January 22, 2013, 09:35:00 AM
 #36

Quote from: casascius
Even just offering the option to assign one pre-determined bitcoin address would provide an equivalent level of security, even if you did no PGP automation whatsoever.  The pre-determined bitcoin address could either be a) withdrawn to directly, or b) for those who know how to sign messages, it could be used to sign a message that permits withdrawal to some other address.  All of this could be evaluated in any environment already accustomed to working with bitcoin keypairs.

We could easily add the "limit to one bitcoin address" thing, but there is a problem with the bitcoin message signature process that makes it difficult to implement (last time I checked the bitcoin message signature uses a different way of signing compared to transactions to make shorter signatures, but it's been an issue).

TradeFortress
VIP
Legendary
*
Offline Offline

Activity: 910


View Profile
January 22, 2013, 09:38:08 AM
 #37

Quote from: casascius
Even just offering the option to assign one pre-determined bitcoin address would provide an equivalent level of security, even if you did no PGP automation whatsoever.  The pre-determined bitcoin address could either be a) withdrawn to directly, or b) for those who know how to sign messages, it could be used to sign a message that permits withdrawal to some other address.  All of this could be evaluated in any environment already accustomed to working with bitcoin keypairs.

Quote from: MagicalTux
We could easily add the "limit to one bitcoin address" thing, but there is a problem with the bitcoin message signature process that makes it difficult to implement (last time I checked the bitcoin message signature uses a different way of signing compared to transactions to make shorter signatures, but it's been an issue).

Add optional "withdraw to one address only".

Add 48 hour delay before changing the addresses, during which you'd get two emails, and see a giant warning when you log in.
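TradeFortress's two suggestions, worked into a small policy object as an added example that is not code from MtGox or from anyone in this thread: withdrawals are only allowed to one configured address, and a request to change that address sits pending for 48 hours, announced by notices and a login banner, during which the owner can cancel it. The address strings, the notice text and the clock values are constructed; `ChangeDelay` is the 48 hours from the post. Only the Go standard library is used.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ChangeDelay is the cooling-off period proposed in the thread.
const ChangeDelay = 48 * time.Hour

// WithdrawPolicy implements "withdraw to one address only" with a delayed,
// announced change. Notices is a constructed stand-in for the two emails; a
// real system would send them.
type WithdrawPolicy struct {
	Allowed      string
	Pending      string
	PendingSince time.Time
	Notices      []string
}

func NewWithdrawPolicy(addr string) *WithdrawPolicy {
	return &WithdrawPolicy{Allowed: addr}
}

// RequestChange records a new destination but does not apply it yet.
func (p *WithdrawPolicy) RequestChange(newAddr string, now time.Time) {
	p.Pending, p.PendingSince = newAddr, now
	p.Notices = append(p.Notices, "email: withdrawal address change requested; effective "+
		now.Add(ChangeDelay).UTC().Format(time.RFC3339))
}

// Cancel is the owner's veto during the delay, which is the point of the window.
func (p *WithdrawPolicy) Cancel() {
	if p.Pending != "" {
		p.Pending = ""
		p.Notices = append(p.Notices, "email: pending withdrawal address change cancelled")
	}
}

// settle promotes a pending change once the full delay has elapsed.
func (p *WithdrawPolicy) settle(now time.Time) {
	if p.Pending != "" && !now.Before(p.PendingSince.Add(ChangeDelay)) {
		p.Allowed, p.Pending = p.Pending, ""
		p.Notices = append(p.Notices, "email: withdrawal address change is now effective")
	}
}

// LoginBanner is the warning shown on every login while a change is pending.
func (p *WithdrawPolicy) LoginBanner(now time.Time) string {
	p.settle(now)
	if p.Pending == "" {
		return ""
	}
	return fmt.Sprintf("WARNING: withdrawal address changes to %s at %s; cancel if this was not you",
		p.Pending, p.PendingSince.Add(ChangeDelay).UTC().Format(time.RFC3339))
}

// Authorize is the check applied to every withdrawal request.
func (p *WithdrawPolicy) Authorize(dest string, now time.Time) error {
	p.settle(now)
	if p.Allowed == "" {
		return errors.New("no withdrawal address configured")
	}
	if dest != p.Allowed {
		return errors.New("destination is not the allowed withdrawal address")
	}
	return nil
}

// RunScenario plays two constructed timelines. In the first, someone holding a
// hijacked session re-points the address and waits out the delay; in the
// second, the owner sees the warning and cancels. Each returned error is an
// Authorize outcome (nil means the withdrawal would go through).
func RunScenario() (ownerDuring, duringDelay, afterDelay, afterCancel error, banner string) {
	t0 := time.Date(2013, 1, 22, 9, 0, 0, 0, time.UTC)
	owner := "1ConstructedOwnerAddressXXXXXXXXXXX"       // placeholder, not a real address
	attacker := "1ConstructedAttackerAddressYYYYYYYY" // placeholder, not a real address

	p := NewWithdrawPolicy(owner)
	p.RequestChange(attacker, t0)
	banner = p.LoginBanner(t0.Add(time.Hour))
	ownerDuring = p.Authorize(owner, t0.Add(time.Hour))
	duringDelay = p.Authorize(attacker, t0.Add(47*time.Hour))
	afterDelay = p.Authorize(attacker, t0.Add(48*time.Hour))

	q := NewWithdrawPolicy(owner)
	q.RequestChange(attacker, t0)
	q.Cancel()
	afterCancel = q.Authorize(attacker, t0.Add(49*time.Hour))
	return
}

func main() {
	od, dd, ad, ac, b := RunScenario()
	fmt.Println(b)
	fmt.Println("owner during delay:", od, "| attacker during delay:", dd, "| attacker after delay:", ad, "| after cancel:", ac)
}
```

The first timeline shows the limit of the control: if the owner never reads the notices, the change goes through at hour 48. The value is the window itself, together with the fact that the existing address keeps working throughout, so the legitimate user is never locked out while the change is pending.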
jago25_98
Hero Member
*****
Offline Offline

Activity: 892


Crypto Geek


View Profile
January 22, 2013, 10:18:29 AM
 #38

OP: Don't listen to people moaning about how we had been thinking we had a Mt.Gox breach even with a Yubikey in use and that turning out not to be the case it's just good that we've been told now and can stop worrying :-)

Sounds like this might have been a generic Yubikey and not the Gox one that has to be used with the site.

Remember though folks, if you're trading on Gox that means you're banking. And fast and highly frequent deposits and withdrawals I don't think are feasible

Crypto supporter!
Hexadecibel
Human Intranet Liason
VIP
Hero Member
*
Offline Offline

Activity: 563


I still <3 u Satoshi


View Profile
January 22, 2013, 11:02:50 AM
 #39

You can use google authenticator on your box account. It's free for browser and smart phone.
That's what I resorted to when my yubi key never showed up.

Avoid the Censored /r/Bitcoin on Reddit.
/r/BTC allows open discussion, and public moderation logs.
Read Satoshi's White paper: http://nakamotoinstitute.org/bitcoin/
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1358


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 22, 2013, 02:12:32 PM
 #40

Quote from: Hexadecibel
You can use google authenticator on your box account. It's free for browser and smart phone.
That's what I resorted to when my yubi key never showed up.

The difference is that MtGox has no way to prove someone's use of GA or Yubikey actually took place. It is on MtGox's honor.

A system where MtGox could respond to allegations of fraudulent withdrawals by publishing a signed withdrawal request totally and instantly exonerates Gox against claims of being hacked, and is good for market confidence all the way around.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.