Just had 39.70 bitcoins stolen from blockchain account!

[DeathAndTaxes]

Honestly I hear about people getting robbed from Blockchain all the time - Two-factor auth when using google is not real two-factor, it's an illusion because if one password is compromised by an infected computer so is the other.

Huh? 

Password is on entered on computer.
google auth code is obtained from smartphone.

2FA - as in two factors. 

How exactly does attacker knowing your password, compromise the independent google auth code? (Hint: it doesn't)

[1714823987]

1714823987

[mindtomatter]

Ask David Perry, happened to him last month

[DeathAndTaxes]

Ask David Perry, happened to him last month

I asked you because you made the ridiculous claim. 

[Fairfax]

Damn, that sucks, sorry to hear that.

[mindtomatter]

I don't use blockchain wallets two-factor or otherwise, so claim withdrawn.  I've directed David Perry to this thread to share his experience.

[enmaku]

Ask David Perry, happened to him last month

I still haven't received a real answer as to how my particular robbery happened but evidence points to one of two scenarios:

1. Most 2FA codes (GAuth and such) are good for a short window after generation. A keylogger which transmits to the attacker in real time would be adequate to allow an attacker to log in with a 2FA code I entered on my PC - this was actually a common method of circumventing 2FA to steal WoW gold back in the day. Anyway, since the passwords I need to send coins are the same as the passwords needed to change settings, view private keys etc the attacker could have compromised my account and exported my private keys without my knowledge, then waited until I had a worthwhile amount in the account before acting.

2. Blockchain.info doesn't require the 2FA code when sending from a phone. Prior to adding the PIN lock to the app there was no auth beyond passwords - a keylogged phone would be a much more sensitive attack vector.

In the end it was my fault for keeping more in a hot wallet than I was willing to lose - about $1,000 worth of coin - but it still stings.

[dxtwo]

Sorry for your loss. For others out there, I would not store your wallet anywhere but where you know it's most secure! Storing anywhere in the "cloud" or some website is asking for trouble. I don't even trust the apps on my phone. Also....switch to a non-windows OS, preferably something *nix based...

[mindtomatter]

Ask David Perry, happened to him last month

I still haven't received a real answer as to how my particular robbery happened but evidence points to one of two scenarios:

1. Most 2FA codes (GAuth and such) are good for a short window after generation. A keylogger which transmits to the attacker in real time would be adequate to allow an attacker to log in with a 2FA code I entered on my PC - this was actually a common method of circumventing 2FA to steal WoW gold back in the day. Anyway, since the passwords I need to send coins are the same as the passwords needed to change settings, view private keys etc the attacker could have compromised my account and exported my private keys without my knowledge, then waited until I had a worthwhile amount in the account before acting.

2. Blockchain.info doesn't require the 2FA code when sending from a phone. Prior to adding the PIN lock to the app there was no auth beyond passwords - a keylogged phone would be a much more sensitive attack vector.

In the end it was my fault for keeping more in a hot wallet than I was willing to lose - about $1,000 worth of coin - but it still stings.

Bitcoin is the single most sellable thing you can steal on the internet today.  Unlike credit cards or identies which bring in very low values when fenced, Bitcoins command full face value no matter what you do with them. 

Online wallets are the banks of the internet - Why rob a bank?  Because that's where the money is.

[icebear888]

Dont know if it will be helpful but you can keep your wallet offline so that is not visible.
To transfer BTC, you will then have to provide the private key.

Its bad to see all your BTC being stolen like that.

[piuk]

Sorry to hear this OP. Unfortunately there has been a lot of this going around lately.

- I would not recommend adding an alias to your wallet which is the same username you use on other bitcoin sites or is easily guessable. If you previously had a wallet with a common alias and no 2FA authentication I would recommend to create a new wallet.

- don't re-use the same password on other sites.

- Enable two factor authentication.

- Use the browser extension if you can https://blockchain.info/wallet/browser-extension.

- For any significant amount print a paper wallet https://blockchain.info/wallet/paper-wallet-tutorial-web and keep the majority of funds offline.

[Rampion]

Sorry to hear this OP. Unfortunately there has been a lot of this going around lately.

- I would not recommend adding an alias to your wallet which is the same username you use on other bitcoin sites or is easily guessable. If you previously had a wallet with a common alias and no 2FA authentication I would recommend to create a new wallet.

- Enable two factor authentication.

- Use the browser extension if you can https://blockchain.info/wallet/browser-extension.

- For any significant amount print a paper wallet https://blockchain.info/wallet/paper-wallet-tutorial-web and keep the majority of funds offline.

These are words of wisdom - that's about all you need to do to be pretty much safe (just follow ALL STEPS).

I would add just one thing: stop using Windoze and you will be safer by an order of magnitude. Linux is ideal, but even OSX is way safer out of the box than Microsoft's crap.

EDIT: and disable that Java shit if you have it enable.

[Chrithu]

The solution is to STOP USING ONLINE WALLETS TO STORE VALUE - If you need to use them for transactional stuff, then do it but keeping 5000usd on blockchain is just screaming rob me.

QFT.

Especially because setting up a local wallet and even cold storage isn't that hard to do.

[caveden]

Huh? 

Password is on entered on computer.
google auth code is obtained from smartphone.

2FA - as in two factors. 

How exactly does attacker knowing your password, compromise the independent google auth code? (Hint: it doesn't)

Well, you have to type the auth code given from phone into the potentially infected computer, don't you?

Assuming the malware is evolved enough, it could put itself between you and the site you're authenticating to. It would be like a hidden proxy to your session. Only that it could request withdraws that you did not request.

If another 2F code is required for a withdraw, the malware can still wait for you to do a legitimate transfer and proxy that, replacing the address and the amount that's actually sent to the server (while displaying the good tx data to your browser).

I'm not saying it's easy, but it's possible.

2F would be stronger if the smartphone would actually receive the tx data from the server, display it, and request a confirmation from the user. Sort of like Trezor is supposed to behave. The server would not release the money before receiving a signature from a key it knows is held only in the smartphone. The only vulnerabilities I can think of are (1) infecting both devices at once or (2) end-to-end address replacement. (1) is common to all 2F methods and is considered "unlikely", and (2) would be quite hard to implement (the malware would have to change even the initial source for the address, otherwise the user would see that the address displayed on the smartphone do not match), and, assuming the user checks the amount he confirms, it would not allow the thief to get anything more than what the user is sending (if he never sends large amounts at once, he's partially protected)

[Rampion]

Huh?  

Password is on entered on computer.
google auth code is obtained from smartphone.

2FA - as in two factors.  

How exactly does attacker knowing your password, compromise the independent google auth code? (Hint: it doesn't)

Well, you have to type the auth code given from phone into the potentially infected computer, don't you?

Assuming the malware is evolved enough, it could put itself between you and the site you're authenticating to. It would be like a hidden proxy to your session. Only that it could request withdraws that you did not request.

If another 2F code is required for a withdraw, the malware can still wait for you to do a legitimate transfer and proxy that, replacing the address and the amount that's actually sent to the server (while displaying the good tx data to your browser).

I'm not saying it's easy, but it's possible.

2F would be stronger if the smartphone would actually receive the tx data from the server, display it, and request a confirmation from the user. Sort of like Trezor is supposed to behave. The server would not release the money before receiving a signature from a key it knows is held only in the smartphone. The only vulnerabilities I can think of are (1) infecting both devices at once or (2) end-to-end address replacement. (1) is common to all 2F methods and is considered "unlikely", and (2) would be quite hard to implement (the malware would have to change even the initial source for the address, otherwise the user would see that the address displayed on the smartphone do not match), and, assuming the user checks the amount he confirms, it would not allow the thief to get anything more than what the user is sending (if he never sends large amounts at once, he's partially protected)

Well, obviously 2FA is not "the final solution". An attacker sophisticated enough could very well change the code on the page, so you think you are withdrawing to your address but you are in fact withdrawing the coins to the attacker's address.

It seems to me that was what the Strongcoin.com operator did to "intercept" the coins of one of his users to return them to Ozcoin: https://bitcointalk.org/index.php?topic=184610.0

EDIT: the final solution is a paper wallet. And a very good solution is cold storage with Armory (https://bitcoinarmory.com/)

[Pierre]

One of three things happened:

1) You had a weak, guessable or crackable password

2) You re-used your password on some other (dodgy) site

3) Your computer is infected with spyware

What do you think?

[naphto]

There gone.  Sorry but that is the reality.  Bitcoin was created to be irreversible like cash. 

This.
You kinda deserve to lose it, as you store too many money without any protection.

[Double-Spent]

Do we know how this happened?

[r3wt]

this is why you install good virus protection, spyware protection monitor your processes and clear your cache frequently. for the love of christ download avast internet security and use it in sandbox mode for any type of transaction. credit card, bitcoin, whatever it is. always use the sandbox mode. my buddy owns a faucet and had all his money stolen from his account. Also, please use a a password that is ridiculous and never store it on your computer. memorize it or right it down. my password is 57 charachters long and i know it by heart. as for the scammer he may have one for now but karma will catch up with that little fucker!!

[Stolen]

There gone.  Sorry but that is the reality.  Bitcoin was created to be irreversible like cash. 

This.
You kinda deserve to lose it, as you store too many money without any protection.

"I kinda deserve it"

I work with computers on a daily basis im fully clued up on encryption, i used a totally diff password to any other so called dodgy site i use.

I presumed with 2 passwords on blockchain i was safe!

Not just been me hit is others that dont know yet ive followed my btc thats now sat in russia in an account holding 99k in 4 mear transactions.

but i "kinda deserve to lose it"

you make me sick.....

[Pierre]

So either your password was weak enough to break with a dictionary attack, or your computer is pwned. Which do you think it is?