Bitcoin Forum
Author Topic: successful phishing attack - what to do - mtgox sucks  (Read 1067 times)
iopo (OP)
April 18, 2012, 05:20:28 AM  #1

Hi everybody,
yes, I'm stupid. But the problem now is: what to do now?

these guys were successful with me:
https://bitcointalk.org/index.php?topic=58606.0

mostly because I had submitted all the docs for verification to mtgox a few days ago. My question is about mtgox responsibility:

- the fact that they had my email is due to mtgox negligence
- mtgox executes every BTC transfer request immediately, and I think this is a design flaw. Given the number of phishing attacks (due - again - to mtgox negligence) I would expect a delay between the initiation of the transfer and its execution. I have contacted mtgox 2 min (!!) after the account was compromised - and all the BTC were already gone. A 5 min delay would have been enough to prevent this mess (anyway it takes about 1 h for the network to update - so I don't see how this would affect the user experience).

of course mtgox said: sorry, it is your problem! To me, this is unacceptable.

Any thoughts?
Raoul Duke (aka psy)
April 18, 2012, 05:24:05 AM  #2

They are right, and what you said in the first sentence of the second line of your post sums it up pretty nicely.

MtGox has a fucking green SSL bar. I doubt any phishing site will have an EV SSL cert.
Also, don't you have the habit of looking at the lower left corner of your browser/mail client and seeing if the link you are hovering over with your mouse matches the link in the text before you click it? You should get into the habit of doing it. It really helps.

To answer your question about what to do: You eat the loss. Ultimately it was your fault, sorry.
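The check Raoul Duke describes, hovering a link to see whether its real target matches the address shown in the text, can be automated over the HTML of a suspect mail. This is an added example in Python, not code from the thread or from Mt.Gox; the sample mail body and the look-alike host name in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail; mtgox-verify.example.net is a placeholder look-alike host.
SAMPLE_MAIL = """<p>Verify your account:
<a href="http://mtgox-verify.example.net/login">https://mtgox.com/login</a></p>
<p>Or visit <a href="https://mtgox.com/">https://mtgox.com/</a></p>
<p><a href="https://www.example.org/x">Read more</a></p>"""


def host_of(s):
    # Accept visible text such as "mtgox.com/login" that carries no scheme.
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def mismatch_reason(text, href):
    """Why an anchor is suspicious, or '' if visible text and target agree."""
    target = host_of(href)
    # Only compare when the visible text itself looks like a URL or hostname.
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and target and shown != target and not target.endswith("." + shown):
        return f"text shows {shown} but href goes to {target}"
    return ""


class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self._href = None       # href of the <a> currently open, else None
        self._text = []
        self.findings = []      # (visible_text, href, reason)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            reason = mismatch_reason(text, self._href)
            if reason:
                self.findings.append((text, self._href, reason))
            self._href = None


def audit_links(html):
    p = LinkAuditor()
    p.feed(html)
    return p.findings
```

Running `audit_links(SAMPLE_MAIL)` flags only the first link, whose text shows mtgox.com while the href points at the look-alike host; a link whose text is plain words is not compared.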
Dutch Merganser
April 18, 2012, 05:31:32 AM  #3

They are right, and what you said in the first sentence of the second line of your post sums it up pretty nicely.

MtGox has a fucking green SSL bar. I doubt any phishing site will have an EV SSL cert.

To answer your question about what to do: You eat the loss. Ultimately it was your fault, sorry.
Compromised SSL certificates are a hot property, there may actually be enough money in bitcoin fraud to make buying one cost-effective. Actually, the pricing I've seen slides depending on the site.

http://www.formtek.com/blog/?p=2851

"Science flies you to the Moon, religion flies you into buildings."
 - Victor Stenger

"Religion is regarded by the common people as true, by the wise as false, and the rulers as useful."
 - Seneca the Elder (ca. 54 BCE - ca. 39 CE) Roman rhetorician
Serenata
April 18, 2012, 05:37:51 AM  #4

If you saw a really cool price in MtGox, you would hate the five minute delay in every transaction you're proposing. I think the fast processing of transactions is considered a plus+++ for exchanges.

BitcoinX.gr - The Greek Bitcoin hangout
Dutch Merganser
April 18, 2012, 05:45:17 AM  #5

If you saw a really cool price in MtGox, you would hate the five minute delay in every transaction you're proposing. I think the fast processing of transactions is considered a plus+++ for exchanges.
5 minutes could present quite an arbitrage opportunity if queued orders were visible, but if it ever happens it would only be due to a malfunction, period.

iopo (OP)
April 18, 2012, 07:39:02 AM  #6

If you saw a really cool price in MtGox, you would hate the five minute delay in every transaction you're proposing. I think the fast processing of transactions is considered a plus+++ for exchanges.

The five-minute delay would be for the withdrawal of BTC, not for the exchange of BTC. Given the number of attacks going around, and given that it is ultimately their fault for having given out our emails, I would have expected something like that.

Also, the BTC withdrawal from my account was automated - it took about 10 sec between the moment I entered the password and the moment I was notified of the withdrawal. Captcha anyone?

Yes, I was stupid. But this must be the 30th phishing email I've received. And so it happened that I had just submitted my documents for identity verification. Of course, I don't put the blame entirely on MtGox, but I was expecting them to have set up some extra security measures.
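The control the OP asks for in posts #1 and #6, a hold between a withdrawal request and its execution so that a compromise reported two minutes later can still stop the transfer, as an added example in Python. It is not Mt.Gox's code or anything from the thread; the class and method names are hypothetical and the five-minute figure is taken from the OP's suggestion.

```python
from dataclasses import dataclass

HOLD_SECONDS = 5 * 60  # the five-minute withdrawal hold proposed in the thread


@dataclass
class Withdrawal:
    wid: int
    account: str
    amount_btc: float
    requested_at: float          # seconds, e.g. time.time()
    status: str = "pending"      # pending -> executed | cancelled


class WithdrawalQueue:
    def __init__(self, hold_seconds=HOLD_SECONDS):
        self.hold = hold_seconds
        self._items = {}
        self._next_id = 1

    def request(self, account, amount_btc, now):
        w = Withdrawal(self._next_id, account, amount_btc, now)
        self._items[w.wid] = w
        self._next_id += 1
        return w.wid

    def cancel(self, wid, now):
        """Owner or support cancels a withdrawal still inside its hold window."""
        w = self._items[wid]
        if w.status == "pending" and now < w.requested_at + self.hold:
            w.status = "cancelled"
            return True
        return False

    def freeze_account(self, account, now):
        """Reported compromise: cancel every pending withdrawal for the account."""
        pending = [w for w in self._items.values() if w.account == account]
        return sum(self.cancel(w.wid, now) for w in pending)

    def process(self, now, send):
        """Execute withdrawals whose hold has elapsed; `send` does the transfer."""
        done = []
        for w in self._items.values():
            if w.status == "pending" and now >= w.requested_at + self.hold:
                send(w.account, w.amount_btc)
                w.status = "executed"
                done.append(w.wid)
        return done

    def status(self, wid):
        return self._items[wid].status
```

A withdrawal requested at t=0 and reported to support at t=120 is cancelled by `freeze_account` before `process` ever sends it; one left alone executes once the hold has elapsed and can no longer be cancelled.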
Raoul Duke (aka psy)
April 18, 2012, 07:48:55 AM  #7

If you saw a really cool price in MtGox, you would hate the five minute delay in every transaction you're proposing. I think the fast processing of transactions is considered a plus+++ for exchanges.

The five-minute delay would be for the withdrawal of BTC, not for the exchange of BTC. Given the number of attacks going around, and given that it is ultimately their fault for having given out our emails, I would have expected something like that.

Also, the BTC withdrawal from my account was automated - it took about 10 sec between the moment I entered the password and the moment I was notified of the withdrawal. Captcha anyone?

Yes, I was stupid. But this must be the 30th phishing email I've received. And so it happened that I had just submitted my documents for identity verification. Of course, I don't put the blame entirely on MtGox, but I was expecting them to have set up some extra security measures.

Aren't you asking too much from someone who clearly can't even protect themselves?
iopo (OP)
April 18, 2012, 09:06:47 AM  #8

An interesting email exchange with mtgox

Mtgox: Our system is designed to protect our users from phishing attacks. Unfortunately, if a user herself has given the login information to the hacker, we cannot prevent the theft or damage caused. We apologize for any inconvenience caused.

me: I gave them the password, you gave them my email!

To be more precise, since the attack originates from a stolen email, rather than at 'identity theft' it qualifies as 'impersonation fraud', where MtGox is being fraudulently impersonated. It is as if someone knocks at my door claiming to be from Comcast when he is not. The key point here is that if this person has something that can qualify him as a legitimate Comcast agent (a stolen ID, or badge, or something else), Comcast is the victim of an impersonation fraud. Hence Comcast should reimburse me, and then should go after the impersonators.

Hence my question: after you become aware that someone was impersonating you unlawfully, using the email list that was stolen from you, did you take any step to stop this person from impersonating you?

Mtgox: We apologize for any inconvenience caused. As explained before, there is no way of proving that your account was in fact compromised, or that it was the Mt.Gox database leak that caused this to happen.

me: "there is no way of proving that your account was in fact compromised." Similarly, there is no way for me to know that mtgox is not in cahoots with whoever sent me that email. Hence my request to see a police report, or any evidence showing that mtgox took some action to stop that scam.

mtgox: We feel sorry that you feel this way. We will be waiting for the police report.
Kluge (Donator)
April 18, 2012, 09:24:52 AM  #9

//

Edit: Never mind. I'll quit being an asshole, now.