Bitcoin Forum
Pages: « 1 [2] 3 »  All
Author Topic: I suspect GPUMax was compromised and passwords stolen  (Read 6344 times)
molecular
Donator
Legendary
Activity: 2772
Merit: 1019
June 02, 2012, 05:46:50 PM  #21

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

nefario, this is great, so your effort already paid off. Congrats!

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
REF
Hero Member
Activity: 529
Merit: 500
June 02, 2012, 05:51:19 PM  #22

I'm sure he also asked if they had other accounts besides GPUmax. From what I see he did nothing wrong. He even tried contacting pirate; when he got no response, he gave a warning to the community.

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

I don't remember where I saw the link, but recently nefario posted a link to a Google Auth desktop version.
bitlane
Internet detective
Sr. Member
Activity: 462
Merit: 250
I heart thebaron
June 02, 2012, 05:58:54 PM  #23

I'm sure he also asked if they had other accounts besides GPUmax. From what I see he did nothing wrong. He even tried contacting pirate; when he got no response, he gave a warning to the community.

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

I don't remember where I saw the link, but recently nefario posted a link to a Google Auth desktop version.

No, the right thing would have been to tell people to check their passwords and not blindly tell them (as I quoted above) that GPUMAX was to blame for this.

rjk
Sr. Member
Activity: 448
Merit: 250
1ngldh
June 02, 2012, 06:12:21 PM  #24

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

Several ways. Yubikey is my personal favorite, but here is a bunch of links:

http://yubico.com/ <-- The makers of the Yubikey
http://www.symantec.com/verisign/vip-authentication-service <-- paid service that PayPal and many others use for authentication. Yubico makes a credential that is compatible with this service as well.
http://onlinenoram.gemalto.com/ <-- TOTP token that AWS uses for authentication, made by Gemalto. This is a dedicated device that can do the same thing as Google Auth, without the phone.
http://motp.sourceforge.net/#7 <-- links to lots of tokens and related software.
https://lastpass.com/ <-- password storage software that works on almost any platform and almost any browser, and that can use 2-factor auth for logging in.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
imsaguy
General failure and former VIP
Hero Member
Activity: 574
Merit: 500
Don't send me a pm unless you gpg encrypt it.
June 02, 2012, 06:23:22 PM  #25

How many of those users had bitcoinica accounts?

Coming Soon!™ © imsaguy 2011-2013, All rights reserved.

EIEIO:
https://bitcointalk.org/index.php?topic=60117.0

Shades Minoco Collection Thread: https://bitcointalk.org/index.php?topic=65989
Payment Address: http://btc.to/5r6
bitlane
Internet detective
Sr. Member
Activity: 462
Merit: 250
I heart thebaron
June 02, 2012, 06:48:08 PM  #26

How many of those users had bitcoinica accounts?

Please stay on topic. This is clearly GPUMAX's fault (as stated in the first post).
It couldn't possibly have anything to do with another service  Roll Eyes

...I mean, just look at GPUMAX's (and Pirate's....in general) track record when it comes to security and loss.

Please re-apply tunnel vision and/or add blinders to continue this conversation Wink

Stephen Gornick
Legendary
Activity: 2506
Merit: 1010
June 02, 2012, 07:14:49 PM  #27

Probably unrelated, but just wanted to bring it up in case it is relevant:

"My mtgox account got compromised, what can I do?" [June 1, 2012]
 - http://bitcointalk.org/index.php?topic=84585.0


FreeMoney
Legendary
Activity: 1246
Merit: 1014
Strength in numbers
June 02, 2012, 07:44:58 PM  #28

How many of those users had bitcoinica accounts?

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
TT
Member
Activity: 77
Merit: 10
June 02, 2012, 07:51:12 PM  #29
Last edit: June 02, 2012, 08:03:21 PM by TT

I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys, the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalk.org/index.php?topic=84585.msg937236#msg937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.
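TT's three-step proposal modeled as an added Python example (this is not TT's code or any exchange's implementation): a credential, whether web session or API key, carries an explicit withdraw-to-address right; withdrawals succeed only to whitelisted addresses; and changing the whitelist requires a valid TOTP code. The right name, the address strings and the TOTP secret (the RFC 6238 reference test secret) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses.
    No clock-drift window is applied here; a real verifier would accept +/-1 step."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


@dataclass(frozen=True)
class Credential:
    """A web session or an API key; both carry an explicit set of rights (step 1)."""
    owner: str
    rights: frozenset  # e.g. {"trade"} or {"trade", "withdraw_to_btc_address"} (assumed names)


@dataclass
class Account:
    totp_secret: bytes
    balance: float
    whitelist: set = field(default_factory=set)  # owner-approved destination addresses

    def change_whitelist(self, address: str, code: str, unix_time: int, add: bool = True):
        """Step 3: adding or removing a whitelisted address always needs the second factor."""
        if not hmac.compare_digest(code, totp(self.totp_secret, unix_time)):
            raise PermissionError("valid second-factor code required to change the whitelist")
        (self.whitelist.add if add else self.whitelist.discard)(address)

    def withdraw_to_address(self, cred: Credential, address: str, amount: float) -> float:
        """Steps 1 and 2: a distinct right, and only to addresses on the owner's whitelist."""
        if "withdraw_to_btc_address" not in cred.rights:
            raise PermissionError("credential lacks the withdraw-to-bitcoin-address right")
        if address not in self.whitelist:
            raise PermissionError("destination address is not on the whitelist")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        return self.balance
```

With this model a stolen API key or hijacked web session can still only move coins to addresses the owner approved with their second factor, which is the property TT is after.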
smickles
Sr. Member
Activity: 446
Merit: 250
June 02, 2012, 10:09:18 PM  #30

http://yourlogicalfallacyis.com/false-cause

rjk
Sr. Member
Activity: 448
Merit: 250
1ngldh
June 02, 2012, 10:14:08 PM  #31

"cum hoc ergo propter hoc"

<3 latin

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Phinnaeus Gage
Legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
June 03, 2012, 01:35:02 AM  #32


Math Man
Full Member
Activity: 150
Merit: 100
June 03, 2012, 01:54:43 AM  #33

I think this thread belongs in the "speculation" sub-category.  Better yet, create a "wild speculation" sub-category.  It would fit better there.
FreeMoney
Legendary
Activity: 1246
Merit: 1014
Strength in numbers
June 03, 2012, 04:39:56 AM  #34

The title needs to be changed imo.

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
dave3
Sr. Member
Activity: 344
Merit: 250
June 03, 2012, 06:40:30 AM  #35

Several ways. Yubikey is my personal favorite, but here is a bunch of links:

http://yubico.com/ <-- The makers of the Yubikey
http://www.symantec.com/verisign/vip-authentication-service <-- paid service that PayPal and many others use for authentication. Yubico makes a credential that is compatible with this service as well.
http://onlinenoram.gemalto.com/ <-- TOTP token that AWS uses for authentication, made by Gemalto. This is a dedicated device that can do the same thing as Google Auth, without the phone.
http://motp.sourceforge.net/#7 <-- links to lots of tokens and related software.
https://lastpass.com/ <-- password storage software that works on almost any platform and almost any browser, and that can use 2-factor auth for logging in.

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?
Stephen Gornick
Legendary
Activity: 2506
Merit: 1010
June 03, 2012, 06:44:55 AM  #36
Last edit: June 03, 2012, 09:15:01 PM by Stephen Gornick

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?


The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something)

It doesn't work on other services where a Yubikey is used.

The Yubikey from Yubico works at Mt. Gox and [Edit: see rjk's correction below] elsewhere where Yubikeys are supported.



rjk
Sr. Member
Activity: 448
Merit: 250
1ngldh
June 03, 2012, 11:03:55 AM  #37

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?


The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something)

It doesn't work on other services where a Yubikey is used.

The Yubikey from Yubico works at Mt. Gox and elsewhere where Yubikeys are supported.

Slight correction - only keys programmed by MtGox can be used with MtGox - you can't use one that you got direct from Yubico. The reason is that MtGox runs their own authentication server with their own keypairs, instead of using Yubico's free cloud authentication system.

However, any website that uses the free service provided by Yubico for authentication will support a generic device ordered from Yubico.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
molecular
Donator
Legendary
Activity: 2772
Merit: 1019
June 03, 2012, 12:04:31 PM  #38

How many of those users had bitcoinica accounts?

+3 funny, FreeMoney

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Aseras
Hero Member
Activity: 658
Merit: 500
June 03, 2012, 06:43:07 PM  #39

There is no perfect way. As soon as you make one, someone else will find a way to break it or work around it. If it's accessible in any form, someone can break in.
FreeMoney
Legendary
Activity: 1246
Merit: 1014
Strength in numbers
June 03, 2012, 09:34:51 PM  #40

There is no perfect way. As soon as you make one, someone else will find a way to break it or work around it. If it's accessible in any form, someone can break in.

Give up human!

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.