Bitcoin Forum
Author Topic: 24 BTC stolen from my bitstamp account 2FA and email confirmation protected  (Read 14932 times)

gabridome (OP), Full Member (Activity: 162, Merit: 100)
March 04, 2014, 09:07:53 PM, #41

Big lesson learned.
Thanks everybody for taking care.

I'm really frustrated. If 2FA, a strong password and a confirmation email are not enough, I don't know how it is possible to develop this thing in which I strongly believed.

Paper and offline wallets are not handy, hardware wallets are not ready, brainwallets are not safe.

roslinpl, Legendary (Activity: 2212, Merit: 1199)
March 04, 2014, 09:18:11 PM, #42

> Update: Bitstamp replied.
> In summary, they haven't detected anything strange or suspicious in the related operations on their part.
> In my ticket I specifically asked if there have been changes to my account email, but there were not. So it's obvious to me that he also had control of my email. This is also confirmed by the connections from different Tor-related IPs.
>
> They suggested that I contact a computer expert. It will be tough, I think. I have to start from scratch.

What can you do? Will you track an IP? The IP of someone who did not know anything about this?

You can only track the transaction, and maybe, maybe, you can find someone on some forum with the wallet address where your money was transferred.

Not a lot you can do.

Seems like your bitcoins are still @1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE ... so it is hard to track the owner ...

Lesson: do not use Bitstamp.
Lesson 2: do not keep your money @ an exchange.

breakinglocks, Newbie (Activity: 2, Merit: 0)
March 04, 2014, 09:52:53 PM, #43

I agree,
logging into email & Bitstamp from the same phone you get the 2FA codes from kinda compromises the idea of 2FA.
Before using 2FA on phones, you would get a little RSA standalone token for this purpose. The idea is to get the 2FA codes from a source disconnected from the one you type your normal password into, so if somebody just hacks you he can't get into your accounts without also physically stealing the RSA token from you.

And if you have to get your RSA codes from an internet-connected phone (which I think, at this point, is still fine), it is still some longshot that if your PC is compromised your phone will be too. But to log in from the same phone you get 2FA from is obviously the easiest way to get compromised, as it completely eliminates the idea that something physical also has to be stolen from you for gaining access to your accounts.

I also agree with the poster who said there should be an option on Bitstamp and other sites to set some withdrawal addresses, and only be able to change them with another password and maybe some wait time as well (obviously not forced on the users, but optional settings). Would make stealing a whole lot harder. And then you could even set one of those addresses to some safely stored paper wallet, and in case you get paranoid that you might be infected, you can just send it there.

roslinpl, Legendary (Activity: 2212, Merit: 1199)
March 04, 2014, 10:02:09 PM, #44

>> Update: On 2/22 I had an access to my gmail account from Cyprus... Never been there.
>
> I already explained to you that the IPs used to haxor you are IPs belonging to the Tor network. https://www.torproject.org/
>
> Yes, there will be lots of IPs from all around the world used.
>
> Now answer the more interesting questions.
>
> a) Have you ever logged into Bitstamp from your phone?
> b) Do you use e-mail on your phone and have an e-mail client on it with your password saved?
> c) Was the phone connected to wifi or a network provider with a data plan at the time in question?
>
> Protip for everyone: there is a small program called "JAuth" which is a Java-based open source implementation of Google 2FA. You can install this on an old, otherwise unused computer that is not connected to the internet or anything else. There are also cheap $90 Android phones you can use for this purpose: only install Google Auth on it and nothing else, delete all the Google spyware, permanently turn off wifi and don't have a SIM card in it.
>
> Also people, beware that 25 BTC is a lot of money. There are those willing to do customized targeting (including social engineering attacks) to get at that kind of money. You're fat and ugly and some hot blonde girl approaches you and wants to fuck? Be suspicious, she's likely after your money.

Indeed ... so the best storage is cold storage, but there is a chance for devs to dev some nice anti-hack apps for bitcoin users.

Probably, Newbie (Activity: 56, Merit: 0)
March 04, 2014, 10:24:05 PM, #45

> I'm really frustrated. If 2FA, a strong password and a confirmation email are not enough, I don't know how it is possible to develop this thing in which I strongly believed.
>
> Paper and offline wallets are not handy, hardware wallets are not ready, brainwallets are not safe.

Convenience is an advanced feature.

You're blaming tools (2FA, strong pw, conf email) when none of that has anything to do with you being compromised.

Your level of being compromised would render basically any computer system vulnerable; it has nothing to do with bitcoin and everything to do with your being hacked via bad software OR the issue of trusting a 3rd party with a "promise."

For example, confirmation emails with a static confirm link only work if your email isn't compromised. They should link you to a page on the site that requires you to use a specific IP address, redundant 2FA and possibly another password for a secure login. That would be "more secure" but "less convenient."


sebicas, Member (Activity: 69, Merit: 20)
March 04, 2014, 11:39:55 PM, #46

Does your cellphone have access to your email and Google Authenticator?
If so, could somebody have gotten access to your phone while on vacation?

BitCoinNutJob, Legendary (Activity: 1316, Merit: 1000)
March 05, 2014, 12:03:13 AM, #47

They took 5 days to answer you? That's a fucking disgrace.

daynomate, Member (Activity: 106, Merit: 10)
March 05, 2014, 12:54:28 AM, #48

Sorry for your loss OP

Do we have a list of exchanges that have implemented this locked-withdrawal address? I heard of it earlier but can't remember the site that was going to use it.

I think, given the implications, this feature should be universal in all exchanges.

roslinpl, Legendary (Activity: 2212, Merit: 1199)
March 05, 2014, 01:08:33 AM, #49

> They took 5 days to answer you? That's a fucking disgrace.

Disgrace is how Bitstamp is indeed treating their customers. MtGox had the same problem.. perhaps both exchanges will get their lessons..

johnyj, Legendary, "Beyond Imagination" (Activity: 1988, Merit: 1012)
March 05, 2014, 01:35:31 AM, #50

Most likely a login session on the phone was not terminated, so the hacker simply re-entered Bitstamp, and at the same time the email account is usually auto-logged-in, so no 2FA is required.

There is a weakness on Bitstamp's side: you don't need a 2FA code for a withdrawal. Since usually your email session is always logged in, once malware has taken control of the device, it only needs to wait until you log into Bitstamp.

I just checked my computer: my email session is always automatically logged in, so it is also possible that malware could withdraw all my coins when I log into Bitstamp. Scary but true.



Jeronimus, Member (Activity: 97, Merit: 10)
March 05, 2014, 02:25:27 AM, #51

If I understood properly from what I read, my bets would be on the hacker having had access to your smartphone.
Either via some malware you installed, OR via known security holes in the software installed on your device, and/or known backdoors the NSA builds into every such spy-device known as a smartphone, which the hacker also knew about.

It is my understanding that via your smartphone you also accessed your email, were trading on Bitstamp and were also using it for the 2FA.

So the hacker had access to your email password via the phone, the Bitstamp password, and of course the 2FA (be it a keylogger, a trojan with full access, an NSA backdoor, a security hole in your smartphone OS etc.)

The above is the reason why I refuse to own a smart(dumb)phone and decided to use an old laptop with Linux to do the two-factor authentication for me.

The laptop will never touch the internet ever again. The codes for the 2FA are on a USB stick and also printed out in case of hardware damage, allowing me to restore the 2FA on another device if ever required. (You have to make sure the clock on the laptop displays the right time or 2FA won't work.)

There are probably many ways to do the 2FA in Linux, like using JAuth, or installing VirtualBox and then installing Android within it (old laptop too slow for this), but I decided to use Wine and used WinAuth inside it.

To use WinAuth you first have to install dotnet 4.0, however, and that is not so easy. Tutorials on the net using winetricks did not work for me. I ended up copying the whole msnet 4.0 folders into the appropriate locations in the Wine folders from a Win98 install in VirtualBox, and to my surprise it worked...

gabridome (OP), Full Member (Activity: 162, Merit: 100)
March 05, 2014, 05:53:07 AM, #52

>> Update: On 2/22 I had an access to my gmail account from Cyprus... Never been there.
>
> I already explained to you that the IPs used to haxor you are IPs belonging to the Tor network. https://www.torproject.org/
>
> Yes, there will be lots of IPs from all around the world used.
>
> Now answer the more interesting questions.
>
> a) Have you ever logged into Bitstamp from your phone?
> b) Do you use e-mail on your phone and have an e-mail client on it with your password saved?
> c) Was the phone connected to wifi or a network provider with a data plan at the time in question?
>
> Protip for everyone: there is a small program called "JAuth" which is a Java-based open source implementation of Google 2FA. You can install this on an old, otherwise unused computer that is not connected to the internet or anything else. There are also cheap $90 Android phones you can use for this purpose: only install Google Auth on it and nothing else, delete all the Google spyware, permanently turn off wifi and don't have a SIM card in it.
>
> Also people, beware that 25 BTC is a lot of money. There are those willing to do customized targeting (including social engineering attacks) to get at that kind of money. You're fat and ugly and some hot blonde girl approaches you and wants to fuck? Be suspicious, she's likely after your money.

Yes, I have logged in to Bitstamp from my phone, and I had my Google Authenticator installed there.
Yes, I had my email account with the password saved on the same phone.
Yes, it was connected to a 3G data plan.

moni3z, Hero Member (Activity: 899, Merit: 1002)
March 05, 2014, 06:05:36 AM, #53

I don't use authenticator, is it possible to just log into your regular google account and disable it in settings? Attacker seemed to have used email as 2FA.
Your phone should've sent you all sorts of notifications when you got those emails unless you turned them off, or the attacker immediately turned off sync/notifications when they got control of your gmail.

I also endorse the immutable withdraw address(es) option to prevent this in the future. They will need control over your wallet as well to get the coins or somehow social engineer the exchange into resetting the immutable withdraw addresses.

gabridome (OP), Full Member (Activity: 162, Merit: 100)
March 05, 2014, 06:21:33 AM, #54

> I don't use authenticator, is it possible to just log into your regular google account and disable it in settings? Attacker seemed to have used email as 2FA.
> Your phone should've sent you all sorts of notifications when you got those emails unless you turned them off, or the attacker immediately turned off sync/notifications when they got control of your gmail.
>
> I also endorse the immutable withdraw address(es) option to prevent this in the future. They will need control over your wallet as well to get the coins or somehow social engineer the exchange into resetting the immutable withdraw addresses.

The only form of 2FA possible on Bitstamp is Google Authenticator.

leshow, Newbie (Activity: 48, Merit: 0)
March 05, 2014, 07:00:41 AM, #55

> Most likely a login session on the phone was not terminated, so the hacker simply re-entered Bitstamp, and at the same time the email account is usually auto-logged-in, so no 2FA is required.
>
> There is a weakness on Bitstamp's side: you don't need a 2FA code for a withdrawal. Since usually your email session is always logged in, once malware has taken control of the device, it only needs to wait until you log into Bitstamp.
>
> I just checked my computer: my email session is always automatically logged in, so it is also possible that malware could withdraw all my coins when I log into Bitstamp. Scary but true.

This seems like the most likely to me. It bypasses 2FA, and if they already had your email it would be easy: wait till you log in to Bitstamp, initiate a withdrawal, confirm the email.

If it is from inside Bitstamp, it's a very scary thought to have.

sickpig, Legendary (Activity: 1260, Merit: 1008)
March 05, 2014, 07:19:25 AM, #56

> I went on vacation on the 21st. On the 23rd I logged in to Bitstamp because I thought one week of storage of bitcoin on an exchange was too much.
>
> My balance was zero $ and zero bitcoins. From the history I saw someone (not me) made these astonishing things:
>
> * 2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication
> * 2014-02-22 20:01:39   109.163.234.9   Opened bitcoin withdrawal request for 23.83677391 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
> * 2014-02-22 20:01:39   109.163.234.9   Bitcoin withdrawal request: email was sent to user
> * 2014-02-22 20:02:00   109.163.234.9   Bitcoin withdrawal request: email confirmed by user
> * 2014-02-22 20:09:33   161.53.74.122   Changed user password
> * 2014-02-22 20:12:33   96.47.226.20   Opened instant buy order for $36.30
> * 2014-02-22 20:13:38   96.47.226.20   Opened bitcoin withdrawal request for 0.05965404 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
> * 2014-02-22 20:13:38   96.47.226.20   Bitcoin withdrawal request: email was sent to user
> * 2014-02-22 20:15:35   96.47.226.20   Bitcoin withdrawal request: email confirmed by user
> * 2014-02-22 20:24:24   141.212.108.13   Changed user password

If I read correctly, it seems they managed to restore your usual password after the hack, am I right?

Bitcoin is a participatory system which ought to respect the right of self determinism of all of its users - Gregory Maxwell.

njcarlos, Sr. Member (Activity: 280, Merit: 250)
March 05, 2014, 07:49:03 AM, #57

> Really, it seems the only explanation for me is that I did it and forgot about it, but there is no trace of the confirmation emails and I don't have a trace of the destination address.

No offense, but what the hell is this supposed to mean? "I did it and forgot about it?" Who moves 11000-16000 USD and "forgets" about it?

Marco Polo, Newbie (Activity: 29, Merit: 0)
March 05, 2014, 11:06:14 AM, #58

> Most likely a login session on the phone was not terminated, so the hacker simply re-entered Bitstamp, and at the same time the email account is usually auto-logged-in, so no 2FA is required.

This would have been my guess also, but the history says:

Code:
* 2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication

109.163.234.9 is a TOR relay, so it seems it was the hacker that did a full logon from TOR using 2FA (also, it is the same address that withdraws the BTC).

The most likely option then is that they have access to (at least) your phone.

I think the reason the hacker changed the password was so you would not log on yourself and change the password in case you saw the withdrawal email. He then changed it back to cover his tracks, just in case you would not notice.

* Did he delete the confirmation emails Bitstamp sent from your email?

* You should make a list of all IP addresses the hackers used and confirm that they are TOR relays on https://metrics.torproject.org/relay-search.html
Not likely, but the hacker might have made a mistake somewhere in not using TOR.

* It would be interesting if you could export a list from your Android phone of all the applications installed and post it here, especially those installed just (1-2 weeks) before the hack.
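The checks discussed above (Marco Polo's relay lookup and password-changed-then-changed-back observation, johnyj's point that the withdrawal email is confirmed from the same compromised mailbox) turned into a small triage script, as an added example that is not code from any poster. It parses the activity history quoted in this thread and flags each pattern; the relay set is a constructed assumption for the demo, not a verified lookup.

```python
import re
from datetime import datetime

# Constructed sample: the account history as quoted in this thread.
ACTIVITY_LOG = """\
2014-02-22 19:56:08   109.163.234.9   Logged in using two-factor authentication
2014-02-22 20:01:39   109.163.234.9   Opened bitcoin withdrawal request for 23.83677391 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
2014-02-22 20:01:39   109.163.234.9   Bitcoin withdrawal request: email was sent to user
2014-02-22 20:02:00   109.163.234.9   Bitcoin withdrawal request: email confirmed by user
2014-02-22 20:09:33   161.53.74.122   Changed user password
2014-02-22 20:12:33   96.47.226.20   Opened instant buy order for $36.30
2014-02-22 20:13:38   96.47.226.20   Opened bitcoin withdrawal request for 0.05965404 BTC to 1PGPkndy1nYLUee3nKKLez8smjqK5zBNKE
2014-02-22 20:13:38   96.47.226.20   Bitcoin withdrawal request: email was sent to user
2014-02-22 20:15:35   96.47.226.20   Bitcoin withdrawal request: email confirmed by user
2014-02-22 20:24:24   141.212.108.13   Changed user password
"""
# Assumed relay membership for the demo only; a real check loads the Tor Project's published relay list.
ASSUMED_TOR_RELAYS = {"109.163.234.9", "96.47.226.20", "141.212.108.13"}

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")

def parse_log(text):
    """Turn the pasted history into (timestamp, ip, event) tuples."""
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_indicators(events, relays, max_confirm_seconds=60):
    """Return (kind, timestamp, ip) findings for the patterns the thread discusses."""
    findings, seen_relays = [], set()
    session_ip, mail_sent_at, password_changes = None, None, 0
    for ts, ip, event in events:
        if ip in relays and ip not in seen_relays:      # anonymised source address
            seen_relays.add(ip)
            findings.append(("tor_relay", ts, ip))
        if event.startswith("Logged in"):
            session_ip = ip
        elif session_ip and ip != session_ip:            # new address, no new login
            findings.append(("ip_change", ts, ip))
            session_ip = ip
        if event.endswith("email was sent to user"):
            mail_sent_at = ts
        elif event.endswith("email confirmed by user") and mail_sent_at:
            # Confirmed seconds after the mail left: the party that opened the withdrawal also reads the mailbox.
            if (ts - mail_sent_at).total_seconds() <= max_confirm_seconds:
                findings.append(("fast_confirm", ts, ip))
            mail_sent_at = None
        if event == "Changed user password":
            password_changes += 1
            if password_changes > 1:                      # changed, then changed back
                findings.append(("repeat_password_change", ts, ip))
    return findings
```

On the quoted history this yields eight findings: three relay addresses, three address changes without a fresh login, one withdrawal confirmed 21 seconds after its email, and the second password change.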

roslinpl, Legendary (Activity: 2212, Merit: 1199)
March 05, 2014, 11:26:06 AM, #59

>> Yes, I have logged in to Bitstamp from my phone, and I had my Google Authenticator installed there.
>> Yes, I had my email account with the password saved on the same phone.
>> Yes, it was connected to a 3G data plan.
>
> This means that the criminal(s) could steal all your money if they indeed have compromised your phone, and I am guessing this is the case here. :-/
>
> This is a rather sad and expensive life lesson for you. I hope you and others learn from it.

Sad and expensive indeed ...
I hope you will recover soon.

Try to keep tracking their wallet address with your BTC. One day they must spend it. Maybe they will make a small mistake and you will be able to track them. But perhaps this would be difficult.

gabridome (OP), Full Member (Activity: 162, Merit: 100)
March 05, 2014, 03:03:51 PM, #60

>>> Yes, I have logged in to Bitstamp from my phone, and I had my Google Authenticator installed there.
>>> Yes, I had my email account with the password saved on the same phone.
>>> Yes, it was connected to a 3G data plan.
>>
>> This means that the criminal(s) could steal all your money if they indeed have compromised your phone, and I am guessing this is the case here. :-/
>>
>> This is a rather sad and expensive life lesson for you. I hope you and others learn from it.
>
> Sad and expensive indeed ...
> I hope you will recover soon.
>
> Try to keep tracking their wallet address with your BTC. One day they must spend it. Maybe they will make a small mistake and you will be able to track them. But perhaps this would be difficult.

I agree... Do you know a good address tracker? I used one last year but I don't even remember the name (it wasn't so good anyway).