Bitcoin Forum
Author Topic: mt gox account stolen, I lost all my money  (Read 5389 times)
flatfly
May 13, 2013, 06:22:54 PM
 #21

Stop believing the myth that TFA is uncrackable.
It does improve security, sure, but it is in no way the holy grail.
There have been precedents where malware could steal funds despite TFA.

http://www.wired.com/insights/2013/04/five-myths-of-two-factor-authentication-and-the-reality/


this is crazy, but why don't gox have like you have to enter your birth date or something to cash out as well. that would make this bs avoidable. they could also have a setting so you receive e-mail if someone with ip outside your country logs in.

Measures like the above would greatly help secure user accounts (in addition to TFA) while being rather easy to implement, so Gox really has no excuses for neglecting such details.
 
DeathAndTaxes
May 13, 2013, 06:28:42 PM
 #22

Stop believing the myth that TFA is uncrackable.
It does improve security, sure, but it is in no way the holy grail.
There have been precedents where malware could steal funds despite TFA.

http://www.wired.com/insights/2013/04/five-myths-of-two-factor-authentication-and-the-reality/


Please provide some examples, your linked article did nothing of the sort.  

Nobody said anything about holy grail but extraordinary claims require extraordinary details. The OP provided no details so to assume MtGox 2FA has been compromised is dubious at this time.

Quote
Measures like the above would greatly help secure user accounts (in addition to TFA) while being rather easy to implement, so Gox really has no excuses for neglecting such details.
 

Unless the OP had a horribly weak password, the most common attack vector is to compromise the user's machine and gain access to credentials via keylogger. In that instance it is highly likely the user's email address is compromised as well (unless it is also protected by 2FA). A more sophisticated attack would use the OP's computer as a proxy or just steal the OP's session when already logged in. In either case the only IP would be the user's. Layering steps and procedures which all involve the same compromised machine is probably just "feel good" security.
ctlegacy
May 13, 2013, 06:33:42 PM
 #23

I agree, until OP gives more details... There were thousands of people reporting being hacked on Diablo 3 despite having a mobile authenticator. To this day not a single claim was proven. It's just not possible. I'm sure some TFAs can be cracked but it's highly unlikely. Just a troll I guess
yacoin
May 13, 2013, 06:33:56 PM
 #24

Edit: nvm, I suggested 2fa but you already had that.

Did you download any weird .exes ?
flatfly
May 13, 2013, 06:59:22 PM
 #25

Stop believing the myth that TFA is uncrackable.
It does improve security, sure, but it is in no way the holy grail.
There have been precedents where malware could steal funds despite TFA.

http://www.wired.com/insights/2013/04/five-myths-of-two-factor-authentication-and-the-reality/


Please provide some examples, your linked article did nothing of the sort.  

Nobody said anything about holy grail but extraordinary claims require extraordinary details. The OP provided no details so to assume MtGox 2FA has been compromised is dubious at this time.

Quote
Measures like the above would greatly help secure user accounts (in addition to TFA) while being rather easy to implement, so Gox really has no excuses for neglecting such details.
 

Unless the OP had a horribly weak password, the most common attack vector is to compromise the user's machine and gain access to credentials via keylogger. In that instance it is highly likely the user's email address is compromised as well (unless it is also protected by 2FA). A more sophisticated attack would use the OP's computer as a proxy or just steal the OP's session when already logged in. In either case the only IP would be the user's. Layering steps and procedures which all involve the same compromised machine is probably just "feel good" security.

My claim was not that extraordinary... It's not like I'm saying
I was abducted by a UFO or something :)

Anyway, here's one rather famous example:

http://arstechnica.com/security/2012/12/sophisticated-botnet-steals-more-than-47m-by-infecting-pcs-and-phones/

I agree with the rest of your comments.

DeathAndTaxes
May 13, 2013, 07:04:05 PM
 #26

Stop believing the myth that TFA is uncrackable.
It does improve security, sure, but it is in no way the holy grail.
There have been precedents where malware could steal funds despite TFA.

http://www.wired.com/insights/2013/04/five-myths-of-two-factor-authentication-and-the-reality/


Please provide some examples, your linked article did nothing of the sort. 

Nobody said anything about holy grail but extraordinary claims require extraordinary details. The OP provided no details so to assume MtGox 2FA has been compromised is dubious at this time.

Quote
Measures like the above would greatly help secure user accounts (in addition to TFA) while being rather easy to implement, so Gox really has no excuses for neglecting such details.
 

Unless the OP had a horribly weak password, the most common attack vector is to compromise the user's machine and gain access to credentials via keylogger. In that instance it is highly likely the user's email address is compromised as well (unless it is also protected by 2FA). A more sophisticated attack would use the OP's computer as a proxy or just steal the OP's session when already logged in. In either case the only IP would be the user's. Layering steps and procedures which all involve the same compromised machine is probably just "feel good" security.

My claim was not that extraordinary... It's not like I'm saying
I was abducted by a UFO or something :)

Anyway, here's one rather famous example:

http://arstechnica.com/security/2012/12/sophisticated-botnet-steals-more-than-47m-by-infecting-pcs-and-phones/

I agree with the rest of your comments.



Nice example.  This is one reason why I favor dedicated offline tokens.  PayPal (of all people) uses a nice one which is the size of a credit card so you can easily store it in your wallet.

The extraordinary claim was more directed at the OP's claim. Some details would be nice. Past examples of people reporting their 2FA on MtGox was compromised turned out to be untrue (in one example the user never activated it due to user error).
ija
May 13, 2013, 07:41:47 PM
 #27

Fawksey

uhmn, run a virus scan on your pc and mobile... and please tell us if you have any malicious software installed.

Hnm could be a decent hacker who just deletes the malicious software after use. There probably is something that points to what happened.


If she had back ups of her reset keys then they could "bypass" the security.

Ps fawkesy i agree with you about monsanto ... very naughty peeps.


saint-tropez
May 13, 2013, 07:45:47 PM
 #28

this is so sad...
MPOE-PR
May 13, 2013, 08:02:14 PM
 #29

I have two factor authentication on my accounts.

It was stolen despite this.

Ouch.

This is as far as I know the first report of 2FA being worthless on MtGox.

And if memory serves, the last time they got hacked it also started with two weeks of compromised accounts (which the "victims of their own success" blamed on the actual victims, of course).

D&T does have a point tho, any details you can provide would be useful.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
solidshotnosh
May 13, 2013, 08:09:11 PM
 #30

unless this was some sort of inside job. apparently it's happened to other people as well.

gox basically sent me their "call the police" form letter. When I explained that I did all their authentications right, they didn't reply.

I dunno, the whole point of this endeavor was to camwhore on reddit for tips, and then take some of my personal funds and invest with the hope of making ends meet a little easier. Now if anything the situation is far worse.

I think I may leave btc. Nobody ever broke into my USD bank account and stole all my money. Even if they did, I could get it back.

I think the worst part though is seeing the tor exit node and wallet name on blockchain and knowing some bastard did this to me.

Stop being so dramatic.

If you really put your "grocery" money into this, then you did this to yourself.

If you had actually spent time researching and combing through the forums for even a day you would have known the risks.

buddrulez
May 13, 2013, 08:17:33 PM
 #31

Your a can whore on credit and your complaining?!
Troophey
May 13, 2013, 08:31:29 PM
 #32

that is a sad story my friend :(
MPOE-PR
May 13, 2013, 08:44:36 PM
 #33

Your a can whore on credit and your complaining?!

Well at least she can grenner.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
buddrulez
May 13, 2013, 08:47:22 PM
 #34

Your a can whore on credit and your complaining?!

Well at least she can grenner.

God damm auto correct FML!
girlfawkesy (OP)
May 13, 2013, 11:39:23 PM
 #35

Sorry I was at work all day.

Yes, I got the email from gox, I emailed back and forth with them on their support site and basically they told me I'm screwed, the transaction is irreversible.

I was logged into gox last night shortly before going to bed when it happened. Nobody had physical access.

I'm thinking either my session got jacked or I have a keylogger/phone virus.

The IP the withdrawal came from was a Tor exit node in Sweden.

I know I'm screwed at this point, it just sucks.
casascius
May 13, 2013, 11:44:11 PM
 #36

MtGox should make it so you can lock BTC withdrawals to a single preset bitcoin address.  This would be simple and straightforward and would 100% eliminate losses like this.  This isn't the first time I have ever mentioned this crazy idea, there is no reason this can't be implemented yesterday, and I hope their competition brings it sooner than later.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Aineko
May 13, 2013, 11:58:44 PM
 #37

Only store on an e-wallet what you can afford to lose.
Learn a thing or two about computer security.
Try and use Linux to store your wallet
Equilux
May 14, 2013, 12:00:50 AM
 #38

I have two factor authentication on my accounts.

It was stolen despite this.

Ouch.

This is as far as I know the first report of 2FA being worthless on MtGox.

And if memory serves, the last time they got hacked it also started with two weeks of compromised accounts (which the "victims of their own success" blamed on the actual victims, of course).

D&T does have a point tho, any details you can provide would be useful.

Yeah, how could it be that 2FA was worthless? The article linked earlier talks about the kind where text messages were intercepted, but I can't imagine how a Google Authenticator could be intercepted. And why not make a fixed withdrawal address? That's really fucking easy to implement, and just send an e-mail when it's changed but make sure it takes two weeks before it would be really changed, which gives you plenty of time to sort things out with MtGox.
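
The fixed withdrawal address with an e-mailed, two-week delayed change proposed in posts #36 and #38, sketched as an added example (not part of any post in this thread and not MtGox code). The class and method names, the in-memory `outbox` standing in for e-mail, and the sample addresses are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

CHANGE_DELAY = timedelta(days=14)  # the two-week wait suggested in post #38

@dataclass
class WithdrawalLock:
    """Hypothetical per-account policy: coins leave only to one preset address."""
    address: str
    pending: Optional[tuple] = None             # (new_address, effective_at)
    outbox: list = field(default_factory=list)  # stand-in for e-mail delivery

    def _settle(self, now):
        # Promote a pending change only once the full delay has elapsed.
        if self.pending and now >= self.pending[1]:
            self.address, self.pending = self.pending[0], None

    def request_change(self, new_address, now):
        # Anyone holding the session can request a change, but it is never
        # immediate, and the owner is notified when the request is made.
        self._settle(now)
        self.pending = (new_address, now + CHANGE_DELAY)
        self.outbox.append(f"Withdrawal address change to {new_address} takes "
                           f"effect {self.pending[1]:%Y-%m-%d}; cancel if not you.")

    def cancel_change(self, now):
        # Owner or support aborts the change during the waiting period.
        self._settle(now)
        cancelled, self.pending = self.pending is not None, None
        return cancelled

    def authorize(self, dest, now):
        # Checked on every withdrawal, however the session was authenticated.
        self._settle(now)
        return dest == self.address

def demo():
    # Constructed scenario: a change request and withdrawal from a stolen session.
    t0 = datetime(2013, 5, 13, 23, 0)
    lock = WithdrawalLock("OWNER-ADDR-constructed")
    lock.request_change("THIEF-ADDR-constructed", t0)
    results = [lock.authorize("THIEF-ADDR-constructed", t0 + timedelta(minutes=5)),
               lock.authorize("OWNER-ADDR-constructed", t0 + timedelta(days=1)),
               lock.cancel_change(t0 + timedelta(days=2))]
    return results, lock.address, len(lock.outbox)
```

The delay only protects the account if the notification reaches a mailbox the intruder does not also control, which is the caveat raised in post #22 about a compromised machine and e-mail account.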

quixotist
May 14, 2013, 01:42:09 AM
 #39

The IP the withdrawal came from was a Tor exit node in Sweden.

Wow, I thought MtGox blocked accounts that were accessed via Tor. Is this not right?
data_teks
May 14, 2013, 01:50:12 AM
 #40

The IP the withdrawal came from was a Tor exit node in Sweden.

Wow, I thought MtGox blocked accounts that were accessed via Tor. Is this not right?

They can't catch everything. Losing money sucks, but at least it was only 4 BTC.