coinage
Member
Offline
Activity: 60
Merit: 10
|
|
September 15, 2013, 02:36:38 AM Last edit: September 15, 2013, 03:58:03 AM by coinage |
|
No software installed to process OTP and my phone was never directly connected to my computer. I connect my phone to my wireless router for its internet speed when I needed to download apps like Google Authenticator. The phone itself was never used to trade, I only traded via the PC.
Thanks for the details. What about the thought of having typed the Google Authenticator OTP setup seed into a text file (or email, etc.) on the computer, as a way to keep a personal copy of the information in case it was needed later? If someone did not manage to get your withdrawal credentials, then your report could reveal a new intrusion into Mt. Gox's servers. Despite the 2FA, an attack could still be from outside the company (unless Mt. Gox has really outdone itself with thoroughly secured login/withdrawal processing). BTW, does anyone know how long Mt. Gox restricts withdrawals to a given GA OTP, and especially whether the site allows reuse of a prior "OTP"? In the recent past at least, they certainly did not strictly adhere to the standard 30-second window. (Conceivably a man-in-the-middle attacker could take advantage of such weaknesses.)
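The 30-second window and the reuse of a prior OTP that coinage asks about come down to two server-side checks. As an added example (not code from the thread, from Google Authenticator or from Mt. Gox), the Python below implements RFC 6238 TOTP over the standard library and verifies codes two ways: a strict verifier that accepts one step of clock skew and refuses any counter at or below the last one already consumed, and the loose configuration (wide window, no replay tracking) under which a code captured minutes earlier by a man-in-the-middle still works. The seed is the RFC 6238 test-vector secret and the timestamps are constructed for the demo.

```python
import hmac
import hashlib
import struct

STEP = 30      # TOTP time step in seconds
DIGITS = 6     # code length used by Google Authenticator


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side verifier.

    skew_steps: how many steps either side of 'now' are accepted (1 = about 90 s total).
    track_replay: when True, a counter at or below the last accepted one is never
    accepted again, so a captured code cannot be submitted a second time."""

    def __init__(self, secret: bytes, skew_steps: int = 1, track_replay: bool = True):
        self.secret = secret
        self.skew = skew_steps
        self.track_replay = track_replay
        self.last_used_counter = -1   # highest counter already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self.skew, current + self.skew + 1):
            if self.track_replay and counter <= self.last_used_counter:
                continue   # stale or already used: reject replays outright
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.track_replay:
                    self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 Appendix B test secret
    print(totp(seed, 59))                   # 287082 (the 6-digit tail of 94287082)
    strict = TotpVerifier(seed)
    loose = TotpVerifier(seed, skew_steps=10, track_replay=False)
    code = totp(seed, 1000)
    print(strict.verify(code, 1000), strict.verify(code, 1000))        # True False
    print(loose.verify(code, 1150), loose.verify(code, 1150))          # True True
```

The loose verifier is what "not strictly adhering to the 30-second window" looks like in code: with ten steps of skew and no replay tracking, a code that is two and a half minutes old is accepted, and accepted again. The strict verifier still tolerates a phone clock that is one step off, which is the usual reason sites widen the window at all.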
|
|
|
|
fimp
|
|
September 15, 2013, 03:05:36 AM |
|
Is having two different 2-factor auths for withdrawal AND or OR? Will you need both to make the withdrawal or just one of them?
|
|
|
|
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
|
|
September 15, 2013, 03:18:29 AM |
|
I'm glad some people are posting on this thread, but frankly I was expecting this to get a lot more attention. This would be the first story, ever, of a person losing money who had a Yubikey and did not also have a trading API key floating out to be used. I've never used a trading bot, so I don't know if there was a mistake in granting permissions there... but this would be a Bitcoin first. We're still missing a lot of information. For example, we don't know whether Gox claims they received a valid YubiKey code when the withdrawal was made. This may get very interesting soon though.
|
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
|
|
|
JRam (OP)
Newbie
Offline
Activity: 31
Merit: 0
|
|
September 15, 2013, 03:50:43 AM |
|
No software installed to process OTP and my phone was never directly connected to my computer. I connect my phone to my wireless router for its internet speed when I needed to download apps like Google Authenticator. The phone itself was never used to trade, I only traded via the PC.
Thanks for the details. What about the thought of having typed the Google Authenticator OTP setup seed into a text file (or email, etc.) on the computer, as a way to keep a personal copy of the information in case it was needed later? If someone did not manage to get your withdrawal credentials, then your report could reveal a new intrusion into Mt. Gox's servers. Despite the 2FA, an attack could still be from outside the company (unless Mt. Gox has really outdone itself with thoroughly secured login/withdrawal processing). BTW, does anyone know how long Mt. Gox restricts withdrawals to a given GA OTP, and especially whether the site allows reuse of a prior "OTP"? In the recent past at least, they certainly did not strictly adhere to the standard 30-second window. (Conceivably a man-in-the-middle attacker could take advantage of such weaknesses.)
No backups since I didn't think it was needed even if I did somehow lose access to the keys. I recall Mt. Gox gave an option to unlink keys where they lock down your account for 2 weeks and repeatedly email you to verify that the real owner made the request. https://www.mtgox.com/login/otp-unlink
As I've used my account earlier this week and never received such emails, I don't think this was the attack vector.
|
|
|
|
chriswilmer
Legendary
Offline
Activity: 1008
Merit: 1000
|
|
September 15, 2013, 04:01:54 AM |
|
Sorry if this was explained already... but why was Google authenticator also being used in addition to a yubikey?
|
|
|
|
btcdrak
Legendary
Offline
Activity: 1064
Merit: 1000
|
|
September 15, 2013, 06:56:11 AM |
|
You need to find out if the GA or Yubikey was used in the authorization.
|
|
|
|
PurpleTentacle
|
|
September 15, 2013, 07:07:30 AM |
|
Did you have NoScript installed in your browser?
Could the thief use a keylogger on your system to work out the yubikey seed?
|
|
|
|
caveden
Legendary
Offline
Activity: 1106
Merit: 1004
|
|
September 15, 2013, 07:54:42 AM |
|
Were you doing any operation at the site that would require the Yubikey code?
Advanced malware could put itself in between you and MtGox, and if you request a withdrawal to address A, it could change that to address B without you noticing, and make you authorize that via the Yubikey code. That'd be very advanced malware though, as it would have to somehow replace your browser with a bogus one.
EDIT: Just saw your post on reddit saying that you were not awake while this happened, which rules out my supposition.
When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.
Come on. Not wanting to be mean, it's a shame that you've lost your money and I hope this mystery gets solved, but of course there was something you could have done, and you know it very well: you could have stored your coins yourself, offline.
This is to everyone who stores their money on Gox and others: Seriously people, Bitcoin empowers you to be your own bank. To have no counter-party risk. And you keep leaving your money in bank-like institutions? What's to prevent MtGox servers from being hacked, and eventually even its cold wallet stolen like bitfloor? Or, even more likely, what if they're raided and all the money seized, à la Cyprus?
Store your bitcoins yourself.
If that sounds "too geeky" and you're not willing to go through the learning curve right now, then perhaps Bitcoin and you are not ready for each other for the moment. Interesting projects like Trezor are in development, and they could bring the two of you together again soon enough.
Again OP, don't take my post in a bad way, I am really sorry this has happened to you. But please don't claim that you haven't been warned (I'm definitely not the first one saying this), or that there are no ways to hold Bitcoins safely, because you know that's not the case.
|
|
|
|
samson
Legendary
Offline
Activity: 2097
Merit: 1070
|
|
September 15, 2013, 08:39:58 AM |
|
How many people replying to this even bothered to read the original post? Look, this is what he said:
All of the trade activity in the screenshot is not mine. I originally had $4,000 in USD but the culprit converted it to BTC and withdrew.
Come on. Not wanting to be mean, it's a shame that you've lost your money and I hope this mystery gets solved, but of course there was something you could have done, and you know it very well: you could have stored your coins yourself, offline.
This is to everyone who stores their money on Gox and others: Seriously people, Bitcoin empowers you to be your own bank. To have no counter-party risk. And you keep leaving your money in bank-like institutions? What's to prevent MtGox servers from being hacked, and eventually even its cold wallet stolen like bitfloor? Or, even more likely, what if they're raided and all the money seized, à la Cyprus?
Store your bitcoins yourself.
If that sounds "too geeky" and you're not willing to go through the learning curve right now, then perhaps Bitcoin and you are not ready for each other for the moment. Interesting projects like Trezor are in development, and they could bring the two of you together again soon enough.
Again OP, don't take my post in a bad way, I am really sorry this has happened to you. But please don't claim that you haven't been warned (I'm definitely not the first one saying this), or that there are no ways to hold Bitcoins safely, because you know that's not the case.
Well I just read the original post and what you're saying here is clearly incorrect. The OP had $4000 in his MtGox account. Someone gained unauthorised access and purchased Bitcoin. After purchasing the Bitcoin they withdrew it. So he had USD sitting on the exchange - not Bitcoin.
|
|
|
|
caveden
Legendary
Offline
Activity: 1106
Merit: 1004
|
|
September 15, 2013, 09:16:47 AM |
|
My mistake then. But again, the risks are almost the same. MtGox's fiat account could be seized, the entire site hacked and become insolvent, or his personal account hacked. If he intended to keep a fiat balance, it would be safer to do so in a traditional bank that can reverse transactions.
Perhaps he was keeping his fiat there because of MtGox's liquidity problems. Or perhaps he was a day-trader. These possibilities make it much more understandable.
But if you have fiat on Gox and you're not willing to spend this money any time soon, then I'd advise you to withdraw it. Even if it takes months to reach your bank account, it's safer than leaving it sitting there. I'd say that MtGox is more vulnerable to account seizures than most banks... it has already happened to their US-domiciled accounts, are you so sure it won't happen to their main accounts in Japan?
EDIT: By the way, my post above is not entirely incorrect when you consider only the quoted part I was replying to:
When you can't even trust the largest BTC exchange with your coins, there is nothing I can do.
You should not trust the largest exchange with your coins, but that doesn't mean there's nothing you can do.
|
|
|
|
samson
Legendary
Offline
Activity: 2097
Merit: 1070
|
|
September 15, 2013, 09:26:38 AM |
|
My mistake then. But again, the risks are almost the same. MtGox's fiat account could be seized, the entire site hacked and become insolvent, or his personal account hacked. If he intended to keep a fiat balance, it would be safer to do so in a traditional bank that can reverse transactions.
Perhaps he was keeping his fiat there because of MtGox's liquidity problems. Or perhaps he was a day-trader. These possibilities make it much more understandable.
But if you have fiat on Gox and you're not willing to spend this money any time soon, then I'd advise you to withdraw it. Even if it takes months to reach your bank account, it's safer than leaving it sitting there. I'd say that MtGox is more vulnerable to account seizures than most banks... it has already happened to their US-domiciled accounts, are you so sure it won't happen to their main accounts in Japan?
There are millions of dollars in fiat sitting in MtGox accounts with bids placed on various price points from just below the current price right down to just a few cents per Bitcoin. This is how any exchange works. It can't work without large amounts of fiat being on the exchange at any point in time otherwise there would be zero liquidity and no bids. This issue needs to be addressed properly due to the millions of dollars in fiat which is properly stored on the exchange and must remain there for normal liquidity and trading to continue. If everyone withdrew all their fiat the price would be back in cents per Bitcoin before you know it. It's just not feasible.
|
|
|
|
joesmoe2012
|
|
September 15, 2013, 09:26:54 AM |
|
Very odd, this would be the first time I've heard of this happening. The GA must have been compromised. I don't think it's an inside job; if it was, why would they target a $4k account... There are people paying more than that to them in FEES for 5% withdrawals...
|
|
|
|
samson
Legendary
Offline
Activity: 2097
Merit: 1070
|
|
September 15, 2013, 09:31:25 AM |
|
Very odd, this would be the first time I've heard of this happening. The GA must have been compromised. I don't think it's an inside job; if it was, why would they target a $4k account... There are people paying more than that to them in FEES for 5% withdrawals...
This is what I'm thinking. If you have both GA and Yubikey enabled on the account, does the MtGox system require you to press the Yubikey AND enter the Google Auth code, or will just either one of them work on its own?
|
|
|
|
willphase
|
|
September 15, 2013, 09:41:43 AM |
|
yes this is very curious. Perhaps MtGox have a bug whereby a trade API key can be somehow coaxed to be used as a withdrawal API key? The only other option is that the GA seed was compromised somehow but the only way this could have happened was if there was malware actively monitoring the page when the GA device was enrolled, or malware on the phone that was able to access the GA key, but since the phone is not rooted that seems unlikely.
Very curious.
Will
|
|
|
|
btcdrak
Legendary
Offline
Activity: 1064
Merit: 1000
|
|
September 15, 2013, 10:44:11 AM |
|
Store your bitcoins yourself.
If that sounds "too geeky" and you're not willing to go through the learning curve right now, then perhaps Bitcoin and you are not ready for each other for the moment. Interesting projects like Trezor are in development, and they could bring the two of you together again soon enough.
Again OP, don't take my post in a bad way, I am really sorry this has happened to you. But please don't claim that you haven't been warned (I'm definitely not the first one saying this), or that there are no ways to hold Bitcoins safely, because you know that's not the case.
I am sorry, but this is not a very realistic position. What if you are in a short position, i.e. holding USD pending a rebuy at a lower price? If this issue exists, then a thief can just buy bitcoins with your balance and xfer them out. If this were any other regulated situation, like a stock-brokerage account, the broker could and WOULD be held accountable for their lax security.
|
|
|
|
caveden
Legendary
Offline
Activity: 1106
Merit: 1004
|
|
September 15, 2013, 11:52:09 AM |
|
@btcdrak, the point I'm trying to make is: right now, the only truly safe way of storing bitcoins is by doing it yourself, and offline.
It will not always remain like this, obviously. Hardware-wallets, combined with multi-sig and probably also nLockTime would certainly allow a great level of security for everyone, including those who have no idea of what I'm talking about. Perhaps even those twins' ETF would as well.
But that's not the case right now. So, if you're day-trading, you should factor into the risks of your operations that your account may just be emptied. Even if you take all possible digital-hygiene measures, the exchange's account may be hacked/seized/etc., and your money will be gone.
All that said, I'm also curious as to how this hack happened, as it sets a dangerous precedent.
|
|
|
|
pinger
Legendary
Offline
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
|
|
September 15, 2013, 12:13:54 PM |
|
OP, sorry for your loss. I also have Mtgox with a Yubi, so I'm worried now. Hope you get the mystery solved.
|
For rent
|
|
|
samson
Legendary
Offline
Activity: 2097
Merit: 1070
|
|
September 15, 2013, 12:23:36 PM |
|
OP, sorry for your loss. I also have Mtgox with a Yubi, so I'm worried now. Hope you get the mystery solved.
Someone needs to clarify what happened on these withdrawals. I have about $50,000 in my MtGox account right now and I use google auth to keep it safe. It's sad that you lost $4,000 but if this was an MtGox-wide issue I suspect whoever did this would have cleared out the accounts with large balances on them first and worked their way down to the smaller balances. I don't keep Bitcoins in my account but obviously I do keep USD there as right now I'm waiting to make a purchase, but I consider the current price of Bitcoin to be way overvalued.
I won't use Yubikey with MtGox unless they allow 2 yubikeys to be associated with my account or make it much easier for me to remove a Yubikey from my account in the event that I can't use it. It's highly unlikely I will lose my Yubikey but if it becomes inoperable for any reason I need to be able to replace it and gain access to my account quickly as there's plenty of money in it and I would not like to be frozen out for weeks while the Yubikey is changed. Allowing 2 Yubikeys on the account would make much more sense as I could keep one in offsite storage (safety deposit box, car glove box, etc.) and one at my computer for daily use. Until this is implemented I consider Yubikeys to be worthless at Gox due to the account freeze when one is lost / damaged.
|
|
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
September 15, 2013, 02:24:54 PM Last edit: September 15, 2013, 04:33:21 PM by casascius |
|
I am extremely shocked that MtGox does not have one simple security feature that I asked for more than a year ago (when I was still willing to do business with MtGox):
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
|
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
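Casascius's proposal above, written out as an added Python example (not anything Mt. Gox implemented, and not code from the thread): each account is locked to a single withdrawal address; the address changes immediately only with a message signed by the key behind the current address, and otherwise only after a lockout period during which the real owner can contest the request. The one-week lockout, the address strings and the HMAC-based stand-in for "a signed message from the current address" are assumptions made for the demo; a real exchange would verify a Bitcoin message signature against the address instead.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional

LOCKOUT_SECONDS = 7 * 24 * 3600  # assumed cooling-off period for unsigned change requests

# Stand-in for "a signed message from the current address" (assumption for the demo):
# an HMAC keyed by a constructed per-address secret. A real exchange would verify a
# Bitcoin message signature against the address's public key instead.
ADDRESS_KEYS: Dict[str, bytes] = {
    "addr_owner_1": b"constructed-owner-secret-1",
    "addr_owner_2": b"constructed-owner-secret-2",
}


def change_message(new_address: str) -> str:
    return f"change withdrawal address to {new_address}"


def sign(address: str, message: str) -> str:
    return hmac.new(ADDRESS_KEYS[address], message.encode(), hashlib.sha256).hexdigest()


def verify_sig(address: str, message: str, signature: str) -> bool:
    if address not in ADDRESS_KEYS:
        return False
    return hmac.compare_digest(sign(address, message), signature)


@dataclass
class PendingChange:
    new_address: str
    effective_at: int   # unix time at which the change applies unless contested


class WithdrawalLock:
    """Exactly one permitted withdrawal address per account.

    A change signed by the key behind the current address applies at once. An unsigned
    request only starts a lockout timer the owner can cancel; if nobody contests it,
    the change applies when the timer expires."""

    def __init__(self, address: str, verify_sig_fn: Callable[[str, str, str], bool],
                 lockout: int = LOCKOUT_SECONDS):
        self.address = address
        self.verify_sig_fn = verify_sig_fn
        self.lockout = lockout
        self.pending: Optional[PendingChange] = None

    def withdraw(self, to_address: str, now: int) -> bool:
        """True only if a withdrawal to to_address is permitted at time now."""
        self._apply_pending(now)
        return to_address == self.address

    def request_change(self, new_address: str, now: int,
                       signature: Optional[str] = None) -> str:
        if signature is not None:
            if self.verify_sig_fn(self.address, change_message(new_address), signature):
                self.address, self.pending = new_address, None
                return "applied"
            return "rejected"   # a forged signature does not even start the timer
        self.pending = PendingChange(new_address, now + self.lockout)
        return "pending"

    def contest(self) -> None:
        """The owner cancels a pending change they did not initiate."""
        self.pending = None

    def _apply_pending(self, now: int) -> None:
        if self.pending is not None and now >= self.pending.effective_at:
            self.address, self.pending = self.pending.new_address, None


def scenario() -> Dict[str, object]:
    """Attacker holding stolen login credentials vs. the lock (constructed addresses/times)."""
    owner, thief = "addr_owner_1", "addr_thief_1"
    lock = WithdrawalLock(owner, verify_sig)
    r: Dict[str, object] = {}
    r["thief_withdraw"] = lock.withdraw(thief, now=0)                           # False
    r["forged_change"] = lock.request_change(thief, now=0, signature="00" * 32)  # "rejected"
    r["unsigned_change"] = lock.request_change(thief, now=0)                    # "pending"
    r["during_lockout"] = lock.withdraw(thief, now=3600)                        # False
    lock.contest()                                                              # owner saw the notice
    r["after_contest"] = lock.withdraw(thief, now=LOCKOUT_SECONDS + 1)          # False
    sig = sign(owner, change_message("addr_owner_2"))
    r["signed_change"] = lock.request_change("addr_owner_2", now=0, signature=sig)  # "applied"
    r["owner_withdraw"] = lock.withdraw("addr_owner_2", now=0)                  # True
    # Uncontested unsigned request: the change applies once the lockout has elapsed.
    idle = WithdrawalLock(owner, verify_sig)
    idle.request_change("addr_owner_2", now=0)
    r["uncontested_applies"] = idle.withdraw("addr_owner_2", now=LOCKOUT_SECONDS)  # True
    return r


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point the scenario makes is the one in the post: a thief who has the password and a valid OTP, as in this thread, still cannot move funds anywhere but the owner's address, and the only fast path to a new address requires a key the exchange never held. Whether the lockout is one week or two is a policy choice; what matters is that the owner is notified and can cancel before it expires.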
|
|
|
|