Just lost 190 bitcoins through Mt. Gox

[avegetable]

This is very much true! There is no reason why they don't have options to lock IP and/or bitcoin address.

Locked IP is an interesting option. Does any other company offer that?

It does require a little technical knowledge from the users. People with dynamic IPs would have to specify an IP address range. Or several IP ranges for many ISPs.

It could prevent most unauthorized access (though not when the user's PC is hijacked and remove controlled), but there would also be a lot of extra support problems for Mtgox because of users accidentally locking themselves out of their own accounts.

[1715000809]

1715000809

[Prattler]

Locked IP is an interesting option. Does any other company offer that?

It does require a little technical knowledge from the users. People with dynamic IPs would have to specify an IP address range. Or several IP ranges for many ISPs.

It could prevent most unauthorized access (though not when the user's PC is hijacked and remove controlled), but there would also be a lot of extra support problems for Mtgox because of users accidentally locking themselves out of their own accounts.

Just something as simple as send a warning email and allow cash out after 2+ days, if your IP is new.

[Zomdifros]

Locked IP is an interesting option. Does any other company offer that?

Yes, Blockchain does. However, as Prattler states, a simple email warning plus temporary lock for new IP's would be sufficient for now and must be quite easy to implement. It would of course increase the amount of work for their customer service but then again, if MtGox wants to remain the largest Bitcoin exchange in a few years time (and ultimately make an obscene amount of money), now would be the time to invest in their service.

[Bitsaurus]

Funny that the mining pools seem to have more safety lockouts than MtGox does.

[avegetable]

Funny that the mining pools seem to have more safety lockouts than MtGox does.

It's not such a surprise. It's generally a good thing for Mtgox if as many people as possible sign up. A nice security feature that tends to lock idiots out of their own accounts won't help them achieve that.

For a mining pool on the other hand, having a feature that deters the less tech-savvy is probably good

[robocoin]

Let me guess.... no two factor authentication?

how I can activate two factor authentication on mtgox?

ID verify your Mt.Gox account, you should than receive the offer to obtain a yubikey - FOR FREE.

[DeathAndTaxes]

That point is of course quite true, however, it is basically illegal to send money through the mail for that very reason.

In the US it isn't illegal to send cash in the mail.  Never has been, just an urban legend.  Now the USPS recommends you don't send cash in the mail unless you send it registered mail as it isn't insured but the same applies to other valuables as well.

Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

I think the larger point is that MtGox has offered 2FA for what two years now.  Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled.  I don't think anyone said "too stupid" but if your house comes equipped with the ability to lock the doors but you choose not to and then get robbed well ...  Now if MtGox provided no mechanism to keep balances safe that would be a different story but they do.  Despite all the prior losses it seems people just refuse to accept that passwords are insecure.  That is why 2FA exists.

[Zomdifros]

Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

I think the larger point is that MtGox has offered 2FA for what two years now.  Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled.  I don't think anyone said "too stupid" but if your house comes equipped with the ability to lock the doors but you choose not to and then get robbed well ...  Now if MtGox provided no mechanism to keep balances safe that would be a different story but they do.  Despite all the prior losses it seems people just refuse to accept that passwords are insecure.  That is why 2FA exists.

Sure, they offer 2FA, but as a customer you pretty much have to find it out yourself. With a regular bank account it isn't even possible to make a withdrawal without 2FA in some form, it is a hard requirement. If we want Bitcoin to emerge from the niche it is in right now, everybody should be able to use it safely, even those who don't understand what 2FA is or why they need it, they should simply be forced to use it.

[robocoin]

Bitcoin is not going to win any supporters if it just takes the attitude "sorry but you are just too stupid to use this" (this last was about attitude at not any sort of attack on the OP btw).

I think the larger point is that MtGox has offered 2FA for what two years now.  Despite the never ending stream of "by coins are gone" posts they all have one thing in common ... 2FA wasn't enabled.  I don't think anyone said "too stupid" but if your house comes equipped with the ability to lock the doors but you choose not to and then get robbed well ...  Now if MtGox provided no mechanism to keep balances safe that would be a different story.

Everything is there you need. Maybe force 2FA for accounts with balances greater than 50 BTC.

Once I got ripped off 500€ from my bank account (bancomat skimmer), my bank immediatly compensated it. BUT if an attacker has your bank login AND your mobile phone is infected so the attcker can read your sms to retrieve the TAN numbers (mandatory 2FA here in Germany). Well, then you're on your own... I imagine there will be bank like Bitcoin systems in the future, eg. BitcoinCentral, just to be insurred against stuff like this.
40 years ago people did only brain fart in front of a computer. Secruity, cryptography and general awareness of computer systems will be more common for the "John Q. Public's" in near future. Its not that Bitcoin and the systems around it need to adjust itself down to "anyone's" abilities. Its more like that society will adjust itself to the level needed for Bitcoin.

[Stephen Gornick]

Maybe force 2FA for accounts with balances greater than 50 BTC.

Yup, or some checkbox that says "I ACKNOWLEDGE THAT 2FA IS RECOMMENDED BUT DECLINE THE RECOMMENDATION."


Because there a lot of that going on.

MtGox account got cleared out
 - http://bitcointalk.org/index.php?topic=85533.0

All BTC disappeared from my Mt. Gox account
 - http://bitcointalk.org/index.php?topic=88368.0

Another:
 - http://bitcointalk.org/index.php?topic=80562.msg941759#msg941759

And another: My mtgox account got compromised, what can I do?
 - http://bitcointalk.org/index.php?topic=84585.0

Yet more: MT.Gox account hacked - lost 2k USD - MT.GOX will not explain how.
 - http://bitcointalk.org/index.php?topic=89142.0

And more again: Bitcoins stolen from MtGox
 - http://www.reddit.com/r/Bitcoin/comments/x8lcv/bitcoins_stolen_from_mtgox

And yet more: Stolen from Mt.Gox coins. Help return the coins.
 - http://bitcointalk.org/index.php?topic=119816.0

Or more here: Email from Mt.Gox this morning.
 - http://www.reddit.com/r/Bitcoin/comments/z0na5/email_from_mtgox_this_morning

And even more here: I just had $715 stolen out of my Mt. Gox account.
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account

And the biggie: Bitcoinica MtGox account compromised
 - http://bitcointalk.org/index.php?topic=93074.0

With more here: Unauthorized Account Activity on my Mt.Gox Account - Account Compromised/Hacked?
 - http://bitcointalk.org/index.php?topic=94140.0

And even more: *MY* Mt Gox Account was Hacked - lost it all today... now what!?
 - http://bitcointalk.org/index.php?topic=137795.0

Ditto: My MtGox account was just exploited - 3 BTC stolen
 - http://bitcointalk.org/index.php?topic=141816.0

And now this one gets added to the list: Just lost 190 bitcoins through Mt. Gox
 - http://bitcointalk.org/index.php?topic=141831.0

And on other services as well. Here same thing happened to some GLBSE users:
 - http://bitcointalk.org/index.php?topic=84893.0

And elsewhere, BitMarket.eu in this instance:
 - http://bitcointalk.org/index.php?topic=5441.msg1259168#msg1259168

And now on bitcoin.de as well: Bitcoins stolen from bitcoin.de.
 - http://bitcointalk.org/index.php?topic=130264.0

In none of these was the person using multi-factor authentication. Mt. Gox has had Yubikey support for a while. Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html

If the exchange you are storing funds with doesn't provide OTP, consider using a different exchange:
 - http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges

If you are storing funds in an EWallet, consider using a paper wallet.

Here is a fantastic guide: How to use 2-factor auth on mtgox, even without a smartphone (from a second device, of course, not from the same computer you log in on).
 - http://bitcointalk.org/index.php?topic=111943.0

[CIYAM]

I think the larger point is that MtGox has offered 2FA for what two years now.  Despite the never ending stream of "my coins are gone" posts they all have one thing in common ... 2FA wasn't enabled.

In regards to sending cash in Aus every *delivery* company makes it *clear* you *cannot* send cash (so maybe different to the US) and I'm not know talking about legality but instead about any guarantee of refund for losses incurred (IANAL).

Also in Australia (at least) even if your 2FA is compromised your bank is *insured* and you will likely be *refunded* for losses due to theft (unless they can pretty much *prove* you *stole* the funds yourself).

Mt. Gox offers 0% protection AFAIA (correct me if I am wrong) and that is my point (no "mom's and dad's" are going to invest in something with zero guarantee in case of theft when there is a guaranteed option available and nor should they).

[sublime5447]

Pay pal locks out based on IP address, If I try to access from a strange IP it ask me a security question. MT gox doesn't give a shit because they have zero liability. To all the tech guys talking about yubikeys and 2fa nerd stuff you dont get it people aren't going to do that. This thing only works if people use it. I am shocked to see the bitcoin faith in here. It is all worthless if people dont adopt it. If you think bitcoin is a retirement plan you are out of your mind.

[rollingpaperguy]

My guess is that you used the same email and password as you used somewhere else....mtgox might be tough to crack...but any other website, not so much.

Make sure your bitcoin wallet and bitcoin accounts all have different passwords.

[mintymark]

I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I dont remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!!  Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversability of Bitcoin means it needs to be done better than the companies doing fiat transactions do!! 

[sublime5447]

I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I dont remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!!  Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversability of Bitcoin means it needs to be done better than the companies doing fiat transactions do!! 

100% agreed  couldn't have said it better. It bugs me when someone has been taken advantage of and there is a huge outcry blaming the victim. Basically the claim goes like this.. It is your fault for not being a big enough tech nerd. It you read wired magazine everyday and spent 90 percent of your time online learning about bitcoin like I do then you wouldnt have gotten scammed. Bitcoin is beyond reproach and the community shares no blame. 

[SgtSpike]

I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I dont remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!!  Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversability of Bitcoin means it needs to be done better than the companies doing fiat transactions do!! 

100% agreed  couldn't have said it better. It bugs me when someone has been taken advantage of and there is a huge outcry blaming the victim. Basically the claim goes like this.. It is your fault for not being a big enough tech nerd. It you read wired magazine everyday and spent 90 percent of your time online learning about bitcoin like I do then you wouldnt have gotten scammed. Bitcoin is beyond reproach and the community shares no blame. 

I'll agree with you here!

MtGox needs to implement better security options.  Withdrawal locks based on IP, email, and time should all be available options to users.  I would be so much more comfortable with putting funds on MtGox if I knew they couldn't be withdrawn to a different address other than what I've specified without email confirmation and a 7-day delay.  And I even have a yubikey required for logging in and withdrawal already!

[farlack]

I've read a 2F get hacked too. I bet its gox themselves..

I mean come on whats the likelihood of 7.6 billion people and only a few thousand that use bitcoin and all these gox hacks going around.


Id like to see a huge list of reports of peoples wallets on their computer, or blockchain.info getting fucked.

[Zomdifros]

I think this is truly sickening, and I am very sorry to hear about it. If normal people make mistakes that end up in financial loss, then there is the suggestion that you need to be "superman" in order to avoid this. Well I for one am not!

Goldmoney, and most banks banks do offer better security here, and (in my view) the reason this happened is because MtGox is not offering reasonable security here. Other exchanges such as Bitstamp are equally vulnerable.

Goldmoney sends an email pin, and disallows email changes. (Or maybe slows them down, I dont remember.)

I think IP address locking is also very useful. You could also do it based on geo-location based on IP address. Someone in Sweden wants a withdrawal? Well I live in the USA and sometimes fly to London, so do not accept it from anywhere else!!  Challenge response is also useful.

There are lots of ways to do this well it seems to me and it seems to me that many Bitcoin exchanges are not doing it well right now. The non-reversability of Bitcoin means it needs to be done better than the companies doing fiat transactions do!! 

100% agreed  couldn't have said it better. It bugs me when someone has been taken advantage of and there is a huge outcry blaming the victim. Basically the claim goes like this.. It is your fault for not being a big enough tech nerd. It you read wired magazine everyday and spent 90 percent of your time online learning about bitcoin like I do then you wouldnt have gotten scammed. Bitcoin is beyond reproach and the community shares no blame. 

I'll agree with you here!

MtGox needs to implement better security options.  Withdrawal locks based on IP, email, and time should all be available options to users.  I would be so much more comfortable with putting funds on MtGox if I knew they couldn't be withdrawn to a different address other than what I've specified without email confirmation and a 7-day delay.  And I even have a yubikey required for logging in and withdrawal already!

So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?

[gweedo]

So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?

Half-assed job of security is kinda strong don't you think? I mean where does security on the consumer side start? 2 factor auth is the saving grace if you don't have that you can kiss your coins goodbye. Then you don't need all those bells and whistles which would probably cause more issues then they are worth. I think as long as Mt Gox isn't getting hack and leaking bitcoins from there wallet, I say security is good then. Take some responsibility, don't make Mt Gox your mom.

[SgtSpike]

So, I guess we all agree that MtGox is making a half-assed job of their security, can anybody tell us why they aren't upgrading this?

Half-assed job of security is kinda strong don't you think? I mean where does security on the consumer side start? 2 factor auth is the saving grace if you don't have that you can kiss your coins goodbye. Then you don't need all those bells and whistles which would probably cause more issues then they are worth. I think as long as Mt Gox isn't getting hack and leaking bitcoins from there wallet, I say security is good then. Take some responsibility, don't make Mt Gox your mom.

People WANT to take some responsibility, they just want more options to do it.  2FA is good for some things, but having some way to delay withdrawals to a new address seems like a sensible option to add.