Bitcoin Forum
Topic: Is it safe to log in to MtGox on a compromised computer using YubiKey?
finway
January 06, 2012, 05:23:35 AM
 #1

I mean, can yubikey be copied?
blockchain.info can make use of a MtGox yubikey, so I guess?

theymos
January 06, 2012, 05:29:07 AM
 #2

The Yubikey output can't be reused, but malware can withdraw everything once you've logged in.

Edit: Actually, another Yubikey press is required for withdrawal, so you'd have to be withdrawing for the malware to steal your money.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Maged
January 06, 2012, 05:47:54 AM
 #3

Quote from: finway
blockchain.info can make use of a MtGox yubikey, so I guess?

I'm honestly confused about how they do that.

casascius
January 06, 2012, 05:49:33 AM
 #4

Quote from: theymos
The Yubikey output can't be reused, but malware can withdraw everything once you've logged in.
Edit: Actually, another Yubikey press is required for withdrawal, so you'd have to be withdrawing for the malware to steal your money.

Further, withdrawal requires a different YubiKey press.  YubiKey has two keys in it, one used when you briefly press the button, the other used when you hold it down.  The long press is needed for withdrawals.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
finway
January 06, 2012, 06:30:00 AM
 #5

So logging in needs one short press, and withdrawing needs one long press.

But can yubikey be copied?  Software way or Hardware way?


Quote
The YubiKey provides strong two-factor authentication, combining something you know (a password) with something you have (a YubiKey). It protects your online identity from viruses, Trojans and hackers at a security level that can be compared with a smart card. To guarantee a secure life-cycle, the YubiKey is manufactured in Sweden with best practice security processes.

And I am curious about how piuk makes use of a MtGox yubikey too.

casascius
January 06, 2012, 06:31:47 AM
 #6


Quote from: finway
But can yubikey be copied?  Software way or Hardware way?

Yubikey can't be copied.  Computer thinks it is a keyboard, not a USB stick.  It types a password on your computer when you press its button.

Yubikey uses one shared AES key for each of the two modes.  The Yubikey knows it, so does MtGox.  The keys cannot be read from the Yubikey, but it can be overwritten with new keys with special software.

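Added example, not part of the thread and not Yubico's or MtGox's code: a sketch of why a captured one-time password cannot be reused when token and server share an AES key, as posts #2 and #6 describe. The names `press`, `Server` and `Verify`, the keys and the block layout are assumptions made for illustration; the real Yubico OTP block also carries timestamp, random and CRC fields and is modhex-encoded.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

// press simulates one button press: AES-128 over privateID | counter | zero padding.
func press(key, uid []byte, counter uint16) []byte {
	blk := make([]byte, 16)
	copy(blk, uid) // 6-byte private ID, known only to token and server
	binary.LittleEndian.PutUint16(blk[6:], counter)
	c, _ := aes.NewCipher(key) // sketch: error ignored, key is a fixed 16 bytes
	c.Encrypt(blk, blk)
	return blk
}

// Server holds the same AES key as the token and the highest counter accepted so far.
type Server struct {
	key, uid []byte
	last     uint16
}

// Verify accepts each OTP once; a keylogged copy fails the counter check.
func (s *Server) Verify(otp []byte) error {
	c, err := aes.NewCipher(s.key)
	if err != nil || len(otp) != aes.BlockSize {
		return errors.New("malformed")
	}
	blk := make([]byte, 16)
	c.Decrypt(blk, otp)
	if !bytes.Equal(blk[:6], s.uid) || !bytes.Equal(blk[8:], make([]byte, 8)) {
		return errors.New("not made with this slot's key")
	}
	ctr := binary.LittleEndian.Uint16(blk[6:])
	if ctr <= s.last {
		return errors.New("replayed OTP")
	}
	s.last = ctr
	return nil
}

func main() {
	key, uid := []byte("constructed-key1"), []byte("uid001") // constructed sample secrets
	srv, otp := &Server{key: key, uid: uid}, press(key, uid, 1)
	fmt.Println("first use:", srv.Verify(otp), "| captured copy:", srv.Verify(otp))
}
```

The counter check only stops reuse of a captured string; it does nothing about malware acting inside a session the user has already authenticated, which is the case posts #2 and #8 raise.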
finway
January 06, 2012, 06:37:48 AM
 #7

Quote from: casascius
Quote from: finway
But can yubikey be copied?  Software way or Hardware way?
Yubikey can't be copied.  Computer thinks it is a keyboard, not a USB stick.  It types a password on your computer when you press its button.
Yubikey uses one shared AES key for each of the two modes.  The Yubikey knows it, so does MtGox.  The keys cannot be read from the Yubikey, but it can be overwritten with new keys with special software.

That's neat. Thank you for your elaboration.

deepceleron
January 06, 2012, 06:40:45 AM
 #8

Go ahead and type in your password; compromised can mean key logger and screen shots, your wallet file sent to another computer, along with your bookmarks and address book. Hope you didn't use your password anywhere else, or have any btc in your wallet. Yubikey protects against a stolen Mtgox user/pass being able to log into MtGox without the physical fob code, but it doesn't prevent anything else a hacker might want to do.

finway
Hero Member
*****
Offline Offline

Activity: 714


View Profile
January 06, 2012, 06:50:46 AM
 #9

Quote from: deepceleron
Go ahead and type in your password; compromised can mean key logger and screen shots, your wallet file sent to another computer, along with your bookmarks and address book. Hope you didn't use your password anywhere else, or have any btc in your wallet. Yubikey protects against a stolen Mtgox user/pass being able to log into MtGox without the physical fob code, but it doesn't prevent anything else a hacker might want to do.

Thank you, I'm not hacked. Just want to figure out the question.
