Bitcoin Forum
December 03, 2016, 02:39:25 AM *
Author Topic: Newbie Experience with MtGox  (Read 2962 times)
msin
December 16, 2011, 04:53:10 PM
 #21

Yep, I agree with you, I have learned my lesson and will definitely use a Yubikey.  I will not use MtGox as they have many security flaws in their system.  I've never had my bank accounts, equity accounts, or even email accounts hacked, because of basic security precautions taken by those companies.  Would be really easy for MtGox to avoid issues like this with a simple email confirmation.

AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication).

I would agree that there are simple things MtGox could do to improve security - for example, like requiring a 2nd password for withdrawal above a limit, or making withdrawals wait a little while to give you time to blow the whistle, or requiring a PGP signature to withdraw.  On the other hand, if you have a compromised machine, or a compromised e-mail account, none of this will be much help.

They should go the route of a pin requirement for any actions.  The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever.  That's what really screwed me over, I was unable to put a stop to any actions.
casascius
Mike Caldwell
December 16, 2011, 05:06:25 PM
 #22

They should go the route of a pin requirement for any actions.  The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever.  That's what really screwed me over, I was unable to put a stop to any actions.

Even if account e-mail required confirmation, withdrawal does not.  Withdrawals are instant.  By the time you received the confirmation e-mail, it's already too late.

If withdrawal requires a PIN, and you have a keylogger, the attacker would also have your PIN.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
phelix
December 16, 2011, 07:04:02 PM
 #23

They should go the route of a pin requirement for any actions.  The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever.  That's what really screwed me over, I was unable to put a stop to any actions.

confirmed - that really seems like an invitation to be goxxed. why the heck would they do that?

also I would like to see an option for an email confirmation for all withdrawals







blockchained.com ■ bitcointalk top posts
mcorlett
December 16, 2011, 07:43:55 PM
 #24

They should go the route of a pin requirement for any actions.  The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever.  That's what really screwed me over, I was unable to put a stop to any actions.

confirmed - that really seems like an invitation to be goxxed. why the heck would they do that?

also I would like to see an option for an email confirmation for all withdrawals
How about disabling withdrawals for new IP addresses until confirmed by email?
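
The controls proposed across this thread (approval of an email change from the current address, a hold on withdrawals after such a change or from an unrecognised IP address, and a second factor above a limit) can be combined into one withdrawal gate. This is an added example, not MtGox's code and not something posted in the thread; the `Account` record, the function names, the 48-hour hold and the 10 BTC limit are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

HOLD_AFTER_EMAIL_CHANGE = 48 * 3600  # assumed cool-down in seconds
SECOND_FACTOR_LIMIT = 10.0           # assumed threshold in BTC


@dataclass
class Account:  # hypothetical account record
    email: str
    known_ips: set = field(default_factory=set)
    pending_email: Optional[str] = None
    email_changed_at: Optional[float] = None


def request_email_change(acct, new_email):
    """Stage the change and return the address that must approve it.

    The approval link goes to the CURRENT address, so the owner hears
    about the change before it takes effect.
    """
    acct.pending_email = new_email
    return acct.email


def confirm_email_change(acct, now):
    """Apply a staged change after the current address approved it."""
    if acct.pending_email is None:
        raise ValueError("no email change is pending")
    acct.email, acct.pending_email = acct.pending_email, None
    acct.email_changed_at = now


def check_withdrawal(acct, amount, ip, now, second_factor_ok=False):
    """Return ('allow' | 'hold', reasons) for a withdrawal request."""
    reasons = []
    if acct.pending_email is not None:
        reasons.append("email change awaiting confirmation")
    changed = acct.email_changed_at
    if changed is not None and now - changed < HOLD_AFTER_EMAIL_CHANGE:
        reasons.append("email changed recently")
    if ip not in acct.known_ips:
        reasons.append("new IP address, confirm by email first")
    # A typed PIN can be keylogged; second_factor_ok should come from a
    # one-time code (e.g. a Yubikey OTP) that cannot be replayed.
    if amount > SECOND_FACTOR_LIMIT and not second_factor_ok:
        reasons.append("second factor required above limit")
    return ("hold" if reasons else "allow"), reasons
```

A held withdrawal is queued rather than rejected, which gives the account owner the window to object that instant withdrawals remove.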

interlagos
December 16, 2011, 08:26:48 PM
 #25

Msin, what email service did you use?

If email companies have access to so many details about your account then they can actually request password change first, then get into your account, do whatever they want, and then delete certain incoming emails to make it look like it was an attacker.

We need to start thinking about decentralized email service!
nmat
December 16, 2011, 08:38:17 PM
 #26

AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication).

Both TradeHill and CampBX have free 2 factor authentication with an SMS/phone call to your cellphone.
casascius
Mike Caldwell
December 16, 2011, 09:27:34 PM
 #27

AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication).

Both TradeHill and CampBX have free 2 factor authentication with an SMS/phone call to your cellphone.

That's excellent... sort of like how Chase and PayPal have the same thing.
onelineproof
December 16, 2011, 09:43:57 PM
 #28

@msin

Did you have browser windows/tabs from other websites open at the same time as when you were logged in to Mt Gox?

I always make sure to open Mt Gox in a new Incognito Chromium Window, which basically creates an independent and private browsing session that I use just for Mt Gox. Otherwise, I think you can have an attack from a rogue website looking for things like a Mt Gox cookie for your current session.

Pirate Linux developer: https://piratelinux.org
Cwallet developer: https://github.com/piratelinux/cwallet
Donate: 1proofgtqF9JJ26ZCYatkvWfpJE8bDYxa
msin
December 17, 2011, 11:11:45 PM
 #29

Msin, what email service did you use?

If email companies have access to so many details about your account then they can actually request password change first, then get into your account, do whatever they want, and then delete certain incoming emails to make it look like it was an attacker.

We need to start thinking about decentralized email service!

I use Gmail, but it has nothing to do with my email, it's my MtGox account that was hacked.  Still nothing from MtGox, they refuse to respond to me.
msin
December 17, 2011, 11:12:56 PM
 #30

Did you click a link in an "Mt Gox" email? Or basically, were you phished?
They have been warning about phishing emails for months.

Nope, I wasn't phished, that's what's so frustrating, my account was just hacked and MtGox didn't do anything to stop it.
msin
December 17, 2011, 11:15:11 PM
 #31

They should go the route of a pin requirement for any actions.  The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever.  That's what really screwed me over, I was unable to put a stop to any actions.

confirmed - that really seems like an invitation to be goxxed. why the heck would they do that?

also I would like to see an option for an email confirmation for all withdrawals



Couldn't agree more, my email was allowed to be changed once the hacker was in my account, then they could do whatever they wanted.  So lame.
msin
December 17, 2011, 11:16:02 PM
 #32

AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication).

Both TradeHill and CampBX have free 2 factor authentication with an SMS/phone call to your cellphone.

Thanks, I'll probably be using TradeHill from now on. 
msin
December 17, 2011, 11:17:03 PM
 #33

@msin

Did you have browser windows/tabs from other websites open at the same time as when you were logged in to Mt Gox?

I always make sure to open Mt Gox in a new Incognito Chromium Window, which basically creates an independent and private browsing session that I use just for Mt Gox. Otherwise, I think you can have an attack from a rogue website looking for things like a Mt Gox cookie for your current session.

You know, I really don't remember, I could have had additional windows open.  I'll definitely keep that in mind.
msin
December 17, 2011, 11:24:00 PM
 #34

I think the overall point I'm trying to make is that BTC will never be mainstream if the #1 exchange has so many security holes, and money just disappears.  Plus, the customer service at MTGox is complete shit.
nmat
December 18, 2011, 12:48:51 AM
 #35

I think the overall point I'm trying to make is that BTC will never be mainstream if the #1 exchange has so many security holes, and money just disappears.  Plus, the customer service at MTGox is complete shit.

The #1 exchange is chosen by people. If you are looking into alternatives I recommend CampBX for US users. They have excellent support.

Personally I never had any problem with MtGox, but I don't use it for the same reasons I wouldn't mine at Deepbit: they have a huge market share.
PatrickHarnett
December 18, 2011, 08:39:24 AM
 #36

Just doing some hunting - is there a "terms of use" for Gox?  I couldn't see it.  Pretty crummy for the so called #1 exchange.
cbeast
December 18, 2011, 09:37:18 AM
 #37

Just doing some hunting - is there a "terms of use" for Gox?  I couldn't see it.  Pretty crummy for the so called #1 exchange.
If it's based in Japan, then what good would legalese do for you? Use at your own risk until something better comes along. There's lots of ideas floating around, but mtgox is here and now.

I think this is a photo from 2006 of the CEO and trainees (looks like spring break) when Mutum Sigillum (the USA counterpart where your money actually goes) started:
MUTUM SIGILLUM LLC — 2915 OGLETOWN ROAD, # 1085 — NEWARK, DE 19713 — U.S.A.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
PatrickHarnett
December 19, 2011, 01:39:41 AM
 #38

Just doing some hunting - is there a "terms of use" for Gox?  I couldn't see it.  Pretty crummy for the so called #1 exchange.
If it's based in Japan, then what good would legalese do for you? Use at your own risk until something better comes along. There's lots of ideas floating around, but mtgox is here and now.

Legalese would be fine, even if in Japanese.  I will not be back there until the end of March, but that doesn't matter.  I know where they are located.