fabianhjr
Sr. Member
Offline
Activity: 322
Merit: 250
Do The Evolution
February 01, 2011, 05:48:15 PM
Captcha is better than nothing. Do the ad ones and make a few pennies off the hackers.
Store a column on the table for failed attempts. If the count > 5 then require a captcha with the password. On a successful login, reset the count.
If the count say, gets over 50, lock the account for verification, or run a cron to reset it on a daily basis.
Another flag inside the account when they first login could show these hack attempts, something along the lines of "57 attempts to login to your account were done prior to this login from IP: " etc... TOR IP's of course won't be very helpful.
Last log in from IP can also be helpful if people pay attention to it and normally login from a similar address.
None of that makes it bullet proof, but it certainly makes it easier to quickly spot an issue. Needless to say, your password shouldn't be password for something that stores money in it.
You _never_ lock based on an account. You _lock_ based on the IP address the request came from. (Look into the account lockout denial of service attack.)
ElectricGoat
Newbie
Offline
Activity: 42
Merit: 0
February 01, 2011, 05:53:56 PM
You _never_ lock based on an account. You _lock_ based on the IP address the request came from. (Look into the account lockout denial of service attack.)
Locking an IP doesn't protect against distributed attacks. A temporary lock of the account seems preferable to a loss of hundreds of bitcoins. Simply locking an account for one minute makes it horribly slow to try a brute force attack.
fabianhjr
Sr. Member
Offline
Activity: 322
Merit: 250
Do The Evolution
February 01, 2011, 06:05:13 PM
What if my goal is just to stop you from participating in the market? If I just want to kick you, I just let some bruteforcers run forever and you would never be able to enter again. Even if it is just 1 minute, then in 0.000001 seconds you are blocked again and again and again. :/
ribuck
Donator
Hero Member
Offline
Activity: 826
Merit: 1060
February 01, 2011, 06:13:31 PM
Simply locking an account for one minute makes it horribly slow to try a brute force attack.
No, that doesn't work. Instead of trying 100,000 passwords on one account, the attacker simply tries one password on 100,000 accounts. Same chance of success.
DarkMatter
Member
Offline
Activity: 67
Merit: 10
Stop trying to steal my account, thanks.
February 01, 2011, 06:21:25 PM
Hi everyone, I'm sorry for not introducing myself before, but I guess we have much more important things to talk about right now. Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?
LZ
Legendary
Offline
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 01, 2011, 06:46:19 PM Last edit: February 01, 2011, 06:58:03 PM by lzsaver
I cannot find my orders in the Depth Table! Can anybody else?
My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
kiba
Legendary
Offline
Activity: 980
Merit: 1020
February 01, 2011, 06:50:11 PM
01/24/11 00:16 Payment Process united 0 0 0.003 0
It seems that I'll have to change my security practice too.
ElectricGoat
Newbie
Offline
Activity: 42
Merit: 0
February 01, 2011, 06:51:35 PM
No, that doesn't work. Instead of trying 100,000 passwords on one account, the attacker simply tries one password on 100,000 accounts. Same chance of success.
Of course, it shouldn't be the only security measure, but it's a very helpful one. Trying a password on 100k accounts is slightly more difficult, because you need 100k user names.
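An added example, not code from this thread or from MtGox, sketching the scheme quoted in fabianhjr's post (per-account counter: captcha after 5 failures, lock after 50, reset on a good login, daily reset) together with the per-IP counter fabianhjr argues for; the class, function names, the IP threshold of 20 and the one-day lock are assumptions. The last function measures how many guesses a one-password-per-account sweep from a single address gets through, which is the case ribuck's and ElectricGoat's exchange turns on: the per-account counter never trips, so only the per-IP counter helps.

```python
import time
from collections import defaultdict

# Assumed thresholds; only 5 and 50 come from the quoted post.
CAPTCHA_AFTER, LOCK_AFTER, IP_LIMIT, LOCK_SECONDS = 5, 50, 20, 86400


class LoginThrottle:
    def __init__(self, ip_limit=IP_LIMIT, clock=time.time):
        self.ip_limit = ip_limit            # None disables the per-IP check
        self.clock = clock
        self.fails = defaultdict(int)       # account -> consecutive failed logins
        self.ip_fails = defaultdict(int)    # source IP -> failed logins
        self.locked_until = {}              # account -> unix time the lock expires

    def check(self, account, ip):
        """Decide before the password is tested: ok, captcha, locked or ip_blocked."""
        if self.ip_limit is not None and self.ip_fails[ip] >= self.ip_limit:
            return "ip_blocked"
        if self.locked_until.get(account, 0) > self.clock():
            return "locked"
        if self.fails[account] > CAPTCHA_AFTER:
            return "captcha"                # still allowed, but only with a captcha
        return "ok"

    def record(self, account, ip, success):
        """Update counters after the password check; success resets the account counter."""
        if success:
            self.fails[account] = 0
            return
        self.fails[account] += 1
        self.ip_fails[ip] += 1
        if self.fails[account] > LOCK_AFTER:
            self.locked_until[account] = self.clock() + LOCK_SECONDS

    def daily_reset(self):
        """The cron job from the quoted post: clear all counters and locks."""
        self.fails.clear()
        self.ip_fails.clear()
        self.locked_until.clear()


def guesses_admitted(throttle, accounts, ip):
    """Count how many single guesses a one-guess-per-account sweep from one IP gets through."""
    admitted = 0
    for account in accounts:
        if throttle.check(account, ip) == "ok":
            admitted += 1
            throttle.record(account, ip, success=False)
    return admitted
```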
nelisky
Legendary
Offline
Activity: 1540
Merit: 1002
February 01, 2011, 06:58:32 PM
01/24/11 00:16 Payment Process united 0 0 0.003 0
It seems that I'll have to change my security practice too.
01/24/11 00:16 Payment Process united 0 0 -0.002 0.005
Don't we all... funny how the times are sync'd though.
LZ
Legendary
Offline
Activity: 1722
Merit: 1072
P2P Cryptocurrency
February 01, 2011, 07:01:47 PM
Yeah, what is that?
01/24/11 14:51 Payment Process united
01/24/11 00:16 Payment Process united
My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
kiba
Legendary
Offline
Activity: 980
Merit: 1020
February 01, 2011, 07:02:25 PM
Don't we all... funny how the times are sync'd though.
Well, I didn't have a dictionary password. I used numbers, and a symbol. Maybe it wasn't long enough? In any case, this is a terrible thing to happen.
kiba
Legendary
Offline
Activity: 980
Merit: 1020
February 01, 2011, 07:09:12 PM
Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.
DarkMatter
Member
Offline
Activity: 67
Merit: 10
Stop trying to steal my account, thanks.
February 01, 2011, 07:11:17 PM
Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.
That's the problem. As you have already stated, this was not a "weak password" hack. Guess Vladimir is wrong. Could the whole MtGox platform be compromised? Looks so. [edit] A brute force/dictionary attack would lead to many "errors" in the platform log. You are logging failed login attempts, right MtGox? [/edit]
nelisky
Legendary
Offline
Activity: 1540
Merit: 1002
February 01, 2011, 07:12:49 PM
Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.
I'm no security expert nor am I knowledgeable of mtgox's code, but as a coder, when I see my account being stripped of 0.005 coins, which you can't see on the UI unless you look at the history and do some math... well, it sounds like the actual server was compromised and the DBs scraped. Just saying.
kiba
Legendary
Offline
Activity: 980
Merit: 1020
February 01, 2011, 07:15:55 PM
MtGox said that the event on 1/24 was people merely accessing my account for name.
In other words, it wasn't compromised, maybe?
Even so, I do not feel safe.
DarkMatter
Member
Offline
Activity: 67
Merit: 10
Stop trying to steal my account, thanks.
February 01, 2011, 07:17:27 PM
Have a look at https://mtgox.com/support/tradeAPI User credentials are passed along in clear text with the GET method, not the POST method. That's sad man, anyone able to sniff the server traffic would have all the credentials. My bad, that's false. Didn't read the "The following take your Mt Gox username and password as parameters. They must be sent as a POST." part.
DarkMatter
Member
Offline
Activity: 67
Merit: 10
Stop trying to steal my account, thanks.
February 01, 2011, 07:19:33 PM
Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.
That's the problem. As you have already stated, this was not a "weak password" hack. Guess Vladimir is wrong. Could the whole MtGox platform be compromised? Looks so.
I am not wrong, I might be not very well informed. Yea, it might be worse. Speculating further, in the presence of virtually no useful information, just knowing the general way web developers do stuff these days, I would guess that this might be a SQL injection attack, where the attacker got to the user auth database and bruteforced password hashes (probably even using a bunch of 5970 . Hopefully, mtgox will come up with a statement and stop all these speculations soon.
Sorry man, didn't mean to treat you bad. MtGox should put the whole stuff offline before more BTC are stolen. And then investigate further.
kiba
Legendary
Offline
Activity: 980
Merit: 1020
February 01, 2011, 07:22:36 PM
I am not wrong, I might be not very well informed. Yea, it might be worse. Speculating further, in the presence of virtually no useful information, just knowing the general way web developers do stuff these days, I would guess that this might be a SQL injection attack, where the attacker got to the user auth database and bruteforced password hashes (probably even using a bunch of 5970 . Hopefully, mtgox will come up with a statement and stop all these speculations soon.
Maybe you could start a bitcoin security company in which you certify sites for following security protocols?
theymos
Administrator
Legendary
Offline
Activity: 5376
Merit: 13410
February 01, 2011, 07:35:01 PM
User credentials are passed along in clear text with the GET method, not the POST method. That's sad man, anyone able to sniff the server traffic would have all the credentials.
POST is also easily readable plaintext... GET is just visible in the URL. GET parameters are encrypted when using HTTPS.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD