How to use 2-factor auth on mtgox, even without a smartphone

bitcoinBull, September 21, 2012, 10:50:02 PM

Last edit: September 22, 2012, 12:05:09 PM by bitcoinBull #1



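So, bitcoins are now probably the most wanted target of hackers and trojan-botnet operators in search of easy profit. They are the most easily monetized score of digital theft, valued at face in BTC while credit card numbers are sold for pennies on the dollar.

Every time you download programs, or re-install windows using that iso you got from a torrent, chances are ever greater that there is a trojan/virus. The chances are also good that it will go Fully UnDetected by most, if not all, Anti-Virus programs (botnet operators use a "FUD crypter" for this). If so, your mtgox password will be captured and added to the botnet database of login/password form submissions.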



Then dude takes your mtgox funds.



Quote from: Stephen Gornick on June 23, 2012, 12:59:46 AM

Quote from: Ghostofkobra on June 22, 2012, 11:42:10 PM

I lost roughly 2000 USD from my MT.Gox account at 08:40 JST on the 31st of May 2012.

A lot of that going on.



"MtGox account got cleared out"

- http://bitcointalk.org/index.php?topic=85533.0



"All BTC disappeared from my Mt. Gox account"

- http://bitcointalk.org/index.php?topic=88368.0



Another:

- http://bitcointalk.org/index.php?topic=80562.msg941759#msg941759



And another:

"My mtgox account got compromised, what can I do?"

- http://bitcointalk.org/index.php?topic=84585.0



And on other services as well. Here the same thing happened to some GLBSE users:

- http://bitcointalk.org/index.php?topic=84893.0



In none of these was the person using multi-factor authentication. Mt. Gox has had Yubikey support for a while. Mt. Gox accounts now support Google Authenticator:

- https://mtgox.com/press_release_20120605.html




But not you! Because you used 2-factor auth for withdrawals and dude only has your mtgox password, not your OTP private key.





Step 1:



Go to your mtgox security center and click "ADD NEW" under software authenticators.







Take a screenshot of this window, print it out, and lock it in a safe. Or copy/paste the secure private key and save it encrypted to a USB and lock that in a safe. Write it on a post-it, memorize it and then eat the post-it. Whatever you do, keep it secret but don't lose it.





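Step 2:

If you have an android phone, install the google authenticator app for android. If you have an iOS device (iPod touch, iPad, iPhone), install the iOS app. If you have neither, you can use this html5 google authenticator app. Download the zip file, extract it and open the index.html in your browser.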



Now click the plus sign and add your secure private key. You are only running a local html5 app, so your secure private key is not being shared with anyone. You can even do this on an offline computer; you don't have to be online to use your secure private key to generate a one-time-passcode.









Step 3:



Use your generated one-time-passcode in the mtgox security center.







This passcode changes every 30 seconds. That's how long you have to type it into mtgox and "save" your new 2-factor auth system.









Step 4:



Add your new 2-factor method to "Withdrawal" to protect withdrawals.













Step 5:



Also add it to "Security Center". Otherwise, anyone with your login password can simply go to security center and remove your 2-factor auth protection.













Now a one-time-passcode is needed to remove 2-factor from withdrawals.







Step 6:



Your withdrawals are now protected.











CAVEAT on using the google authenticator html5 app:



Obviously, if you use your 2-factor "secure private key" on the same computer, it can be stolen along with the password. So pray that dude's trojan doesn't keylog everything, just login form passwords to sites like mtgox. Or use the google authenticator app on an offline computer. If you're ultra-paranoid, remember that your secure private key could be captured at set-up time when done on an insecure computer.



Also, the html5 app saves the secure private key to html5 localStorage, so click the (x) after use to remove it. Or clear it from the browser's cache/localStorage.