Bitcoin Forum
Author Topic: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen  (Read 8578 times)
ardana123
September 16, 2013, 12:30:42 PM
 #101

it's a unique code each time. and every code is only valid once
jedunnigan
September 16, 2013, 01:34:13 PM
 #102

it's a unique code each time. and every code is only valid once

Unless 2FA has been implemented poorly. There have been cases where yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first gox 2fa breach I have heard of though (unless of course he is lying about having the 2fa setup).
Ente
September 16, 2013, 03:22:43 PM
 #103

it's a unique code each time. and every code is only valid once

Unless 2FA has been implemented poorly. There have been cases where yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first gox 2fa breach I have heard of though (unless of course he is lying about having the 2fa setup).

You can always do a MITM, man-in-the-middle attack:
The trojan intercepts the OTP, yubikey-code, sms-code, whatever, when it is used by the user. Then it either uses it to directly steal the funds, or, a bit more clever, to deactivate the yubikey. Then it redoes the action the user intended to do with the code, since then there is no yubikey needed any more.
Even additional layers of security may not help once your computer is infiltrated. How about stealing that additional mail right out of the mail client? How about faking the whole MtGox site and stealing/relaying/editing at will? That additional layer might even put the user in a false sense of security.

Only one thing really helps: Transaction-dependent one-time codes. I have that on my online banking, for example. I create my wire transfer, this creates a unique "challenge", which is read (via flicker-code, think animated QR) by my TAN generator. This one displays the address and amount to transfer for verification, and creates a response-code. The device can't be hacked (reasonably), as it is very low-level and has no connection whatsoever except a flicker-sensor. If the data is manipulated on my computer at any point, either the display on the device will show it, or the generated response code will not match and will not work.
This is, until now, the only system I am aware of which is failsafe (as long as you watch the display).

This is slightly OT I guess.
Long story short:
MtGox, Yubikey, Google Authenticator, they all are pretty much useless once a dedicated software owns your computer.

Ente
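
The transaction-dependent code described in post #103, sketched as an added example that is not part of the thread and not the scheme of any real bank, TAN generator or Mt.Gox. The HMAC construction, the shared `DEVICE_KEY`, the 8-digit truncation and the address labels are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DEVICE_KEY = secrets.token_bytes(32)  # constructed: secret shared by server and device


def _bind(*fields: bytes) -> bytes:
    """Length-prefix each field so field boundaries cannot be shifted."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def _code(key: bytes, message: bytes, digits: int = 8) -> str:
    """HMAC-SHA256 over the message, truncated to a decimal code."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


def device_response(key: bytes, challenge: bytes, address: str, amount: str):
    """Offline device: show what is being signed, then derive the response."""
    shown = f"send {amount} BTC to {address}"
    return shown, _code(key, _bind(challenge, address.encode(), amount.encode()))


def server_verify(key, challenge, address, amount, response) -> bool:
    """Server recomputes over the transfer it is actually about to execute."""
    expected = _code(key, _bind(challenge, address.encode(), amount.encode()))
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    key, challenge = DEVICE_KEY, secrets.token_bytes(16)  # challenge is fresh per transfer
    intended, swapped, amount = "ADDR-USER-INTENDED", "ADDR-SWAPPED-ON-HOST", "29.0"
    shown, code = device_response(key, challenge, intended, amount)
    # Host rewrites the destination before the device reads the challenge:
    # the device display is the only place the user can notice it.
    shown_swapped, _ = device_response(key, challenge, swapped, amount)
    return {
        "display_honest": shown,
        "honest_accepted": server_verify(key, challenge, intended, amount, code),
        # Host rewrites the destination after the user approved: code no longer matches.
        "swapped_after_approval_accepted": server_verify(key, challenge, swapped, amount, code),
        "display_when_swapped_before": shown_swapped,
        # Same code presented against a later challenge is rejected.
        "replayed_accepted": server_verify(key, secrets.token_bytes(16), intended, amount, code),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The code only protects the transfer because the server verifies it against the address and amount it will execute; a code computed over the challenge alone would authenticate the session and say nothing about the destination.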
JRam (OP)
September 16, 2013, 07:55:21 PM
 #104

If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  
He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OP's claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  

Gox has my real info, they can verify if I'm associated to another exchange or not. You're right about seeing evidence of more 2fa heists though, since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local pd in addition to contacting my attorney general.
Deprived
September 16, 2013, 08:21:45 PM
 #105

Do yubikeys punch in the same code each time? Mine always looks very similar. What's stopping a virus from just stealing the yubikey code?

They look similar because the first 12 characters ARE the same every time - they identify the key.  The remainder, which is the sequence number + OTP plus check-sum is different each time.  If you're seeing them in a small input box which only displays the start of the key then it'll always look the same.
Han
September 16, 2013, 09:58:29 PM
 #106

it's a unique code each time. and every code is only valid once

Unless 2FA has been implemented poorly. There have been cases where yubikeys have been compromised on blockchain.info, allowing the attacker to get the seed (or reuse codes, can't remember); this is the first gox 2fa breach I have heard of though (unless of course he is lying about having the 2fa setup).

You can always do a MITM, man-in-the-middle attack:
The trojan intercepts the OTP, yubikey-code, sms-code, whatever, when it is used by the user. Then it either uses it to directly steal the funds, or, a bit more clever, to deactivate the yubikey. Then it redoes the action the user intended to do with the code, since then there is no yubikey needed any more.
Even additional layers of security may not help once your computer is infiltrated. How about stealing that additional mail right out of the mail client? How about faking the whole MtGox site and stealing/relaying/editing at will? That additional layer might even put the user in a false sense of security.

Only one thing really helps: Transaction-dependent one-time codes. I have that on my online banking, for example. I create my wire transfer, this creates a unique "challenge", which is read (via flicker-code, think animated QR) by my TAN generator. This one displays the address and amount to transfer for verification, and creates a response-code. The device can't be hacked (reasonably), as it is very low-level and has no connection whatsoever except a flicker-sensor. If the data is manipulated on my computer at any point, either the display on the device will show it, or the generated response code will not match and will not work.
This is, until now, the only system I am aware of which is failsafe (as long as you watch the display).

This is slightly OT I guess.
Long story short:
MtGox, Yubikey, Google Authenticator, they all are pretty much useless once a dedicated software owns your computer.

Ente

Indeed, given what JRam and Karpeles have said so far, they can both be telling the truth if the attacker disabled 2fa, then re-enabled it afterwards.
VossArtesian
September 17, 2013, 03:53:51 AM
 #107

If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  
He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OP's claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  

Gox has my real info, they can verify if I'm associated to another exchange or not. You're right about seeing evidence of more 2fa heists though, since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local pd in addition to contacting my attorney general.

FACT:
Mt.Gox did not steal your coins.  They can literally print all the goxUSD, and trading BTC they want, and can be much more discreet, without leaving a paper trail. 
jedunnigan
September 17, 2013, 04:36:16 AM
 #108

If someone were going to start attacking MtGox accounts, they aren't going to steal 29 BTC, et even worth the attention it brings... 2FA works fine, the OP enabled 2FA after attack. That simple.  
He is claiming otherwise. Although you are right, we would probably see evidence of more 2fa heists if the OP's claim is true. Perhaps this was a test run. Perhaps it's just a gox troll.

Logs would be nice (from gox), at the very least. Perhaps you can pull logs from the yubikey, idk if that is at all possible. In the end of the day the logs could be tampered with by either party so there is no way to know for sure.

If this is a lie by the OP we would need to find motive, perhaps another exchange spreading FUD.  

Gox has my real info, they can verify if I'm associated to another exchange or not. You're right about seeing evidence of more 2fa heists though, since my incident shouldn't be an isolated incident. For now, I have filed a police report with my local pd in addition to contacting my attorney general.

FACT:
Mt.Gox did not steal your coins.  They can literally print all the goxUSD, and trading BTC they want, and can be much more discreet, without leaving a paper trail. 

Read the thread man, this has been addressed many times. No one really thinks they stole it. We want to see if there is an issue with the 2FA implementation.
Stephen Gornick
September 17, 2013, 04:37:13 AM
 #109

For now, I have filed a police report with my local pd in addition to contacting my attorney general.

The statement by MagicalTux of Mt. Gox was that 2FA was added after the withdrawal.  I'd love to see your police report.

btcdrak
September 17, 2013, 02:06:56 PM
 #110

Well it's officially a scam now:

Quote
BtcDrak
@btcdrak
            
@MagicalTux Yeah, funny Smiley ref the other case, was the Yubikey also off? He lists Google Auth and Yubikey. People need to know for confidence - 17 Sep
   
Mark Karpeles
@MagicalTux
    
@btcdrak what I can say for sure right now is that the currently enabled otps were enabled after the withdrawals.

The OP shows both OTP and Yubikey enabled.

End of story for me.
Han
September 17, 2013, 05:52:44 PM
 #111

Well it's officially a scam now:

Quote
BtcDrak
@btcdrak
            
@MagicalTux Yeah, funny Smiley ref the other case, was the Yubikey also off? He lists Google Auth and Yubikey. People need to know for confidence - 17 Sep
   
Mark Karpeles
@MagicalTux
    
@btcdrak what I can say for sure right now is that the currently enabled otps were enabled after the withdrawals.

The OP shows both OTP and Yubikey enabled.

End of story for me.

Nope, based on EVERYTHING that both parties have asserted as FACT so far (i.e. not including any of their speculations), they could both be telling the truth if the attacker disabled, then re-enabled 2fa. Now if Karpeles were to clarify that 2fa was never enabled until after the hack, then one of them is no longer telling the truth, or is at least factually incorrect. Mark's careful language here, "currently enabled otps", suggests that there may have been previously enabled otps as well. He ought to clarify.
samson
September 17, 2013, 05:55:14 PM
 #112

Well it's officially a scam now:

Quote
BtcDrak
@btcdrak
            
@MagicalTux Yeah, funny Smiley ref the other case, was the Yubikey also off? He lists Google Auth and Yubikey. People need to know for confidence - 17 Sep
   
Mark Karpeles
@MagicalTux
    
@btcdrak what I can say for sure right now is that the currently enabled otps were enabled after the withdrawals.

The OP shows both OTP and Yubikey enabled.

End of story for me.

Nope, based on EVERYTHING that both parties have asserted as FACT so far (i.e. not including any of their speculations), they could both be telling the truth if the attacker disabled, then re-enabled 2fa. Now if Karpeles were to clarify that 2fa was never enabled until after the hack, then one of them is no longer telling the truth, or is at least factually incorrect. Mark's careful language here, "currently enabled otps", suggests that there may have been previously enabled otps as well. He ought to clarify.

+1 clarification is needed here.
marcovaldo
September 17, 2013, 09:27:07 PM
 #113

Seems like a fake ...
Can we have some proofs/logs?

quentinn
September 22, 2013, 05:36:33 PM
 #114

Updates?
pinger
September 22, 2013, 05:43:35 PM
 #115

I think no updates means it's a fake. It's really a threat if it is real.
