leopard2
Legendary
Offline
Activity: 1372
Merit: 1014
April 18, 2014, 11:30:37 PM
> Thanks for the input Rishodi! Is a session logout possible with an Active listing?

Huh? Sure it is, close your browser :-) And if using 2FA, it must be paper-based; paper is normally not affected by malware...
Truth is the new hatespeech.
RockHound (OP)
April 18, 2014, 11:54:41 PM Last edit: April 19, 2014, 11:12:07 PM by RockHound
>> Thanks for the input Rishodi! Is a session logout possible with an Active listing?
> Huh? Sure it is, close your browser :-) And if using 2FA, it must be paper-based; paper is normally not affected by malware...

Cheers Mr Leopard, I'm just being justifiably paranoid. There's a general consensus on their forums that this issue was largely FUD? - Conducted several sales today, none of my clients have got back to me with any issues, all positive feedback. From my perspective everything's been working great. They're a good team, the Localbitcoins crew; sure they will post something on their blogspot pretty soon, giving the all clear.
escrow.ms
Legendary
Offline
Activity: 1274
Merit: 1004
April 19, 2014, 12:07:05 AM Last edit: April 19, 2014, 12:30:31 AM by escrow.ms
>> Thanks for the input Rishodi! Is a session logout possible with an Active listing?
> Huh? Sure it is, close your browser :-) And if using 2FA, it must be paper-based; paper is normally not affected by malware...

It's true, but ^ that's a false sense of security. Let's say Bob's PC got infected or was infected by some malware, and some days later Bob started using localbitcoins. Bob enabled 2-factor authentication on the infected PC. Is he safe? NO. Why? Because he created the 2-factor seed/keys on an infected machine, and malware can capture keystrokes, take screenshots, share the screen, etc., and there are high chances of the paper codes/2-factor seed getting compromised by a hacker.
leopard2
Legendary
Offline
Activity: 1372
Merit: 1014
April 19, 2014, 09:05:30 PM
I don't think there is a "seed". Those 2FA codes cannot be deterministic, or they would be a huge joke. Screenshots, yes. If your PC has been taken over, you are out of luck - but to be honest, then the attacker could just empty your BTC wallet on your PC, not just Localbitcoins. Also the question referred to session takeover only. The session is gone when you close your browser.
Truth is the new hatespeech.
escrow.ms
Legendary
Offline
Activity: 1274
Merit: 1004
April 19, 2014, 09:21:49 PM
> I don't think there is a "seed". Those 2FA codes cannot be deterministic, or they would be a huge joke

Maybe you should at least check localbitcoins or any other site/app that is using 2-factor authentication. The authentication key (seed) can be used on multiple devices simultaneously. The most common form of Two-Factor Authentication is TOTP. TOTP uses a secret seed and the current time to generate each of the individual authentication tokens. Essentially: given that anyone can know the current time, if the attacker knows the secret seed, he can essentially generate a valid OTP token at any time. So it's possible that the secret seed that you are using for Two-Factor Authentication might be compromised.
http://blog.authy.com/heartbleed
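As an added illustration of the TOTP mechanism the post above describes (example code written for this thread, not LocalBitcoins' or Authy's implementation; the base32 seed value is constructed for the demo), the code depends only on the seed and the clock, so whoever holds a copy of the seed produces exactly the codes the account owner does:

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_seed(seed: str) -> bytes:
    """Authenticator apps exchange the seed as base32 text (the QR/URI payload)."""
    return base64.b32decode(seed.upper() + "=" * (-len(seed) % 8))


# Constructed seed for illustration only; real seeds are random per account.
DEMO_SEED = "JBSWY3DPEHPK3PXP"  # base32 of b"Hello!\xde\xad\xbe\xef"


def codes_agree(seed: str, unix_time: int) -> bool:
    """Two 'devices' holding the same seed produce the same code at the same
    time; a leaked copy of the seed is indistinguishable from the owner's."""
    owner_device = totp(decode_base32_seed(seed), unix_time)
    leaked_copy = totp(decode_base32_seed(seed), unix_time)
    return owner_device == leaked_copy


def current_code(seed: str) -> str:
    """What an authenticator app would display right now for this seed."""
    return totp(decode_base32_seed(seed), int(time.time()))
```

The seed therefore has to be treated as a long-lived credential: anything that captured it at enrolment (screenshot, keylogger, emailed backup) keeps generating valid codes indefinitely.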
escrow.ms
Legendary
Offline
Activity: 1274
Merit: 1004
April 19, 2014, 09:25:29 PM
As for paper codes, one screenshot is enough, and sometimes people save them as a PDF file for printing on their PC.
moni3z
April 20, 2014, 01:10:05 AM
> As for paper codes, one screenshot is enough, and sometimes people save them as a PDF file for printing on their PC.

Or write emails to themselves containing the seed/key.
chandan123
Full Member
Offline
Activity: 212
Merit: 100
Hi
April 20, 2014, 11:11:13 AM
Yesterday I withdrew bitcoin from my Localbitcoins wallet to my QT wallet and it confirmed after 10-20 mins.
Cheers
leopard2
Legendary
Offline
Activity: 1372
Merit: 1014
April 20, 2014, 03:28:37 PM
>> I don't think there is a "seed". Those 2FA codes cannot be deterministic, or they would be a huge joke
> Maybe you should at least check localbitcoins or any other site/app that is using 2-factor authentication. The authentication key (seed) can be used on multiple devices simultaneously. The most common form of Two-Factor Authentication is TOTP. TOTP uses a secret seed and the current time to generate each of the individual authentication tokens. Essentially: given that anyone can know the current time, if the attacker knows the secret seed, he can essentially generate a valid OTP token at any time. So it's possible that the secret seed that you are using for Two-Factor Authentication might be compromised.
> http://blog.authy.com/heartbleed

Ok, thanks for the lesson. If it is possible to generate new 2FA codes from the seed automatically, I don't understand the benefit - the seed would be merely another password then. You sure LBC will not ask for additional info before generating a new 2FA list?
Truth is the new hatespeech.
escrow.ms
Legendary
Offline
Activity: 1274
Merit: 1004
April 20, 2014, 04:18:30 PM Last edit: April 20, 2014, 04:47:41 PM by escrow.ms
> You sure LBC will not ask for additional info before generating a new 2FA list?

Paper codes list? It should, but I just tried and found a big fucking flaw. Once you are logged in, you can generate the same list again. There is a big flaw: it doesn't generate a new 2FA code list until the old one is used; instead it shows you the current list. I.e.: once an attacker got your session somehow and logged in to your account, he can get your 2FA paper code keys. I think this method was used to steal users' coins, and I am sure only those users who were using paper code 2FA got affected. PS: I have reported it to jeremias on LBC. Edit: it's fixed now, codes were cached by their system for 24 hours.
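An added model of the flaw class escrow.ms describes, written for this thread and not LocalBitcoins' code: a server that hands back the cached plaintext paper-code list on every request, beside a version that shows codes once, stores only keyed hashes, burns each code on use and requires re-authentication before regenerating. The class names, SERVER_KEY and the reauthenticated flag are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Set

# Constructed server-side key for hashing codes at rest (hypothetical; a real
# deployment keeps it in a secrets manager and uses a slow hash such as bcrypt).
SERVER_KEY = b"demo-only-server-key"
CODE_COUNT = 10


def new_codes(n: int = CODE_COUNT) -> List[str]:
    """Fresh random 8-hex-character backup codes."""
    return [secrets.token_hex(4) for _ in range(n)]


def code_digest(code: str) -> str:
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest()


class CachedPaperCodes:
    """Weak model: the plaintext list is kept until used up and handed back on
    every request, so anyone holding the live session can read it again."""

    def __init__(self) -> None:
        self.cached: Optional[List[str]] = None

    def generate(self) -> List[str]:
        if self.cached is None:
            self.cached = new_codes()
        return list(self.cached)  # same codes every time the page is loaded


class OneTimePaperCodes:
    """Hardened model: codes are returned exactly once, only keyed hashes are
    stored, each code is single-use, and regenerating needs fresh proof of
    identity (the reauthenticated flag) and replaces the old list."""

    def __init__(self) -> None:
        self.digests: Set[str] = set()

    def generate(self, reauthenticated: bool) -> List[str]:
        if not reauthenticated:
            raise PermissionError("re-enter password and 2FA before issuing new codes")
        codes = new_codes()
        self.digests = {code_digest(c) for c in codes}  # old codes invalidated
        return codes  # shown once to the user; plaintext is not retained

    def redeem(self, code: str) -> bool:
        d = code_digest(code)
        if d in self.digests:
            self.digests.discard(d)  # single use
            return True
        return False
```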
leopard2
Legendary
Offline
Activity: 1372
Merit: 1014
April 20, 2014, 07:25:30 PM
Wow, now I am extra glad we had this discussion.
Is the 24h caching thingy fixed for everyone then?
Truth is the new hatespeech.
escrow.ms
Legendary
Offline
Activity: 1274
Merit: 1004
April 20, 2014, 08:33:24 PM
> Wow, now I am extra glad we had this discussion.
> Is the 24h caching thingy fixed for everyone then?

Yeah, it's fixed.
billysweird
Newbie
Offline
Activity: 56
Merit: 0
April 21, 2014, 11:03:14 AM
Thanks for the notice. I usually take my wallet with me and then update the Localbitcoins.