Bitcoin Forum
December 03, 2016, 05:56:19 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: I suspect GPUMax was compromised and passwords stolen  (Read 5732 times)
molecular
Donator
Legendary
*
Offline Offline

Activity: 2128



View Profile
June 02, 2012, 05:46:50 PM
 #21

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

nefario. this is great, so your effort already payed off. congrats!

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
1480787779
Hero Member
*
Offline Offline

Posts: 1480787779

View Profile Personal Message (Offline)

Ignore
1480787779
Reply with quote  #2

1480787779
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480787779
Hero Member
*
Offline Offline

Posts: 1480787779

View Profile Personal Message (Offline)

Ignore
1480787779
Reply with quote  #2

1480787779
Report to moderator
REF
Hero Member
*****
Offline Offline

Activity: 526


View Profile
June 02, 2012, 05:51:19 PM
 #22

Im sure he also asked if they had other accounts besides GPUmax. From what I see he did nothing wrong. He even tried contacting pirate, when he got no response he gave a warning to the community.

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

I dont remember where I saw the link but recently nefario posted a link to google auth desktop version.
bitlane
Internet detective
Sr. Member
****
Offline Offline

Activity: 462


I heart thebaron


View Profile
June 02, 2012, 05:58:54 PM
 #23

Im sure he also asked if they had other accounts besides GPUmax. From what I see he did nothing wrong. He even tried contacting pirate, when he got no response he gave a warning to the community.

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

I dont remember where I saw the link but recently nefario posted a link to google auth desktop version.

No, the right thing would have been to tell people to check their passwords and not blindly tell them (as I quoted above) that GPUMAX was to blame for this.

rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
June 02, 2012, 06:12:21 PM
 #24

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.
Several ways. Yubikey is my personal favorite, but here is a bunch of links:

http://yubico.com/ <-- The makers of the Yubikey
http://www.symantec.com/verisign/vip-authentication-service <-- paid service that PayPal and many others use for authentication. Yubico makes a credential that is compatible with this service as well.
http://onlinenoram.gemalto.com/ <-- TOTP token that AWS uses for authentication, made by Gemalto. This is a dedicated device that can do the same thing as Google Auth, without the phone.
http://motp.sourceforge.net/#7 <-- links to lots of tokens and related software.
https://lastpass.com/ <-- password storage software that works on almost any platform and almost any browser, and that can use 2-factor auth for logging in.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
imsaguy
General failure and former
VIP
Hero Member
*
Offline Offline

Activity: 574

Don't send me a pm unless you gpg encrypt it.


View Profile WWW
June 02, 2012, 06:23:22 PM
 #25

How many of those users had bitcoinica accounts?

Coming Soon!™ © imsaguy 2011-2013, All rights reserved.

EIEIO:
https://bitcointalk.org/index.php?topic=60117.0

Shades Minoco Collection Thread: https://bitcointalk.org/index.php?topic=65989
Payment Address: http://btc.to/5r6
bitlane
Internet detective
Sr. Member
****
Offline Offline

Activity: 462


I heart thebaron


View Profile
June 02, 2012, 06:48:08 PM
 #26

How many of those users had bitcoinica accounts?

Please stay on topic. This is clearly GPUMAX's fault (as stated in the first post).
It couldn't possibly have anything to do with another service  Roll Eyes

...I mean, just look at GPUMAX's (and Pirate's....in general) track record when it comes to security and loss.

Please re-apply tunnel vision and/or add blinders to continue this conversation Wink

Stephen Gornick
Legendary
*
Offline Offline

Activity: 1988



View Profile
June 02, 2012, 07:14:49 PM
 #27

Probably unrelated, but just wanted to bring it up in case it is relevant:

"My mtgox account got compromised, what can I do?" [June 1, 2012]
 - http://bitcointalk.org/index.php?topic=84585.0

FreeMoney
Legendary
*
Offline Offline

Activity: 1246


Strength in numbers


View Profile WWW
June 02, 2012, 07:44:58 PM
 #28

How many of those users had bitcoinica accounts?

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
TT
Member
**
Offline Offline

Activity: 77



View Profile
June 02, 2012, 07:51:12 PM
 #29

I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalk.org/index.php?topic=84585.msg937236#msg937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.
smickles
Sr. Member
****
Offline Offline

Activity: 446



View Profile WWW
June 02, 2012, 10:09:18 PM
 #30

http://yourlogicalfallacyis.com/false-cause

rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
June 02, 2012, 10:14:08 PM
 #31

"cum hoc ergo propter hoc"

<3 latin

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1302


Bitcoin: An Idea Worth Spending


View Profile
June 03, 2012, 01:35:02 AM
 #32


Math Man
Full Member
***
Offline Offline

Activity: 150


View Profile
June 03, 2012, 01:54:43 AM
 #33

I think this thread belongs in the "speculation" sub-category.  Better yet, create a "wild speculation" sub-category.  It would fit better there.
FreeMoney
Legendary
*
Offline Offline

Activity: 1246


Strength in numbers


View Profile WWW
June 03, 2012, 04:39:56 AM
 #34

The title needs to be changed imo.

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
dave3
Full Member
***
Offline Offline

Activity: 227


View Profile
June 03, 2012, 06:40:30 AM
 #35

Several ways. Yubikey is my personal favorite, but here is a bunch of links:

http://yubico.com/ <-- The makers of the Yubikey
http://www.symantec.com/verisign/vip-authentication-service <-- paid service that PayPal and many others use for authentication. Yubico makes a credential that is compatible with this service as well.
http://onlinenoram.gemalto.com/ <-- TOTP token that AWS uses for authentication, made by Gemalto. This is a dedicated device that can do the same thing as Google Auth, without the phone.
http://motp.sourceforge.net/#7 <-- links to lots of tokens and related software.
https://lastpass.com/ <-- password storage software that works on almost any platform and almost any browser, and that can use 2-factor auth for logging in.

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?
Stephen Gornick
Legendary
*
Offline Offline

Activity: 1988



View Profile
June 03, 2012, 06:44:55 AM
 #36

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?


The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something)

It doesn't work on other services where a Yubikey is used.

The Yubikey from Yubico works at Mt. Gox and [Edit: see rjk's correction below] elsewhere where Yubikeys are supported.

rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
June 03, 2012, 11:03:55 AM
 #37

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?


The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something)

It doesn't work on other services where a Yubikay is used.

The Yubikey from Yubico works at Mt. Gox and elsewhere where Yubikeys are supported.
Slight correction - only keys programmed by MtGox can be used with MtGox - you can't use one that you got direct from Yubico. The reason is that MtGox runs their own authentication server with their own keypairs, instead of using Yubico's free cloud authentication system.

However, any website that uses the free service provided by Yubico for authentication will support a generic device ordered from Yubico.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
molecular
Donator
Legendary
*
Offline Offline

Activity: 2128



View Profile
June 03, 2012, 12:04:31 PM
 #38

How many of those users had bitcoinica accounts?

+3 funny, FreeMoney

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Aseras
Hero Member
*****
Offline Offline

Activity: 658


View Profile
June 03, 2012, 06:43:07 PM
 #39

There is no perfect way. As soon as you make one someone else wind find a way to break it or work around it. If its accessible in any form. Someone can break in.
FreeMoney
Legendary
*
Offline Offline

Activity: 1246


Strength in numbers


View Profile WWW
June 03, 2012, 09:34:51 PM
 #40

There is no perfect way. As soon as you make one someone else wind find a way to break it or work around it. If its accessible in any form. Someone can break in.

Give up human!

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!