Bitcoin Forum
October 21, 2017, 06:59:35 AM *
Author Topic: Stolen Bitfinex Coins on the Move  (Read 5793 times)
Carlton Banks
February 02, 2017, 12:47:03 PM
 #121

Say, I have an Android emulator installed on my computer (I was using it when there hadn't yet been a tablet version of WhatsApp, and WhatsApp worked), so I could install Google Authenticator there, disable the network connection and use it safely?

You could do that, although I would describe it as "safer", not absolutely safe. It's just a mouse move in the IT security cat & mouse game.

Is FreeOTP available in Google Play? What is the basic principle behind this method of authentication, in two words (as you understand it)?

I believe Play Store has it, but I get my FreeOTP app from the F-Droid Store

It uses the same protocol as GAuth. The principle is that the app creates a "One Time" access code that is only valid for a few minutes. The website checking the access code has a copy of your GAuth key (they gave it to you to begin with), and so they can ascertain that the code you provide to them is authentic. It (the access code) is essentially just your Gauth key and the current time/date run through a hashing algorithm (I think it's a multiple hash algo affair, the codes are shorter than the bitlengths of the hash algos used)


Vires in numeris
deisik
February 02, 2017, 03:02:08 PM
 #122

Say, I have an Android emulator installed on my computer (I was using it when there hadn't yet been a tablet version of WhatsApp, and WhatsApp worked), so I could install Google Authenticator there, disable the network connection and use it safely?

You could do that, although I would describe it as "safer", not absolutely safe. It's just a mouse move in the IT security cat & mouse game.

Is FreeOTP available in Google Play? What is the basic principle behind this method of authentication, in two words (as you understand it)?

I believe Play Store has it, but I get my FreeOTP app from the F-Droid Store

It uses the same protocol as GAuth. The principle is that the app creates a "One Time" access code that is only valid for a few minutes. The website checking the access code has a copy of your GAuth key (they gave it to you to begin with), and so they can ascertain that the code you provide to them is authentic. It (the access code) is essentially just your Gauth key and the current time/date run through a hashing algorithm (I think it's a multiple hash algo affair, the codes are shorter than the bitlengths of the hash algos used)

That seems to be the point that I was missing in understanding what GAuth is basically about (and needed to know). But in that case, I can't possibly see how it can be safer than sms verification. Essentially, the hacker just needs to steal your GAuth code (which is simply your access key) to confirm anything which you set to confirm with it. Indeed, you would still need access to a user account for which the access code is being generated but you would anyway need this access to make use of a successful phone hack. Therefore, I guess, we can compare the security of these two methods of authentication directly, and I don't see any advantages of Google Authenticator. Stealing this key is likely much easier than hacking a phone

What else am I missing here?

Factmine
February 02, 2017, 11:56:46 PM
 #123

Say, I have an Android emulator installed on my computer (I was using it when there hadn't yet been a tablet version of WhatsApp, and WhatsApp worked), so I could install Google Authenticator there, disable the network connection and use it safely?

You could do that, although I would describe it as "safer", not absolutely safe. It's just a mouse move in the IT security cat & mouse game.

Is FreeOTP available in Google Play? What is the basic principle behind this method of authentication, in two words (as you understand it)?

I believe Play Store has it, but I get my FreeOTP app from the F-Droid Store

It uses the same protocol as GAuth. The principle is that the app creates a "One Time" access code that is only valid for a few minutes. The website checking the access code has a copy of your GAuth key (they gave it to you to begin with), and so they can ascertain that the code you provide to them is authentic. It (the access code) is essentially just your Gauth key and the current time/date run through a hashing algorithm (I think it's a multiple hash algo affair, the codes are shorter than the bitlengths of the hash algos used)

That seems to be the point that I was missing in understanding what GAuth is basically about (and needed to know). But in that case, I can't possibly see how it can be safer than sms verification. Essentially, the hacker just needs to steal your GAuth code (which is simply your access key) to confirm anything which you set to confirm with it. Indeed, you would still need access to a user account for which the access code is being generated but you would anyway need this access to make use of a successful phone hack. Therefore, I guess, we can compare the security of these two methods of authentication directly, and I don't see any advantages of Google Authenticator. Stealing this key is likely much easier than hacking a phone

What else am I missing here?

The problem with SMS verification is that sometimes you don't have your phone with you. Unlike a 2FA Google Authenticator where you can install it on your PC, tablet, phone or whatever device that supports it. Though, I would say it is a layer of security that would not really be hard to crack like you said. An SMS verification is much more secure but gives a lot of hassle in my opinion.


pinkflower
February 03, 2017, 06:11:40 AM
 #124

What about the kind of 2FA that uses the Google Authenticator app? Those are much safer than the ones used via SMS. Didn't one of the biggest investors of Ethereum and Augur get his cellphone hacked and had all his ETH and REP stolen? I don't know the whole story of what happened but there was a blog from Kraken that said the hackers were able to receive his 2FA codes.

For using the Google Authenticator 2FA protocol, you don't need a device that's connected to the internet, it just needs to be set to the correct time and date. So, you could mitigate attacks against a phone by keeping a separate phone specifically for your 2FA keys and app, that has no SIM or any WiFi connection.

I would recommend against using Google's closed source Authenticator client on a phone connected to the internet/phone network, but it's probably not an issue for an air-gapped phone. FreeOTP is a good open source authenticator that uses Google's protocol, if you're wanting to use an open source client.

So it's safer than 2FA via SMS then. I have an old iPod touch that's lying around in my office desk and hardly use it for anything since all my songs are already in my phone and I use Spotify most of the time anyway. I could start using that only for 2FA purposes.


deisik
February 03, 2017, 08:44:25 AM
 #125

That seems to be the point that I was missing in understanding what GAuth is basically about (and needed to know). But in that case, I can't possibly see how it can be safer than sms verification. Essentially, the hacker just needs to steal your GAuth code (which is simply your access key) to confirm anything which you set to confirm with it. Indeed, you would still need access to a user account for which the access code is being generated but you would anyway need this access to make use of a successful phone hack. Therefore, I guess, we can compare the security of these two methods of authentication directly, and I don't see any advantages of Google Authenticator. Stealing this key is likely much easier than hacking a phone

What else am I missing here?

The problem with SMS verification is that sometimes you don't have your phone with you. Unlike a 2FA Google Authenticator where you can install it on your PC, tablet, phone or whatever device that supports it. Though, I would say it is a layer of security that would not really be hard to crack like you said. An SMS verification is much more secure but gives a lot of hassle in my opinion.

I'm not sure if I'm quite correct on this (I just vaguely remember something like that) but mobile operators (at least some of them) may allow you to access copies of SMS sent to your phone through their online services. Thus if you have this option enabled, you can see the confirmation SMS codes even without your phone nearby. Regarding GAuth, its use might be really counterproductive if Google left some hole in it, either intentionally or inadvertently...

So if someone finds it, the app itself could potentially lead to money loss
