J. (OP)
Newbie
Activity: 56
Merit: 0
August 06, 2011, 04:10:26 PM
> Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:
> - Was your email password strong too?
> - Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (i.e. never used that email from a mobile device, for example)?

> So basically, the attacker gained control of his email account, reset the MtGox password, then stole the coins. I see this as a definite possibility, especially if his email password wasn't very strong. As soon as that MtGox list got out, his email address was out there too. Someone may have brute-forced (or otherwise extracted) his email address password. Isn't it true that IMAP email/passwords are sent in plaintext unless a secure connection is specified? Maybe someone was sniffing his data when he connected to his mailserver, and retrieved his account password that way...

> J., do you have a "Reset password" email from MtGox in your inbox or deleted mail folder? It was probably fully deleted, but you never know... not that it would really solve anything, it would just give confirmation to MagicalTux's investigation.

I could not find such an email, but it's no harder than that the person has deleted it afterwards ... the person may very well delete it entirely using my code.

> How could it have been a password by email reset hack? You said you logged into your account after coming back from holiday. If this is true then I'm assuming you used the same password as before you went on holiday and the only way that can happen is if the hacker knew your password to set it back... in which case, would they reset your password?

When I came back from vacation, I logged into my account as I usually do, but I could not use my password, so I had to receive a recovery mail from MtGox, which I did, and wrote my password again and came in as I'm wont to ... but quickly discovered that something was wrong because everything was at 0, both $ and bitcoins ... so I went into history and saw that a lot of money and bitcoins had been sold and moved.
error
August 06, 2011, 07:04:36 PM
> > Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:
> > - Was your email password strong too?
> > - Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (i.e. never used that email from a mobile device, for example)?
>
> > So basically, the attacker gained control of his email account, reset the MtGox password, then stole the coins. I see this as a definite possibility, especially if his email password wasn't very strong. As soon as that MtGox list got out, his email address was out there too. Someone may have brute-forced (or otherwise extracted) his email address password. Isn't it true that IMAP email/passwords are sent in plaintext unless a secure connection is specified? Maybe someone was sniffing his data when he connected to his mailserver, and retrieved his account password that way...
>
> > J., do you have a "Reset password" email from MtGox in your inbox or deleted mail folder? It was probably fully deleted, but you never know... not that it would really solve anything, it would just give confirmation to MagicalTux's investigation.
>
> I could not find such an email, but it's no harder than that the person has deleted it afterwards ... the person may very well delete it entirely using my code.
>
> > How could it have been a password by email reset hack? You said you logged into your account after coming back from holiday. If this is true then I'm assuming you used the same password as before you went on holiday and the only way that can happen is if the hacker knew your password to set it back... in which case, would they reset your password?
>
> When I came back from vacation, I logged into my account as I usually do, but I could not use my password, so I had to receive a recovery mail from MtGox, which I did, and wrote my password again and came in as I'm wont to ... but quickly discovered that something was wrong because everything was at 0, both $ and bitcoins ... so I went into history and saw that a lot of money and bitcoins had been sold and moved.

Someone broke into your email account. This has nothing to do with Mt Gox.
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
paraipan
In memoriam
Legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
August 06, 2011, 07:53:47 PM Last edit: August 06, 2011, 10:43:22 PM by paraipanakos
Seen all those screen captures; sorry if it made you take more trouble than you already did with MtGox. This is similar to something that happened to me not long ago.
I have two questions if you don't mind: what are the exact dates of your vacation? And in what place did you spend that vacation time? It would be more helpful if you can back this up with scans of tickets or whatever is better for you, but it's not really necessary.
BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
error
August 07, 2011, 01:00:04 AM
> So what was the final conclusion?
> Email or Mt.Gox Hack?

Email.
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
J. (OP)
Newbie
Activity: 56
Merit: 0
August 07, 2011, 11:31:56 AM
> Seen all those screen captures; sorry if it made you take more trouble than you already did with MtGox. This is similar to something that happened to me not long ago.
> I have two questions if you don't mind: what are the exact dates of your vacation? And in what place did you spend that vacation time? It would be more helpful if you can back this up with scans of tickets or whatever is better for you, but it's not really necessary.

Are you stupid? What would it be to give that kind of information?? I have kept to a holiday home in Denmark and been out sailing where I had no internet. I do not have any tickets or anything that can back it up; I can send you a receipt of purchase for gasoline, but what would you, or better yet I, get out of it ..
paraipan
In memoriam
Legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
August 07, 2011, 12:46:37 PM
> > Seen all those screen captures; sorry if it made you take more trouble than you already did with MtGox. This is similar to something that happened to me not long ago.
> > I have two questions if you don't mind: what are the exact dates of your vacation? And in what place did you spend that vacation time? It would be more helpful if you can back this up with scans of tickets or whatever is better for you, but it's not really necessary.
>
> Are you stupid? What would it be to give that kind of information?? I have kept to a holiday home in Denmark and been out sailing where I had no internet. I do not have any tickets or anything that can back it up; I can send you a receipt of purchase for gasoline, but what would you, or better yet I, get out of it ..

Thanks for the fast response and for calling me that. I asked you a question for a reason; just try to give a clear answer, please. I will ask again more clearly: what are the exact days of your vacation?
BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
paraipan
In memoriam
Legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
August 07, 2011, 04:50:41 PM
> So the bottom line is....
> Your email got hacked and you're wanting to blame Mt.Gox for it.

You don't have to shout it like this; he knows it, we know it, let's prove it to know for sure.
BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
markm
Legendary
Activity: 3010
Merit: 1121
August 07, 2011, 04:56:12 PM
That is totally weird. I thought I had caught all of this thread as it grew, but my recollection of changing the MtGox password was that, like on all financial sites (I thought, anyway), trying to do such a thing through email alone didn't work.
I tried it, after the goxification affair. They rejected my attempt to claim the account via email alone despite my reminders of things like my being on the IRC channels and the -otc web of trust and facebook and gmail and yahoo and sourceforge and gosh knows where else. I had to remind them of all that again, suggesting we meet up in IRC where gribble could be mutually consulted, that my provider doesn't change my IP address far outside of a few class C nets, etc etc etc then my retry worked.
They (financial services in general, not just mtGox) know what kind of info about your account goes out in their emails, so they don't do stupid things like "email us the following data about your personal and family history that all your millions of diehard fans plus anyone who can use google and/or grasp the basics of what the wikipedia page about you is trying to broadcast and we'll restore your account, since obviously you and not even your mother know what your mother's maiden name was" kind of crap. I thought. Am I drifting into alternate universes again or has a new wave of security expertise determined that no gmail, hotmail, yahoo etc sysadmin could possibly know any of the info stashed in your email account?
-MarkM-
Intertreuton
Member
Activity: 65
Merit: 10
August 07, 2011, 04:57:26 PM
The bottom line for me is:
Why are e-mails still not safer these days? Why does no one develop a secure e-mailing system without the need of being bound to a company offering keys or such? We are living in the 21st century; e-mail is too outdated for being used that way any longer.
NothinG
August 07, 2011, 05:02:15 PM
> The bottom line for me is:
> Why are e-mails still not safer these days? Why does no one develop a secure e-mailing system without the need of being bound to a company offering keys or such? We are living in the 21st century; e-mail is too outdated for being used that way any longer.

A little bit of money and knowledge and you can set yourself up with an email system so secure you could lock yourself out of it. Go Exchange!
GeniuSxBoY
August 07, 2011, 05:16:49 PM
Mostly all the people in here are full of shit.
The only way to know if he's lying or not is to wait to see if other people's accounts have been hacked. Otherwise, shut up! You didn't learn your lessons the first time MtGox was hacked and MORE THAN 1 person complained about being compromised?!?!
I suggest everyone check their accounts and recheck your accounts often.
Sorry J, for the other users' ignorance.
Be humble!
GeniuSxBoY
August 07, 2011, 05:56:11 PM
Known Facts: J. Lost his money and bitcoins by a third party.
Unknown Facts: Everything else.
Be humble!
fcmatt
Legendary
Activity: 2072
Merit: 1001
August 07, 2011, 06:57:03 PM
> Known Facts: J. Lost his money and bitcoins by a third party.
> Unknown Facts: Everything else.

Tux has stated that an IP address on the net used the "i forgot my password, please send something to assist me via email" function on the website. I am pretty sure that could be considered a fact unless you wish to call tux a liar or nothing will ever be considered a fact to you, even J's claims. After all, that could be fake too. Create a few addresses, get on a proxy or two, and create this tale with some "facts". I do not think J will ever get satisfaction.

But tux could improve this retrieve password via email function to include something only the user would know and that bit of info would never be sent via email for an attacker to find in the user's inbox. Just copy what other websites do that seems reasonable. Markm seems to be reasonable in his understanding of this situation.
GeniuSxBoY
August 07, 2011, 07:06:09 PM
Did that ip use any other account on mt gox?
Be humble!
markm
Legendary
Activity: 3010
Merit: 1121
August 07, 2011, 07:21:15 PM Last edit: August 07, 2011, 07:56:14 PM by markm
> But tux could improve this retrieve password via email function to include something only the user would know and that bit of info would never be sent via email for an attacker to find in the user's inbox. Just copy what other websites do that seems reasonable.
> Markm seems to be reasonable in his understanding of this situation.

Copy not what insured, cover-losses-up-to-a-specified-amount, reverse-transactions-any-time-in-the-next-90-or-even-180-days sites do; such sites might invest more in making everything right than in preventing it from going wrong even, maybe. Rather, copy what MI5, MI6, the CIA, the Mossad et al. do or something: sites that rely highly upon prevention because, unfortunately, "resurrection" / "raise dead" is not yet as reliable as on some editions of the Enterprise, let alone some editions of some religious texts.

Or at the very least, walk through what e-gold, pecunix, (haven't walked through Liberty Reserve, is theirs any good?) etc. do, and if improving them would lose some customers due to inconveniencing them, let them opt out, at their own liability, of such parts as they consider inconvenient and you do not consider essential to not getting a reputation for callously disregarding the safety / security of your customers, lulling them into false senses of security, setting them up for a fall, etc. etc. etc.

-MarkM-
J. (OP)
Newbie
Activity: 56
Merit: 0
August 07, 2011, 07:50:02 PM
> Mostly all the people in here are full of shit.
> The only way to know if he's lying or not is to wait to see if other people's accounts have been hacked. Otherwise, shut up! You didn't learn your lessons the first time MtGox was hacked and MORE THAN 1 person complained about being compromised?!?!
> I suggest everyone check their accounts and recheck your accounts often.
> Sorry J, for the other users' ignorance.
SgtSpike
Legendary
Activity: 1400
Merit: 1005
August 08, 2011, 04:11:48 PM
> Did that ip use any other account on mt gox?

This is an important question.
MagicalTux
VIP
Hero Member
Activity: 608
Merit: 501
August 10, 2011, 04:34:46 AM
> > Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:
> > - Was your email password strong too?
> > - Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (i.e. never used that email from a mobile device, for example)?
>
> MagicalTux, so if you make the account read-only for 1 week after such an event and display a notice about that having happened in big letters after login, then the risk of such a theft happening again is much lower. You can make this an option at account creation and even let the user specify the read-only time.

We'll start with something more simple, the "security question" on password reset. This should help a lot.
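The two mitigations proposed in this thread (fcmatt's "something only the user would know that is never sent by email", and the quoted suggestion of a read-only period plus a login notice after a reset, which MagicalTux says will start with a security question) fit together in one reset flow. The following is an added example written for this thread, not MtGox's code or anything the exchange published; the names Account, create_account, request_reset, complete_reset, withdraw and simulate are hypothetical, and the timestamps and balances in simulate are constructed. It shows why an attacker who reads the mailbox still cannot finish the reset, and why a reset that does succeed cannot move funds during the lock.

```python
# Added example (not MtGox code): emailed one-time reset token + a security
# answer that is never emailed + a withdrawal lock and login notice after reset.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

RESET_TOKEN_TTL = 15 * 60          # an emailed reset link dies after 15 minutes
POST_RESET_LOCK = 7 * 24 * 3600    # withdrawals are frozen for a week after a reset
PBKDF2_ROUNDS = 100_000

def slow_hash(secret: str, salt: str) -> str:
    """PBKDF2 for passwords and security answers, which are low-entropy."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), PBKDF2_ROUNDS).hex()

def token_hash(token: str) -> str:
    """Reset tokens are 256-bit random, so a single SHA-256 at rest suffices."""
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Account:
    name: str
    pw_salt: str
    pw_hash: str
    answer_salt: str
    answer_hash: str                   # security answer: hashed, never emailed
    btc: float = 0.0
    reset_hash: Optional[str] = None   # hash of the single outstanding reset token
    reset_expires: float = 0.0
    withdraw_locked_until: float = 0.0
    notices: List[str] = field(default_factory=list)   # shown in big letters at login

def create_account(name: str, password: str, answer: str, btc: float) -> Account:
    pw_salt, ans_salt = secrets.token_hex(16), secrets.token_hex(16)
    return Account(name, pw_salt, slow_hash(password, pw_salt),
                   ans_salt, slow_hash(answer.strip().lower(), ans_salt), btc)

def login(acct: Account, password: str) -> bool:
    return hmac.compare_digest(slow_hash(password, acct.pw_salt), acct.pw_hash)

def request_reset(acct: Account, now: float) -> str:
    """Return the one-time token the site would email; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    acct.reset_hash = token_hash(token)
    acct.reset_expires = now + RESET_TOKEN_TTL
    return token

def complete_reset(acct: Account, token: str, answer: str, new_password: str, now: float) -> bool:
    """Succeed only with a live, unused token AND the security answer.
    The token is consumed on every attempt, so a wrong answer cannot be retried."""
    if acct.reset_hash is None or now > acct.reset_expires:
        acct.reset_hash = None
        return False
    token_ok = hmac.compare_digest(token_hash(token), acct.reset_hash)
    answer_ok = hmac.compare_digest(slow_hash(answer.strip().lower(), acct.answer_salt),
                                    acct.answer_hash)
    acct.reset_hash = None
    if not (token_ok and answer_ok):
        acct.notices.append("A password reset attempt on your account failed.")
        return False
    acct.pw_salt = secrets.token_hex(16)
    acct.pw_hash = slow_hash(new_password, acct.pw_salt)
    acct.withdraw_locked_until = now + POST_RESET_LOCK
    acct.notices.append("Your password was reset; withdrawals are locked for 7 days.")
    return True

def withdraw(acct: Account, amount: float, now: float) -> bool:
    """Refuse withdrawals while the post-reset lock is in force."""
    if now < acct.withdraw_locked_until or amount > acct.btc:
        return False
    acct.btc -= amount
    return True

def simulate() -> dict:
    """Constructed scenario: the attacker controls the mailbox (so he sees the
    token) but not the security answer; the real user resets afterwards."""
    t0 = 1_312_600_000.0                    # constructed timestamp (Aug 2011)
    acct = create_account("J.", "correct horse", "Sailboat", 500.0)
    token = request_reset(acct, t0)         # triggered by the attacker, read from the inbox
    out = {}
    out["attacker_reset"] = complete_reset(acct, token, "guess", "pwned", now=t0 + 60)
    out["attacker_retry"] = complete_reset(acct, token, "sailboat", "pwned", now=t0 + 61)
    out["old_password_intact"] = login(acct, "correct horse")
    out["notices_after_attack"] = len(acct.notices)
    token = request_reset(acct, t0 + 3600)  # the real user, after seeing the notice
    out["user_reset"] = complete_reset(acct, token, " SAILBOAT ", "new pass", now=t0 + 3660)
    out["new_password_works"] = login(acct, "new pass")
    out["withdraw_during_lock"] = withdraw(acct, 100.0, now=t0 + 2 * 24 * 3600)
    out["withdraw_after_lock"] = withdraw(acct, 100.0, now=t0 + 3660 + POST_RESET_LOCK + 1)
    out["btc_left"] = acct.btc
    return out
```

Two design points matter here: the database holds only the hash of the reset token, so neither a leaked table nor a deleted "Reset password" email tells anyone what the link was; and the lock is tied to the reset itself rather than to a login, so the window in which the legitimate owner can notice the notice and react exists even when the thief's first action is a withdrawal.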
phillipsjk
Legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
August 10, 2011, 07:48:51 AM
> The bottom line for me is:
> Why are e-mails still not safer these days? Why does no one develop a secure e-mailing system without the need of being bound to a company offering keys or such? We are living in the 21st century; e-mail is too outdated for being used that way any longer.

Nobody seems to implement the OpenPGP standard. Of course, even if a signed e-mail is needed to reset a password, you still have the compromised computer problem. You can mitigate this by having your "very secure" key on one computer, then signing keys for your less secure computers stating you trust those computers almost as much as the secure one (you would do this for web-mail as well). Every time your keys expire, you have to use them to sign your new keys as well. Presumably, you have to hold onto your expired keys indefinitely so that you can read any encrypted e-mails at a later date. I don't think computers will be mature until the mid 22nd century anyway.

Edit: The way to avoid being bound to a signing authority is to publish your own keys. Your recipients then have to know enough to confirm the public key fingerprint using out-of-band communication. I tried to do this for a local bank and was told that the actual server would be different in different regions of the country.
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
GeniuSxBoY
August 10, 2011, 09:16:17 AM
> > > Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:
> > > - Was your email password strong too?
> > > - Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (i.e. never used that email from a mobile device, for example)?
> >
> > MagicalTux, so if you make the account read-only for 1 week after such an event and display a notice about that having happened in big letters after login, then the risk of such a theft happening again is much lower. You can make this an option at account creation and even let the user specify the read-only time.
>
> We'll start with something more simple, the "security question" on password reset. This should help a lot.

What about YubiKey?
Be humble!