Bitcoin Forum
Author Topic: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen  (Read 8522 times)

sublime5447 (Legendary; Activity: 966, Merit: 1000)
September 14, 2013, 09:03:35 PM  #21

there should be a way to reverse these types of transactions when something unauthorized occurs. that's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

Cash payments are reversible; it is called small claims court.

Op, I don't know shit about the issue you are having, but it is screwed up. Goes to show you can't trust institutions.

It makes me sick that this happened to you.


JRam (OP) (Newbie; Activity: 31, Merit: 0)
September 14, 2013, 09:07:38 PM  #22

There is a weakness if the Google Authenticator seed was somehow compromised. I'm not sure if a session cookie could have been stolen to login without the YubiKey, then using Google Authenticator for withdrawal. That would explain the external IP, but I'm not sure if stealing your cookie would work.

there should be a way to reverse these types of transactions when something unauthorized occurs. that's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

Cash payments are reversible; it is called small claims court.

Op, I don't know shit about the issue you are having, but it is screwed up. Goes to show you can't trust institutions.

It makes me sick that this happened to you.




Thank you guys for your input thus far. I think I will have to distance myself from BTC now since the investment portion was a big reason why I got into BTCs. When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.

01BTC10 (VIP, Hero Member; Activity: 756, Merit: 503)
September 14, 2013, 09:09:15 PM  #23

There is a weakness if the Google Authenticator seed was somehow compromised. I'm not sure if a session cookie could have been stolen to login without the YubiKey, then using Google Authenticator for withdrawal. That would explain the external IP, but I'm not sure if stealing your cookie would work.

there should be a way to reverse these types of transactions when something unauthorized occurs. that's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

Cash payments are reversible; it is called small claims court.

Op, I don't know shit about the issue you are having, but it is screwed up. Goes to show you can't trust institutions.

It makes me sick that this happened to you.




Thank you guys for your input thus far. I think I will have to distance myself from BTC since the investment portion was a big reason why I got into BTCs. When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.
Long term investment should never be left on an exchange, use a paper wallet or an offline computer with Armory.

JRam (OP) (Newbie; Activity: 31, Merit: 0)
September 14, 2013, 09:14:13 PM  #24

There is a weakness if the Google Authenticator seed was somehow compromised. I'm not sure if a session cookie could have been stolen to login without the YubiKey, then using Google Authenticator for withdrawal. That would explain the external IP, but I'm not sure if stealing your cookie would work.

there should be a way to reverse these types of transactions when something unauthorized occurs. that's the weakness of BTC right now.
Yeah, that's the same reason why nobody in the world uses cash... huge weakness.

@OP: sorry for your loss. Also, thank you for sharing the information here. It is important that we get to the bottom of this. It's mind boggling. Even if your PC was completely compromised, and you were logged into gox that night, the hacker still needed to long press the yubikey. This is assuming your settings did not leave any holes via API or google auth, etc.

Cash payments are reversible; it is called small claims court.

Op, I don't know shit about the issue you are having, but it is screwed up. Goes to show you can't trust institutions.

It makes me sick that this happened to you.




Thank you guys for your input thus far. I think I will have to distance myself from BTC since the investment portion was a big reason why I got into BTCs. When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.
Long term investment should never be left on an exchange, use a paper wallet or an offline computer with Armory.

If this was Mt. Gox's doing and was a result of their financial situation, wouldn't it still be unsafe in the short term if their financial situation got desperate enough? I'd imagine it would be something similar to Russian roulette with risks increasing every second when they have your BTCs.

01BTC10 (VIP, Hero Member; Activity: 756, Merit: 503)
September 14, 2013, 09:19:10 PM  #25

I don't leave any coins on any exchange unless I need to trade.

willphase (Hero Member; Activity: 767, Merit: 500)
September 14, 2013, 09:56:04 PM  #26

check you didn't have any extensions installed that had full access to your computer (NPAPI) or had access to contents of tabs, or mtgox.

an extension such as this could inject malicious javascript into your mtgox page.

Will


JRam (OP) (Newbie; Activity: 31, Merit: 0)
September 14, 2013, 10:04:21 PM  #27

check you didn't have any extensions installed that had full access to your computer (NPAPI) or had access to contents of tabs, or mtgox.

an extension such as this could inject malicious javascript into your mtgox page.

Will

https://i.imgur.com/XVw29qL.jpg

I really don't think it's the trade bot. Anyone can take a look at the source code: https://github.com/TobbeLino/GoxTradingBotTobli.

willphase (Hero Member; Activity: 767, Merit: 500)
September 14, 2013, 10:19:52 PM  #28

what device is your GA stored on?

Is the device rooted?

Did you make backups of the GA seed somehow or somewhere, and if so, where were those stored?

Will


solex (Legendary; Activity: 1078, Merit: 1002)
September 14, 2013, 10:45:01 PM  #29

OP, can you ask MtGox to check and confirm:

a) that funds can only be withdrawn from your account when the yubikey is used.
b) that their logs show a 3-sec (long-press) was actually performed on this withdrawal.


Stephen Gornick (Legendary; Activity: 2506, Merit: 1010)
September 14, 2013, 10:59:02 PM  #30

I originally had $4,000 in USD but the culprit converted it to BTC and withdrew.

Out of curiosity, what verification level is your account?
 - http://en.bitcoin.it/wiki/Mt._Gox#AML


JRam (OP) (Newbie; Activity: 31, Merit: 0)
September 14, 2013, 11:31:58 PM  #31

I originally had $4,000 in USD but the culprit converted it to BTC and withdrew.

Out of curiosity, what verification level is your account?
 - http://en.bitcoin.it/wiki/Mt._Gox#AML

https://i.imgur.com/PioDmwd.jpg

Verified level 1. I did the whole verification process and sent them my info.

sublime5447 (Legendary; Activity: 966, Merit: 1000)
September 14, 2013, 11:35:33 PM  #32

You guys are killing me with all these security measures. The questions you have asked of the OP I could never answer.

If this guy gets screwed what chance does the average person have?

JRam (OP) (Newbie; Activity: 31, Merit: 0)
September 14, 2013, 11:39:05 PM  #33

what device is your GA stored on?

Is the device rooted?

Did you make backups of the GA seed somehow or somewhere, and if so, where were those stored?

Will

Here it is straight from my T-Mobile personal account although I had to black out my name and number:

https://i.imgur.com/2gGInBc.jpg

My cell is not rooted and I did not have any backups. I've heard of the rooting process and what it can do but I never personally had a need for it.

willphase (Hero Member; Activity: 767, Merit: 500)
September 14, 2013, 11:39:46 PM  #34

what device is your GA stored on?

Is the device rooted?

Did you make backups of the GA seed somehow or somewhere, and if so, where were those stored?

Will

Here it is straight from my T-Mobile personal account although I had to black out my name and number:



My cell is not rooted and I did not have any backups. I've heard of the rooting process and what it can do but I never personally had a need for it.

so you were using SMS-based GA or running the GA app on your phone?

Will


JRam (OP) (Newbie; Activity: 31, Merit: 0)
September 14, 2013, 11:41:47 PM  #35

what device is your GA stored on?

Is the device rooted?

Did you make backups of the GA seed somehow or somewhere, and if so, where were those stored?

Will

Here it is straight from my T-Mobile personal account although I had to black out my name and number:

https://i.imgur.com/2gGInBc.jpg

My cell is not rooted and I did not have any backups. I've heard of the rooting process and what it can do but I personally never had a need for it.

so you were using SMS-based GA or running the GA app on your phone?

Will

GA app.

OP, can you ask MtGox to check and confirm:

a) that funds can only be withdrawn from your account when the yubikey is used.
b) that their logs show a 3-sec (long-press) was actually performed on this withdrawal.

I will ask them right away on these specific points.

willphase (Hero Member; Activity: 767, Merit: 500)
September 14, 2013, 11:52:56 PM  #36

Thanks for answering all the questions.  I'm not sure how those funds were taken.  It seems you had taken all steps to avoid being hacked, and all the obvious (and some non-obvious) attack vectors were covered.

Will


coinage (Member; Activity: 60, Merit: 10)
September 14, 2013, 11:57:10 PM (Last edit: September 15, 2013, 12:14:22 AM by coinage)  #37

If Mt. Gox allows withdrawals using either the OTP -or- the Yubikey, Google Authenticator OTP is the far more likely vulnerability.

That would be the case if, when setting up the OTP, you typed its key details into a file on your computer or smartphone (how else would you recover it if there's a problem?)  ... or if you ever installed software on your trading computer to process the OTP (instead of or in addition to Google Authenticator on the phone)  ... or if you ever connect the phone to the computer.  All these scenarios assume a compromised computer, and not necessarily any user error.

Or, the smartphone with GA could itself be compromised.  If the phone was used to trade, or if the Mt. Gox account name & password were kept on it, then the PC need not be involved.


An inside theft by Mt. Gox employees would seem more likely to involve accounts lacking Yubikey withdrawal restrictions, to keep a lower profile, unless the intention of the theft was to visibly harm the exchange's reputation in an especially newsworthy way.
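The weak point coinage describes above, a withdrawal gate that accepts either the Google Authenticator OTP or the YubiKey, so that a leaked TOTP seed alone is enough, can be modelled in a few lines; the same model covers the earlier question of whether the GA seed on its own suffices once a session is already authenticated. The following is an added illustration, not code from Mt. Gox or from anyone in this thread. The seed is the RFC 6238 test secret standing in for a user's GA seed, the timestamp is a constructed value, the `WithdrawalGuard` class and its `require_hardware_key` policy flag are hypothetical, and the YubiKey touch is simplified to an already-validated boolean rather than a server-side OTP check.

```python
"""Model of an exchange withdrawal gate showing why 'TOTP or hardware key'
is only as strong as the TOTP seed. Constructed example; not Mt. Gox code."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    Anyone holding the seed computes exactly the code the phone shows."""
    return hotp(secret, int(at_time) // step, digits)


class WithdrawalGuard:
    """Hypothetical withdrawal policy: either-factor (OR) or hardware-key-required."""

    def __init__(self, totp_secret: bytes, require_hardware_key: bool, step: int = 30):
        self.totp_secret = totp_secret
        self.require_hardware_key = require_hardware_key
        self.step = step
        self.last_counter = -1  # highest TOTP counter already consumed (replay guard)

    def authorize(self, now: int, totp_code: Optional[str] = None,
                  hardware_key_touched: bool = False) -> Tuple[bool, str]:
        # The hardware factor is modelled as an already-validated touch event;
        # a real deployment validates the YubiKey OTP server-side.
        if hardware_key_touched:
            return True, "hardware key present"
        if self.require_hardware_key:
            return False, "policy requires hardware key for withdrawals"
        if totp_code is None:
            return False, "no second factor supplied"
        current = now // self.step
        for counter in (current - 1, current, current + 1):  # one step of clock skew
            expected = hotp(self.totp_secret, counter)
            if hmac.compare_digest(expected, totp_code):
                if counter <= self.last_counter:
                    return False, "TOTP code already used (replay)"
                self.last_counter = counter
                return True, "TOTP accepted"
        return False, "TOTP mismatch"


def leaked_seed_scenario(require_hardware_key: bool) -> Tuple[bool, str]:
    """Attacker holds a copy of the GA seed (constructed value) but not the YubiKey."""
    seed = b"12345678901234567890"  # RFC 6238 test secret, standing in for the GA seed
    now = 1379196000                 # constructed timestamp
    guard = WithdrawalGuard(seed, require_hardware_key)
    attacker_code = totp(seed, now)  # same code the legitimate phone would display
    return guard.authorize(now, totp_code=attacker_code)


if __name__ == "__main__":
    print("OR policy, leaked seed:     ", leaked_seed_scenario(require_hardware_key=False))
    print("key-required, leaked seed:  ", leaked_seed_scenario(require_hardware_key=True))
```

With the OR policy the leaked seed is accepted outright; with `require_hardware_key=True` the same code is refused. The replay guard is the extra check a practitioner wants on the TOTP path: a code that was already consumed is rejected even inside the skew window, which limits what an attacker gains from observing one code in transit.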

JRam (OP) (Newbie; Activity: 31, Merit: 0)
September 15, 2013, 12:24:29 AM (Last edit: September 15, 2013, 01:01:04 AM by JRam)  #38

Thanks for answering all the questions.  I'm not sure how those funds were taken.  It seems you had taken all steps to avoid being hacked, and all the obvious (and some non-obvious) attack vectors were covered.

Will

Thank you for your insight into this.

If Mt. Gox allows withdrawals using either the OTP -or- the Yubikey, Google Authenticator OTP is the far more likely vulnerability.

That would be the case if, when setting up the OTP, you typed its key details into a file on your computer or smartphone (how else would you recover it if there's a problem?)  ... or if you ever installed software on your trading computer to process the OTP (instead of or in addition to Google Authenticator on the phone)  ... or if you ever connect the phone to the computer.  All these scenarios assume a compromised computer, and not necessarily any user error.

Or, the smartphone with GA could itself be compromised.  If the phone was used to trade, or if the Mt. Gox account name & password were kept on it, then the PC need not be involved.

An inside theft by Mt. Gox employees would seem more likely to involve accounts lacking Yubikey withdrawal restrictions, to keep a lower profile, unless the intention of the theft was to visibly harm the exchange's reputation in an especially newsworthy way.

No software installed to process OTP and my phone was never directly connected to my computer. I connect my phone to my wireless router for its internet speed when I needed to download apps like Google Authenticator. The phone itself was never used to trade, I only traded via the PC.

If Mt. Gox ran out of accounts lacking Yubikeys or a combination of other authentication methods, would they eventually grow desperate enough under financial pressure? There are also other reasons why I suspect Mt. Gox, namely the IP address being from China withdrawing from my US based account. No delays or email verifications were raised for this glaring red flag. I never had an intention to harm Mt. Gox's reputation since their success would eventually equal my success. I was trading on trends fairly well and Mt. Gox's volume helps a lot. Without Mt. Gox, I can't do what I have been doing, so I lose out too.

This attack seems to be well timed since I get limited support from Mt. Gox on the weekends. I know I have been a bit aggressive with the Mt. Gox representative but I don't see any other options. For anyone interested:

https://i.imgur.com/4hvC4yq.jpg

chriswilmer (Legendary; Activity: 1008, Merit: 1000)
September 15, 2013, 01:56:23 AM  #39

I'm glad some people are posting on this thread, but frankly I was expecting this to get a lot more attention. This would be the first story, ever, of a person losing money who had a Yubikey and did not also have a trading API key floating out to be used. I've never used a trading bot, so I don't know if there was a mistake in granting permissions there... but this would be a Bitcoin first.

JRam (OP) (Newbie; Activity: 31, Merit: 0)
September 15, 2013, 02:21:38 AM (Last edit: September 15, 2013, 02:57:05 AM by JRam)  #40

I'm glad some people are posting on this thread, but frankly I was expecting this to get a lot more attention. This would be the first story, ever, of a person losing money who had a Yubikey and did not also have a trading API key floating out to be used. I've never used a trading bot, so I don't know if there was a mistake in granting permissions there... but this would be a Bitcoin first.

Well, it is the weekend, so it is understandable. Although having $4,000 stolen hurts, there is not much more I can do about it. I'm confident there is no mistake in granting permissions, as you would have to consciously check the 'withdraw' box to grant withdraw permission. I also combed through the trading bot source code at one point looking to see if there was any malicious code.