Bitcoin Forum
Author Topic: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen  (Read 8524 times)
paraipan  (Legendary, In memoriam; Activity: 924, Merit: 1004)
September 15, 2013, 02:26:03 PM  #61

> ...
>
> Allowing 2 Yubikeys on the account would make much more sense as I could keep one in offsite storage (safety deposit box, car glove box, etc) and one at my computer for daily use.
>
> Until this is implemented I consider Yubikeys to be worthless at Gox due to the account freeze when one is lost / damaged.

And this is the reason I hate it when someone like you has "plenty" of money and zero knowledge. You can add various Yubikeys and Google auth at the same time on your account, just take a little of your time and investigate. I'm not affiliated with gox, I only had the same issue a while back.

marcovaldo  (Sr. Member; Activity: 350, Merit: 250)
September 15, 2013, 02:50:47 PM  #62

Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in China in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in the world who knows anyone located in China in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in the world who used a chinese VPN in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in the world who knows anyone who used a chinese VPN in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in the world who used a chinese VPS in order to withdraw your btc and try to file a claim and get refunded?
Did you share your personal info (Yubikey, passwords) to a friend / relative / anyone located in the world who knows anyone who used a chinese VPN in order to withdraw your btc and try to file a claim and get refunded?

marcovaldo  (Sr. Member; Activity: 350, Merit: 250)
September 15, 2013, 02:56:25 PM  #63

> This story could be a hoax if this is true: https://twitter.com/MagicalTux/status/379247601289142273 - for those of you who don't know, MagicalTux (Mark Karpeles) is the CEO of MtGox

Did not know about that lol.
mt.gox CEO is French?

coinage  (Member; Activity: 60, Merit: 10)
September 15, 2013, 02:58:20 PM  #64
Last edit: September 15, 2013, 05:26:56 PM by coinage

Suggestions:

1.  If keeping balances available at all times for rapid trading, consider spreading them between multiple exchanges.  25% of the money at each of 4 exchanges allows a trader to sustain a complete loss at one.  Careful trading over the next month or two may regain the loss.  Later, fully insured or distributed exchanges and multisig can solve this, but for now sudden losses or frozen funds are likely at any exchange.

2.  Use only a known secure computer (such as a clean boot off a live CD) to set up Google Authenticator at an exchange.  Otherwise a keylogger could capture all the withdrawal credentials (as willphase suggested).

3.  For best results, set up 2FA *before* losing money.
btcdrak  (Legendary; Activity: 1064, Merit: 1000)
September 15, 2013, 03:01:56 PM  #65

I think, preliminarily, we can treat this as a VERY good hoax.
willphase  (Hero Member; Activity: 767, Merit: 500)
September 15, 2013, 03:05:57 PM  #66

> I think, preliminarily, we can treat this as a VERY good hoax.

Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.

Will

coastermonger  (Sr. Member; Activity: 367, Merit: 250)
September 15, 2013, 03:59:34 PM  #67
Last edit: September 15, 2013, 06:31:53 PM by coastermonger

For anyone that can't or doesn't want to click the twitter link, Mark Karpeles says: "already checked and confirmed 2fa was enabled after the withdraw. Will check system logs too anyway."
In other words either OP is lying, or the CEO of MtGox is lying.  It's like Christmas.  


Mike Casascius is absolutely spot on however, in that exchanges can prevent themselves from being the targets of theft by allowing users to lock in a withdrawal address or addresses when they sign up. It's not a perfect solution, but they can also allow the user to specify a delay period with withdrawals or a mandatory email confirmation before the funds are actually sent out.  I know that MtGox support staff and many exchanges have had many uncomfortable emails with customers explaining that their funds have been compromised and are impossible to reclaim.  I know they've considered these options because I requested them via email months ago.  2-factor is nice yes, but why they haven't pursued additional security measures to take some of the heat off themselves is beyond me.  I'll say it again because it's so important:

  • Locked withdrawal addresses
  • User-defined withdrawal delays
  • Mandatory email confirmation of withdrawal

niko  (Hero Member; Activity: 756, Merit: 501)
September 15, 2013, 04:16:15 PM  #68

> For anyone that can't or doesn't want to click the twitter link, Mark Karpeles says: "already checked and confirmed 2fa was enabled after the withdraw. Will check system logs too anyway."
> In other words either OP is lying, or the CEO of MtGox is lying.  It's like Christmas.

Soon we will know. The fact that this seems to be the lone case at this time suggests there is no exploit on the MtGox side, and the problem is strictly with this user's actions, errors, or intentions.

By the way, and slightly off-topic, those who suggest we should not keep coins or fiat sitting at an exchange are missing the point. These are not savings being kept there, but money actively used for trading. A perfectly good idea as long as you understand the risks.

Finally, I am saddened that in all cases of theft, real and false, the discussion revolves around blaming the victim and the service provider, not the thief.

BombaUcigasa  (Legendary; Activity: 1442, Merit: 1000)
September 15, 2013, 05:24:46 PM  #69

I'm posting to follow this thread, I see three options:
- OP activated his 2fa after the "hack" and used a Chinese proxy/henchman to "steal" his own funds and double up on mtgox
- OP activated his 2fa after the "hack" and plays possum insisting that they were enabled before the theft
- A real hacker disabled 2fa and enabled it back somehow, allowing the theft and only mtgox can tell
BitPappa  (Sr. Member; Activity: 431, Merit: 261)
September 15, 2013, 06:23:44 PM  #70

> I'll say it again because it's so important:
>   • Locked withdrawal addresses
>   • User-defined withdrawal delays
>   • Mandatory email confirmation of withdrawal

Yes! Why oh why don't exchanges allow these seemingly-simple solutions to help protect users?

If this claim is B.S., it's really sad.

Han  (Newbie; Activity: 40, Merit: 0)
September 15, 2013, 08:02:05 PM  #71

> I'm posting to follow this thread, I see three options:
> - OP activated his 2fa after the "hack" and used a Chinese proxy/henchman to "steal" his own funds and double up on mtgox
> - OP activated his 2fa after the "hack" and plays possum insisting that they were enabled before the theft
> - A real hacker disabled 2fa and enabled it back somehow, allowing the theft and only mtgox can tell

MtGox should have the logs to tell exactly when and how many times 2fa has been enabled/disabled on the account.
JRam (OP)  (Newbie; Activity: 31, Merit: 0)
September 15, 2013, 08:07:39 PM  #72
Last edit: September 15, 2013, 08:46:42 PM by JRam

>> I think, preliminarily, we can treat this as a VERY good hoax.
>
> Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.
>
> Will

I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps claiming that I didn't use my Yubikey is this:

"When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "
Han  (Newbie; Activity: 40, Merit: 0)
September 15, 2013, 08:42:13 PM  #73

>>> I think, preliminarily, we can treat this as a VERY good hoax.
>>
>> Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.
>>
>> Will
>
> I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:
>
> "When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


Not really much you can do except wait for Mt. Gox's responses like all of us regarding the specifics of their logs. You should also not reveal MtGox support's private, direct responses to you right away. Wait for them to make public statements regarding this issue. This way, if they lie/make inconsistent statements, you can catch them on their lie/inconsistency (if there is any) by later posting their direct responses to you (think Snowden).
jedunnigan  (Sr. Member; Activity: 279, Merit: 250)
September 15, 2013, 08:42:54 PM  #74

>>> I think, preliminarily, we can treat this as a VERY good hoax.
>>
>> Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.
>>
>> Will
>
> I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:
>
> "When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


Okay, so you deny the allegations. This is going to get messy; Mark could certainly post the logs but it is still effectively his word against yours. He is saying you did not have 2FA enabled at the time of the 'heist'.

You should both now post logs. You can use the API to get info about the account (idk how much): https://data.mtgox.com/api/1/generic/private/info

This would work best if you both posted them at the same time. Perhaps you can upload them somewhere, keep the link private and share it once mark posts logs on his end.
marcovaldo  (Sr. Member; Activity: 350, Merit: 250)
September 15, 2013, 08:43:32 PM  #75

> I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:
>
> "When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "


I am sorry for your loss, and I understand your frustration if you are legit.
But your argument will not be accepted.

Yes, mt.gox could have / should have added extra protection measures to allow withdrawal of coins (like previously said: delay / email confirmation / and so on).

But, if it is true that you did not have 2fa activated, it is your responsibility to protect your personal data and access to the account. You can go on holiday in China. I was there in August, and asked for bitcoins from there ...

Han  (Newbie; Activity: 40, Merit: 0)
September 15, 2013, 08:49:43 PM  #76

>>>> I think, preliminarily, we can treat this as a VERY good hoax.
>>>
>>> Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.
>>>
>>> Will
>>
>> I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:
>>
>> "When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "
>
> Okay, so you deny the allegations. This is going to get messy; Mark could certainly post the logs but it is still effectively his word against yours. He is saying you did not have 2FA enabled at the time of the 'heist'.
>
> You should both now post logs. You can use the API to get info about the account (idk how much): https://data.mtgox.com/api/1/generic/private/info
>
> This would work best if you both posted them at the same time. Perhaps you can upload them somewhere, keep the link private and share it once mark posts logs on his end.

@JRam This would be an even better implementation of the Snowden strategy I outlined above, but do it for everything you can think of: logs, support messages, any other data/proof, etc.
ArticMine  (Legendary, Monero Core Team; Activity: 2282, Merit: 1050)
September 15, 2013, 08:52:59 PM  #77

> This story could be a hoax if this is true: https://twitter.com/MagicalTux/status/379247601289142273 - for those of you who don't know, MagicalTux (Mark Karpeles) is the CEO of MtGox


I would trust MTGox's systems any day before trusting a Microsoft Windows computer. My take is that the theft was due to the OP using Microsoft Windows to trade on MTGox and could have been prevented by the OP having used GNU / Linux instead. By the way storing the Bitcoins in the OP's computer rather than in MTGox, in this case, is not a good idea since the OP is using Microsoft Windows.  

JRam (OP)  (Newbie; Activity: 31, Merit: 0)
September 15, 2013, 08:55:10 PM  #78

>>>>> I think, preliminarily, we can treat this as a VERY good hoax.
>>>>
>>>> Indeed; if the MagicalTux quote from Twitter is to be believed.  Does the OP have anything to say in response to this?  It does seem a shame if JRam tried to take advantage of the bitcoin community if this is true.
>>>>
>>>> Will
>>>
>>> I'm out $4,000 but what else can I say to prove my case against the CEO himself? $4,000 might not seem like a lot to the wealthier folks but it is a lot to me. Why would I just sit on my Mt. Gox Yubikey that they sent me and never use it until now?  I have also sent Mt. Gox my real personal info to get the verified account so they should know me very well. The only argument I can make if this CEO keeps falsely claiming that I didn't use my Yubikey is this:
>>>
>>> "When you think about it, the IP address that stole my coins was from China and I am based in the US. Any half decent business would find this to be a red flag and delay the withdrawal. Maybe Mt. Gox is deliberately letting these glaring red flags slide? "
>>
>> Okay, so you deny the allegations. This is going to get messy; Mark could certainly post the logs but it is still effectively his word against yours. He is saying you did not have 2FA enabled at the time of the 'heist'.
>>
>> You should both now post logs. You can use the API to get info about the account (idk how much): https://data.mtgox.com/api/1/generic/private/info
>>
>> This would work best if you both posted them at the same time. Perhaps you can upload them somewhere, keep the link private and share it once mark posts logs on his end.
>
> @JRam This would be an even better implementation of the Snowden strategy I outlined above, but do it for everything you can think of: logs, support messages, any other data/proof, etc.

Duly noted, I didn't think about the need to catch them on their inconsistency like this. I guess this is one of those life lessons.
chriswilmer  (Legendary; Activity: 1008, Merit: 1000)
September 15, 2013, 09:01:59 PM  #79

I am extremely shocked that MtGox does not have one simple security feature that I asked for more than a year ago (when I still was willing to do business with MtGox):

Allow users to lock withdrawals to a single bitcoin address

And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker

This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)

There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.

+21000000
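Added example (not MtGox code and not from anyone in this thread) of the controls argued for in the posts above: a locked withdrawal address whose changes wait out a lockout the owner can contest, a user-defined hold plus mandatory e-mail confirmation, the cross-country red flag, and an append-only audit log that answers "was 2FA enabled at the time?" from evidence rather than one word against another. Addresses, timestamps and the policy numbers are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Account:
    home_country: str
    withdraw_delay: timedelta                   # user-defined hold before funds move
    locked_address: Optional[str] = None        # the only destination withdrawals may use
    pending_address: Optional[str] = None       # change request waiting out its lockout
    pending_until: Optional[datetime] = None
    events: list = field(default_factory=list)  # append-only audit log: (time, kind, detail)

def log(acct, when, kind, **detail):
    acct.events.append((when, kind, detail))

def request_address_change(acct, when, new_addr, lockout=timedelta(hours=48)):
    # A change never applies at once: the owner gets the lockout window to contest it.
    acct.pending_address, acct.pending_until = new_addr, when + lockout
    log(acct, when, "address_change_requested", addr=new_addr)

def cancel_address_change(acct, when):
    log(acct, when, "address_change_cancelled", addr=acct.pending_address)
    acct.pending_address = acct.pending_until = None

def apply_pending_address(acct, when):
    if acct.pending_address and when >= acct.pending_until:
        acct.locked_address = acct.pending_address
        log(acct, when, "address_locked", addr=acct.locked_address)
        acct.pending_address = acct.pending_until = None

def twofa_enabled_at(acct, when):
    # Replay the audit log up to `when`: the record that settles whether 2FA was on
    # at the moment of a withdrawal, which is exactly what this thread argues over.
    state = False
    for t, kind, _ in sorted(acct.events, key=lambda e: e[0]):
        if t > when:
            break
        if kind in ("2fa_enabled", "2fa_disabled"):
            state = kind == "2fa_enabled"
    return state

def evaluate_withdrawal(acct, when, dest, src_country):
    """Return (decision, release_time, flags). Funds move only at release_time and
    only after the mandatory e-mail confirmation; until then the owner can cancel."""
    apply_pending_address(acct, when)
    if acct.locked_address and dest != acct.locked_address:
        log(acct, when, "withdraw_rejected", dest=dest, reason="not the locked-in address")
        return "REJECT", None, ["address_mismatch"]
    flags = ["email_confirmation_required"]
    release = when + acct.withdraw_delay
    if src_country != acct.home_country:
        flags.append("country_mismatch")    # the red flag the OP says was ignored
        release += timedelta(hours=24)      # longer hold gives the owner time to cancel
    log(acct, when, "withdraw_held", dest=dest, release=release,
        twofa=twofa_enabled_at(acct, when), flags=flags)
    return "HOLD", release, flags

def scenario():
    # Constructed timeline with placeholder addresses (not real ones).
    t0 = datetime(2013, 9, 12, 12, 0)
    acct = Account(home_country="US", withdraw_delay=timedelta(hours=12))
    request_address_change(acct, t0, "OWNER_ADDRESS_PLACEHOLDER")
    t1 = t0 + timedelta(hours=48)            # lockout elapsed: address is now locked in
    thief = evaluate_withdrawal(acct, t1, "ATTACKER_ADDRESS_PLACEHOLDER", "CN")
    abroad = evaluate_withdrawal(acct, t1, "OWNER_ADDRESS_PLACEHOLDER", "CN")
    log(acct, t1 + timedelta(hours=2), "2fa_enabled")  # 2FA turned on after the fact
    return {
        "thief_decision": thief[0],
        "abroad_flags": abroad[2],
        "abroad_hold_hours": (abroad[1] - t1).total_seconds() / 3600,
        "twofa_at_withdrawal": twofa_enabled_at(acct, t1),
        "twofa_later": twofa_enabled_at(acct, t1 + timedelta(hours=3)),
    }
```

The withdrawal to an address other than the locked-in one is rejected outright, the owner's own withdrawal from abroad is held 36 hours pending confirmation, and the log replay shows 2FA was off at the time of the withdrawal even though it is on afterwards.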
Han  (Newbie; Activity: 40, Merit: 0)
September 15, 2013, 09:04:39 PM  #80

I was wrong about the Bitcoin community not being able to do anything except wait for MtGox's response. We should POUND Mark Karpeles with demands for immediate updates to the situation to minimize the amount of time he has to potentially edit logs, which would also minimize the time JRam has to potentially edit his logs in response. Perhaps it's already too late.