Re: Mt.Gox Account secured with Yubikey but still had 29 BTCs stolen
Board: Service Discussion
by coinage on 14/09/2013, 23:57:10 UTC
If Mt. Gox allows withdrawals using either the OTP -or- the Yubikey, Google Authenticator OTP is the far more likely vulnerability.

That would be the case if, when setting up the OTP, you typed its key details into a file on your computer or smartphone (how else would you recover it if there's a problem?) ... or if you ever installed software on your trading computer to process the OTP (instead of or in addition to Google Authenticator on the phone) ... or if you ever connect the phone to the computer. All these scenarios assume a compromised computer, and not necessarily any user error.

Or, the smartphone with GA could itself be compromised. If the phone was used to trade, or if the Mt. Gox account name & password were kept on it, then the PC need not be involved.

An inside theft by Mt. Gox employees would seem more likely to involve accounts lacking Yubikey withdrawal restrictions, to keep a lower profile, unless the intention of the theft was to visibly harm the exchange's reputation in an especially newsworthy way.
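The weakness coinage describes above is that a Google Authenticator seed is a plain shared secret: the enrolment QR code is just an otpauth:// URI carrying the base32 seed, and anyone who gets a copy of it (from a "backup" text file, a screenshot, a phone backup) computes exactly the codes the phone does. A Yubikey's OTP key, by contrast, is written into the device and cannot be read back out. The following is an added example, not code from the original post or from Mt. Gox; it implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, parses a constructed otpauth URI of the kind a user might have pasted into a notes file, and shows that a server-side check accepts the code generated from the copied seed. The key is the RFC 4226/6238 test-vector key, the account label and the helper names (`parse_otpauth`, `verify_totp`, `code_from_leaked_uri`) are invented for illustration.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). No clock, time is passed in."""
    return hotp(secret, at // step, digits)


def decode_ga_key(key: str) -> bytes:
    """Google Authenticator shows the seed as unpadded base32, sometimes with spaces; restore padding."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> dict:
    """Extract seed and code parameters from an otpauth://totp/ URI (the text inside the enrolment QR code)."""
    parsed = urllib.parse.urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = urllib.parse.parse_qs(parsed.query)
    return {
        "label": urllib.parse.unquote(parsed.path.lstrip("/")),
        "secret": decode_ga_key(q["secret"][0]),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept a code from the current step or up to `window` steps either side."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


# RFC 4226 / RFC 6238 test-vector key; stands in for a real account seed here.
RFC_TEST_SECRET = b"12345678901234567890"
# This is what the QR code (or a note a user saved "for recovery") would contain. Constructed.
LEAKED_URI = (
    "otpauth://totp/MtGox:alice%40example.com"
    f"?secret={base64.b32encode(RFC_TEST_SECRET).decode()}&issuer=MtGox"
)


def code_from_leaked_uri(uri: str, at: int) -> str:
    """What an attacker holding a copy of the enrolment URI computes for a given time."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"])


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; use int(time.time()) against a live account
    code = code_from_leaked_uri(LEAKED_URI, now)
    print("attacker code:", code, "accepted:", verify_totp(RFC_TEST_SECRET, code, now))
```

Note that nothing here involves the phone: the seed alone reproduces the phone's output, and the server cannot distinguish the two. The Yubikey-only withdrawal restriction the thread discusses matters precisely because the equivalent copy of a Yubikey's key is not obtainable from a compromised PC or phone.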