almightyruler (OP)
Legendary
 Offline
Activity: 2268
Merit: 1092
|
 |
August 23, 2019, 08:38:30 PM |
|
In recent days my LBC account has been repeatedly probed:
08/17/2019 06:32 Failed login attempt 175.136.7.241
08/16/2019 22:30 Failed login attempt 175.136.53.202
08/16/2019 20:56 Failed login attempt 1.9.207.170
08/16/2019 17:10 Failed login attempt 210.195.23.136
08/14/2019 08:08 Failed login attempt 115.134.62.224
08/11/2019 16:36 Failed login attempt 124.13.250.203
08/11/2019 14:03 Failed login attempt 161.142.59.116
08/10/2019 23:55 Failed login attempt 210.186.99.148
08/10/2019 21:52 Failed login attempt 60.51.2.234
08/10/2019 18:01 Failed login attempt 219.92.150.84
08/10/2019 00:58 Failed login attempt 42.188.120.179
08/09/2019 08:18 Failed login attempt 210.195.40.83
All the IPs are from Malaysia, which is not where I live.
I'm assuming someone has scraped feedback and is targeting accounts they think will hold funds (mine is listed as 20+ BTC traded)
I have 2FA active on the account, so cracking it would be useless anyway. (If you're not using 2FA - enable it now!)
Anyone else seeing this sort of activity in their LBC account?
|
|
|
|
|
BitcoinGirl.Club
Legendary
Offline
Activity: 2814
Merit: 2737
Farewell LEO: o_e_l_e_o
|
In recent days my LBC account has been repeatedly probed:
08/17/2019 06:32 Failed login attempt 175.136.7.241
08/16/2019 22:30 Failed login attempt 175.136.53.202
08/16/2019 20:56 Failed login attempt 1.9.207.170
08/16/2019 17:10 Failed login attempt 210.195.23.136
08/14/2019 08:08 Failed login attempt 115.134.62.224
08/11/2019 16:36 Failed login attempt 124.13.250.203
08/11/2019 14:03 Failed login attempt 161.142.59.116
08/10/2019 23:55 Failed login attempt 210.186.99.148
08/10/2019 21:52 Failed login attempt 60.51.2.234
08/10/2019 18:01 Failed login attempt 219.92.150.84
08/10/2019 00:58 Failed login attempt 42.188.120.179
08/09/2019 08:18 Failed login attempt 210.195.40.83
All the IPs are from Malaysia, which is not where I live.
I'm assuming someone has scraped feedback and is targeting accounts they think will hold funds (mine is listed as 20+ BTC traded)
I have 2FA active on the account, so cracking it would be useless anyway. (If you're not using 2FA - enable it now!)
Anyone else seeing this sort of activity in their LBC account?
It's Failed login attempt, so do not worry much about it. Anyone can use your username and try to login with random password or even if they know the password (worse case)but your 2fa is not known to them then they can not login to your account but for that attempt it will keep a log which you are seeing in this case. You will be worried if you see any successful login attempt. |
|
|
|
almightyruler (OP)
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
August 23, 2019, 08:54:56 PM |
|
You will be worried if you see any successful login attempt.
Yes, I understand that they're unlikely to be able to successfully access my account, but it's worth considering: 1. To log in, LBC allows you to use your email address (which is private) or your username (which is publicly listed on feedback pages) 2. 2FA isn't an unbreakable fortress. To verify the 2FA signature your device generates, LBC has to compare against a copy of a shared secret, so anyone who possesses that secret (eg employee, hacker) will be able to generate a valid 2FA signature. LBC even helpfully shows your 2FA recovery code when you're logged in, which means their web server has read access to that secret. |
|
|
|
|
|
Mahanton
|
|
August 23, 2019, 09:45:23 PM |
|
You will be worried if you see any successful login attempt.
Yes, I understand that they're unlikely to be able to successfully access my account, but it's worth considering: 1. To log in, LBC allows you to use your email address (which is private) or your username (which is publicly listed on feedback pages) 2. 2FA isn't an unbreakable fortress. To verify the 2FA signature your device generates, LBC has to compare against a copy of a shared secret, so anyone who possesses that secret (eg employee, hacker) will be able to generate a valid 2FA signature. LBC even helpfully shows your 2FA recovery code when you're logged in, which means their web server has read access to that secret. Nothing is unbreakable thats why we got really worried if hackers do really able to bypass LBC security but for now theres nothing to worry. Its a little bit alarming that you do have multiple log-in from unknown IP's which isnt yours.It do proves out that your email info is known. 2fa is a must specially to accounts that had funds on it. |
|
|
|
|
|
| R |
▀▀▀▀▀▀▀██████▄▄
████████████████
▀▀▀▀█████▀▀▀█████
████████▌███▐████
▄▄▄▄█████▄▄▄█████
████████████████
▄▄▄▄▄▄▄██████▀▀ | LLBIT | | | 4,000+ GAMES███████████████████
██████████▀▄▀▀▀████
████████▀▄▀██░░░███
██████▀▄███▄▀█▄▄▄██
███▀▀▀▀▀▀█▀▀▀▀▀▀███
██░░░░░░░░█░░░░░░██
██▄░░░░░░░█░░░░░▄██
███▄░░░░▄█▄▄▄▄▄████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ | █████████
▀████████
░░▀██████
░░░░▀████
░░░░░░███
▄░░░░░███
▀█▄▄▄████
░░▀▀█████
▀▀▀▀▀▀▀▀▀ | █████████
░░░▀▀████
██▄▄▀░███
█░░█▄░░██
░████▀▀██
█░░█▀░░██
██▀▀▄░███
░░░▄▄████
▀▀▀▀▀▀▀▀▀ |
| | | ██░░░░░░░░░░░░░░░░░░░░░░██
▀█▄░▄▄░░░░░░░░░░░░▄▄░▄█▀
▄▄███░░░░░░░░░░░░░░███▄▄
▀░▀▄▀▄░░░░░▄▄░░░░░▄▀▄▀░▀
▄▄▄▄▄▀▀▄▄▀▀▄▄▄▄▄
█░▄▄▄██████▄▄▄░█
█░▀▀████████▀▀░█
█░█▀▄▄▄▄▄▄▄▄██░█
█░█▀████████░█
█░█░██████░█
▀▄▀▄███▀▄▀
▄▀▄▀▄▄▄▄▀▄▀▄
██▀░░░░░░░░▀██ | | | | | | | .
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
░▀▄░▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄░▄▀
███▀▄▀█████████████████▀▄▀
█████▀▄░▄▄▄▄▄███░▄▄▄▄▄▄▀
███████▀▄▀██████░█▄▄▄▄▄▄▄▄
█████████▀▄▄░███▄▄▄▄▄▄░▄▀
████████████░███████▀▄▀
████████████░██▀▄▄▄▄▀
████████████░▀▄▀
████████████▄▀
███████████▀ | ▄▄███████▄▄
▄████▀▀▀▀▀▀▀████▄
▄███▀▄▄███████▄▄▀███▄
▄██▀▄█▀▀▀█████▀▀▀█▄▀██▄
▄██▀▄██████▀████░███▄▀██▄
███░█████████▀██░████░███
███░████░█▄████▀░████░███
███░████░███▄████████░███
▀██▄▀███░█████▄█████▀▄██▀
▀██▄▀█▄▄▄██████▄██▀▄██▀
▀███▄▀▀███████▀▀▄███▀
▀████▄▄▄▄▄▄▄████▀
▀▀███████▀▀ | | OFFICIAL PARTNERSHIP
FAZE CLAN
SSC NAPOLI | | |
|
|
|
Stedsm
Legendary
Offline
Activity: 3052
Merit: 1273
|
|
August 23, 2019, 09:58:40 PM |
|
If I'm not wrong, they give us a set of codes which we need to write down? I've had my 2fa enabled on one of my accounts which used to be very active, but the image file that I saved on my offline PC got deleted by me accidentally. Is there any way you know to recover this 2fa thing there?
I've actually had no funds in it so I'm at least safe there (as I believe that even my 2fa could have been stolen if I may have gone online through that PC ever maybe, because I've an IMAGE saved of those codes).
|
| .SHUFFLE.COM.. | ███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████ | ███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████ | .
...Next Generation Crypto Casino... |
|
|
|
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1721
|
|
August 23, 2019, 10:04:29 PM |
|
2. 2FA isn't an unbreakable fortress. To verify the 2FA signature your device generates, LBC has to compare against a copy of a shared secret, so anyone who possesses that secret (eg employee, hacker) will be able to generate a valid 2FA signature.
If you don't trust Localbitcoins employees not to defraud you, you shouldn't be using their site. I think a bigger worry (with exchanges and similar sites in general) is that someone may successfully socially engineering their customer support to take over another person's account. (maybe not anymore in 2019 with selfie verifications being common but still) I haven't logged in in a while, but can your really see the 2FA key when logged in? That doesn't sound like a good security practice. |
Signature space available for rent.
|
|
|
squatter
Legendary
Offline
Activity: 1666
Merit: 1196
STOP SNITCHIN'
|
|
August 23, 2019, 10:20:42 PM |
|
To log in, LBC allows you to use your email address (which is private) or your username (which is publicly listed on feedback pages) In 2019? I'm amazed. Most sites switched to email logins years ago because this is such an easy avenue to brute force weakly secured accounts. LBC even helpfully shows your 2FA recovery code when you're logged in, which means their web server has read access to that secret.
Yikes. I was already paranoid about my TOTP shared secret being stored on exchange databases as it is. Localbitcoins seems to take the cake for terrible security practices. |
|
|
|
almightyruler (OP)
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
August 23, 2019, 10:30:52 PM
Last edit: August 23, 2019, 10:52:37 PM by almightyruler Merited by malevolent (1) |
|
I haven't logged in in a while, but can your really see the 2FA key when logged in? That doesn't sound like a good security practice.
 The text seems to be saying that it will only be displayed for 24 hours after 2FA is enabled. Still risky, since anyone who can access your computer when logged in (including remotely capturing your screen when you load the 2FA page) will be able to capture and replicate your secret. [Edited to add] I can see a clear problem here: to disable 2FA, you need to provide signed proof you possess a secret, but that secret is shown right there on the same screen. Anyone with access to your computer within the first 24 hours after 2FA is added could quietly disable it, and without needing to know your password. With every other 2FA I've had to reset today (new phone), the recovery key is only shown at the first or second step. Some sites made me re-enter the recovery key to confirm I had it saved. LBC is the only one out of several exchanges I've loaded today that shows the recovery key after 2FA is enabled. |
|
|
|
|
TryNinja
Legendary
Offline
Activity: 2870
Merit: 7117
Crypto Swap Exchange
|
|
August 23, 2019, 11:06:43 PM
Last edit: August 23, 2019, 11:37:50 PM by TryNinja |
|
The text seems to be saying that it will only be displayed for 24 hours after 2FA is enabled. Still risky, since anyone who can access your computer when logged in (including remotely capturing your screen when you load the 2FA page) will be able to capture and replicate your secret.
[Edited to add] I can see a clear problem here: to disable 2FA, you need to provide signed proof you possess a secret, but that secret is shown right there on the same screen.
With every other 2FA I've had to reset today (new phone), the recovery key is only shown at the first or second step. Some sites made me re-enter the recovery key to confirm I had it saved. LBC is the only one out of several exchanges I've loaded today that shows the recovery key after 2FA is enabled.
Not that I agree with the way the show this, but wouldn't this be the same if it was just a QR code with the 2FA secret code? How would you be able to activate it in your phone without actually seeing it in the screen? And most services will only require the 2FA code to disable it, something you can also get just from the secret code/QR. And a malware/anyone with access to your screen would be able to see it/screenshot it/scan it/etc... Anyone with access to your computer within the first 24 hours after 2FA is added could quietly disable it, and without needing to know your password. Anyone with access to your ACCOUNT. And if they have this, your code is probably compromised anyway. |
|
|
|
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1721
|
|
August 23, 2019, 11:36:26 PM |
|
Not that I agree with the way the show this, but wouldn't this be the same if it was just a QR code with the 2FA secret code? How would you be able to activate it in your phone without actually seeing it in the screen? And most services will only require the 2FA code to disable it, something you can also get just from the secret code/QR. And a malware/anyone with access to your screen would be able to see it/screenshot it/scan it/etc... Anyone with access to your computer within the first 24 hours after 2FA is added could quietly disable it, and without needing to know your password. Anyone with access to your ACCOUNT. And if they have this, your code is probably compromised anyway. They shouldn't be showing the code after 2FA has already been enabled. It's being displayed for an unnecessary 24 hours and a lot can happen within that time frame, and they're making it slightly and needlessly easier for bad hombres to hijack accounts. |
Signature space available for rent.
|
|
|
almightyruler (OP)
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
August 23, 2019, 11:37:18 PM |
|
[Edited to add] I can see a clear problem here: to disable 2FA, you need to provide signed proof you possess a secret, but that secret is shown right there on the same screen.
With every other 2FA I've had to reset today (new phone), the recovery key is only shown at the first or second step. Some sites made me re-enter the recovery key to confirm I had it saved. LBC is the only one out of several exchanges I've loaded today that shows the recovery key after 2FA is enabled.
Not that I agree with the way the show this, but wouldn't this be the same if it was just a QR code with the 2FA secret code? How would you be able to activate it in your phone without actually seeing it in the screen? And most services will only require the 2FA code to disable it, something you can also get just from the secret code/QR. And a malware/anyone with access to your screen would be able to see it/screenshot it/scan it/etc... Anyone with access to your computer within the first 24 hours after 2FA is added could quietly disable it, and without needing to know your password. Anyone with access to your ACCOUNT. And if they have this, your code is probably compromised anyway. Yeah, I agree that if your machine is compromised - screen and key logging etc - then it doesn't matter if that secret only shows up for 2 seconds. You're done for, anyway. But displaying the recovery key on the very same screen that allows you to disable 2FA is just plain dumb, since it means anyone with physical access can disable 2FA, without knowing your login details. To me there seems to be something very wrong with this scenario: "In order to reduce security on your account, you will need to prove you have the secret." "By the way, the secret is XYZ." Once you've proven your device has accepted the key (by inputting the 6 digit signature) there should be no need to show the recovery key again. |
|
|
|
|
TryNinja
Legendary
Offline
Activity: 2870
Merit: 7117
Crypto Swap Exchange
|
|
August 23, 2019, 11:41:07 PM |
|
They shouldn't be showing the code after 2FA has already been enabled. It's being displayed for an unnecessary 24 hours and a lot can happen within that time frame, and they're making it slightly and needlessly easier for bad hombres to hijack accounts.
"In order to reduce security on your account, you will need to prove you have the secret."
"By the way, the secret is XYZ."
I see. I thought you needed to input the 2FA generated code before seeing the secret code again (for cases where you didn't save it and used an app that doesn't let you export them, like Google Authenticator). In this case, I agree it is a pretty dumb idea, even if only for 24 hours. |
|
|
|
almightyruler (OP)
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
August 23, 2019, 11:52:49 PM |
|
I see. I thought you needed to input the 2FA generated code before seeing the secret code again (for cases where you didn't save it and used an app that doesn't let you export them, like Google Authenticator).
Nope, if you're logged in, all you need to do is load the 2FA management URL, and the secret is presented to you without any challenge whatsoever. I've just grabbed my phone to confirm that the value shown on the screen is all you need to enter into Google Authenticator in order to clone 2FA. I now have two different "accounts" on Google Auth (one QR at setup, one entered text from 2FA management URL) showing the exact same 6 digit signature. |
|
|
|
|
TryNinja
Legendary
Offline
Activity: 2870
Merit: 7117
Crypto Swap Exchange
|
|
August 23, 2019, 11:59:58 PM |
|
Nope, if you're logged in, all you need to do is load the 2FA management URL, and the secret is presented to you without any challenge whatsoever.
I've just grabbed my phone to confirm that the value shown on the screen is all you need to enter into Google Authenticator in order to clone 2FA. I now have two different "accounts" on Google Auth (one QR at setup, one entered text from 2FA management URL) showing the exact same 6 digit signature.
Maybe we should suggest them to change this? https://localbitcoins.com/support/request/#other |
|
|
|
|
Findingnemo
|
|
August 24, 2019, 05:12:54 AM |
|
Anyone else seeing this sort of activity in their LBC account?
Yes I do faced the same issue few days back and immediately contacted lbc support then this is what I got from them as response. Hi xxxxx,
Thank you for contacting us.
The login Guard triggers whenever a login attempt is done from an unauthorized browser ( a browser that has not been used to log into the account before ).
When the login guard triggers, it sends an email with the verification link, this link should be opened in that same unauthorized browser in order to verify it.
If you receive the Login Guard and you have not made any attempt to access your account from a new browser, that means that someone has managed to figure out your password and trying to access your account from a different browser.
To address this issue, do not open the link in the email sent to you, instead, you need to:
1. Log into your account normally from an authorized browser.
2. Check your Login history to make sure that someone has tried to access your account from the following link. https://localbitcoins.com/accounts/profile-edit/personal-data/ (you can see the IP address for each login attempt, if you notice a different IP address used only once or twice, thats the login attempt).
3. Go to your account setting and update your password from the following link: https://localbitcoins.com/password_change/
Once you update your password, your account will be safe again, You can learn more about some good security practices from our security guide https://localbitcoins.com/guides/security
Let us know if you have any further questions.
---
Best regards,
LocalBitcoins
In response to:
I am getting these kind of failed login attempt warning in the recent days,so I am afraid of the account security now.
Can I get the failed login ip details to know where my account tried to login? And I did changed my password after that I never got the failed attempt of lofin so act fast before happening something and also 2FA saved my funds which I am enabled it for very long time. |
| | .
.Duelbits. | │ | ..........UNLEASH..........
THE ULTIMATE
GAMING EXPERIENCE | │ | DUELBITS
FANTASY
SPORTS | ████▄▄▄█████▄▄▄
░▄████████████████▄
▐██████████████████▄
████████████████████
████████████████████▌
█████████████████████
████████████████▀▀▀
███████████████▌
███████████████▌
████████████████
████████████████
████████████████
████▀▀███████▀▀ | .
▬▬
VS
▬▬ | ████▄▄▄█████▄▄▄
░▄████████████████▄
▐██████████████████▄
████████████████████
████████████████████▌
█████████████████████
███████████████████
███████████████▌
███████████████▌
████████████████
████████████████
████████████████
████▀▀███████▀▀ | /// PLAY FOR FREE ///
WIN FOR REAL | │ | ..PLAY NOW.. | |
View ArchiveReport to moderator |
|
|
almightyruler (OP)
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
August 24, 2019, 02:27:26 PM |
|
"When the login guard triggers, it sends an email with the verification link"
I checked back over my emails, and I have received no warnings about failed logins or new devices. I only found out about them today; when I logged in the site warned me that there had been 12 failed login attempts.
|
|
|
|
|
buwaytress
Legendary
Offline
Activity: 2842
Merit: 3536
Join the world-leading crypto sportsbook NOW!
|
|
August 24, 2019, 06:50:39 PM |
|
Strange, because I've also got an account over +20BTC, and an email which is public to those on LBC (on my trades listed actually), and never got probed like that. Are you using your account anywhere else? Because if you are, you should start checking out all of those accounts and see if any are compromised. I'm guessing your email was bought, with a suggested password, and it could have worked somewhere, so the guy is now trying to see if it works elsewhere.
Happens every couple of weeks with another email of mine but on FB. I used a random name I thought was nonsense, only to find out a few years ago it means something very common in another language (so all the login attempts come from that country!).
|
|
|
|
|
Findingnemo
|
|
August 25, 2019, 05:12:56 AM |
|
"When the login guard triggers, it sends an email with the verification link"
I checked back over my emails, and I have received no warnings about failed logins or new devices. I only found out about them today; when I logged in the site warned me that there had been 12 failed login attempts.
Login guard triggers only after the correct login credentials were entered,in case if you have 2FA the login guard work after the successful entrance of 2FA code so I believe even if the hacker got your password still needs 2fa codes to enter that is why you didn't got any warning link. But since I changed the password I never get the failed login which means someone hacked the password database of lbc ? |
| | .
.Duelbits. | │ | ..........UNLEASH..........
THE ULTIMATE
GAMING EXPERIENCE | │ | DUELBITS
FANTASY
SPORTS | ████▄▄▄█████▄▄▄
░▄████████████████▄
▐██████████████████▄
████████████████████
████████████████████▌
█████████████████████
████████████████▀▀▀
███████████████▌
███████████████▌
████████████████
████████████████
████████████████
████▀▀███████▀▀ | .
▬▬
VS
▬▬ | ████▄▄▄█████▄▄▄
░▄████████████████▄
▐██████████████████▄
████████████████████
████████████████████▌
█████████████████████
███████████████████
███████████████▌
███████████████▌
████████████████
████████████████
████████████████
████▀▀███████▀▀ | /// PLAY FOR FREE ///
WIN FOR REAL | │ | ..PLAY NOW.. | |
View ArchiveReport to moderator |
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2912
Merit: 2347
|
|
August 27, 2019, 02:53:35 AM |
|
It's Failed login attempt, so do not worry much about it.
Anyone can use your username and try to login with random password or even if they know the password (worse case)but your 2fa is not known to them then they can not login to your account but for that attempt it will keep a log which you are seeing in this case.
You will be worried if you see any successful login attempt.
I think this the OP likely had an account with the same email address on another bitcoin exchange or service that has its database hacked/leaked. I think someone is trying permutations of the OP's hacked password on another site. The OP should make sure his password is entirely unique, and not a permutation of his password elsewhere. |
|
|
|
|
almightyruler (OP)
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
August 27, 2019, 03:26:51 AM |
|
I think this the OP likely had an account with the same email address on another bitcoin exchange or service that has its database hacked/leaked. I think someone is trying permutations of the OP's hacked password on another site.
The OP should make sure his password is entirely unique, and not a permutation of his password elsewhere.
I use unique passwords and unique email addresses for each different site. If it wasn't for LBC allowing login via username (which shows publicly on the feedback page), my account wouldn't be probed at all. |
|
|
|
|
|
