rohnearner (OP)
|
|
April 18, 2014, 04:49:26 AM |
|
I use 2-step login verification in almost every online service which provides it! I want to know: is it possible for someone to invade 2-step verification while logging in? I mean, if someone uses phishing they can get my password; is it possible to do any similar kind of trick to get past 2-step verification? If yes, how do I protect myself? Yeah, I know I have to be very conscious about every link I click and every page I visit, but other than that?
|
|
|
|
bryant.coleman
|
|
April 18, 2014, 05:07:05 AM |
|
Check this: https://coinreport.net/localbitcoins-report-stolen-funds/ On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong. Having a 2FA does not always guard you from robbery and hacking.
|
|
|
|
rohnearner (OP)
|
|
April 18, 2014, 05:15:04 AM |
|
Check this: https://coinreport.net/localbitcoins-report-stolen-funds/ On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong. Having a 2FA does not always guard you from robbery and hacking.
I know it's not like if I'm using 2FA then no one can hack me! But I want to know what techniques they might use. Like, to get my password they can easily get it through a phishing link or keylogs, but how do they invade 2FA? Because I'm getting the OTP on my mobile.
|
|
|
|
Vod
|
|
April 18, 2014, 05:16:23 AM |
|
Check this: https://coinreport.net/localbitcoins-report-stolen-funds/ On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong. Having a 2FA does not always guard you from robbery and hacking.
I know it's not like if I'm using 2FA then no one can hack me! But I want to know what techniques they might use. Like, to get my password they can easily get it through a phishing link or keylogs, but how do they invade 2FA? Because I'm getting the OTP on my mobile.
Consider it could be a corrupt admin of the online service you use. Can't protect against that other than keeping your coins in your own wallet.
|
|
|
|
rohnearner (OP)
|
|
April 18, 2014, 05:19:29 AM |
|
Check this: https://coinreport.net/localbitcoins-report-stolen-funds/ On reddit, user don4of4 posted a warning to fellow LocalBitcoins.com users that sellers and buyers have been reporting news of stolen funds from their wallets on the website. The user said that he didn’t believe all of the commotion, but when his 5 Bitcoin were transferred from his account without his knowledge, even though he had a 30 character random password and GAuth, he realized something was really wrong. Having a 2FA does not always guard you from robbery and hacking.
I know it's not like if I'm using 2FA then no one can hack me! But I want to know what techniques they might use. Like, to get my password they can easily get it through a phishing link or keylogs, but how do they invade 2FA? Because I'm getting the OTP on my mobile.
Consider it could be a corrupt admin of the online service you use. Can't protect against that other than keeping your coins in your own wallet.
Hmm... So that is the worst-case scenario. No one can protect me if that's the case! But other than that, I hope I'm secure from other filthy hackers that send phishing mails and malicious software to get my ID/pass.
|
|
|
|
shorena
|
|
April 18, 2014, 05:20:55 AM |
|
Well, if someone gets your session key they are pretty much logged in already; no 2FA can help you there. Withdrawal should always be something you have to confirm. The localbitcoins incident looks like a stolen session key. http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/ What to do? Well, the usual - don't stay logged in after you are done - don't click any strange links. The best thing would probably be to not click links at all, but I don't think that's feasible.
|
I'm not really here, it's just your imagination.
|
|
|
solarion
|
|
April 18, 2014, 05:26:11 AM |
|
*THIS* is why we can't have nice things.
|
|
|
|
Light
|
|
April 18, 2014, 05:32:51 AM |
|
I use 2-step login verification in almost every online service which provides it! I want to know: is it possible for someone to invade 2-step verification while logging in? I mean, if someone uses phishing they can get my password; is it possible to do any similar kind of trick to get past 2-step verification? If yes, how do I protect myself? Yeah, I know I have to be very conscious about every link I click and every page I visit, but other than that?
For a time-based 2FA, unless they have the secret you've shared there's no way they will be able to brute-force it before it changes. I suppose they could guess it, but it's like a 1 in 999,999 chance literally to get it right. Basically, it means you're far safer having 2FA than with just a password alone - the only way you'll be compromised is a server side flaw, a scam by the site owner, or you lose your secret key and your password to the same person.
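Two server-side points raised in this thread (the time-based code depends on a shared secret, and a withdrawal should be confirmed even inside a logged-in session), shown as an added example that is not code from any poster or from a site mentioned here. `Account`, `check_code` and `withdraw` are hypothetical names, the secret is the RFC 6238 test key, and HMAC-SHA1 with 30-second steps and 6 digits is the assumed parameter set.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key ("12345678901234567890" in Base32); constructed sample, not a real secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the number of `step`-second periods since the epoch."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:  # hypothetical server-side record
    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.last_step = -1  # newest time step whose code was already accepted
        self.failures = 0

    def check_code(self, code, now, step=30, max_failures=5):
        if self.failures >= max_failures:
            return False  # locked out: online guessing stops here
        current = int(now) // step
        for s in (current - 1, current):  # tolerate one step of clock drift
            # s > last_step makes every code single-use, so a captured code cannot be replayed
            if s > self.last_step and hmac.compare_digest(totp(self.secret, s * step), code):
                self.last_step, self.failures = s, 0
                return True
        self.failures += 1
        return False

def withdraw(account, session_valid, code, now):
    """A valid session alone never moves funds; a fresh code is required each time."""
    if not session_valid:
        return "denied: no session"
    if not account.check_code(code, now):
        return "denied: fresh code required"
    return "ok"

if __name__ == "__main__":
    acct = Account(RFC_SECRET)
    print(withdraw(acct, True, "", 59))                    # session only
    print(withdraw(acct, True, totp(RFC_SECRET, 59), 59))  # session + current code
    print(withdraw(acct, True, totp(RFC_SECRET, 59), 59))  # same code again
```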
|
|
|
|
rohnearner (OP)
|
|
April 18, 2014, 05:33:32 AM |
|
Well, if someone gets your session key they are pretty much logged in already; no 2FA can help you there. Withdrawal should always be something you have to confirm. The localbitcoins incident looks like a stolen session key. http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/ What to do? Well, the usual - don't stay logged in after you are done - don't click any strange links. The best thing would probably be to not click links at all, but I don't think that's feasible.
I got a good topic to study now! Will collect all the required info about session keys to know more about it and how to avoid falling into the trap! I can't even ask for links :p as you mentioned, don't click links :p
|
|
|
|
rohnearner (OP)
|
|
April 18, 2014, 05:36:59 AM |
|
I use 2-step login verification in almost every online service which provides it! I want to know: is it possible for someone to invade 2-step verification while logging in? I mean, if someone uses phishing they can get my password; is it possible to do any similar kind of trick to get past 2-step verification? If yes, how do I protect myself? Yeah, I know I have to be very conscious about every link I click and every page I visit, but other than that?
For a time-based 2FA, unless they have the secret you've shared there's no way they will be able to brute-force it before it changes. I suppose they could guess it, but it's like a 1 in 999,999 chance literally to get it right. Basically, it means you're far safer having 2FA than with just a password alone - the only way you'll be compromised is a server side flaw, a scam by the site owner, or you lose your secret key and your password to the same person.
Or the hackers succeed in stealing my mobile number, or any other device used in the process!
|
|
|
|
shorena
|
|
April 18, 2014, 05:39:59 AM |
|
Well, if someone gets your session key they are pretty much logged in already; no 2FA can help you there. Withdrawal should always be something you have to confirm. The localbitcoins incident looks like a stolen session key. http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/ What to do? Well, the usual - don't stay logged in after you are done - don't click any strange links. The best thing would probably be to not click links at all, but I don't think that's feasible.
I got a good topic to study now! Will collect all the required info about session keys to know more about it and how to avoid falling into the trap! I can't even ask for links :p as you mentioned, don't click links :p
Probably a good way to start researching is the Steam hacks or Steam account hijacks. People take over Steam accounts with just a link clicked from within Steam chat. And Steam uses this 2FA auth system if you want to log in on a new system. They send you a mail with a code that's valid for only a short period of time. And even if you get that person's Steam password and mail password, you have to wait 14 days on the new system to trade. But people get robbed all the time.
|
I'm not really here, it's just your imagination.
|
|
|
rohnearner (OP)
|
|
April 18, 2014, 05:49:33 AM |
|
Well, if someone gets your session key they are pretty much logged in already; no 2FA can help you there. Withdrawal should always be something you have to confirm. The localbitcoins incident looks like a stolen session key. http://www.reddit.com/r/Bitcoin/comments/23a26k/breaking_remove_your_btc_from_localbitcoins/ What to do? Well, the usual - don't stay logged in after you are done - don't click any strange links. The best thing would probably be to not click links at all, but I don't think that's feasible.
I got a good topic to study now! Will collect all the required info about session keys to know more about it and how to avoid falling into the trap! I can't even ask for links :p as you mentioned, don't click links :p
Probably a good way to start researching is the Steam hacks or Steam account hijacks. People take over Steam accounts with just a link clicked from within Steam chat. And Steam uses this 2FA auth system if you want to log in on a new system. They send you a mail with a code that's valid for only a short period of time. And even if you get that person's Steam password and mail password, you have to wait 14 days on the new system to trade. But people get robbed all the time.
Pointing out a flaw in a system is always easier than building a system and maintaining it! This is what hackers do. A coder builds a site from scratch like a builder builds a building; then, after the builder finishes the building, someone comes for inspection and tells him that there is some flaw in the wiring and the whole building might catch fire if not repaired! It's the same story with hackers: they look into the website, find flaws and exploit any vulnerability they find! It's very hard to create a flawless system...
|
|
|
|
Light
|
|
April 18, 2014, 05:55:39 AM |
|
Or the hackers succeed in stealing my mobile number, or any other device used in the process!
Unless you've rooted your phone or done some crazy crap to it, it's unlikely that hackers will have access to your phone. It's far more probable you lose your phone/it gets stolen. Even then you should be able to request a new 2FA be set up and you're good to go (remember to back up your secret key by printing it out or writing it down).
|
|
|
|
rohnearner (OP)
|
|
April 18, 2014, 05:59:33 AM |
|
Or the hackers succeed in stealing my mobile number, or any other device used in the process!
Unless you've rooted your phone or done some crazy crap to it, it's unlikely that hackers will have access to your phone. It's far more probable you lose your phone/it gets stolen. Even then you should be able to request a new 2FA be set up and you're good to go (remember to back up your secret key by printing it out or writing it down).
Yeah, I know the probability of someone stealing my mobile to get past 2FA is on the very low side, but we never know, maybe a person sitting next to me becomes greedy and ...!
|
|
|
|
Equate
|
|
April 18, 2014, 06:04:19 AM |
|
I once updated my Android device and it fucked up the Google Authenticator, but I had screenshots of all the QR codes, so it's better to save the QR codes or secret key to save you from trouble.
|
|
|
|
rohnearner (OP)
|
|
April 18, 2014, 06:07:10 AM |
|
I once updated my Android device and it fucked up the Google Authenticator, but I had screenshots of all the QR codes, so it's better to save the QR codes or secret key to save you from trouble.
I have a nice backup of all the required info offline on multiple hard drives and also some on paper.
|
|
|
|
Equate
|
|
April 18, 2014, 06:19:51 AM |
|
I once updated my Android device and it fucked up the Google Authenticator, but I had screenshots of all the QR codes, so it's better to save the QR codes or secret key to save you from trouble.
I have a nice backup of all the required info offline on multiple hard drives and also some on paper.
That's a good strategy to save yourself.
|
|
|
|
bryant.coleman
|
|
April 18, 2014, 06:21:44 AM |
|
Consider it could be a corrupt admin of the online service you use. Can't protect against that other than keeping your coins in your own wallet.
I thought that localbitcoins.com was a very reliable and trusted site. But after the Mt Gox fiasco, I am not going to trust anyone too much. In this case, the fiat was being converted to BTC, and was stolen at this stage. So... keeping the coins in an offline wallet argument doesn't matter here.
|
|
|
|
cp1
|
|
April 18, 2014, 06:29:30 AM |
|
The only way would be to steal your 2 factor secret code or to use a man in the middle attack. It's much more likely that they get into your account through means other than directly logging in.
|
|
|
|
jodybay
|
|
April 18, 2014, 06:44:49 AM |
|
And if they successfully installed the keylogger and got able to know your email address, then they can steal your coins even though you have a 2FA.
|
|
|
|