63.73 BTC Hacked - Blockchain.info secured by 2FA - Starting security podcast?

[HYPERfuture]

I've made a quick guide to fully securing coins on Blockchain.info for beginners as these horror stories really upset me: https://bitcointalk.org/index.php?topic=876492

[Addition]

Are Mac users (OSX) better protected in this case or just as susceptible as Windows/Linux users?

Umm, Linux is in no way as susceptible as Windows.

Linux and Mac have similarly strong security - Windows is a joke.

Have there ever been any cases where Microsoft were held accountable/compensated for security flaws in their OS?

[Velkro]

Help...
I am not sure if someone accessed a backup of my wallet somewhere... All my BTC was stolen via a single blockchain transaction

43d9ecf12e25a0bcc6c655660d604cdff800f726dc42f68b08cea8fc1d61a3c4

sent to here

https://blockchain.info/address/1L8zn4BJs2B4a4pxN4HBaNKEgaowpa3857

if anyone has help or can apply any forensics... i am more than willing to pay a bounty to recover some of these funds... thank you...

skype me at "thestatdude"

many of these coins were purchased via credit card and i have hardly afford to lose them... please help..

Man im so sorry for you, who would have know that using TOR is security risk.
Im feeling your pain.

[Addition]

I've made a quick guide to fully securing coins on Blockchain.info as these horror stories really upset me: https://bitcointalk.org/index.php?topic=876492

Thanks for sharing!

Your thoughts on 3rd party devices, such as Trezor? I'm worried about losing the device if I buy a few.

(Though sure they would have considered that) Just wondering in the event of losing device, how quickly Stored BTC funds would be recoverable and the process involved?

[HYPERfuture]

I've made a quick guide to fully securing coins on Blockchain.info as these horror stories really upset me: https://bitcointalk.org/index.php?topic=876492

Thanks for sharing!

Your thoughts on 3rd party devices, such as Trezor? I'm worried about losing the device if I buy a few.

(Though sure they would have considered that) Just wondering in the event of losing device, how quickly Stored BTC funds would be recoverable and the process involved?

You can back up to paper wallet easily with their tool so even if you lose the Trezor the coins are safe. Also the Trezor is password protected so as long as your password is in your HEAD only they cannot steal your coins. This is just my understanding of it and I can't make any guarantees.

[Addition]

If you have a Keylogger on your computer the only thing that will stop unauthorised withdrawals is SMS 2fa - which I understand blockchain.info offers.

If you only have email 2fa the hacker just needs to wait until you login to your email service and they have the password. Then they wait until you log into your blockchain.info account and they have all they need. They could even delete the email from your email account after authorising the transaction.

Note, a keylogger will also give someone access to your local wallet passphrase too. It happened to someone I know and they lost a couple hundred thousand dollars worth. Keyloggers are very very dangerous.

What I am not sure about is if a malicious user gets your blockchain.info login details and you have SMS 2Fa activated can they still grab the private key. That would totally defy the purpose of SMS 2fa so I assume not but I am not sure.

Me too? But surely possible to "clone" somebodies sim card remotely?

[HYPERfuture]

If you have a Keylogger on your computer the only thing that will stop unauthorised withdrawals is SMS 2fa - which I understand blockchain.info offers.

If you only have email 2fa the hacker just needs to wait until you login to your email service and they have the password. Then they wait until you log into your blockchain.info account and they have all they need. They could even delete the email from your email account after authorising the transaction.

Note, a keylogger will also give someone access to your local wallet passphrase too. It happened to someone I know and they lost a couple hundred thousand dollars worth. Keyloggers are very very dangerous.

What I am not sure about is if a malicious user gets your blockchain.info login details and you have SMS 2Fa activated can they still grab the private key. That would totally defy the purpose of SMS 2fa so I assume not but I am not sure.

Me too? But surely possible to "clone" somebodies sim card remotely?

I prefer Yubikey for 2FA on blockchain. Cell phones are too accessible

[inBitweTrust]

Have there ever been any cases where Microsoft were held accountable/compensated for security flaws in their OS?

Your thinking about security wrong. All Turing complete devices are susceptible to security flaws. The only way to have a good degree of confidence is by using single purpose security devices (hardware wallets), paperwallets, or multisig where some of the key are in cold storage.

Even if one had 2fa SMS a compromised computer could transmit a worm to the victims cellphone when it was plugged in or connected to the same network.

You can only have a certain degree of confidence in security and 100% confidence never applies to any system or industry.

[LiteCoinGuy]

dont think that blockchain is not secure but that your computer has team viewer, maleware or TOR installed. or several people have access to your pc etc etc

[TKeenan]

if the hacker is here... please contact me... and sleep with a clean conscience, and no fear of being caught

Wow!  You are a real optimist man.  At least you'll be able to dream up some 'bright side' to think about from this point.

[wpalczynski]

Its tools like this solitude turd that perpetuate the problems inherent with BTC now.  I'm glad to see that the majority of users here sympathize with Statdude and are actually providing advice and trying to help.

What the fuck do you want us to do about it faggot?  You dun goofed son.

This isn't reddit, we don't upvote faggots for being retards here.

this post does not represent the majority, security is a learning process, our time is finite

[wpalczynski]

SMS 2FA is the key, that way they need to compromise your PC and have physical access to your phone.

fact is, i treated my blockchain.info as a WEB wallet, trusting them it was SECURE with 2FA alone.

it was not.

All someone needs can be found by hacking your PC and installing a keylogger.

they need no 2FA whatsoever if they then have your password.

[saddampbuh]

How did I get this Keylogger? I am VERY careful and dont install anything that isnt virus checked.

Is is possible my IP Vanish software which uses Tor was compromised?

virus scan doesn't mean shit any competent hacker will crypt his malware to be undetectable to av and any half decent bot or rat can scan your computer for wallet.dat or anything bitcoin related in a few seconds, 90% its someone from ukraine or russia and you will never find them or your coins, sorry for the loss i' be suicidal over this

[crazyjack]

its over for you, sorry...you wanted anonymity, well you got it even when you are hacked and smashed....that is why everything needs a central authority, even BTC, otherwise its doomed..who would trust in that system...anyway...

[rokkyroad]

Blockchain does have the withdrawal password option if I remember right. Don't they also have an on screen keyboard that would defeat a keylogger? 

[statdude]

Thanks for the comments guys... PLEASE send dust to these addresses with a public comment marking them back to this thread..I have been trying to do so but it will not work for some reason. I am doing anything I can to get these coins labeled for all to see.

[wpalczynski]

You already know what addresses your coins went to.  Im curious how sending additional dust will get these coins labelled.  Don't quite understand what that will accomplish.  Could someone please explain?

Thanks for the comments guys... PLEASE send dust to these addresses with a public comment marking them back to this thread..I have been trying to do so but it will not work for some reason. I am doing anything I can to get these coins labeled for all to see.

[statdude]

You can send dust with a public note in blockchain.info, viewable by all.

It appears my gmail was logged into on 22-Nov. Google was supposed to send me a security notification to my phone and email, yet I received neither?

Also, how is my gmail logged into when it has 2FA Google Auth activated???

[inBitweTrust]

Also, how is my gmail logged into when it has 2FA Google Auth activated???

Here is one way how:
https://www.duosecurity.com/blog/bypassing-googles-two-factor-authentication



If your computer has a trojan keylogger and you are storing your backup on it all a hacker needs to do is capture your password to unlock your private keys without any need to verify 2FA with Google. The hacker can see and read back a history of everything you type on your computer while you are infected.

Once your computer is rooted you are completely owned. If your cellphone communicates with that infected computer in anyway it can also be compromised. 

[statdude]

Well, would that may be possible via my Thunderbird ASP?

Still though, why did I receive NO notification of the suspicious login?