joepie91
June 16, 2011, 10:01:34 AM

My password was a KeePass-generated password of 20 randomly generated alphanumerical characters (mixed case). Needless to say the password has been changed.
I've done a full antivirus scan of my system which found nothing. I've also used various tools such as TCPView, Wireshark, and Security Task Manager (as well as the Windows Task Manager) to see if any suspicious services or processes were running, and it seems my system is clean. I'm not sure what happened here, but it seems unlikely that the issue was on my end.

You are assuming your system is OK after *something* got compromised? Any password is useless against a keylogger (that includes a future Bitcoin client offering wallet encryption). Today crimeware kits are sold with a nice GUI for the thump-your-head variety of criminal who barely knows the left from the right mouse button. A Bitcoin-tailored kit will have some kind of exploit to get in, a module for uploading wallet.dat, keylogger/VNC etc. functionality if needed, a module for cleaning up after itself as if it had never existed, and one for hiding itself from the usual suspects (all antiviruses, Spybot S&D, Wireshark, Process Explorer etc.) until such time that your wallet contains enough coin. Hell, the specialists already own a sizable number of machines and the crimeware might function as a search engine for interesting data on the botnet. They may even fix other vulnerabilities to keep the competition out and keep your system in shape to guarantee uptime (a dead zombie is worthless, heh). The only way to be sure is to start completely fresh. Including BIOS flashes and viewing old backups as compromised too. And changing Bitcoin addresses, obviously.

I'm aware of how malware works, thank you. My bitcoins in my wallet have already been moved to a different machine, and seeing as this is not the machine I usually work on (I usually use my Windows machine for website testing purposes only) the system being compromised is really not that big of an issue. Regarding "hiding until there are enough coins" - you do realize the theft was from a Mt. Gox account and not from a wallet file? Did you even completely read my post?

What does KeePass do, is that one of those things that saves your passwords so you don't have to type them in? Sort of defeats the point, no?

I would say good thing you learned your lesson at 10 BTC instead of 100 BTC or 1000 BTC.

KeePass (and other password safes) are actually one of the few proper methods to manage randomly generated passwords. You can't just "grab someone's passwords".

Mt. Gox also really needs to add some sort of secondary verification.

Yes, I was thinking about this too - maybe a confirmation e-mail for every account withdrawal, whether in BTC or USD?

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
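The "confirmation e-mail for every account withdrawal" idea above, worked through as an added example. This is illustrative code written for this page, not Mt. Gox's implementation and not code from anyone in the thread. The server secret, user ids, amounts and destination addresses are all constructed; the design it shows is a server-signed token that binds the exact withdrawal (user, amount, destination) to an expiry, so a link captured from a mailbox or a log cannot be replayed for a different or larger withdrawal.

```python
"""Added example, not code from the thread or from Mt. Gox: a signed,
time-limited confirmation token of the kind a 'confirmation e-mail for every
account withdrawal' would carry.  SERVER_KEY, user ids, amounts and addresses
are all constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: one secret that never leaves the server.  The account password
# alone does not let an attacker mint tokens; they would also need to read the
# victim's mailbox to obtain a valid link.
SERVER_KEY = b"constructed-server-secret-not-a-real-key"
TOKEN_TTL = 15 * 60                 # seconds a confirmation link stays valid
TAG_LEN = hashlib.sha256().digest_size
# Assumption: field values (user id, amount string, address) never contain "|".


def _tag(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_withdrawal_token(user_id: str, amount: str, dest_addr: str,
                           now: Optional[float] = None) -> str:
    """Token for the confirmation link.  It binds user, exact amount,
    destination and expiry, so a captured link cannot be replayed for a
    different, larger or later withdrawal."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    nonce = secrets.token_hex(8)                      # each token is unique
    payload = "|".join([user_id, amount, dest_addr, str(expires), nonce]).encode()
    return base64.urlsafe_b64encode(payload + _tag(payload)).decode()


def verify_withdrawal_token(token: str, user_id: str, amount: str,
                            dest_addr: str, now: Optional[float] = None) -> bool:
    """Execute the withdrawal only if the token is authentic, unexpired and
    describes exactly the withdrawal the server is about to perform."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return False
    if len(raw) <= TAG_LEN:
        return False
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(payload)):   # forged or edited
        return False
    fields = payload.decode().split("|")
    if len(fields) != 5:
        return False
    t_user, t_amount, t_dest, t_expires, _nonce = fields
    current = time.time() if now is None else now
    if int(t_expires) < current:                      # link has expired
        return False
    return (t_user, t_amount, t_dest) == (user_id, amount, dest_addr)


def forge_amount(token: str, old_amount: str, new_amount: str) -> str:
    """What an attacker holding a captured link might try: edit the amount in
    the payload.  Without SERVER_KEY the tag cannot be recomputed."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    payload = payload.replace(f"|{old_amount}|".encode(), f"|{new_amount}|".encode())
    return base64.urlsafe_b64encode(payload + tag).decode()


if __name__ == "__main__":
    t0 = 1_700_000_000                                # constructed clock
    tok = issue_withdrawal_token("alice", "10.0", "1ConstructedDestAddr", now=t0)
    print("genuine, in time:", verify_withdrawal_token(tok, "alice", "10.0", "1ConstructedDestAddr", now=t0 + 60))
    print("amount edited   :", verify_withdrawal_token(forge_amount(tok, "10.0", "600.0"), "alice", "600.0", "1ConstructedDestAddr", now=t0 + 60))
    print("after expiry    :", verify_withdrawal_token(tok, "alice", "10.0", "1ConstructedDestAddr", now=t0 + TOKEN_TTL + 1))
```

The token only proves that whoever clicked the link could read the account's mailbox, which is the whole point: an attacker who has the exchange password (from a keylogger, a reused password or a dumped database) still cannot complete the withdrawal without a second channel. The expiry and the per-token nonce limit how long a leaked link is useful, and comparing the tag with hmac.compare_digest avoids a timing side channel on the check.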
aral
Newbie
Offline
Activity: 42
Merit: 0
June 16, 2011, 10:46:06 AM

The only way to be sure is to start completely fresh. Including BIOS flashes and viewing old backups as compromised too. And changing Bitcoin addresses, obviously.

Perhaps I misunderstand but there have been a few threads like this and it seems a common presumption here that the user is compromised. People have every reason to be wary of a site like Mt. Gox that suddenly has huge volumes of money moving through it and the operators are relatively inexperienced. I'm not saying they have a security problem for sure, I just think it would be unwise to leave large balances on there.
joepie91
June 16, 2011, 11:14:39 AM

The only way to be sure is to start completely fresh. Including BIOS flashes and viewing old backups as compromised too. And changing Bitcoin addresses, obviously.

Perhaps I misunderstand but there have been a few threads like this and it seems a common presumption here that the user is compromised. People have every reason to be wary of a site like Mt. Gox that suddenly has huge volumes of money moving through it and the operators are relatively inexperienced. I'm not saying they have a security problem for sure, I just think it would be unwise to leave large balances on there.

Which is also why I find it unlikely that the compromise was on my side. For example: I don't see how a login sent using GET should ever be considered secure - someone looking over your shoulder, being saved in browser history, to name a few. There is no two-factor authentication of any kind either. Now I'm not directly accusing Mt. Gox of being "at fault" here, don't get me wrong, but I think it is reasonable to consider the issue being on Mt. Gox' side as well.
diven
Newbie
Offline
Activity: 14
Merit: 0
June 16, 2011, 01:36:02 PM

Same thing happened to me last night, someone purchased BTC with all USD and withdrew the BTC. 5K in USD and 600 BTC gone with the wind. Change your passwords people.
randomguy7
June 16, 2011, 05:20:00 PM

Same thing happened to me last night, someone purchased BTC with all USD and withdrew the BTC. 5K in USD and 600 BTC gone with the wind. Change your passwords people.

How strong was your password?
diven
Newbie
Offline
Activity: 14
Merit: 0
June 16, 2011, 05:58:43 PM

Strong by most standards: letters, numbers, special characters. Nothing in a dictionary.
randomguy7
June 16, 2011, 06:30:35 PM

This is scary. How many chars did you use? And did you use this password somewhere else?
NO_SLAVE (OP)
Newbie
Offline
Activity: 56
Merit: 0
June 16, 2011, 06:33:46 PM

Keep your money in Dwolla, not in the Mt. Gox account... at least with Dwolla it is FDIC insured.
Bad bad juju building for BTC with these stories.
joepie91
June 16, 2011, 08:53:27 PM
joepie91
June 16, 2011, 09:25:26 PM

If your account was broken into, also look here: http://forum.bitcoin.org/index.php?topic=18050.0
bitcoinminer
June 16, 2011, 11:42:00 PM

Maybe no more putting your wallet addresses in signatures as well...

Be fearful when others are greedy, and greedy when others are fearful.
-Warren Buffett
joepie91
June 16, 2011, 11:59:58 PM

Maybe no more putting your wallet addresses in signatures as well...

That should not matter.
bitcoinminer
June 17, 2011, 12:07:58 AM

Maybe no more putting your wallet addresses in signatures as well...

That should not matter.

"Should" doesn't really apply in cases of identity theft... everyone's money SHOULD be safe... I'm just saying - too easy to track who's got what where, etc. If you see somebody withdrawing 500 BTC from somewhere, if you're a hacker, and you search for their wallet ID and come up with their forum name, etc. is what I'm getting at.
joepie91
June 17, 2011, 12:50:39 AM

Maybe no more putting your wallet addresses in signatures as well...

That should not matter.

"Should" doesn't really apply in cases of identity theft... everyone's money SHOULD be safe... I'm just saying - too easy to track who's got what where, etc. If you see somebody withdrawing 500 BTC from somewhere, if you're a hacker, and you search for their wallet ID and come up with their forum name, etc. is what I'm getting at.

Yes, but if you cannot link that address to other addresses, it won't really do much.
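The linking the reply above says an attacker would need, shown as an added example that is not part of the thread: the common-input-ownership heuristic used by chain-analysis tools. It rests on an assumption, not a protocol rule, that every input of one transaction was signed by the same party, so any address ever co-spent with a published address (SIG_ADDR below is a constructed stand-in for an address posted in a forum signature) gets attributed to its owner. The transactions are constructed; an address that only receives coins, or that is only ever spent on its own, is not linked to anything by this heuristic, which is what the advice in the thread to change addresses and avoid co-spending amounts to.

```python
"""Added example, not from the thread: the common-input-ownership heuristic
that chain-analysis tools use to link addresses, i.e. the linking the reply
above says an attacker would need before a published address is of any use.
Heuristic assumption, not a protocol rule: all inputs of one transaction were
signed by the same party.  The transactions below are constructed."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set

# Constructed transactions: addresses that signed inputs and addresses paid.
# SIG_ADDR stands in for an address someone published in a forum signature.
TXS: List[Dict[str, List[str]]] = [
    {"txid": "c1", "inputs": ["SIG_ADDR", "A2"], "outputs": ["X1"]},
    {"txid": "c2", "inputs": ["A2", "A3"],       "outputs": ["X2", "A4"]},
    {"txid": "c3", "inputs": ["B1"],             "outputs": ["B2"]},
    {"txid": "c4", "inputs": ["B2", "B3"],       "outputs": ["X3"]},
]


class _UnionFind:
    """Disjoint sets over address strings, with path halving on find."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs: List[Dict[str, List[str]]]) -> Dict[str, FrozenSet[str]]:
    """Map every address that ever signed an input to the set of addresses the
    heuristic attributes to the same owner.  Addresses that only ever
    received coins are absent: receiving links nothing under this heuristic."""
    uf = _UnionFind()
    for tx in txs:
        ins = tx["inputs"]
        if not ins:
            continue                          # coinbase-like: nothing spent
        uf.find(ins[0])                       # a lone spender is its own cluster
        for other in ins[1:]:
            uf.union(ins[0], other)           # co-spent => same owner (assumed)
    members: Dict[str, Set[str]] = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def linked_addresses(txs: List[Dict[str, List[str]]], addr: str) -> Set[str]:
    """Everything an observer would attribute to addr's owner; just addr
    itself when nothing links it."""
    return set(cluster_by_common_input(txs).get(addr, frozenset({addr})))


if __name__ == "__main__":
    for a in ["SIG_ADDR", "A4", "B1", "B2"]:
        print(a, "->", sorted(linked_addresses(TXS, a)))
```

In the constructed data SIG_ADDR is co-spent with A2 in c1, and A2 with A3 in c2, so the whole group {SIG_ADDR, A2, A3} is attributed to one owner even though SIG_ADDR and A3 never appear together. B1 is spent alone and B2 is only its output, so B1 stays unlinked and B2's later co-spend with B3 links B2 to B3 but not to B1. The heuristic is wrong whenever inputs belong to different parties (a coin-join, for instance), which is the caveat to keep in mind before treating its clusters as identities.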
Nescio
Jr. Member
Offline
Activity: 56
Merit: 1
June 17, 2011, 05:07:44 AM

Wow, flashing your BIOS? Are there actual cases of BIOS malware being used in the wild by hackers/fraudsters?

Not that I know of, but since it's possible you might as well. If you are really paranoid, of course, you would need to reflash externally, since it might protect itself against reflashing by immediately reflashing the attack code from memory. It's less likely a generic botnet operator would go to the trouble, but that's only because of 'low hanging fruit' being readily available. I guess the bottom line is that most people will do the minimum for protection, i.e. whatever the client already offers, and malware will focus on the lowest common denominator as long as it's profitable enough, but go the extra mile if it's worth it (and evolve when the client gets better protection etc.).

Regarding "hiding until there are enough coins" - you do realize the theft was from a Mt. Gox account and not from a wallet file?

Yes, and my point was that it's a mistake to discount all possibilities. Your original post didn't say anything about a separate machine BTW. But it hardly matters: unless that machine has not been connecting to your network, or to any network in general, it too cannot be considered as provably clean. Your account has been hacked, you don't know where from, assume the worst.
Maxxx
Member
Offline
Activity: 70
Merit: 11
June 17, 2011, 05:27:36 AM

So who's selling that Mt. Gox database? Share the wealth. Amirite?
I think it's fairly obvious at this point. Changing your password won't help if they are not hashing passwords either. This is speculation btw, but with so many account breaches...
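To make the "won't help if they are not hashing passwords" point concrete, an added example that is not the exchange's code and not code from the thread: the same constructed user table stored three ways (plaintext, unsalted MD5, salted PBKDF2), then what an attacker holding the dump can do with each. The accounts, passwords and the attacker's wordlist are all constructed; the comparison shows that without a salt the dump itself reveals who shares a password and one hash per guess tests every user, while a salted slow hash still falls to weak or reused passwords and only raises the cost per guess.

```python
"""Added example, not the exchange's code: what a dumped credential table
gives an attacker under three storage schemes, to make concrete the
'changing your password won't help if they are not hashing passwords' point.
ACCOUNTS and WORDLIST are constructed."""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Constructed accounts; alice and bob happen to use the same password.
ACCOUNTS = [("alice", "correct horse"), ("bob", "correct horse"),
            ("carol", "Tr0ub4dor&3-x9"), ("dave", "hunter2")]
# Constructed attacker wordlist, as if lifted from an earlier public dump.
WORDLIST = ["password", "hunter2", "letmein", "correct horse", "bitcoin"]
PBKDF2_ITERATIONS = 100_000


def store_plaintext(password: str) -> str:
    return password                      # the dump is every password, directly


def store_unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash; the record carries its own parameters."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_table(store: Callable[[str], str]) -> Dict[str, str]:
    """The table an attacker would obtain from the database dump."""
    return {user: store(pw) for user, pw in ACCOUNTS}


def users_with_identical_records(table: Dict[str, str]) -> List[List[str]]:
    """Users the attacker can pair up without cracking anything: without a
    salt, equal passwords produce equal stored values."""
    by_value: Dict[str, List[str]] = defaultdict(list)
    for user, rec in table.items():
        by_value[rec].append(user)
    return sorted(sorted(u) for u in by_value.values() if len(u) > 1)


def dictionary_attack_unsalted(table: Dict[str, str], wordlist: List[str],
                               store: Callable[[str], str]) -> Dict[str, str]:
    """One hash per candidate word tests every user in the dump at once."""
    lookup = {store(w): w for w in wordlist}
    return {u: lookup[rec] for u, rec in table.items() if rec in lookup}


def dictionary_attack_pbkdf2(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """The salt forces one slow derivation per (user, word) pair.  Weak and
    reused passwords still fall; the defence only raises the price per guess."""
    found: Dict[str, str] = {}
    for user, rec in table.items():
        for w in wordlist:
            if verify_pbkdf2(w, rec):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    for name, store in [("plaintext", store_plaintext), ("unsalted md5", store_unsalted_md5)]:
        table = build_table(store)
        print(name, "| identical records:", users_with_identical_records(table),
              "| cracked:", dictionary_attack_unsalted(table, WORDLIST, store))
    table = build_table(store_pbkdf2)
    print("pbkdf2 | identical records:", users_with_identical_records(table),
          "| cracked:", dictionary_attack_pbkdf2(table, WORDLIST))
```

The takeaway matches the post: if the stored values are plaintext or unsalted fast hashes, a dump hands the attacker every reused or guessable password at essentially no cost, and changing your password does nothing about credentials already taken. The salted slow hash is what a site should be using, but it only buys time per guess; a password that is on a public wordlist (dave's "hunter2" above) is still recovered, which is why the password itself also has to be unique and random.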
Nescio
Jr. Member
Offline
Activity: 56
Merit: 1
June 17, 2011, 05:31:27 AM

Perhaps I misunderstand but there have been a few threads like this and it seems a common presumption here that the user is compromised. People have every reason to be wary of a site like Mt. Gox that suddenly has huge volumes of money moving through it and the operators are relatively inexperienced. I'm not saying they have a security problem for sure, I just think it would be unwise to leave large balances on there.

Well yeah, if the exchange is compromised you can't do much, but given the fact that a lot of people are using Windows and use it for regular network access at the same time I'm inclined to give them the benefit of the doubt for now. I'm more curious right now about how they do it, because there is supposedly a $1000 limit a day on transfers, in BTC too.
dirtyfilthy
Member
Offline
Activity: 77
Merit: 10
June 17, 2011, 05:32:14 AM

I bet this is related to lulzsec's recent dump of 62,000 passwords. Password reuse anyone?
Maxxx
Member
Offline
Activity: 70
Merit: 11
June 17, 2011, 05:33:35 AM

I bet this is related to lulzsec's recent dump of 62,000 passwords. Password reuse anyone?

You could prolly ask joepie91