MTGOX really is affecting me being able to feed my family

[Kazimir]

Well,I lost $200,somehow my account was hacked (no password changed,I was able to login)
[....]
I'll be using another exchange.

P.S. my PC is very secure.

That sucks man I assume you changed your password in the mean time?

Did you *ever* use the previous password (the one that was comprimised) on any other website or service or phone or anything?

Was it an easy to guess or bruteforce password? Or rather, if you're sure you're not using that password any longer (which you shouldn't), what was it? Just curious, cause some people really seem to have a twisted ideas about the strength of their password.

[1715320380]

1715320380

[1715320380]

1715320380

[1715320380]

1715320380

[1715320380]

1715320380

[Stephen Gornick]

P.S. my PC is very secure.

Which version of Windows are you running?

[Kazimir]

P.S. my PC is very secure.

Which version of Windows are you running?

I assume you mean: which version of Linux?

He said it's very secure, so obviously he's not running Mac OS X or Windows.

[Stephen Gornick]

P.S. my PC is very secure.

Which version of Windows are you running?

I assume you mean: which version of Linux?

He said it's very secure, so obviously he's not running Mac OS X or Windows.

No I meant Windows.  I'm guessing it was Windows, and wanted a good opportunity to explain how one running Windows cannot make the statement "my PC is very secure".  And to recommend how anyone, particularly someone running Windows, with more than pocket change worth of funds on their exchange should be using two factor authentication.

[TangibleCryptography]

One thing I have asked for in the past and never gotten a response from MtGox on is a IRREVOCABLE DELAY TIMER.
Make it optional but it could add security and prevent thefts like this.  Pretty simple concept.

User sets a irrevocable waiting period of sending coins.  
User understands when setting it that it can't be removed without waiting the same amount of time (i.e. if you remove a 60 min waiting period it takes 60 minutes before it is removed).

So it works like this:
1) Attack attempts to send coins.
2) MtGox accepts the requests and delays it x minutes (preset by user).
3) MtGox sends email (and SMS it is 2012) to user with amount of coins, address, and a CANCEL THIS IS FRAUD link.
4) If user clicks cancel link it DOESN'T require a password (as attacker may have changed it), the tx is canceled and account frozen
5) If tx is legit delay timer expires and funds are sent.

It allows users to set the level of security they want.  Users who want ability to instantly send coins can use default 0 min delay timer.  Cautious users could use a delay timer of 30 min.  Ultra paranoid could use a delay time of 240 min.  Combined with email and SMS notifications it becomes very difficult for an attacker to transfer coins off site.

Now using the same process the user could WHITE LIST certain addresses which don't need to be delayed.  Obviously adding an address to the whitelist requires the delay (as would changing email or SMS phone #).  User gets emails (w/ fraud link) for adding a whitelisted addess, changing delay timer, removing delay period, changing email/phone, and sending coins.


Maybe I should trademark the term "warm wallet" (i.e. it isn't a "hot wallet" or "cold wallet" but a "warm wallet")?

[Raoul Duke]

P.S. my PC is very secure.

But you are not. You can't buy an anti-stupidity software, you know?

Stop clicking links to phishing sites inside phishing emails.

[rjk]

I would like answers to my questions about network security. It seems that the recent claims of compromise are made by those that don't want to discuss whether their network is secure.

I want to know:
Have you used or are you using Tor?
Have you used or are you using a VPN?
Are you on a corporate network?
(And further to the above, has your company admin installed a company trusted root certificate on your box)
Have you ever clicked a link to mtgox in an email?

Also, since your password is unique for all sites, I'm sure you will have no problem sharing it with us for analysis since we can assume it has been compromised.

There's no point posting here asking for help if we can't have the information to help you.

[Kazimir]

And to recommend how anyone, particularly someone running Windows, with more than pocket change worth of funds on their exchange should be using two factor authentication.

How do you go about two factor authentication, when using a local wallet / BTC client?

Personally I use an encrypted wallet, and run a client inside a VM which is on an encrypted truecrypt container which I only mount to run bitcoin. Still, everything occurs at my computer locally. Do you have something else in mind when you advocate two factor authentication?

[Inaba]

The solution is to stop using MTGox.  Their constant lies about funding times and delay after delay is indicative of a larger problem that they are not admitting to (insolvency, outright fraud, using funds interest free?  Who knows).  But the fact is, they continually lie about what is going on and the "reason" why they somehow can't complete requests. 

They are a, in a nutshell, incredibly dishonest and people need to stop using them.  Find another exchange.

[cryptoanarchist]

Their withdraw problems from wire transfers to Dwolla delays is just too much now. Why is it that I have to complain here bout them for them to do anything about my delays? As soon as I do it's like they do me a small favor and clear a little of the lot of money I have withdrawn but still has not shown up in my accounts. I'm fully verified with them and was thinking about becoming a trusted member but it just seems like it's not worth it. I used to have a great relationship with them as they used to be the best at Customer support and quickness of withdrawing but it's gone down hill the last two months and now I find myself with investments in BTC with MTGOX that I'm not getting my paid and not being able to support my family because of the amount of money they have held up of mine. Something needs to be done about this. Please magicaltux or anyone from MTGOX tell us the truth of what's going on.

Why are you using MtGox if you need to be able to withdraw on a timely basis?

Have you done ANY research on these companies? MtGox is notoriously slow with notoriously crappy customer service. The folks at Dwolla are confirmed scammer douchebags who change their TOS to rip people off.

[Unacceptable]

I would like answers to my questions about network security. It seems that the recent claims of compromise are made by those that don't want to discuss whether their network is secure.

I want to know:
Have you used or are you using Tor?
Have you used or are you using a VPN?
Are you on a corporate network?
(And further to the above, has your company admin installed a company trusted root certificate on your box)
Have you ever clicked a link to mtgox in an email?

Also, since your password is unique for all sites, I'm sure you will have no problem sharing it with us for analysis since we can assume it has been compromised.

There's no point posting here asking for help if we can't have the information to help you.

Never used TOR
Never been part of a VPN
Private home network behind a router with firewall & AV installed (Avast),but use other AV's when necessary.
Never click on any emails from any one I don't know personally.

My old PW was Capri200,kinda simple but I won't forget it.I'm not a software guru or crypto phreak.No I did not use that PW anywhere else ever.

I use Win 7 64 bit.I have been building PC's for 12 years,so I'm not new to the PC enviroment,just a little naive I guess.I know all about phising emails & never click any links in emails or websites without thinking,if I need to do so I use a spare PC that I can "sacrifice" by reinstalling (I have 4 PC's in my room for gaming & surfing).

My situation is exactly like this one:

https://bitcointalk.org/index.php?topic=84585.0

I would've posted there,but I didn't browse the threads far enough

[Stephen Gornick]

And to recommend how anyone, particularly someone running Windows, with more than pocket change worth of funds on their exchange should be using two factor authentication.

How do you go about two factor authentication, when using a local wallet / BTC client?

Personally I use an encrypted wallet, and run a client inside a VM which is on an encrypted truecrypt container which I only mount to run bitcoin. Still, everything occurs at my computer locally. Do you have something else in mind when you advocate two factor authentication?

Well, that comment was describing how two factor authentication (which Mt. Gox offered first with Yubikey, and as of a few hours ago now supports Google Authenticator as well) is needed for using Mt. Gox, especially on Windows, but really all platforms, to be protected from these password-only thefts.

For a local wallet / BTC client there's no concept of two factor, and thus there needs to be a level of security appropriate for the risk.  For larger amounts, there's a secure method -- an air gapped system used for transacting.  When M of N transactions are implemented, that will help to lessen the risk of theft as well.

For now, what you have is probably much more secure than what most do, but it still is vulnerable if your host is compromised, say from a 0-day.  Or let's say some thieving software engineer at ATI slipped in a wallet stealer into their GPU driver binaries.  We'ld probably never know until after the wallets are gone.  (Your VM image probably wouldn't run the ATI binary driver so you'ld probably be safe from that specific vulnerability.)

[Stephen Gornick]

My old PW was Capri200,kinda simple but I won't forget it.I'm not a software guru or crypto phreak.No I did not use that PW anywhere else ever.

Root cause detected (most likely):
 - https://passfault.appspot.com/password_strength.html#menu

Would be nice if Mt. Gox (and other exchanges) would warn if a weak password is entered.
 - http://en.wikipedia.org/wiki/Password_strength

Use secure passwords, and use KeePass or LastPass:
 - http://superuser.com/questions/432844/how-do-i-securely-store-and-manage-180-passwords

[Unacceptable]

The solution is to stop using MTGox.  Their constant lies about funding times and delay after delay is indicative of a larger problem that they are not admitting to (insolvency, outright fraud, using funds interest free?  Who knows).  But the fact is, they continually lie about what is going on and the "reason" why they somehow can't complete requests. 

They are a, in a nutshell, incredibly dishonest and people need to stop using them.  Find another exchange.

Personally,I'll only use MTgox for "at the moment trades",if I ever use them again,I'll never leave any coins or money in there again & I recommend everyone to do the same.

I was trading my cash for coins & vise versa,I made 15 BTC in 6 weeks this way,buy low sell high.I thought thier site was secure.I have an IT network guy coming over to scan my PC today,I'll let you guys know what we find.

[rjk]

Thanks for the answers. The simple answer is that that is an extremely easy password that any dictionary cracking system would have found quickly. You may be interested in LastPass to generate secure passwords that are per-site and store them for you. However, LastPass is only as strong as your master password, unless you use it with a yubikey.

[Unacceptable]

Thanks for the answers. The simple answer is that that is an extremely easy password that any dictionary cracking system would have found quickly. You may be interested in LastPass to generate secure passwords that are per-site and store them for you. However, LastPass is only as strong as your master password, unless you use it with a yubikey.

  NP

I just want to figure out WHY this is happening Yes my PW might have been easy to break 

The answer can't be using yubikey(if you lose it,you lose anyhow) or lastpass or whatever.If everyone has to be that secure minded then BTC will NEVER go mainstream.80% of the american public (me included) is dumber than box of rocks & will never accept those extremes of security,on a personal level.There has to be a better way.............I know of 3 people that have been hacked on MTgox in the last week,not to mention how many have not been reported here on the forum.........Something is up & hope this community can help find it out.......

[Stephen Gornick]

80% of the american public (me included) is dumber than box of rocks & will never accept those extremes of security,on a personal level.

He has a point there.  That's why (in the U.S.) when the banks have losses from identity theft they find it cheaper to either pass along the cost when they can (reverse transactions) or eat the remaining loss when they can't.  That's cheaper than the cost of customer training and lost customer satisfaction when trying to impose security procedures like a Yubikey, for instance.

I don't know the solution.  Now that there is Google authenticator on Mt. Gox, hopefully more people can secure their accounts.  Right now it seems the password crackers are just shooting fish in the Mt. Gox barrel.

[Stephen Gornick]

80% of the american public (me included) is dumber than box of rocks & will never accept those extremes of security,on a personal level.

He has a point there.  That's why (in the U.S.) when the banks have losses from identity theft they find it cheaper to either pass along the cost when they can (reverse transactions) or eat the remaining loss when they can't.  That's cheaper than the cost of customer training and lost customer satisfaction when trying to impose security procedures like a Yubikey, for instance.

Well, let's see after this LinkedIn security breach if anything changes.  3.4 million passwords have been cracked so far, though if the perpetrator has the corresponding e-mail addresses that hasn't been leaked yet.  But anyone in the list of 6 million with a password of 8 characters or less in length has probably had their LinkedIn password cracked by now, or will have before long.  At some point this will force "extremes of security" such as strong password requirements.

My old PW was Capri200,kinda simple but I won't forget it.I'm not a software guru or crypto phreak.No I did not use that PW anywhere else ever.

Incidentally, Capri200 either wasn't used or hasn't been cracked yet.
 - http://www.leakedin.org/?check=3d9ad3d4e34f82f0b0fd29de989d51acb737c1e8

[Unacceptable]

80% of the american public (me included) is dumber than box of rocks & will never accept those extremes of security,on a personal level.

He has a point there.  That's why (in the U.S.) when the banks have losses from identity theft they find it cheaper to either pass along the cost when they can (reverse transactions) or eat the remaining loss when they can't.  That's cheaper than the cost of customer training and lost customer satisfaction when trying to impose security procedures like a Yubikey, for instance.

Well, let's see after this LinkedIn security breach if anything changes.  3.4 million passwords have been cracked so far, though if the perpetrator has the corresponding e-mail addresses that hasn't been leaked yet.  But anyone in the list of 6 million with a password of 8 characters or less in length has probably had their LinkedIn password cracked by now, or will have before long.  At some point this will force "extremes of security" such as strong password requirements.

My old PW was Capri200,kinda simple but I won't forget it.I'm not a software guru or crypto phreak.No I did not use that PW anywhere else ever.

Incidentally, Capri200 either wasn't used or hasn't been cracked yet.
 - http://www.leakedin.org/?check=3d9ad3d4e34f82f0b0fd29de989d51acb737c1e8

Very interesting SG 

I'll never keep ANY money or coin at any exchange ever again because of this.I don't trust anyone in bitcoin any farther than I can throw them anymore....................

Those coins I lost were earned by mining,so I didn't lose any "out of pocket" cash at least.

This hacking crap WILL be the main thing that keeps bitcoin from going to the general population.Who besides software guru's & REAL puter nerds will understand how to secure either thier PC or logins to such an extreme level 

I'll still mine like crazy & reap those rewards,but as far letting any entity hold my earnings for any length of time,FORGET IT !!

Until there is a way to "backup" BTC like a bank does (reimburse for specific reasons),whether with insurance or something similar,BTC will be used mainly by launderers & drug dealers (Silk Road)................

[Stephen Gornick]

This hacking crap WILL be the main thing that keeps bitcoin from going to the general population.Who besides software guru's & REAL puter nerds will understand how to secure either thier PC or logins to such an extreme level 

Well, I guess they won't be adding any LinkedIn connections either.  Or looking for love on eHarmoney:
Another 1.5 million passwords leaked
 - http://arstechnica.com/security/2012/06/eharmony-confirms-member-passwords-compromise/