Bitcoin Forum
Author Topic: Just lost 190 bitcoins through Mt. Gox  (Read 6837 times)
nycsurf808 (OP)
February 07, 2013, 07:18:00 PM
 #1

Have been using it over a year but today found out someone accessed my account and cleaned it out.  Here is the response I got from Mt. Gox (not very helpful):


---------

Hello,

Sorry for the inconvenience. Please change your email address password and Mt.Gox password immediately. Please do not use the same username and password on different services. You can use the Yubikey or Software Authentication on our Security Center to further secure your accounts.

Please file a police report in order for the police to investigate the case and make an effort to retrieve your funds and once filing a police report, please send a copy of the police report and the official ID document to Mt.Gox. We will cooperate with the police authority in providing the necessary information for the investigation, but we are unable to reimburse any stolen funds.

Thanks,

MtGox.com Team

---

I'm trying to decide if it's worth trying to explain to the police what a bitcoin is.

There is no other human being on the planet who had my Mt. Gox password... has anyone else had this problem?

SgtSpike
February 07, 2013, 07:19:41 PM
 #2

This is the 3rd MtGox account I've heard of that's been cleaned out in the last week.  A new vulnerability, perhaps?
nycsurf808 (OP)
February 07, 2013, 07:31:39 PM
 #3

Man it really sucks.

Remote IP was 193.11.111.212, for whatever it's worth.
SgtSpike
February 07, 2013, 07:33:59 PM
 #4

Different IP than the one reported here (https://bitcointalk.org/index.php?topic=141816), but that doesn't mean it's not the same person.  In all likelihood, they'd be using a VPN or botnet computer to cover their tracks.
DeathAndTaxes
Gerald Davis
February 07, 2013, 07:34:47 PM
 #5

Let me guess.... no two factor authentication?

gweedo
February 07, 2013, 07:40:08 PM
 #6

That IP is out of Sweden, and owned by www.junet.se, so maybe try and reach out to them.

But next time two factor authentication is the only way to go.
robocoin
February 07, 2013, 07:53:45 PM
 #7

This is the 3rd MtGox account I've heard of that's been cleaned out in the last week.  A new vulnerability, perhaps?

None of them had two factor auth. If there is a vulnerability on Mt.Gox itself I think I would hear more bad news... The botnets of this world are seriously big. I think more and more bot masters let their bots harvest BTC related data.
RandomQ
February 07, 2013, 07:56:31 PM
 #8

Let me guess.... no two factor authentication?



Yeah, beat me to it... I won't put more than 1 BTC anywhere that doesn't support two factor.

I think I'm up to 20 accounts now with two factor or yubikey
SgtSpike
February 07, 2013, 07:57:36 PM
 #9

This is the 3rd MtGox account I've heard of that's been cleaned out in the last week.  A new vulnerability, perhaps?

None of them had two factor auth. If there is a vulnerability on Mt.Gox itself I think I would hear more bad news... The botnets of this world are seriously big. I think more and more bot masters let their bots harvest BTC related data.
Perhaps... maybe someone has access to the database with passwords?  Hashes are pushed against a rainbow table to pick out the easy ones?  Obviously, 2FA would prevent this from working, hence the reason only 1FA accounts have been broken?  I would think many more accounts than just 3 would be accessed in such a case, as you alluded to, but you never know how many have been accessed without the owner finding out yet or without the owner posting here on this forum.

Not sure what else the attacks could be from.  Keylogger?  Maybe.
robocoin
February 07, 2013, 08:19:49 PM
 #10

This is the 3rd MtGox account I've heard of that's been cleaned out in the last week.  A new vulnerability, perhaps?

None of them had two factor auth. If there is a vulnerability on Mt.Gox itself I think I would hear more bad news... The botnets of this world are seriously big. I think more and more bot masters let their bots harvest BTC related data.
Perhaps... maybe someone has access to the database with passwords?  Hashes are pushed against a rainbow table to pick out the easy ones?  Obviously, 2FA would prevent this from working, hence the reason only 1FA accounts have been broken?  I would think many more accounts than just 3 would be accessed in such a case, as you alluded to, but you never know how many have been accessed without the owner finding out yet or without the owner posting here on this forum.

Not sure what else the attacks could be from.  Keylogger?  Maybe.

Yes, the keyloggers from the malware victims connected to the botnets, I mean. Many are specialized, like advertising and stuff. But many log PayPal logins and bank stuff. I can only imagine, that's one line of code or a name added to a list for the bad guys. These stories will probably increase as Bitcoin adoption grows.
nycsurf808 (OP)
February 08, 2013, 03:55:51 AM
 #11

All fair responses.  I guess it's more of a warning...

1. I did not share my password with anyone.
2. I was an active member of Mt. Gox for over a year, maybe more
3. I can show my account was accessed by an IP registered to someplace in Sweden this morning, and someone came into my account and sent about 4k USD of bitcoins into the ether.

I can prove some of the above and would be happy to share whatever info I have, not that it matters, but to whatever extent it would help Mt. Gox or the bitcoin community fix whatever security hole was exploited.  I have no illusions about getting my money back.  I've learned and moved on (an expensive lesson), but I'm not a total newbie... I do think I would know if something was capturing keystrokes etc. or there was some rogue process running on my laptop, but who knows...

Cheers
robocoin
February 08, 2013, 04:07:51 AM
 #12

All fair responses.  I guess it's more of a warning...

1. I did not share my password with anyone.
2. I was an active member of Mt. Gox for over a year, maybe more
3. I can show my account was accessed by an IP registered to someplace in Sweden this morning, and someone came into my account and sent about 4k USD of bitcoins into the ether.

I can prove some of the above and would be happy to share whatever info I have, not that it matters, but to whatever extent it would help Mt. Gox or the bitcoin community fix whatever security hole was exploited.  I have no illusions about getting my money back.  I've learned and moved on (an expensive lesson), but I'm not a total newbie... I do think I would know if something was capturing keystrokes etc. or there was some rogue process running on my laptop, but who knows...

Cheers

You wouldn't notice advanced malware/keylogger etc., OS X or Windows. Even security professionals and darn black hats learn this from time to time. A yubikey is our only effective solution at the moment.

Good luck.
casascius
Mike Caldwell
February 08, 2013, 04:10:01 AM
 #13

I am still waiting to hear about the first person who ever loses a single bitcoin stored on a paper wallet.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
robocoin
February 08, 2013, 04:12:09 AM
 #14

I am still waiting to hear about the first person who ever loses a single bitcoin stored on a paper wallet.

But I can't trade paper wallets on Mt.Gox^^
casascius
Mike Caldwell
February 08, 2013, 04:14:28 AM
 #15

I am still waiting to hear about the first person who ever loses a single bitcoin stored on a paper wallet.

But I can't trade paper wallets on Mt.Gox^^

Sure you can:

mtgox->paperwallet: use the withdraw function

paperwallet->mtgox: use the import private key function

About all you can't do is list an ask for btc on a paper wallet.

Jutarul
February 08, 2013, 04:15:57 AM
 #16

Recycled the password or parts of it on a different site?

The ASICMINER Project https://bitcointalk.org/index.php?topic=99497.0
"The way you solve things is by making it politically profitable for the wrong people to do the right thing.", Milton Friedman
robocoin
February 08, 2013, 04:20:23 AM
 #17

I am still waiting to hear about the first person who ever loses a single bitcoin stored on a paper wallet.

But I can't trade paper wallets on Mt.Gox^^

Sure you can:

mtgox->paperwallet: use the withdraw function

paperwallet->mtgox: use the import private key function

About all you can't do is list an ask for btc on a paper wallet.

Yes we can :) But once they are imported you have to deal with security. :(
casascius
Mike Caldwell
February 08, 2013, 04:29:45 AM
 #18

Wish MtGox offered a way to lock withdrawals to a single address. This would solve so much.

dust
February 08, 2013, 04:31:54 AM
 #19

This is the 3rd MtGox account I've heard of that's been cleaned out in the last week.  A new vulnerability, perhaps?
Adobe released an emergency patch today for a Flash vulnerability that "is being exploited in the wild" and could lead to malicious code running on users' computers.

I am still waiting to hear about the first person who ever loses a single bitcoin stored on a paper wallet.
To be fair, a common use for a paper wallet is long term storage, so there is a lag between the use of paper wallets and the reporting of lost coins with them.  The majority of paper wallets that have been created have probably never been redeemed.  When people finally get around to redeeming them, they may find them lost, destroyed, stolen, or that the private keys were printed incorrectly in the first place.

Wish MtGox offered a way to lock withdrawals to a single address. This would solve so much.
2-factor authentication solves 99.9% of the issues with stolen mtgox accounts.

Cryptocoin Mining Info | OTC | PGP | Twitter | freenode: dust-otc | BTC: 1F6fV4U2xnpAuKtmQD6BWpK3EuRosKzF8U
casascius
Mike Caldwell
February 08, 2013, 04:35:04 AM
 #20

Paper wallets having private keys printed incorrectly is an extremely unlikely problem.

It would be like having a dollar print incorrectly.

sublime5447
February 08, 2013, 04:49:49 AM
 #21

This really sucks. It is too hard to use, get, trust, and secure bitcoin transactions. Another black eye for bitcoin.
sublime5447
February 08, 2013, 05:07:54 AM
 #22

No one cares about that, what people care about is being able to use it as money. Thefts and scams are black eyes for bitcoin. Every person who loses 4k because of scammy bitcoin tells 100 people about it and do you know what they say?....They say well f@#$ bitcoin they don't ask.. well was it double encryption with yubikey did you have fingerprint verification, did you have retinal scans? did you print out your paper wallet then bury it in your back yard?
fcmatt
February 08, 2013, 05:08:03 AM
 #23

This really sucks. It is too hard to use, get, trust, and secure bitcoin transactions. Another black eye for bitcoin.

No, it's not a black eye for Bitcoin at all. This had absolutely nothing to do with Bitcoin, neither the protocol nor the client.

It kinda is. Look at asic ppl wanting a refund. Cc payers got it. Bitcoin users just cry.
It might not be the client or protocol... But it is def bitcoin's irreversible nature. A victim has no chance in the world to figure out where their money went. That is a big problem for most people.

I am surprised no one mentioned inside job. An employee just slowly milks an account here and there for profit.
gweedo
February 08, 2013, 05:15:52 AM
 #24

No one cares about that, what people care about is being able to use it as money. Thefts and scams are black eyes for bitcoin. Every person who loses 4k because of scammy bitcoin tells 100 people about it and do you know what they say?....They say well f@#$ bitcoin they don't ask.. well was it double encryption with yubikey did you have fingerprint verification, did you have retinal scans? did you print out your paper wallet then bury it in your back yard?

So a person robs a bank, do they go oh no the dollar is unsafe, let's not use it, or identity theft in a credit card scam. This is so false, doing transactions with a web site in any matter currency or just information, without the proper security is at risk.
n8rwJeTt8TrrLKPa55eU
February 08, 2013, 05:19:17 AM
 #25

Paper wallets having private keys printed incorrectly is an extremely unlikely problem.

It would be like having a dollar print incorrectly.

Careful with that analogy, it happens more often than people think...

http://www.usarare.com/index22.htm :D
CIYAM
Ian Knowles - CIYAM Lead Developer
February 08, 2013, 05:20:04 AM
 #26

So a person robs a bank, do they go oh no the dollar is unsafe, let's not use it, or identity theft in a credit card scam. This is so false, doing transactions with a web site in any matter currency or just information, without the proper security is at risk.

A bank is insured - it seems Mt. Gox has *zero* insurance for their BTC and another huge difference is that every other type of internet payment *can* be reversed (as anyone trying to *sell* BTC with another payment system knows all too well).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Monster Tent
February 08, 2013, 05:31:23 AM
 #27

Paper wallets having private keys printed incorrectly is an extremely unlikely problem.

It would be like having a dollar print incorrectly.

The stock bitcoin client should have a built-in print-to-paper button. Perhaps clicking it opens a html page on your local machine.

gweedo
February 08, 2013, 05:36:19 AM
 #28

So a person robs a bank, do they go oh no the dollar is unsafe, let's not use it, or identity theft in a credit card scam. This is so false, doing transactions with a web site in any matter currency or just information, without the proper security is at risk.

A bank is insured - it seems Mt. Gox has *zero* insurance for their BTC and another huge difference is that every other type of internet payment *can* be reversed (as anyone trying to *sell* BTC with another payment system knows all too well).


I think you missed the point but I'm really getting annoyed by people that don't want to take responsibility this is kinda why our economy is messed up. BUT let's say you mail money to someone and someone intercepts it, no one cries the dollar is unsafe they blame the mailman and the person for not securing it properly.
CIYAM
Ian Knowles - CIYAM Lead Developer
February 08, 2013, 05:45:57 AM
 #29

I think you missed the point but I'm really getting annoyed by people that don't want to take responsibility this is kinda why our economy is messed up. BUT let's say you mail money to someone and someone intercepts it, no one cries the dollar is unsafe they blame the mailman and the person for not securing it properly.

That point is of course quite true, however, it is basically illegal to send money through the mail for that very reason.

Although I agree with taking personal responsibility unfortunately I think that the majority of people in the world simply do not (that's why we have unions and government handouts, etc.).

Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

gweedo
February 08, 2013, 05:53:37 AM
 #30

I think you missed the point but I'm really getting annoyed by people that don't want to take responsibility this is kinda why our economy is messed up. BUT let's say you mail money to someone and someone intercepts it, no one cries the dollar is unsafe they blame the mailman and the person for not securing it properly.

That point is of course quite true, however, it is basically illegal to send money through the mail for that very reason.

Although I agree with taking personal responsibility unfortunately I think that the majority of people in the world simply do not (that's why we have unions and government handouts, etc.).

Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

I don't think we are calling anyone stupid or something like that. It is like the internet in general, you have to teach people a new type of security to protect themselves. I think people hate to learn those new steps and procedures to do that, but that is the price of this currency and really any new security or attack point should change your thinking.
CIYAM
Ian Knowles - CIYAM Lead Developer
February 08, 2013, 06:00:03 AM
 #31

I don't think we are calling anyone stupid or something like that. It is like the internet in general, you have to teach people a new type of security to protect themselves. I think people hate to learn those new steps and procedures to do that, but that is the price of this currency and really any new security or attack point should change your thinking.

I think it is *such a radical new way of thinking* that for most it just won't even make sense ("Whoa... you tell me that there is no way to make a charge back at all and if someone steals my account then I'm screwed - will stick to the credit card and my government backed bank account then thanks buddy!").

Personally I really think a much more likely long term *usage* of BTC will be just as some sort an investment account (and yes *in your bank*) rather than people doing any sort of day to day transactions with it (and btw you can already do that with Gold in China).

b!z
February 08, 2013, 07:59:26 AM
 #32

Is your computer infected? Scan for rootkits etc. manually, take a look at GMER
Luno
February 08, 2013, 08:24:03 AM
 #33

The last Mtgox thefts mentioned here have been from other IPs than the account holders'.

Why doesn't Mtgox have an option to only withdraw Bitcoin to an IP from the same geo location, or there is some email confirmation from your known email required?

They could also insist that withdrawals only can be done when you have required a Yubikey.

One thing is that they don't care to reimburse people that have had their money stolen, but that they don't take more steps to prevent future thefts will backfire on their ass, the day they get a serious hack like in 2011.
Zomdifros
February 08, 2013, 09:11:57 AM
 #34

MtGox really should increase their security policy. Since they are so crucial to the Bitcoin economy I consider them as one of the greatest vulnerabilities of the whole system.
 
Two-factor authentication should be required for every withdrawal over 1000 USD in 24 hours or the equivalent in BTC. Also, like the Blockchain wallet, they should add sms authentication. They should mail you a warning whenever someone logs in from a previously unused IP address and withdrawals should be restricted from this address for 24 hours.

For now I would recommend using Blockchain to store your Bitcoins. A paper wallet is fine as well, though slightly more inconvenient.
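
The safeguards proposed in this thread (a warning e-mail plus a 24-hour withdrawal hold for a previously unused IP, 2FA once withdrawals pass 1000 USD in 24 hours, and an optional lock to a single withdrawal address), written out as an added example that is not part of the original posts and is not Mt. Gox code. The `Account` model, function names, IPs and addresses are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(hours=24)         # rolling window for the withdrawal total
TWO_FA_THRESHOLD_USD = 1000          # figure taken from the post above
NEW_IP_HOLD = timedelta(hours=24)    # hold on withdrawals from a new IP


@dataclass
class Account:
    # Hypothetical model; it mirrors no real exchange API.
    known_ips: dict = field(default_factory=dict)     # ip -> first-seen time
    withdrawals: list = field(default_factory=list)   # (time, usd_value)
    locked_address: Optional[str] = None              # optional address lock
    outbox: list = field(default_factory=list)        # queued warning e-mails


def record_login(acct, ip, now):
    """Remember when an IP was first seen and queue a warning for a new one."""
    if ip not in acct.known_ips:
        acct.known_ips[ip] = now
        acct.outbox.append(
            f"Login from previously unused IP {ip} at {now:%Y-%m-%d %H:%M}")


def check_withdrawal(acct, ip, dest, usd_value, now, second_factor_ok=False):
    """Return (decision, reason); decision is 'allow', 'deny' or 'need_2fa'."""
    # 1. Address lock: a stolen password cannot redirect funds elsewhere.
    if acct.locked_address is not None and dest != acct.locked_address:
        return "deny", "destination differs from locked withdrawal address"
    # 2. New-IP hold: gives the owner 24 hours to react to the warning mail.
    first_seen = acct.known_ips.get(ip)
    if first_seen is None or now - first_seen < NEW_IP_HOLD:
        return "deny", "IP has been known for less than 24 hours"
    # 3. Rolling 24-hour total decides whether a second factor is required.
    recent = sum(v for t, v in acct.withdrawals if now - t < WINDOW)
    if recent + usd_value > TWO_FA_THRESHOLD_USD and not second_factor_ok:
        return "need_2fa", "24-hour total would exceed 1000 USD"
    acct.withdrawals.append((now, usd_value))
    return "allow", "ok"


def demo():
    """Constructed scenario: documentation-range IPs, placeholder addresses."""
    t0 = datetime(2013, 2, 1, 9, 0)
    home, other = "198.51.100.7", "203.0.113.50"
    acct = Account(known_ips={home: t0})              # owner's usual IP
    t1 = t0 + timedelta(days=6)
    out = []
    record_login(acct, other, t1)                     # password-only login, new IP
    # Immediate drain attempt from the new IP is held.
    out.append(check_withdrawal(acct, other, "ADDR_X", 4000, t1)[0])
    # After the hold expires the amount still needs a second factor.
    out.append(check_withdrawal(acct, other, "ADDR_X", 4000,
                                t1 + timedelta(hours=25))[0])
    # Owner, usual IP: small withdrawal passes, the next one crosses 1000 USD.
    out.append(check_withdrawal(acct, home, "ADDR_OWN", 300, t1)[0])
    out.append(check_withdrawal(acct, home, "ADDR_OWN", 800,
                                t1 + timedelta(hours=1))[0])
    out.append(check_withdrawal(acct, home, "ADDR_OWN", 800,
                                t1 + timedelta(hours=1),
                                second_factor_ok=True)[0])
    # With the address lock on, even a valid second factor cannot change
    # the destination.
    acct.locked_address = "ADDR_OWN"
    out.append(check_withdrawal(acct, home, "ADDR_X", 10,
                                t1 + timedelta(hours=2),
                                second_factor_ok=True)[0])
    return out, acct.outbox


if __name__ == "__main__":
    decisions, mails = demo()
    print(decisions)
    print(mails)
```
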

Lethn
February 08, 2013, 10:06:19 AM
 #35

I'm sure a person who is an expert in security can explain this better than me but there is no 100% defence against hacking and I suspect with Bitcoin the hack attempts on people's internet accounts etc. will only get worse, if you have a large amount of Bitcoins, store them offline and transfer them only when you're going to sell them off immediately and as usual the rule of "Never invest what you can't afford to lose" applies here too.

This reminds me that I need to properly look at how to store Bitcoins offline on a USB myself, then the only risk is on my own head for getting it lost or stolen.
Prattler
February 08, 2013, 10:31:25 AM
 #36

MtGox really should increase their security policy. Since they are so crucial to the Bitcoin economy I consider them as one of the greatest vulnerabilities of the whole system.

This is very much true! There is no reason why they don't have options to lock IP and/or bitcoin address.
Zomdifros
February 08, 2013, 10:51:52 AM
 #37

MtGox really should increase their security policy. Since they are so crucial to the Bitcoin economy I consider them as one of the greatest vulnerabilities of the whole system.

This is very much true! There is no reason why they don't have options to lock IP and/or bitcoin address.

And of course, having the option will not suffice, these safeguards should be activated by default. I would even go as far that it would be strictly impossible to make any withdrawal above 10.000 USD without two-factor authentication.
 
The goal should be that I can safely recommend Bitcoin to my grandmother. If these security practices are implemented it would even be possible to insure Bitcoin wallets so there is no risk whatsoever that anybody would become broke overnight due to malicious intent. Only then will Bitcoin be able to substitute fiat money.

BitStick
February 08, 2013, 10:57:57 AM
 #38

Wish MtGox offered a way to lock withdrawals to a single address. This would solve so much.

Now that's a neat idea, double the security.
If you could do that with any client it would be awesome, only withdrawing coins to a spending account as you need them.
Flatlinezor
February 08, 2013, 11:09:47 AM
 #39

Yeah, so far Yubikey seems to be the only solution, even regular sweeps with netsec and antivir would not guarantee you safety. :/

Calm sea doesn't breed skilled sailors!
no name
February 08, 2013, 12:18:16 PM
 #40


Let me guess.... no two factor authentication?



But next time two factor authentication is the only way to go.


Yeah, beat me to it... I won't put more than 1 BTC anywhere that doesn't support two factor.

I think I'm up to 20 accounts now with two factor or yubikey

How can I activate two factor authentication on mtgox?

I would like to see ip restriction and confirmation options/alerts on demand too!

avegetable
February 08, 2013, 12:40:38 PM
 #41



This is very much true! There is no reason why they don't have options to lock IP and/or bitcoin address.


Locked IP is an interesting option. Does any other company offer that?

It does require a little technical knowledge from the users. People with dynamic IPs would have to specify an IP address range. Or several IP ranges for many ISPs.

It could prevent most unauthorized access (though not when the user's PC is hijacked and remote controlled), but there would also be a lot of extra support problems for Mtgox because of users accidentally locking themselves out of their own accounts.

Prattler
February 08, 2013, 01:05:41 PM
 #42

Quote from: avegetable
Locked IP is an interesting option. Does any other company offer that?

It does require a little technical knowledge from the users. People with dynamic IPs would have to specify an IP address range. Or several IP ranges for many ISPs.

It could prevent most unauthorized access (though not when the user's PC is hijacked and remote controlled), but there would also be a lot of extra support problems for Mtgox because of users accidentally locking themselves out of their own accounts.

Just something as simple as send a warning email and allow cash out after 2+ days, if your IP is new.
Zomdifros
February 08, 2013, 01:22:01 PM
 #43


Locked IP is an interesting option. Does any other company offer that?



Yes, Blockchain does. However, as Prattler states, a simple email warning plus temporary lock for new IP's would be sufficient for now and must be quite easy to implement. It would of course increase the amount of work for their customer service but then again, if MtGox wants to remain the largest Bitcoin exchange in a few years time (and ultimately make an obscene amount of money), now would be the time to invest in their service.

Bitsaurus
February 08, 2013, 01:37:10 PM
 #44

Funny that the mining pools seem to have more safety lockouts than MtGox does.
avegetable
February 08, 2013, 01:45:10 PM
 #45

Funny that the mining pools seem to have more safety lockouts than MtGox does.

It's not such a surprise. It's generally a good thing for Mtgox if as many people as possible sign up. A nice security feature that tends to lock idiots out of their own accounts won't help them achieve that.

For a mining pool on the other hand, having a feature that deters the less tech-savvy is probably good
robocoin
February 08, 2013, 01:46:35 PM
Last edit: February 08, 2013, 02:41:41 PM by robocoin
 #46


Let me guess.... no two factor authentication?


how I can activate two factor authentication on mtgox?


ID verify your Mt.Gox account, you should then receive the offer to obtain a yubikey - FOR FREE.

DeathAndTaxes
Gerald Davis
February 08, 2013, 02:00:50 PM
 #47

That point is of course quite true, however, it is basically illegal to send money through the mail for that very reason.

In the US it isn't illegal to send cash in the mail.  Never has been, just an urban legend.  Now the USPS recommends you don't send cash in the mail unless you send it registered mail as it isn't insured but the same applies to other valuables as well.

Quote
Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

I think the larger point is that MtGox has offered 2FA for what two years now.  Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled.  I don't think anyone said "too stupid" but if your house comes equipped with the ability to lock the doors but you choose not to and then get robbed well ...  Now if MtGox provided no mechanism to keep balances safe that would be a different story but they do.  Despite all the prior losses it seems people just refuse to accept that passwords are insecure.  That is why 2FA exists.

Zomdifros
Full Member
February 08, 2013, 02:36:27 PM
Last edit: February 08, 2013, 03:45:27 PM by Zomdifros
 #48


Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

I think the larger point is that MtGox has offered 2FA for what two years now.  Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled.  I don't think anyone said "too stupid" but if your house comes equipped with the ability to lock the doors but you choose not to and then get robbed well ...  Now if MtGox provided no mechanism to keep balances safe that would be a different story but they do.  Despite all the prior losses it seems people just refuse to accept that passwords are insecure.  That is why 2FA exists.



Sure, they offer 2FA, but as a customer you pretty much have to find it out yourself. With a regular bank account it isn't even possible to make a withdrawal without 2FA in some form, it is a hard requirement. If we want Bitcoin to emerge from the niche it is in right now, everybody should be able to use it safely, even those who don't understand what 2FA is or why they need it, they should simply be forced to use it.

robocoin
Sr. Member
February 08, 2013, 02:38:41 PM
 #49

Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

I think the larger point is that MtGox has offered 2FA for what two years now.  Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled.  I don't think anyone said "too stupid" but if your house comes equipped with the ability to lock the doors but you choose not to and then get robbed well ...  Now if MtGox provided no mechanism to keep balances safe that would be a different story.

Everything is there you need. Maybe force 2FA for accounts with balances greater than 50 BTC.

Once I got ripped off 500€ from my bank account (bancomat skimmer), my bank immediately compensated it. BUT if an attacker has your bank login AND your mobile phone is infected so the attacker can read your SMS to retrieve the TAN numbers (mandatory 2FA here in Germany). Well, then you're on your own... I imagine there will be bank like Bitcoin systems in the future, e.g. BitcoinCentral, just to be insured against stuff like this.
40 years ago people did only brain fart in front of a computer. Security, cryptography and general awareness of computer systems will be more common for the "John Q. Public's" in the near future. It's not that Bitcoin and the systems around it need to adjust itself down to "anyone's" abilities. It's more like that society will adjust itself to the level needed for Bitcoin.
Stephen Gornick
Legendary
February 08, 2013, 03:02:35 PM
 #50

Maybe force 2FA for accounts with balances greater than 50 BTC.

Yup, or some checkbox that says "I ACKNOWLEDGE THAT 2FA IS RECOMMENDED BUT DECLINE THE RECOMMENDATION."


Because there is a lot of that going on.

MtGox account got cleared out
 - http://bitcointalk.org/index.php?topic=85533.0

All BTC disappeared from my Mt. Gox account
 - http://bitcointalk.org/index.php?topic=88368.0

Another:
 - http://bitcointalk.org/index.php?topic=80562.msg941759#msg941759

And another: My mtgox account got compromised, what can I do?
 - http://bitcointalk.org/index.php?topic=84585.0

Yet more: MT.Gox account hacked - lost 2k USD - MT.GOX will not explain how.
 - http://bitcointalk.org/index.php?topic=89142.0

And more again: Bitcoins stolen from MtGox
 - http://www.reddit.com/r/Bitcoin/comments/x8lcv/bitcoins_stolen_from_mtgox

And yet more: Stolen from Mt.Gox coins. Help return the coins.
 - http://bitcointalk.org/index.php?topic=119816.0

Or more here: Email from Mt.Gox this morning.
 - http://www.reddit.com/r/Bitcoin/comments/z0na5/email_from_mtgox_this_morning

And even more here: I just had $715 stolen out of my Mt. Gox account.
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account

And the biggie: Bitcoinica MtGox account compromised
 - http://bitcointalk.org/index.php?topic=93074.0

With more here: Unauthorized Account Activity on my Mt.Gox Account - Account Compromised/Hacked?
 - http://bitcointalk.org/index.php?topic=94140.0

And even more: *MY* Mt Gox Account was Hacked - lost it all today... now what!?
 - http://bitcointalk.org/index.php?topic=137795.0

Ditto: My MtGox account was just exploited - 3 BTC stolen
 - http://bitcointalk.org/index.php?topic=141816.0

And now this one gets added to the list: Just lost 190 bitcoins through Mt. Gox
 - http://bitcointalk.org/index.php?topic=141831.0

And on other services as well. Here same thing happened to some GLBSE users:
 - http://bitcointalk.org/index.php?topic=84893.0

And elsewhere, BitMarket.eu in this instance:
 - http://bitcointalk.org/index.php?topic=5441.msg1259168#msg1259168

And now on bitcoin.de as well: Bitcoins stolen from bitcoin.de.
 - http://bitcointalk.org/index.php?topic=130264.0

In none of these was the person using multi-factor authentication. Mt. Gox has had Yubikey support for a while. Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html

If the exchange you are storing funds with doesn't provide OTP, consider using a different exchange:
 - http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges

If you are storing funds in an EWallet, consider using a paper wallet.

Here is a fantastic guide: How to use 2-factor auth on mtgox, even without a smartphone (from a second device, of course, not from the same computer you log in on).
 - http://bitcointalk.org/index.php?topic=111943.0

CIYAM
Legendary
Ian Knowles - CIYAM Lead Developer
February 08, 2013, 03:19:09 PM
 #51

I think the larger point is that MtGox has offered 2FA for what two years now.  Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled.

In regards to sending cash in Aus every *delivery* company makes it *clear* you *cannot* send cash (so maybe different to the US) and I'm not now talking about legality but instead about any guarantee of refund for losses incurred (IANAL).

Also in Australia (at least) even if your 2FA is compromised your bank is *insured* and you will likely be *refunded* for losses due to theft (unless they can pretty much *prove* you *stole* the funds yourself).

Mt. Gox offers 0% protection AFAIA (correct me if I am wrong) and that is my point (no "moms and dads" are going to invest in something with zero guarantee in case of theft when there is a guaranteed option available and nor should they).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
sublime5447
Legendary
February 08, 2013, 04:40:16 PM
 #52

PayPal locks out based on IP address. If I try to access from a strange IP it asks me a security question. MtGox doesn't give a shit because they have zero liability. To all the tech guys talking about Yubikeys and 2FA nerd stuff: you don't get it, people aren't going to do that. This thing only works if people use it. I am shocked to see the bitcoin faith in here. It is all worthless if people don't adopt it. If you think bitcoin is a retirement plan you are out of your mind.
rollingpaperguy
Newbie
February 08, 2013, 04:44:23 PM
 #53

My guess is that you used the same email and password as you used somewhere else....mtgox might be tough to crack...but any other website, not so much.

Make sure your bitcoin wallet and bitcoin accounts all have different passwords.
mintymark
Sr. Member
February 08, 2013, 05:21:24 PM
 #54

I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I don't remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!!  Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversibility of Bitcoin means it needs to be done better than the companies doing fiat transactions do!!


[[ All Tips gratefully received!!  ]]
15ta5d1N8mKkgC47SRWmnZABEFyP55RrqD
sublime5447
Legendary
February 08, 2013, 06:39:03 PM
 #55

I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I don't remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!!  Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversibility of Bitcoin means it needs to be done better than the companies doing fiat transactions do!!



100% agreed, couldn't have said it better. It bugs me when someone has been taken advantage of and there is a huge outcry blaming the victim. Basically the claim goes like this.. It is your fault for not being a big enough tech nerd. If you read Wired magazine every day and spent 90 percent of your time online learning about bitcoin like I do then you wouldn't have gotten scammed. Bitcoin is beyond reproach and the community shares no blame.
SgtSpike
Legendary
February 08, 2013, 06:46:58 PM
 #56

I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I don't remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!!  Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversibility of Bitcoin means it needs to be done better than the companies doing fiat transactions do!!



100% agreed, couldn't have said it better. It bugs me when someone has been taken advantage of and there is a huge outcry blaming the victim. Basically the claim goes like this.. It is your fault for not being a big enough tech nerd. If you read Wired magazine every day and spent 90 percent of your time online learning about bitcoin like I do then you wouldn't have gotten scammed. Bitcoin is beyond reproach and the community shares no blame.
I'll agree with you here!

MtGox needs to implement better security options.  Withdrawal locks based on IP, email, and time should all be available options to users.  I would be so much more comfortable with putting funds on MtGox if I knew they couldn't be withdrawn to a different address other than what I've specified without email confirmation and a 7-day delay.  And I even have a yubikey required for logging in and withdrawal already!
farlack
Legendary
February 08, 2013, 07:37:35 PM
Last edit: April 21, 2013, 12:15:08 PM by tysat
 #57

I've read a 2F get hacked too. I bet it's gox themselves..

I mean come on what's the likelihood of 7.6 billion people and only a few thousand that use bitcoin and all these gox hacks going around.


I'd like to see a huge list of reports of people's wallets on their computer, or blockchain.info getting fucked.
Zomdifros
Full Member
February 08, 2013, 07:40:21 PM
 #58

I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I don't remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!!  Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversibility of Bitcoin means it needs to be done better than the companies doing fiat transactions do!!



100% agreed, couldn't have said it better. It bugs me when someone has been taken advantage of and there is a huge outcry blaming the victim. Basically the claim goes like this.. It is your fault for not being a big enough tech nerd. If you read Wired magazine every day and spent 90 percent of your time online learning about bitcoin like I do then you wouldn't have gotten scammed. Bitcoin is beyond reproach and the community shares no blame.
I'll agree with you here!

MtGox needs to implement better security options.  Withdrawal locks based on IP, email, and time should all be available options to users.  I would be so much more comfortable with putting funds on MtGox if I knew they couldn't be withdrawn to a different address other than what I've specified without email confirmation and a 7-day delay.  And I even have a yubikey required for logging in and withdrawal already!

So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?

gweedo
Legendary
February 08, 2013, 07:45:31 PM
 #59

So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?

Half-assed job of security is kinda strong don't you think? I mean where does security on the consumer side start? 2 factor auth is the saving grace if you don't have that you can kiss your coins goodbye. Then you don't need all those bells and whistles which would probably cause more issues than they are worth. I think as long as Mt Gox isn't getting hacked and leaking bitcoins from their wallet, I say security is good then. Take some responsibility, don't make Mt Gox your mom.
SgtSpike
Legendary
February 08, 2013, 07:46:35 PM
 #60

So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?

Half-assed job of security is kinda strong don't you think? I mean where does security on the consumer side start? 2 factor auth is the saving grace if you don't have that you can kiss your coins goodbye. Then you don't need all those bells and whistles which would probably cause more issues than they are worth. I think as long as Mt Gox isn't getting hacked and leaking bitcoins from their wallet, I say security is good then. Take some responsibility, don't make Mt Gox your mom.
People WANT to take some responsibility, they just want more options to do it.  2FA is good for some things, but having some way to delay withdrawals to a new address seems like a sensible option to add.
Zomdifros
Full Member
February 08, 2013, 08:44:15 PM
 #61

So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?

Half-assed job of security is kinda strong don't you think? I mean where does security on the consumer side start? 2 factor auth is the saving grace if you don't have that you can kiss your coins goodbye. Then you don't need all those bells and whistles which would probably cause more issues than they are worth. I think as long as Mt Gox isn't getting hacked and leaking bitcoins from their wallet, I say security is good then. Take some responsibility, don't make Mt Gox your mom.

Well perhaps it's a bit too strongly worded, they did give me a free yubikey after all. However, since Bitcoin transactions are non-reversible and it is a lot harder to find out who stole your coins compared to fiat, I think their security should at the very least match that of traditional banks. And when I see that simple solutions such as IP restriction aren't implemented and 2FA isn't required, even for very large transactions, I can only say their security just isn't good enough. And let's face it, there is ample evidence of people losing their money on MtGox, so much that it's hard to maintain it's all the consumers' fault.



You guys need to vote with your wallet. Stop using services which don't provide you with the product you desire!

Exactly, I'm using MtGox to buy coins and other services to store them.

gweedo
Legendary
February 08, 2013, 08:51:03 PM
 #62

So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?

Half-assed job of security is kinda strong don't you think? I mean where does security on the consumer side start? 2 factor auth is the saving grace if you don't have that you can kiss your coins goodbye. Then you don't need all those bells and whistles which would probably cause more issues than they are worth. I think as long as Mt Gox isn't getting hacked and leaking bitcoins from their wallet, I say security is good then. Take some responsibility, don't make Mt Gox your mom.

Well perhaps it's a bit too strongly worded, they did give me a free yubikey after all. However, since Bitcoin transactions are non-reversible and it is a lot harder to find out who stole your coins compared to fiat, I think their security should at the very least match that of traditional banks. And when I see that simple solutions such as IP restriction aren't implemented and 2FA isn't required, even for very large transactions, I can only say their security just isn't good enough. And let's face it, there is ample evidence of people losing their money on MtGox, so much that it's hard to maintain it's all the consumers' fault.

So can you show me an example of someone that has used 2FA and has been robbed? It is the carelessness of people that use the service. I am sorry but I don't see any reason why they need all these bells and whistles when they have something that is proven and works the best. You also can't require 2FA cause not everyone has a smart phone, trusts Google, or can afford a Yubikey.
SgtSpike
Legendary
February 08, 2013, 08:54:17 PM
 #63

So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?

Half-assed job of security is kinda strong don't you think? I mean where does security on the consumer side start? 2 factor auth is the saving grace if you don't have that you can kiss your coins goodbye. Then you don't need all those bells and whistles which would probably cause more issues than they are worth. I think as long as Mt Gox isn't getting hacked and leaking bitcoins from their wallet, I say security is good then. Take some responsibility, don't make Mt Gox your mom.
People WANT to take some responsibility, they just want more options to do it.  2FA is good for some things, but having some way to delay withdrawals to a new address seems like a sensible option to add.

You guys need to vote with your wallet. Stop using services which don't provide you with the product you desire!
I will as soon as something better comes along.  Wink  In the meantime, I will continue to suggest that they implement measures to satisfy my desires.
farlack
Legendary
February 08, 2013, 09:21:36 PM
 #64

I'd like to know if everyone that keeps losing gox funds, did the wallet on your computers get raided also? It would only seem logical to raid the .dat on the hard drive too.
mintymark
Sr. Member
February 09, 2013, 12:28:58 AM
 #65

Two-factor Authorisation is useful for some people, but other things that have been suggested are useful too and would stop this. It's possible to make the account secure, even IF the password becomes known to a dishonest person, so why not do that? 2FA certainly does not suit everybody.

Actually it's hard to say vote with your feet because that's the problem: there are not that many exchanges, and for many practical reasons the choice often comes down to 1 or 2. The exchanges therefore become complacent because people don't vote with their feet.

But you can be sure it reflects or will reflect badly on bitcoin even though actually it has nothing to do with Bitcoin. If someone using Bitcoin for a year can lose 200 BTC, then they are hardly a Noob.

I would strongly and politely suggest to the exchanges that it is very much in their own interest to implement these things. And it will be all the better for Bitcoin if they do, so let's start writing emails to our favourite exchange. I already have!

[[ All Tips gratefully received!!  ]]
15ta5d1N8mKkgC47SRWmnZABEFyP55RrqD
gweedo
Legendary
February 09, 2013, 01:56:46 AM
 #66

Two-factor Authorisation is useful for some people, but other things that have been suggested are useful too and would stop this. It's possible to make the account secure, even IF the password becomes known to a dishonest person, so why not do that? 2FA certainly does not suit everybody.

Actually it's hard to say vote with your feet because that's the problem: there are not that many exchanges, and for many practical reasons the choice often comes down to 1 or 2. The exchanges therefore become complacent because people don't vote with their feet.

But you can be sure it reflects or will reflect badly on bitcoin even though actually it has nothing to do with Bitcoin. If someone using Bitcoin for a year can lose 200 BTC, then they are hardly a Noob.

I would strongly and politely suggest to the exchanges that it is very much in their own interest to implement these things. And it will be all the better for Bitcoin if they do, so let's start writing emails to our favourite exchange. I already have!

So when do you actually take responsibility for securing your funds?

First off IP geo will be a pain for most people, I know I change my location a lot thru my VPNs and just internet connections, now if I am using Mt Gox, I can't. So that option is out.

Second now you want to setup withdrawing that takes a couple days, that defeats the purpose of bitcoins. It's supposed to be quick transfer of wealth.

Do you not see how these while you may think better protects the user, are the users responsibility and if you can't setup up Google 2 Factor Auth or buy a Yubikey then maybe you shouldn't be using an exchange.

Look at ATM's it is one pin code, that you have and if someone gets hold of it then you're screwed but do you line up at the bank going add that they have to show their driver's licenses no you accepted it because you know that is your responsibility to not share it. You expect the job of the bank to be secure inside, you deal with outside.

TAKE RESPONSIBILITY FOR YOURSELF, I THINK TOO MANY BITCOINERS DON'T UNDERSTAND IT and frankly it is boring to keep iterating this point to people.
CIYAM
Legendary
Ian Knowles - CIYAM Lead Developer
February 09, 2013, 02:00:41 AM
 #67

TAKE RESPONSIBILITY FOR YOURSELF, I THINK TOO MANY BITCOINERS DON'T UNDERSTAND IT and frankly it is boring to keep iterating this point to people.

Your point has been made clearly again and again - and sadly *this* is *why* Bitcoin will *never* be used by average people *ever*.

Average people want *government guaranteed* money that will be refunded in the event of *theft* - so I think we can see clearly where the situation stands (and why no serious investors will actually invest a serious amount of money in BTC - the risk is simply too high).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
gweedo
Legendary
February 09, 2013, 02:16:45 AM
 #68

TAKE RESPONSIBILITY FOR YOURSELF, I THINK TOO MANY BITCOINERS DON'T UNDERSTAND IT and frankly it is boring to keep iterating this point to people.

Your point has been made clearly again and again - and sadly *this* is *why* Bitcoin will *never* be used by average people *ever*.

Average people want *government guaranteed* money that will be refunded in the event of *theft* - so I think we can see clearly where the situation stands (and why no serious investors will actually invest a serious amount of money in BTC - the risk is simply too high).

You're twisting my words again. How is the risk too high? If you follow security protocols you have no issues, even average people can figure out a 2 factor auth system. Also you said no serious investors will actually invest, yet I have seen a number of articles of day traders and stock people investing. Plus Fred Wilson VC has invested in a bitcoin company and in bitcoins. So you're pretty false on those claims and you're very off track.

And let's be honest, how many people are going to buy bitcoins to trade on Mt Gox.
CurbsideProphet
Hero Member
February 09, 2013, 02:19:46 AM
 #69


Let me guess.... no two factor authentication?


How can I activate two factor authentication on mtgox?


ID verify your Mt.Gox account, you should then receive the offer to obtain a yubikey - FOR FREE.



I never received this offer.

1ProphetnvP8ju2SxxRvVvyzCtTXDgLPJV
CIYAM
Legendary
Ian Knowles - CIYAM Lead Developer
February 09, 2013, 02:31:55 AM
 #70

You're twisting my words again. How is the risk too high? If you follow security protocols you have no issues, even average people can figure out a 2 factor auth system. Also you said no serious investors will actually invest, yet I have seen a number of articles of day traders and stock people investing. Plus Fred Wilson VC has invested in a bitcoin company and in bitcoins. So you're pretty false on those claims and you're very off track.

I am not trying to twist your words but you just *keep* missing the point. NO GUARANTEE - got it yet?

If my 2FA key from my bank gets stolen I *can still* get my money *refunded* - you *cannot* do this at any BTC exchange (and won't *be* able to for very good reason as we all know well).

By serious investments I am talking 10-100M USD - seen any of those yet?

In any case I think this is all getting rather OT and starting to look a bit silly and I do *agree* if you want to *day trade* at Mt. Gox you really *must* get yourself a Yubikey.

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
gweedo
Legendary
February 09, 2013, 02:37:09 AM
 #71

You're twisting my words again. How is the risk too high? If you follow security protocols you have no issues, even average people can figure out a 2 factor auth system. Also you said no serious investors will actually invest, yet I have seen a number of articles of day traders and stock people investing. Plus Fred Wilson VC has invested in a bitcoin company and in bitcoins. So you're pretty false on those claims and you're very off track.

I am not trying to twist your words but you just *keep* missing the point. NO GUARANTEE - got it yet?

If my 2FA key from my bank gets stolen I *can still* get my money *refunded* - you *cannot* do this at any BTC exchange (and won't *be* able to for very good reason as we all know well).

WAIT a second, you verify your ID, just like you would have to at a bank. Now let's look at the real point how many people are going to use Mt Gox. Only investors and day traders, and we have proven that many of them are on Mt Gox today! So while there is *NO GUARANTEE* people are fine with it and adapt to the security needed.
CIYAM
Legendary
Ian Knowles - CIYAM Lead Developer
February 09, 2013, 02:39:36 AM
 #72

Quote
[/input]

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
ProfMac
Legendary
February 09, 2013, 02:49:12 AM
 #73

This really sucks. It is too hard to use, get, trust, and secure bitcoin transactions. Another black eye for bitcoin.

No, it's not a black eye for Bitcoin at all. This had absolutely nothing to do with Bitcoin, neither the protocol nor the client.

It kinda is. Look at asic ppl wanting a refund. Cc payers got it. Bitcoin users just cry.
It might not be the client or protocol... But it is def bitcoin's irreversible nature. A victim has no chance in the world to figure out where their money went. That is a big problem for most people.

I am surprised no one mentioned inside job. An employee just slowly milks an account here and there for profit.

Isn't there a trail for the address the money went to? 

I try to be respectful and informed.
hamdi
Hero Member
Activity: 826
Merit: 500
February 09, 2013, 03:39:54 AM
 #74

Wish MtGox offered a way to lock withdrawals to a single address. This would solve so much.
!
ProfMac
Legendary
Activity: 1246
Merit: 1001
February 09, 2013, 04:59:12 AM
 #75

MtGox really should increase their security policy. Since they are so crucial to the Bitcoin economy I consider them as one of the greatest vulnerabilities of the whole system.
 
Two-factor authentication should be required for every withdrawal over 1000 USD in 24 hours or the equivalent in BTC. Also, like the Blockchain wallet, they should add SMS authentication. They should mail you a warning whenever someone logs in from a previously unused IP address and withdrawals should be restricted from this address for 24 hours.

For now I would recommend using Blockchain to store your Bitcoins. A paper wallet is fine as well, though slightly more inconvenient.

I was looking over my MtGox account, and I don't see how to turn on 2 factor authentication.  Can someone walk through the process really slowly?

I try to be respectful and informed.
DeathAndTaxes
Donator
Legendary
Activity: 1218
Merit: 1079
Gerald Davis
February 09, 2013, 05:32:56 AM
 #76

MtGox really should increase their security policy. Since they are so crucial to the Bitcoin economy I consider them as one of the greatest vulnerabilities of the whole system.
 
Two-factor authentication should be required for every withdrawal over 1000 USD in 24 hours or the equivalent in BTC. Also, like the Blockchain wallet, they should add SMS authentication. They should mail you a warning whenever someone logs in from a previously unused IP address and withdrawals should be restricted from this address for 24 hours.

For now I would recommend using Blockchain to store your Bitcoins. A paper wallet is fine as well, though slightly more inconvenient.

I was looking over my MtGox account, and I don't see how to turn on 2 factor authentication.  Can someone walk through the process really slowly?


Login > Security Center

Add YubiKey and/or Software Authenticator (Google Smartphone)
Save

Add the credential you just created to login, withdraw, and/or security center.
SgtSpike
Legendary
Activity: 1400
Merit: 1005
February 09, 2013, 06:11:56 AM
 #77

Two-factor Authorisation is useful for some people, but other things that have been suggested are useful too and would stop this. It's possible to make the account secure, even IF the password becomes known to a dishonest person, so why not do that? 2FA certainly does not suit everybody.

Actually it's hard to say vote with your feet because that's the problem: there are not that many exchanges, and for many practical reasons the choice often comes down to 1 or 2. The exchanges therefore become complacent because people don't vote with their feet.

But you can be sure it reflects or will reflect badly on bitcoin even though actually it has nothing to do with Bitcoin. If someone using Bitcoin for a year can lose 200 BTC, then they are hardly a Noob.

I would strongly and politely suggest to the exchanges that it is very much in their own interest to implement these things. And it will be all the better for Bitcoin if they do, so let's start writing emails to our favourite exchange. I already have!

So when do you actually take responsibility for securing your funds?

First off IP geo will be a pain for most people, I know I change my location a lot through my VPNs and just internet connections, now if I am using Mt Gox, I can't. So that option is out.

Second now you want to set up withdrawals that take a couple days, that defeats the purpose of bitcoins. It's supposed to be quick transfer of wealth.

Do you not see how these, while you may think they better protect the user, are the user's responsibility, and if you can't set up Google 2 Factor Auth or buy a Yubikey then maybe you shouldn't be using an exchange.

Look at ATMs, it is one PIN code that you have, and if someone gets hold of it then you're screwed, but do you line up at the bank going add that they have to show their driver's licenses? No, you accepted it because you know that it is your responsibility to not share it. You expect the job of the bank to be secure inside, you deal with outside.

TAKE RESPONSIBILITY FOR YOURSELF, I THINK TOO MANY BITCOINERS DON'T UNDERSTAND IT and frankly it is boring to keep iterating this point to people.
Do the words "optional" not mean anything to you?

2FA is optional.
If IP geo was implemented, it should be optional.
If withdrawal delays of any kind are implemented, they should be adjustable and, of course, optional.

There.  No inconvenience to people like you who don't find those options useful, but better security for those who do.
SgtSpike
Legendary
Activity: 1400
Merit: 1005
February 09, 2013, 08:08:14 AM
 #78

Do the words "optional" not mean anything to you?

2FA is optional.
If IP geo was implemented, it should be optional.
If withdrawal delays of any kind are implemented, they should be adjustable and, of course, optional.

There.  No inconvenience to people like you who don't find those options useful, but better security for those who do.

2FA while optional is the only way to properly secure your Mt Gox and should be told to everyone, I will admit that is a failure on Mt Gox's part to not reinforce that to new users more. BUT it is a false security those options, and we all know someone will easily get through those if they want to. Let's face it they get your password, the only thing stopping them is 2FA. COME ON you have to agree. Those options are too niche, maybe stop 10% maybe 15% if lucky.
Huh?

If they get my password, and I have some sort of IP lock on my account, then I could receive an email notification of someone else logging into my account from Russia or wherever, indicating there is a problem.  They couldn't withdraw because of the lock though, which would be undone with password + email verification.

If I had a withdrawal address change delay of 7 days, then I could get an email as soon as someone else changed the withdrawal address on my account.  I would then have 7 days to do something about it.

Ok, so maybe my email account is compromised as well.  I'd figure that out once I was no longer able to log in.  Or maybe the attacker is really clever and doesn't change my password, but simply deletes the email so I wouldn't see it.  MtGox could, upon login, still display a very large colorful warning for the next 7 days that the IP lock was removed or that a new withdrawal address was created.  And if I didn't have access to my MtGox account, ideally, support could reset the password for me and send me an email link.  If I didn't have access to my email and attempts to regain access were futile, support could freeze the account in the interim and I could resend identity docs to prove I am the proper owner of it.  But in the meantime, my Bitcoins are SAFE.  They could not be touched with this sort of delay in place, whereas as soon as an attacker compromises an account right now, they can empty it out to the extent of the daily withdrawal restrictions.

So no, I don't "have to agree", nor do I agree with you at all.  I think the more security options we have, the more secure we can make our accounts.
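The optional safeguards argued for in this post (IP lock, 7-day delay on new withdrawal addresses, a login banner that survives a deleted e-mail) together with the 1000 USD per 24 hours 2FA threshold proposed earlier in the thread, modelled as an added example that is not part of the original post and is not MtGox code. All class, method and field names are hypothetical, and the IPs, addresses and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Settings:
    """Every safeguard is opt-in; False/None switches it off."""
    ip_lock: bool = False
    address_delay: Optional[timedelta] = None
    twofa_threshold_usd: Optional[float] = None   # rolling 24 h total
    banner_period: timedelta = timedelta(days=7)


@dataclass
class Account:
    settings: Settings
    trusted_ips: set = field(default_factory=set)
    addresses: dict = field(default_factory=dict)    # address -> time added
    withdrawals: list = field(default_factory=list)  # (time, usd)
    events: list = field(default_factory=list)       # (time, message)

    def _notify(self, now, message):
        # Kept server-side as well as mailed, so deleting the e-mail
        # does not hide the warning from the owner.
        self.events.append((now, message))

    def login(self, ip, now):
        if ip not in self.trusted_ips:
            self._notify(now, f"login from unrecognised IP {ip}")

    def confirm_ip(self, ip, now):
        """Called once the password + e-mail verification step succeeds."""
        self.trusted_ips.add(ip)
        self._notify(now, f"IP lock lifted for {ip}")

    def add_address(self, address, now):
        self.addresses[address] = now
        self._notify(now, f"withdrawal address added: {address}")

    def banner(self, now):
        """Warnings to show on every login during the banner period."""
        cutoff = now - self.settings.banner_period
        return [msg for t, msg in self.events if t >= cutoff]

    def withdraw(self, ip, address, usd, now, otp_ok=False):
        """Return (allowed, reason); the first failing check wins."""
        s = self.settings
        if s.ip_lock and ip not in self.trusted_ips:
            return False, "ip_locked"
        added = self.addresses.get(address)
        if added is None:
            return False, "unknown_address"
        if s.address_delay is not None and now - added < s.address_delay:
            return False, "address_delay"
        if s.twofa_threshold_usd is not None:
            day_ago = now - timedelta(hours=24)
            recent = sum(v for t, v in self.withdrawals if t > day_ago)
            if recent + usd > s.twofa_threshold_usd and not otp_ok:
                return False, "otp_required"
        self.withdrawals.append((now, usd))
        return True, "ok"


def stolen_password_scenario():
    """Constructed walk-through: password and mailbox are both compromised."""
    t0 = datetime(2013, 2, 1, 12, 0)
    acct = Account(Settings(ip_lock=True, address_delay=timedelta(days=7),
                            twofa_threshold_usd=1000.0))
    owner_ip, other_ip = "198.51.100.7", "203.0.113.9"
    acct.trusted_ips.add(owner_ip)
    acct.addresses["OWNER-ADDR"] = t0 - timedelta(days=30)

    t1 = t0 + timedelta(days=6)
    acct.login(other_ip, t1)
    acct.add_address("NEW-ADDR", t1)
    results = [acct.withdraw(other_ip, "NEW-ADDR", 500, t1)[1]]
    acct.confirm_ip(other_ip, t1)          # e-mail verification bypassed
    results.append(acct.withdraw(other_ip, "NEW-ADDR", 500, t1)[1])
    results.append(acct.withdraw(other_ip, "OWNER-ADDR", 1500, t1)[1])
    # The owner's own activity: under the threshold, then over it.
    results.append(acct.withdraw(owner_ip, "OWNER-ADDR", 900, t1)[1])
    results.append(acct.withdraw(owner_ip, "OWNER-ADDR", 200, t1)[1])
    return results, acct.banner(t1 + timedelta(days=3))
```

Each layer fails independently: with the mailbox compromised the IP lock falls, but the address delay still holds the funds and the banner still shows all three events three days later.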
Zomdifros
Full Member
Activity: 210
Merit: 100
February 09, 2013, 03:29:29 PM
 #79

Do the words "optional" not mean anything to you?

2FA is optional.
If IP geo was implemented, it should be optional.
If withdrawal delays of any kind are implemented, they should be adjustable and, of course, optional.

There.  No inconvenience to people like you who don't find those options useful, but better security for those who do.

2FA while optional is the only way to properly secure your Mt Gox and should be told to everyone, I will admit that is a failure on Mt Gox's part to not reinforce that to new users more. BUT it is a false security those options, and we all know someone will easily get through those if they want to. Let's face it they get your password, the only thing stopping them is 2FA. COME ON you have to agree. Those options are too niche, maybe stop 10% maybe 15% if lucky.
Huh?

If they get my password, and I have some sort of IP lock on my account, then I could receive an email notification of someone else logging into my account from Russia or wherever, indicating there is a problem.  They couldn't withdraw because of the lock though, which would be undone with password + email verification.

If I had a withdrawal address change delay of 7 days, then I could get an email as soon as someone else changed the withdrawal address on my account.  I would then have 7 days to do something about it.

Ok, so maybe my email account is compromised as well.  I'd figure that out once I was no longer able to log in.  Or maybe the attacker is really clever and doesn't change my password, but simply deletes the email so I wouldn't see it.  MtGox could, upon login, still display a very large colorful warning for the next 7 days that the IP lock was removed or that a new withdrawal address was created.  And if I didn't have access to my MtGox account, ideally, support could reset the password for me and send me an email link.  If I didn't have access to my email and attempts to regain access were futile, support could freeze the account in the interim and I could resend identity docs to prove I am the proper owner of it.  But in the meantime, my Bitcoins are SAFE.  They could not be touched with this sort of delay in place, whereas as soon as an attacker compromises an account right now, they can empty it out to the extent of the daily withdrawal restrictions.

So no, I don't "have to agree", nor do I agree with you at all.  I think the more security options we have, the more secure we can make our accounts.

+1

robocoin
Sr. Member
Activity: 252
Merit: 250
February 09, 2013, 05:49:58 PM
 #80

Mt. Gox sent me a free Yubikey after I made some trades.

KeePass password vault should be used for this sort of thing.  It creates complex passwords and pastes them into the box so they are never typed in and then it wipes your clipboard so a keylogger won't work.

Yes you might have to flip a coin to get a key :D
robocoin
Sr. Member
Activity: 252
Merit: 250
February 09, 2013, 06:20:00 PM
 #81

TAKE RESPONSIBILITY FOR YOURSELF, I THINK TOO MANY BITCOINERS DON'T UNDERSTAND IT and frankly it is boring to keep iterating this point to people.

Your point has been made clearly again and again - and sadly *this* is *why* Bitcoin will *never* be used by average people *ever*.

Average people want *government guaranteed* money that will be refunded in the event of *theft* - so I think we can see clearly where the situation stands (and why no serious investors will actually invest a serious amount of money in BTC - the risk is simply too high).


CIYAM, this will be the case for another few years. I wouldn't try to make it easy for everybody. Because it doesn't matter how hard you work for the non-geek. Somebody will always face the evil. People lose money with traditional banks every day. People are stupid enough to use credit cards on the net. Don't waste your good energy by fighting for this "human nature thingy".

In our everyday life we have to take responsibility, there are so many hints. If you don't get it, you might die.
Zomdifros
Full Member
Activity: 210
Merit: 100
February 09, 2013, 06:49:21 PM
 #82

People lose money with traditional banks every day. People are stupid enough to use credit cards on the net.

It's not stupid to use credit cards on the net, if it gets hacked, my bank will cover it. That's why I'm comfortable using credit cards on the internet. Same thing with bank accounts, if it gets hacked due to malware or whatever, my bank will reimburse it.

A safer bitcoin environment means more people trust using it means more fiat going into the system means more profit for all of us. I can't see why people are opposing this.

robocoin
Sr. Member
Activity: 252
Merit: 250
February 09, 2013, 07:06:39 PM
 #83

People lose money with traditional banks every day. People are stupid enough to use credit cards on the net.

It's not stupid to use credit cards on the net, if it gets hacked, my bank will cover it. That's why I'm comfortable using credit cards on the internet. Same thing with bank accounts, if it gets hacked due to malware or whatever, my bank will reimburse it.

A safer bitcoin environment means more people trust using it means more fiat going into the system means more profit for all of us. I can't see why people are opposing this.

Not in every case. You can buy any fucking geo IP (socks5) from some websites ending with .ru or .onion... You then have to prove it. (Sending your computer to the cops). Or lose the money.
robocoin
Sr. Member
Activity: 252
Merit: 250
February 09, 2013, 07:20:48 PM
 #84

People lose money with traditional banks every day. People are stupid enough to use credit cards on the net.

It's not stupid to use credit cards on the net, if it gets hacked, my bank will cover it. That's why I'm comfortable using credit cards on the internet. Same thing with bank accounts, if it gets hacked due to malware or whatever, my bank will reimburse it.

A safer bitcoin environment means more people trust using it means more fiat going into the system means more profit for all of us. I can't see why people are opposing this.

You pay fees for all those services, whether you know it or not.

No one opposes a "safer bitcoin environment". For starters, Bitcoin is as safe as you make it. It's up to the user to protect themselves.

Don't worry, eventually there will be companies you can pay to safeguard your bitcoins, just like with fiat today.

Absolutely, lots of work to do until Bitcoin is recognized as money (by the law and not by you). Lobbying in Washington and Brussels -> I am happy to have the Bitcoin Foundation. :)
Stephen Gornick
Legendary
Activity: 2506
Merit: 1010
February 09, 2013, 11:49:00 PM
 #85

So can you show me an example of someone that has used 2FA and has been robbed?

It still requires secure computing.  If someone sets up 2FA on a machine that has already been compromised or is compromised at a later time after setting up 2FA  (e.g., where the QR code that was scanned by Google Authenticator remains in the browser cache and is then obtained by an attacker) then there still could be a loss.

You also can't require 2FA cause not everyone has a smart phone, trusts google, or can afford a Yubikey.

There is a javascript implementation so simply accessing from a second device (e.g., another laptop, for example) works without it being a mobile device:
Here is a fantastic guide: How to use 2-factor auth on mtgox, even without a smartphone (from a second device, of course, not from the same computer you log in on).
 - http://bitcointalk.org/index.php?topic=111943.0

But with $40 mobiles and $80 tablets coming (or decent $100 no-contract smartphone mobiles and $150 tablets here now), there are more and more people already having a device that works adequately for 2FA.

Unichange.me
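Why the enrolment QR code has to be protected like a password, and why the codes can be produced on any second device: the QR code carries an `otpauth://` provisioning URI whose `secret` parameter is the only input to the code besides the clock. This is an added example, not part of the original post; it follows RFC 6238 (HMAC-SHA1, 30-second step), uses the RFC's published test secret in a constructed URI, and the `Verifier` class is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed provisioning URI; the secret is the RFC 6238 test key
# b"12345678901234567890" in base32. Label and issuer are placeholders.
SAMPLE_URI = ("otpauth://totp/Example:alice"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def secret_from_otpauth(uri):
    """Extract the shared secret that the enrolment QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)          # authenticator apps omit padding
    return base64.b32decode(b32)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: tolerate clock drift, never accept a time step twice."""

    def __init__(self, secret, window=1, step=30):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_step = -1               # highest step already consumed

    def verify(self, code, unix_time):
        now_step = int(unix_time) // self.step
        for s in range(now_step - self.window, now_step + self.window + 1):
            if s <= self.last_step:
                continue                  # replayed or older code
            expected = totp(self.secret, s * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_step = s
                return True
        return False


def demo():
    """Two independent 'devices' derive the same code from the same URI."""
    phone = totp(secret_from_otpauth(SAMPLE_URI), 59)
    laptop = totp(secret_from_otpauth(SAMPLE_URI), 59)
    server = Verifier(secret_from_otpauth(SAMPLE_URI))
    first = server.verify(phone, 59)
    replay = server.verify(phone, 60)     # same code seen again
    return phone, laptop, first, replay
```

The replay check only limits reuse of an observed code; it does nothing once the secret itself is copied, which is why the QR image must not linger on the machine used to log in.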
Fiyasko
Legendary
Activity: 1428
Merit: 1001
Okey Dokey Lokey
February 10, 2013, 01:23:32 AM
 #86

This is the 3rd MtGox account I've heard of that's been cleaned out in the last week.  A new vulnerability, perhaps?
Same here, it's making me worried that either someone at mt.gox is stealing or perhaps people ARE STILL USING EASY PASSWORDS!
but it's not even an easy pass that gets you caught usually, most of the time the guy uses the same pass on someplace similar but less secure, and that's where the password gets "hacked" from.

Hopefully it's just Some Hacker Smartiepants stealing coins with something like a keylogger

http://bitcoin-otc.com/viewratingdetail.php?nick=DingoRabiit&sign=ANY&type=RECV <-My Ratings
https://bitcointalk.org/index.php?topic=857670.0 GAWminers and associated things are not to be trusted, Especially the "mineral" exchange
TimJBenham
Sr. Member
Activity: 280
Merit: 250
February 10, 2013, 01:28:51 AM
 #87

TAKE RESPONSIBILITY FOR YOURSELF, I THINK TOO MANY BITCOINERS DON'T UNDERSTAND IT and frankly it is boring to keep iterating this point to people.

Your point has been made clearly again and again - and sadly *this* is *why* Bitcoin will *never* be used by average people *ever*.

Does this matter?

Average people want *government guaranteed* money that will be refunded in the event of *theft* - so I think we can see clearly where the situation stands (and why no serious investors will actually invest a serious amount of money in BTC - the risk is simply too high).

Where can I get this *government guaranteed* money that will be refunded in the event of *theft*? What government refunds money in the event of theft? I've had fiat cash stolen from my wallet and no government gave me a refund.

You are a warlord in the outskirts of the known world struggling to establish a kingdom in the wild lands.
CIYAM
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
February 10, 2013, 01:42:14 AM
 #88

Where can I get this *government guaranteed* money that will be refunded in the event of *theft*? What government refunds money in the event of theft? I've had fiat cash stolen from my wallet and no government gave me a refund.

Try opening a bank account or getting a credit card rather than using *cash* (was the point really that hard to understand or is just becoming a trollfest?).

Your bank (and yes pick one of the *big banks* please) IS government guaranteed and your Credit Card is backed by your bank.

Your BTC is insured/backed by no-one and nothing respectively.

I had finished inputting into this thread yesterday and will probably regret putting this in today - so I will refrain from further input - enjoy the arguing!

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
fredbabb
Newbie
Activity: 2
Merit: 0
February 10, 2013, 02:32:24 AM
 #89

the police have no legal obligation to protect you.
sublime5447
Legendary
Activity: 966
Merit: 1000
February 10, 2013, 02:59:10 AM
 #90

i'm going to be honest..

at this point in time.. there is no way this can be adopted by the masses who barely know how to use computers, are vulnerable etc..
people still fall for nigerian scams.. not everyone is "elite" as some members on here may think they are.. and frankly will never be.
the general population of the world will never be able to use this with so many security pitfalls and lack of guarantees (and no way to verify things).

by stating "bitcoin" owner beware.. doesn't really mean much. i'm sure if some big business like a hotel had all their coins stolen then most of the hotels would hear about it and never touch this thing.
the scammers (as well as in real life too) can easily ruin the whole ecosystem since it's much easier to jack stuff than in real life (bank heists are tough), you can do theft worth a lot of money and probably nothing is easier than with the bitcoins.

i'm not trying to be negative i just want people to understand with the way things are on the internets by solely claiming user beware does not create a good ecosystem


This is an excellent post. The tech guys want the world to work the way they think it should not the way it actually does imo.
 
TimJBenham
Sr. Member
Activity: 280
Merit: 250
February 10, 2013, 08:52:37 AM
 #91

Where can I get this *government guaranteed* money that will be refunded in the event of *theft*? What government refunds money in the event of theft? I've had fiat cash stolen from my wallet and no government gave me a refund.

Try opening a bank account or getting a credit card rather than using *cash* (was the point really that hard to understand or is just becoming a trollfest?).

Your bank (and yes pick one of the *big banks* please) IS government guaranteed and your Credit Card is backed by your bank.

The government deposits guarantee has precious little to do with the refund of stolen account funds. The latter is just a bank policy (adopted with prodding from ASIC). Note the protection is far from absolute and can be voided by customer negligence. See ePayments Code https://www.asic.gov.au/asic/asic.nsf/byheadline/ePayments-Code?openDocument#download.

Your BTC is insured/backed by no-one and nothing respectively.

If there were financial institutions accepting BTC deposits then they could offer the level of insurance they felt appropriate.

You are a warlord in the outskirts of the known world struggling to establish a kingdom in the wild lands.
CIYAM
Legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
February 10, 2013, 09:06:44 AM
 #92

The government deposits guarantee has precious little to do with the refund of stolen account funds. The latter is just a bank policy (adopted with prodding from ASIC). Note the protection is far from absolute and can be voided by customer negligence. See ePayments Code https://www.asic.gov.au/asic/asic.nsf/byheadline/ePayments-Code?openDocument#download.

Of course and absolutely true (I know what the government guarantee is - was just trying to *simplify* the explanation as it just doesn't seem to get through - and unfortunately although quite correct you probably haven't helped to make things clearer as that will now be picked up by the trolls to try and further muddy the waters :) ).

Your BTC is insured/backed by no-one and nothing respectively.
IF there were financial institutions accepting BTC deposits then they could offer the level of insurance they felt appropriate.

That is the point - there ISN'T and is not likely there will be for the foreseeable future (especially with some of the Bitcoin Foundation members publicly stating their opposition to banks, etc. - think a bank or insurance company will *want* to talk to them - although hopefully Gavin would).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
sublime5447
Legendary
Activity: 966
Merit: 1000
February 10, 2013, 05:36:11 PM
 #93

Tons I have lost tons of money. You can't reason with these guys they are under the bitcoin spell. Most people won't touch bitcoin and it is because it is not safe or stable. I personally think the btc community needs a reality check. The masses will not adopt btc it is harder to use and get. It has to be easy and safe anyone can see that! blaming the user or customer how has that worked for you in the past Holiday? This community looks at new users as scammers I look at them as clients. :)
Merralea
Full Member
Activity: 126
Merit: 100
February 10, 2013, 09:04:20 PM
 #94

Extreme condolences. People suck sometimes.
BitVegas
Sr. Member
Activity: 252
Merit: 250
February 11, 2013, 02:06:15 AM
 #95

I'm sorry to hear this :(. I am worried to use Mt Gox also but I do not know of any other way to have my $$ readily available to buy bitcoins when they drop

ProfMac
Legendary
Activity: 1246
Merit: 1001
February 11, 2013, 04:07:17 AM
 #96



i'm not trying to be negative i just want people to understand with the way things are on the internets by solely claiming user beware does not create a good ecosystem

The bitcoins are worthless without the ecosystem.

I try to be respectful and informed.
TimJBenham
Sr. Member
Activity: 280
Merit: 250
February 11, 2013, 04:58:29 AM
Last edit: February 11, 2013, 05:23:36 AM by TimJBenham
 #97

The government deposits guarantee has precious little to do with the refund of stolen account funds. The latter is just a bank policy (adopted with prodding from ASIC). Note the protection is far from absolute and can be voided by customer negligence. See ePayments Code https://www.asic.gov.au/asic/asic.nsf/byheadline/ePayments-Code?openDocument#download.

Of course and absolutely true (I know what the government guarantee is - was just trying to *simplify* the explanation as it just doesn't seem to get through - and unfortunately although quite correct you probably haven't helped to make things clearer as that will now be picked up by the trolls to try and further muddy the waters :) ).

Alright. Let the trolls troll. As to your original concerns, I get them but they just imply that bitcoin isn't going to directly replace the fiat currency in the chequeing account of Joe Average. I don't think it means bitcoin would be better if it were yet another online soft currency.

Your BTC is insured/backed by no-one and nothing respectively.
IF there were financial institutions accepting BTC deposits then they could offer the level of insurance they felt appropriate.

That is the point - there ISN'T and is not likely there will be for the foreseeable future (especially with some of the Bitcoin Foundation members publicly stating their opposition to banks, etc. - think a bank or insurance company will *want* to talk to them - although hopefully Gavin would).

BTC doesn't have a great future if it stays the province of drug dealers, tax avoiders, virtual currency geeks and the various shades of anti-banking zealot (I'm not sure it could handle the transaction volume that illegal gamblers generate). It could still grow considerably before it has filled that niche, but I would expect increasing state efforts to stomp on it. It is much more suited to be a reserve currency than a circulating currency. That appears to require some sort of financial intermediation.

You are a warlord in the outskirts of the known world struggling to establish a kingdom in the wild lands.
tooniz
Newbie
Activity: 13
Merit: 0
February 11, 2013, 05:37:16 AM
 #98

i'm going to be honest..

at this point in time.. there is no way this can be adopted by the masses who barely know how to use computers, are vulnerable etc..
people still fall for nigerian scams.. not everyone is "elite" as some members on here may think they are.. and frankly will never be.
the general population of the world will never be able to use this with so many security pitfalls and lack of guarantees (and no way to verify things).

by stating "bitcoin" owner beware.. doesn't really mean much. i'm sure if some big business like a hotel had all their coins stolen then most of the hotels would hear about it and never touch this thing.
the scammers (as well as in real life too) can easily ruin the whole ecosystem since it's much easier to jack stuff than in real life (bank heists are tough), you can do theft worth a lot of money and probably nothing is easier than with the bitcoins.

i'm not trying to be negative i just want people to understand with the way things are on the internets by solely claiming user beware does not create a good ecosystem

i totally agree, to be honest i think OP's situation must occur in real life online banking, poker sites, etc.
TimJBenham
Sr. Member
Activity: 280
Merit: 250
February 11, 2013, 10:04:39 AM
 #99


Small beer?

Bitcoin has a lot of places beside drugs, we need more but there are many so I think saying it is only for drugs and currency geeks is kinda outdated.

Sure we can probably get the pedophiles and the conspiracy guys onside too. Pretty soon we'll have a winning team!
;)

You are a warlord in the outskirts of the known world struggling to establish a kingdom in the wild lands.
fcmatt
Legendary
Activity: 2072
Merit: 1001
February 12, 2013, 03:08:40 AM
 #100

A lot of legal bitcoin uses consist of middlemen wanting a cut. That is about all they do. They rarely buy at true wholesale or manufacture anything. So they are just an added layer upping the cost of a product. Services like web design or hosting are better though. I admit that.

So I can pay with bitcoin and have no protection or recourse. Or I can use a cc, have protection, get rewarded, extended warranty, etc. The asic fiasco with tom showed just how true this is with cc.

I am not putting down bitcoin just to make fun of it. I am just explaining how I think when I make an online purchase. American express for the win. Avalon wanting bitcoin only and being so odd... No sale even with hardware in the wild. The bitbrew website on the other hand deals with such small amounts I would consider the risk.
TimJBenham
Sr. Member
Activity: 280
Merit: 250
February 12, 2013, 04:06:12 AM
 #101

Bank fraud guarantees don't cost the banks that much. In the great majority of cases they suck the money back and the guy left holding the bag is some innocent merchant who made the mistake of selling BTC, bullion or sought after consumer goods for a bank transfer. They arbitrarily transfer the loss from the persons who were in the best position to prevent it, the account holder and the bank, to someone with almost no means to defend himself. They are not an act of generosity and they do not make the online economy a better place.

You are a warlord in the outskirts of the known world struggling to establish a kingdom in the wild lands.
sublime5447
Legendary
Activity: 966
Merit: 1000
February 12, 2013, 04:11:43 AM
 #102

Tons I have lost tons of money. You can't reason with these guys they are under the bitcoin spell. Most people won't touch bitcoin and it is because it is not safe or stable. I personally think the btc community needs a reality check. The masses will not adopt btc it is harder to use and get. It has to be easy and safe anyone can see that! blaming the user or customer how has that worked for you in the past Holiday? This community looks at new users as scammers I look at them as clients. :)

You are the one refusing to listen to reason, in various threads.

Bitcoin is volatile. It's a new, disruptive, voluntary currency. Price discovery is going to take some time, not measured in days or months, but years and decades. If this concerns you, perhaps the free market is something you should avoid!

The Bitcoin protocol is quite safe. Coin security currently depends on the user. This can, and will, change in time. Smart businessmen will find ways to protect inept users and they will line their pockets in the process.

Ultimately in life, regardless of the protections provided by businesses or governments, your well being comes down to your decisions and your actions. If you constantly refuse to protect yourself, make poor investment decisions, and refuse to save for a rainy day, you will eventually end up in a situation that might be unrecoverable. You can call this blaming the user or customer if you want, I call it facing reality. The world is a wonderful place, but it can also be cruel and unforgiving. People have been trained to shrug off responsibility, relying on the many security nets which society pays for and provides. This may provide comfort for a time, but can only end badly for those who refuse to accept responsibility for their actions. If Bitcoin has the potential to make the world a better place, teaching responsibility would be a fantastic start! Only after you accept responsibility can you truly be free.

As far as judging new users, they are a blank slate. Their actions define them. Generally, I distrust strangers. Unlike you, I've not lost "tons of money", so this method may have merit. This allows me the freedom to be generous with those close to me.


Ya, thanks for the advice. I have been around, don't really need any, but thanks anyways. If you don't lose money then you don't invest. I left 1800 on top of a pay phone, I spent over 70 thousand staying out of jail, I have had deals go south and lose. I lost about 40k during Hurricane Katrina. So I have lost lots of money; I have made lots of money too.

If you think that BTC is a free market right now you are wrong. It is a manipulated market. When the monopoly that BTC currently enjoys ends it will get a lot closer to a free market.
HappyScamp
Sr. Member
****
Offline Offline

Activity: 314
Merit: 250



View Profile
February 13, 2013, 02:24:23 AM
 #103

From what I read, there is malware out there that can not only do keylogging, but can turn on your monitor, your mic, or copy your screen and deliver it remotely.

These things can also get into your phone.  A relative had his cc# stolen and used via typing it into his phone.

Whether or not this is what happened in THIS case, it is a potential problem for anyone out there, and needs to be addressed.

IMO BT will not be perceived as safe until that issue set gets handled.

JMO

BigFigurez
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
February 13, 2013, 04:06:49 AM
 #104

Wow, so they don't make you confirm anything when sending out a large sum of bitcoins? I'd expect at least an automated phone call or a secret phrase when sending out X amount of BTC at once, or in a given time.
SgtSpike
Legendary
*
Offline Offline

Activity: 1400
Merit: 1005



View Profile
February 13, 2013, 04:30:53 AM
 #105

Wow, so they don't make you confirm anything when sending out a large sum of bitcoins? I'd expect at least an automated phone call or a secret phrase when sending out X amount of BTC at once, or in a given time.
Exactly.  More security options would be better.
twolifeinexile
Full Member
***
Offline Offline

Activity: 154
Merit: 100



View Profile
February 13, 2013, 04:31:40 AM
 #106

PayPal locks out based on IP address. If I try to access from a strange IP it asks me a security question. Mt. Gox doesn't give a shit because they have zero liability. To all the tech guys talking about yubikeys and 2fa nerd stuff: you don't get it, people aren't going to do that. This thing only works if people use it. I am shocked to see the bitcoin faith in here. It is all worthless if people don't adopt it. If you think bitcoin is a retirement plan you are out of your mind.

A lot of banks already use it, don't they? SMS one-time authorization codes are not fundamentally different from other 2FA, it's just that people are more used to them. How difficult is it to open your iPhone/Android app and type the number shown there into a website?

And probably yes, bitcoin is not for the average Joe NOW; the bitcoin ecosystem is evolving, and evolving fast.
And becoming a currency is DEFINITELY NOT EASY. If it succeeds in the end, it will be a bumpy road, but think about it: in these many thousands of years, except for fiat and gold, is there anything else that has even gotten close to becoming a currency? With bitcoin, it is a possibility. That possibility itself is already a big event.

The whole point of bitcoin is that there are security features built in that allow SOME people with decent knowledge and skill in computer security to handle it correctly and become the nuclei for further expansion into the normal world. In the process, ways to handle it correctly and easily will emerge.




SgtSpike
Legendary
*
Offline Offline

Activity: 1400
Merit: 1005



View Profile
February 13, 2013, 04:35:19 AM
 #107

PayPal locks out based on IP address. If I try to access from a strange IP it asks me a security question. Mt. Gox doesn't give a shit because they have zero liability. To all the tech guys talking about yubikeys and 2fa nerd stuff: you don't get it, people aren't going to do that. This thing only works if people use it. I am shocked to see the bitcoin faith in here. It is all worthless if people don't adopt it. If you think bitcoin is a retirement plan you are out of your mind.

A lot of banks already use it, don't they? SMS one-time authorization codes are not fundamentally different from other 2FA, it's just that people are more used to them. How difficult is it to open your iPhone/Android app and type the number shown there into a website?

And probably yes, bitcoin is not for the average Joe NOW; the bitcoin ecosystem is evolving, and evolving fast.
And becoming a currency is DEFINITELY NOT EASY. If it succeeds in the end, it will be a bumpy road, but think about it: in these many thousands of years, except for fiat and gold, is there anything else that has even gotten close to becoming a currency? With bitcoin, it is a possibility. That possibility itself is already a big event.

The whole point of bitcoin is that there are security features built in that allow SOME people with decent knowledge and skill in computer security to handle it correctly and become the nuclei for further expansion into the normal world. In the process, ways to handle it correctly and easily will emerge.
I agree - which is why we should be discussing what those emerging ways to handle it correctly will be.  Rather than sit and wait for something to happen, why not discuss what security options should be implemented and push exchanges to implement them?
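
The controls proposed in the posts above (confirmation for a large withdrawal "at once, or in a given time", and a challenge on access from an unfamiliar IP), sketched as an added example that is not part of the thread and not any exchange's code. The 10 BTC / 24 hour limits, all names and the sample IPs are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed policy values for illustration (not any exchange's real limits).
WINDOW = timedelta(hours=24)
LIMIT_BTC = Decimal("10")

@dataclass
class Account:
    known_ips: set = field(default_factory=set)  # IPs already confirmed by the owner
    history: list = field(default_factory=list)  # (time, amount) of approved withdrawals

def withdrawal_checks(acct, amount, ip, now):
    """Return the reasons a withdrawal needs out-of-band confirmation."""
    reasons = []
    if ip not in acct.known_ips:
        reasons.append("unfamiliar_ip")
    recent = sum((a for t, a in acct.history if now - t <= WINDOW), Decimal("0"))
    if amount > LIMIT_BTC:
        reasons.append("single_amount_over_limit")
    elif recent + amount > LIMIT_BTC:
        reasons.append("window_total_over_limit")
    return reasons

def request_withdrawal(acct, amount, ip, now, confirmed=False):
    """Release funds only if no check fires or the owner confirmed out of band."""
    reasons = withdrawal_checks(acct, amount, ip, now)
    if reasons and not confirmed:
        return "HOLD", reasons  # nothing leaves the account, history unchanged
    acct.history.append((now, amount))
    acct.known_ips.add(ip)  # an IP is trusted only after an approved action
    return "APPROVED", reasons

def demo():
    """Constructed scenario: routine use, then a drain attempt from a new IP."""
    t0 = datetime(2013, 2, 7, 12, 0)
    home, other = "198.51.100.7", "203.0.113.50"  # documentation-range IPs
    acct = Account(known_ips={home})
    return [
        request_withdrawal(acct, Decimal("2"), home, t0),
        request_withdrawal(acct, Decimal("9"), home, t0 + timedelta(hours=1)),
        request_withdrawal(acct, Decimal("190"), other, t0 + timedelta(hours=2)),
        request_withdrawal(acct, Decimal("9"), home, t0 + timedelta(hours=3), confirmed=True),
    ]

if __name__ == "__main__":
    for status, reasons in demo():
        print(status, reasons)
```

A held request changes neither the withdrawal history nor the trusted-IP set, so repeated attempts from a stolen session cannot raise its own limits.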
Arthur3000
Newbie
*
Offline Offline

Activity: 5
Merit: 0


View Profile
February 13, 2013, 05:06:34 AM
 #108

that sucks
movellan
Full Member
***
Offline Offline

Activity: 352
Merit: 100


View Profile
March 26, 2013, 09:42:12 AM
Last edit: March 26, 2013, 10:40:25 AM by movellan
 #109

Yeah, so far Yubikey seems to be the only solution, even regular sweeps with netsec and antivir would not guarantee you safety. :/

Yes, until the Yubikey takes a dump. When that happens, it appears you have to send the dead unit back to Japan and wait for delivery of a replacement before accessing your account. I recently closed my Mt Gox account and they tried to get me back by offering a free Yubikey. No thanks.

BTW, Danny said the free Yubikey code is OK for anyone, so if you want, it's good through April 14. PM me.


Update:  Yubikey is gone.
zeocrash
Full Member
***
Offline Offline

Activity: 134
Merit: 100


View Profile
March 26, 2013, 01:50:13 PM
 #110

I had my mtgox account cleared out about 2 weeks ago. The attackers somehow got my username and password. Fortunately I only had 2 BTC in there. I feel for you. It's a horrible feeling when you realize that someone has just taken all your BTC. I didn't have 2 factor authentication on, which I now have. I still have no idea how the attacker got my username and password; I did a thorough scan of my computer and my phone for key loggers, Trojans etc. and found nothing.

The withdraw email that MtGox sends is incredibly frustrating. Why ask me to contact them if there's nothing they can do about it? I'd prefer an email that said

"If you didn't request this withdrawal, tough. You're never seeing those bitcoins again"

At least then I wouldn't have wasted half an hour trying to contact support only to be told that.

jens
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
April 23, 2013, 08:31:32 AM
 #111

Hi, a new newbie here.

I bought some bitcoins in July 2011. I moved a few to my wallet to play around with, but left the rest in Mt Gox. Wanting to access them now, I get nowhere. Can't log in, can't retrieve/reset my password, don't get any reply when contacting them. Is my experience common?

Cheers,

Jens
Jason101
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
April 23, 2013, 08:46:27 AM
 #112

Hi, a new newbie here.

I bought some bitcoins in July 2011. I moved a few to my wallet to play around with, but left the rest in Mt Gox. Wanting to access them now, I get nowhere. Can't log in, can't retrieve/reset my password, don't get any reply when contacting them. Is my experience common?

Cheers,

Jens

I would write them again, they are pretty good about that I heard
GerMG
Newbie
*
Offline Offline

Activity: 14
Merit: 0



View Profile WWW
April 23, 2013, 08:57:45 AM
 #113

always 2 factor
Darkcoins
Newbie
*
Offline Offline

Activity: 45
Merit: 0


View Profile
April 23, 2013, 09:44:07 AM
 #114

My advice would be..


1. Scan your machine for malware, RATs or keyloggers.
2. Run a free program from Microsoft called TCPView. Check for any reverse connections from your PC to a botnet. If you are connected to one you will see the remote IP of the computer or network you are connected to.
3. Back up your data and wipe the hard drives with DBAN (Boot and Nuke). This will remove any virus from the system.
4. Use 2-stage authentication. Invest in some more security like a Yubikey. Passwords are never enough anymore. And if you do decide to use just passwords, make them over 24 characters with symbols and special characters.

Hei_
Newbie
*
Offline Offline

Activity: 42
Merit: 0



View Profile
April 23, 2013, 10:03:36 AM
 #115

feeling bad for you
bradbrad
Newbie
*
Offline Offline

Activity: 27
Merit: 0


View Profile
April 23, 2013, 10:18:48 AM
 #116

Screw Gox. Would love to provide a reliable alternative, but with the growth rate of BTC and new people flooding the market every day, there simply isn't one. The lesser of the evils (and the one that's been the most reliable for me) is Bitstamp (even though their live trade is f@#ked up recently and you have to rely on bitcoinity for up-to-date trades).

jens
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
April 23, 2013, 10:44:03 AM
 #117

Thanks for your support and suggestions, but I followed Jason's advice and I mailed Mt. Gox once again - and this time the reply came immediately: my account had "been disabled due to inactivity". Phew!

All's well! False alarm!

Jens
cmp
Newbie
*
Offline Offline

Activity: 15
Merit: 0


View Profile
April 23, 2013, 10:55:15 AM
 #118

Thanks for your support and suggestions, but I followed Jason's advice and I mailed Mt. Gox once again - and this time the reply came immediately: my account had "been disabled due to inactivity". Phew!

All's well! False alarm!

Jens

Hah, that's a nice one. Phew Smiley Your bitcoins rose in value big time.
Chrisoldinho
Full Member
***
Offline Offline

Activity: 182
Merit: 100


View Profile
April 23, 2013, 11:00:23 AM
 #119

unlucky, lost 15 LTC the other day myself  Embarrassed not quite on your level though!

Reputation thread - https://bitcointalk.org/index.php?topic=207526.0

BTC: 1Lx4N52ZWBJ2ieRudrrUGjec6RybBuGhVV