ArticMine
Legendary
Offline
Activity: 2282
Merit: 1050
Monero Core Team
September 15, 2013, 09:19:57 PM
I am extremely shocked that MtGox does not have one simple security feature that I have asked for more than a year ago (when I still was willing to do business with MtGox):
Allow users to lock withdrawals to a single bitcoin address
And allow changes only with a signed message (PGP or a signed message from the current address) EDIT: or (per another suggestion in this thread) after waiting out a lockout period long enough for the real account owner to contest a request initiated by a hacker
This would virtually eliminate ALL the theft without ANY groundbreaking innovation (other than a small modicum of easily acquired common sense)
There might still be theft if the person gets their wallet stolen, but that's a burden that sits squarely on the user, and moves the risk completely out of MtGox's sphere of concern.
It will not solve the problem if the Bitcoin address is in a wallet that is on a compromised Microsoft Windows computer. One must keep in mind that the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.
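The "lock withdrawals to a single address" control proposed in the quoted post, modelled as an added example (not MtGox's code and not code from anyone in this thread). It assumes a 72-hour lockout period, which the thread does not specify, and uses a keyed HMAC as a stand-in for the PGP or bitcoin signed-message check so that it runs offline.

```python
# Added example, not MtGox code and not posted in this thread: a model of the
# "lock withdrawals to a single address" control described above. A signed
# request applies at once; an unsigned one waits out a lockout the owner can contest.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

LOCKOUT_SECONDS = 72 * 3600  # assumed length; the thread names no figure

@dataclass
class WithdrawalLock:
    locked_address: str
    verify: Callable[[str, str], bool]   # (message, signature) -> bool
    pending_address: Optional[str] = None
    pending_until: int = 0               # unix time the pending change applies

    def _settle(self, now: int) -> None:
        # An uncontested change takes effect once the lockout has run out.
        if self.pending_address is not None and now >= self.pending_until:
            self.locked_address, self.pending_address = self.pending_address, None

    def withdraw(self, dest: str, now: int) -> bool:
        """Only the locked address is a valid destination, whatever the session asks for."""
        self._settle(now)
        return dest == self.locked_address

    def request_change(self, new_address: str, now: int,
                       signature: Optional[str] = None) -> str:
        """'applied' for a valid signed request, 'pending' otherwise."""
        self._settle(now)
        message = f"set-withdrawal-address:{new_address}"
        if signature is not None and self.verify(message, signature):
            self.locked_address, self.pending_address = new_address, None
            return "applied"
        self.pending_address, self.pending_until = new_address, now + LOCKOUT_SECONDS
        return "pending"

    def contest(self, now: int) -> bool:
        """The owner rejects a pending change; False if nothing is pending."""
        self._settle(now)
        if self.pending_address is None:
            return False
        self.pending_address = None
        return True

# Stand-in for a real PGP or bitcoin signed-message check (assumption: an HMAC
# keyed with a secret only the wallet owner holds, so the example runs offline).
OWNER_KEY = b"constructed-owner-key"

def sign(message: str) -> str:
    return hmac.new(OWNER_KEY, message.encode(), hashlib.sha256).hexdigest()

def verify(message: str, signature: str) -> bool:
    return hmac.compare_digest(sign(message), signature)
```

A stolen session can therefore only queue a change that the owner sees and contests during the lockout, while a valid signature from the owner's own key changes the address without waiting.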
mpr20rt
September 15, 2013, 09:24:43 PM
Quote from: ArticMine
It will not solve the problem if the Bitcoin address is in a wallet that is on a compromised Microsoft Windows computer. One must keep in mind that the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.

Brain or paper wallets solve that.
ArticMine
Legendary
Offline
Activity: 2282
Merit: 1050
Monero Core Team
September 15, 2013, 09:27:11 PM
Quote from: mpr20rt
Brain or paper wallets solve that.

Not if they are created on an infected computer in the first place.
jedunnigan
September 15, 2013, 09:30:35 PM
Guys, keep the conversation on point.
JRam did you withdraw bitcoins recently?
JRam (OP)
Newbie
Offline
Activity: 31
Merit: 0
September 15, 2013, 09:32:17 PM (Last edit: September 15, 2013, 09:44:25 PM by JRam)
Quote from: jedunnigan
Guys, keep the conversation on point.
JRam did you withdraw bitcoins recently?

When I pumped BTCs into my account, my intention was to day trade. And I was day trading fairly well up to this point. I never had the need to withdraw any funds from my Mt. Gox account.

Quote from: ArticMine
It will not solve the problem if the Bitcoin address is in a wallet that is on a compromised Microsoft Windows computer. One must keep in mind that the theft is caused by malware on the user's computer in the first place. How is locking the account to a Bitcoin address on the same infected computer going to solve the problem? It only serves to create a false sense of security for the user.

If this was really malware on my PC, the logs would not show the Chinese IP address 60.166.242.186 accessing my account. After all, wouldn't it be more legitimate to simply use my own IP address to access my account? The notion that I just 'sat' on my Yubikey sent to me by Mt. Gox is just silly. I had no other use for this piece of junk. I wish I had the wisdom to save some of the images I posted so I could use them to catch Mt. Gox on an inconsistency later, but I think this is the end of the line for me on bitcoins. Now that I can't trust the largest BTC exchange, I think I'm done here. Although this might sound harsh to some, I won't be trying any other alternative cryptocurrencies since I see bitcoin as the gold standard. If I can't invest in bitcoins, I definitely can't invest in other alternatives. Thanks to anyone who helped and believed in my case. I will be pursuing this case a bit further with my local police department, but that will be it.
ArticMine
Legendary
Offline
Activity: 2282
Merit: 1050
Monero Core Team
September 15, 2013, 09:47:01 PM
Quote from: JRam
If this was really malware on my PC, the logs would not show the Chinese IP address 60.166.242.186 accessing my account. After all, wouldn't it be more legitimate to simply use my own IP address to access my account? The notion that I just 'sat' on my Yubikey sent to me by Mt. Gox is just silly. I had no other use for this piece of junk. I wish I had the wisdom to save some of the images I posted so I could use them to catch Mt. Gox on an inconsistency later, but I think this is the end of the line for me on bitcoins. Thanks to anyone who helped and believed in my case. I will be pursuing this case a bit further with my local police department, but that will be it.

The malware steals the credentials via, for example, a keylogger, and then sends them to the attacker in China. The attacker then logs into the account at MtGox with the stolen credentials from China. Even if the case can be made that the Yubikey was compromised, there still remains the fact that the computer was compromised by malware running on Microsoft Windows to obtain the login credentials and to compromise the Yubikey in the first place.
Han
Newbie
Offline
Activity: 40
Merit: 0
September 15, 2013, 09:49:18 PM
Quote from: JRam
When I pumped BTCs into my account, my intention was to day trade. And I was day trading fairly well up to this point. I never had the need to withdraw any funds from my Mt. Gox account.

If this was really malware on my PC, the logs would not show the Chinese IP address 60.166.242.186 accessing my account. After all, wouldn't it be more legitimate to simply use my own IP address to access my account? The notion that I just 'sat' on my Yubikey sent to me by Mt. Gox is just silly. I had no other use for this piece of junk. I wish I had the wisdom to save some of the images I posted so I could use them to catch Mt. Gox on an inconsistency later, but I think this is the end of the line for me on bitcoins. Now that I can't trust the largest BTC exchange, I think I'm done here. Although this might sound harsh to some, I won't be trying any other alternative cryptocurrencies since I see bitcoin as the gold standard. If I can't invest in bitcoins, I definitely can't invest in other alternatives. Thanks to anyone who helped and believed in my case. I will be pursuing this case a bit further with my local police department, but that will be it.

Yes, filing a police report and posting proof of it would also bolster your credibility against Gox, as filing a false report is fraud.
Ghostofkobra
September 15, 2013, 10:08:04 PM
One mistake I made in my police report was that I said I did not think MtGox took the money. Then the police didn't investigate much at all, and did not put any pressure on Gox to solve the issue whatsoever. If you are not 110% sure no one at Gox is involved, do NOT say you don't think it's Gox.
My account was cleaned out about a year ago, and MtGox's logs showed that no one was logged on when the withdrawal was made. Everyone pointed at this auth stuff for security, but now the same or some other security flaw has surfaced for a Yubikey user.
But I am guessing this will get the usual "We only talk to the police" answer from Gox.
I hope that I am wrong, that you get your cash refunded, they find and patch the hole and eventually catch the thieves.
joesmoe2012
September 15, 2013, 10:32:42 PM
Seems this guy didn't enable 2FA until after the attack.
Han
Newbie
Offline
Activity: 40
Merit: 0
September 15, 2013, 10:46:06 PM
Quote from: joesmoe2012
Seems this guy didn't enable 2FA until after the attack.

Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2FA, then re-enabled it after he was done.
solex
Legendary
Offline
Activity: 1078
Merit: 1006
100 satoshis -> ISO code
September 15, 2013, 11:08:24 PM
Quote from: Han
Right now, both he and Mark Karpeles could be telling the truth if the attacker disabled 2FA, then re-enabled it after he was done.

2FA on withdrawal is pointless if it can be disabled after login. My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownership is re-verified and MtGox enables a replacement Yubikey.
01BTC10
VIP
Hero Member
Offline
Activity: 756
Merit: 503
September 15, 2013, 11:09:22 PM
Quote from: solex
2FA on withdrawal is pointless if it can be disabled after login. My understanding is that once Yubikey is enabled on MtGox for withdrawals it can't be disabled (by the user), hence the multi-week delay for lost/broken Yubikeys while account ownership is re-verified and MtGox enables a replacement Yubikey.

It can be disabled with the OTP code.
solex
Legendary
Offline
Activity: 1078
Merit: 1006
100 satoshis -> ISO code
September 15, 2013, 11:29:05 PM
Quote from: 01BTC10
It can be disabled with the OTP code.

But only by using the Yubikey...
01BTC10
VIP
Hero Member
Offline
Activity: 756
Merit: 503
September 15, 2013, 11:29:53 PM
Quote from: solex
But only by using the Yubikey...

Exactly. I did it when I changed my Google Authenticator because I wanted to back up the seed.
joesmoe2012
September 15, 2013, 11:35:00 PM
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC; it's not even worth the attention it brings... 2FA works fine, the OP enabled 2FA after the attack. That simple.
jedunnigan
September 16, 2013, 03:58:58 AM
Quote from: joesmoe2012
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC; it's not even worth the attention it brings... 2FA works fine, the OP enabled 2FA after the attack. That simple.

He is claiming otherwise. Although you are right, we would probably see evidence of more 2FA heists if the OP's claim is true. Perhaps this was a test run. Perhaps it's just a Gox troll. Logs would be nice (from Gox), at the very least. Perhaps you can pull logs from the Yubikey, idk if that is at all possible. At the end of the day the logs could be tampered with by either party, so there is no way to know for sure. If this is a lie by the OP we would need to find a motive, perhaps another exchange spreading FUD.
ardana123
September 16, 2013, 07:41:11 AM
Come on... Why are people even thinking Gox would be a possible scenario in this... I don't think they would go through all that just to steal 29 BTC o_O
Han
Newbie
Offline
Activity: 40
Merit: 0
September 16, 2013, 09:54:40 AM
Highly unlikely that Gox stole the BTC. The focus on Gox is whether they had a security flaw/bug that wasn't patched at the time of the supposed hack and won't reveal until they fix it/wait long enough without incident for everyone to forget. I'm OK with the last scenario b/c it means that the event is a very low probability one, although we can't be sure until much time passes.
samson
Legendary
Offline
Activity: 2097
Merit: 1070
September 16, 2013, 10:58:57 AM
I think an email verification link to click, in addition to entering the OTP, would be better than just the OTP on its own when a withdrawal is made.
This option should be made available ASAP. I'm not sure if it would make any difference to the Yubikey users but it would definitely add an additional layer of security if the Google Authenticator private key was leaked.
I wonder if something like this is planned for when the major long planned upgrade is rolled out.
BitCoinNutJob
Legendary
Offline
Activity: 1316
Merit: 1000
September 16, 2013, 12:27:47 PM
Do Yubikeys punch in the same code each time? Mine always looks very similar. What's stopping a virus from just stealing the Yubikey code?