fabianhjr (Sr. Member) | February 01, 2011, 05:48:15 PM
 
> Captcha is better than nothing. Do the ad ones and make a few pennies off the hackers.
> Store a column on the table for failed attempts. If the count > 5 then require a captcha with the password. On a successful login, reset the count.
>
> If the count, say, gets over 50, lock the account for verification, or run a cron to reset it on a daily basis.
>
> Another flag inside the account when they first log in could show these hack attempts, something along the lines of "57 attempts to log in to your account were done prior to this login from IP: " etc... Tor IPs of course won't be very helpful.
>
> Last login from IP can also be helpful if people pay attention to it and normally log in from a similar address.
>
> None of that makes it bulletproof, but it certainly makes it easier to quickly spot an issue. Needless to say, your password shouldn't be "password" for something that stores money in it.

You _never_ lock based on an account. You _lock_ based on the IP address the request came from. (Look into the account lockout denial of service attack.)
ElectricGoat (Newbie) | February 01, 2011, 05:53:56 PM
 
> You _never_ lock based on an account. You _lock_ based on the IP address the request came from. (Look into the account lockout denial of service attack.)

Locking an IP doesn't protect against distributed attacks. A temporary lock of the account seems preferable to a loss of hundreds of bitcoins. Simply locking an account for one minute makes it horribly slow to try a brute force attack.
fabianhjr (Sr. Member) | February 01, 2011, 06:05:13 PM
 
What if my goal is just to stop you from participating in the market? If I just want to kick you, I just let some bruteforcers run forever and you would never be able to enter again. Even if it is just 1 minute, then in 0.000001 seconds you are blocked again and again and again. :/
ribuck (Donator, Hero Member) | February 01, 2011, 06:13:31 PM
 
> Simply locking an account for one minute makes it horribly slow to try a brute force attack.

No, that doesn't work. Instead of trying 100,000 passwords on one account, the attacker simply tries one password on 100,000 accounts. Same chance of success.
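The throttling scheme quoted in the first post (a failed-attempts column, captcha past 5 failures, lock past 50, reset on success, and a "N attempts before this login from IP" notice) together with the two objections raised against it in this exchange (an account lock lets an attacker keep the owner out; a per-account count does nothing against one password tried across many accounts), as an added, runnable example. This is not code from the thread or from Mt. Gox; the user list, the addresses, the PBKDF2 parameters and the per-IP budget of 20 failures are assumptions made for the demo.

```python
"""Login throttling with the counters discussed in the thread, plus a small
simulation of the two attacks raised against it.  Added example, not Mt. Gox
code.  Thresholds, user list and addresses are assumptions for the demo."""
from collections import Counter, defaultdict
import hashlib
import hmac
import os

CAPTCHA_AFTER = 5     # thread: require a captcha once failures exceed 5
LOCK_AFTER = 50       # thread: lock the account for verification past 50
IP_BUDGET = 20        # assumption: failures allowed per source address
PBKDF2_ROUNDS = 2000  # assumption, kept low for the demo; raise in production


class LoginService:
    def __init__(self, users):
        """users: {name: password}; constructed test data, see make_service()."""
        self.creds = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self.creds[name] = (salt, self._hash(pw, salt))
        self.account_failures = defaultdict(int)  # the "failed attempts" column
        self.ip_failures = defaultdict(int)       # per-source-address counter
        self.last_login = {}                      # user -> (ip, failures before it)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def attempt(self, user, password, ip, captcha_ok=False):
        """One login attempt.  Returns 'ok', 'bad', 'captcha_required',
        'account_locked' or 'ip_blocked'."""
        if self.ip_failures[ip] >= IP_BUDGET:
            return "ip_blocked"                   # refused before any work is done
        failures = self.account_failures[user]
        if failures > LOCK_AFTER:
            return "account_locked"
        if failures > CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"
        record = self.creds.get(user)
        # Unknown users get a dummy record so the hash cost (and timing) is the same.
        salt, stored = record if record else (bytes(16), bytes(32))
        candidate = self._hash(password, salt)
        if record is not None and hmac.compare_digest(candidate, stored):
            # Success: remember what the owner should be told, then reset the count.
            self.last_login[user] = (ip, failures)
            self.account_failures[user] = 0
            return "ok"
        self.account_failures[user] += 1
        self.ip_failures[ip] += 1
        return "bad"


def make_service():
    """100 constructed accounts; user042 uses the dictionary password 'password'."""
    users = {f"user{i:03d}": f"Str0ng!pass-{i}" for i in range(100)}
    users["user042"] = "password"
    return LoginService(users)


def simulate_lockout_dos():
    """Attacker who only wants the owner kept out: 51 wrong guesses, captcha solved
    each time, spread over 51 addresses so the per-IP budget never trips."""
    svc = make_service()
    for i in range(LOCK_AFTER + 1):
        svc.attempt("user001", "wrong", ip=f"10.0.{i}.1", captcha_ok=True)
    # The owner, with the right password, is now refused.
    return svc.attempt("user001", "Str0ng!pass-1", ip="192.0.2.7")


def simulate_spray(distributed):
    """One password ('password') tried once against each of the 100 accounts.
    Every per-account counter stays at 1, so captcha and lock never trigger; only
    the per-IP budget catches it, and only when the attacker uses one address."""
    svc = make_service()
    outcomes = Counter()
    for i in range(100):
        ip = f"203.0.113.{i}" if distributed else "203.0.113.1"
        outcomes[svc.attempt(f"user{i:03d}", "password", ip=ip)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    svc = make_service()
    for _ in range(3):
        svc.attempt("user001", "wrong", ip="192.0.2.7")
    print(svc.attempt("user001", "Str0ng!pass-1", ip="192.0.2.7"), svc.last_login["user001"])
    print("lockout DoS, owner sees:", simulate_lockout_dos())
    print("spray from one IP:", simulate_spray(distributed=False))
    print("spray from 100 IPs:", simulate_spray(distributed=True))
```

Running it shows both objections at once: the per-account lock is what the lockout DoS needs, and the per-IP budget is what the spray evades once it is spread over enough addresses. Neither counter alone is enough; the notice stored in `last_login` is the cheap part that at least tells the owner what happened.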
DarkMatter (Member) | February 01, 2011, 06:21:25 PM
 
Hi everyone, I'm sorry for not introducing myself before, but I guess we have much more important things to talk about right now. Considering the current situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implemented...), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com . It dropped about 300 BTC in 36 hrs. Should we worry?
LZ (Legendary) | February 01, 2011, 06:46:19 PM (last edit: February 01, 2011, 06:58:03 PM by lzsaver)
 
I cannot find my orders in the Depth Table! Does anybody else?
My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
kiba (Legendary) | February 01, 2011, 06:50:11 PM
 
01/24/11 00:16    Payment Process    united    0    0    0.003    0

It seems that I'll have to change my security practice too.
ElectricGoat (Newbie) | February 01, 2011, 06:51:35 PM
 
> No, that doesn't work. Instead of trying 100,000 passwords on one account, the attacker simply tries one password on 100,000 accounts. Same chance of success.

Of course, it shouldn't be the only security measure, but that's a very helpful one. Trying a password on 100k accounts is slightly more difficult, because you need 100k user names.
nelisky (Legendary) | February 01, 2011, 06:58:32 PM
 
> 01/24/11 00:16    Payment Process    united    0    0    0.003    0
>
> It seems that I'll have to change my security practice too.

01/24/11 00:16    Payment Process    united    0    0    -0.002    0.005

Don't we all... funny how the times are sync'd though.
LZ (Legendary) | February 01, 2011, 07:01:47 PM
 
Yeah, what is that?

01/24/11 14:51    Payment Process    united
01/24/11 00:16    Payment Process    united
kiba (Legendary) | February 01, 2011, 07:02:25 PM
 
> Don't we all... funny how the times are sync'd though.

Well, I didn't have a dictionary password. I used numbers and a symbol. Maybe it wasn't long enough? In any case, this is a terrible thing to happen.
kiba (Legendary) | February 01, 2011, 07:09:12 PM
 
Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.
DarkMatter (Member) | February 01, 2011, 07:11:17 PM
 
> Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.

That's the problem. As you have already stated, this was not a "weak password" hack. Guess Vladimir is wrong. Could the whole MtGox platform be compromised? Looks so.

[edit] A brute force/dictionary attack would lead to many "errors" in the platform log. You are logging failed login attempts, right, MtGox? [/edit]
nelisky (Legendary) | February 01, 2011, 07:12:49 PM
 
> Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.

I'm no security expert, nor am I knowledgeable of mtgox's code, but as a coder, when I see my account being stripped of 0.005 coins, which you can't see on the UI unless you look at history and do some math... well, it sounds like the actual server was compromised and DBs scraped. Just saying.
kiba (Legendary) | February 01, 2011, 07:15:55 PM
 
MtGox said that the event on 1/24 was people merely accessing my account for name.
In other words, it wasn't compromised, maybe?

Even so, I do not feel safe.
DarkMatter (Member) | February 01, 2011, 07:17:27 PM
 
Have a look at https://mtgox.com/support/tradeAPI

User credentials are passed along in clear text with the GET method, not the POST method. That's sad, man, anyone able to sniff the server traffic would have all the credentials.

My bad, that's false. Didn't read the "The following take your Mt Gox username and password as parameters. They must be sent as a POST." part.
DarkMatter (Member) | February 01, 2011, 07:19:33 PM
 
> > > Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.
> >
> > That's the problem. As you have already stated, this was not a "weak password" hack. Guess Vladimir is wrong. Could the whole MtGox platform be compromised? Looks so.
>
> I am not wrong, I might be not very well informed. Yea, it might be worse. Speculating further, in the presence of virtually no useful information, just knowing the general way web developers do stuff these days, I would guess that this might be a SQL injection attack, where the attacker got to the user auth database and bruteforced the password hashes (probably even using a bunch of 5970). Hopefully, mtgox will come up with a statement and stop all these speculations soon.

Sorry man, didn't mean to treat you badly. MtGox should put the whole stuff offline before more BTC are stolen. And then investigate further.
kiba (Legendary) | February 01, 2011, 07:22:36 PM
 
> I am not wrong, I might be not very well informed. Yea, it might be worse. Speculating further, in the presence of virtually no useful information, just knowing the general way web developers do stuff these days, I would guess that this might be a SQL injection attack, where the attacker got to the user auth database and bruteforced the password hashes (probably even using a bunch of 5970). Hopefully, mtgox will come up with a statement and stop all these speculations soon.

Maybe you could start a bitcoin security company in which you certify sites for following security protocols?
theymos (Administrator, Legendary) | February 01, 2011, 07:35:01 PM
 
> User credentials are passed along in clear text with the GET method, not the POST method. That's sad, man, anyone able to sniff the server traffic would have all the credentials.

POST is also easily-readable plaintext... GET is just visible in the URL. GET parameters are encrypted when using HTTPS.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD