JRam (OP)
Newbie, Activity: 31, Merit: 0
September 14, 2013, 01:11:05 PM (Last edit: September 14, 2013, 11:51:00 PM by JRam)

https://i.imgur.com/DyjeYdh.jpg
https://i.imgur.com/TL1rJxc.jpg
https://i.imgur.com/J4dL01c.jpg
https://i.imgur.com/2WiPhYj.jpg

None of the trade activity in the screenshots is mine. I originally had $4,000 in USD, but the culprit converted it to BTC and withdrew it. How hard is it to bypass the YubiKey? I was not even awake at around 4 AM when this happened, so I don't think it is malware or phishing. In case this is some form of delayed malware, I'm doing a full scan at the moment with Malwarebytes. I am beginning to suspect Mt. Gox internal operations of doing this, especially after hearing all the news about Mt. Gox's financial problems. When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half-decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? I don't want to believe it, but the possibility of the largest BTC exchange stealing from its users paints a grim picture for BTC. If my suspicions are correct, I hope this serves as a warning to the rest of the BTC community.

01BTC10
VIP, Hero Member, Activity: 756, Merit: 503
September 14, 2013, 01:13:09 PM

I know it sounds dumb, but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.

JRam (OP)
Newbie, Activity: 31, Merit: 0
September 14, 2013, 01:17:18 PM

> I know it sounds dumb, but I remember reading about someone who had a YubiKey but forgot to activate it in his MtGox security center.

Can you clarify? I see my YubiKey specifically under "Withdrawals".

01BTC10
VIP, Hero Member, Activity: 756, Merit: 503
September 14, 2013, 01:18:20 PM

> Can you clarify? I see my YubiKey specifically under "Withdrawals".

You should be good then.

JRam (OP)
Newbie, Activity: 31, Merit: 0
September 14, 2013, 01:38:20 PM

> You should be good then.

Haha, well apparently not, since someone still managed to steal from my account. I added screenshots of the YubiKey. YubiKeys aren't supposed to be easy to crack, are they? I can only think of Mt. Gox itself doing this, so I will never trust them again.

01BTC10
VIP, Hero Member, Activity: 756, Merit: 503
September 14, 2013, 01:40:03 PM

> Haha, well apparently not, since someone still managed to steal from my account. I added screenshots of the YubiKey. YubiKeys aren't supposed to be easy to crack, are they? I can only think of Mt. Gox itself doing this, so I will never trust them again.

I don't have any clue what went wrong in your case, but at least you didn't forget to activate your YubiKey like I've already seen in the past. Is the OTP value I see Google Authenticator? If you made a backup of the seed somewhere, it could have been stolen.

Luno
September 14, 2013, 01:46:35 PM

You don't have Google Authenticator or a paired cell phone also on your withdrawal methods?
If a YubiKey can be faked, every university or other business using them is in trouble, and no, you can't sniff the key from a YubiKey: it's a hard-coded, non-recursive algorithm that calculates the last characters of your key every time you press the button. The long press used for withdrawals is even more complex.
So Gox hack or inside theft?

Pokerfan
September 14, 2013, 01:49:59 PM

Go into "Security Center" -> "Current API Keys".
Confirm there's nothing there.

JRam (OP)
Newbie, Activity: 31, Merit: 0
September 14, 2013, 02:02:09 PM (Last edit: September 14, 2013, 02:15:12 PM by JRam)

> Go into "Security Center" -> "Current API Keys".
> Confirm there's nothing there.

https://i.imgur.com/CKuu90B.jpg

I use the TobbeLino trade bot (https://github.com/TobbeLino/GoxTradingBotTobli), but its API key was only granted permissions to get_info and trade. This bot was also disabled for over a week, so I don't think this is the cause.

ardana123
September 14, 2013, 05:10:15 PM

Must be the API access you enabled, if you had a YubiKey configured.

01BTC10
VIP, Hero Member, Activity: 756, Merit: 503
September 14, 2013, 05:12:24 PM

> Must be the API access you enabled, if you had a YubiKey configured.

API key was only granted permissions to get_info and trade.

ardana123
September 14, 2013, 05:19:22 PM

Maybe his computer was on at the time, logged in to his Gox account? Someone might've taken over the computer.

rufusBTC
Jr. Member, Activity: 121, Merit: 1
September 14, 2013, 05:33:23 PM

There should be a way to reverse these types of transactions when something unauthorized occurs. That's the weakness of BTC right now.

CIYAM
Legendary, Activity: 1890, Merit: 1086
Ian Knowles - CIYAM Lead Developer
September 14, 2013, 05:37:05 PM

> There should be a way to reverse these types of transactions when something unauthorized occurs. That's the weakness of BTC right now.

Bitcoin doesn't work like that, but exchanges could very easily let you set up your account so that, say, a BTC transfer won't occur until 24+ hours after requesting it, giving you time to cancel such theft attempts. Bitcoin's *strength* is that it isn't reversible, but that does make it harder when building services that use it to help protect the users (it's always going to be a trade-off between speed and expense).

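The hold-and-cancel control CIYAM describes above, worked through as an added example (not code from this thread and not Mt.Gox's own withdrawal pipeline). The queue, the 24-hour hold, the "request from an unusual country goes to manual review" rule that the OP's red-flag remark suggests, and all sample requests and addresses are constructed assumptions for illustration.

```python
# Added example (not from the thread, not Mt.Gox code): a withdrawal hold with a
# cancellation window, plus a manual-review hold for requests that originate from
# a country the account never uses. Names, the 24-hour hold and the sample data
# are all constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal

HOLD = timedelta(hours=24)  # assumption: the "24+ hours" delay suggested in the post


@dataclass
class Withdrawal:
    wid: int
    amount_btc: Decimal
    address: str
    requested_at: datetime
    source_country: str
    status: str = "pending"  # pending | held_for_review | cancelled | released


@dataclass
class WithdrawalQueue:
    home_country: str  # country the account normally operates from
    requests: dict = field(default_factory=dict)
    next_id: int = 1

    def request(self, amount_btc, address, now, source_country):
        """Record a withdrawal but do not pay it out; the hold clock starts now."""
        w = Withdrawal(self.next_id, Decimal(amount_btc), address, now, source_country)
        self.next_id += 1
        # A request from a country the account never uses is not auto-released:
        # it waits for the owner or a reviewer instead of going out on the timer.
        if source_country != self.home_country:
            w.status = "held_for_review"
        self.requests[w.wid] = w
        return w.wid

    def cancel(self, wid):
        """The account owner can cancel anything that has not been paid out yet.
        This is the whole point of the hold: time to notice and stop a theft."""
        w = self.requests[wid]
        if w.status in ("pending", "held_for_review"):
            w.status = "cancelled"
        return w.status

    def release_due(self, now):
        """Scheduler entry point: pay out only requests whose hold has elapsed.
        Returns the ids released in this run."""
        released = []
        for w in self.requests.values():
            if w.status == "pending" and now - w.requested_at >= HOLD:
                w.status = "released"
                released.append(w.wid)
        return released

    def status(self, wid):
        return self.requests[wid].status


def demo():
    """Constructed scenario: a legitimate request from home, and a request from
    another country made at 4 AM that the owner cancels after waking up."""
    t0 = datetime(2013, 9, 14, 4, 0, tzinfo=timezone.utc)
    q = WithdrawalQueue(home_country="US")
    legit = q.request("0.5", "1ExampleAddressConstructedXXXX", t0, "US")
    stolen = q.request("29.8", "1AttackerAddressConstructedXX", t0, "CN")
    early = q.release_due(t0 + timedelta(hours=1))  # nothing is due yet
    q.cancel(stolen)                                # owner cancels the suspicious one
    later = q.release_due(t0 + HOLD)                # the legitimate one goes out
    return early, later, q.status(legit), q.status(stolen)


def held_request_is_not_auto_released():
    """A held request must never go out just because time passed."""
    t0 = datetime(2013, 9, 14, 4, 0, tzinfo=timezone.utc)
    q = WithdrawalQueue(home_country="US")
    wid = q.request("29.8", "1AttackerAddressConstructedXX", t0, "CN")
    q.release_due(t0 + 2 * HOLD)
    return q.status(wid)


if __name__ == "__main__":
    print(demo())
    print(held_request_is_not_auto_released())
```

The trade-off CIYAM mentions is visible in `release_due`: every legitimate withdrawal also waits the full hold, and the review queue needs a human behind it, so in practice an exchange would let the owner shorten the hold only through a step that itself requires the second factor.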
niko
September 14, 2013, 06:40:59 PM

> There should be a way to reverse these types of transactions when something unauthorized occurs. That's the weakness of BTC right now.

Yeah, that's the same reason why nobody in the world uses cash... huge weakness. @OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind-boggling. Even if your PC was completely compromised and you were logged into Gox that night, the hacker still needed to long-press the YubiKey. This is assuming your settings did not leave any holes via API or Google Auth, etc.

JRam (OP)
Newbie, Activity: 31, Merit: 0
September 14, 2013, 08:47:50 PM

> Maybe his computer was on at the time, logged in to his Gox account? Someone might've taken over the computer.

https://i.imgur.com/2WiPhYj.jpg

My PC is located in my home, but the person who withdrew had an IP address from China. Malwarebytes did not detect anything that I think would take over my computer. I'm not sure what it could be.

> Even if your PC was completely compromised and you were logged into Gox that night, the hacker still needed to long-press the YubiKey. This is assuming your settings did not leave any holes via API or Google Auth, etc.

Holes via Google Auth? Can you clarify? Maybe someone was testing if they got around my YubiKey, but I still don't know how. I am still suspecting Mt. Gox itself of doing this.

01BTC10
VIP, Hero Member, Activity: 756, Merit: 503
September 14, 2013, 08:53:04 PM

You do have a lot of annoying adware; this shouldn't be found on a "secure" computer.

JRam (OP)
Newbie, Activity: 31, Merit: 0
September 14, 2013, 08:59:43 PM

> You do have a lot of annoying adware; this shouldn't be found on a "secure" computer.

I did a bit of digging into this adware, but none of it seems to be able to take over my computer or is even related to Bitcoin. I'm running MSE atm, but it never recorded any attacks in its log. The logged IP address that did the transfer was from China; is this really something that originated from my PC? I'm still not sure how my YubiKey was bypassed, unless it was by Mt. Gox employees.

01BTC10
VIP, Hero Member, Activity: 756, Merit: 503
September 14, 2013, 09:02:54 PM

There is a weakness if the Google Authenticator seed was somehow compromised. I'm not sure if a session cookie could have been stolen to log in without the YubiKey and then use Google Authenticator for withdrawal. That would explain the external IP, but I'm not sure if stealing your cookie would work.
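01BTC10's point here, and in the earlier reply about a backed-up seed, is that a Google Authenticator code is a pure function of the shared seed and the clock: anyone holding a copy of the seed computes the same six digits the phone shows, so the seed backup is as sensitive as the factor itself. The following is an added example, not code from this thread, from Google Authenticator or from Mt.Gox: an RFC 6238 TOTP generator with the defaults Google Authenticator uses (HMAC-SHA1, 30-second step, 6 digits) and a server-side verifier that tolerates one step of clock drift but refuses to accept a time step twice. The seed is the RFC 6238 test key, not anyone's real seed; the class and function names are assumptions for illustration.

```python
# Added example (not from the thread, not Google's or Mt.Gox's code): RFC 6238 TOTP
# as Google Authenticator computes it, to show why a copied seed backup defeats that
# factor and what a verifier must do about replays. The seed below is the RFC 6238
# test key, not a real user's seed.
import base64
import hashlib
import hmac
import struct

# base32 of the RFC 6238 test key "12345678901234567890"
SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(seed_b32, unix_time, step=30, digits=6):
    """Pure function of (seed, time): whoever holds a copy of the seed, whether the
    phone, a backup file or someone who copied that backup, gets exactly this value."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded)
    counter = unix_time // step                                # 30-second time step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side. Two defensive details beyond 'recompute and compare':
    - tolerate one time step of clock drift either way;
    - never accept a time step at or below the last one used, so a code captured
      in transit cannot be replayed within its 30-second window."""

    def __init__(self, seed_b32, step=30, skew=1):
        self.seed_b32 = seed_b32
        self.step = step
        self.skew = skew
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code, unix_time):
        counter = unix_time // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # already used (or older than one used): treat as replay
            expected = totp_code(self.seed_b32, c * self.step, self.step)
            # constant-time comparison on bytes, so odd input cannot raise or leak timing
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 6-digit SHA1 code is 287082
    print(totp_code(SEED_B32, 59))
    v = TotpVerifier(SEED_B32)
    print(v.verify("287082", 59), v.verify("287082", 59))  # accepted, then refused as replay
```

The replay check only helps against a code that was observed once; it does nothing against a copied seed, which is why the remark about the seed backup matters more than any property of the code itself. It also does not address the session-cookie scenario 01BTC10 raises, which is a separate question of how the login session is bound to the second factor.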