bitcoin.newsfeed
February 14, 2014, 10:39:58 AM
When was the last time you changed your password? Is it unique?
You can have 200chars upper-lower-special char 0-day new password, if your computer is once rated and part of the botnet you are screwed, it keylogs everything right into the database based on keywords ... 2FA and secure OS is the only way.
... Question Everything, Believe Nothing ...

Herp
February 14, 2014, 10:41:39 AM
Damn ... shit. This is sick. Did you have 2FA backup somewhere in the same PC?
2FA key was written down on paper as "backup".
I am just wondering how could that have happened? It seems impossible if you have 2FA.
Maybe 2FA on rooted/jailbroken device ... and attacker infected both devices pc and smartphone/tablet via same router.
EDIT : I assume you're in Thailand ... 90% of smartphones there are rooted.
EDIT2 : Damn, from today I'll login to Havelock only from TailsOS ...
Probably jailbroken at MBK?
I have to chime in, I'm also really sorry to hear that. I can only try and fathom how that feels. This makes me truly sad and angry! Just to address other questions/vulnerabilities: When was the last time you changed your password? Is it unique? Did you at some point land on a phishing site, i.e. a Havelock-copy (I guess you may not have noticed it)? I'd like a comment from Havelock. I guess you guys have already contacted them? I'm just pointing them to this problem, as well.
In many of the cases it's actually a person close to the victim, probably living in your own house or a friend or someone with actual physical access to your computer and phone. There were many such cases. Might even be your wife or lover. Also there might be another possibility no one here discussed and that is the possibility of this guy lying to prop up another exchange. I'm not saying it's the case but it's possible.

romerun
February 14, 2014, 10:48:00 AM
sounds like havelock inside job, well, what's lost is lost, better buy new machine, ubuntu air gap it and relocate all your coin stashes to new wallets,
also if havelock is not helping, raise the issue over reddit, and let's up vote

minerpumpkin
February 14, 2014, 10:52:01 AM
We can't know if the story is true, sure. But I have no reason not to believe him as long as I don't make any important decisions due to that fact. If his computer is compromised, everything is lost, of course! But the reason I'm asking is, if he maybe changed his password just yesterday, this could indicate another attack vector (keylogger) than maybe a break-in to his email account or a breach in Havelock itself.
Physical theft is an option, yeah. So: How many people do know you're "into Bitcoin" or own AM shares? Do they even know what AM shares are? Did you tell people about it?
I should have gotten into Bitcoin back in 1992...

Herp
February 14, 2014, 10:57:00 AM
We can't know if the story is true, sure. But I have no reason not to believe him as long as I don't make any important decisions due to that fact. If his computer is compromised, everything is lost, of course! But the reason I'm asking is, if he maybe changed his password just yesterday, this could indicate another attack vector (keylogger) than maybe a break-in to his email account or a breach in Havelock itself.
Physical theft is an option, yeah. So: How many people do know you're "into Bitcoin" or own AM shares? Do they even know what AM shares are? Did you tell people about it?
There are lots of pathological liars in this world who can be amazingly convincing. Physical theft is a very real option. Many people tell their friends, spouse or loved ones about their investments. Very few people can keep it a secret. You'd be amazed how often the person responsible is a room mate or someone close. In this described event of getting access to 2 factor I think these 2 scenarios are highly probable. I think a Havelock "rogue" trader would have targeted an even bigger account or several such accounts so I don't think that's the case.

minerpumpkin
February 14, 2014, 11:43:47 AM
We can't know if the story is true, sure. But I have no reason not to believe him as long as I don't make any important decisions due to that fact. If his computer is compromised, everything is lost, of course! But the reason I'm asking is, if he maybe changed his password just yesterday, this could indicate another attack vector (keylogger) than maybe a break-in to his email account or a breach in Havelock itself.
Physical theft is an option, yeah. So: How many people do know you're "into Bitcoin" or own AM shares? Do they even know what AM shares are? Did you tell people about it?
There are lots of pathological liars in this world who can be amazingly convincing. Physical theft is a very real option. Many people tell their friends, spouse or loved ones about their investments. Very few people can keep it a secret. You'd be amazed how often the person responsible is a room mate or someone close. In this described event of getting access to 2 factor I think these 2 scenarios are highly probable. I think a Havelock "rogue" trader would have targeted an even bigger account or several such accounts so I don't think that's the case.
I'd guess his mail account got compromised. It's simply the biggest hole you can get through. I guess it's futile to discuss what is 'probable' because why would someone do something improbable - because it is improbable. Circular logic, we'll have to wait and see...
I should have gotten into Bitcoin back in 1992...

101111
February 14, 2014, 12:06:10 PM
very sorry to hear about that Empow, I hope you can catch the thief

robix
February 14, 2014, 12:12:47 PM
I'd guess his mail account got compromised. It's simply the biggest hole you can get through. I guess it's futile to discuss what is 'probable' because why would someone do something improbable - because it is improbable. Circular logic, we'll have to wait and see...
Is 2FA disabled when you request a new password? I don't think so.

minerpumpkin
February 14, 2014, 12:44:06 PM
I'd guess his mail account got compromised. It's simply the biggest hole you can get through. I guess it's futile to discuss what is 'probable' because why would someone do something improbable - because it is improbable. Circular logic, we'll have to wait and see...
Is 2FA disabled when you request a new password? I don't think so.
But in case of Google Mail you could have control over the 2FA authenticating entity...
I should have gotten into Bitcoin back in 1992...

robix
February 14, 2014, 02:01:58 PM
I'd guess his mail account got compromised. It's simply the biggest hole you can get through. I guess it's futile to discuss what is 'probable' because why would someone do something improbable - because it is improbable. Circular logic, we'll have to wait and see...
Is 2FA disabled when you request a new password? I don't think so.
But in case of Google Mail you could have control over the 2FA authenticating entity...
ok

dmcdad
February 14, 2014, 02:08:52 PM
empoweoqwj: very sorry to hear about this, and I hope you or havelock track down exactly what happened. Man, this has been a really crappy week for BTC.

shawshankinmate37927
February 14, 2014, 04:19:35 PM
nope - Mac - and no, I didn't install that "Stealth Bit" malware
That's the only computer you've used to log on to Havelock?
Yep. Just my Macbook.
Did you have Google Authenticator installed on this or a different device?
"It is well enough that people of the nation do not understand our banking and monetary system, for if they did, I believe there would be a revolution before tomorrow morning." - Henry Ford

silverfuture
February 14, 2014, 04:37:54 PM
I'd guess his mail account got compromised. It's simply the biggest hole you can get through. I guess it's futile to discuss what is 'probable' because why would someone do something improbable - because it is improbable. Circular logic, we'll have to wait and see...
Is 2FA disabled when you request a new password? I don't think so.
But in case of Google Mail you could have control over the 2FA authenticating entity...
Compromised gmail account seems like the simplest and most likely scenario.

havelock
February 14, 2014, 04:50:22 PM
Here at Havelock we take security issues very seriously.
We have never had any issues with users that enabled 2FA on their account. We have contacted the person that has made the claim that his account has been compromised and are looking to resolve the matter as soon as possible.
Trying to balance ease of use and security is never easy, especially in the Bitcoin realm. We can always add additional security features but those will always slow down the user experience.
So we turn to you, our valued customers, what features would you like us to add to our platform?
1. Confirmation email before any action is taken; some but not all actions.
2. Pending withdrawal of your Bitcoins; time lock?
3. Lock account by IP address?
We always value your opinions and we strive to serve the Bitcoin community to the best of our ability.
Also we can assure everyone that it was not an "inside rogue employee"
Thank you,
Support Team Havelock Investments

Caesium
February 14, 2014, 04:54:02 PM
2. Pending withdrawal of your Bitcoins; time lock?
How about allowing us to specify a withdrawal address that is then locked; coins can only be sent to this address. It can be unlocked, but upon doing so an email is sent notifying me that it's been unlocked and it takes a further 7 days or so before a new address can be entered?
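
The address lock proposed in the post above, sketched as a small state machine. This is an added example, not part of the thread and not Havelock's code; the class and method names, the in-memory outbox standing in for e-mail, the cancel step and the choice to keep the old address usable while an unlock is pending are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

UNLOCK_DELAY = timedelta(days=7)  # the "7 days or so" from the post


class WithdrawalDenied(Exception):
    """Raised when an address change is attempted outside the allowed window."""


@dataclass
class WithdrawalLock:  # hypothetical name, for illustration only
    address: Optional[str] = None                # the only permitted destination
    unlock_requested: Optional[datetime] = None  # start of the waiting period
    outbox: List[str] = field(default_factory=list)  # stand-in for e-mail

    def request_unlock(self, now: datetime) -> None:
        # Every request is notified; a repeated request does not restart the clock.
        if self.unlock_requested is None:
            self.unlock_requested = now
        self.outbox.append(f"unlock requested at {now.isoformat()}")

    def cancel_unlock(self) -> None:
        # Assumed extra step: the owner reacts to the e-mail and aborts.
        self.unlock_requested = None

    def set_address(self, new_address: str, now: datetime) -> None:
        if self.address is not None:  # first-time setup needs no delay
            if self.unlock_requested is None:
                raise WithdrawalDenied("address is locked; request an unlock")
            if now < self.unlock_requested + UNLOCK_DELAY:
                raise WithdrawalDenied("unlock delay has not elapsed")
        self.address, self.unlock_requested = new_address, None  # re-lock
        self.outbox.append(f"withdrawal address set to {new_address}")

    def authorize(self, destination: str) -> bool:
        # Assumption: the old address stays valid while an unlock is pending.
        return self.address is not None and destination == self.address


if __name__ == "__main__":
    t0 = datetime(2014, 2, 14, 17, 0)        # constructed sample timeline
    lock = WithdrawalLock()
    lock.set_address("OWNER-ADDRESS", t0)    # placeholder, not a real address
    lock.request_unlock(t0)
    try:
        lock.set_address("OTHER-ADDRESS", t0 + timedelta(days=6))
    except WithdrawalDenied as exc:
        print("day 6:", exc)
    print(lock.authorize("OTHER-ADDRESS"), lock.outbox)
```

The delay only helps if the notification reaches a mailbox the intruder does not also control, which is the e-mail compromise scenario raised earlier in the thread.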

jimmothy
February 14, 2014, 04:56:02 PM
Here at Havelock we take security issues very seriously.
We have never had any issues with users that enabled 2FA on their account. We have contacted the person that has made the claim that his account has been compromised and are looking to resolve the matter as soon as possible.
Trying to balance ease of use and security is never easy, especially in the Bitcoin realm. We can always add additional security features but those will always slow down the user experience.
So we turn to you, our valued customers, what features would you like us to add to our platform?
1. Confirmation email before any action is taken; some but not all actions.
2. Pending withdrawal of your Bitcoins; time lock?
3. Lock account by IP address?
We always value your opinions and we strive to serve the Bitcoin community to the best of our ability.
Also we can assure everyone that it was not an "inside rogue employee"
Thank you,
Support Team Havelock Investments
Yes to every one of those. (Instant bitcoin withdrawals worry me a bit) Also maybe requiring a pin before placing orders/doing anything like btct.co would be nice.

michaelGedi
February 14, 2014, 05:01:24 PM
Here at Havelock we take security issues very seriously.
We have never had any issues with users that enabled 2FA on their account. We have contacted the person that has made the claim that his account has been compromised and are looking to resolve the matter as soon as possible.
Trying to balance ease of use and security is never easy, especially in the Bitcoin realm. We can always add additional security features but those will always slow down the user experience.
So we turn to you, our valued customers, what features would you like us to add to our platform?
1. Confirmation email before any action is taken; some but not all actions.
2. Pending withdrawal of your Bitcoins; time lock?
3. Lock account by IP address?
We always value your opinions and we strive to serve the Bitcoin community to the best of our ability.
Also we can assure everyone that it was not an "inside rogue employee"
Thank you,
Support Team Havelock Investments
Yes to every one of those. (Instant bitcoin withdrawals worry me a bit) Also maybe requiring a pin before placing orders/doing anything like btct.co would be nice.
I somewhat agree, you can never have too many security options at this stage with bitcoin... perhaps a poll should be offered via email or on the forum to put possible security additions in order of priority?

hdbuck
February 14, 2014, 05:11:47 PM
Here at Havelock we take security issues very seriously.
We have never had any issues with users that enabled 2FA on their account. We have contacted the person that has made the claim that his account has been compromised and are looking to resolve the matter as soon as possible.
Trying to balance ease of use and security is never easy, especially in the Bitcoin realm. We can always add additional security features but those will always slow down the user experience.
So we turn to you, our valued customers, what features would you like us to add to our platform?
1. Confirmation email before any action is taken; some but not all actions.
2. Pending withdrawal of your Bitcoins; time lock?
3. Lock account by IP address?
We always value your opinions and we strive to serve the Bitcoin community to the best of our ability.
Also we can assure everyone that it was not an "inside rogue employee"
Thank you,
Support Team Havelock Investments
Yes to every one of those. (Instant bitcoin withdrawals worry me a bit) Also maybe requiring a pin before placing orders/doing anything like btct.co would be nice.
yes to every one of those + YUBIKEY!!!!

runam0k
February 14, 2014, 05:18:28 PM
Here at Havelock we take security issues very seriously.
We have never had any issues with users that enabled 2FA on their account. We have contacted the person that has made the claim that his account has been compromised and are looking to resolve the matter as soon as possible.
Trying to balance ease of use and security is never easy, especially in the Bitcoin realm. We can always add additional security features but those will always slow down the user experience.
So we turn to you, our valued customers, what features would you like us to add to our platform?
1. Confirmation email before any action is taken; some but not all actions.
2. Pending withdrawal of your Bitcoins; time lock?
3. Lock account by IP address?
We always value your opinions and we strive to serve the Bitcoin community to the best of our ability.
Also we can assure everyone that it was not an "inside rogue employee"
Thank you,
Support Team Havelock Investments
PIN for orders or withdrawals, perhaps, or lock the BTC withdrawal address for x days. Instant BTC withdrawals to any old BTC address is a problem.

shawshankinmate37927
February 14, 2014, 05:20:54 PM
Here at Havelock we take security issues very seriously.
We have never had any issues with users that enabled 2FA on their account. We have contacted the person that has made the claim that his account has been compromised and are looking to resolve the matter as soon as possible.
Trying to balance ease of use and security is never easy, especially in the Bitcoin realm. We can always add additional security features but those will always slow down the user experience.
So we turn to you, our valued customers, what features would you like us to add to our platform?
1. Confirmation email before any action is taken; some but not all actions.
2. Pending withdrawal of your Bitcoins; time lock?
3. Lock account by IP address?
We always value your opinions and we strive to serve the Bitcoin community to the best of our ability.
Also we can assure everyone that it was not an "inside rogue employee"
Thank you,
Support Team Havelock Investments
2FA via e-mail, like on blockchain.info.
"It is well enough that people of the nation do not understand our banking and monetary system, for if they did, I believe there would be a revolution before tomorrow morning." - Henry Ford