Bitcoin Forum
November 13, 2024, 09:54:06 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 [5] 6 7 8 9 »  All
  Print  
Author Topic: MtGox account compromised  (Read 110457 times)
ribuck
Donator
Hero Member
*
Offline Offline

Activity: 826
Merit: 1060


View Profile
February 01, 2011, 09:27:14 PM
 #81

Almost everyone had transactions from "united" ... It does mean that the attacker has your username
A question for people here: Did everyone who has the "united" transaction have a MtGox account name that is also a Forum username? Because it's easy enough to get a list of Forum names.

I have the "united" transaction, and my MtGox account name also happens to be a Forum username (although it's not 'ribuck').

I plugged the vulnerability that allowed them to run the attack so your weak passwords will be safe again.
Weak passwords are never safe. Mine is 71% according to the Password Meter, and I'll be improving it.
randomguy7
Hero Member
*****
Offline Offline

Activity: 527
Merit: 500


View Profile
February 01, 2011, 09:31:03 PM
 #82

Mine has absolutely no relation to my forum nick and I have that weird entry, too.
LZ
Legendary
*
Offline Offline

Activity: 1722
Merit: 1072


P2P Cryptocurrency


View Profile
February 01, 2011, 09:47:44 PM
 #83

I do not know what you guys will do, but I just withdrew all my funds to my bitcoin wallet and to my LR account.

Mt.Gox does not seem reliable to me now.

My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
Cusipzzz
Sr. Member
****
Offline Offline

Activity: 334
Merit: 250



View Profile
February 01, 2011, 10:05:17 PM
 #84

sure that sounds nice and all....but what happens when:

1. create mtgox account
2. load up with BTCs
3. give russian friend credentials and have them spam other failed attempts first to make it look legit
4. create forum pressure for mtgox to reimburse
5. profit !

While I agree there is some site responsibility, no way he should cover some guy with a password of 'password'
LZ
Legendary
*
Offline Offline

Activity: 1722
Merit: 1072


P2P Cryptocurrency


View Profile
February 01, 2011, 10:13:28 PM
Last edit: February 01, 2011, 10:33:10 PM by lzsaver
 #85

I think it should be safer: using login attempts limit, binding to a range of IP, requesting PIN, using OpenID, etc.

Did everyone who has the "united" transaction have a MtGox account name that is also a Forum username?
Yes, I have the same account name.

My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
cryptofo (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
February 01, 2011, 10:14:35 PM
 #86

I'm with you Vladimir   Smiley , that's what I was trying to get across in my email to him.  Still haven't heard back.  

cusipzz - I hear what you are saying, but that was not the case here.  There was a clear vulnerability at mtgox and my password wasn't "password"  It was a combinatinon of 8 letters and numbers.  Not a dolphins butt I know, but mtgox stated that there was a whole that he fixed.  And I have to pay the price.  The site also accepted it as a valid password.
Cusipzzz
Sr. Member
****
Offline Offline

Activity: 334
Merit: 250



View Profile
February 01, 2011, 10:18:55 PM
 #87

cyrpto - because the site accepted it doesn't mean a lot.

There has to be some user responsibility in all of these cases. Not sure what the % is in this case, just saying.

My password could be 'pWf32fWSf@35%@#4f@#4', perfectly secure, but if i use that same password on a Russian PS3 hacking forum, is it mtgox's fault you account later gets taken from Russia? Sure, you may say it was unique to mtgox, but how does he know? Just playing a little devil's advocate, that's all.



nelisky
Legendary
*
Offline Offline

Activity: 1540
Merit: 1002


View Profile
February 01, 2011, 10:27:54 PM
 #88

cyrpto - because the site accepted it doesn't mean a lot.

There has to be some user responsibility in all of these cases. Not sure what the % is in this case, just saying.

My password could be 'pWf32fWSf@35%@#4f@#4', perfectly secure, but if i use that same password on a Russian PS3 hacking forum, is it mtgox's fault you account later gets taken from Russia? Sure, you may say it was unique to mtgox, but how does he know? Just playing a little devil's advocate, that's all.

I guess common sense comes to play here. I for one fully trust Jed, so if he told me someone used my account by trying out 3 different passwords I'd pretty much accept full responsibility. But that is not the case here, there was a dictionary attack so either the site doesn't allow weak passwords or it has to have measures to prevent these attacks. Or it is the site owner responsibility.
Of course we are all grown ups and I'm glad to see that the parties here are talking to each other trying to find a solution.
cryptofo (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
February 01, 2011, 10:33:54 PM
 #89

I hear ya.  I'm not pointing the finger at mtgox and demanding they accept all responsibility.  The reality is a bug was found in a system that we all  want to trust.  Bugs get discovered and bugs get patched.  It could have been a lot worse.  Suppose they gained control of more than just my bitcoins and began to manipulate the market.  Bitcoin as a whole is very experimental at this point.  The anonymous nature of leaves little accountability to anyone other than ourselves.  At this point and up to this point it doesn't look like MTGOX wants to take any responsibility.  That's cool, just a year and a half of generating down the tubes.
cryptofo (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
February 01, 2011, 10:38:54 PM
 #90

I trust Jeb too, I don't think anyone in the bitcoin community is out to get anyone.  We all want what's best for bitcoin.  If this tightens up security at mtgox and makes bitcoin stronger and we all learned a lesson then I guess that's good for bitcoin.  Just sucks to be the one takin it on the chin for it.
nelisky
Legendary
*
Offline Offline

Activity: 1540
Merit: 1002


View Profile
February 01, 2011, 10:40:23 PM
 #91

If the story is as it was told on the forum, I'm sure Jed will come around. It does sound like you were not to blame in any way for what happened, an 8 char numbers and symbols password might not be a 'strong password' but it is still much better than most other passwords there, I bet. It was certainly better than the one I had (and have now changed to something more realistic).
caveden
Legendary
*
Offline Offline

Activity: 1106
Merit: 1004



View Profile
February 01, 2011, 10:55:43 PM
 #92

I guess common sense comes to play here. I for one fully trust Jed, so if he told me someone used my account by trying out 3 different passwords I'd pretty much accept full responsibility. But that is not the case here, there was a dictionary attack so either the site doesn't allow weak passwords or it has to have measures to prevent these attacks. Or it is the site owner responsibility.

It's not the site owner responsibility. I don't want to blame the victim either (only the criminals are to blame), but MtGox doesn't have any obligation whatsoever of refunding him. Unless they had explicitly sold such guarantees, they don't have any obligation in keeping our funds protected at all. It's our choice to trust or not in their capacity to do so.

They should have, of course, interest in protecting their site and maybe even refunding our friend here. But that opens dangerous precedents for them as somebody else has already noticed... this case seems true, but who knows about the next that might come...

The whole problem with this is that the bitcoin world is still too small to have professional insurances behind everything. Normally insurance companies would refund such losses, and these same insurances audit the platform for security flaws etc.
The Madhatter
Hero Member
*****
Offline Offline

Activity: 490
Merit: 511


My avatar pic says it all


View Profile
February 01, 2011, 11:02:04 PM
 #93

What we're going to do? Call the police?

 Cheesy You can't be serious...
S3052
Legendary
*
Offline Offline

Activity: 2100
Merit: 1000


View Profile
February 01, 2011, 11:07:40 PM
 #94

It would be good to get the exchanges to a level of other exchanges / bank accounts where you can trade.

On most of the accounts, you get transaction numbers as one time codes for each transaction, on top of your normal username and password veryfication.

establsihing those transaction numbers on bitcoin exchanges would make it much much more secure.

nelisky
Legendary
*
Offline Offline

Activity: 1540
Merit: 1002


View Profile
February 01, 2011, 11:09:45 PM
 #95

I guess common sense comes to play here. I for one fully trust Jed, so if he told me someone used my account by trying out 3 different passwords I'd pretty much accept full responsibility. But that is not the case here, there was a dictionary attack so either the site doesn't allow weak passwords or it has to have measures to prevent these attacks. Or it is the site owner responsibility.

It's not the site owner responsibility. I don't want to blame the victim either (only the criminals are to blame), but MtGox doesn't have any obligation whatsoever of refunding him. Unless they had explicitly sold such guarantees, they don't have any obligation in keeping our funds protected at all. It's our choice to trust or not in their capacity to do so.

It is still the site owner responsibility. I'm not saying there's an obligation of refunding any losses, that's where the contracts, insurances and premiums come in, but rather that only the site owner could have prevented this, and I'm sure in this case Jed has already closed this particular hole.

If there's any obligation, legal, moral or otherwise, I'm in no position to say. Having happened to me, I would ask for a refund but not require one, as you put it, and very well, I'm the one that trusted the site in the first place. I would go so far as to say Jed should have an opt-in system that would raise the fee per transaction for those who chose to allow it, and the extra fees would go to a fund to cover just these situations, but then it would become very hard to separate real cases from scams, and I don't think Jed wants to become a lawyer (assuming  he's not one already) Smiley
Nefario
Hero Member
*****
Offline Offline

Activity: 602
Merit: 513


GLBSE Support support@glbse.com


View Profile WWW
February 01, 2011, 11:32:09 PM
 #96

What we're going to do? Call the police?

 Cheesy You can't be serious...


The result would probably that if the police ever did investigate, they would report you to the IRS for tax fraud or something like that.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Ricochet
Sr. Member
****
Offline Offline

Activity: 373
Merit: 250



View Profile
February 01, 2011, 11:34:46 PM
 #97

Somewhat off-topic, but regarding this from a few pages earlier:

Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

The faucet is now empty. 
nelisky
Legendary
*
Offline Offline

Activity: 1540
Merit: 1002


View Profile
February 01, 2011, 11:40:56 PM
 #98

Somewhat off-topic, but regarding this from a few pages earlier:

Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

The faucet is now empty. 

I see 200BTC there, and when I read you previous message it was 208BTC (give or take). One of us is looking at the wrong place Smiley
Ricochet
Sr. Member
****
Offline Offline

Activity: 373
Merit: 250



View Profile
February 01, 2011, 11:44:42 PM
 #99

I see 200BTC there, and when I read you previous message it was 208BTC (give or take). One of us is looking at the wrong place Smiley
Yeah I dunno what happened.  Upon refreshing the page I now see 200.78, though I do promise you that when I posted it indeed said "The faucet is now empty, try again tomorrow, maybe some kind person will donate some" or something to that effect.  Must have been a glitch in the site or something.  My apologies for the minor panic and off-topic chatter.
cryptofo (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
February 01, 2011, 11:46:20 PM
 #100

By choosing to be involved in the bitcoin experiment and trading $ for btc in the first place we expose our to inherent risk.  This is something we all understand.  By trusting that a particular site is secure I mtake the risk I get that.  I understand the "what happens in the future when..." argument, but this is the case right now. Mtgox had a security hole.  As an ancillary benefit to the attack, Jed has discovered a hole and fixed it.  Mtgox is now more secure.  The bitcoin community is more secure.  I am out 900 btc.  I in effect was used to expose a flaw in their security and never compensated for it.  I'm clearly biased in my opinion, but this should be considered a cost of doing business on Jed's part.  I'm not saying that mtgox should be responsible for any and all situations and possibilities, but honestly If I was running the site and this had happened I would make it a point to see that the user was made good.
Pages: « 1 2 3 4 [5] 6 7 8 9 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!