ardana123
September 16, 2013, 12:30:42 PM
It's a unique code each time, and every code is only valid once.

jedunnigan
September 16, 2013, 01:34:13 PM
Quote from: ardana123
It's a unique code each time, and every code is only valid once.

Unless 2FA has been implemented poorly. There have been cases where Yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first Gox 2FA breach I have heard of, though (unless of course he is lying about having the 2FA set up).

Ente | Legendary | Activity: 2126 | Merit: 1001
September 16, 2013, 03:22:43 PM
Quote from: ardana123
It's a unique code each time, and every code is only valid once.

Quote from: jedunnigan
Unless 2FA has been implemented poorly. There have been cases where Yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first Gox 2FA breach I have heard of, though (unless of course he is lying about having the 2FA set up).

You can always do a MITM (man-in-the-middle) attack: the trojan intercepts the OTP, Yubikey code, SMS code, whatever, when it is used by the user. Then it either uses it to directly steal the funds or, a bit more cleverly, to deactivate the Yubikey. Then it redoes the action the user intended to do with the code, since then there is no Yubikey needed any more.

Even additional layers of security may not help once your computer is infiltrated. How about stealing that additional mail right out of the mail client? How about faking the whole MtGox site and stealing/relaying/editing at will? That additional layer might even put the user in a false sense of security.

Only one thing really helps: transaction-dependent one-time codes. I have that on my online banking, for example. I create my wire transfer, this creates a unique "challenge", which is read (via flicker code, think animated QR) by my TAN generator. This one displays the address and amount to transfer for verification, and creates a response code. The device can't be hacked (reasonably), as it is very low-level and has no connection whatsoever except a flicker sensor. If the data is manipulated on my computer at any point, either the display on the device will show it, or the generated response code will not match and will not work. This is, until now, the only system I am aware of which is failsafe (as long as you watch the display).

This is slightly OT I guess. Long story short: MtGox, Yubikey, Google Authenticator, they all are pretty much useless once dedicated software owns your computer.

Ente

JRam (OP) | Newbie | Activity: 31 | Merit: 0
September 16, 2013, 07:55:21 PM
Quote:
If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, not even worth the attention it brings... 2FA works fine, the OP enabled 2FA after the attack. That simple.

Quote:
He is claiming otherwise. Although you are right, we would probably see evidence of more 2FA heists if the OP's claim is true. Perhaps this was a test run. Perhaps it's just a Gox troll. Logs would be nice (from Gox), at the very least. Perhaps you can pull logs from the Yubikey, idk if that is at all possible. At the end of the day the logs could be tampered with by either party, so there is no way to know for sure. If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.

Gox has my real info, they can verify if I'm associated with another exchange or not. You're right about seeing evidence of more 2FA heists, though, since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local PD in addition to contacting my attorney general.

Deprived
September 16, 2013, 08:21:45 PM
Quote:
Do Yubikeys punch in the same code each time? Mine always looks very similar. What's stopping a virus from just stealing the Yubikey code?

They look similar because the first 12 characters ARE the same every time - they identify the key. The remainder, which is the sequence number + OTP plus checksum, is different each time. If you're seeing them in a small input box which only displays the start of the key then it'll always look the same.
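The layout described above, as an added example that is not from the thread and not Yubico's own code: a Yubico OTP is 44 modhex characters, a 12-character public ID followed by 32 characters encoding a 16-byte block that the key encrypts with a per-key AES-128 secret. The block carries the key's private UID, a non-volatile use counter, a timestamp, a per-session counter, random padding and a CRC-16, so a validation server that remembers the last counters it saw rejects any code it has seen before. The modhex alphabet, field layout and CRC-16 (reflected polynomial 0x8408, residual 0xF0B8) follow the published Yubico OTP format; AES-128-ECB is replaced by a labelled XOR stand-in so the block runs with the standard library alone, and the public ID, key and UID are constructed.

```python
"""Added example (not from the thread or from Yubico): parse and validate a
Yubico-style OTP and show why replaying a captured one fails. AES-128 is
replaced by a labelled XOR stand-in; the format details are the public ones."""
import struct

MODHEX = "cbdefghijklnrtuv"    # Yubico's keyboard-layout-independent hex digits
CRC_OK_RESIDUAL = 0xF0B8        # CRC-16 over all 16 bytes, CRC field included


def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not modhex")
    nibbles = [MODHEX.index(c) for c in s]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def crc16(data: bytes) -> int:
    """CRC-16 as used by the YubiKey (reflected poly 0x8408, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def toy_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128-ECB under the key's secret: XOR only, NOT secure,
    chosen so the example needs no third-party library."""
    return bytes(a ^ b for a, b in zip(key, block))


def make_otp(public_id: str, key: bytes, uid: bytes, use_ctr: int,
             session_ctr: int, tstamp: int = 0x123456, rnd: int = 0xBEEF) -> str:
    """Simulated key press: 6-byte UID, use counter, 24-bit timestamp,
    session counter, random, then CRC; encrypt; prefix the public ID."""
    body = uid + struct.pack("<HHBBH", use_ctr, tstamp & 0xFFFF, tstamp >> 16,
                             session_ctr, rnd)
    token = body + struct.pack("<H", ~crc16(body) & 0xFFFF)
    return public_id + modhex_encode(toy_cipher(key, token))   # XOR is its own inverse


class Validator:
    """The per-key state a validation server keeps; enough to reject replays."""

    def __init__(self, keys: dict):
        self.keys = keys        # public_id -> (aes_key, uid), provisioned out of band
        self.last = {}          # public_id -> (use_ctr, session_ctr) last accepted

    def verify(self, otp: str) -> str:
        if len(otp) != 44:
            return "bad-length"
        public_id, body = otp[:12], otp[12:]        # the 12 chars that never change
        if public_id not in self.keys:
            return "unknown-key"
        key, uid = self.keys[public_id]
        token = toy_cipher(key, modhex_decode(body))
        if crc16(token) != CRC_OK_RESIDUAL:
            return "bad-crc"        # wrong key, corruption or tampering
        if token[:6] != uid:
            return "bad-uid"        # decrypts, but not this key's private ID
        use_ctr, _, _, session_ctr, _ = struct.unpack("<HHBBH", token[6:14])
        if (use_ctr, session_ctr) <= self.last.get(public_id, (-1, -1)):
            return "replayed"       # counters only move forward on the device
        self.last[public_id] = (use_ctr, session_ctr)
        return "ok"


def demo() -> list:
    """Constructed key: first press accepted, replay rejected, next press
    accepted, a one-character edit fails the CRC, old code still rejected."""
    public_id, key, uid = "ccccccbcgujh", bytes(range(16)), b"\x01\x02\x03\x04\x05\x06"
    v = Validator({public_id: (key, uid)})
    first = make_otp(public_id, key, uid, use_ctr=5, session_ctr=0)
    second = make_otp(public_id, key, uid, use_ctr=5, session_ctr=1)
    tampered = first[:-1] + ("c" if first[-1] != "c" else "b")
    return [v.verify(first), v.verify(first), v.verify(second),
            v.verify(tampered), v.verify(first)]
```

The replay check is the whole point of the counters: a virus that captures one code gets one withdrawal at most, and only if it submits before the user does. What it does not protect against is the trojan using that single code for its own action, which is the relay described earlier in the thread.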

Han | Newbie | Activity: 40 | Merit: 0
September 16, 2013, 09:58:29 PM
Quote from: Ente on September 16, 2013, 03:22:43 PM

Indeed, given what JRam and Karpeles have said so far, they can both be telling the truth if the attacker disabled 2FA, then re-enabled it afterwards.

VossArtesian | Newbie | Activity: 7 | Merit: 0
September 17, 2013, 03:53:51 AM
Quote from: JRam on September 16, 2013, 07:55:21 PM

FACT: Mt.Gox did not steal your coins. They can literally print all the goxUSD and trading BTC they want, and can be much more discreet, without leaving a paper trail.

jedunnigan
September 17, 2013, 04:36:16 AM
Quote from: VossArtesian on September 17, 2013, 03:53:51 AM

Read the thread, man, this has been addressed many times. No one really thinks they stole it. We want to see if there is an issue with the 2FA implementation.

Stephen Gornick | Legendary | Activity: 2506 | Merit: 1010
September 17, 2013, 04:37:13 AM
Quote from: JRam
For now, I have filed a police report with my local PD in addition to contacting my attorney general.

The statement by MagicalTux of Mt. Gox was that 2FA was added after the withdrawal. I'd love to see your police report.

btcdrak | Legendary | Activity: 1064 | Merit: 1000
September 17, 2013, 02:06:56 PM
Well it's officially a scam now:

BtcDrak @btcdrak: @MagicalTux Yeah, funny ref the other case, was the Yubikey also off? He lists Google Auth and Yubikey. People need to know for confidence - 17 Sep

Mark Karpeles @MagicalTux: @btcdrak what I can say for sure right now is that the currently enabled OTPs were enabled after the withdrawals.

The OP shows both OTP and Yubikey enabled. End of story for me.

Han | Newbie | Activity: 40 | Merit: 0
September 17, 2013, 05:52:44 PM
Quote from: btcdrak on September 17, 2013, 02:06:56 PM

Nope, based on EVERYTHING that both parties have asserted as FACT so far (i.e. not including any of their speculations), they could both be telling the truth if the attacker disabled, then re-enabled 2FA. Now if Karpeles were to clarify that 2FA was never enabled until after the hack, then one of them is no longer telling the truth, or is at least factually incorrect. Mark's careful language here, "currently enabled OTPs", suggests that there may have been previously enabled OTPs as well. He ought to clarify.

samson | Legendary | Activity: 2097 | Merit: 1070
September 17, 2013, 05:55:14 PM
Quote from: Han on September 17, 2013, 05:52:44 PM

+1, clarification is needed here.

marcovaldo
September 17, 2013, 09:27:07 PM
Seems like a fake... Can we have some proof/logs?

quentinn | Newbie | Activity: 47 | Merit: 0
September 22, 2013, 05:36:33 PM
Updates?

pinger | Legendary | Activity: 1512 | Merit: 1001
September 22, 2013, 05:43:35 PM
I think no updates means it's a fake. It's really a threat if it is real.