Author Topic: BitFunder.com has been hacked and IT IS BitFunder's fault  (Read 30140 times)
burnside
July 09, 2013, 12:53:26 AM  #41

The easiest way to protect yourself would be using web applications that are coded securely. Now I'm not sure if btct.co uses an anti csrf token (I don't think it does?), but their PIN / 2 FA system makes this attack less useful (an attacker can just use JS to submit ~100 most common PINs)

Close, but not entirely correct.  Lockout gets triggered after ~5 bad PIN attempts.

Any btct.co users reading this, turn on 2FA if you can.  The PINs help but are really only placeholders for the 2FA form fields in the interfaces.

Websites are not safe for this application. Learn GPG. That is all.

I detect many suppressed lels in this statement.

GPG used incorrectly (key on your pc) is about as useful as the PINs.  It's better than nothing, but a virus can grab your key as easily as it can log your PIN.  Using GPG correctly via a 2nd non-networked PC and a sneakernet storage device is a PITA compared to gAuth or Yubikey.
🏰 TradeFortress 🏰
July 09, 2013, 01:34:29 AM  #42

GPG used incorrectly (key on your pc) is about as useful as the PINs.  It's better than nothing, but a virus can grab your key as easily as it can log your PIN.  Using GPG correctly via a 2nd non-networked PC and a sneakernet storage device is a PITA compared to gAuth or Yubikey.
But that's not a bad idea if you're dealing with a lot of money. You don't stuff hundreds of thousands of dollars in your mattress, do you?
burnside
July 09, 2013, 11:30:30 PM  #43

GPG used incorrectly (key on your pc) is about as useful as the PINs.  It's better than nothing, but a virus can grab your key as easily as it can log your PIN.  Using GPG correctly via a 2nd non-networked PC and a sneakernet storage device is a PITA compared to gAuth or Yubikey.
But that's not a bad idea if you're dealing with a lot of money. You don't stuff hundreds of thousands of dollars in your mattress, do you?

I think the point I was trying to make is that GPG is not 2FA out of the box.  You have to follow specific practices to make it that way, and such behavior is not nearly as intuitive as the alternatives.  It is difficult enough to use that it actually encourages insecure use.

dooglus
July 10, 2013, 04:19:18 AM  #44

you could probably even implement it yourself in a few lines of any scripting language

You can do it in 7 lines of Python code:

Code:
import hmac, base64, struct, hashlib, time

def get_hotp_token(secret, number):
    # secret is the base32 string from the QR code; the counter is packed
    # as an 8-byte big-endian integer and fed to HMAC-SHA1 (RFC 4226)
    key = base64.b32decode(secret, True)
    h = hmac.new(key, struct.pack(">Q", number), hashlib.sha1).digest()
    o = h[19] & 15   # dynamic truncation offset (Python 3: indexing bytes gives an int)
    return (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000

def get_totp_token(secret):
    # TOTP is just HOTP with the counter set to the current 30-second time step (RFC 6238)
    return get_hotp_token(secret, int(time.time())//30)

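The HOTP/TOTP computation from the post above, carried through as an added example (not dooglus's code and not BitFunder's): RFC 4226/6238 code generation plus the server-side verification a site needs, with a small clock-drift window, replay rejection, constant-time comparison and the bad-attempt lockout burnside mentions. The TotpVerifier class and its parameters are assumptions; the secret is the RFC test-vector key, not a real user's.

```python
# Added example: RFC 4226 HOTP / RFC 6238 TOTP with the verification logic a
# web site needs (drift window, replay rejection, constant-time compare, lockout).
import base64, hashlib, hmac, struct, time

def hotp(secret_b32, counter, digits=6):
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)  # keep leading zeros

def totp(secret_b32, now=None, step=30, digits=6):
    """TOTP = HOTP with the counter set to the current time step (default 30 s)."""
    t = int(time.time() if now is None else now)
    return hotp(secret_b32, t // step, digits)

class TotpVerifier:
    """Hypothetical server-side check: +/-window steps of drift, no replay, lockout after N failures."""
    def __init__(self, secret_b32, max_failures=5, window=1, step=30):
        self.secret, self.max_failures, self.window, self.step = secret_b32, max_failures, window, step
        self.failures = 0
        self.last_counter = -1     # highest counter already accepted; codes at or below it are replays

    def verify(self, code, now=None):
        if self.failures >= self.max_failures:
            return False           # locked out, the ~5-attempt limit burnside describes
        t = int(time.time() if now is None else now)
        for delta in range(-self.window, self.window + 1):
            counter = t // self.step + delta
            if counter <= self.last_counter:
                continue           # already used (or older than a used code)
            if hmac.compare_digest(hotp(self.secret, counter), str(code)):
                self.failures, self.last_counter = 0, counter
                return True
        self.failures += 1
        return False

# Constructed sample secret: the RFC 4226/6238 test key "12345678901234567890", base32-encoded.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
```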
whiskers75
July 10, 2013, 08:38:48 AM  #45

Is this one (http://www.maxoutput.com/authenticator/) good to use with 2-factor?
It works with bitfunder, then I added 2-factor on weexchange and now I can't log in again; weexchange is very "unstable", like a "beta website"  Angry
Looks like it.  Wink

Ukyo
July 10, 2013, 02:47:17 PM  #46

Is this one (http://www.maxoutput.com/authenticator/) good to use with 2-factor?
It works with bitfunder, then I added 2-factor on weexchange and now I can't log in again; weexchange is very "unstable", like a "beta website"  Angry

Most likely you failed to enter the password when setting up 2-factor on weexchange, and the page reloaded changing your 2-factor code after you had already scanned it, and then you locked yourself out.

If you need help with this, pm me.

Thanks,
Ukyo