casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
December 09, 2011, 07:28:52 PM |
|
I would agree that a Yukibey isn't necessary. It would have protected me in this case, but just not doing stupid things like sharing passwords across accounts would have helped. I don't do a lot of withdrawals, so using the Yubikey wouldn't be that much of an issue. I'll probably pick one up. $18 for a Yubikey could have saved me $700 of losses.
Hope the guy who did this encounters some nasty bad karma
I don't do a lot of withdrawals either - the whole point of the Yubikey is to make sure that no one can withdraw without it, regardless of the frequency. Its usefulness is unrelated to how often you would use it. I believe a Yubikey is necessary for me, as you never know when your machine has been compromised, it's probably not going to warn you, and the only way you'll know is when your funds disappear. You don't even know that that's not what happened to you just now - you may assume that it was a pool operator, but there is no way you can know that for sure. To me, saying a Yubikey isn't necessary would be like saying airbags aren't necessary, just wear your seatbelt, or that fire insurance isn't necessary, just never light fires. It's a secondary protection with a meaningful benefit that hopefully you'll never need. I agree it's not necessary if you don't mind losing what's in your account one day (esp. if you don't really have more than a few BTC), but if it's an amount you care about, and especially if you think you'll be using bitcoins for a long time... it should be a no brainer. Ordering a Yubikey will not lock your account until you receive it and use it for the first time. It comes already active and ready to use, there are no drivers, fully compatible with PC/Mac/Linux, computer thinks it is just a plain keyboard. You just hit Enter at the MtGox Yubikey screen to bypass it if you haven't yet received it, and you stick it in your USB port and press a button and it types a one-time password. Really simple. And also a neat little gadget to carry around if you like to talk to people about Bitcoins.
|
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
|
|
|
nmat
|
|
December 09, 2011, 07:30:59 PM |
|
Mt. Gox really should have some form of two factor authentication beyond the yubikey.
A simple email confirmation would be great.
|
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1512
Merit: 1049
Death to enemies!
|
|
December 09, 2011, 07:32:43 PM |
|
Yubikey will guard against primitive to moderate forms of your computer compromise. Advanced forms of malware can change the send to address in the last moment or on-the-fly to hacker's address and the coins will be stolen. Such things exist for wire transfers already.
Yubikey will be next to useless if Mt Gox site is hacked again and all coins in mt gox possession is withdrawn to hacker's address.
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1512
Merit: 1049
Death to enemies!
|
|
December 09, 2011, 07:34:21 PM |
|
Mt. Gox really should have some form of two factor authentication beyond the yubikey.
A simple email confirmation would be great. When I get possession over someone- the e-mail is 1st on my priority list. And most compromises and password resets start from compromised e-mail account. You might guess how useful and secure the e-mail confirmation might be.
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
December 09, 2011, 07:37:49 PM |
|
Yubikey will guard against primitive to moderate forms of your computer compromise. Advanced forms of malware can change the send to address in the last moment or on-the-fly to hacker's address and the coins will be stolen. Such things exist for wire transfers already.
Yubikey will be next to useless if Mt Gox site is hacked again and all coins in mt gox possession is withdrawn to hacker's address.
Same way that door locks protect against amateur thieves and burglars, are worthless against professional expert lockpickers. But practically speaking, there are far more amateurs busy trying to steal your stuff than professionals. And professionals are usually smart enough to get real jobs and are often busy being productive, they aren't as pressed to steal from you to survive. You wouldn't ever leave your house unlocked to every teenager in the neighborhood just because "it's not going to stop a determined professional lockpicker, so why bother locking it"?
|
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
|
|
|
nmat
|
|
December 09, 2011, 07:38:19 PM |
|
When I get possession over someone- the e-mail is 1st on my priority list. And most compromises and password resets start from compromised e-mail account. You might guess how useful and secure the e-mail confirmation might be. Of course. It's far from being the best option, but in some cases it can help. Besides, it's free and does not have shipping costs
|
|
|
|
Andrew Bitcoiner
|
|
December 09, 2011, 07:52:55 PM |
|
Keep in mind a yubikey helps with the more likely case of someone hacking into your account, it does not help if MtGox itself gets helped.
|
|
|
|
amazingrando (OP)
|
|
December 09, 2011, 08:22:17 PM |
|
After going through all of my accounts, it appears that my accounts on the following sites were compromised: - Mt. Gox
- Slush
- Ozcoin
- Mt. Red
- Bitclockers
- Deepbit
- Bitcoins.lc
If a pool was the source of leaked password, then I would expect it to be from one of the above. I would recommend checking your accounts and changing passwords for any of these pools.
|
Bitbond - 105% PPS mining bond - mining payouts without buying hardware
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1512
Merit: 1049
Death to enemies!
|
|
December 09, 2011, 10:01:57 PM |
|
Same way that door locks protect against amateur thieves and burglars, are worthless against professional expert lockpickers. I use locks on my house only as tamper-evident devices. They might delay teenagers, but for professional thieves and other adversaries, there is booby traps in my house. If they become tamper-evident, the evidence will be the tamperer blown all over the walls. Illegal, but effective as hell. The Yubikey will not make you less safer, that's the probably more important. If there is no additional closed-source software with it (as far as I know they are recognized as standard HID keyboard). It's far from being the best option, but in some cases it can help It's hard for me to imagine how I can get acess to your mt gox password, and not your e-mail password with your naked girfriend in it. The worst effect that ineffective security measures gives to you are the false sense of security.
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
the joint
Legendary
Offline
Activity: 1834
Merit: 1020
|
|
December 09, 2011, 11:15:51 PM |
|
Here is something that I find people have a problem with: They go through all the trouble of coming up with super-secure passwords for their pools, exchanges, wallets, etc. But, what they forgot is that their email password is extremely shitty.
|
|
|
|
robocop
|
|
December 10, 2011, 04:00:09 PM |
|
One simple (maybe dummy) question. Why you can change wallet-address and password so easy in mtGox?
Is it not secured with a email-confirmation?
|
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1512
Merit: 1049
Death to enemies!
|
|
December 10, 2011, 04:03:45 PM |
|
One simple (maybe dummy) question. Why you can change wallet-address and password so easy in mtGox?
Is it not secured with a email-confirmation?
If I have Your mtGox password, it's almost certain that I have owned your e-mail account also. This security measure gives more hassle and very little security.
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
msin
Legendary
Offline
Activity: 1470
Merit: 1004
|
|
December 17, 2011, 11:58:13 PM |
|
A few hours ago, someone was able to get into my Mt. Gox account, change the password and change the wallet address. I have not be able to log in yet, but I assume that the a**hole that accessed my account took out my 225 btc that was in there.
Stupidly I also used the same password for a few of my pool accounts, which the hacker has since hijacked.
Has anyone else had a problem today?
Even if you haven't, be sure you're using a strong password and not using the same password among sites.
\ Hey friend, exact same thing happened to me! I lost about 270 BTC. Account email and password were changed. MtGox has done nothing about it, closed my support ticket with no resolution. I was not victim of phishing, this was a straight up hack. Probably more to come, I would recommend that people get out of MtGox asap.
|
|
|
|
amazingrando (OP)
|
|
December 19, 2011, 01:35:59 AM |
|
Hey friend, exact same thing happened to me! I lost about 270 BTC. Account email and password were changed. MtGox has done nothing about it, closed my support ticket with no resolution. I was not victim of phishing, this was a straight up hack. Probably more to come, I would recommend that people get out of MtGox asap.
That really sucks man. It's a lot of money lost. Just like you, Mt.Gox did nothing when I opened a ticket. I've gone back to TradeHill. Mt. Gox seems to be such a huge target and they don't seem to take security that seriously. It's probably better for the community if we use other exchanges more heavily. We don't need a monopoly in trading. Particularly one that is lax in security. That could threaten the stability of bitcoin.
|
Bitbond - 105% PPS mining bond - mining payouts without buying hardware
|
|
|
Mt.Gox Support
VIP
Sr. Member
Offline
Activity: 308
Merit: 250
|
|
December 19, 2011, 03:07:37 AM |
|
A few hours ago, someone was able to get into my Mt. Gox account, change the password and change the wallet address. I have not be able to log in yet, but I assume that the a**hole that accessed my account took out my 225 btc that was in there.
Stupidly I also used the same password for a few of my pool accounts, which the hacker has since hijacked.
Has anyone else had a problem today?
Even if you haven't, be sure you're using a strong password and not using the same password among sites.
\ Hey friend, exact same thing happened to me! I lost about 270 BTC. Account email and password were changed. MtGox has done nothing about it, closed my support ticket with no resolution. I was not victim of phishing, this was a straight up hack. Probably more to come, I would recommend that people get out of MtGox asap. Hi MSIN We are sincerely very sorry to hear that you have been a victim of this kind of fraudulent activity. From the information we have it looks as though your private data was stolen and used to gain access to your account to change your password. You can contact us for more info. Despite your belief, Mt.Gox has not been hacked in any way and trading on Mt.Gox is still safe/secure. The way in which your account was taken over proves this point (again, you can contact us for more details). That all being said, regrettably, it is to late for us to do anything with respect to recovering your funds. Besides general security tips (strong passwords, not clicking links in emails, not opening unfamiliar attachments) to try and avoid this from happening again, our only suggestion is to buy a Yubikey. If you are not familiar a Yubikey operates as a 2-factor, one time password and thus, will make your account impervious to these types of attacks as the attacker would require both your password and the physical key to gain entry. Us asking you to buy a Yubikey may seem like salt in the wound after you've been victimized like this, however it is our sincere suggestion that you get one if you continue on as our customer or even if you decide to join a different exchange. We also hope that this experience will not turn you away from using bitcoin in the future.
|
|
|
|
msin
Legendary
Offline
Activity: 1470
Merit: 1004
|
|
December 19, 2011, 04:21:01 PM |
|
A few hours ago, someone was able to get into my Mt. Gox account, change the password and change the wallet address. I have not be able to log in yet, but I assume that the a**hole that accessed my account took out my 225 btc that was in there.
Stupidly I also used the same password for a few of my pool accounts, which the hacker has since hijacked.
Has anyone else had a problem today?
Even if you haven't, be sure you're using a strong password and not using the same password among sites.
\ Hey friend, exact same thing happened to me! I lost about 270 BTC. Account email and password were changed. MtGox has done nothing about it, closed my support ticket with no resolution. I was not victim of phishing, this was a straight up hack. Probably more to come, I would recommend that people get out of MtGox asap. Hi MSIN We are sincerely very sorry to hear that you have been a victim of this kind of fraudulent activity. From the information we have it looks as though your private data was stolen and used to gain access to your account to change your password. You can contact us for more info. Despite your belief, Mt.Gox has not been hacked in any way and trading on Mt.Gox is still safe/secure. The way in which your account was taken over proves this point (again, you can contact us for more details). That all being said, regrettably, it is to late for us to do anything with respect to recovering your funds. Besides general security tips (strong passwords, not clicking links in emails, not opening unfamiliar attachments) to try and avoid this from happening again, our only suggestion is to buy a Yubikey. If you are not familiar a Yubikey operates as a 2-factor, one time password and thus, will make your account impervious to these types of attacks as the attacker would require both your password and the physical key to gain entry. Us asking you to buy a Yubikey may seem like salt in the wound after you've been victimized like this, however it is our sincere suggestion that you get one if you continue on as our customer or even if you decide to join a different exchange. We also hope that this experience will not turn you away from using bitcoin in the future. You are wrong, my password was not compromised. Anyway, if you have proof that someone gained access to my account, then why didn't you stop it, especially when the IP address was from the Ukraine? You will never become mainstream if users are required to use Yubikey and it's just a matter of time before another hack.
|
|
|
|
Anonymous
Guest
|
|
December 21, 2011, 06:57:30 AM |
|
amazingrando my friend! I am so sorry to hear that!
The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.
Either way those are far more likely to be true than MTGox being hacked.
I thought the same thing. The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox. Accessing my pool accounts came afterward. That was probably done intentionally to keep from raising red flags. Had you noticed suspicious activity or discovered your pool account hacked I'm sure (I hope) you would have changed passwords on any related websites. I'm very sorry that happened. You really should get a YubiKey. And never use the same password twice. Last pass is free. -> https://lastpass.com/That is what I use. I even pay for the premium service, not because I have too, but because I support them, because they make my life so much easier.
|
|
|
|
BinaryMage
|
|
December 21, 2011, 07:07:06 AM |
|
You are wrong, my password was not compromised. Anyway, if you have proof that someone gained access to my account, then why didn't you stop it, especially when the IP address was from the Ukraine? You will never become mainstream if users are required to use Yubikey and it's just a matter of time before another hack.
They have no idea where you live, and plenty of MtGox users use proxies and/or Tor, which makes the IP address essentially useless information. Speaking as someone who had their account hacked, I suggest you reconsider your statement that your password was not compromised. I thought that too, but it turned out I had unknowingly fallen for a phishing scam. Your password being compromised is a lot more likely than MtGox being hacked. If they were hacked, as they were in July, both we and they would know.
|
|
|
|
shakaru
Sr. Member
Offline
Activity: 406
Merit: 250
QUIFAS EXCHANGE
|
|
December 25, 2011, 08:08:54 PM |
|
This is why I just say stay away from MtGox. Your bitcoins are safer in a dogs house as atleast the dog would bark when soemthing dosent look right.
amazingrando I am sorry to hear about your loss. It seems that we all lose soemthing in Bitcoin at some point. I would advise from my own research and experiance that you only use an exchange to move btc to other currencies and not hold your coins there. Seeing how you already started that, then good for you. Also I would suggest using tradehill. MtGox has never hit the promised withdraw or transfer times on more than twice, and when I do have problems with TradeHill, they are only quick glitches and the staff is more than helpful.
|
|
|
|
amazingrando (OP)
|
|
December 26, 2011, 06:41:34 PM |
|
This is why I just say stay away from MtGox. Your bitcoins are safer in a dogs house as atleast the dog would bark when soemthing dosent look right.
amazingrando I am sorry to hear about your loss. It seems that we all lose soemthing in Bitcoin at some point. I would advise from my own research and experiance that you only use an exchange to move btc to other currencies and not hold your coins there. Seeing how you already started that, then good for you. Also I would suggest using tradehill. MtGox has never hit the promised withdraw or transfer times on more than twice, and when I do have problems with TradeHill, they are only quick glitches and the staff is more than helpful.
Thanks for the advice Shakaru. TradeHill has been quite good for me. The only reason I've been using Mt.Gox is that Dwolla works better for me than Paxum. But, maybe that's a small price to pay for a better exchange.
|
Bitbond - 105% PPS mining bond - mining payouts without buying hardware
|
|
|
|