cupo (OP)
Newbie
Offline
Activity: 44
Merit: 0
June 01, 2013, 03:56:02 AM
It's amazing that an account under 2FA on Mt.Gox can be hacked. This guy found his money withdrawn on May 31, 2013. Someone changed his password and cancelled all 2FA in the Security Center. He says he didn't use his mobile phone to get on Mt.Gox. How did the hacker get his 2FA private key?? It's so terrible, which means 2FA may not be safe.
Link to this post: https://bitcointalk.org/index.php?topic=221098.0
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
June 01, 2013, 04:16:30 AM
Possible physical compromise. Does he live with a roommate? Did he leave his phone somewhere? Malware on the phone?
They are all quite unlikely, but then again reports of 2FA hacks are very very rare.
dexX7
Legendary
Offline
Activity: 1106
Merit: 1026
June 01, 2013, 04:20:03 AM
Google 2FA is linked to the Google account, correct? Which means, if you take over the Google account, you pass 2FA. Maybe he used the same password on both? Or both of them were keylogged or stolen?
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
June 01, 2013, 04:21:26 AM
No. Google Authenticator is not linked to Google. It's a local app on your smartphone (or desktop).
cupo (OP)
Newbie
Offline
Activity: 44
Merit: 0
June 01, 2013, 04:25:05 AM
Is it possible to get a user's private key from the exchange site?
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
June 01, 2013, 05:17:33 AM
The "user" does not have a private key. Bitcoind uses shared wallets. If you got one private key, you got all private keys on the server.
redtwitz
June 01, 2013, 05:25:55 AM
There is no unbreakable authentication method, but the problem with most methods is that they aren't fool-proof. There are several ways to attack 2FA:
- Break the algorithm. Google Authenticator uses SHA-HMAC, so that's not the case here.
- The attacker discovered some exploit in Mt.Gox's server. Unless stories about hacked accounts start to pile up, that's also not the case.
- The phone was compromised. If the phone has access to the Mt.Gox password (e.g., it's stored in a password manager), malware or somebody with physical access to the phone could obtain both the password and the secret key.
- The device that was used to generate the secret key was compromised at the moment. Since you have to log into Mt.Gox to generate your secret key, it suffices to have a malware infection on that computer.
pilotniq
Newbie
Offline
Activity: 31
Merit: 0
June 02, 2013, 05:11:23 PM
There is no unbreakable authentication method, but the problem with most methods is that they aren't fool-proof. There are several ways to attack 2FA:
- Break the algorithm. Google Authenticator uses SHA-HMAC, so that's not the case here.
- The attacker discovered some exploit in Mt.Gox's server. Unless stories about hacked accounts start to pile up, that's also not the case.
- The phone was compromised. If the phone has access to the Mt.Gox password (e.g., it's stored in a password manager), malware or somebody with physical access to the phone could obtain both the password and the secret key.
- The device that was used to generate the secret key was compromised at the moment. Since you have to log into Mt.Gox to generate your secret key, it suffices to have a malware infection on that computer.
Actually, I read about an interesting fifth way just the other day. Because there's something like a 30-second window in which the GA code is valid, someone stealing the code with something like a keylogger could re-use the code to do whatever he wants if he's fast enough after getting it.
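As an added example (not code from anyone in this thread): the TOTP computation Google Authenticator performs locally from the secret shared at enrollment, the point redtwitz makes about the secret being generated while logged in, plus a server-side verifier that refuses to accept the same 30-second step twice, which is the standard mitigation for the replay window pilotniq describes. The enrollment secret is the RFC 6238 test-vector key, base32-encoded as a QR code would carry it, not any real account's key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed enrollment secret: the RFC 6238 test-vector key "12345678901234567890",
# base32-encoded as it would appear in an enrollment QR code. Not any real account's key.
ENROLLMENT_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 as the authenticator app computes it: HOTP with counter = floor(now / 30).
    Only the shared secret and the clock are involved; no Google account, no server."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side verification that also refuses to accept a time-step twice,
    so a code captured by a keylogger cannot be replayed inside its 30-second window."""

    def __init__(self, secret_b32: str, step: int = 30, skew: int = 1):
        self.secret = base64.b32decode(secret_b32)
        self.step, self.skew = step, skew
        self.last_step = -1  # highest counter already consumed for this user

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step:
                continue  # already used: blocks replay of a stolen code
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


def replay_demo(now: int = 1111111111) -> tuple:
    """The user logs in at `now`; an attacker who captured that code retries 5 s later.
    Returns (first_use_ok, replay_ok, next_step_ok) == (True, False, True)."""
    secret = base64.b32decode(ENROLLMENT_SECRET_B32)
    server = TotpVerifier(ENROLLMENT_SECRET_B32)
    code = totp(secret, now)
    first = server.verify(code, now)       # genuine login consumes this step
    replay = server.verify(code, now + 5)  # same step, same code: rejected
    later = server.verify(totp(secret, now + 30), now + 30)  # fresh step: accepted
    return first, replay, later
```

Without the `last_step` bookkeeping the replay call returns True, which is exactly the window a fast attacker exploits.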
Lethn
Legendary
Offline
Activity: 1540
Merit: 1000
June 02, 2013, 05:28:27 PM
Stop leaving your Bitcoins out in the open on internet accounts, holy crap, don't people ever learn?
bitcoinscanada
Member
Offline
Activity: 108
Merit: 10
June 03, 2013, 07:53:38 PM
Stop leaving your Bitcoins out in the open on internet accounts, holy crap, don't people ever learn?
+1
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
June 03, 2013, 07:55:36 PM
Stop leaving your Bitcoins out in the open on internet accounts, holy crap, don't people ever learn?
Thing is, I'm just as afraid to leave them on my computer. Paper wallets, but then those are moderately inconvenient. Still, it's what I use for larger BTC balances, at least until the hardware wallets come out.
af_newbie
Legendary
Offline
Activity: 2702
Merit: 1468
June 03, 2013, 07:58:13 PM
It's amazing that an account under 2FA on Mt.Gox can be hacked. This guy found his money withdrawn on May 31, 2013. Someone changed his password and cancelled all 2FA in the Security Center. He says he didn't use his mobile phone to get on Mt.Gox. How did the hacker get his 2FA private key?? It's so terrible, which means 2FA may not be safe.
Link to this post: https://bitcointalk.org/index.php?topic=221098.0
My money is on a keylogger on his machine, or on any machine he used to access his account.
dandannn
June 03, 2013, 08:04:10 PM
Does accessing your wallet via your mobile phone increase the risk of getting hacked?
joesmoe2012
June 05, 2013, 06:00:50 AM
Probably his roommate or someone else who was able to get access to his phone.
Don't be showing off your fancy Bitcoin account with 2FA to all your friends...