Bitcoin Forum
Topic: Possible false alarm: MtGox break in (page 8 of 8)
DiabloD3 (OP)
Legendary, Activity: 1162, Merit: 1000, DiabloMiner author
September 14, 2011, 03:04:02 AM, #141

Quote: Was this a mtgox session hijack from the forum hack? Were you logged into mtgox when the forum hack occurred?

That would be interesting if it was related.

deepceleron
Legendary, Activity: 1512, Merit: 1036
September 14, 2011, 06:17:43 AM, #142

Quote: Asking once again. Do you use a Yubikey on Mt.Gox?

Quote: As I've said in the past, I do not believe that they improve security.

Quote: They do not prevent every kind of attack but they stop entire categories of attacks. You are wrong on this one and should think about it a bit more.

Quote: They stop entire categories of attacks which not everyone is especially prone to. SSO is a nice to have and very worthwhile in a lot of cases, but it introduces yet another layer of expense and complexity. I don't use one at my exchange but I am quite careful about my username, password, access methods, etc.

Quote (continued): Most importantly, I do consider the funds I have at my exchange to be disposable. I consider the risk from incompetence, dishonesty, and government intervention to put the assets I have at my exchange at risk more than my authentication being compromised. A good number of people would be well advised to NOT follow suit here.

The Yubikey is the "something you have" in two-factor authentication. Even if Diablo was successfully phished for his password by a fake email, the Yubikey credentials would also be needed in order to log in. Then there is a second passkey in the Yubikey needed to execute trades. The answer is, unless MtGox is still deeply hacked and PwNd from the inside and the cracker is going after $60 accounts first, the Yubikey requirement would have prevented an attacker from logging in and executing trades or withdrawals.

MtGox should have audit logging, and be able to see when the IP logged in and if they used Diablo's login. Ideally a log of the last several logins and IPs should be shown on your user account page too; Gmail can even do this. If the hackers used Diablo's username and password, and it is long and hard to crack as Diablo indicates, then it isn't MtGox's fault, as Diablo's credentials were obtained some other way.
TiagoTiago
Hero Member, Activity: 616, Merit: 500, Firstbits.com/1fg4i :)
September 14, 2011, 07:04:30 AM, #143

Quote: Was this a mtgox session hijack from the forum hack? Were you logged into mtgox when the forum hack occurred?

Quote: That would be interesting if it was related.

Wouldn't it be possible that some of the code injected in the forum during the attack included something that would do some nastiness if you had 'gox opened in another tab?

EhVedadoOAnonimato
Hero Member, Activity: 630, Merit: 500
September 14, 2011, 08:05:07 AM, #144

Quote: Wouldn't it be possible that some of the code injected in the forum during the attack included something that would do some nastiness if you had 'gox opened in another tab?

Yes, a CSRF attack, but if MtGox code is well written it should be protected against it, afaik.