Bitcoin Forum
December 12, 2024, 02:04:04 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2]  All
  Print  
Author Topic: Localbitcoins Update  (Read 3265 times)
leopard2
Legendary
*
Offline Offline

Activity: 1372
Merit: 1014



View Profile
April 18, 2014, 11:30:37 PM
 #21


Thanks for the input Rishodi ! Is a session logout possible with an Active listing?

Huh? Sure it is, close your browser :-)

And if using 2FA, it must be paper based, paper is normally not affected by malware... Cheesy

Truth is the new hatespeech.
RockHound (OP)
Full Member
***
Offline Offline

Activity: 224
Merit: 100


View Profile
April 18, 2014, 11:54:41 PM
Last edit: April 19, 2014, 11:12:07 PM by RockHound
 #22


Thanks for the input Rishodi ! Is a session logout possible with an Active listing?

Huh? Sure it is, close your browser :-)

And if using 2FA, it must be paper based, paper is normally not affected by malware... Cheesy

Cheers Mr Leopard, I'm just being justifiably paranoid  Cheesy

There's a general consensus on their forums that this issue was largely FUD? - Conducted several sales today, non of my clients have got back to me with any issues, all positive feedback.

From my perspective everything's been working great.

They're a good team the Localbitcoins crew, sure they will post something on their blogspot pretty soon, giving the all clear.
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
April 19, 2014, 12:07:05 AM
Last edit: April 19, 2014, 12:30:31 AM by escrow.ms
 #23


Thanks for the input Rishodi ! Is a session logout possible with an Active listing?

Huh? Sure it is, close your browser :-)

And if using 2FA, it must be paper based, paper is normally not affected by malware... Cheesy

It's true but  ^ that's false sense of security.
Let's say bob's pc got infected or was infected by some malware, some days later bob started using localbitcoins.
Bob enabled 2 factor authentication on infected pc. Is he's safe?  NO

Why? Because he created 2factor seed/keys on a infected machine and malware can capture keystrokes,take screenshot,share screen etc and there are high chances of getting paper code's/2factor seed compromised by hacker.

leopard2
Legendary
*
Offline Offline

Activity: 1372
Merit: 1014



View Profile
April 19, 2014, 09:05:30 PM
 #24

I don't think there is a "seed". Those 2FA codes cannot be deterministic, or they would be a huge joke  Grin

Screenshots, yes. If your PC has been taken over, you are out of luck - but to be honest, then the attacker could just empty your BTC wallet on your PC not just Localbitcoins.

Also the question referred to session takeover only. The session is gone when you close your browser.

Truth is the new hatespeech.
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
April 19, 2014, 09:21:49 PM
 #25

I don't think there is a "seed". Those 2FA codes cannot be deterministic, or they would be a huge joke  Grin



Maybe you should atleast check localbitcoins or any other site/app that is using 2 factor authentication.

The authentication key (seed)can be used on multiple devices simultaneously
 
Quote
The most common form of Two-Factor Authentication is TOTP. TOTP uses a secret seed and the current time to generate each of the individual authentication tokens. Essentially:


Given that anyone can know the current time, if the attacker knows the secret seed, he can essentially generate a valid OTP token at any time.
So it's possible that the secret seed that you are using for Two-Factor Authentication might be compromised.

http://blog.authy.com/heartbleed
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
April 19, 2014, 09:25:29 PM
 #26

As for paper codes, one screenshot is enough and sometimes people save them as PDF file for printing on their pc.
moni3z
Hero Member
*****
Offline Offline

Activity: 899
Merit: 1002



View Profile
April 20, 2014, 01:10:05 AM
 #27

As for paper codes, one screenshot is enough and sometimes people save them as PDF file for printing on their pc.

Or write emails to themselves containing the seed/key
chandan123
Full Member
***
Offline Offline

Activity: 212
Merit: 100

Hi


View Profile WWW
April 20, 2014, 11:11:13 AM
 #28

yesterday i withdraw bitcoin from localbitcoin wallet to my QT wallet and it confirmed after 10-20 mins

cheers

FreeLite.co.in
All FOR SALE Wink
BitTalk.com   FreeBTC    FreeCasino.in   Name.co.in  LiteCo.in  IndiaCo.in
leopard2
Legendary
*
Offline Offline

Activity: 1372
Merit: 1014



View Profile
April 20, 2014, 03:28:37 PM
 #29

I don't think there is a "seed". Those 2FA codes cannot be deterministic, or they would be a huge joke  Grin



Maybe you should atleast check localbitcoins or any other site/app that is using 2 factor authentication.

The authentication key (seed)can be used on multiple devices simultaneously
 
Quote
The most common form of Two-Factor Authentication is TOTP. TOTP uses a secret seed and the current time to generate each of the individual authentication tokens. Essentially:


Given that anyone can know the current time, if the attacker knows the secret seed, he can essentially generate a valid OTP token at any time.
So it's possible that the secret seed that you are using for Two-Factor Authentication might be compromised.

http://blog.authy.com/heartbleed

Ok thanks for the lesson

If it is possible to generate new 2FA codes from seed automatically I don't understand the benefit - seed would be merely another password then

You sure LBC will not ask for additional info before generating new 2FA list?

Truth is the new hatespeech.
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
April 20, 2014, 04:18:30 PM
Last edit: April 20, 2014, 04:47:41 PM by escrow.ms
 #30

You sure LBC will not ask for additional info before generating new 2FA list?

Paper codes list? It should, but I just tried and found a big fucking flaw.

Once you are logged in, you can generate same list again. There is a big flaw, it doesn't generates a new 2FA code list until old one is used, instead of that it shows you current list.

Ie: Once Attacker got your session somehow and logged in your account, he can get your 2FA paper code keys.
I think this method was used to steal users coin and I am sure only those users who were using paper code 2FA got affected.
Ps: I have reported it to jeremias on lbc


edit: it's fixed now, codes were cached by their system for 24 hours.
leopard2
Legendary
*
Offline Offline

Activity: 1372
Merit: 1014



View Profile
April 20, 2014, 07:25:30 PM
 #31

Wow now I am extra glad we had this discussion

Is the 24h caching thingy fixed for everyone then?

Truth is the new hatespeech.
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
April 20, 2014, 08:33:24 PM
 #32

Wow now I am extra glad we had this discussion

Is the 24h caching thingy fixed for everyone then?

Yeah it's fixed.
billysweird
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
April 21, 2014, 11:03:14 AM
 #33

thanks for notice
i usually take my wallet with me and then update the localbitcoins
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!