63.73 BTC Hacked - Blockchain.info secured by 2FA - Starting security podcast?

[ScryptAsic]

Wow... I should take my money off of online wallets. I really like using the blockchain.info app on my phone, but it's not worth the security risk.
I definetly don't want to run a full blown bitcoin client like bitcoin-qt...

I wouldn't think of using anything but Bitcoin-QT.  It is intensive but once the blockchain is downloaded there is minimal effect on my computer experience if I leave it open.  I'm not even terribly confident that it is secure and I have a pass code that takes minutes to input (random phrases from Ulysses).  

I finally broke down and installed a phone wallet but only for the novelty.  There is never more than fifty bucks in it.

These stories kind of scare me.  I don't have nearly the amount that OP had but I don't want to lose anything that I have.  2FA on an email account might seem like an inconvenience but is necessary in my opinion.

I feel for you, OP.  I hope that there is a way to bet your BTC back...

Edit - I have no idea if it works or not but I type in my password and then hit five random keys (anywhere in the middle) followed by hitting the backspace five times).  Even if it is placebo, I have always thought that was a way I could defeat any potential keyloggers.  Note - I am not the most tech savvy individual in the world.

This would not foil any potential keylogging attempts of stealing your password to your wallet. A keylogger can see all the keys that you press so if they attempt to decrypt your wallet with your password, they can simply delete the last 5 letters and then would have access to your wallet. A keylogger would not even know that you entered them in the middle of your password so it would not affect it.

Also blockchain.info allows the 2nd password that is optional and will allow you to send funds can be entered via a "screen" keyboard which prevents most keyloggers from capturing your password

[v0yager]

Sorry bro.....
Are you link your email to your Blockchain account? Maybe there is a private key backup file that sent by Blockchain in your email. The hacker get access to your email, he got your privet key, he got everything.

[sangaman]

Sorry OP about the loss. I hope you catch the hacker and make him pay. It would be useful to know how your computer was compromised, if you ever find out.

And just a heads up for people talking about online wallets, Blockchain.info being online isn't what made it hackable in this case. If your computer is compromised - as appears to have been the case here - then any bitcoins that computer has access to, either on local wallets or online wallets, are in jeopardy.

[MemoryShock]

Edit - I have no idea if it works or not but I type in my password and then hit five random keys (anywhere in the middle) followed by hitting the backspace five times).  Even if it is placebo, I have always thought that was a way I could defeat any potential keyloggers.  Note - I am not the most tech savvy individual in the world.

This would not foil any potential keylogging attempts of stealing your password to your wallet. A keylogger can see all the keys that you press so if they attempt to decrypt your wallet with your password, they can simply delete the last 5 letters and then would have access to your wallet. A keylogger would not even know that you entered them in the middle of your password so it would not affect it.

Also blockchain.info allows the 2nd password that is optional and will allow you to send funds can be entered via a "screen" keyboard which prevents most keyloggers from capturing your password

Thank you for the post.  I can appreciate my bubble being burst as it does help.  Not sarcasm at all.

I pretty much don't touch that computer outside of work and three websites.  I'm on a different computer for this forum and other BTC related activity...

[statdude]

Sorry OP about the loss. I hope you catch the hacker and make him pay. It would be useful to know how your computer was compromised, if you ever find out.

And just a heads up for people talking about online wallets, Blockchain.info being online isn't what made it hackable in this case. If your computer is compromised - as appears to have been the case here - then any bitcoins that computer has access to, either on local wallets or online wallets, are in jeopardy.

Trust me, I would love to catch them.

The most frustrating thing is I have NO idea how I got a keylogger. That has never happened before, and I wonder if I was targeted somehow by someone I know. The only explanation for that, would be somehow my TeamViewer had a password I used somewhere else that was leaked, but it's impossible to verify now.

I had no idea you could use 2FA for Teamviewer or I would have. I also should have had a stronger and more unique password there obviously.
I also would have used the On-Screen keyboard for blockchain.info or any sensitive passwords, and turned off blockchain email backups of my wallet, which they stupidly had on in default settings.

I would even consider restricting login to certain IP addresses. I thought about this many times but was worried I'd lock myself out somehow.

Any of those things may have saved me. I am still not sure if Tor use had anything to do with it, but if it did, that's even more upsetting.

And NEVER have trusted Google to protect my account in any way shape or form.

The irony I just put all my BTC there for safekeeping the week before is what really astounds me.

Google 2FA = total failure.  

[Berthorl]

damn, i feel for the op. being gutted like a fish is not cool..

i hope something good happens to you.

[statdude]

Thanks man.

To any true bitcoiners interested: I realize this is a long shot, but I am willing to be the face of a campaign to increase bitcoin security standards, thus making it more accessible to the common user. If you or your organization are interested in collaborating on such a campaign, I am willing to put a public face to this through interview and speeches.

All I ask is the opportunity to recoup some funds over time via donations. I am still a bitcoin believer, but believe the average user and service has a long way to go on security. I've learned a lot of lessons through this ordeal I'd like to share to improve best practices and help drive bitcoin forward. 

If I don't find anyone to collaborate with, I will likely start my own YouTube channel or podcast to promote bitcoin security. If you are interested in participating either via editing/graphics or being on the show, please PM me.

By the way, blockchain.info delisted from bitcoin.org due to lax security. Appropriate? http://www.reddit.com/r/Bitcoin/comments/2ogyt4/blockchaininfo_has_been_delisted_from_bitcoinorg/

Regards

[peonminer]

After selling all of my BTC and deciding to get back into the crypto realm... I am seeing many more breach stories. Really makes you realize the importance of taking any large amount of coinage you have 'offline' and onto paper secured in your private possession. Sorry for your loss OP. Valuble lessons and whatnot.

[Levitron]

Um I'm not too familiar with teamviewer but that might have been not so smart, as teamviewer would give access to your computer to the person so who knows what they could do.

I'm glad I didnt go the blockchain.info route as I seen too many probs there, I only use electrum the best light pc wallet around

[HYPERfuture]

Thanks man.

To any true bitcoiners interested: I realize this is a long shot, but I am willing to be the face of a campaign to increase bitcoin security standards, thus making it more accessible to the common user. If you or your organization are interested in collaborating on such a campaign, I am willing to put a public face to this through interview and speeches.

All I ask is the opportunity to recoup some funds over time via donations. I am still a bitcoin believer, but believe the average user and service has a long way to go on security. I've learned a lot of lessons through this ordeal I'd like to share to improve best practices and help drive bitcoin forward. 

If I don't find anyone to collaborate with, I will likely start my own YouTube channel or podcast to promote bitcoin security. If you are interested in participating either via editing/graphics or being on the show, please PM me.

By the way, blockchain.info delisted from bitcoin.org due to lax security. Appropriate? http://www.reddit.com/r/Bitcoin/comments/2ogyt4/blockchaininfo_has_been_delisted_from_bitcoinorg/

Regards

I think this is great that you are turning this negative experience around into the start of something new.

Good luck with your project, and who knows maybe you will make much more than the coins lost if your project takes off (of course I hope you may yet still recover the coins lost too).

[electerium]

This to me is an important lesson in sandboxing and compartmentalizing your bitcoins.

Store the majority of them in proper cold storage--- e.g paper wallet or a old laptop with a clean os install. These are things that are dedicated storage device and generally never exposed to the Internet other than to move coins. Never check email or go past cnn.com.

Store the rest of your coins that you conceivably need to spend on a consistent basis on your phone or regular desktop.


Don't rely on touchID or coin base or 2fa or Google. If you possess any amount of coins that isn't nominal, you are a target with a gigantic flashing red light that says "try me"; period.

[funtotry]

This to me is an important lesson in sandboxing and compartmentalizing your bitcoins.

Store the majority of them in proper cold storage--- e.g paper wallet or a old laptop with a clean os install. These are things that are dedicated storage device and generally never exposed to the Internet other than to move coins. Never check email or go past cnn.com.

Store the rest of your coins that you conceivably need to spend on a consistent basis on your phone or regular desktop.


Don't rely on touchID or coin base or 2fa or Google. If you possess any amount of coins that isn't nominal, you are a target with a gigantic flashing red light that says "try me"; period.

The issue was not the lack of physical and/or local security, the issue was that the OP was effectively using tor (via a vpn) and the exit node was able to launch a MITM attack

[peonminer]

So if Tor isn't a safe patch option....

[TheGame]

There have been numerous posts on reddit about blockchain.info hacks.

Give us more info, did you access blockchain via TOR ?
Did you click on google adwards for blockchain (phishing attack) ?

More than 1k BTC have been stolen, i am beginning to think their main server has been hacked and user/pass are being sniffed realtime.
Tell us more to make a conclusion..

I doubt it. People are probably just losing their coins through lack of security or hackers on their own end.

[chiefraven]

this is pretty newb question, but what does TOR really hide you?

some people argue it doesnt, so im just trying to get an ideal response. As for the 63 btc loss how do you prevent this? besides the 2fa setup.. it seems like this can happen to anyone. I thought the 2fa helps a lot..

[statdude]

this is pretty newb question, but what does TOR really hide you?

some people argue it doesnt, so im just trying to get an ideal response. As for the 63 btc loss how do you prevent this? besides the 2fa setup.. it seems like this can happen to anyone. I thought the 2fa helps a lot..

2fa didn't do shit for me.

[1echo]

no chance of getting this back.

thats beauty (and ugliness) of BTC

[malaimult]

this is pretty newb question, but what does TOR really hide you?

some people argue it doesnt, so im just trying to get an ideal response. As for the 63 btc loss how do you prevent this? besides the 2fa setup.. it seems like this can happen to anyone. I thought the 2fa helps a lot..

2fa didn't do shit for me.

All that 2fa will do with a blockchain.info wallet is prevent an attacker from accessing your identifier. If they have a copy of a backup then 2fa will do nothing for you. If they successfully launch a MITM attack then then they could trick you into giving your 2fa code along with your password, which would allow them to download a copy of a backup.

It also appears that blockchain.info has made some changes to their security. They apparently no longer allow people to connect to blockchain.info via a tor exit node, but rather force them to use their .onion address. This will get people out of the habbit of trying to connect to their .info domain via tor and into using their .onion address

[jbreher]

this is pretty newb question, but what does TOR really hide you?

2fa didn't do shit for me.

When one connects to an https: server over Tor, with which entity does the server establish an ssh-protected session? Is it you, or is it the Tor exit node?

[dwealth]

okay, important question, where does one go to find a good paper wallet to print out.

without putting the private keys at risk, etc when printing it. yeah im paranoid.