Im just been attacked and robbed on my MT Gox account

[sharky112065]

MY IP Adress i 192.168.2.103

That is your IP within your home LAN or WLAN. When you surf the web or chat in IRC or whatever, you will have an IP address assigned to you by your ISP. Check a page like http://msv.dk/ms302.aspx to see your IP.

@topic: new day, new drama ... I love this board

Or

http://whatismyipaddress.com/

[1713305652]

1713305652

[J.]

MY IP Adress i 192.168.2.103

That is your IP within your home LAN or WLAN. When you surf the web or chat in IRC or whatever, you will have an IP address assigned to you by your ISP. Check a page like http://msv.dk/ms302.aspx to see your IP.

@topic: new day, new drama ... I love this board

Yes that is my IP adresse 192.168.2.103

ore 188.178.220.198

[J.]

J.: Have you been to Malaysia?

Yes in 2009:)

[Djao]

Yes that is my IP adresse 192.168.2.103

ore 188.*.*.*

http://en.wikipedia.org/wiki/Private_network

The 188.*.*.* one is what you're looking for ... just saying. And I wouldn't post it here, really not.

[J.]

Yes that is my IP adresse 192.168.2.103

ore 188.*.*.*

http://en.wikipedia.org/wiki/Private_network

The 188.*.*.* one is what you're looking for ... just saying. And I wouldn't post it here, really not.

Fuck, im don with Bitcoins...

I was just about to have the last things in place to invest in 20 mining rigs with a capacity of 3GHash per machine ... but again I think just that I sell the last bitcoins I have and live my life without bitcoins.

[fitty]

If he's a day-trader, it's entirely necessary to keep funds in one's account.  At least $$$ funds.  The bitcoins can be transferred in and out easily enough, but dollars or other currencies often take days.

I don't think it's reasonable to expect an active trader to move funds in and out of their mtgox account every day.  MtGox SHOULD be secure.  If they are not, then we should stop using them.

Should be secure? Fairly sure MtGox has proven they are not secure. If you're still choosing to be a day trader on MtGox that's on you. MtGox isn't regulated. They don't have to meet security standards. You can't sue them (realistically anyway). It's not 100% clear who owns the parent company, where it's setup, and it's not backed by anything.

Again, he went on vacation? Even a day trader, I'd cash out. Second, he posted he left Bitcoins on MtGox. Then went on vacation.

Sorry he's retarded.

[J.]

If he's a day-trader, it's entirely necessary to keep funds in one's account.  At least $$$ funds.  The bitcoins can be transferred in and out easily enough, but dollars or other currencies often take days.

I don't think it's reasonable to expect an active trader to move funds in and out of their mtgox account every day.  MtGox SHOULD be secure.  If they are not, then we should stop using them.

Should be secure? Fairly sure MtGox has proven they are not secure. If you're still choosing to be a day trader on MtGox that's on you. MtGox isn't regulated. They don't have to meet security standards. You can't sue them (realistically anyway). It's not 100% clear who owns the parent company, where it's setup, and it's not backed by anything.

Again, he went on vacation? Even a day trader, I'd cash out. Second, he posted he left Bitcoins on MtGox. Then went on vacation.

Sorry he's retarded.

I'm not a day trader, I have not written some places that I have bitcoins on my account with MT Gox and subsequently taken on holiday ..

it's bullshit to write, you can consolidate surely not a damn thing.

  I got a confirmation that my password was secure enough that I could get my account back, so it can not be my problem that MT Gox not in control of their security

and basically that means this could happen to all of you other osgå. I'm not retaderet or stupid, I have even more companies, mostly online, and know all about safety and how to use the internet, so stop all this bullshit about lack of skill.

But we can talk again when your account has been emptied.

[paraipan]

nice thread you have here, and you haven't posted one single proof of what you're saying ...

what proof do you want?

sorry, didn't mean to be rude, just trying to believe you here, you make your proofs thinking at all things that could back up what you say: screen captures of your emptied mt.gox account, at present, and of bitcoin client too, all ip's connected to your mt.gox account (get this one with a scanned police report sent to mt.gox support), bank account screen capt, etc.

if the sum of money you lost matters to you, don't worry too much about your privacy, we have none, and you're talking on a public forum. Show us what you got

[error]

The IP addresses of both transactions are 115.133.198.86 and 64.120.79.136.

The first is somewhere in Malaysia. The second is a dedicated server hosted in Dallas, USA. Both are very unlikely to be legitimate traffic in this context.

Me password was (have been changed) J08-uU33-1604-82-xXx

Unfortunately this isn't a very strong password.

[jondecker76]

The IP addresses of both transactions are 115.133.198.86 and 64.120.79.136.

The first is somewhere in Malaysia. The second is a dedicated server hosted in Dallas, USA. Both are very unlikely to be legitimate traffic in this context.

Me password was (have been changed) J08-uU33-1604-82-xXx

Unfortunately this isn't a very strong password.

I disagree - that should have definitely been a sufficient password in that:
A) its 20 characters long
B) it has lower case letters
C) it has upper case letters
D) it has numeric digits
E) it has special characters (the hyphens)
F) It has no real words in there

I would even think that its in the upper 50 percentile of MtGox user's passwords, from a security standpoint. And even if not, it most definitely fit the definition of a secure password as defined from Mt Gox's own recovery process.

Simply put, this password should not have been guessed or brute-forced on a live system over the Internet.

[defxor]

Simply put, this password should not have been guessed or brute-forced on a live system over the Internet.

edit: Speculation superseded by MT's post after this.

Agreed. If brute forcing this password was the attack vector then someone has access to the MtGox hashes incl. salt or is able to perform an enormous amounts of live tries towards the API.

(J. has stated the pw only ever existed at MtGox, wasn't reused etc etc)

[MagicalTux]

Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

• Was your email password strong too?
• Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)

[SgtSpike]

Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

• Was your email password strong too?
• Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)

So basically, the attacker gained control of his email account, reset the MtGox password, then stole the coins.

I see this as a definite possibility, especially if his email password wasn't very strong.  As soon as that MtGox list got out, his email address was out there too.  Someone may have brute-forced (or otherwise extracted) his email address password.

Isn't it true that IMAP email/passwords are sent in plaintext unless a secure connection is specified?  Maybe someone was sniffing his data when he connected to his mailserver, and retrieved his account password that way...

J., do you have a "Reset password" email from MtGox in your inbox or deleted mail folder?  It was probably fully deleted, but you never know... not that it would really solve anything, it would just give confirmation to MagicalTux's investigation.

[fcmatt]

perhaps it should not be so easy to reset a password on mtgox then?
perhaps it should be more painful for those who forget their passwords and have to wait
for a call from a mtgox employee who will then quiz them about details of their account?

[neofutur]

perhaps it should not be so easy to reset a password on mtgox then?
perhaps it should be more painful for those who forget their passwords and have to wait
for a call from a mtgox employee who will then quiz them about details of their account?

 The yubikey would have saved him from this attack, +1 from the 2 factor auth !

[just_someguy]

perhaps it should not be so easy to reset a password on mtgox then?
perhaps it should be more painful for those who forget their passwords and have to wait
for a call from a mtgox employee who will then quiz them about details of their account?

Come on, there's only so much mtgox can do.
If someone breaks into your primary email address they've got you.

[fcmatt]

perhaps it should not be so easy to reset a password on mtgox then?
perhaps it should be more painful for those who forget their passwords and have to wait
for a call from a mtgox employee who will then quiz them about details of their account?

Come on, there's only so much mtgox can do.
If someone breaks into your primary email address they've got you.

Here we have a mtgox user who got owned due to a process on mtgox that made it easy for the attacker
to do so via a password reset while having access to the user's email account.

It strikes me as very beneficial for mtgox to close this hole.

The yubikey was a good suggestion but it is optional. If kept optional many users will fail to get one.
Thus make resetting a password via email harder is an option. Or make yubikey mandatory in 30 days.

Doing any step to close this issue for future OPs would be a move in the right direction and lead the way for exchanges
to follow suit. MTGOX can be the leader...

[just_someguy]

Here we have a mtgox user who got owned due to a process on mtgox that made it easy for the attacker
to do so via a password reset while having access to the user's email account.

It strikes me as very beneficial for mtgox to close this hole.

The "hole" happens to be standard security procedure for every site on the internet... even banks.
If you lose control of it there is nothing a site can reasonably be expected to do.

[jondecker76]

This recent discussion also assumes that MagicalTux is telling the truth about what is being found on their end (and I'm not saying that he is or isn't, just a simple case-in-point), which there would never be a way for a normal user to verify.  Owners of these services have a trump card in this regard, and unfortunately its impossible to ever call them out on it if they ever were dishonest.

A lot of us that lost BTC in the big MtGox hack reported these losses to MtGox before the hack was known about, and were also told that it was our fault for bad passwords and that the BTC were sent away from our own proper logins.  In the end, it did turn out to be from the hack, and MtGox to this day won't do the right thing and refund their users that lost BTC due to their negligence (despite the fact that they make a very large amount of money from us users).  Bottom line is, I was told one thing, and it ended up being another.  There will never be a way to prove it one way or another. (FYI - I lost 20.19 BTC in the hack and if they check my logs they will clearly see this transfer happened from an IP address that I surely never use - aside from the fact of course that I reported it days before news of the hack went public)

With all of this in mind, just because a site operator gives someone an explanation, it doesn't necessarily mean its always true.

[fcmatt]

Here we have a mtgox user who got owned due to a process on mtgox that made it easy for the attacker
to do so via a password reset while having access to the user's email account.

It strikes me as very beneficial for mtgox to close this hole.

The "hole" happens to be standard security procedure for every site on the internet... even banks.
If you lose control of it there is nothing a site can reasonably be expected to do.

I just checked my bank's website and that is not the case for me.
You need to know the user name as well as your account number which I cannot recall ever seeing it in an email from them.
If you forgot your user name you need a debit card number, debit card pin, and the account number.

My point is that my bank made it harder then just knowing a user name and the email is sent containing enough information
to reset the password via a web page.

The process you mention above is perfectly fine for a forum like this one.

But I am not trying to be argumentative. All I am saying is here is one way for MTGOX to improve their security for a website
that is going to be attacked on a daily basis using every method known to hackers.