by DanBC 4818 days ago
This wasn't someone hacking MtGox.

This was someone on a vulnerable OS, running without malware protection, with Java active in the browser, visiting an unknown link, and possibly giving an application permission to run. (Although maybe it didn't need permission to run?)

To get to that point the person needed to ignore several well established security principles.

Oh come on, how hard is it for MtGox to implement TOTP and tell users to download Google Authenticator? It's not really that much hassle to enter a code each time you want to make a transaction, and these things wouldn't happen.

Sure, the user was being stupid here, but MtGox didn't do them any favors either.

"Oh come on, how hard is it for MtGox to implement TOTP and tell users to download Google Authenticator?"

Not hard, and they did it a long time ago. The user didn't opt in.

When I signed up for an account, there was no obvious prompting to go and turn it on. It's all well and good having extra security, but if you don't actively try to get your users to make use of it, it's only going to be marginally useful.

That user was aware of extra MtGox security and chose not to use it.

On top of that the user

1) Chose to turn off (or not use) malware software

2) Enabled Java in the browser

3) Chose to visit a short URL link presented in a chat window

4) Clicked through a big scary warning

All while still logged into their MtGox account.

It sucks that they're a victim of crime, but their actions were dumb.

Hum, really? I didn't notice it in the settings, and I'm sure I would have. I'll look again, thank you.

Not only is there TOTP, they also sent free Yubikeys to anyone who requested one last year.

Yes, but we have to assume the majority of people are not going to be particularly educated on stuff like this. Implementing simple checks before confirming a transfer out of an account should be a given.
I agree that the user is largely at fault here, but would you consider this acceptable if the same thing happened on your bank website?

I'm not familiar with Mt Gox but it's unacceptable if they don't have two factor authentication.

EDIT: Scrolling down, it appears they DO offer two-factor authentication. nvm.

How did the executable instruct the bitcoin transfer to take place?