Bitcoin Forum
December 09, 2016, 09:56:04 AM
Author Topic: Possible false alarm: MtGox break in  (Read 13982 times)
DiabloD3 (Legendary, Activity: 1162, DiabloMiner author), September 14, 2011, 03:04:02 AM, #141

Was this an MtGox session hijack from the forum hack? Were you logged into MtGox when the forum hack occurred?



That would be interesting if it was related.

deepceleron (Legendary, Activity: 1470), September 14, 2011, 06:17:43 AM, #142


Asking once again. Do you use a Yubikey on Mt.Gox?

As I've said in the past, I do not believe that they improve security.

They do not prevent every kind of attack but they stop entire categories of attacks.  You are wrong on this one and should think about it a bit more.  

They stop entire categories of attacks which not everyone is especially prone to.  SSO is a nice to have and very worthwhile in a lot of cases, but it introduces yet another layer of expense and complexity.  I don't use one at my exchange but I am quite careful about my username, password, access methods, etc.

Most importantly, I do consider the funds I have at my exchange to be disposable.  I consider the risk from incompetence, dishonesty, and government intervention to put the assets I have at my exchange at risk more than my authentication being compromised.  A good number of people would be well advised to NOT follow suit here.


The YubiKey is the "something you have" in two-factor authentication. Even if Diablo was successfully phished for his password by a fake email, the YubiKey credentials would also be needed in order to log in. Then there is a second passkey in the YubiKey needed to execute trades. The answer is, unless MtGox is still deeply hacked and PwNd from the inside and the cracker is going after $60 accounts first, the YubiKey requirement would have prevented an attacker from logging in and executing trades or withdrawals.

MtGox should have audit logging, and be able to see when the IP logged in and if they used Diablo's login. Ideally a log of the last several logins and IPs should be shown on your user account page too; Gmail can even do this. If the hackers used Diablo's username and password, and it is long and hard to crack as Diablo indicates, then it isn't MtGox's fault, as Diablo's credentials were obtained some other way.
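The flow deepceleron describes above (password plus a "something you have" code to log in, a second code to execute trades, and a log of login attempts with IPs), written out as an added example; this is not code from the thread or from MtGox. A counter-based HOTP code (RFC 4226, HMAC-SHA1 over a counter) stands in for the YubiKey's one-time password. The real YubiKey emits a differently formatted token (a 44-character modhex string carrying a public ID and an AES-encrypted block with session and use counters), but the property shown is the same: a phished password alone does not log in, and a code the owner already used cannot be replayed because the server only accepts a counter above the last one it saw. The `Account` fields, the hypothetical `login`, `execute_trade` and `recent_logins` functions, the secrets and the IP addresses are all constructed for the example.

```python
"""Two-factor login and trade authorisation with replay-protected one-time codes,
plus an audit log of login attempts.  Added example; the exchange flow, the HOTP
stand-in for the YubiKey OTP, and every name and secret here are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    username: str
    password_hash: bytes
    salt: bytes
    login_secret: bytes           # secret of the token presented at login
    trade_secret: bytes           # separate secret for the second "trade" passkey
    login_counter: int = 0        # highest counter accepted so far: replay protection
    trade_counter: int = 0
    audit_log: list = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, password: str, login_secret: bytes, trade_secret: bytes) -> Account:
    salt = b"constructed-salt"     # constructed; a real system draws this at random
    return Account(username, hash_password(password, salt), salt, login_secret, trade_secret)


def _check_otp(secret: bytes, last_counter: int, otp: str, window: int = 10):
    """Return the counter that produced `otp` if it lies strictly above the last
    accepted counter (within a small look-ahead window), else None.  A code that
    was already accepted is therefore rejected when a phisher replays it."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c), otp):
            return c
    return None


def login(acct: Account, password: str, otp: str, ip: str) -> bool:
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)
    new_counter = _check_otp(acct.login_secret, acct.login_counter, otp) if pw_ok else None
    success = new_counter is not None
    if success:
        acct.login_counter = new_counter
    acct.audit_log.append({"event": "login", "ip": ip, "success": success})
    return success


def execute_trade(acct: Account, logged_in: bool, trade_otp: str, ip: str) -> bool:
    """Trades need the second factor again, from a second token secret."""
    if not logged_in:
        return False
    new_counter = _check_otp(acct.trade_secret, acct.trade_counter, trade_otp)
    success = new_counter is not None
    if success:
        acct.trade_counter = new_counter
    acct.audit_log.append({"event": "trade", "ip": ip, "success": success})
    return success


def recent_logins(acct: Account, n: int = 5) -> list:
    """What the account page should show the user: the last few logins with IPs."""
    return [e for e in acct.audit_log if e["event"] == "login"][-n:]


def demo():
    acct = make_account("owner", "long-random-passphrase", b"login-token-secret", b"trade-token-secret")
    # Owner: correct password plus the token's code for counter 1, then a trade code.
    owner_ok = login(acct, "long-random-passphrase", hotp(b"login-token-secret", 1), "203.0.113.5")
    trade_ok = execute_trade(acct, owner_ok, hotp(b"trade-token-secret", 1), "203.0.113.5")
    # Phisher: has the password from a fake email, but no second factor at all.
    phish_pw_only = login(acct, "long-random-passphrase", "", "198.51.100.7")
    # Phisher: also captured the code the owner already used; the replay is rejected.
    phish_replay = login(acct, "long-random-passphrase", hotp(b"login-token-secret", 1), "198.51.100.7")
    return owner_ok, trade_ok, phish_pw_only, phish_replay, recent_logins(acct)
```

The look-ahead window exists because a hardware token's counter advances every time it is pressed, including presses that never reach the server; the server must still refuse anything at or below the last accepted counter, which is the line that defeats replay of a captured code.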

TiagoTiago (Hero Member, Activity: 616), September 14, 2011, 07:04:30 AM, #143

Was this an MtGox session hijack from the forum hack? Were you logged into MtGox when the forum hack occurred?



That would be interesting if it was related.
Wouldn't it be possible that some of the code injected in the forum during the attack included something that would do some nastiness if you had 'gox opened in another tab?

EhVedadoOAnonimato (Hero Member, Activity: 616), September 14, 2011, 08:05:07 AM, #144

Wouldn't it be possible that some of the code injected in the forum during the attack included somthing that would do some nastiness if you had 'gox opened in another tab?

Yes, a CSRF attack, but if MtGox's code is well written it should be protected against it, afaik.
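The scenario the last two posts discuss, as an added example rather than code from the thread or from MtGox: script injected into the compromised forum page makes the victim's browser POST a withdrawal to the exchange, and the browser attaches the exchange session cookie because that is what browsers did with cross-site form posts. A handler that trusts the cookie alone executes it; the hardened handler additionally requires a synchronizer token bound to the session (an HMAC the attacker's page cannot compute or read) and rejects a mismatching `Origin` header. The request shape, the `withdraw_vulnerable` and `withdraw_hardened` handlers, the session ids, origins and server key are all constructed for the example.

```python
"""CSRF against an exchange withdrawal endpoint: vulnerable handler beside the
hardened one.  Added example; the request model, handler names, session ids,
origins and server key are constructed, not MtGox's code."""
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_KEY = b"constructed-server-key"       # would be random and secret in practice
SITE_ORIGIN = "https://exchange.example"     # constructed origin of the exchange


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def fresh_sessions() -> dict:
    """Server-side session store: session id -> logged-in user and balance."""
    return {"s3cr3t-session-id": {"user": "victim", "balance": 60.0}}


def csrf_token(session_id: str) -> str:
    """Token derived from the session id with a server secret.  It is embedded in
    the exchange's own forms; a page on another origin can neither read the cookie
    nor compute the HMAC, so it cannot supply a valid token."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def withdraw_vulnerable(req: Request, sessions: dict) -> int:
    """Trusts the session cookie alone: any cross-site POST carrying it succeeds."""
    sess = sessions.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None:
        return 403
    sess["balance"] -= float(req.form["amount"])
    return 200


def withdraw_hardened(req: Request, sessions: dict) -> int:
    sid = req.cookies.get("sid")
    sess = sessions.get(sid)
    if req.method != "POST" or sess is None:
        return 403
    # Defence 1: the form must carry the token bound to this session.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token(sid)):
        return 403
    # Defence 2: if the browser supplied an Origin header, it must be our own.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    sess["balance"] -= float(req.form["amount"])
    return 200


def demo():
    # Constructed: a hidden form auto-submitted by script on the hacked forum page.
    # The browser adds the exchange cookie; the attacker controls only the form fields.
    forged = Request("POST", "/withdraw",
                     cookies={"sid": "s3cr3t-session-id"},
                     form={"amount": "60", "address": "attacker-address"},
                     headers={"Origin": "https://forum.example"})
    vulnerable_store = fresh_sessions()
    vulnerable_status = withdraw_vulnerable(forged, vulnerable_store)
    hardened_store = fresh_sessions()
    forged_status = withdraw_hardened(forged, hardened_store)
    # The real user, submitting the exchange's own form, has the token in it.
    genuine = Request("POST", "/withdraw",
                      cookies={"sid": "s3cr3t-session-id"},
                      form={"amount": "10", "csrf_token": csrf_token("s3cr3t-session-id")},
                      headers={"Origin": SITE_ORIGIN})
    genuine_status = withdraw_hardened(genuine, hardened_store)
    return (vulnerable_status, vulnerable_store["s3cr3t-session-id"]["balance"],
            forged_status, genuine_status, hardened_store["s3cr3t-session-id"]["balance"])
```

Note what the token does not protect against: if the forum script instead exploited an XSS bug on the exchange's own origin, it could read the token from the page and the check would pass, which is why the CSRF token answers only the cross-site case raised in the post.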