Bitcoin Forum
November 13, 2024, 11:53:13 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2] 3 4 5 6 7 8 9 »  All
  Print  
Author Topic: MtGox account compromised  (Read 110457 times)
Garrett Burgwardt
Sr. Member
****
Offline Offline

Activity: 406
Merit: 256


View Profile
February 01, 2011, 01:08:49 AM
 #21

True, but I'm not worth attacking. Somone intent on stealing bitcoins would go after mtgox and mybitcoin accounts before trying to find me.
caveden
Legendary
*
Offline Offline

Activity: 1106
Merit: 1004



View Profile
February 01, 2011, 08:05:31 AM
 #22

2. Google keepass, download install (on clean system), use.
3. If you can remember a password it is too weak. Generate all your passwords, do not reuse the passwords.

Okay, but then you need to store your passwords somewhere, and you'll want to encrypt them... then you need a password-protected key... in a moment you'll have to remember one good password at least...

But yeah, having generated password for sites seems a good idea...
caveden
Legendary
*
Offline Offline

Activity: 1106
Merit: 1004



View Profile
February 01, 2011, 08:08:46 AM
 #23

mtgox should not have allowed dictionary attacks to take place. Ask them to sort this out for you.

Normally security-sensitive sites like banks block an account after a number of unsuccessful login attempts, and then require some sort of positive identification to unblock.
Another interesting thing is doing like facebook, which asks several questions each time you login form an "unusual" IP... it would probably be useless for Tor users as they would not have an "usual" IP in the first place, but it's something.

These things are annoying but it's quite less annoying than having your account stolen like that...
tcatm
Sr. Member
****
Offline Offline

Activity: 337
Merit: 285


View Profile
February 01, 2011, 08:11:37 AM
 #24

Offtopic: For easy to remember and secure passwords https://www.pwdhash.com/ works pretty good. There are browser extensions for most browsers.
Mike Hearn
Legendary
*
Offline Offline

Activity: 1526
Merit: 1134


View Profile
February 01, 2011, 09:57:05 AM
 #25

MtGox could/should also implement Facebook/Google logins. These companies provide "industrial strength" authentication systems that are secure against things like dictionary attacks, password theft etc. Might as well reuse their investment.
ribuck
Donator
Hero Member
*
Offline Offline

Activity: 826
Merit: 1060


View Profile
February 01, 2011, 10:24:56 AM
 #26

MtGox could/should also implement Facebook/Google logins.

Good idea. OpenID, in other words.

Google even offers two-factor authentication to some of its users (password plus mobile phone confirmation).
bitdragon
Hero Member
*****
Offline Offline

Activity: 609
Merit: 501


peace


View Profile WWW
February 01, 2011, 10:57:03 AM
 #27

please explain as many are more proficient than myself in this area:
using facebook login? that is the facebook connect thing? so that you could login to mtgox using fb credentials? doesn't sound very appealing... does that mean that :
a) fb can login to your mtgox as they authenticate your credentials?
b) prone to censorship if fb decides a site is no good and does not let you login?
c) same password for all sites, thus you compromise all accounts if one pwd is lost?

thank you for your help in understanding;

Nefario
Hero Member
*****
Offline Offline

Activity: 602
Merit: 513


GLBSE Support support@glbse.com


View Profile WWW
February 01, 2011, 11:00:12 AM
 #28

MtGox could/should also implement Facebook/Google logins.

Good idea. OpenID, in other words.

Google even offers two-factor authentication to some of its users (password plus mobile phone confirmation).

Or he should not use passwords at all an use gpgauth.

http://www.curetheitch.com/projects/gpgauth/

Right now there is no working plugin for browser but there should be soon, from what I have read. It is also not just a technology, program but a process, protocol for authentication.

Password based authentication has many weaknesses, a move to keypair based authentication is the better thing to do. Then things like dictionary attacks, stealing passwords after breaking in, and rainbow attacks, and storing passwords will not be a problem.

Any news from mtgox and getting his bitcoins back?

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
mtgox
Full Member
***
Offline Offline

Activity: 185
Merit: 102


View Profile WWW
February 01, 2011, 11:32:44 AM
 #29


> Any news from mtgox and getting his bitcoins back?

Yeah it is unfortunate. I've contacted Liberty Reserve about it. I fixed it so they can't use this attack anymore. I think his and one other account (I've emailed you) were the only two compromised. Anyone with a decent password would be safe.

Mike Hearn
Legendary
*
Offline Offline

Activity: 1526
Merit: 1134


View Profile
February 01, 2011, 12:18:45 PM
 #30

please explain as many are more proficient than myself in this area:
using facebook login? that is the facebook connect thing? so that you could login to mtgox using fb credentials? doesn't sound very appealing... does that mean that :
a) fb can login to your mtgox as they authenticate your credentials?
b) prone to censorship if fb decides a site is no good and does not let you login?
c) same password for all sites, thus you compromise all accounts if one pwd is lost?

thank you for your help in understanding;

a) Yes

b) Yes

c) Yes

However, a lot of account hijacking takes place because third party sites are compromised. Facebook is very, very unlikely to be hacked in the same way that MtGox or PlentyOfFish is hacked. If you have a robust password and use a major ID provider to log into sites with, you're at risk of malware and maybe if you don't pay attention phishing, but otherwise you won't be hit by third party site breakins. That's what you want.

Of course you can also create a new password for every single website, but most people don't do that, it's too inconvenient.
slush
Legendary
*
Offline Offline

Activity: 1386
Merit: 1097



View Profile WWW
February 01, 2011, 12:28:50 PM
 #31

Facebook is very, very unlikely to be hacked in the same way that MtGox or PlentyOfFish is hacked.

I'm not paranoic, but don't trust anyone's security just because it's big player. Facebook logins can be hacked, too. Personally I also use facebook login to some pages, but I'll think twice to use it for my bank account login (which mtgox is)...

ribuck
Donator
Hero Member
*
Offline Offline

Activity: 826
Merit: 1060


View Profile
February 01, 2011, 12:37:58 PM
 #32

c) same password for all sites, thus you compromise all accounts if one pwd is lost?
Yes, although in practice most people already compromise (almost) all accounts if they lose the password to their email account, due to the easy availability of password reminder/reset facilities.

A bank does need something more than most other sites. I would be happy to pay a fee to have two-factor authentication on my MtGox account.
sirius
Bitcoiner
Sr. Member
****
Offline Offline

Activity: 429
Merit: 1002



View Profile
February 01, 2011, 12:57:48 PM
 #33

A bank does need something more than most other sites. I would be happy to pay a fee to have two-factor authentication on my MtGox account.

My bank snail mails lists of 300 one-use keys you need when logging in. A quicker but perhaps more expensive option is to send the keys in SMS.

Iris — for better social networks
I'm not a forum admin - please contact theymos instead.
barbarousrelic
Hero Member
*****
Offline Offline

Activity: 675
Merit: 502


View Profile
February 01, 2011, 01:27:11 PM
 #34

So were the hacked accounts and the extremely high-value Bitcoin transactions related or not?

Do not waste your time debating whether Bitcoin can work. It does work.

"Early adopters will profit" is not a sufficient condition to classify something as a pyramid or Ponzi scheme. If it was, Apple and Microsoft stock are Ponzi schemes.

There is no such thing as "market manipulation." There is only buying and selling.
ribuck
Donator
Hero Member
*
Offline Offline

Activity: 826
Merit: 1060


View Profile
February 01, 2011, 01:31:09 PM
 #35

So were the hacked accounts and the extremely high-value Bitcoin transactions related or not?
It seems unlikely, because the hacker apparently sold bitcoins. This would have tended to lower the MtGox price, not raise it.
Nefario
Hero Member
*****
Offline Offline

Activity: 602
Merit: 513


GLBSE Support support@glbse.com


View Profile WWW
February 01, 2011, 01:31:39 PM
 #36

A bank does need something more than most other sites. I would be happy to pay a fee to have two-factor authentication on my MtGox account.

My bank snail mails lists of 300 one-use keys you need when logging in. A quicker but perhaps more expensive option is to send the keys in SMS.

An application for your mobile phone that generates a lot of one time passwords, and then encrypts using the servers public key and sends the list to the server to be used. You can then use the passwords when you need, as long as you don't lose your phone.

But I think authentication using public/private keys is better, as long as you don't lose your key or let it get compromised.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
sandos
Sr. Member
****
Offline Offline

Activity: 440
Merit: 250


#SWGT CERTIK Audited


View Profile
February 01, 2011, 02:19:21 PM
 #37

When was this bruteforcing done? I have a weird (I think) transaction on my mt gox account:

Code:
When	           Type	          Description	Delta BTC	Delta USD	Total BTC	Total USD
01/24/11 00:17 Payment Process   united         0 0         0          0

riX
Sr. Member
****
Offline Offline

Activity: 326
Merit: 254



View Profile
February 01, 2011, 04:02:59 PM
 #38

When was this bruteforcing done? I have a weird (I think) transaction on my mt gox account:

Code:
When	           Type	          Description	Delta BTC	Delta USD	Total BTC	Total USD
01/24/11 00:17 Payment Process   united         0 0         0          0

Me too: (Where it says "Withdraw Paypal" I actually withdrew some LRUSD to Liberty Reserve..)

Code:
When		Type		Description		Delta BTC	Delta USD	Total BTC	Total USD
01/30/11 18:54 Withdraw Paypal U------- 0 -x.x x.x x.x
01/30/11 --:-- Sold BTC xxx.xx for 0.xxxx -x.x x.x x.x x.x
01/30/11 --:-- Sold BTC xxx.xx for 0.xxxx -x.x x.x x.x x.x
01/24/11 15:00 Payment Process united 0 0 x.x x.x
01/24/11 00:17 Payment Process united 0 0 x.x x.x
01/23/11 --:-- Withdraw BTC --- -x.x 0 x.x x.x

Sorry, I can't help you with your lost password.

PGP key: 0x9F31802C79642F25
Anonymous
Guest

February 01, 2011, 04:05:23 PM
 #39

Alright, who do we go to for an accurate exchange rate now?
Astro
Sr. Member
****
Offline Offline

Activity: 284
Merit: 250



View Profile
February 01, 2011, 05:00:44 PM
 #40

Any site that stores or trades bitcoins should implement the option of some kind of security token or OTP technology.  I've had good success with Yubikeys.

http://www.yubico.com/yubikey
Pages: « 1 [2] 3 4 5 6 7 8 9 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!