msin (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
December 15, 2011, 08:50:47 PM
I'd like to share my recent experience with MtGox. I deposited about $1k to mess around with. I purchased 45 bitcoins with no problem. Then two days ago, I get an email stating that there's been a withdrawal from my account and that if I didn't authorize it, I should reply immediately. I replied immediately telling them to freeze my account. Then I tried to log in to MtGox, couldn't, and my IP was blocked. Furthermore, I tried password recovery but that was also blocked. Turns out someone hijacked my account, changed the email and password, cashed all my money for bitcoins and withdrew everything, about 300 bitcoins. I can't believe you can change the email and password of an account without confirmation from the original email. Anyway, my support ticket is closed and my account is empty. Thanks MtGox.
grahamgreene
Newbie
Offline
Activity: 25
Merit: 0
December 15, 2011, 09:15:40 PM
That's really unfortunate, sorry for your troubles. You should try not to keep so many BTC in the same place though, unless you're immediately going to execute a trade. A bit late for that, I know, but don't let this one bad experience turn you off BTC completely. Keep an encrypted wallet file on a USB key, or encrypted with something like Kleopatra, and never keep all your BTC in the same wallet. Hope you can get some sort of resolution with Mt. Gox though.
msin (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
December 15, 2011, 10:09:46 PM
Yes, thank you for the advice. It wasn't that I had so many bitcoins, I actually had none, it was that I had about $1k in cash, ready to buy up bitcoins. The hijacker bought up the bitcoins with my cash and then withdrew. I was just shocked that there were no safety precautions with MtGox, no fail safe, no way to stop the transaction. Ultimately I was locked out of my account and the hijacker was free to do whatever they want. There should be a Freeze account option with MtGox.
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
December 15, 2011, 11:09:02 PM Last edit: December 16, 2011, 12:23:04 AM by Stephen Gornick
> I was just shocked that there were no safety precautions with MtGox, no fail safe, no way to stop the transaction.

Sorry to hear of your financial loss. MtGox has a ticket-based support system. Have you opened a ticket? http://support.mtgox.com

Withdrawals are limited based on the exchange's default AML-related limits. It used to be a fairly low BTC level, like 100 BTC per day. I don't know what the threshold is nowadays.

The exchange does encourage the use of Yubikey:
- https://yubikey.mtgox.com/

> The Yubikey is a device allowing secure identification with a "One Time Password". It is recognized as a USB keyboard by your computer, and touching it with your finger causes it to input a 44 character long password which is unique and is only valid for a few seconds. Each time you use it a new password is generated, protecting your account even if someone has access to your computer.
> A Yubikey will allow you to log in to your Mt.Gox account securely via two-factor authentication (you will still need to log in with your username and password first), adding an extra layer of security to your Mt.Gox account.
> Please note that Yubikeys ordered from Mt.Gox can only be used with Mt.Gox.
> In the event that your Yubikey is lost, you will only be able to order a new one if you can prove you are the account holder.
SistaS0uljah
Newbie
Offline
Activity: 43
Merit: 0
December 16, 2011, 12:11:22 AM
I don't keep much of a balance in Mt. Gox. At most, I've had about $50 in USD and no more than 10 BTC. Once I buy BTC, I generally send it immediately to my personal encrypted wallet. Sorry to hear about your loss and I'm disturbed to hear that Mt.Gox doesn't have better security policies. You'd think they'd have learned something after the mid-summer crash. I'm feeling more comfortable with TradeHill now (met one of the founders recently, and he's a real straight-arrow). Haven't tried Crypto X Change, but may give them a look. I like seeing more competition in the BTC exchange market!
julz
Legendary
Offline
Activity: 1092
Merit: 1001
December 16, 2011, 02:16:42 AM
> Totally agree with this, my MtGox account was hacked, my password and email were changed, and my bitcoins are now gone, about 300. Nothing from MtGox, they don't give a shit. When I received the account withdrawal email, I immediately told them to freeze my account, they didn't.

When did this happen? Did you use the same password on multiple systems? Did you use a crappy short password? I'm not trying to 'blame the victim' here - but in most cases it does seem to turn out that the user was using woefully inadequate passwords, or that the security breach was on the user's side, so please let us know if you have any information on how your 'account was hacked'. Also - there is a daily withdrawal limit in place on most mtgox accounts. Are you saying that all 300 or so disappeared at once - or that this happened over a period of time? How much followup have you done with mtgox support?
@electricwings BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
December 16, 2011, 02:27:11 AM
I would agree, the Yubikey is a very strong shield against this kind of attack.
They should promote it more. In a way they do - the way I got my Yubikey is I was offered a free one after I made a fairly large deposit. I took it. In retrospect, if I felt about Yubikey then the way I do now, I'd have gladly paid for one.
The Yubikey ships from Japan, but they ship it with express mail kind of shipping, so it gets to the US pretty fast. It is worthwhile if you're going to do anything serious with bitcoins.
Others argue correctly that the Yubikey won't do squat if MtGox itself is compromised, but the risk of one's password getting compromised or keylogged is a constant presence outside of the control of MtGox, and of course, the issue at hand in this case.
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
PatrickHarnett
December 16, 2011, 03:22:43 AM
US$1k isn't a lot to have sitting in an account, but it is enough to be annoying to have stolen. Trying to play with $50 or 10 BTC is tiny, especially if you are moving things between exchanges and it takes an age for that to happen at times.
Yes, Yubikeys and the like help, but having an exchange with some responsibility to users against negligence would also be an improvement. I've struck several exchanges that didn't want to help when their systems were at fault, and I've been lucky to escape them before losing too much money (BitPLN and Bitcoin7).
Also, bear in mind Mt.Gox is about 85% of the exchange market and assess if you think they are over-represented in the problems that keep recurring. When I trade there I work on the belief that I might not get my money out. I can't make a positive accusation, but they are not my #1 preferred place to transfer anything of value.
Greed
Newbie
Offline
Activity: 25
Merit: 0
December 16, 2011, 04:09:16 AM
Holy shit. Sorry for your loss. I hope you haven't completely lost your faith in bitcoin due to MtGox :/
How did the attacker know to recover from your account? Were you talking to people somewhere about how much cash you had in your account, or was this just some one-time happenstance thing?
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
December 16, 2011, 04:50:44 AM
I would also be one to mention that if the limit is 100 BTC per day, how did the attacker get more than that in a single day, and if not, what's the limit?
chume
Newbie
Offline
Activity: 39
Merit: 0
December 16, 2011, 06:09:18 AM
The current limit is 400 BTC or $1K
msin (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
December 16, 2011, 03:33:25 PM
> Totally agree with this, my MtGox account was hacked, my password and email were changed, and my bitcoins are now gone, about 300. Nothing from MtGox, they don't give a shit. When I received the account withdrawal email, I immediately told them to freeze my account, they didn't.

> When did this happen? Did you use the same password on multiple systems? Did you use a crappy short password? I'm not trying to 'blame the victim' here - but in most cases it does seem to turn out that the user was using woefully inadequate passwords, or that the security breach was on the user's side, so please let us know if you have any information on how your 'account was hacked'. Also - there is a daily withdrawal limit in place on most mtgox accounts. Are you saying that all 300 or so disappeared at once - or that this happened over a period of time? How much followup have you done with mtgox support?

Hello, this happened three days ago. My password was very strong and never compromised. I would love to know myself how my account was hijacked. I've continued to ask support for help, but they are doing nothing, other than restoring my original email. There were several withdrawals on my account, all done within minutes; the largest withdrawal was 258 BTC. The problem I have is that the hijacker was able to use my $ to buy bitcoins with several transactions, and make several withdrawals, all without confirmation from me and within 20 minutes total. MtGox has destroyed the BTC market, and I feel they will continue to compromise the overall market for BTC.
msin (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
December 16, 2011, 03:42:31 PM
> Holy shit. Sorry for your loss. I hope you haven't completely lost your faith in bitcoin due to MtGox :/
> How did the attacker know to recover from your account? Were you talking to people somewhere about how much cash you had in your account, or was this just some one-time happenstance thing?

Hi Greed, not sure how the hacker accessed my account. The only thing I received was one notice that there was a withdrawal from my account, which I immediately responded to. After that, I couldn't access my account; the hacker changed everything, my email, password, etc. Which I can't believe is possible in the account settings without confirmation from the old email. I emailed MtGox so many times to freeze my account immediately after the withdrawal email, but didn't hear back until 2 days later and it was too late. I'll never use MtGox again; in my opinion, their irresponsibility is the reason we had the BTC crash.
msin (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
December 16, 2011, 03:49:55 PM
> US$1k isn't a lot to have sitting in an account, but it is enough to be annoying to have stolen. Trying to play with $50 or 10 BTC is tiny, especially if you are moving things between exchanges and it takes an age for that to happen at times.
> Yes, Yubikeys and the like help, but having an exchange with some responsibility to users against negligence would also be an improvement. I've struck several exchanges that didn't want to help when their systems were at fault, and I've been lucky to escape them before losing too much money (BitPLN and Bitcoin7).
> Also, bear in mind Mt.Gox is about 85% of the exchange market and assess if you think they are over-represented in the problems that keep recurring. When I trade there I work on the belief that I might not get my money out. I can't make a positive accusation, but they are not my #1 preferred place to transfer anything of value.

Thanks for the input. I didn't think 1k was a lot to mess around with and I thought it was a good time to buy. MtGox has completely lost my trust and as the #1 exchange, it's amazing that they have so many flaws in their system. How do they let you change your account email, which is the main method to confirm your identity, so easily? Once the hacker did that, it was easy for them to "reset" a new password. The withdrawal email stated that I should reply immediately if I didn't authorize the trade, which I did to no avail. Why would they put that in emails if it doesn't work? I'm afraid to buy bitcoins as I'm confident MtGox's lack of security will cause another massive BTC crash.
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
December 16, 2011, 03:51:49 PM
> Hello, this happened three days ago. My password was very strong and never compromised. I would love to know myself how my account was hijacked. I've continued to ask support for help, but they are doing nothing, other than restoring my original email. There were several withdrawals on my account, all done within minutes; the largest withdrawal was 258 BTC. The problem I have is that the hijacker was able to use my $ to buy bitcoins with several transactions, and make several withdrawals, all without confirmation from me and within 20 minutes total. MtGox has destroyed the BTC market, and I feel they will continue to compromise the overall market for BTC.

Unless you boot your computer freshly from a live CD or have just barely installed an OS, the moment anyone starts browsing the internet at large, there is no way they can be certain they don't have a keylogger on their machine. Bitcoin is known to malware authors, and they will target bitcoin-related passwords. If you get keylogged, you will never have any way to prove or disprove that that's what happened. Likewise, MtGox isn't going to be able to either - the only thing they can do is say that somebody from IP address x.x.x.x logged in and withdrew your funds to address X.

This is why I have a Yubikey. I am conscientious and practice safe computing habits, but you never know when you're going to get compromised by the next "0-day" vulnerability. Safe computing means assuming your computer is probably compromised all of the time and planning accordingly to reduce your risk. (For example, not only do I use Yubikey, the computer I use to log in to MtGox and transact bitcoins is absolutely NEVER used for surfing the web, because I believe a computer not used for web surfing is far less likely to be compromised.)

The Yubikey is far from perfect - but it is pretty effective against keyloggers and makes you a far more challenging target for hackers. It is also pretty powerful because the physical key has two modes, one for generating login passwords and one for generating withdrawal passwords. A Yubikey code generated for a login won't work for a withdrawal, so even if somebody breaks into your account, they can't do anything with it (other than trade) without a code they're far less likely to have a chance at getting.
msin (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
December 16, 2011, 03:59:01 PM
I thought it might help to post the hijacker's transactions on my account, and how it wasn't necessary to authorize or confirm these transactions with MtGox.
Purchases (newest first; columns: time, trade id, BTC bought, price, USD spent, USD balance after):
Tue 13 Dec 2011 03:29:47 PM GMT Spent BTC bought: [tid:1323790187459527] 6.84700000 BTC at $3.22000 $22.04734 $0.68522
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143318090] 32.79614017 BTC at $3.22000 $105.60357 $22.73256
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143203780] 160.98640384 BTC at $3.22000 $518.37622 $128.33613
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143159223] 19.89999999 BTC at $3.21899 $64.05790 $646.71235
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143032510] 43.85985600 BTC at $3.21899 $141.18444 $710.77025
Tue 13 Dec 2011 03:29:02 PM GMT Spent BTC bought: [tid:1323790142989042] 0.99400000 BTC at $3.21898 $3.19967 $851.95469
Tue 13 Dec 2011 03:29:02 PM GMT Spent BTC bought: [tid:1323790142956975] 22.00000000 BTC at $3.21000 $70.62000 $855.15436

Withdrawals (newest first; columns: time, destination address, BTC withdrawn, BTC balance after):
Tue 13 Dec 2011 03:30:01 PM GMT Withdraw Bitcoin withdraw to 1NMBnbywM8KBppQxictvQKmyPz2uUSqJ79 6.81831800 BTC 0.00000000 BTC
Tue 13 Dec 2011 03:29:15 PM GMT Withdraw Bitcoin withdraw to 19HiW7hqsm2E4sqJK8wnfG9TCEyiPG2hVT 282.54000000 BTC 0.00760710 BTC
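The history above is exactly the kind of record an exchange's own monitoring could act on: the entire USD balance is converted to BTC and nearly all of it is withdrawn inside one minute. The following is an added example, not code from the post or from MtGox. It parses the history lines as msin pasted them (the first withdrawal line has the space after "to" missing, which the parser tolerates), orders them chronologically using the trade id as a tiebreaker, and flags the burst. The 300-second window and the 90% drain ratio are assumed thresholds for illustration; the 400 BTC daily limit is the figure chume quotes later in the thread.

```python
import re
from datetime import datetime
from decimal import Decimal

# Constructed sample: the account-history lines msin posted above, copied as-is.
HISTORY = """\
Tue 13 Dec 2011 03:29:47 PM GMT Spent BTC bought: [tid:1323790187459527] 6.84700000 BTC at $3.22000 $22.04734 $0.68522
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143318090] 32.79614017 BTC at $3.22000 $105.60357 $22.73256
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143203780] 160.98640384 BTC at $3.22000 $518.37622 $128.33613
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143159223] 19.89999999 BTC at $3.21899 $64.05790 $646.71235
Tue 13 Dec 2011 03:29:03 PM GMT Spent BTC bought: [tid:1323790143032510] 43.85985600 BTC at $3.21899 $141.18444 $710.77025
Tue 13 Dec 2011 03:29:02 PM GMT Spent BTC bought: [tid:1323790142989042] 0.99400000 BTC at $3.21898 $3.19967 $851.95469
Tue 13 Dec 2011 03:29:02 PM GMT Spent BTC bought: [tid:1323790142956975] 22.00000000 BTC at $3.21000 $70.62000 $855.15436
Tue 13 Dec 2011 03:30:01 PM GMT Withdraw Bitcoin withdraw to1NMBnbywM8KBppQxictvQKmyPz2uUSqJ79 6.81831800 BTC 0.00000000 BTC
Tue 13 Dec 2011 03:29:15 PM GMT Withdraw Bitcoin withdraw to 19HiW7hqsm2E4sqJK8wnfG9TCEyiPG2hVT 282.54000000 BTC 0.00760710 BTC
"""

TS = r"(?P<ts>\w{3} \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [AP]M GMT)"
PURCHASE = re.compile(TS + r" Spent BTC bought: \[tid:(?P<tid>\d+)\] (?P<btc>[\d.]+) BTC at "
                      r"\$(?P<price>[\d.]+) \$(?P<usd>[\d.]+) \$(?P<usd_after>[\d.]+)$")
# "to ?" because the first withdrawal line in the post lacks the space before the address.
WITHDRAWAL = re.compile(TS + r" Withdraw Bitcoin withdraw to ?(?P<addr>[1-9A-HJ-NP-Za-km-z]+) "
                        r"(?P<btc>[\d.]+) BTC (?P<btc_after>[\d.]+) BTC$")

def parse_history(text):
    """Turn history lines into event dicts, oldest first (the tid breaks ties within one second)."""
    events = []
    for line in text.splitlines():
        if m := PURCHASE.match(line):
            events.append({"kind": "purchase", "tid": int(m["tid"]), "btc": Decimal(m["btc"]),
                           "usd": Decimal(m["usd"]), "usd_after": Decimal(m["usd_after"])})
        elif m := WITHDRAWAL.match(line):
            events.append({"kind": "withdrawal", "tid": 0, "btc": Decimal(m["btc"]),
                           "addr": m["addr"], "btc_after": Decimal(m["btc_after"])})
        else:
            raise ValueError(f"unrecognised history line: {line!r}")
        events[-1]["when"] = datetime.strptime(m["ts"], "%a %d %b %Y %I:%M:%S %p GMT")
    return sorted(events, key=lambda e: (e["when"], e["tid"]))

def analyze(events, window_seconds=300, drain_ratio=Decimal("0.9"), daily_limit_btc=Decimal("400")):
    """Flag a buy-then-withdraw burst that empties the account. Thresholds are assumed, not MtGox's."""
    purchases = [e for e in events if e["kind"] == "purchase"]
    withdrawals = [e for e in events if e["kind"] == "withdrawal"]
    usd_spent = sum(p["usd"] for p in purchases)
    # USD balance before the burst = balance after the earliest trade + what that trade spent.
    usd_start = purchases[0]["usd_after"] + purchases[0]["usd"] if purchases else Decimal("0")
    btc_bought = sum(p["btc"] for p in purchases)
    btc_withdrawn = sum(w["btc"] for w in withdrawals)
    span = int((events[-1]["when"] - events[0]["when"]).total_seconds()) if events else 0
    flagged = (purchases and withdrawals and span <= window_seconds
               and usd_spent >= drain_ratio * usd_start
               and btc_withdrawn >= drain_ratio * btc_bought)
    return {
        "purchases": len(purchases), "withdrawals": len(withdrawals),
        "usd_start": usd_start, "usd_spent": usd_spent,
        "btc_bought": btc_bought, "btc_withdrawn": btc_withdrawn,
        "span_seconds": span,
        # A per-day cap alone would not have stopped this: the burst stays under it.
        "under_daily_limit": btc_withdrawn <= daily_limit_btc,
        "flagged": bool(flagged),
    }

if __name__ == "__main__":
    for key, value in analyze(parse_history(HISTORY)).items():
        print(f"{key}: {value}")
```

Run stand-alone it reports nine events spanning 59 seconds, $925.09 of a $925.77 balance converted, 289.36 BTC withdrawn, and `flagged: True`; the `under_daily_limit` field makes the point several posters raise, that a withdrawal cap by itself does not catch an account drained in one burst below the cap.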
msin (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
December 16, 2011, 04:28:51 PM
> Hello, this happened three days ago. My password was very strong and never compromised. I would love to know myself how my account was hijacked. I've continued to ask support for help, but they are doing nothing, other than restoring my original email. There were several withdrawals on my account, all done within minutes; the largest withdrawal was 258 BTC. The problem I have is that the hijacker was able to use my $ to buy bitcoins with several transactions, and make several withdrawals, all without confirmation from me and within 20 minutes total. MtGox has destroyed the BTC market, and I feel they will continue to compromise the overall market for BTC.

> Unless you boot your computer freshly from a live CD or have just barely installed an OS, the moment anyone starts browsing the internet at large, there is no way they can be certain they don't have a keylogger on their machine. Bitcoin is known to malware authors, and they will target bitcoin-related passwords. If you get keylogged, you will never have any way to prove or disprove that that's what happened. Likewise, MtGox isn't going to be able to either - the only thing they can do is say that somebody from IP address x.x.x.x logged in and withdrew your funds to address X. This is why I have a Yubikey. I am conscientious and practice safe computing habits, but you never know when you're going to get compromised by the next "0-day" vulnerability. Safe computing means assuming your computer is probably compromised all of the time and planning accordingly to reduce your risk. (For example, not only do I use Yubikey, the computer I use to log in to MtGox and transact bitcoins is absolutely NEVER used for surfing the web, because I believe a computer not used for web surfing is far less likely to be compromised.) The Yubikey is far from perfect - but it is pretty effective against keyloggers and makes you a far more challenging target for hackers. It is also pretty powerful because the physical key has two modes, one for generating login passwords and one for generating withdrawal passwords. A Yubikey code generated for a login won't work for a withdrawal, so even if somebody breaks into your account, they can't do anything with it (other than trade) without a code they're far less likely to have a chance at getting.

Yep, I agree with you, I have learned my lesson and will definitely use a Yubikey. I will not use MtGox as they have many security flaws in their system. I've never had my bank accounts, equity accounts, or even email accounts hacked, because of basic security precautions taken by those companies.
Would be really easy for MtGox to avoid issues like this with a simple email confirmation.
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
December 16, 2011, 04:45:48 PM
> Yep, I agree with you, I have learned my lesson and will definitely use a Yubikey. I will not use MtGox as they have many security flaws in their system. I've never had my bank accounts, equity accounts, or even email accounts hacked, because of basic security precautions taken by those companies. Would be really easy for MtGox to avoid issues like this with a simple email confirmation.

AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication). I would agree that there are simple things MtGox could do to improve security - for example, like requiring a 2nd password for withdrawal above a limit, or making withdrawals wait a little while to give you time to blow the whistle, or requiring a PGP signature to withdraw. On the other hand, if you have a compromised machine, or a compromised e-mail account, none of this will be much help.
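The controls proposed across this thread fit together as one withdrawal policy: casascius's separate login and withdrawal code modes (his 03:51 post) and his suggestions just above of a second factor above a limit and a delay before funds leave, msin's requests for a freeze option and for e-mail changes that need confirmation from the old address, and the per-day cap chume quotes. The following is an added example of such a policy, not code from MtGox or from anyone in the thread. The 400 BTC daily limit is the thread's number; the one-hour hold, the 1 BTC no-hold threshold, the balances and the placeholder addresses are assumed for the simulation.

```python
from dataclasses import dataclass, field
from decimal import Decimal
import secrets

# The 400 BTC/day cap is the figure quoted in the thread; hold window and the small-amount
# threshold are assumed policy choices for this example, not anything the exchange ran.
DAILY_LIMIT_BTC = Decimal("400")
HOLD_SECONDS = 3600
INSTANT_BELOW_BTC = Decimal("1")

@dataclass
class Token:
    """A one-time second-factor code; scope models the two Yubikey modes described above."""
    scope: str              # "login" or "withdraw"
    used: bool = False

@dataclass
class Withdrawal:
    amount: Decimal
    address: str
    release_at: int         # clock value at which the funds actually leave
    state: str = "pending"  # pending -> released | cancelled

@dataclass
class Account:
    email: str
    btc: Decimal
    frozen: bool = False
    withdrawn_today: Decimal = Decimal("0")
    pending: list = field(default_factory=list)
    email_change: tuple = None   # (new_email, code that was mailed to the OLD address)

def held(acct):
    """BTC already committed to withdrawals that are waiting out their hold."""
    return sum((w.amount for w in acct.pending if w.state == "pending"), Decimal("0"))

def request_withdrawal(acct, amount, address, token, now):
    """Queue a withdrawal: needs a withdraw-scoped code, stays under the daily cap, waits out a hold."""
    if acct.frozen:
        return "rejected: account frozen"
    if token.scope != "withdraw" or token.used:
        return "rejected: withdrawal-scoped second factor required"
    token.used = True                       # a code is consumed whether or not the request succeeds
    if amount > acct.btc - held(acct):
        return "rejected: insufficient balance"
    if acct.withdrawn_today + held(acct) + amount > DAILY_LIMIT_BTC:
        return "rejected: daily withdrawal limit"
    hold = 0 if amount < INSTANT_BELOW_BTC else HOLD_SECONDS
    acct.pending.append(Withdrawal(amount, address, now + hold))
    return "queued"

def release_due(acct, now):
    """Execute pending withdrawals whose hold has expired; a frozen account releases nothing."""
    released = []
    for w in acct.pending:
        if w.state == "pending" and w.release_at <= now and not acct.frozen:
            w.state = "released"
            acct.btc -= w.amount
            acct.withdrawn_today += w.amount
            released.append(w)
    return released

def freeze(acct):
    """The 'freeze account' control msin asked for: cancels everything still inside its hold."""
    acct.frozen = True
    cancelled = [w for w in acct.pending if w.state == "pending"]
    for w in cancelled:
        w.state = "cancelled"
    return len(cancelled)

def request_email_change(acct, new_email):
    """Start an e-mail change; the code is delivered only to the current (old) address."""
    code = secrets.token_hex(8)
    acct.email_change = (new_email, code)
    return code

def confirm_email_change(acct, code):
    if acct.email_change is None or not secrets.compare_digest(code, acct.email_change[1]):
        return False
    acct.email, acct.email_change = acct.email_change[0], None
    return True

def scenario():
    """Replay the thread's situation against the policy and return the outcomes."""
    acct = Account(email="owner@example.invalid", btc=Decimal("289.36"))  # constructed balance
    now, out = 0, {}
    # A hijacked session only holds login-scoped codes, so the big withdrawal is refused.
    out["attacker_withdraw"] = request_withdrawal(acct, Decimal("282.54"), "ADDR_PLACEHOLDER_A", Token("login"), now)
    # Swapping the contact address needs the code sent to the old mailbox; a guess fails.
    request_email_change(acct, "attacker@example.invalid")
    out["attacker_email"] = confirm_email_change(acct, "0" * 16)
    out["email_after"] = acct.email
    # The owner, with a withdraw-scoped code, gets the request queued rather than executed.
    out["owner_withdraw"] = request_withdrawal(acct, Decimal("282.54"), "ADDR_PLACEHOLDER_B", Token("withdraw"), now)
    out["released_early"] = len(release_due(acct, now + 60))
    # The withdrawal notice arrives and the owner freezes inside the hold window.
    out["cancelled"] = freeze(acct)
    out["btc_after"] = acct.btc
    out["released_late"] = len(release_due(acct, now + HOLD_SECONDS + 1))
    # The daily cap is enforced on its own, independent of the second factor.
    big = Account(email="other@example.invalid", btc=Decimal("500"))
    out["over_limit"] = request_withdrawal(big, Decimal("401"), "ADDR_PLACEHOLDER_B", Token("withdraw"), now)
    return out

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The hold is the piece that turns "reply immediately if you didn't authorize this" into something that can actually work: the notice goes out when the request is queued, and a freeze inside the window cancels it before any coin moves. As casascius notes, none of this helps once the attacker also controls the mailbox or the machine that generates the withdraw-scoped codes.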
RyNinDaCleM
Legendary
Offline
Activity: 2408
Merit: 1009
Legen -wait for it- dary
December 16, 2011, 04:47:12 PM
Did you click a link in an "Mt Gox" email? Or basically, were you phished? They have been warning about phishing emails for months.
msin (OP)
Legendary
Offline
Activity: 1470
Merit: 1004
December 16, 2011, 04:51:18 PM
> Did you click a link in an "Mt Gox" email? Or basically, were you phished? They have been warning about phishing emails for months.

Nope I didn't. I just received an email saying that there was a withdrawal. I went to MtGox on a separate page and tried to login to my account and I couldn't login.